Forest-wide Roles
Forest-wide roles exist exactly once per forest. The forest-wide roles are:
● Schema master
Controls all updates to the schema. The schema contains the master list of object classes
and attributes that are used to create all Active Directory objects, such as users,
computers, and printers.
● Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to
the forest, only the domain controller that holds the domain naming master role can add
the new domain.
There is only one schema master and one domain naming master in the entire forest.
Domain-wide Roles
Domain-wide roles exist exactly once per domain in a forest. The domain-wide roles are:
● Primary domain controller emulator (PDC emulator)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft
Windows NT within a mixed-mode domain, that is, a domain that still has domain controllers running
Windows NT 4.0. By default the PDC emulator role is held by the first domain controller that you
create in a new domain.
● Relative identifier master (RID)
When a new object is created, the domain controller creates a new security principal that
represents the object and assigns the object a unique security identifier (SID). This SID
consists of a domain SID, which is the same for all security principals created in the
domain, and a RID, which is unique for each security principal created in the domain. The
RID master allocates blocks of RIDs to each domain controller in the domain. The domain
controller then assigns a RID to objects that are created from its allocated block of RIDs.
● Infrastructure master
When objects are moved from one domain to another, the infrastructure master updates
object references in its domain that point to the object in the other domain. The object
reference contains the object’s globally unique identifier (GUID), distinguished name, and
a SID. Active Directory periodically updates the distinguished name and the SID on the
object reference to reflect changes made to the actual object, such as moves within and
between domains and the deletion of the object.
The global catalog contains:
● The attributes that are most frequently used in queries, such as a user’s first name, last
name, and logon name.
● The information that is necessary to determine the location of any object in the directory.
● The access permissions for each object and attribute that is stored in the global catalog. If
you search for an object that you do not have the appropriate permissions to view, the
object will not appear in the search results. Access permissions ensure that users can
find only objects to which they have been assigned access.
A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory
partitions in the forest. Taking a user object as an example, it would by default have many
different attributes such as first name, last name, phone number, and many more. The GC will
by default only store the most common of those attributes that would be used in search
operations (such as a user’s first and last names, or login name, for example). The partial
attributes that it holds for that object are enough for a search to locate the full replica of the object
in Active Directory. This allows searches to be answered by a local GC and reduces the WAN traffic
that would otherwise be needed to locate objects elsewhere in the forest.
Domain Controllers always contain the full attribute list for objects belonging to their domain.
If the Domain Controller is also a GC, it will also contain a partial replica of objects from all
other domains in the forest.
Active Directory uses DNS as the name resolution service to identify domains and domain
host computers during processes such as logging on to the network.
Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B]
record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows
2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for
SRV records.
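As an added example (not part of the original text), the following Python shows what the SRV-based domain controller lookup involves: it builds the owner name a Windows client queries for LDAP-capable domain controllers, `_ldap._tcp.dc._msdcs.<domain>` (the standard locator name, with the site-specific form `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`), and orders the returned records the way RFC 2782 prescribes, lowest priority first and a weighted random choice within equal priority. The three SRV records are constructed sample data and the host names are invented.

```python
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV resource record: priority, weight, port and target host."""
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_name(domain: str, site: Optional[str] = None) -> str:
    """Owner name a client queries to find LDAP domain controllers for `domain`.

    Without a site this is the domain-wide list; with a site it is the
    site-specific list, which clients try first.
    """
    domain = domain.rstrip(".").lower()
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}."
    return f"_ldap._tcp.dc._msdcs.{domain}."


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782).

    Records are grouped by priority (lowest first). Within a priority group a
    target is picked at random with probability proportional to its weight;
    if every weight in the group is 0, any order is acceptable.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                pick = rng.choices(group, weights=[r.weight for r in group], k=1)[0]
            ordered.append(pick)
            group.remove(pick)
    return ordered


# Constructed sample answer for _ldap._tcp.dc._msdcs.contoso.com (not real data):
# two equally weighted DCs at priority 0 and a remote DC used only as a fallback.
SAMPLE_DC_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.contoso.com."),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.contoso.com."),
    SrvRecord(priority=10, weight=0, port=389, target="dc-remote.contoso.com."),
]


def first_candidate(records: List[SrvRecord], rng: Optional[random.Random] = None) -> SrvRecord:
    """The domain controller the client contacts first."""
    return order_srv(records, rng)[0]


if __name__ == "__main__":
    print(dc_locator_name("contoso.com"))
    for rec in order_srv(SAMPLE_DC_SRV, random.Random(7)):
        print(f"{rec.target}:{rec.port}  prio={rec.priority} weight={rec.weight}")
```

Because the remote DC carries a higher priority value, it is only tried after both priority-0 DCs fail to respond; the two local DCs are load-balanced by their equal weights.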
Types of Zones
There are two types of zones, forward lookup and reverse lookup. Forward lookup zones
contain information needed to resolve names within the DNS domain. They must include SOA
and NS records and can include any type of resource record except the PTR resource record.
Reverse lookup zones contain information needed to perform reverse lookups. They usually
include SOA, NS, PTR, and CNAME records.
With most queries, the client supplies a name and requests the IP address that corresponds
to that name. This type of query is typically described as a forward lookup. Active Directory
requires forward lookup zones.
However, what if a client already has a computer's IP address and wants to determine the
DNS name for the computer? This is important for programs that implement security based on
the connecting FQDN, and is used for TCP/IP network troubleshooting. The DNS standard
provides for this possibility through reverse lookups.
Once you have installed Active Directory, you have two options for storing your zones when
operating the DNS server at the new domain controller:
Standard Zone
Zones stored this way are located in .dns text files that are stored in the
%SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names
correspond to the name you choose for the zone when creating it, such as
Example.microsoft.com.dns if the zone name was example.microsoft.com.
This type offers the choice of using either a Standard Primary zone or a Standard Secondary
zone.
Directory-integrated Zone
Zones stored this way are located in the Active Directory tree under the domain object
container. Each directory-integrated zone is stored in a dnsZone container object identified by
the name you choose for the zone when creating it. Active Directory-integrated zones replicate this
information to the other domain controllers in that domain (on Windows Server 2003 a zone can instead
be stored in a DNS application directory partition and replicated only to the DNS servers in the domain
or forest).
Note: If DNS is running on a Windows 2000 server that is not a domain controller, it cannot use
Active Directory-integrated zones or replicate with domain controllers, since it does not have Active
Directory installed.
DNS Records
After you create a zone, additional resource records need to be added to it. The most
common resource records (RRs) to be added are:
Table 1. Record Types
Host (A): maps a DNS domain name to the IP address used by a computer.
Alias (CNAME): maps an alias DNS domain name to another, primary or canonical, name.
Mail Exchanger (MX): maps a DNS domain name to the name of a computer that exchanges or
forwards mail for that domain.
Pointer (PTR): maps a reverse DNS domain name, built from the IP address of a computer, to the
forward DNS domain name of that computer.
Service location (SRV): maps a DNS domain name to a list of DNS host computers that offer a
specific type of service, such as Active Directory domain controllers.
Other resource records as needed.
Q1. What does the logical component of the Active Directory structure include?
[Figure 1-2: two trees in one forest. The microsoft.com tree contains the child domains
sales.microsoft.com, RND.microsoft.com, East.microsoft.com and West.microsoft.com; the contoso.com
tree contains the child domains West.contoso.com and East.contoso.com.]
Figure 1-2 Trees in a forest share the same schema, but not the same namespace.
A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest.
However, you can create multiple forests and then create trust relationships between specific domains
in those forests; this would let you grant access to resources and accounts that are outside of a
particular forest.
■Organizational Units
Organizational Units (OUs) provide a way to create administrative boundaries within a domain.
Primarily, this allows you to delegate administrative tasks within the domain.
OUs serve as containers into which the resources of a domain can be placed. You can then assign
administrative permissions on the OU itself. Typically, the structure of OUs follows an organization’s
business or functional structure. For example, a relatively small organization with a single domain
might create separate OUs for departments within the organization.
Q3.What is nesting?
The creation of an OU inside another OU.
IMP: once you go beyond about 12 levels of OU nesting, you start running into significant
performance issues.
Q4. What is a trust relationship and how many types of trust relationship are there in Windows
Server 2003?
Since domains represent security boundaries, special mechanisms called trust relationships allow
objects in one domain (called the trusted domain) to access resources in another domain (called the
trusting domain).
Windows Server 2003 supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts
data they need. To this end, DFS uses site information to direct a client to the server that is hosting the
requested data within the site. If DFS does not find a copy of the data within the same site as the client,
DFS uses the site information in Active Directory to determine which file server that has DFS shared
data is closest to the client.
you may decide to allow replication only during slower times of the day. Of course, this delay in
replication (based on the schedule) can cause inconsistency between servers in different sites.
the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the
parent organizational unit is Users. For most objects, the relative distinguished name of an object is the
same as that object’s Common Name attribute. Active Directory creates the relative distinguished
name automatically, based on information provided when the object is created. Active Directory does
not allow two objects with the same relative distinguished name to exist in the same parent container.
The notations used in the relative distinguished name (and in the distinguished name discussed in the
next section) use special notations called LDAP attribute tags to identify each part of the name. The
three attribute tags used include:
■ DC The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM
or ORG.
■ OU The Organizational Unit (OU) tag identifies an organizational unit container.
■ CN The Common Name (CN) tag identifies the common name configured for an Active Directory
object.
■ Distinguished Names
Each object in the directory has a distinguished name (DN) that is globally unique and identifies not
only the object itself, but also where the object resides in the overall object hierarchy. You can think of
the distinguished name as the relative distinguished name of an object concatenated with the relative
distinguished names of all parent containers that make up the path to the object.
An example of a typical distinguished name would be:
CN=wjglenn,CN=Users,DC=contoso,DC=com.
This distinguished name would indicate that the user object wjglenn is in the Users container, which in
turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN
will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be
unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object’s
placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.
■ Canonical Names
An object’s canonical name is used in much the same way as the distinguished name— it just uses a
different syntax. The same distinguished name presented in the preceding section would have the
canonical name:
contoso.com/Users/wjglenn.
As you can see, there are two primary differences in the syntax of distinguished names and canonical
names. The first difference is that the canonical name presents the root of the path first and works
downward toward the object name. The second difference is that the canonical name does not use the
LDAP attribute tags (e.g., CN and DC).
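As an added example, not from the original text, the Python below implements the name handling described in the last three sections: splitting a distinguished name into RDNs (honouring backslash-escaped commas, which the text does not mention), converting a DN to its canonical form, deriving the parent container, showing how a move changes the DN but not the RDN, and enforcing the rule that two siblings cannot share an RDN. The DNs are the ones used in the text plus a constructed escaped example.

```python
from typing import List, Tuple


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, treating a backslash-escaped comma as part of a value."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep both chars for now
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_rdn(rdn_text: str) -> Tuple[str, str]:
    """'CN=wjglenn' -> ('CN', 'wjglenn'); escapes inside the value are resolved."""
    tag, _, value = rdn_text.partition("=")
    return tag.strip().upper(), value.replace("\\,", ",").replace("\\=", "=")


def rdn(dn: str) -> str:
    """The relative distinguished name: the leftmost component of the DN."""
    return split_rdns(dn)[0]


def parent(dn: str) -> str:
    """The DN of the container that holds the object."""
    return ",".join(split_rdns(dn)[1:])


def dn_to_canonical(dn: str) -> str:
    """CN=wjglenn,CN=Users,DC=contoso,DC=com -> contoso.com/Users/wjglenn.

    The DC components become the DNS domain name; the remaining components are
    listed root first and without their LDAP attribute tags.
    """
    parts = [parse_rdn(r) for r in split_rdns(dn)]
    domain = ".".join(v for t, v in parts if t == "DC")
    path = [v for t, v in reversed(parts) if t != "DC"]
    return "/".join([domain] + path)


def move(dn: str, new_parent: str) -> str:
    """Moving an object keeps its RDN but gives it a new DN under the new container."""
    return f"{rdn(dn)},{new_parent}"


class Container:
    """A parent container that refuses two children with the same RDN (compared case-insensitively)."""

    def __init__(self, dn: str):
        self.dn = dn
        self._children = {}

    def add(self, object_rdn: str) -> str:
        tag, value = parse_rdn(object_rdn)
        key = (tag, value.lower())
        if key in self._children:
            raise ValueError(f"{object_rdn} already exists in {self.dn}")
        full_dn = f"{object_rdn},{self.dn}"
        self._children[key] = full_dn
        return full_dn
```

Note that the canonical form cannot be converted back to a DN without the directory: it drops the tags, so `Users` could be either `CN=Users` or `OU=Users`.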
Q14. Which operations master role should be available when new security principals are being
created?
The relative ID master: it allocates the RID pools from which each domain controller builds the SIDs of
new security principals. The domain naming master is only needed when a domain is added to or
removed from the forest, not when security principals are created.
Q16. What is a group scope and what are the different types of group scopes?
Group scopes determine where in the Active Directory forest a group is accessible and what objects
can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local,
and universal.
■ Global groups are used to gather users that have similar permissions requirements. Global groups
have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global
group is created.
2. When the domain functional level is Windows 2000 native or Windows Server 2003 (i.e., the
domain contains no Windows NT 4.0 domain controllers), global groups can also contain other global
groups from the same domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.
■ Domain local groups are used to control access to resources in the local domain. In a Windows 2000
mixed-mode domain they can only be used on domain controllers (for member servers and workstations
you use local groups on those systems instead); at the Windows 2000 native or Windows Server 2003
functional level they can be used on any member computer in the domain. Domain local groups share
the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest no matter
what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain
local groups can also contain other domain local groups and universal groups.
■ Universal groups are normally used to assign permissions to related resources in multiple domains.
Universal groups share the following characteristics:
1. Universal security groups are available only when the domain functional level is Windows 2000
native or Windows Server 2003 (universal distribution groups can also be created in a mixed-mode
domain).
2. Universal groups exist outside the boundaries of any particular domain; their membership is
replicated to every Global Catalog server in the forest.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a
forest.
5. You can grant permissions for a universal group to any resource in any domain.
Q17. What are the items that groups of different scopes can contain in mixed and native mode
domains?
Dfs root: You can think of this as a share that is visible on the network, and in this share you can have
additional files and folders.
Dfs link: A link is another share somewhere on the network that goes under the root. When a user
opens this link they will be redirected to a shared folder.
Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical
shares, normally stored on different servers, you can group them together as Dfs Targets under the
same link.
The image below shows the actual folder structure of what the user sees when using DFS and load
balancing.
Windows Server 2003 offers a revamped version of the Distributed File System found in Windows 2000,
improved for better performance, added fault tolerance, load balancing and reduced use of network
bandwidth. It also comes with a set of command-line tools that make backing up and restoring DFS
namespaces easier. The Windows client operating system includes a DFS client which provides
additional features such as referral caching.
Media Access Control (MAC): this is the network adapter hardware address.
Q3. How does DNS really work?
DNS uses a client/server model in which the DNS server maintains a database of domain names
mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS
servers. The bottom line? DNS resolves domain names to IP addresses using these steps:
Step 1. A client (or "resolver") passes its request to its local name server. For example, the name
www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's
TCP/IP configuration. This DNS server is known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other name
servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more higher-level name servers until the
query resolution process starts with the far-right term (for instance
Figure 8-5:
A note for those who run their own name servers: although Allegiance Internet is capable of pulling
zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless
you have been assigned a full class C network. If you would like us to put PTR records in our name
servers for you, you will have to fill out the online web form on the support.allegianceinternet.com
page.
5. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are very simple; they merely state the
authoritative name servers for the given domain. There must be at least two NS records in every
DNS entry. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
There must also be an A record in your zone for each machine you enter as a name server in your
domain.
If Allegiance Internet is doing primary and secondary names service, we will set up these records for
you automatically, with “nse.algx.net” and “nsf.algx.net” as your two authoritative name servers.
6. Start Of Authority Records (SOA)
The “SOA” record is the most crucial record in a DNS entry. It conveys more information than all the
other records combined. This record is called the start of authority because it denotes the DNS entry
as the official source of information for its domain. Here is an example of a SOA record, then each
part of it will be explained:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
The first field is the domain for which this record starts authority. The next two entries should look
familiar. The “draven.foobarbaz.com” entry is the primary name server for the domain. The last entry
on this row is actually an email address, with the first “.” standing in for the “@” (so
hostmaster.foobarbaz.com means hostmaster@foobarbaz.com). There should always be a viable contact
address in the SOA record.
The next entries are a little more unusual than what we have become used to. The serial number is a
record of how often this DNS entry has been updated. Every time a change is made to the entry, the
serial number must be incremented. Other name servers that pull information for a zone from the
primary only pull the zone if the serial number on the primary name server’s entry is higher than the
serial number on their own copy. In this way the name servers for a domain are able to update themselves.
A recommended way of using your serial number is the YYYYMMDDNN format shown above, where
the NN is the number of times that day the DNS has been changed.
Also, a note for Allegiance Internet customers who run their own name servers: even if the serial
number is incremented, you should still fill out the web form and use the comment box when you
make changes asking us to pull the new zones.
All the rest of the numbers in the record are measurements of time, in seconds. The “refresh” number
is how often secondary name servers should check the primary for a change in the serial number.
“Retry” is how long a secondary server should wait before trying again after a refresh attempt has
failed. “Expire” is how long the secondary server may keep answering from its current copy of the zone
if it is unable to complete a refresh; after that it stops answering for the zone. “Minimum” was
originally the default TTL for records in the zone that do not carry their own; since RFC 2308 it is the
negative-caching TTL, i.e. how long other name servers may cache a “no such name” answer from this
zone.
There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up
this record for you if you are not running your own name server.
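As an added example (not part of the original text), the following Python parses the SOA record shown above from its master-file form, turns the responsible-person field into an e-mail address, implements the secondary's refresh decision using RFC 1982 serial-number arithmetic (which the text's "higher than" glosses over: serials wrap at 2^32), and generates the next serial in the YYYYMMDDNN convention without ever going backwards. The record text is a constructed copy of the one in the text.

```python
import re
from datetime import date
from typing import Dict

# The SOA record from the text above, as a constructed master-file snippet.
SOA_TEXT = """
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
"""

SERIAL_MODULUS = 2 ** 32


def rname_to_email(rname: str) -> str:
    """hostmaster.foobarbaz.com. -> hostmaster@foobarbaz.com; a backslash-escaped dot stays in the local part."""
    local, i = [], 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if rname[i] == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(rname[i])
        i += 1
    return "".join(local)


def parse_soa(text: str) -> Dict[str, object]:
    """Parse one SOA record in master-file syntax (comments and parentheses allowed)."""
    stripped = re.sub(r";[^\n]*", "", text)           # drop ';' comments to end of line
    tokens = stripped.replace("(", " ").replace(")", " ").split()
    idx = tokens.index("SOA")
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[idx + 3: idx + 8])
    return {
        "owner": tokens[0],
        "mname": tokens[idx + 1],               # primary name server
        "rname": tokens[idx + 2],
        "contact": rname_to_email(tokens[idx + 2]),
        "serial": serial, "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
    }


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is `a` newer than `b`, allowing for 32-bit wrap-around?"""
    return a != b and (a - b) % SERIAL_MODULUS < SERIAL_MODULUS // 2


def secondary_should_transfer(local_serial: int, primary_serial: int) -> bool:
    """What a secondary decides after its refresh query: pull the zone only if the primary is newer."""
    return serial_gt(primary_serial, local_serial)


def next_serial(current: int, today: date) -> int:
    """Next serial in YYYYMMDDNN form; never goes backwards even if the clock is behind the last edit."""
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    if current // 100 == candidate // 100:     # already edited today: bump NN
        return current + 1
    return candidate if serial_gt(candidate, current) else current + 1
```

The wrap-around case matters in practice: a secondary holding serial 4294967295 must still treat a primary serial of 1 as newer, and a date-based serial that was set in the future by mistake must be incremented rather than "corrected" downwards, because secondaries would otherwise never refresh again.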
Quick Summary of the major records in DNS
A mail exchange server is a host that will either process or forward mail for
the DNS domain name. Processing the mail means either delivering it to the
addressee or passing it to a different type of mail transport. Forwarding the
mail means sending it to its final destination server, sending it using Simple
Mail Transfer Protocol to another mail server that is closer to the final
destination, or queuing it for a specified amount of time.
Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS
Name, Preference Number.
Q5.What is a DNS zone
A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and
managed together. Often, a domain is split into several zones at subdomain boundaries to make
management easier.
For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support
and msdn are subdomains within the Microsoft.com domain.
Q6. Name the two Zones in DNS?
DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where
updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance
purposes and load balancing, a domain may have several DNS servers that respond to requests for
the same information.
The entries within a zone give the DNS server the information it needs to satisfy requests from other
computers or DNS servers.
Q7. How many SOA record does each zone contain?
Each zone will have one SOA record. This records contains many miscellaneous settings for the
zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings,
and a serial number (incremented with every update).
Q8. Short summary of the records in DNS.
The NS records are used to point to additional DNS servers. The PTR record is used for reverse
lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used
when configuring a domain for email.
Q9. What is an AD-integrated zone?
AD-integrated zones store the zone data in Active Directory and use the same replication process used
to replicate other data between domain controllers. The one catch with AD-integrated zones is that the
DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain
controllers may not be something you want to do if you plan on supporting a large volume of DNS
requests.
This server maintains the master copy of the zone in a local file. With this model, the primary server for
the zone represents a single fixed point of failure. If this server is not available, update requests from
DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster
update model.
In this model, any authoritative DNS server, such as a domain controller running a DNS server, is
designated as a primary source for the zone. Because the master copy of the zone is maintained in the
Active Directory database, which is fully replicated to all domain controllers, the zone can be updated
by the DNS servers operating at any domain controller for the domain.
With the multimaster update model of Active Directory, any of the primary servers for the directory-
integrated zone can process requests from DNS clients to update the zone as long as a domain controller
is available and reachable on the network.
Also, when using directory-integrated zones, you can edit the access control list (ACL) on the dnsZone
object container in the directory tree. This gives granular access control over either the whole zone or
a specified RR in the zone.
For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a
specified client computer or a secure group such as a domain administrators group. This security feature
is not available with standard primary zones.
Note that when you change the zone type to directory-integrated, the default for updating the zone
changes to allow only secure updates. Also, while you can put ACLs on DNS-related Active Directory
objects, those ACLs only govern who may write to the zone through secure dynamic update; they do not
restrict who may query the DNS server.
* Directory replication is faster and more efficient than standard DNS replication.
Because Active Directory replication processing is performed on a per-property basis, only relevant
changes are propagated. This allows less data to be used and submitted in updates for directory-stored
zones.
Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones
in the directory. It must store them in standard text files. The multimaster replication model of Active
Directory removes the need for secondary zones when all zones are stored in Active Directory.
Q15. What is the default interval when DNS server will kick off the scavenging process?
The default value is 168 hours, which is equivalent to 7 days.
DNS Q&A corner
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?
>
> VIP = 167.147.1.5
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
> ---------------    ---------------
> |    DNS 1    |    |    DNS 2    |
> ---------------    ---------------
>    1.1.1.1            1.1.1.2
There's usually not much need to design solutions like these, since most
name server implementations will automatically choose the name server
that responds most quickly. In other words, if DNS 1 fails, remote
name servers will automatically try DNS 2, and vice versa.
However, it can be useful for resolvers. In that case, you don't need to
worry about NS records (since resolvers don't use them), just setting up
a virtual IP address.
> Also, Is there any problems in running two Master/Primaries?
Just that you'd have to synchronize the zone data between the two
manually.
Q2. How does reverse mapping work?
> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's Dns server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?
Yes, actually, there is: in-addr.arpa.
If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the
octets of the IP address and appends "in-addr.arpa." So, in this case, the IP address would
become the domain name 206.1.114.161.in-addr.arpa.
Then the resolver sends a query for PTR records attached to that domain name. If necessary,
the resolution process starts at the root name servers. The root name servers refer the querier
to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American
Registry for Internet Numbers. These name servers refer the querier to 1.114.161.in-addr.arpa
name servers, run by Compaq. And, finally, these name servers map the IP address to
inmail.compaq.com.
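As an added example, not part of the answer above, the Python below does the two things that answer describes: it builds the reverse owner name for an address (IPv4 under in-addr.arpa, and, going beyond the answer, IPv6 nibble-by-nibble under ip6.arpa) and walks a delegation chain from the root to the zone that holds the PTR. The delegation data is constructed to mirror the answer (root to 161.in-addr.arpa, then to 1.114.161.in-addr.arpa, which holds the PTR for inmail.compaq.com); the name-server host names are invented.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """Build the owner name whose PTR record names the host at `ip`.

    IPv4: octets reversed under in-addr.arpa (206.1.114.161.in-addr.arpa.).
    IPv6: every hex nibble of the expanded address reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
        return ".".join(labels) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed delegation tree (not real data): the root delegates 161.in-addr.arpa
# to the registry (ARIN), which delegates 1.114.161.in-addr.arpa to the address
# holder, whose zone contains the PTR record.
ZONES: Dict[str, dict] = {
    ".": {"ns": ["a.root-servers.net."], "delegations": ["161.in-addr.arpa."]},
    "161.in-addr.arpa.": {"ns": ["arin-ns.example."], "delegations": ["1.114.161.in-addr.arpa."]},
    "1.114.161.in-addr.arpa.": {
        "ns": ["ns1.compaq.example."],
        "ptr": {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."},
    },
}


def resolve_ptr(qname: str, zones: Dict[str, dict]) -> Tuple[Optional[str], List[str]]:
    """Iteratively resolve a PTR query, following referrals from the root downwards.

    Returns (target or None, zones consulted in order). None means the last
    authoritative server had neither the record nor a delegation covering it.
    """
    current, path = ".", []
    while True:
        zone = zones[current]
        path.append(current)
        if qname in zone.get("ptr", {}):
            return zone["ptr"][qname], path
        child = next((z for z in zone.get("delegations", []) if qname.endswith("." + z)), None)
        if child is None:
            return None, path
        current = child


def reverse_lookup(ip: str, zones: Dict[str, dict] = ZONES) -> Tuple[Optional[str], List[str]]:
    """reverse_name() plus resolve_ptr() in one call."""
    return resolve_ptr(reverse_name(ip), zones)


if __name__ == "__main__":
    target, path = reverse_lookup("161.114.1.206")
    print(reverse_name("161.114.1.206"), "->", target, "via", " > ".join(path))
```

The referral path is also why PTR data is only as trustworthy as the address holder: whoever controls 1.114.161.in-addr.arpa can publish any name for those addresses, so software that authorises on a reverse-mapped name should confirm it with a forward lookup of that name back to the same address.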
Q3. What are the pros and cons of running slaves versus caching-only name servers?
> Question: I am in the process of setting up dns servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.
The main advantage of having slaves everywhere is that you have a
source of your own zone data on each name server. So if you have
a community of hosts near each slave that look up domain names in
your zones, the local name server can answer most of their queries.
On the other hand, administering slaves is a little more work than
administering caching-only name servers, and a little greater burden
on the primary master name server.
- Dynamic updaters determine where to send updates using the NS records, which they often get from
the authoritative name servers.
No. The refresh query (for the zone's SOA record) is usually done over UDP.
Q8. What's the largest number I can use in an MX record?
> Could you tell us the highest possible number we can use for the MX
> preference ?
Preference is an unsigned, 16-bit number, so the largest number you
can use is 65535.
IMP information
http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm
Q1. Which are the five FSMO roles?
Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then
the Windows 2000 domain controller, that is the PDC emulator, acts as a Windows NT 4 PDC
to the BDCs.
There is only one PDC emulator per domain.
Note: Some consider the PDC emulator to be relevant only in a mixed-mode domain. This is not true.
Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC
emulator is still necessary: password changes made on other domain controllers are replicated to it
preferentially and a failed logon is retried against it before being rejected, it is the authoritative time
source for the domain, and it is the domain controller on which Group Policy objects are edited by
default.
4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID Pool
requests from all DCs within a given domain. It is also responsible for removing an object
from its domain and putting it in another domain during an object move.
When a DC creates a security principal object such as a user, group or computer account, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique
in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues
a request for additional RIDs to the domain's RID master. The domain RID master responds
to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to
the pool of the requesting DC.
There is one RID master per domain in a directory.
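As an added example, not from the original text, the following Python models what the RID-master section here and the relative identifier master description earlier in the page state: a SID is the domain SID plus a RID, each domain controller assigns RIDs from its own pre-allocated block, and it asks the single RID master for a further block when the pool runs low. The simulation also shows the failure mode discussed later on the page: with the RID master unreachable, a DC keeps creating principals until its pool is empty and only then fails. The domain SID is constructed, and the pool size, low-water mark and the starting RID of 1000 are assumptions of the example (RIDs below 1000 are used by well-known accounts such as Administrator, RID 500).

```python
from collections import deque
from typing import Deque, List, Tuple


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """'S-1-5-21-a-b-c-1013' -> (revision, identifier authority, [sub-authorities...])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Separate the domain SID (shared by all principals of the domain) from the RID (unique within it)."""
    rev, auth, subs = parse_sid(sid)
    return f"S-{rev}-{auth}-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def build_sid(domain_sid: str, rid: int) -> str:
    return f"{domain_sid}-{rid}"


class RidMaster:
    """The single holder of the domain's unallocated RID pool; hands out disjoint blocks."""

    def __init__(self, first_free: int = 1000):   # assumption: RIDs below 1000 are reserved
        self.next_free = first_free
        self.online = True

    def allocate(self, size: int) -> range:
        if not self.online:
            raise ConnectionError("RID master unreachable")
        block = range(self.next_free, self.next_free + size)
        self.next_free += size
        return block


class DomainController:
    """Creates security principals from its own RID pool and refills the pool from the RID master."""

    def __init__(self, name: str, domain_sid: str, master: RidMaster, pool_size: int, low_water: int):
        self.name, self.domain_sid, self.master = name, domain_sid, master
        self.pool_size, self.low_water = pool_size, low_water
        self.pool: Deque[int] = deque()
        self.principals = {}
        self._refill()

    def _refill(self) -> bool:
        try:
            self.pool.extend(self.master.allocate(self.pool_size))
            return True
        except ConnectionError:
            return False                        # keep working from whatever is left in the pool

    def create_principal(self, sam_name: str) -> str:
        if not self.pool:
            raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unreachable")
        sid = build_sid(self.domain_sid, self.pool.popleft())
        self.principals[sam_name] = sid
        if len(self.pool) < self.low_water:     # request a new block early, before the pool is dry
            self._refill()
        return sid


# Constructed domain SID (not a real domain).
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
```

Because every block comes from one authority, two DCs never hand out the same RID even though they create accounts independently; that is the whole reason the role must be unique per domain.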
5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross domain
updates and lookups. When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID (for references to security
principals), and the distinguished name (DN) of the object being referenced. The
Infrastructure role holder is the DC responsible for updating an object's SID and distinguished
name in a cross-domain object reference.
When a user in DomainA is added to a group in DomainB, then the Infrastructure master is
involved. Likewise, if that user in DomainA, who has been added to a group in DomainB,
then changes his username in DomainA, the Infrastructure master must update the group
membership(s) in DomainB with the name change.
There is only one Infrastructure master per domain.
Impact if the role holder is unavailable:
Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are
rare (usually done by certain applications, or possibly an administrator adding an attribute to an object),
the malfunction of the server holding the Schema Master role will not pose a critical problem.
Domain Naming Master: The Domain Naming Master must be available when adding or removing a
domain from the forest (i.e. running DCPROMO to create or remove a domain). If it is not, the domain
cannot be added or removed. Like the Schema Master, this functionality is only used on occasion and is
not critical unless you are modifying your domain or forest structure.
PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is
unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4
BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4
PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server
Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of
the PDC emulator is less critical, because logons and password changes continue to work on the other
domain controllers; the role can be transferred or seized to another DC if the holder will not return.
RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts).
The failure of this FSMO server would have little impact unless you are adding a very large number of
users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if
the DC you are adding the users/groups on ran out of RIDs.
Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only
have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain
environment would be a problem if you are adding objects from one domain to groups in another.
Assuming you do have multiple domain controllers in your domain, there are some best practices to
follow for placing FSMO server roles.
The Schema Master and Domain Naming Master should reside on the same server, and that machine
should be a Global Catalog server. Since all three are, by default, on the first domain controller
installed in a forest, then you can leave them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are
going to separate the Domain Naming master and Schema master, just make sure they are both on
Global Catalog servers.
IMP: Why should the Infrastructure Master not be on the same server that acts as a Global
Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog server.
The reason is that the Global Catalog contains information about every object in the forest. When
the Infrastructure Master, which is responsible for updating Active Directory information about
cross-domain object changes, needs information about objects not in its domain, it contacts the
Global Catalog server for this information. If they both reside on the same server, the
Infrastructure Master will never think there are changes to objects that reside in other domains,
because the Global Catalog will keep it constantly updated. This would result in the Infrastructure
Master never replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.
Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not
mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended.
Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on
a server that can handle the load.
It is also recommended that all FSMO role holders be direct replication partners and they have high
bandwidth connections to one another as well as a Global Catalog server.
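The placement rules above can be checked rather than remembered. The following is an added example, not part of the original notes: it reads the role holders and Global Catalog list with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, not the Windows 2000 tools the notes describe) and reports any placement that departs from these recommendations. It assumes the module is installed and you have read access to the forest.

```powershell
# Added example (not part of the original notes): audit FSMO placement against
# the best practices described above. Uses the ActiveDirectory PowerShell
# module (Windows Server 2008 R2 and later), not the Windows 2000 snap-ins and
# netdom the notes describe, and assumes read access to the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param(
        # DNS name of the domain to audit; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest   = Get-ADForest
    $dom      = Get-ADDomain -Identity $Domain
    $dcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcHosts  = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    $findings = New-Object System.Collections.Generic.List[string]

    # Forest-wide roles: keep Schema Master and Domain Naming Master together,
    # and both on Global Catalog servers (string compares are case-insensitive).
    $schema = $forest.SchemaMaster
    $naming = $forest.DomainNamingMaster
    if ($schema -ne $naming) {
        $findings.Add("Schema Master ($schema) and Domain Naming Master ($naming) are on different DCs.")
    }
    foreach ($role in @(@{ Name = 'Schema Master'; Holder = $schema },
                        @{ Name = 'Domain Naming Master'; Holder = $naming })) {
        if ($forest.GlobalCatalogs -notcontains $role.Holder) {
            $findings.Add("$($role.Name) holder $($role.Holder) is not a Global Catalog server.")
        }
    }

    # Domain-wide roles: PDC Emulator and RID Master recommended on one server.
    $pdc = $dom.PDCEmulator
    $rid = $dom.RIDMaster
    $im  = $dom.InfrastructureMaster
    if ($pdc -ne $rid) {
        $findings.Add("PDC Emulator ($pdc) and RID Master ($rid) are on different DCs.")
    }

    # Infrastructure Master must not be a GC in a multi-domain forest, or it will
    # never see stale cross-domain references and never replicate the fixes.
    # Exception (well known, not stated in the notes): if every DC in the domain
    # is already a GC, no DC holds stale references and the placement is harmless.
    $multiDomain = @($forest.Domains).Count -gt 1
    $allDcsAreGc = ($gcHosts.Count -eq $dcs.Count)
    if ($multiDomain -and -not $allDcsAreGc -and ($gcHosts -contains $im)) {
        $findings.Add("Infrastructure Master $im is a Global Catalog server in a multi-domain forest.")
    }

    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        SchemaMaster         = $schema
        DomainNamingMaster   = $naming
        PDCEmulator          = $pdc
        RIDMaster            = $rid
        InfrastructureMaster = $im
        GlobalCatalogs       = $gcHosts
        Findings             = @($findings)
    }
}

# Usage: run on a domain-joined admin workstation with RSAT installed.
Test-FsmoPlacement | Format-List
```

An empty Findings list means every role holder sits where these notes recommend.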
Before you can transfer a role, you must have the appropriate permissions depending on which role you
plan to transfer:
Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group
FSMO TOOLS
Q8. Which tools show which servers in your domain/forest hold which FSMO roles?
1. Active Directory Users and Computers: use this snap-in to find out where the domain level
FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the
location of one or more of these 3 FSMO roles.
Open Active Directory Users and Computers, right click on the domain you want to view the FSMO
roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each
FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must
first connect to the domain controller you want to move it to. Do this by right clicking "Active
Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and
choose "Connect to Domain Controller". Once connected to the DC, go back into the Operations
Masters dialog box, choose a role to move and click the Change button.
When you do connect to another DC, you will notice the name of that DC will be in the field below the
Change button (not in this graphic).
2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain
Naming Master FSMO role is and to change its location.
The process is the same as it is when viewing and changing the Domain level FSMO roles in
Active Directory Users and Computers, except you use the Active Directory Domains and
Trusts snap-in. Open Active Directory Domains and Trusts, right click "Active Directory
Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do,
you will see the dialog box below. Changing the server that houses the Domain Naming
Master requires that you first connect to the new domain controller, then click the Change
button. You can connect to another domain controller by right clicking "Active Directory
Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and
choosing "Connect to Domain Controller".
3. Active Directory Schema: this snap-in is used to view and change the Schema Master
FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows
2000 administrative tools or installation. You first have to install the Support Tools from the
\Support directory on the Windows 2000 server CD or install the Windows 2000 Server
Resource Kit. Once you install the support tools you can open up a blank Microsoft
Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in
is open, right click "Active Directory Schema" at the top of the tree and choose "Operations
Masters". You will see the dialog box below. Changing the server the Schema Master
resides on requires you first connect to another domain controller, and then click the Change
button.
You can connect to another domain controller by right clicking "Active Directory Schema" at
the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".
4. Netdom
The easiest and fastest way to find out what server holds what FSMO role is by using the
Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is
only available if you have installed the Support Tools from the Windows 2000 CD or the
Win2K Server Resource Kit.
To use Netdom to view the FSMO role holders, open a command prompt window and type:
netdom query fsmo
and press enter. You will see a list of the FSMO role servers:
5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the
Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000
Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain
Controller. Once added, right click the Server name and choose properties. Click the FSMO
Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles
using Replication Monitor, but this tool has many other useful purposes in regard to Active
Directory information. It is something you should check out if you haven't already.
Finally, you can use the Ntdsutil.exe utility to gather information about and change servers
for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000
server, is rather complicated and beyond the scope of this document.
6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders
Part of the Microsoft Windows 2000 Server Resource Kit
Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
Prints to the screen, the current FSMO holders
Calls NTDSUTIL to get this information
7. NLTEST
Command-line tool to perform common network administrative tasks
Type “nltest /?” for syntax and switches
Common uses
Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller
8. Adcheck (470k) (3rd party)
A simple utility to view information about AD and FSMO roles
http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi
Q9. How to Transfer and Seize a FSMO Role
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
GROUP POLICY
You have to have Administrative privileges to create/modify group policies. The following table shows
who can create/modify group policies:
There are two nodes in each Group Policy Object that is created: a Computer node and a User
node. They are called Computer Configuration and User Configuration (see image above). The
policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that
computer will see those policies.
Note: Computer policies are also referred to as machine policies.
User policies are user specific. They only apply to the user that is logged on. When creating Domain
Group Policies you can disable either the Computer node or User node of the Group Policy Object you
are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes
to apply the policies.
To disable the node policies: After creating a Group Policy Object, click that Group Policy Object on
the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of
the General tab.
It's important to understand that when Group Policies are being applied, all the policies for a node are
evaluated first, and then applied. They are not applied one after the other. For example, say Sally the
user is a member of the Development OU and the Security OU. When Sally logs onto her PC the
policies set in the User node of both the Development OU and the Security OU Group Policy
Objects are evaluated, as a whole, and then applied to Sally the user. They are not applied
Development OU first, and then Security OU (or vice versa).
The same goes for Computer policies. When a computer boots up, all the Computer node policies for
that computer are evaluated, then applied.
When computers boot up, the Computer policies are applied. When users login, the User policies are
applied. When user and computer group policies overlap, the computer policy wins.
Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer
will have.
When applying multiple Group Policy Objects from any container, Group Policies are applied from
bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In
the above image you can see three Group Policy Objects associated with the Human Resources OU.
These policies would be applied No Windows Update first, then No Display Settings, then No
ScreenSaver. If there were any conflicts in the policy settings, the one above would take
precedence.
click - a little check will appear. Click the Edit button, make your changes, then double click under the
Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for
troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group
Policy tab and select the Disabled check box.
Background refresh for non-DCs (PCs and Member Servers) is every 90 mins., with a +/- 30 min.
interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background
refresh is every 5 mins.
Also, every 16 hours every PC will request all group policies to be reapplied (user and machine).
These settings can be changed under Computer and User Nodes, Administrative Templates, System,
Group Policy.
Q9. Which policies are not affected by background refresh?
The following policies are not affected by background refresh. They are only applied at logon time:
Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts
These parameters will only refresh any user or computer policies that have changed since the last
refresh. To force a reload of all group policies regardless of the last change, use:
secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP
computer. It has replaced the secedit command. To use gpupdate, open a command prompt and
type:
gpupdate /target:user to refresh the user policies
gpupdate /target:machine to refresh the machine (or computer) policies
As with secedit, these parameters will only refresh any user or computer policies that have changed
since the last refresh. To force a reload of all group policies regardless of the last change, use:
gpupdate /force
Notice the /force switch applies to both user and computer policies. There is no separation of the two
like there is with secedit.
Q10. What is the Default Setting for Dial-up users?
Win2000 considers a slow dial-up link as anything less than 500kbps. When a user logs into a domain
on a link under 500k some policies are not applied.
Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about
applying Group Policies.
Q11. Which policies are applied regardless of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the dial-up connection. These are:
Administrative Templates
Security Settings
EFS Recovery
IPSec
Q12. Which policies are not applied over slow links?
IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance
These settings can be changed under Computer and User Nodes, Administrative Templates,
System, Group Policy.
If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen,
once the user is authenticated, the computer policies are applied first, followed by the user policies.
If the user connects to the domain using "Network and Dial-up Connections", after they logon, the
policies are applied using the standard refresh cycle.
There are two default group policy objects that are created when a domain is created. The Default
Domain policy and the Default Domain Controllers policy.
Default Domain Policy - this GPO can be found under the group policy tab for that domain. It is the
first policy listed. The default domain policy is unique in that certain policies can only be applied at the
domain level.
If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security
Settings, Account Policies, you will see three policies listed:
Password Policy
Account Lockout Policy
Kerberos Policy
These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or
OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting
these policies for users who log on locally to their PCs. Log in to the domain and you get the domain
policy; log in locally and you get the OU policy.
If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies,
Security Options, there are 3 policies that are affected by Default Domain Policy:
Automatically log off users when logon time expires
Rename Administrator Account - When set at the domain level, it affects the Domain Administrator
account only.
Rename Guest Account - When set at the domain level, it affects the Domain Guest account only.
The Default Domain Policy should be used only for the policies listed above. If you want to create
additional domain level policies, you should create additional domain level GPOs.
Do not delete the Default Domain Policy. You can disable it, but it is not recommended.
Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers
OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the
domain regardless of where you put the domain controllers. That is, no matter where you put your
domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.
Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit
Policies, Event Log settings, who can logon locally and so on.
The following command would replace both the Default Domain Security Policy and Default
Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only
restore one or the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where you want to reset the
GPO.
If you've ever made changes to the default GPOs and would like to revert back to the original
settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the
schema. If the version it expects to be current is different from what is in Active Directory, it
will not restore the GPOs. You can work around this by using the /ignoreschema switch, which
will restore the GPO according to the version dcgpofix thinks is current. The only time you might
experience this issue is if you install a service pack on a domain controller (dc1) that extends the
schema, but have not installed it yet on a second domain controller (dc2). If you try to run
dcgpofix from dc2, you will receive the error, since a new version of the schema and the
dcgpofix utility were installed on dc1.
Q15. What are the two exceptions to control the inheritance of the group policy?
■ No Override When you link a GPO to a container, you can configure a No Override option that
prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This
provides a way to force child containers to conform to a particular policy.
■ Block Inheritance You can configure the Block Inheritance option on a container to prevent the
container from inheriting GPO settings from its parent containers. However, if a parent container has
the No Override option set, the child container cannot block inheritance from this parent.
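The bottom-to-top application order, No Override and Block Inheritance described above can be seen on a live container. This is an added example, not part of the original notes: it uses the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT, where No Override is called Enforced) rather than the Windows 2000 Group Policy tab, and the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example (not part of the original notes): list the order in which GPOs
# are processed for a container, marking Enforced links (the "No Override"
# option in these notes) and Block Inheritance. Uses the GroupPolicy PowerShell
# module (Windows Server 2008 R2 / RSAT); the default OU DN is a placeholder.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param(
        # Distinguished name of the OU or domain to inspect (placeholder value).
        [string]$Target = 'OU=Human Resources,DC=example,DC=com'
    )
    $inh = Get-GPInheritance -Target $Target

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $($inh.Path): only Enforced parent links get through."
    }

    # InheritedGpoLinks is in precedence order: index 0 is the top of the list,
    # the GPO applied last and therefore the one that wins a conflict. Reverse it
    # to show the bottom-to-top order in which the settings are actually applied.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $step = 0
    foreach ($link in $links) {
        $step++
        $note = ''
        if ($link.Enforced -and $link.Target -ne $inh.Path) {
            $note = 'Enforced at a parent: cannot be blocked or overridden here'
        } elseif (-not $link.Enabled) {
            $note = 'Link disabled (Disable column / Options check box): not applied'
        }
        [pscustomobject]@{
            Step     = $step
            Gpo      = $link.DisplayName
            LinkedAt = $link.Target   # container the GPO is linked to
            Enforced = $link.Enforced
            Enabled  = $link.Enabled
            Note     = $note
        }
    }
}

# Usage: the last row printed is the GPO whose settings take precedence.
Get-GpoProcessingOrder | Format-Table -AutoSize
```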
Q16. How to Redirect New User and Computer Accounts?
By default, new user and computer accounts are created in the Users and Computers containers,
respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in
containers inherit GPOs linked to the domain, you may have a situation that requires user accounts
and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003
includes two new tools that let you redirect the target location for new user and computer accounts.
You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts.
Once you choose the OU for redirection, new user and computer accounts are created directly in the
new target OU, where the appropriate GPOs are linked. For example, you could create an OU named
New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to
the New Users OU. Any new users created would immediately be affected by the settings in the GPO.
Administrators could then move the new user accounts to a more appropriate location later. You can
find both of these tools in the %windir%\system32 folder on any computer running Windows Server
2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the
Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base
at http://support.microsoft.com.