Documente Academic
Documente Profesional
Documente Cultură
The above command will allow you to access the database using port 10289.
Now you can useLDP.exetool to connect to this mounted instance.
If you migrating windows 2003 environment to windows 2008 then its 60 day’s
you can use the below command to check/view the current tombstone lifetime value for your Domain/Forest
dsquery * “cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=” –scope base –attr
tombstonelifetime
Replace forestDN with your domain partition DN, for domainname.com the DN would be dc=domainname, dc=com
Source: http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx
3. How to find the domain controller that contains the lingering object
If we enable Strict Replication Consistency
Lingering objects are not present on domain controllers that log Event ID 1988. The source domain controller
contains the lingering object
If we doesn’t enable Strict Replication Consistency
Lingering objects are not present on domain controllers that log Event ID 1388. Domain controller that doesn’t log
Event ID 1388 and that domain controller contain the lingering object
You have a 100 Domain controllers which doesn’t enable Strict Replication Consistency, then you will get the Event
ID 1388 on all the 99 Domain controllers except the one that contain the lingering object
Need to Remove Lingering Objects from the affected domain controller or decommission the domain controller
You can use Event Comb tool (Eventcombmt.exe) is a multi-threaded tool that can be used to gather specific events
from the Event Viewer logs of different computers at the same time.
You can download these tools from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-
b18c4790cffd&DisplayLang=en
4. What are Active Directory ports:
List of Active Directory Ports for Active Directory replication and Active Directory authentication, this ports can be
used to configure the Firewall
Active Directory replication- There is no defined port for Active Directory replication, Active Directory replication
remote procedure calls (RPC) occur dynamically over an available port through RPCSS (RPC Endpoint Mapper) by
using port 135
File Replication Services (FRS)- There is no defined port for FRS, FRS replication over remote procedure calls
(RPCs) occurs dynamically over an available port by using RPCSS (RPC Endpoint Mapper ) on port 135
Other required ports for Active Directory
Insert the DVD to DVD drive and boot using DVD, Setup will load all the installation files.
1. On the Install Windows page, select your language and locale preferences, and then
click Next
2. Click Install
Now
3. On the Select the operating system you want to install page, select the OS you want to install, and then
clickNext
4. Accept the licence terms, and then
click Next
5. On the Which type of installation do you want? page,
select Custom
6. On the Where do you want to install Windows? page, select the disk you want to install Windows on, and then
click Next
7. The installation process will
begin
8. Once the installation is complete, you will be prompted to change your password.
Click Next
9. Enter and confirm a new password, and then click the arrow
button
10. You will receive a message informing you that the password was changed.
Click OK.
11. Since this is the first time you are logging onto the computer, Windows will create your
profile
12. Once this is complete, your desktop will load and you will be presented with the Initial Configuration
Taskswizard
13. Use the Initial Configuration Tasks wizard to provide computer information, such as time zone, network
configuration, and computer name.
14. When you close the Initial Configuration Tasks wizard, your desktop will be
displayed
About these ad
2. Login with ./administrator and the domain recovery mode password you set up while running Dcpromo
In the above command, since backup is stored locally on disk, we haven’t specified the network location but if the
backup is on a SAN or on another server, we need to specify UNC in backuptarget switch.
6. After the restore, type ntdsutil activate instance NTDS
7. Type authoritative restore to get into the right NTDSUTIL context
8. Type restore object “distinguishedName” for a single account or restore subtree “distinguishedName” if you are
restoring an entire OU.
9. Reboot normally
Windows Server 2008 Boot process.
1. System is powered on
2. The CMOS loads the BIOS and then runs POST
3. Looks for the MBR on the bootable device
4. Through the MBR the boot sector is located and the BOOTMGR is loaded
5. BOOTMGR looks for active partition
6. BOOTMGR reads the BCD file from the \boot directory on the active partition
7. The BCD (boot configuration database) contains various configuration parameters( this
information was previously stored in the boot.ini)
8. BOOTMGR transfer control to the Windows Loader (winload.exe) or winresume.exe in
case the system was hibernated.
9. Winloader loads drivers that are set to start at boot and then transfers the control to
the windows kernel.
Types of Backup
There are mainly three types of backup.
1. Full backup or Normal backup. This backs ups the entire contents including the systemstate data of the
server from where the backup is being run. you have the option to choose this. After backup is done, the
attribute of the backed up file/folder is reset.
2. Incremental backup - This backups up files and folders that have been modified or created after the
previous backup. After this backup, the attribute is again reset.
3. Differential backup - This backs up files and folders that have been modified or created after a previous
full or incremental backup. The difference here is that the attributes are not reset. Hence every time it
backups all the files whose attributes have not been reset or changed.
Normal—Backs up the files you select, and marks the files as backed up.
Incremental—Backs up the files that changed since the last backup, and marks the files as
backed up.
Differential—Backs up the files that changed since the last backup, but doesn’t mark the
files as backed up.
Copy—Backs up the files you select, but doesn’t mark the files as backed up.
Daily—Backs up the files that changed that day, but doesn’t mark the files as backed up.
Differential backup
Differential backups copy those files that have been changed since the last full backup took
place. So if a full backup was done on Day 1, Day 2's differential will copy all of the files that
have changed since Day 1's backup copied everything. Day 3's differential backup will also copy
all of the files that have changed since Day 1's full copy was made.
The key advantage of differential backups comes when data needs to be restored. Because a
full backup was taken and the differentials copied everything that subsequently changed, only
the full backup and the latest differential need to be restored.
The main disadvantage is that the size of the differential copy increases each time a backup is
taken until the next full version is made, which can begin to impinge on backup window
duration.
Incremental backup
Incremental backups copy all of the files that have changed since the last backup was made.
They do this whether the last backup was a full one or an incremental copy. So if a full backup
was done on Day 1, Day 2's incremental will back up all of the files that have changed since Day
1. Likewise, Day 3's incremental backup will only copy those files that have changed since Day
2's incremental took place.
The main advantage to incremental backups is that fewer files are copied in the period between
full backups, which means you will get a shorter backup window. The main disadvantage is that
when you want to carry out a complete restore, the most recent full backup and all of the
subsequent incremental copies must be restored. This can make the restore process a lengthier
one than when using a full backup plus the most recent differential copies only.
The Global Catalog Partition is created automatically by software on the Domain Controller. This software copies
some of the attributes for each object in the Global Catalog Partition. This information is replicated to other Domain
Controllers inside and outside the domain. This is how, given enough time, all Global Catalog servers will have a
partial replicate of all objects in the domain.
Schema Partition
The schema partitions define what can be stored in the Active Directory database. It essentially defines the layout of
the database. The schema partition is replicated to all Domain Controllers in the forest and defines the Active
Directory database for all Domain Controllers in the domain.
Configuration Partition
This partition contains configuration information for the whole forest. For example, it contains information about sites
in the forest and partition defined in the Active Directory database. This partition is replicated to all Domain
Controllers in the forest.
Application Partition
The application partition is created by Applications to store their data. It is different from any other partition in that the
application can choose which Domain Controller or Controllers to store the data on. The advantage for the application
storing the data this way is that the application has access to the same replicate and fault tolerance used by the
Domain Controllers. An example of an Application is DNS Integrated Active Directory Zones. When this zone type is
used, the data is stored in an application partition.
Active Directory extends the single-master model found in earlier versions of Windows to include multiple
roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active
Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO)
role. Currently in Windows there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving
RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is
one RID master per domain in a directory.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external
source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time
partner.
In a Windows domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000. The
PDC emulator still performs the other functions as described in a Windows 2000 environment.
The following information describes the changes that occur during the upgrade process:
Windows clients (workstations and member servers) and down-level clients that have installed the
distributed services client package do not perform directory writes (such as password changes)
preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000,
the PDC emulator receives no down-level replica requests.
Windows clients (workstations and member servers) and down-level clients that have installed the
distributed services client package use the Active Directory to locate network resources. They do
not require the Windows NT Browser service.
If all the domain controllers in a domain also host the global catalog, all the domain controllers
have the current data, and it is not important which domain controller holds the infrastructure
master role.
When the Recycle Bin optional feature is enabled, every DC is responsible to update its cross-
domain object references when the referenced object is moved, renamed, or deleted. In this case,
there are no tasks associated with the Infrastructure FSMO role, and it is not important which
domain controller owns the Infrastructure Master role. For more information, see 6.1.5.5
Infrastructure FSMO Role at http://msdn.microsoft.com/en-us/library/cc223753.aspx
Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for
information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When
the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in
the %windir%\System32\Dns folder on the server.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for
information about this zone. The zone at this server must be obtained from another remote DNS server
computer that also hosts the zone. This DNS server must have network access to the remote DNS server
that supplies this server with updated information about the zone. Because a secondary zone is merely a
copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information
about the authoritative name servers for this zone. The zone at this server must be obtained from another
DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to
copy the authoritative name server information about the zone.
You can use stub zones to:
Keep delegated zone information current. By updating a stub zone for one of its child zones
regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a
current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub
zone's list of name servers, without having to query the Internet or an internal root server for the
DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can
distribute a list of the authoritative DNS servers for a zone without using secondary zones.
However, stub zones do not serve the same purpose as secondary zones, and they are not an
alternative for enhancing redundancy and load sharing.
NOTE
If you've already registered schmmgmt.dll and built an Active Directory Schema console, you can skip this
section. If you don't know what I'm talking about, follow along here. You can't hurt anything by doing this again,
even if it was already done at some point.
To register the console, click Start, Run and type regsvr32 schmmgmt.dll in the dialog box. You'll receive
confirmation that the registration succeeded (see Figure 2).
3. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box opens.
4. Click Add. The Add Standalone Snap-in dialog box appears. The Active Directory Schema should now be
available as a snap-in, as shown in Figure 3. Select it and click Add.
5. Click Close to close the Add/Remove Standalone Snap-in dialog box. Click OK in the Add/Remove Snap-
in dialog box. You should now see the Active Directory Schema snap-in in the Console1 MMC.
6. Choose File, Save As. The Save As dialog box opens. In the file name box, typeSchema.msc. In the
Save in box, select Desktop. Click Save. This saves a Schema console on the desktop.
Scope
Scope Possible Members Can Grant Permissions Possible Member of
Conversion
Univer Accounts from any domain Can be On any domain in the Other Universal groups in
sal in the same forest converted to same forest or trusting the same forest
Global groups from any Domain Local forests Domain Local groups in
domain in the same forest scope the same forest or
Other Universal groups Can be trusting forests
from any domain in the converted to Local groups on
same forest Global scope if computers in the same
the group does forest or trusting forests
not contain any
other Universal
groups
Global Accounts from the same Can be On any domain in the Universal groups from
domain converted to same forest, or trusting any domain in the same
Other Global groups from Universal scope domains or forests forest
the same domain if the group is Other Global groups
not a member from the same domain
of any other Domain Local groups
global group from any domain in the
same forest, or from any
trusting domain
Got an email asking about what the equivalent is in the IBM server for the RIB/ILO card in HP.
I have to confess not having played much with the IBM servers ILO, but as I understand it, you
have a IBM Remote Supervisor Adaptor which provides the same functionality: