Posts Tagged ‘Windows 2000’

Types of Trust Relationships in Windows 2008 Active Directory

Posted by Alin D on June 26, 2011

Simply stated, a trust relationship is a configured link that enables a domain to access resources in another domain, or a forest to access resources in another forest. A trust relationship provides such access to users without the need to create additional user accounts in the other forest or domain. Consequently, administrators do not need to configure multiple user accounts, and users do not need to remember multiple usernames and passwords.

This part of article introduces the following types of trust relationships:

■ Transitive trusts

■ Forest trusts

■ External trusts

■ Realm trusts

■ Shortcut trusts

Transitive Trusts

Microsoft introduced the concept of transitive trusts in Windows 2000. This represented a considerable improvement over the previous Windows NT trusts that required explicitly defining each and every trust relationship, a requirement that could become unwieldy in a large enterprise network.To understand the principle of transitive trusts. In a nontransitive trust, as was the case in Windows NT 4.0, if you configured Domain A to trust Domain B and Domain B to trust Domain C, Domain A does not trust Domain C unless you configure a separate trust relationship. Furthermore, the trust relationship worked in one direction; for a two-way trust relationship, you had to create two separate trusts, one in each direction.

In all versions of Active Directory back to Windows 2000, the default behavior is that all domains in the forest trust each other with two-way transitive trust relationships. Whenever you add a new child domain or a new domain tree to an existing forest, new trust relationships are automatically created with each of the other domains in the forest. These trusts do not require administrative intervention. The other types of trust relationships, which we discuss next, require manual configuration by the administrator.

Forest Trusts

A forest trust is used to share resources between forests. This type of trust relationship consists of transitive trusts between every domain in each forest. The trust relationship is created manually and can be either one-way or two-way. The following are several benefits of a forest trust:

■ They provide simple management of resource sharing by reducing the number of external trusts required in multidomain forests.

■ They enable a wider scope of user principal name (UPN) authentication across all domains in the trusting forests.

■ They provide increased administrative flexibility by allowing administrators to collaborate on task delegation across forest boundaries.

■ Each forest remains isolated in certain aspects, such as directory replication, schema modification, and adding domains, all of which affect only the forest to which they apply.

■ They improve the trustworthiness of authorization data. You can use both the Kerberos and NTLM authentication protocols when authenticating across forests.

External Trusts and Realm Trusts

External trusts are one-way individual trust relationships that you can set up between two domains in different forests. They are nontransitive, which means you use them explicitly to define a one-to-one relationship between domains. You can use them to create trust relationships with AD DS domains operating at the Windows 2000 domain functional level or with Windows NT 4.0 domains. Furthermore, you can use an external trust if you need to create a trust relationship that involves only specific domains within two different forests.

You can use a realm trust to share information between an AD DS domain and any non-Windows realm that supports Kerberos version 5 (V5), such as UNIX. A realm trust supports UNIX identity management to enable users in UNIX realms to seamlessly access Active Directory resources by means of password synchronization with Windows Server 2008’s Server for Network Information Service (NIS) feature. Password synchronization enables users with accounts in UNIX realms in AD DS to synchronize password changes across both the AD DS domain and the UNIX realm. Furthermore, an AD DS domain controller can act as a master NIS server for the UNIX realm.

Shortcut Trusts

Unlike the previously discussed trusts, a shortcut trust relationship exists within a single forest. It is an additional trust relationship between two child domains, which optimizes the authentication process when a large number of users require access to resources in another domain. It is especially useful if the normal authentication path must cross several domains.

Suppose that users in the C.A.A.com domain require access to the C.B.B.com domain, which is located in another tree of the same forest. The authentication path must cross five domain boundaries to access the C.B.B.com domain. If an administrator sets up a shortcut trust between these two domains, the logon process speeds up considerably. This is also true for other possible authentication paths such as B.A.com to B.B.com or even C.A.A.com to B.A.com.

Posted in Windows 2008 | Tagged: AD DS domain controller, Administrator, Network Information Service, UNIX, Windows 2000, Windows NT 4.0, windows server 2008 | Leave a Comment »

DNS and Active Directory Integration Overview

Posted by Alin D on March 2, 2011

DNS and Active Directory Integration Overview

DNS is the primary name registration and resolution service in Windows 2000 and Windows Server 2003, and provides a hierarchically distributed and scalable database; provides name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients; and locates domain controllers for logon. A DNS server is a computer running the DNS Server service that provides domain name services. The DNS server manages the DNS database that is located on it. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace.

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace – it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. Zone files store resource records for the zones over which a DNS server has authority

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone. There are a number of zones used in Windows Server 2003 DNS. The different types of zones used in Windows Server 2003 DNS are listed below:

Primary zone: This is the only zone type that can be edited or updated because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. You can also back up data from a primary zone to a secondary zone.
Secondary zone: A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer.
Active Directory-integrated zone: An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. Zone data of an Active Directory-integrated zone is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy the security features of Active Directory.
Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone.

The main zone types used in Windows Server 2003 DNS environments are primary zones and Active Directory-integrated zones. Both primary zones and secondary zones are standard DNS zones that use zone files. The main difference between primary zones and secondary zones is that primary zones can be updated. Secondary zones contain read-only copies of zone data.

An Active Directory-integrated zone can be defined as an improved version of a primary DNS zone because it can use multi-master replication and the security features of Active Directory. The zone data of Active Directory-integrated zones are stored in Active Directory. Active Directory-integrated zones are authoritative primary zones.

A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementations are:

Active Directory replication is faster, which means that the time needed to transfer zone data between zones is far less.
The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.
Active Directory-integrated zones can enjoy the security features of Active Directory.
The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.
When DNS and Active Directory are integrated; the Active Directory-integrated zones are replicated, and stored on any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed

Anuj Sharma(System Administartor)

http://www.winservers.co.in

Article from articlesbase.com

Posted in Windows 2008 | Tagged: Active, Anuj Sharma, Directory, dns, domain name services, Integration, Overview, Windows 2000, Windows Server 2003 | Leave a Comment »

Configuring and Troubleshooting Active Directory Replication

Posted by Alin D on February 16, 2011

An Overview of Active Directory Replication

Active Directory is a distributed multimaster replicated database. All domain controllers host a full replica of the domain information for its own domain. Domain controllers in Windows 2000 and Windows Server 2003 environments hold a read/write copy of the Active Directory database. In these environments, changes can be made to the Active Directory database on any domain controller within the Active Directory environment. Replication is the process that ensures that changes made to a replica on one domain controller are transferred to replicas on the remainder of the domain controllers. When an object in Active Directory is created, deleted, moved, or changed; Active Directory replication is triggered.

In Windows 2000 and Windows Server 2003 environments, the types of Active Directory replication that can be defined are:

Intrasite Replication: Intrasite replication takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network connections. Replication data within a site is not compressed.
Intersite Replication: Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data. Intersite replication has to be manually configured. Intersite replication occurs between two domain controllers that are called bridgeheads or bridgehead servers. With intersite replication, packets are compressed to conserve bandwidth.

The information replicated in Active Directory is summarized below:

Configuration partition data: Objects stored in the configuration partition relate to the domain structure and replication topology, and is replicated to each domain controller in each domain, and in a forest.
Domain partition data: All objects that are stored in a domain exist in the domain partition. Domain partition data is replicated to the domain controllers within a domain.
Schema partition data: Schema partition data include information on the objects that can be created in Active Directory and is replicated to each domain controller in domains/forests.
Application partition data: A new feature introduced in Windows Server 2003 is the application partition. Applications and services store data in the application partition.

You can use the Active Directory Sites and Services console to configure intersite replication. Configuring intersite replication typically involves:

Renaming the Default-First-Site-Name object
Creating site objects and subnet objects
Creating site link objects
Configuring site link attributes: Site link cost, site link replication frequency, site link replication availability
Specifying or designating a preferred bridgehead server (BS).
Creating site link bridges
Manually creating connection objects

How to rename the Default-First-Site-Name Site (first site object)

You have to rename the default site object to something that has meaning in your organization. To do this,

Open the Active Directory Sites and Services console
Right-click Default-First-Site-Name, and select Rename from the shortcut menu.
Proceed to set a meaningful name for the site.

How to create a new site object

Open the Active Directory Sites and Services console
Right-click the Sites folder and select New Site from the shortcut menu.
When The New Object – Site dialog box opens, enter a name for the site in the Name box.
You ca accept DefaultIPSiteLink in the Link Name box.
Click OK.

How to create a new subnet object

Open the Active Directory Sites and Services console
Right-click the Subnets folder, and select New Subnet from the shortcut menu
When The New Object – Subnet dialog box opens, in the first section of the dialog box, specify the subnet address and the number of bits in the subnet mask.
In the Select a site object for this subnet section, specify the site object to which this particular subnet is associated with.
Click OK.

How to create a site link

When you create a site link you can specify the transport protocol for replicating data over site links as either IP or SMTP.

IP replication is typically selected for a site link when a reliable connection exists between domain controllers in different sites.
SMTP replication is normally selected when connections are unreliable and slow.

To create a site link,

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder
Right-click either the IP folder or the SMTP folder, and choose New Site Link from the shortcut menu.
The New Object-Site Link dialog box opens
In the Name field, enter a name for the new site link.
In the Sites Not In This Site Link box, select the sites to connect. Click Add
Click OK.

How to configure site link attributes or properties

Configuring site link attributes involves specifying site link costs, the site link replication frequency, and setting site link replication availability. When you set the site link cost, you are basically defining the cost of the network connection proportionate to the speed of the link. Lower costs are utilized for fast links, while higher costs are associated with slower links. The site link replication frequency can be a number ranging from 15 minutes to 10,080 minutes. Setting site link replication availability involves specifying when a site link is available for replication.

To configure site link attributes,

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder.
Open the IP folder or SMTP folder which contains the site link that you want to configure site link attributes for.
Right-click the particular site link and then select Properties from the shortcut menu.
In the Description box in the General tab of the Properties dialog box for the site, you can enter a description for the site link.
In the Cost box, you can change the default cost for the site link, and assign a cost to the link. The default cost setting is 100.
In the Replicate Every box, you can change the default replication interval. This is basically the number of minutes between replications. The default setting is 180 minutes. The shortest replication interval that can be set is 15 minutes, and the longest interval that can be specified is 10,080 minutes.
Click the Change Schedule button to configure when the site link is available for replication.
When the Schedule dialog box for the site link opens, you can set when the site link is available for replication, or when it is not available for replication.
Click OK to save configuration changes you made in the Schedule dialog box.
Click OK to save changes in the Properties dialog box of the site.

How to configure replication to disregard/ignore schedules

Open the Active Directory Sites and Services console
Open he Sites folder, and then open the Inter-Site Transports folder.
Right-click the IP folder or SMTP folder and choose Properties from the shortcut menu.
When the Properties dialog box of the folder which you selected opens, click the Ignore Schedules checkbox.
Click OK.

How to add a site to an existing site link

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder.
Open the IP folder or SMTP folder that contains the site link to which the site should be added.
Right-click the particular site link and then select Properties from the shortcut menu.
Use the Sites Not In This Site Link box to select the site that should be added to the site link. Click Add.
Click OK.

How to rename an existing site link

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder.
Open the IP folder or SMTP folder that contains the site link that you want to rename.
Right-click the particular site link and then select Rename from the shortcut menu.
Proceed to set a new name for the site link.

How to designate a preferred bridgehead server (BS)

The Knowledge Consistency Checker (KCC) could possibly not designate a bridgehead server that is the most optimal domain controller in a site. In cases like this, to improve performance, you can manually designate a preferred bridgehead server(s).
To designate a preferred BS,

Open the Active Directory Sites and Services console
In the console tree, expand the Sites folder, expand the site in which you want to create the bridgehead server, and then expand the Servers folder.
Right-click on the particular server, and select Properties from the shortcut menu.
When the Properties dialog box of the server opens, in the Transports available for inter-site transfer section, select the protocol for which the server is to be a bridgehead server. Click Add.
Click OK.

How to disable transitive site links, or automatic bridging

Because site link transitivity is enabled by default, you would typically need to disable it if you want to create site link bridges.

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder.
Right-click either the IP folder or SMTP folder and choose Properties from the shortcut menu.
On the General tab, uncheck the Bridge All Site Links checkbox to disable site link transitivity.
Click OK.

How to create a site link bridge

Open the Active Directory Sites and Services console
Open the Sites folder, and then open the Inter-Site Transports folder.
Right-click either the IP folder or SMTP folder and choose New Site Link Bridge from the shortcut menu.
The New Object-Site Link Bridge dialog box opens.
Enter a name for the new site link bridge in the Name field.
Use the Site links not in this bridge box to select two or more sites to connect. Click Add
Click OK

How to manually create and configure a connection object

Connection objects in Active Directory are automatically created by the KCC. You can however manually create connection objects to customize the topology of the network, or to decrease the number of hops from one domain controller to another particular domain controller. When connection objects are created by the KCC, they are automatically removed by the KCC when the replication topology changes. Connection objects hat are manually created are not removed when the replication topology changes. You have to manually remove these connection objects.

To manually create and configure connection objects,

Open the Active Directory Sites and Services console
In the console tree, expand the Sites folder, expand the site in which you want to create the connection object, and then expand the Servers folder.
Select the particular server that you want to enable the connection for.
Right-click NTDS Settings and select New Active Directory Connection from the shortcut menu.
When the Find Domain Controllers dialog box opens, choose the domain controller. Click OK
When the New Object-Connection dialog box opens, enter a name for the connection object. Click OK
Proceed to right-click the connection that you have just created in the details pane and select Properties from the shortcut menu.
When the Properties dialog box of the connection object opens, in the Description field, provide a description for the new connection object.
In the Transport drop down list, verify that RPC is specified as the transport protocol.
If you want to modify the default schedule for intrasite replication, click the Change Schedule button.
When the Schedule dialog box for the connection object opens, set the appropriate replication frequency and Click OK.
Click OK to save changes made in the Properties dialog box of the connection object.

How to manually force immediate replication

Open the Active Directory Sites and Services console
In the console tree, expand the Sites folder, expand the site that Active Directory has to replicate to and then expand the name of the server to use for replication.
Click NTDS Settings to display the inbound connection objects of the server in the right pane.
Right-click the server that you want to replicate from and click Replicate Now from the shortcut menu.

Troubleshooting Active Directory Replication

Although domain controllers generally automatically manage the replication process, there are instances when incorrect configuration settings or troublesome network connections can prevent Active Directory information from being replicated between domain controllers. There are quite a few mechanisms that can be used to monitor and troubleshoot the Active Directory replication process.
The tools available are:

Active Directory Replication Monitor (Replmon.exe)
Replication Diagnostics Tool (Repadmin.exe)
The Dsastat.exe command-line tool
You can also configure Active Directory event logging

A few common methods that you can use to monitor or troubleshoot Active Directory replication are summarized below:

Verify network connectivity in your environment: When Active Directory replication has stopped, verify your existing network connections. For replication to occur, your domain controllers have to be connected by capable LAN links. Using high speed links typically improves replication performance.
Verify site links: In order for domain controllers in different sites to exchange Active Directory data or information, you have to configure the appropriate site links. When replication is not occurring between sites, verify that a site link object does link the current site to a site which is connected to the remainder of the sites of the network.
Verify the replication topology: You can use the Active Directory Sites and Services console to check that your replication topology is reliable and constant. Errors are displayed in a dialog box in the console.
Manually verify that Active Directory information has been synchronize. You should on a regular basis verify that information is synchronized between domain controllers within domains.
When replication errors are encountered, check the Directory Service event log in Event Viewer. Active Directory replication errors are written to the Directory Service event log.

There may be instances when Active Directory replication is quite slow. A few methods of correcting this problem are summarized below:

Having no site link bridge can result in Active Directory information taking quite a while to be replicated between domain controllers. You can create a site link bridge or you can bridge all sites. This is typically necessary when there are only site links in your network, but no site link bridges.
If the configuration value specified for the frequency of intersite replication is set too low, you may experience large delays between when changes are made on one domain controller and when it is replicated on a domain controller in a different site. To fix this problem, consider changing the setting of the replication frequency.
When your existing network resources are unable to cope with the quantity of traffic being generated by Active Directory replication consider the following:
- If realistic, modify the setting of the replication frequency
- If feasible, configure additional resources for Active Directory replication
- Create site links
- Create site link bridges

How to use Active Directory Replication Monitor to monitor/troubleshoot replication

Replication Monitor (Replmon) is a graphical management tool included in the Windows Support Tools. In order to open and use Replmon, it must be installed on a computer running. The computer can be a domain controller, member server, member workstation or stand-alone computer. Replication Monitor can be used to perform the following activities:

View the replication topology or replication information in a highly useful graphical format.
Determine whether domain controllers are replicating Active Directory information correctly.
Determine the status of Active Directory replication
Manually force replication between domain controllers

The information displayed in the main Replication Monitor window is listed below:

Naming contexts: All the naming contexts that a server contains are displayed here.
Replication partners: Each naming context shows the inbound replication partners for that particular naming context.
Server icons: Server icons enable you to determine information at a glance.
Log entries: The replication log entries for the connection are displayed in the right pane.

Once you have specified a domain controller for monitoring, you can set view options to suit your needs. To specify view options, open Replication Monitor, and select Options from the View menu. The options that can be selected on the General tab are:

Show Retired Replication Partners
Show Transitive Replication Partners and Extended Data
Notify When Replication Fails After This Number Of Attempts
Log Files: Settings under Log Files are used to change the default location for the log files.
Enable Debug Logging: This setting relates to debugging Replmon.

The Replmon replica synchronization options that can be selected are listed below. These options can be configured by right-clicking a monitored server object, and then selecting Synchronize Each Directory Partition with All Servers. The synchronization options that you can select are:

Disable Transitive Replication: This option can be selected if you want to troubleshoot a ailed replication process to a particular domain controller, and you want to manually start the replication process.
Push Mode: When enabled, push mode is enabled for replication and the DRA is no longer enabled to pull updates.
Cross Site Boundaries: When enabled, you can start intersite replication for RPC connections only.

How to start Replication Monitor

Remember that you first have to install Replication Monitor.

Click Start, Windows Support Tools, Command Prompt and enter replmon.exe.
When the Replication Monitor opens, in the console tree, right-click Monitored Servers and select Add Monitored Server from the shortcut menu.
The Add Monitored Server Wizard now starts
Select the Add The Server Explicitly By Name option. Click Next.
In the Add Server To Monitor page, use the Enter The Name Of The Server To Monitor Explicitly box to specify the name of the server that should be monitored.
Click Finish
The server that you specified for monitoring is now displayed in the console tree.

How to synchronize the Active Directory directory partition

Domain controllers that are indicated for a directory partition are regarded as source servers. Source servers can be a Direct Replication Partner, a Transitive Replication Partner or a Bridge Head Connection.
To synchronize the directory partition,

Open Replication Monitor
Right-click the direct replication partner and then choose Synchronize Replica from the shortcut menu.
Replication Monitor now starts the replication process and reports on the status of replication as well.

How to use the Replication Diagnostics Tool to monitor/troubleshoot Active Directory replication

The Replication Diagnostics Tool (Repadmin) is a command-line interface that can be quite useful when troubleshooting Active Directory replication. Through Repadmin, you can perform the following:

View the replication topology
View replication metadata
Determine the status/validity of Active Directory information on each domain controller
Force replication between domain controllers
Manually create the replication topology

The online help shows the syntax for options and switches of Repadmin. Run repadmin /? for online help. If you want to determine the status of the KCC for replication, run repadmin/kcc. If you want to determine what the replication result was for the last replication process performed, run repadmin/showreps. If you are running Windows Server 2003, Repadmin offers a few additional functions that can be performed. To view these, run repadmin/experthelp.

How to configure Active Directory event logging

You can also configure Active Directory event logging. A few key events that can be specified for event logging are listed below:

Directory access
Internal configuration
Internal processing
Intersite messaging
KCC
MAPI events
Replication events
Security events

You can set one of the following logging levels for an event:

0 – None, 1 – Minimal, 2 – Basic, 3 – Extensive, 4 – Verbose, 5 – Internal

How to enable Active Directory event logging

Click Start, Run and enter regedit in the Run dialog box. Click OK
This opens the Registry Editor.
Click the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSDiagnostics registry key.
The entries that are displayed in the right pane are the types of events that can be logged. The default logging level for each entry is 0 – None.
Open the entry for each type of event that you want to log by double-clicking it.
In the Value data box of each entry, enter the logging level.
Click OK.

How to use Dsastat.exe tomonitor/troubleshoot Active Directory replication

You can use Dsastat.exe to compare the attributes of replicated objects and to determine differences between directory partitions hosted by domain controllers. Dsastat.exe uses statistics such as objects per server, and megabytes per server to determine what the differences are in Active Directory information between domain controllers.

The syntax for Dsastat is:

dsastat [/loglevel:option] [/output:option] [/s:servername[portnumber][;servername[portnumber];…]] [/t:option] [/sort:option] [/p:entrynumber] [/scope:option] [/b:searchpath] [/filter:ldapfilter] [/gcattrs:option[;option;…]] [/u:username] [/pwd:password] [/d:domain]

/loglevel:option, indicates the type of logging. A value of Info, Trace or Debug can be specified.
/output:option, indicates how results will be displayed. A value of Screen, File or both of these can be specified.
/s:servername[portnumber][;servername[portnumber];…], for defining the server names that are to be included in the comparison by Dsastat.exe.
/t:option, for setting whether a statistics comparison or a full-content comparison should be performed. Values that can be set are True for statistics comparison, and False for full-content comparison.
/sort:option, for setting whether sorted queries should be performed or not. Values are True for sorted queries to be performed, and False for specifying that sorted queries should not be performed.
/p:pagesize, for specifying the number of entries that should be returned on a page. With a default value of 64, you can specify any value from 1 – 999.
/scope:option, for setting what the search should include. Values that can be set are Base, Onelevel, Sub-tree.
/b:searchpath, for specifying the distinguished name of the base search path.
/filter:ldapfilter, for specifying the LPAD filter that should be used.
/gcattrs:option[;option;…], for indicating what attributes should be returned. Values that can be set are all, LDAPattributes, ObjectClass, auto.
/u:username, for setting the username that should be used for the search.
/pwd:password, the password associated with the above username.
/d:domain, the domain that should be used to validate the username/passwo

Posted in Windows 2008 | Tagged: bridge head, domain controller, General, Microsoft Windows, particular domain controller, Registry Editor, Windows 2000 | Leave a Comment »

Event Tracing for Windows

Posted by Alin D on January 28, 2011

While most Windows developers know of Event Tracing for Windows (ETW) as a logging and tracing mechanism, many administrators have never heard of it. Simply put, ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel and kernel-mode device drivers.

Event Tracing for Windows is used by a number of core OS components and some third-party applications to provide event logging and tracing. Although it required access to a checked build of Windows to gather ETW information when first released with Windows 2000, more recent versions provide built-in tools with normal (free) Windows builds.

Getting started with Event Tracing for Windows

When diagnosing and troubleshooting Windows Server issues, it seems there is never too much data. The admin is always looking for additional details on what is going on with various components to pinpoint the problem. As such, there are a number of tools like

Process Monitor, Process Explorer, Performance Monitor (Perfmon) and Performance Analysis for Logs (PAL) that dig considerably deeper than the event log, but there are times when we need to dig even further down than that.

ETW allows additional instrumentation for gathering data that would not otherwise be available and has a number of advantages. For example:

it uses per-processor kernel buffers from a non-paged pool that are not impacted by application crashes or hangs

it uses very low CPU overhead

it’s available for x86, x64 and IA64 architectures

it can enable and disable tracing without rebooting or restarting applications

Event Tracing for Windows may seem like a great tool, but using it is another issue since there is no GUI or user guide. It also requires a few preliminary steps just to produce output that can be used for analysis.

In order to provide useful output you need a consumer. The consumer built in to Windows Server is Tracerpt.exe. As you can imagine, there are a number of flags for Tracerpt to provide specific output formats, so it’s important to become familiar with the Tracerpt and Logman utilities that are native in Windows Server 2003 and up, as well as Windows 7 and Vista.

It’s also important to understand the architecture for ETW. As you can see in Figure 1, the controllers are used to start and stop a tracing session. The tool used to do this in Windows Server 2003 and 2008 is Logman.exe.

Figure 1. The ETW architecture

Image credit: Microsoft Corp.

Windows Server 2003 also contains a handful of event providers that return specific events, including the following Active Directory-related providers:

Active Directory: CoreActive Directory: KerberosActive Directory: SAMActive Directory: NetLogon

For instance, specifying Active Directory: Kerberos as a provider will only return Kerberos-specific events.

Event providers differ between Windows versions, however. For example, Windows Server 2003 has 22 providers, while Windows 2008 has 387. This gives more power to the trace and offers more granularities. Yet when it comes to LDAP traffic, the Active Directory: Core provider appears to give the same detail for either Windows version.

You can also combine event providers into a single trace. Since Kerberos authentication was involved in the example above, I used the Active Directory: Kerberos and the Active Directory: Core providers and applied the Logman option-pf, as shown in the following example:

Logman Create Trace CoreKerb –pf c:etwinput.txt –o c:etwcoreKerb

The –pf option reads an input text file (input.txt in this case). The format of the input file is shown in Figure 2.

Figure 2. Input text file format

Putting Event Tracing for Windows to work

The best way to explain ETW is with a case study. Recently, I was contacted by an engineer who needed information about how Active Directory was responding to an LDAP request for a Unix client authenticating against an AD domain controller. He used a Unix command to see the bind request/response on the Unix side and wanted to see similar output on the Windows side. The output looked something like this:

[23/Sep/2010:15:04:44 +0200] conn=31 fd=65 slot=65 connection from 10.50.20.173 to 10.50.12.119

[23/Sep/2010:15:04:44 +0200] conn=31 op=0 BIND dn="uid=dorsa,ou=people,o=Corp.net" method=128 version=3

[23/Sep/2010:15:04:44 +0200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dorsa,ou=people,o=corp.net"

[23/Sep/2010:15:04:44 +0200] conn=31 op=1 SRCH base="ou=people,o=hp.com" scope=2 filter="(|(uid=dorsa)(cn=mdilln.dodgcty))" attrs=ALL

[23/Sep/2010:15:04:44 +0200] conn=31 op=1 RESULT err=0 tag=101 nentries=2 etime=0

[23/Sep/2010:15:04:44 +0200] conn=31 op=2 UNBIND

[23/Sep/2010:15:04:44 +0200] conn=31 op=2 fd=65 closed – U1

[23/Sep/2010:15:04:44 +0200] conn=29 op=-1 fd=64 closed error 11 (Resource temporarily unavailable) –

To work through the output, I used the NTDS Diagnostics registry key at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSDiagnostics and defined the LDAP Interface for a value of 5. It only provided the elapsed time of the operation and wasn’t close to the Unix output, so I decided to try Event Tracing for Windows. Since this was on Windows Server 2003, I used the Active Directory: Core provider, which gave LDAP details.

Below are the steps and commands I used to create an ETW trace and generate a log. The commands were used to dump LDAP data during authentication for the Unix engineer. I also created a C:ETW directory to store all my data.

C:>Logman Query Providers — This command lists all available providers. Note that the provider we are interested in for LDAP information is the Active Directory: Core provider.

Logman create trace “LDAP1” –p “Active Directory: core” –o c:etwLDAP1 LDAP1 — This is the name of the trace (we’ll see it when we look at the list of traces). -identifies identifies Active Directory: Core as the provider we want to use.-o specifies the path for the output (.etl) file as C:etwldap1 . The output file will be saved as LDAP1_000001.etl. Note that when the trace runs a second time the output file will be named LDAP1_000002.etl, etc.

Once the trace is executed successfully with the Logman create trace command it can be seen in the queue with the command: C:>Logman Query. A sample output is shown in Figure 3. The LDAP1 trace is shown in the red box outline in the figure. Note that there are a number of traces I defined which can be reused simply by starting and stopping them.

Figure 3. ETW trace (click to enlarge)

The following command starts the trace:

Logman Start LDAP1

Issuing Logman Query at this point would show LDAP1 as “Running”.

Reproduction operations are then needed to reproduce the problem or situation you want to trace. In this case, I performed a logon and ran some LDIFDE commands to perform LDAP searches. Having these commands ready as soon as the trace starts will minimize the noise in the trace and make it easier to read.

Next, stop the trace: Logman Stop LDAP1

The C:ETW directory now shows that the LDAP1 trace file LDAP1_000002.etl was created:

C:ETW>dir ldap1*
Volume in drive C has no label.
Volume Serial Number is 309D-BA04

Directory of C:ETW

10/13/2010 04:22 PM     1,015 ldap1
10/13/2010 04:20 PM     262,144 LDAP1_000001.etl
01/21/2011 02:12 AM     262,144 LDAP1_000002.etl

Because this is the second time running that trace, the file name was bumped to 000002.

Since the .etl log is unreadable we can use Tracerpt to give us some useful data. The command for this example would be:

TRACERPT LDAP1_000001.etl -o Ldap1.csv

-of sets the file type (default CSV) (See online help for more formats.)-o represents the output file name default, which is dumpfile.csv and produces the most interesting dump of LDAP activity-Summary, -Report represents statistical data (not used in this example)

Opening the LDAP1.csv file in Excel (or Notepad) will allow a look at the data. Figure 4 shows part of my output file with the LDAP requests and responses highlighted. As you can see, the search and bind requests from the text are in column A, while in column B you can see the start and end of the requests, which can be paired up. Further to the right you can see the user data, the filter and scope of the LDAP request, and so on.

Figure 4. View of LDAP1.csv data (click to enlarge)

The exciting thing about Event Tracing for Windows is that the opportunities with providers seem endless. Providers for Group Policy, Kerberos, LDAP clients, Netlogon, FSRM, IIS and many more are all available in Windows Server 2008.

While I used to rely exclusively on event logs and similar log files, I can now go a level deeper with Event Tracing for Windows and get a lot more verbose data to help me solve whatever problem I’m troubleshooting. The commands to produce the traces and reports are very easy to use as well. Of course, you can find more command options and details online.

Posted in Windows 2003, Windows 2008 | Tagged: event tracking, Microsoft Windows, UNIX, Windows 2000, Windows 2008, Windows 7, Windows Server, Windows Server 2003, windows server 2008 | Leave a Comment »

Active Directory Lightweight Directory Service Part 1

Posted by Alin D on January 16, 2011

Introduction

many directory services requirements for an organization. However, AD DS also has many dependencies that make its deployment and management a complex task. Because AD DS provides the core authentication and authorization services for most organizations, it can also be very difficult to make changes such as schema changes to the directory. At the same time, many organizations are deploying applications that use an external directory service. These applications may require the directory service to provide authentication services or to store application configuration information.

Although AD DS could be configured to support these applications, this may not be the best solution because of the issues related to incompatible schema change, replication traffic, or the risks of making changes to the infrastructure directory. As an alternative, Windows Server 2008 provides the Active Directory Lightweight Directory Services (AD LDS) server role, which you can use to deploy a Lightweight Directory Access Protocol (LDAP)–compliant directory service to provide support for these directory-enabled applications. AD LDS provides much of the same directory service functionality as AD DS but does not require the deployment of domains or domain controllers. AD LDS provides a much more flexible deployment model; for example, you can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance. You can also configure AD LDS replication so that the same AD LDS data is distributed across multiple computers.

AD LDS Overview

The Lightweight Directory Service is useful for situations in which applications need access to a directory service, but you do not want to risk compromising your Active Directory database. In this article, you will be introduced to the Lightweight Directory Services, its uses, and capabilities.

When Microsoft introduced the Active Directory with Windows 2000, it didn’t take long before people began to realize that the Active Directory was really little more than a centralized database, and that the Active Directory could be used for purposes for which it was never intended.

For a while, it seemed as though almost every software vendor was designing their wares to be Active Directory integrated. Many such applications stored their configuration information in the Active Directory, and some even whet so far as to actually treat the Active Directory as an alternative to a SQL database and store actual application data in the Active Directory database.

Today, most of the third party software publishers seem to take less invasive approach to the way that they interface with the Active Directory. Many applications read Active Directory data, but not nearly as many applications seem to store data within the Active Directory as did a few years back. Although I can only speculate on the reasons for this, I suspect that it has something to do with the fact that the Active Directory has become a critical component of the network infrastructure, and many administrators are reluctant to perform unnecessary schema extensions (which are almost always necessary to support applications that store data within the Active Directory).

Even though software publishers may not use the Active Directory to quite the extent that they once did, I think that it is safe to say that the Active Directory can be very useful for supporting various applications. To show you what I mean, consider the fact that Microsoft still designs many of their server applications with a high degree of Active Directory integration. Exchange Server 2007 and Exchange Server 2010 for example, are designed in such a way that all of the server configuration information is stored in the Active Directory, rather than being stored locally on the server. The advantage to doing so is that it makes it possible to regenerate a failed server on the fly.

Suppose for instance that you had a catastrophic hard disk failure on an Exchange 2010 server that was hosting the Hub Transport Server Role. Because of the way that Exchange stores its configuration information in the Active Directory, you wouldn’t even have to restore a backup in order to fix the problem. Instead, you would start out by resetting the Computer account for the failed server within the Active Directory. You would then install Windows and any applicable service packs onto a new server. Next, you would assign that server the same computer name as your failed server had used, and join the new server to the Active Directory. Because you reset the Active Directory computer account, the new server is able to use it.

From there, fixing the problem is as simple as running Exchange Server’s Setup program with a special switch. Setup installs the necessary binaries, and then configures the server according to the configuration information found in the Active Directory. The new server can be up and running in less than an hour, and without ever restoring a backup.

My point is that the Active Directory can be very useful for application support, but that many software publishers are reluctant to use it to the extent that Microsoft does, because of the stigma that’s attached to making Active Directory schema extensions.

Another reason why you don’t see more software publishers storing a lot of data in the Active Directory has to do with Active Directory replication. Generally speaking, any data that is stored in the Active Directory must be replicated to all of the domain controllers in the domain (possibly even all of the domain controllers in the forest). As such, if an application were to store a large volume of data in the Active Directory, that data could impact the speed of the normal replication process – especially if that data changes frequently.

In spite of these challenges, there is a way to reap the benefits of Active Directory integration, without impacting your Active Directory database in the process. Windows Server 2008 and Windows Server 2008 R2 include a service called the Active Directory Lightweight Directory Service, or AD LDS. A similar service also exists in Windows Server 2003, but goes by the name Active Directory Application Mode (or ADAM).

Conclusion

Now that I have talked about what the AD LDS means and what it is used for, I want to turn my attention to using this service in your own organization. In Part 2, I will begin discussing the hardware and the software requirements for using AD LDS.

In case you are not familiar with AD LDS, it provides you with an environment that is very similar to, but completely separate from, the Active Directory. AD LDS is a standalone service that has no dependency on the Active Directory Directory Service. In fact, it is common to deploy AD LDS in environments in which no Active Directory domains exist.

A perfect example of such a situation is Microsoft Exchange Server. Earlier I said that Exchange Server 2007 and 2010 are both designed to store all of their configuration information in the Active Directory database. There is one big exception to this however.

Exchange Server defines a series of roles that dictate how an Exchange Server is configured, and what tasks the server performs. All but one of the server roles are designed to store the server configuration in the Active Directory.

The server role that does not use the Active Directory is known as the Edge Transport Server Role. The Edge Transport Server is designed to reside at the network perimeter and keep the other Exchange Servers from being directly exposed to the Internet.

Because the Edge Transport Server is exposed to various Internet based threats, making it a member of an Active Directory domain could be a potential security risk. If someone were able to compromise the edge transport server, they may be able to use it to gain information about the Active Directory.

To keep this from happening, the Edge Transport Server cannot be a domain member, and it cannot host any other Exchange Server roles. Even so, the Edge Transport Server does require access to a minimal amount of Active Directory information so that it can do its job. Rather than provide the server with direct access to the Active Directory, Microsoft has designed the Edge Transport Server role to use AD LDS.

One of the backend Exchange Servers reads the required information from the Active Directory, and sends the information to the AD LDS partition on the Edge Transport Server. That way, the Edge Transport Server has access to the information that it needs, without being able to access the Active Directory. Incidentally, the Edge Transport Server also stores its own configuration information in the AD LDS partition, just as other Exchange Server roles store configuration information in the Active Directory.

Posted in Windows 2008 | Tagged: Active Directory Directory Service, AD LDS, ADAM, Lightweight Directory Service, Microsoft Windows, Windows 2000, Windows Server 2003 | Leave a Comment »

Get Mcsa Certified Easily and Quickly

Posted by Alin D on December 3, 2010

Get Mcsa Certified Easily and Quickly

Get MCSA 2003 Certification in Days

According to our survey, over 85% of the candidates acknowledge that they have spent needless time and money before finding the most suitable solution to pass the exams. It doesn’t matter if you are just starting out and looking for the most suitable way to get certified, or a skilled technician looking for the most efficient way to get certified, we have the right solution for you.

We provide the following to help you get certified in the most convenient way

24/7, around the clock, consulting service that will assist you, guide you and help you, until you get certified. This price also includes; exam vouchers and all other related expenses. There is no further cost to attain your certification.

Our Guarantee

We will refund any payment that you make, should you for any reason fail to get certified. The refund is an unconditional total refund of any moneys paid.

Why MCSA 2003

The Microsoft Certified Systems Administrator (MCSA) certification will advance your career by ensuring that you have the skills to successfully manage and troubleshoot system environments running on the Microsoft Windows operating system.

This internationally recognized (MCSA) Microsoft Certified Systems Administrator training provides expert instruction on the Microsoft? Windows Server 2003 family, making it easier to deploy, manage, and use. Achieving the Microsoft Certified Systems Administrator (MCSA) on Microsoft Windows 2003 credential provides a valid and reliable measure of technical proficiency and expertise to successfully manage and maintain the typically complex computing environment of medium to large-sized companies operating on the Microsoft Windows Server 2003 System.

MCSA 2003 Certification Requirement:

1. Core exams (three exams required):

•Networking systems (two exams required):

Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment.

Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure.

• Client operating system (one exam required)

Exam 70-620: TS: Microsoft Windows Vista Client, Configuring.

Exam 70-270: Installing, Configuring, and Administering Microsoft Windows XP Professional.

Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional.

2. Elective exams (one exam required):

Exam 70-089: Designing, Implementing, and Managing a Microsoft Systems Management Server 2003 Infrastructure.

Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

Exam 70-228: Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition.

Exam 70-235: TS: Developing Business Process and Integration Solutions Using BizTalk Server 2006.

Exam 70-236: TS: Microsoft Exchange Server 2007, Configuring.

Exam 70-262: TS: Microsoft Office Live Communications Server 2005 – Implementing, Managing, and Troubleshooting.

Exam 70-284: Implementing and Managing Microsoft Exchange Server 2003.

Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network.

Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004.

Exam 70-431: TS: Microsoft SQL Server 2005 – Implementation and Maintenance.

Exam 70-445: Microsoft SQL Server 2005 Business Intelligence – Implementation and Maintenance.

Exam 70-500: TS: Microsoft Windows Mobile 5.0, Implementing and Managing.

Exam 70-501: TS: Windows Server 2003 Hosted Environments, Configuring, and Managing.

Exam 70-620: TS: Microsoft Windows Vista Client, Configuring.

Exam 70-624: TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops.

Exam 70-630: TS: Microsoft Office SharePoint Server 2007, Configuring.

Exam 70-631: TS: Microsoft Windows SharePoint Services 3.0, Configuring.

With rich experience in writing, often in the major websites, newspapers published articles and welcomed by a large number of readers,and articles written by others with a large number of quote.

Article from articlesbase.com

Posted in Windows 2003 | Tagged: Administrator, Certified, Easily, Internet Security, Mcsa, Microsoft Windows, Quickly, skilled technician, suitable solution, valid and reliable measure, Windows 2000, Windows Server 2003, Windows Vista, Windows XP | Leave a Comment »

Active Directory Lightweight Directory Service

Posted by Alin D on November 26, 2010

Introduction

Now that I have talked about what the AD LDS is and what it is used for, I want to turn my attention to using this service in your own organization. In Part 2, I will begin discussing the hardware and the software requirements for using AD LDS.

The Planning Process

Planning for the deployment of AD LDS can actually be something of a trial and error experience because Microsoft really doesn’t give you a lot to go on. If you look at Microsoft’s AD LDS Overview on TechNet, you can see that the Hardware and Software Considerations section consists of a block of text telling you to “Use performance counters, testing in the lab, data from existing hardware in a production environment, and pilot roll outs to determine the capacity needs of your server.”

So what is Microsoft really saying here? Well, I think that the statement in the paragraph above can best be summarized like this:

In order to deploy AD LDS, one needs only to have a server that is capable of running Windows Server 2008. However, depending on how AD LDS is being used the server may have to support a considerable workload. It is therefore necessary to take measures to ensure that your server hardware is up to the job.

If this statement is true, then the most logical approach to AD LDS planning is to take a look at the types of resources AD LDS consumes, and base any capacity planning efforts on those types of resource consumption.

Being that Microsoft doesn’t seem to provide a lot of clear guidelines for AD LDS capacity planning, I tend to think that one of the best approaches is to treat the capacity planning process similarly to the capacity planning process that you would use for domain controllers. After all, an AD LDS server is very similar to a domain controller. Both AD LDS servers and domain controllers host nearly identical directory services. Of course there are differences that you have to keep in mind. Active Directory capacity planning usually takes the number of users into account, while AD LDS capacity planning is usually more about anticipating the number of LDAP requests that will be made against the server. However, both Active Directory and AD LDS capacity planning often require you to plan for things like topology and replication.

The Differences between Domain Controllers and AD LDS Servers

Of course even though domain controllers and AD LDS servers are very similar at the architectural level, the simple fact that domain controllers are used to authenticate logins and implement Windows security policies means that there are some aspects of domain controller planning that simply will not apply to the planning process for AD LDS.

One such difference is that AD LDS does not use the concept of forests like the Windows Active Directory does. In an Active Directory environment, a forest is a collection of domains. Every forest is completely independent, although forests can be joined together through the use of federated trusts.

AD LDS does not use the concept of forests and domains like Windows domain controllers do. Instead, the primary structural element used by AD LDS is that of a service instance (which Microsoft often refers to as an instance). An instance refers to a single AD LDS partition. Each instance has its own individual service name, directory data store, and service description.

As I’m sure you probably already know, a Windows domain controller can only service a single domain. In contrast, a single server running AD LDS can host multiple instances. This means that a single AD LDS server can contain multiple directories.

Of course this raises an interesting question. In an Active Directory environment, clients communicate with domain controllers using the Lightweight Directory Access Protocol (LDAP). Like most other protocols, LDAP is designed to use specific port numbers. For example, LDAP typically uses port 389 for directory queries. If LDAP communications need to be encrypted then port 636 is uses instead. Domain controllers that are functioning as global catalog servers use ports 3268 and 3269 for global catalog related functions. With all of this in mind, you may be wondering which ports AD LDS uses.

Well, AD LDS does not have to worry about performing any global catalog functions, so we can rule out the use of ports 3268 and 3269 right off the bat. AD LDS does however make use of ports 389 and 636 in exactly the same way that a domain controller would.

So what happens if a server is hosting multiple AD LDS instances? Typically, the first instance to be created would be assigned to use ports 389 and 636. When the second instance is created, Windows sees that these ports are in use, and begins scanning for unused ports beginning with port 50,000. Assuming that port 50,000 is available it will be used for standard LDAP communications with the second AD LDS instance. Port 50,001 will be used for SSL encrypted LDAP communications with the second AD LDS instance.

If you were to create a third AD LDS instance on the server, then Windows would see that ports 389 and 636 were in use, so it would begin looking for unused ports starting with 50,000. Since ports 50,000 and 50,001 have already been assigned, the third LDAP partition will be assigned to ports 50,002 and 50,003.

DNS Requirements

Another difference between the Active Directory and AD LDS is that the Active Directory is totally dependent on DNS servers. Without DNS, the Active Directory cannot function. AD LDS on the other hand does not require DNS.

In some ways this makes sense. The Active Directory uses DNS as a mechanism for maintaining the domain hierarchy. There is no domain hierarchy associated with AD LDS, so DNS is unnecessary.

Installing the Active Directory Lightweight Directory Service

Installing AD LDS is actually a very simple process. To do so, open the Server Manager, and then click on the Add Roles link. When you do, Windows will launch the Add Roles Wizard. Click Next to bypass the wizard’s welcome screen and you will be taken to a screen that displays all of the available server roles.

Select the Active Directory Lightweight Directory Services check box, as shown in Figure A.

Figure A: Active Directory Lightweight Directory Service.

Click Next, and you will see an introductory screen that explains what the AD LDS is and what it does. Click Next and Windows will display a confirmation message indicating that the AD LDS server role is about to be installed. Click theInstall button to begin the installation process.

The entire installation process usually only takes about 30 seconds to complete. After the server role finishes installing, click the Close button to complete the installation process. Unlike some of the Windows 2008 server roles, installing the AD LDS role does not require you to reboot the server.

Conclusion

In this article, I have explained some of the differences between the Active Directory and AD LDS. In Part 3 of this series, I will begin showing you the basics of working with AD LDS.

Posted in Windows 2008 | Tagged: Active Directory, Active Directory Directory Service, Active Directory Lightweight Directory Service, AD LDS, ADAM, dns, domain controller, identical directory services, Lightweight Directory Service, Microsoft, Microsoft Windows, server applications, server hardware, Server Manager, Software, software requirements, Sql, SSL, transport server, Windows 2000, Windows 2008, Windows domain controller, Windows Server 2003, windows server 2008 | Leave a Comment »

How To Raise Windows Server 2008 Active Directory Domain and Forest Functional Levels

Posted by Alin D on October 25, 2010

When the first Windows Server 2008–based Domain Controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment, meaning Windows 2000 Native Mode. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2008. When you raise the functional level of a domain or forest, a set of advanced features becomes available.

Note: In the Windows Server 2008 version of DCPROMO, when you install a new domain in a new forest, you are prompted for the function level of your choice. Therefore, it may very well be that a brand new installation of Active Directory will not hold the “default” domain or forest function levels.

Raising Domain Function Levels

To activate new domain features that available in Windows Server 2008, all domain controllers in the domain must be running Windows Server 2008. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2008.

Important

Raising the domain functional levels to Windows Server 2008 is a nonreversible task and prohibits the addition of Windows 2000–based or Windows Server 2003–based Domain Controllers to the environment. Any existing Windows 2000–based or Windows Server 2003–based Domain Controllers in the environment will no longer function, and in fact, the upgrading wizard will not allow you to continue with the operation. Before raising functional levels to take advantage of advanced Windows Server 2008 features, ensure that you will never need to install domain controllers running Windows 2000-based or Windows Server 2003–based Domain Controllers in your environment.

Membership in Domain Admins, Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

In order to raise the domain functional level:

Log on the PDC Emulator of the domain with domain administrator credentials.

Note: The PDC Emulator is usually the first DC in the domain.

Open Active Directory Users and Computers by clicking Start > All Programs > Administrative Tools, and then click Active Directory Users and Computers (you can also perform this action from the Active Directory Domains and Trusts snap-in).
In the console tree, right-click the domain node and then click Raise Domain Functional Level.

Under Select an available domain functional level, do one of the following:

Click Windows Server 2003, and then click Raise to raise the domain functional level to Windows Server 2003.

Click Windows Server 2008, and then click Raise to raise the domain functional level to Windows Server 2008.

Read the warning message, and if you wish to perform the action, click Ok.

You will receive an acknowledgement message telling you that the operation was completed successfully. Click Ok.

You can check the function level by performing step 3 again and viewing the current function level.

Note: The current domain functional level appears under Current domain functional level in the Raise Domain Functional Level dialog box. The level increase is performed on the PDC Emulator FSMO and requires the domain administrator.

Raising Forest Function Levels

To activate new forest features that available in Windows Server 2008, all domain function levels in the forest must be running in Windows Server 2008 mode. After this requirement is met, the administrator can raise the forest functional level to Windows Server 2008.

Note that domains that are set to the domain functional level of Windows Server 2003 will automatically be raised to Windows Server 2008 at the same time that the forest functional level is raised to Windows Server 2008.

Important

Raising the forest functional levels to Windows Server 2008 is a nonreversible task and prohibits the addition of Windows 2000–based or Windows Server 2003–based Domain Controllers to any of the domains in the environment. Any existing Windows 2000–based or Windows Server 2003–based Domain Controllers in the environment will no longer function, and in fact, the upgrading wizard will not allow you to continue with the operation. Before raising functional levels to take advantage of advanced Windows Server 2008 features, ensure that you will never need to install domain controllers running Windows 2000-based or Windows Server 2003–based Domain Controllers in your environment.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

In order to raise the forest functional level:

Log on to the PDC Emulator of the forest root domain with a user account that is a member of the Enterprise Administrators group.
Open Active Directory Domains and Trusts by clicking Start > All Programs > Administrative Tools, and then click Active Directory Domains and Trusts.
In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

Under Select an available forest functional level, do one of the following:

Click Windows Server 2003, and then click Raise to raise the forest functional level to Windows Server 2003.

Click Windows Server 2008, and then click Raise to raise the forest functional level to Windows Server 2008.

Read the warning message, and if you wish to perform the action, click Ok.

You will receive an acknowledgement message telling you that the operation was completed successfully. Click Ok.

You can check the function level by performing step 3 again and viewing the current function level.

Note: To raise the forest functional level to Windows Server 2008, you must upgrade (or demote) all existing Windows 2000 or Windows Server 2003 Domain Controllers in your forest.

If you cannot raise the forest functional level, you can click Save As in the Raise Forest Functional Level dialog box to save a log file that specifies which domain controllers in the forest still must be upgraded from older operating systems.

Posted in Windows 2008 | Tagged: Administrator, Domain Administrator, domain controller, Microsoft Windows, operating systems, Windows 2000, Windows Server 2003, windows server 2008 | Leave a Comment »

How to Rename Windows Server 2008 Domain Controllers

Posted by Alin D on October 22, 2010

The procedure of renaming a regular server (Windows 2000/2003/2008) is quite simple. It is done through the My Computer properties, and usually requires one reboot. However, DCs should be renamed by using a totally different approach.

The command

In order to rename a DC you will need the NETDOM command. In Windows Server 2008, this is part of the operating system, and not a separate download as in previous versions. By using the NETDOM command, you ensure that there is little or no disturbance for the domain and client operations.

Renaming a domain controller requires that you first provide a FQDN as a new computer name for the domain controller. All of the computer accounts for the domain controller must contain the updated SPN attribute and all the authoritative DNS servers for the domain name must contain the host (A) resource record for the new computer name. Both the old and new computer names are maintained until you remove the old computer name. This ensures that there will be no interruption in the ability of clients to locate or authenticate to the renamed domain controller, except when the domain controller is restarted.

Important: To rename a domain controller using the NETDOM command, the domain functional level must be set to at least Windows Server 2003.

The bad news: As usual, you will need to reboot the renamed DC.

The good news: You don’t have to sit near the DC you’re renaming. You can accomplish it from any computer that has the NETDOM command, and if you have the appropriate user credentials.

Permissions

You must be a member of the Domain Admins group.

To rename a DC with the name from KUKU-SERVER in the WINDOWS-DOMAIN.LOCAL domain to DC-SERVER follow the next steps:

1. Open Command Prompt and type:

NETDOM computername KUKU-SERVER.WINDOWS-DOMAIN.LOCAL /add:DC-SERVER.WINDOWS-DOMAIN.LOCAL

This command will update the service principal name (SPN) attributes in Active Directory for this computer account, and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all DCs for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name. Therefore, it’s very important to wait till the Active Directory replication finishes a replication cycle. You can check that by using tools such as REPADMIN and REPLMON.

You can verify the new name was indeed added to the computer object by viewing it through ADSIEDIT.MSC (which, for Windows Server 2008, is installed by default). Navigate to the computer object and right-click it. Select Properties:

Scroll down in the list of available attributes till you reach the attribute called msDS-AdditionalDnsHostName.

2. Ensure the computer account updates and DNS registrations are completed, then type:

NETDOM computername KUKU-SERVER.WINDOWS-DOMAIN.LOCAL /makeprimary:DC-SERVER.WINDOWS-DOMAIN.LOCAL

Again, you can inspect the change with ADSIEDIT.MSC. Scroll down in the list of available attributes for the computer object (notice how the server now appears with the new name) till you reach the attribute called msDS-AdditionalDnsHostName.

Notice that the old name should appear in the attribute’s properties.

3. Restart the computer.

4. From the command prompt, type:

NETDOM computername DC-SERVER.WINDOWS-DOMAIN.LOCAL /remove:KUKU-SERVER.WINDOWS-DOMAIN.LOCAL

5. Make sure that the changes have successfully been replicated to all the DCs.

Conclusion

In this article, I have explained how to use the NETDOM command to rename Windows Server 2008 Domain Controllers.

Posted in Windows 2008 | Tagged: DC, dns, domain controller, Microsoft Windows, operating system, regular server, renamed domain controller, Windows 2000, Windows Server 2003, windows server 2008 | Leave a Comment »

How to create user accounts and mailboxes with PowerShell

Posted by Alin D on October 21, 2010

There are lots of tools available to the admin for creating new users in Active Directory, including Active Directory Users and Computers, the Active Directory Administrative Center, and the command line tools like dsadd and net user. When administering Exchange 2010, you will probably find yourself creating mailboxes using the GUI when you provision new user accounts, however, there are times where you need to create a mailbox outside of using ADUC. Whether there is a one off need, something happened during user creation that wasn’t quite right (like the user’s name was misspelled in AD,) you’re creating a resource or a shared mailbox, or you want to programmatically create user accounts and mailboxes with a script, the Exchange Management Shell (EMS,) or PowerShell to its friends, is a great way to go when you want to script this out.

The biggest benefit to using the Exchange Management Shell over dsadd is that you can specify the parameters needed for mailboxes, like SMTP addresses and mailbox databases. DSADD is still a very useful tool, but if you are looking for a one-stop shop command and you are using Exchange, the new-mailbox command will be your go-to guy.

The new-mailbox command

New-mailbox is an Exchange Management Shell cmdlet with more options than you can count. As with every other PowerShell cmdlet, you can get more information about it using the get-help cmdlet (aliased as man) or by checking out the online help on TechNet. This command, when entered without parameters, will walk you through creating an AD user with a mailbox, prompting you for the minimum required parameters.

While this might be enough to get you going, let’s look at some of the more useful options for this command. You can check out the full list by either checking out the TechNet site linked below, or by entering the man new-mailbox cmd.

-Name <String> This is, of course, the mailbox name.
-Password <SecureString> The user’s password, stored as a SecureString meaning we cannot display it again later.
-UserPrincipalName <String> The user’s UPN name in AD, in the formatusername@domain.
-Alias <String> An alias, which will simplify finding the user in the GAL.
-Database <DatabaseIdParameter> The database to store the user’s mailbox.
-DisplayName <String> The user’s display name in AD.
-FirstName <String> The user’s first name.
-LastName <String> The user’s surname.
-PrimarySmtpAddress <SmtpAddress> The primary SMTP address is their email address, in the form mailbox@fqdn.
-ResetPasswordOnNextLogon <$true | $false> Sets the flag controlling whether or not the user must change their password at next logon.
-SamAccountName <String> The user’s pre-Windows 2000 name, which is specified simply as a 15 character (or less) string.

Here are two examples of how to use this command.

Example one

This command creates an Active Directory user for John Smith in the CorpUsers OU, with a mailbox on the UserDatastore database, and an initial password that must be changed at next logon. It first prompts you for the password which it will store “-AsSecureString” meaning that it cannot be displayed again.

$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -UserPrincipalName jsmith@example.com -Alias john
-Database "UserDatastore" -Name JohnSmith –OrganizationalUnit
CorpUsers -Password $password -FirstName John -LastName Smith
-DisplayName "John Smith" -ResetPasswordOnNextLogon $True

Example two

This command creates a resource mailbox for a conference room in the CorpResources OU, using the CorpResources database, and requiring the password to be set at next logon. This sets the alias as ChaConf1, and will prompt you for the password once you hit enter.

New-Mailbox -UserPrincipalName CharlotteConferenceRoom1@example.com
-Alias ChaConf1 -Name CharlotteConferenceRoom1 -Database
"CorpResources" -OrganizationalUnit ConferenceRooms -Room
-ResetPasswordOnNextLogon $True

Example three

This command creates a mailbox for an existing user without a mailbox.

Enable-Mailbox -Identity:’example.com/CorpUsers/Joe Smith'
-Alias:'JoeSmith' -Database: 'UserDatastore'

This is just a taste of what you can do with PowerShell and the new-mailbox command. There is even more information available about using the new-mailbox command using the online help in the shell, or on TechNet.

Posted in Exchange, Scripting | Tagged: command-line tools, GUI, Joe Smith, John Smith, online help, Windows 2000 | Leave a Comment »

« Previous Entries

A wealth of tutorials Windows Operating Systems SQL Server and Azure

Pages

Top Posts & Pages

Latest Articles

Spam Blocked

Follow Blog via Email

RSS Feed

SCCM Tools

Posts Tagged ‘Windows 2000’

Transitive Trusts

Forest Trusts

External Trusts and Realm Trusts

Shortcut Trusts

Rate this:

Share this:

Rate this:

Share this:

An Overview of Active Directory Replication

How to rename the Default-First-Site-Name Site (first site object)

How to create a new site object

How to create a new subnet object

How to create a site link

How to configure site link attributes or properties

How to configure replication to disregard/ignore schedules

How to add a site to an existing site link

How to rename an existing site link

How to designate a preferred bridgehead server (BS)

How to disable transitive site links, or automatic bridging

How to create a site link bridge

How to manually create and configure a connection object

How to manually force immediate replication

Troubleshooting Active Directory Replication

How to use Active Directory Replication Monitor to monitor/troubleshoot replication

How to start Replication Monitor

How to synchronize the Active Directory directory partition

How to use the Replication Diagnostics Tool to monitor/troubleshoot Active Directory replication

How to configure Active Directory event logging

How to enable Active Directory event logging

How to use Dsastat.exe tomonitor/troubleshoot Active Directory replication

Rate this:

Share this:

Getting started with Event Tracing for Windows

Putting Event Tracing for Windows to work

Rate this:

Share this:

Introduction

AD LDS Overview

Conclusion

Rate this:

Share this:

Rate this:

Share this:

Introduction

The Planning Process

The Differences between Domain Controllers and AD LDS Servers

DNS Requirements

Installing the Active Directory Lightweight Directory Service

Conclusion

Rate this:

Share this:

Raising Domain Function Levels

Raising Forest Function Levels

Rate this:

Share this:

The command

Permissions

Conclusion

Rate this:

Share this:

The new-mailbox command

Example one

Example two

Example three

Rate this:

Share this: