
What is the number of permitted unsuccessful logons on the Administrator account?

Unlimited, provided it is the Administrator account itself, not any account that is merely a member of the Administrators group.


How to configure Certificate Templates?

You can create a new certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of certification authorities (CAs) support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.

To create a new certificate template

  • Open the Certificate Templates snap-in.
  • Right-click the template to copy from, and then click Duplicate Template.
  • Choose the minimum version of CA that you want to support.
  • Type a new name for this certificate template.
  • Make any necessary changes, and click OK.

What is a Certificate Template?

Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.


What is merging and replace mode in loopback processing?

Normal user Group Policy processing specifies that computers located in their organizational unit have the GPOs applied in order during computer startup. Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to.

In some cases, this processing order may not be appropriate. For example, you may not want applications that have been assigned or published to the users in their organizational unit to be installed when a user logs on to a computer in a specific organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific organizational unit:

  • Merge Mode: In this mode, when the user logs on, the user's list of GPOs is gathered as usual by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs.
  • Replace Mode: In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

What are the Loopback policies?

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

To set user configuration per computer, follow these steps:

1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.

2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used, for example computers in public areas, in laboratories, and in classrooms.

When users work on their own workstations, you may want Group Policy settings applied based on the location of the user object. Therefore, we recommend that you configure policy settings based on the organizational unit in which the user account resides. However, there may be instances when a computer object resides in a specific organizational unit, and the user settings of a policy should be applied based on the location of the computer object instead of the user object.

Note: You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy.


What is LSDOU?

It is the Group Policy inheritance model, in which policies are applied in the following order:

Local machine, Site, Domain and Organizational Unit.


I am trying to create a new universal user group. Why can't I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.


What are the differences between Enterprise Admins and Domain Admins groups in AD?

Enterprise Admins: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.

Domain Admins: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.


What is the Netlogon folder?

Sysvol is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain members.

By default, Sysvol includes two folders; the Scripts folder is shared with the share name NETLOGON:

  1. Policies - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
  2. Scripts - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)

What is the DR (disaster recovery) procedure when an AD DS server has failed?

Restoring AD DS after reinstalling the operating system

If you reinstall the operating system, you can restore AD DS in one of the following ways:

  • Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller in the domain to update the domain controller.
  • Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to update the domain controller. This method requires less replication than reinstalling AD DS.
  • Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media that can be used to install AD DS.

What is AD Database white space?

After an object is deleted, it remains in the directory for the tombstone lifetime (60 or 180 days by default). The tombstone lifetime ensures that the tombstone is replicated to every DC, so that every DC knows that the object is deleted. This is why you cannot use a backup older than the tombstone lifetime to restore Active Directory: it would reintroduce objects that were deleted before the backup expired.

The garbage collection process on every domain controller ensures that tombstones older than the tombstone lifetime are deleted permanently. The garbage collection process runs by default every 12 hours on each DC. You can configure a different period by modifying the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com object.

Once the object is permanently deleted, however, the NTDS.dit database file that contains Active Directory does not shrink. Instead, the new "whitespace" is reused for new objects. The only way to release the whitespace in the database is to perform an offline defragmentation using NTDSUtil in Directory Services Restore Mode.


How to force the Garbage Collection?

You can initiate garbage collection manually by using a published LDAP control. This does not alter which objects are collected, nor does it alter how many go into the dumpster. It simply tells the DC to run garbage collection right then rather than waiting until the next 12-hour interval has passed.

You can use LDP.EXE to do the garbage collection control. Here are the steps:

1. In Ldp.exe, when you click Browse on the Modify menu, leave the Distinguished name box empty.

2. In the Edit Entry Attribute box, type “DoGarbageCollection” (without the quotation marks),

3. In the Values box, type “1” (without the quotation marks).

4. Set the Operation value to Add, click the Enter button, and then click Run.

It is possible that the garbage collection you start using the above method could stop in favor of more important tasks like AD replication, in the same way the scheduled garbage collection does. If that happens you can simply repeat the garbage collection steps above until all of the objects are removed.

The process for completing garbage collection has changed in Windows Server 2003 to improve storage conditions in the directory database. Garbage collection removes a maximum of 5,000 objects per pass to avoid indefinitely delaying other directory service tasks. However, the rate at which remaining tombstones are deleted when more than 5,000 tombstones have expired has increased from Windows 2000 Server to Windows Server 2003, as follows:

Windows 2000 Server: If collection stops because of the 5,000-object limit (rather than by running out of objects to collect), the next garbage collection pass is scheduled for half the normal garbage collection interval (by default, every 6 hours instead of 12 hours). Garbage collection continues running at this accelerated pace until all objects have been collected.

Windows Server 2003: Rather than waiting a set time to remove a subsequent set of 5,000 tombstones, a domain controller continues deleting tombstones according to CPU availability. If no other process is using the CPU, garbage collection proceeds. Removing tombstones in this way keeps the database size from increasing inordinately as a result of the inability of garbage collection to fully complete removal of all tombstones during a garbage collection interval.


Explain Active Directory database garbage collection process

Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. This process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).

The path of the object in the Contoso.com domain would resemble the following:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM

Use an Active Directory editing tool to set the garbageCollPeriod attribute. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.

When an object is deleted, it is not removed from the Active Directory database. Instead, the object is marked for deletion at a later date. This mark is then replicated to other domain controllers. Therefore, the garbage collection process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Next, the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to claim additional free space.
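As an added example (not code from the original post), the following PowerShell reads the directory-wide garbage collection settings from the CN=Directory Service object quoted above and requests an immediate collection pass through the rootDSE DoGarbageCollection attribute, which is the same modify the Ldp.exe steps perform by hand. It assumes it runs on a domain controller or domain member as a Domain Admin, using the [ADSI] type accelerator from System.DirectoryServices.

```powershell
# Added example, not from the original post. Reads garbageCollPeriod and
# tombstoneLifetime from the Directory Service object and triggers one
# garbage collection pass via rootDSE (assumes Domain Admin rights and LDAP
# reachability to a DC).

function Get-ADGarbageCollectionSettings {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties["configurationNamingContext"].Value
    # Same object as the CN=Directory Service,... path quoted in the post.
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # Both attributes are unset until an administrator writes them; the built-in
    # defaults then apply (12 hours; 60 or 180 days depending on the forest).
    $gcPeriod = $dsObject.Properties["garbageCollPeriod"].Value
    $tsl      = $dsObject.Properties["tombstoneLifetime"].Value

    $periodHours = if ($gcPeriod) { [int]$gcPeriod } else { 12 }
    $tslDays     = if ($tsl) { [int]$tsl } else { 'default (60 or 180)' }
    # A backup older than the tombstone lifetime must not be restored, because
    # it would reintroduce objects that every DC has already purged.
    $oldestBackup = if ($tsl) { (Get-Date).AddDays(-1 * [int]$tsl) } else { $null }

    [pscustomobject]@{
        DomainController       = $rootDse.Properties["dnsHostName"].Value
        GarbageCollPeriodHrs   = $periodHours
        TombstoneLifetimeDays  = $tslDays
        OldestRestorableBackup = $oldestBackup
    }
}

function Invoke-ADGarbageCollection {
    # Equivalent of the Ldp.exe modify: empty DN (rootDSE), attribute
    # DoGarbageCollection, value 1, operation Add. It only brings the next pass
    # forward; which tombstones are eligible is still governed by tombstoneLifetime.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $rootDse.Put("DoGarbageCollection", 1)
    $rootDse.SetInfo()
    # As the post notes, a pass can be pre-empted by replication and removes at
    # most 5,000 objects, so re-check and repeat if tombstones remain.
}

Get-ADGarbageCollectionSettings
Invoke-ADGarbageCollection
```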

What is the difference between online and offline defragmentation?

The NTDS.DIT file will often be a different size on each of the domain controllers in a domain. Remember that Active Directory is a multi-master model where updates occur independently on each domain controller, with the changes being replicated over time to the other domain controllers.

The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is mounted.

An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file is not something you should normally need to do. The database self-tunes: it automatically tombstones deleted records and then sweeps them away once the tombstone lifetime has passed, making that space available for additional records.

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.

So why defrag it in the first place?

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file by offline defragmentation, perform the following steps:

1. Back up Active Directory (AD).
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS.
4. The server starts in safe mode, with no DS running.
5. Use the local SAM's administrator account and password to log on.
6. You'll see a dialog box that says you're in safe mode. Click OK.
7. From the Start menu, select Run and type cmd.exe.
8. In the command window, you'll see the following text. (Enter the commands shown after each prompt.)

  C:\> ntdsutil
  ntdsutil: files
  file maintenance: info

  ....
  file maintenance: compact to c:\temp

You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.

Then, replace the old NTDS.DIT file with the new, compacted version. (Enter the command shown after the prompt.)

  C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Restart the computer, and boot as normal.

One last thing: you need to perform this operation on every DC, because changed data is replicated between domain controllers, not the database file itself.

What is Active Directory defragmentation?

Defragmentation of AD means separating the used space from the empty space created by deleted objects; it reduces the directory size only in the case of offline defragmentation.

What will happen if you do not perform the FSMO role seize in time?

FSMO Role Loss implications:

Schema: The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.

Domain Naming: Unless you are going to run DCPROMO, then you will not miss this FSMO role.

RID: Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.

PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.

Infrastructure: Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Why is it recommended to never turn a DC back on after a role has been seized from it?

With the PDC Emulator and Infrastructure roles, this doesn't apply; they're able to recover just fine from a seizure. With the rest (RID, Schema, and Naming), it's not that you can't transfer back. It's that the recommendation is to never turn a DC back on after the role has been seized from it. The risk is that the two DCs both think they own the role; divergent schema changes, overlapping RIDs, and overlapping domains in the forest are the potential results.

How difficult it is to create these scenarios is another matter entirely (knowledge of the seizure will replicate to the old role holder and it will cease thinking it's the master - broken replication/connectivity is needed to create any risk); the recommendation to not bring the old DC back online is made due to an abundance of caution on Microsoft's part.

If you have to seize a RID, Naming, or Schema master's role, the safe course is to do metadata cleanup and reinstall the OS.

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring.

However, when the original FSMO role holder has gone offline or become non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing.

To seize the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <server name>, where <server name> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance:Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
[Depending on the error code this may indicate a connection, ldap, or role transfer error.]
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as a Global Catalog server (unless every domain controller is a Global Catalog server). Because a GC server holds a partial replica of every object in the forest, an Infrastructure Master running on a GC never finds references to objects it does not hold, so it stops updating cross-domain object information.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

Another consideration before performing the seize operation is the administrator's group membership required for each role, as this list shows:

  • Schema: Schema Admins
  • Domain Naming: Enterprise Admins
  • RID: Domain Admins
  • PDC Emulator: Domain Admins
  • Infrastructure: Domain Admins

How can I determine who are the current FSMO Roles holders in my domain/forest?

How do you find out which DC is holding which FSMO role? This can be accomplished in several ways. Here is a list of a few available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following list summarizes the FSMO default locations (role: number of DCs holding this role; original DC holding the FSMO role):

  • Schema: one per forest; the first DC in the first domain in the forest (i.e. the Forest Root Domain).
  • Domain Naming: one per forest; the first DC in the first domain in the forest (i.e. the Forest Root Domain).
  • RID: one per domain; the first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain).
  • PDC Emulator: one per domain; the first DC in a domain (as for RID).
  • Infrastructure: one per domain; the first DC in a domain (as for RID).

Method #2: Use the GUI

The FSMO role holders can be easily found by using some of the AD snap-ins. Use this list to see which snap-in can be used for which FSMO role:

  • Schema: Schema snap-in
  • Domain Naming: AD Domains and Trusts snap-in
  • RID: AD Users and Computers snap-in
  • PDC Emulator: AD Users and Computers snap-in
  • Infrastructure: AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers node and click Operations Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done, click Close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts node and click Operations Masters.
3. When you're done, click Close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads, right-click it and click Operations Masters.
8. Click the Close button.

Method #3: Use the Ntdsutil command

The FSMO role holders can be easily found by using the Ntdsutil command.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <server name>, where <server name> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
7. At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

select operation target: List roles for connected server

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net


select operation target:

8. Type q 3 times to exit the Ntdsutil prompt.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by using the Netdom command.

  1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
  2. In the Command Prompt window, type netdom query /domain:<domain> fsmo
  3. Close the CMD window.
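As a further method, added here and not part of the original post, the ActiveDirectory PowerShell module (RSAT) reports the same five holders that Ntdsutil and Netdom list above, and can apply the placement rule from the seize notes: the Infrastructure Master should not sit on a Global Catalog unless every DC in the domain is a GC. It assumes the module is installed and the caller can read the domain; the function names are my own.

```powershell
# Added example, not from the original post. Lists the FSMO holders for a
# domain and flags an Infrastructure Master placed on a Global Catalog while
# some DC in the domain is not a GC (assumes the RSAT ActiveDirectory module).

Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles live on the forest object, per-domain roles on the domain.
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    # HostName and InfrastructureMaster are both FQDNs, so they compare directly.
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $dom.InfrastructureMaster
        IMIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        DCsThatAreNotGC      = $nonGc.HostName
        # The problem case from the post: IM on a GC while at least one DC is not a GC.
        Misplaced            = ([bool]$im.IsGlobalCatalog) -and ($nonGc.Count -gt 0)
    }
}

Get-FsmoRoleHolders
Test-InfrastructureMasterPlacement
```

Run it against each domain in the forest, since the RID, PDC Emulator and Infrastructure roles exist once per domain.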

Which FSMO role is responsible for changing group policy?

PDC Emulator.