
What are the differences between Enterprise Admins and Domain Admins groups in AD?

Enterprise Admins : This group exists only in the forest root domain. Members have full control of every domain in the forest. By default, the group is a member of the Administrators group on all domain controllers in the forest, and the forest root domain's Administrator account is its only member. Because the group has full control of the forest, add users with caution; in practice it should stay empty except while a forest-wide change (a schema update, adding or removing a domain) is actually being made.

Domain Admins : Members of this group have full control of their domain. By default, the group is a member of the Administrators group on all domain controllers and is added to the local Administrators group of every domain workstation and member server at the time it is joined to the domain. By default, the domain's Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
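Because both groups default to a single member, the useful check is "who else is in there, in every domain, including nested groups". The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and read access to the forest, and resolves both groups by well-known RID so it still works if someone renamed them.

```powershell
# Added example (not from the original page): enumerate the members of
# Enterprise Admins (forest root domain only) and of Domain Admins in every
# domain, recursively, and flag anything beyond the built-in Administrator.
# Assumes the RSAT ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

function Get-ForestAdminMembership {
    $forest = Get-ADForest
    $rows = foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Resolve the groups by well-known RID so a renamed group is still found:
        # 512 = Domain Admins (every domain), 519 = Enterprise Admins (root only).
        $targets = @(@{ Name = 'Domain Admins'; Sid = "$($domain.DomainSID)-512" })
        if ($domainName -eq $forest.RootDomain) {
            $targets += @{ Name = 'Enterprise Admins'; Sid = "$($domain.DomainSID)-519" }
        }
        foreach ($t in $targets) {
            try {
                $members = Get-ADGroupMember -Identity $t.Sid -Server $domainName -Recursive
            } catch {
                # Cross-domain or foreign-security-principal members can make -Recursive
                # fail; fall back to the direct member list rather than report nothing.
                $members = Get-ADGroupMember -Identity $t.Sid -Server $domainName
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    Domain   = $domainName
                    Group    = $t.Name
                    Member   = $m.SamAccountName
                    Class    = $m.objectClass
                    # RID 500 is the built-in Administrator, the only default member.
                    Expected = ($m.SID.Value -like '*-500')
                }
            }
        }
    }
    $rows
}

# Anything not Expected is standing privilege that someone added; review each entry.
Get-ForestAdminMembership | Where-Object { -not $_.Expected } | Sort-Object Domain, Group | Format-Table -AutoSize
```

Run it from a workstation that can reach a DC in each domain. Entries whose Class is not "user" (nested groups, computer accounts, managed service accounts) deserve a second look even when the nesting is intentional, because they extend the group's reach to whoever controls those objects.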


What is the Netlogon folder?

Sysvol is an important component of Active Directory. The Sysvol folder lives on an NTFS volume on every domain controller in a domain, is shared under the name SYSVOL, and is replicated between the domain controllers (by FRS, or by DFS Replication on newer domains). It is used to deliver Group Policy templates and logon scripts to domain members.

By default, Sysvol contains two folders. The Scripts folder is additionally shared under the name NETLOGON, which is where clients look for logon scripts:

  1. Policies - (default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
  2. Scripts - (default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)
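Anything that can write to the Scripts folder can drop a logon script that every domain member will execute, so the NTFS permissions on NETLOGON deserve a periodic check. The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, and the allow-list of expected principals is an assumption to adjust to your own baseline.

```powershell
# Added example (not from the original page): on every DC in the domain, list
# NTFS ACEs on the NETLOGON share that allow creating, changing or deleting
# files. Assumes the RSAT ActiveDirectory module; $expected is an assumed
# baseline, not a Microsoft default list.
Import-Module ActiveDirectory

# Rights that let a principal add or alter script content.
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Principals you accept as writers (assumption; tighten or extend to taste).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-NetlogonWriters {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $path = "\\$($dc.HostName)\NETLOGON"
        try {
            $acl = Get-Acl -Path $path
        } catch {
            Write-Warning "$path unreachable: $_"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Skip read-only ACEs such as Authenticated Users: Read & execute.
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                DC        = $dc.HostName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Expected  = ($expected -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Every row here is a principal that can change logon scripts on that DC.
Get-NetlogonWriters | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Because Sysvol replicates, a write on one DC spreads to all of them, which is why the loop covers every DC rather than one. Share-level permissions (Get-SmbShareAccess on each DC) sit on top of these NTFS ACEs and are worth checking in the same pass.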

What are the DR (disaster recovery) options when an AD DS server fails?

Restoring AD DS after reinstalling the operating system

If you reinstall the operating system, you can restore AD DS in one of the following ways:

  • Use Dcpromo (on Windows Server 2012 and later, the Install-ADDSDomainController cmdlet) to reinstall AD DS and allow replication from another, healthy domain controller in the domain to populate the new domain controller.
  • Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to bring the domain controller up to date. This method requires less replication than reinstalling AD DS, but the backup must be younger than the tombstone lifetime.
  • Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media (from a healthy DC with Ntdsutil) that can be used to install AD DS; like a backup, the media must be younger than the tombstone lifetime.
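The IFM path has two halves that the bullets above only name: creating the media on a healthy DC, and promoting the rebuilt server from it. The following is an added example, not code from the original page; host names, the domain name and paths are placeholders, and the age check is added here because a DC refuses media older than the tombstone lifetime.

```powershell
# Added example (not from the original page): create install-from-media (IFM)
# data on a healthy writable DC, check it is younger than the tombstone
# lifetime, then promote the rebuilt server from it. Host names, domain and
# paths are placeholders.

# --- On a healthy DC: write ntds.dit, registry data and SYSVOL to C:\IFM ---
ntdsutil "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit

# --- On the reinstalled server (copy C:\IFM there first) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory

function Test-IfmMediaAge {
    param(
        [Parameter(Mandatory)][string]$MediaPath,   # folder written by ntdsutil ifm
        [Parameter(Mandatory)][string]$Server       # any healthy DC to read config from
    )
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime -Server $Server
    # An unset attribute means the 60-day default applies.
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    # ntdsutil ifm places the database under "<media>\Active Directory\ntds.dit".
    $dit = Get-Item (Join-Path $MediaPath 'Active Directory\ntds.dit')
    $ageDays = ((Get-Date) - $dit.LastWriteTime).TotalDays
    [pscustomobject]@{
        MediaAgeDays          = [int]$ageDays
        TombstoneLifetimeDays = $tsl
        Usable                = ($ageDays -lt $tsl)
    }
}

$check = Test-IfmMediaAge -MediaPath 'C:\IFM' -Server 'dc01.corp.contoso.com'
if (-not $check.Usable) {
    throw "IFM media is $($check.MediaAgeDays) days old, older than the $($check.TombstoneLifetimeDays)-day tombstone lifetime; regenerate it."
}

# Promote from the media; only changes since the media was created replicate
# from dc01, which is the whole point of IFM on a slow link.
Install-ADDSDomainController -DomainName 'corp.contoso.com' `
    -InstallationMediaPath 'C:\IFM' `
    -ReplicationSourceDC 'dc01.corp.contoso.com' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force
```

"create sysvol full" includes Sysvol in the media; use "create full" if you only want the database and let Sysvol replicate normally. Treat the IFM folder like a backup of the directory: it contains every password hash in the domain, so encrypt it in transit and delete it once the promotion has succeeded.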

What is AD Database white space?

After an object is deleted it remains in the directory as a tombstone for the tombstone lifetime (60 or 180 days by default, depending on the operating system the forest was created with). The tombstone lifetime ensures that the tombstone is replicated to every DC, so that every DC knows the object is deleted. This is also why you cannot restore Active Directory from a backup that is older than the tombstone lifetime: it would reintroduce objects that were deleted in the meantime, and the other DCs no longer hold the tombstones that would tell them to delete those objects again.

The garbage collection process on every domain controller takes care that tombstones older than the tombstone lifetime are deleted permanently. By default, garbage collection runs every 12 hours on each DC. You can configure a different period by modifying the garbageCollPeriod attribute (a value in hours) of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com object.

Once the tombstone is permanently deleted, however, the NTDS.dit database file that contains Active Directory does not shrink. Instead, the new "white space" is reused for new objects. The only way to release the white space back to the file system is an offline defragmentation using Ntdsutil in Directory Services Restore Mode (or, from Windows Server 2008 on, with the AD DS service stopped).


How to force the Garbage Collection?

You can initiate garbage collection manually by using a published LDAP control. This doesn't alter which objects are collected, nor how many go into the dumpster per pass. It simply runs garbage collection right then rather than waiting until the next 12-hour interval has passed.

You can use LDP.EXE to do the garbage collection control. Here are the steps:

1. In Ldp.exe, after connecting and binding to the DC, click Modify on the Browse menu, and leave the Distinguished name (DN) box empty (an empty DN targets the rootDSE).

2. In the Edit Entry Attribute box, type "DoGarbageCollection" (without the quotation marks).

3. In the Values box, type "1" (without the quotation marks).

4. Set Operation to Add, click Enter, and then click Run.

It's possible that the garbage collection you start this way will stop in favor of more important tasks such as AD replication, just as the scheduled garbage collection does. If that happens, simply repeat the steps above until all expired tombstones have been removed.

The way garbage collection completes changed in Windows Server 2003 to improve storage conditions in the directory database. Garbage collection removes a maximum of 5,000 objects per pass to avoid indefinitely delaying other directory service tasks. However, the rate at which the remaining tombstones are deleted when more than 5,000 have expired improved from Windows 2000 Server to Windows Server 2003, as follows:

Windows 2000 Server: If collection stops because of the 5,000-object limit (rather than by running out of objects to collect), the next garbage collection pass is scheduled for half the normal garbage collection interval (by default, every 6 hours instead of 12 hours). Garbage collection continues running at this accelerated pace until all objects have been collected.

Windows Server 2003: Rather than waiting a set time to remove a subsequent set of 5,000 tombstones, a domain controller continues deleting tombstones according to CPU availability. If no other process is using the CPU, garbage collection proceeds. Removing tombstones in this way keeps the database size from increasing inordinately as a result of the inability of garbage collection to fully complete removal of all tombstones during a garbage collection interval.


Explain Active Directory database garbage collection process

Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. This process runs on every domain controller in the enterprise, by default every 12 hours. You can change this interval by modifying the garbageCollPeriod attribute on the Directory Service object in the configuration partition; because that partition replicates to every DC, the setting is forest-wide.

The path of the object in the Contoso.com domain would resemble the following:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM

Use an Active Directory editing tool to set the garbageCollPeriod attribute. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.

When an object is deleted, it is not removed from the Active Directory database. Instead, the object is stripped of most of its attributes and marked for deletion at a later date; such an object is called a tombstone. This mark is then replicated to the other domain controllers. The garbage collection process therefore starts by removing from the database the tombstones whose tombstone lifetime has expired. Next, it deletes transaction log files that are no longer needed. Finally, it starts an online defragmentation thread to consolidate free space within the database file.
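The three previous sections (white space, forcing garbage collection, and the garbage collection process) come down to two attributes on one configuration object plus one rootDSE modify. The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, and the DC name is a placeholder. The Invoke-DsGarbageCollection function performs the same rootDSE modify as the Ldp.exe steps above, just from a script.

```powershell
# Added example (not from the original page): read the tombstone lifetime and
# garbage-collection period, decide whether a backup is still restorable, and
# trigger an immediate garbage-collection pass via the rootDSE
# doGarbageCollection operational attribute. Assumes the RSAT ActiveDirectory
# module; DC names are placeholders.
Import-Module ActiveDirectory

function Get-DsHousekeeping {
    param([Parameter(Mandatory)][string]$Server)
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $dn  = "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $ds  = Get-ADObject -Identity $dn -Properties tombstoneLifetime, garbageCollPeriod -Server $Server
    [pscustomobject]@{
        Server                 = $Server
        DirectoryServiceDN     = $dn
        # Absent attributes mean the built-in defaults: 60 days and 12 hours.
        TombstoneLifetimeDays  = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
        GarbageCollPeriodHours = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
    }
}

function Set-DsGarbageCollPeriod {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][int]$Hours)
    if ($Hours -lt 1) { throw 'garbageCollPeriod is in hours and must be at least 1' }
    $dn = (Get-DsHousekeeping -Server $Server).DirectoryServiceDN
    # Lives in the configuration partition, so this replicates to every DC in the forest.
    Set-ADObject -Identity $dn -Replace @{ garbageCollPeriod = $Hours } -Server $Server
}

function Test-BackupRestorable {
    param([Parameter(Mandatory)][datetime]$BackupTime, [Parameter(Mandatory)][string]$Server)
    $tsl = (Get-DsHousekeeping -Server $Server).TombstoneLifetimeDays
    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    # Older than the tombstone lifetime: restoring would resurrect objects the
    # other DCs have already garbage-collected and can no longer delete again.
    [pscustomobject]@{
        AgeDays               = [int]$ageDays
        TombstoneLifetimeDays = $tsl
        Restorable            = ($ageDays -lt $tsl)
    }
}

function Invoke-DsGarbageCollection {
    param([Parameter(Mandatory)][string]$Server)
    # rootDSE modify: attribute doGarbageCollection, value 1, operation Add,
    # exactly what the Ldp.exe procedure does by hand. Requires admin rights on the DC.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('doGarbageCollection', '1')
    $rootDse.SetInfo()
    # A pass stops after 5,000 tombstones or when replication needs the CPU;
    # call again if the Directory Service log shows it ended early.
}

Get-DsHousekeeping -Server 'dc01.corp.contoso.com'
Test-BackupRestorable -BackupTime (Get-Date).AddDays(-45) -Server 'dc01.corp.contoso.com'
Invoke-DsGarbageCollection -Server 'dc01.corp.contoso.com'
```

Invoke-DsGarbageCollection only affects the DC you bind to; garbage collection is local to each DC, so run it per DC if you are trying to reclaim space everywhere. Set-DsGarbageCollPeriod, by contrast, changes a forest-wide setting, which is why it refuses values below one hour rather than silently writing something the DCs will ignore.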

What is the difference between online and offline de-fragmentation?

The size of NTDS.DIT will often differ across the domain controllers in a domain. Remember that Active Directory is a multi-master model: updates originate on each domain controller and are replicated over time to the other domain controllers.

It is the changed data that is replicated between domain controllers, not the database file, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 domain controllers perform an online defragmentation every 12 hours by default as part of the garbage collection process. This defragmentation only moves data around inside the database file (NTDS.DIT) and doesn't reduce the file's size: the database file cannot be compacted while Active Directory is running.

An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn't something you should normally need to do. The database self-tunes: deleted records are tombstoned, swept away once the tombstone lifetime has passed, and the space they occupied is reused for new records.

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.

So why defrag it in the first place?

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
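Before taking a DC offline for a compaction it is worth knowing how much white space the file actually holds. The following is an added example, not code from the original page. It relies on the "6 Garbage Collection" diagnostic registry value: at level 1, each garbage collection pass logs event 1646 in the Directory Service log with the free and allocated space of the database. The regular expressions assume the standard English event text, and the 20% threshold is an assumption, not a Microsoft recommendation.

```powershell
# Added example (not from the original page): estimate how much of ntds.dit is
# white space before deciding on an offline defragmentation. Run on the DC
# itself as an administrator. Regexes assume the English event 1646 text.
function Get-NtdsWhitespace {
    # Raise the diagnostic level so the next garbage-collection pass
    # (scheduled, or forced via rootDSE) writes event 1646.
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $diag -Name '6 Garbage Collection' -Value 1 -Type DWord

    # Actual file size, from the registry location AD DS uses (not a hard-coded path).
    $dit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $fileMB = [math]::Round((Get-Item $dit).Length / 1MB)

    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) {
        return [pscustomobject]@{
            Database = $dit; FileMB = $fileMB
            Note = 'No event 1646 yet; wait for (or force) the next garbage-collection pass'
        }
    }

    $free  = if ($evt.Message -match 'Free hard disk space \(MB\):\s*(\d+)')            { [int]$matches[1] } else { $null }
    $total = if ($evt.Message -match 'Total allocated hard disk space \(MB\):\s*(\d+)') { [int]$matches[1] } else { $null }

    [pscustomobject]@{
        Database      = $dit
        FileMB        = $fileMB
        AllocatedMB   = $total
        WhitespaceMB  = $free
        WhitespacePct = if ($total) { [math]::Round(100 * $free / $total, 1) } else { $null }
        MeasuredAt    = $evt.TimeCreated
        # Rule of thumb (assumption): an offline compaction is only worth the
        # downtime when a substantial share of the file is reclaimable.
        DefragWorthIt = ($total -and ($free -gt 0.2 * $total))
    }
}

Get-NtdsWhitespace
```

Set the diagnostic level back to 0 afterwards; at higher levels the NTDS categories become noisy. Because white space is per DC, measure on each DC you are considering compacting rather than extrapolating from one.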
To create a new, smaller NTDS.DIT file by offline defragmentation, perform the following steps:

  1. Back up Active Directory (system state).
  2. Reboot the server, select the OS entry, and press F8 for advanced options.
  3. Select the Directory Services Restore Mode option and press Enter; press Enter again to start the OS. The server starts in safe mode with no directory service running.
  4. Log on with the DSRM administrator account (the local SAM account whose password was set when the DC was promoted). You'll see a dialog box that says you're in safe mode; click OK.
  5. From the Start menu, select Run and type cmd.exe.
  6. In the command window, enter the commands shown after each prompt:

     C:\> ntdsutil
     ntdsutil: files
     file maintenance: info

     ....

     file maintenance: compact to c:\temp

     You'll see the defragmentation progress. If the process was successful, enter quit (twice) to return to the command prompt.

  7. Replace the old NTDS.DIT file with the new, compacted version:

     C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

  8. Restart the computer and boot normally.

On Windows Server 2008 and later the same ntdsutil session needs "activate instance ntds" before "files", and because AD DS is a restartable service there you can stop it instead of booting into DSRM. Whatever the version, keep the backup from step 1 until the DC has restarted and replicated, run ntdsutil's integrity check on the compacted file before copying it into place, and follow the instructions ntdsutil prints after the compaction, which include deleting the old transaction log files (*.log) from the NTDS folder so the database engine does not replay them against the new file.

One last thing: you need to perform this operation on every DC, because changed data is replicated between domain controllers, not the database file itself.

What is Active Directory De-fragmentation?

Defragmentation of AD means consolidating used space and reclaiming the empty space left by deleted objects. Online defragmentation (part of garbage collection) only rearranges pages inside the file; only offline defragmentation (ntdsutil compact) actually reduces the directory file's size.

What happens if you do not seize a lost FSMO role in time?

FSMO role loss implications:

Schema: The schema cannot be extended. In the short term nobody will notice a missing Schema Master unless a schema upgrade is planned during that time.

Domain Naming: Unless you are going to add or remove a domain in the forest (run DCPROMO for a new domain), you will not miss this role.

RID: Chances are good that the existing DCs have enough unused RIDs in their pools to last some time, unless you are creating hundreds of user or computer objects per week. Once a DC's pool is exhausted it can no longer create security principals.

PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no authoritative time source in the domain, you will probably not be able to edit or troubleshoot Group Policy (the management tools default to the PDC emulator), and password changes and account lockouts will become a problem because the PDC emulator receives urgent replication of them.

Infrastructure: Cross-domain group memberships may show up incomplete or stale. If you only have one domain, or every DC is a global catalog, there is no impact.

Why it is recommended to never turn a DC back on after the role has been seized from it?

For the PDC Emulator and Infrastructure roles this doesn't apply; they recover fine from a seizure. For the rest (RID, Schema and Domain Naming), it's not that you can't transfer the role back. It's that the recommendation is never to bring a DC back online after one of those roles has been seized from it. The risk is that both DCs believe they own the role; divergent schema changes, overlapping RID pools (two different security principals issued the same SID) and overlapping domain names in the forest are the potential results.

How hard it is to actually create those situations is another matter entirely: knowledge of the seizure replicates to the old role holder and it stops thinking it's the master, so broken replication or connectivity is needed to create any real risk. The recommendation not to bring the old DC back online is made out of an abundance of caution on Microsoft's part.

If you have to seize the RID, Domain Naming or Schema master role, the safe course is to keep the old holder off the network, remove its metadata from the directory with metadata cleanup, and reinstall the OS before the hardware is reused.
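The two previous questions leave three practical tasks unstated: finding out which DCs hold the roles and whether they still answer, measuring how close each DC is to running out of RIDs, and performing the seize plus metadata cleanup in the right order. The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, and the DC, site and domain names in the seize function are placeholders. The seize function is deliberately not called at the bottom: run it only after the old holder is confirmed unrecoverable.

```powershell
# Added example (not from the original page): FSMO holder reachability, per-DC
# RID pool headroom, and the seize + metadata-cleanup sequence for a DC that
# will never return. Assumes the RSAT ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHealth {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        # A holder that answers LDAP is fine; one that does not is a seizure candidate.
        $ldapUp = Test-NetConnection -ComputerName $r.Value -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $r.Key; Holder = $r.Value; LdapReachable = $ldapUp }
    }
}

function Get-RidPoolStatus {
    # Each DC's "RID Set" child object tracks the pool it is currently issuing from.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                               -Properties rIDPreviousAllocationPool, rIDNextRID
        # The pool is a 64-bit value: low 32 bits = first RID, high 32 bits = last RID.
        $pool = [uint64]$ridSet.rIDPreviousAllocationPool
        $last = [uint32]($pool -shr 32)
        $next = [uint32]$ridSet.rIDNextRID
        [pscustomobject]@{ DC = $dc.HostName; PoolEnd = $last; LastIssuedRID = $next; RIDsLeft = ($last - $next) }
    }
}

function Invoke-FsmoSeizure {
    param(
        [Parameter(Mandatory)][string]$NewHolder,     # e.g. 'DC02'
        [Parameter(Mandatory)][string]$DeadServerDN   # e.g. 'CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=contoso,DC=com'
    )
    # -Force transfers if the current holder answers and seizes if it does not,
    # so this is safe to run against a holder that is merely slow to respond.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
        -OperationMasterRole RIDMaster, SchemaMaster, DomainNamingMaster -Force
    # Remove the dead DC's metadata so nothing can ever reintroduce it as a role holder.
    ntdsutil "metadata cleanup" "remove selected server $DeadServerDN" quit quit
}

Get-FsmoHealth    | Format-Table -AutoSize
Get-RidPoolStatus | Format-Table -AutoSize
```

RIDsLeft is what answers the "enough unused RIDs to last some time" question above: divide it by your weekly rate of new users and computers on that DC. Note that a seized PDC Emulator or Infrastructure role would be passed to the same cmdlet; they are omitted from the seize function only because, as the text above says, the old holder of those two can safely return.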