Search This Blog

What do you understand by forests, trees, and domains?


The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same active directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible .

What is an enforced group policy object?

Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated with a scope of management (SOM) so that the associated GPO has a higher GPO precedence compared to non-enforced GPOs that are associated with the same SOM and compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a descendant SOM using the gpOptions attribute.

The “Enforced” within the GPMC controls how the Group Policy Object and the settings within the Group Policy Object are handled with regard to precedence of the settings. In short, when all GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have the highest precedence, then those linked to the domain, and finally those linked to Active Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. What this means is that if there is a conflicting setting within two GPOs at different levels, the setting within the highest precedence GPO will “win” and be applied over the setting in the GPO that has lower precedence.

What is the order in which GPOs are applied?

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object - Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

2. Site - Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain - Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units - GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

  • A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
  • A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
  • An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.

What are GPOs?

Group Policy Object (GPO) is a collection of settings that control the working environment of user accounts and computer accounts. GPOs defines registry-based polices, security options, software installation and maintenance options, scripts options, and folder redirection options.

Microsoft provides a program snap-in that allows you to use the Group Policy Microsoft Management Console (MMC). The selections result in a Group Policy Object. Group Policy Object Editor can be thought of as an application whose document type is the Group Policy object, just as a word processor might use .doc or .txt files.

There are two kinds of Group Policy objects: local and nonlocal. Local Group Policy objects are stored on individual computers. Only one local Group Policy object exists on a computer, and it has a subset of the settings that are available in a nonlocal Group Policy object. Local Group Policy object settings can be overwritten by nonlocal settings if they are in conflict; otherwise, both groups of settings apply. For more information, see Local Group Policy.

Nonlocal Group Policy objects, which are stored on a domain controller, are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the Group Policy object is associated.

What Are Lingering Objects?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If attempt to you restore a backup that is expired, you may encounter problems due to “lingering objects”.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.

How to Remove Lingering Objects

Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the console utility console utility REPADMIN.EXE. Use the command:

REPADMIN.EXE /removelingeringobjects .

Why cannot you restore a DC that was backed up 4 months ago?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If attempt to you restore a backup that is expired, you may encounter problems due to “lingering objects”.

How do you change the DS Restore admin password?

To Reset the DSRM Administrator Password

1. Click, Start, click Run, type ntdsutil, and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password.

3. At the DSRM command prompt, type one of the following lines:

o To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

-or-

o To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

4. At the DSRM command prompt, type q.

5. At the Ntdsutil command prompt, type q to exit.

How do you backup AD?

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. Backing up the Active Directory is done on one or more of your Active Directory domain Controllers (or DCs), and is performed by backing up the System State on those servers. The System State contains the local Registry, COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if it’s installed), Cluster database (if it’s installed), NTDS.DIT, and the SYSVOL folder.

Windows Server 2003

You can backup Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool that supports this feature.

Method #1: Using NTBACKUP

1. Open NTBACKUP by either going to Run, then NTBACKUP and pressing Enter or by going to Start -> Accessories -> System Tools.

2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode link.

3. Inside NTBACKUP's main window, click on the Backup tab.

4. Click to select the System State checkbox. Note you cannot manually select components of the System State backup. It's all or nothing.

5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is aware and properly configured to use it.

6. Press Start Backup.

7. The Backup Job Information pops out, allowing you to configure a scheduled backup job and other settings. For the System State backup, do not change any of the other settings except the schedule, if so desired. When done, press Start Backup.

8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.

9. When the backup is complete, review the output and close NTBACKUP.

10. Next, you need to properly label and secure the backup file/tape and if possible, store a copy of it on a remote and secure location.

Method #2: Using the Command Prompt

1. You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.

2. For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

Windows Server 2008

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools.

In Server 2008, there isn’t an option to backup the System State data through the normal backup utility . We need to go “command line” to backup Active Directory.

1. Open up your command prompt by clicking Start and type “cmd” and hit enter.

2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.

Note: You can use a different backup target of your choosing

3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

Windows Server 2008 R2

1. Open Windows Server Backup

2. In action panel click Backup Once

3. Different Options is Selected, click Next

4. Choose Custom, click Next

5. Click Add Items

6. Select System State, click Next

7. Specify Backup Destination, Local drive (Apart from System Volume) or Network Share

8. Click Backup to start System State Backup

9. You may close the wizard and the backup operation will continue to run in background.

How do you configure a "stand-by operation master" for any of the roles?

No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby operations master should be well connected . “Well connected” means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, creating a manual connection object between the standby domain controller and the operations master will ensure direct replication between the two operations masters. By making the operations master and the standby operations master direct replication partners, you reduce the chance of data loss in the event of a role seizure, which reduces the chance of directory corruption.

To ensure that the current operations master role holder and the standby operations master are replication partners, you can manually create connection objects between the two domain controllers. Even if a connection object is generated automatically, we recommend that you manually create a connection object on both the operations master and the standby operations master. The replication system can alter automatically created connection objects anytime. Manually created connections remain the same until an administrator changes them.

You can use this procedure to create the following:

  • A manual connection object that designates the standby server as the From Server on the NTDS Settings object of the operations master
  • A manual connection object that designates the operations master server as the From Server on the NTDS Settings object of the standby server

Administrative credentials

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Expand the site name in which the current operations master role holder is located to display the Servers folder.
  3. Expand the Servers folder to see a list of the servers in that site.
  4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object.
  5. Right-click NTDS Settings, click New, and then click Connection.
  6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK.
  7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.
  8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.

What is the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seizes the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.