
What is domain controller?

A domain controller is a server that has Active Directory Domain Services installed. By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A domain controller can also store one or more application directory partitions. There are also specialized domain controller roles that perform specific functions in an AD DS environment. These specialized roles include global catalog servers and operations masters.

What are domain, trees, and forest?

A domain is defined as a logical group of network objects (computers, users, devices) that share the same active directory database, security policies, and trust relationships with other domains. In this way, each domain is an administrative boundary for objects. A single domain can span multiple physical locations or sites and can contain millions of objects.

Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a domain to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain.

A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.

A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance. A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the forest is called the forest root domain. The name of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information that is contained in that instance of Active Directory.

What is Active Directory Domain Services?

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS).

What are Active Directory Logical and Physical Components?

Active Directory's physical structure is a hierarchical structure which follows

Forests -> Trees -> Domains -> Child Domains -> Grand Child etc.

Active Directory is logically divided into partitions:

  • Configuration partition
  • Schema partition
  • Domain partition
  • Application partition (introduced in Windows Server 2003; not available in Windows 2000)

What do you understand by forests, trees, and domains?

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same active directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

What is an enforced group policy object?

Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated with a scope of management (SOM) so that the associated GPO has a higher GPO precedence compared to non-enforced GPOs that are associated with the same SOM and compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a descendant SOM using the gpOptions attribute.

The “Enforced” option within the GPMC controls how a Group Policy Object and the settings within it are handled with regard to precedence. In short, when all GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have the highest precedence, then those linked to the domain, and finally those linked to Active Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. This means that if there is a conflicting setting within two GPOs at different levels, the setting within the highest-precedence GPO will “win” and be applied over the setting in the GPO that has lower precedence.

What is the order in which GPOs are applied?

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object - Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

2. Site - Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain - Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units - GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

  • A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
  • A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
  • An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.
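The processing order above, together with the link-order, enforced, disabled and Block Inheritance exceptions, can be modelled as a small resolver. This is an added example written for this page, not Microsoft code; the SOM names, GPO names and settings in `demo()` are constructed, and the link order follows the rule that the lowest link order within a SOM is processed last.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    link_order: int = 1        # position on the Linked Group Policy Objects tab; 1 is processed last
    enforced: bool = False     # "Enforced" link: cannot be blocked, processed after all others
    disabled: bool = False     # "Link Enabled" cleared: the link is skipped entirely
    settings: dict = field(default_factory=dict)

@dataclass
class Som:
    name: str                  # scope of management: site, domain or OU
    links: list
    block_inheritance: bool = False

def processing_order(local_gpo, soms):
    """soms are ordered as Group Policy processes them: site, domain, then OUs from the
    top of the hierarchy down to the OU containing the user or computer."""
    normal, enforced = [], []
    for depth, som in enumerate(soms):
        if som.block_inheritance:
            normal = []        # drops non-enforced GPOs inherited from higher SOMs only
        for link in sorted(som.links, key=lambda l: l.link_order, reverse=True):
            if not link.disabled:
                (enforced if link.enforced else normal).append((depth, link))
    # Enforced links are processed after every non-enforced one; when several SOMs
    # enforce, the one closest to the root is processed last and therefore wins.
    enforced.sort(key=lambda t: t[0], reverse=True)
    return [local_gpo] + [l for _, l in normal + enforced]

def effective_settings(order):
    result = {}
    for link in order:
        result.update(link.settings)   # later GPO wins a conflict; disjoint settings aggregate
    return result

def demo():
    """Constructed scenario: Block Inheritance on the Workstations OU, one enforced domain GPO."""
    local = Link("Local", settings={"screensaver_timeout": 1200, "usb_storage": "allow"})
    soms = [
        Som("Site HQ", [Link("SiteBaseline", settings={"screensaver_timeout": 900})]),
        Som("Domain", [Link("DomainSecurity", 1, enforced=True, settings={"password_min_length": 14}),
                       Link("DomainDefault", 2, settings={"screensaver_timeout": 600, "password_min_length": 8})]),
        Som("OU Workstations", [Link("WsHardening", settings={"password_min_length": 10, "usb_storage": "deny"})],
            block_inheritance=True),
        Som("OU Finance", [Link("FinanceApps", 1, settings={"usb_storage": "allow"}),
                           Link("Legacy", 2, disabled=True, settings={"usb_storage": "deny"})]),
    ]
    order = processing_order(local, soms)
    return [l.gpo for l in order], effective_settings(order)
```

Running `demo()` shows the site and default domain GPOs dropped by Block Inheritance, the disabled link skipped, and the enforced domain GPO still winning the password-length conflict against the OU that tried to block it.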

What are GPOs?

A Group Policy Object (GPO) is a collection of settings that control the working environment of user accounts and computer accounts. GPOs define registry-based policies, security options, software installation and maintenance options, script options, and folder redirection options.

Microsoft provides a snap-in, the Group Policy Object Editor, for the Microsoft Management Console (MMC). The selections made in it result in a Group Policy Object. Group Policy Object Editor can be thought of as an application whose document type is the Group Policy Object, just as a word processor might use .doc or .txt files.

There are two kinds of Group Policy Objects: local and nonlocal. Local Group Policy Objects are stored on individual computers. Only one local Group Policy Object exists on a computer, and it has a subset of the settings that are available in a nonlocal Group Policy Object. Local Group Policy Object settings can be overwritten by nonlocal settings if they are in conflict; otherwise, both groups of settings apply.

Nonlocal Group Policy objects, which are stored on a domain controller, are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the Group Policy object is associated.

What Are Lingering Objects?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems due to “lingering objects”.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.
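The tombstone lifetime and the restore problem it causes can be shown with a simplified two-DC model. This is an added example, not code from the page or from Windows; it ignores USNs, replication metadata and the real restore procedure and only tracks live objects and tombstones. The DC names, object names and day numbers are constructed.

```python
TOMBSTONE_LIFETIME_DAYS = 180   # the lifetime described above

class DomainController:
    def __init__(self, name, objects):
        self.name = name
        self.live = set(objects)   # objects present in this DC's copy of the directory
        self.tombstones = {}       # deleted object -> day of deletion

    def backup(self):
        return set(self.live), dict(self.tombstones)

    def restore(self, snapshot):
        self.live, self.tombstones = set(snapshot[0]), dict(snapshot[1])

    def delete(self, obj, day):
        # Deleting replaces the object with a tombstone placeholder
        self.live.discard(obj)
        self.tombstones[obj] = day

    def garbage_collect(self, day):
        # Tombstones older than the lifetime are purged; nothing then records the deletion
        self.tombstones = {o: d for o, d in self.tombstones.items()
                           if day - d < TOMBSTONE_LIFETIME_DAYS}

def replicate(src, dst, day):
    """Both DCs garbage-collect, then src's surviving tombstones delete the object on dst."""
    src.garbage_collect(day)
    dst.garbage_collect(day)
    for obj, deleted_on in src.tombstones.items():
        dst.live.discard(obj)
        dst.tombstones.setdefault(obj, deleted_on)

def restore_scenario(restore_day):
    """Constructed scenario: DC1 is backed up on day 0, 'stale-user' is deleted on DC2 on
    day 10, and DC1 is restored from that backup on restore_day. Returns DC1's live objects."""
    dc1 = DomainController("DC1", {"alice", "stale-user"})
    dc2 = DomainController("DC2", {"alice", "stale-user"})
    snapshot = dc1.backup()
    dc2.delete("stale-user", day=10)
    replicate(dc2, dc1, day=10)             # tombstone reaches DC1; object deleted everywhere
    dc1.restore(snapshot)                   # the deleted object is back on DC1
    replicate(dc2, dc1, day=restore_day)    # only a still-existing tombstone can remove it again
    return dc1.live

if __name__ == "__main__":
    print(restore_scenario(100))   # backup 100 days old: {'alice'}
    print(restore_scenario(200))   # backup 200 days old: {'alice', 'stale-user'} lingers
```

A restore inside the tombstone lifetime is repaired by normal replication; one outside it leaves DC1 holding an object no other DC knows was deleted, which is exactly the lingering object the section describes.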

How to Remove Lingering Objects

Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the console utility REPADMIN.EXE. Use the command:

REPADMIN.EXE /removelingeringobjects .

Why cannot you restore a DC that was backed up 4 months ago?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems due to “lingering objects”.