Windows Server 2003

Features of Windows Server 2003
• Multiple selection of directory objects
• Drag-and-drop functionality
• Efficient search capabilities
• Saved queries
• Install an additional domain controller (ADC) in an existing domain from backup media (Install from Media) instead of replicating the whole directory over the WAN
• Universal group membership caching
• Domain and forest functional levels
• Secure LDAP traffic (LDAP signing and LDAP over SSL)
• Active Directory quotas (limits on how many objects a security principal may own in a directory partition)
• Resultant Set of Policy (RSoP)
• Cross-forest support (forest trusts)
• Domain and domain controller renaming

Features of Windows Server 2008

• The main differences are virtualization (Hyper-V on the 64-bit editions) and the management features introduced in 2008.
• 2008 ships with more in-built components and updated third-party drivers.
• Performance: faster than Server 2003 (the often-quoted "45 times faster" is a marketing figure, not a measured benchmark).
• New power-saving features.
• Support for IPv6.
• IIS 7.0.

Difference between PDC & BDC

In Windows NT, the Primary Domain Controller (PDC) holds the only writable copy of the SAM database; each Backup Domain Controller (BDC) holds a read-only copy. Account changes such as password resets therefore require the PDC, but both the PDC and the BDCs can authenticate users. If the PDC fails, a BDC must be promoted to PDC manually from Server Manager.

Difference between DC & ADC

Functionally there is no difference between a domain controller (DC) and an additional domain controller (ADC): both hold a writable copy of the Active Directory database, and either can hold FSMO roles (if the roles are transferred to it). An ADC exists for load balancing and redundancy. When two physical sites in the same domain are separated by a WAN link, place an ADC in the remote site so that it acts as the domain controller for that site; this reduces WAN traffic and speeds up user authentication.

Difference between NT, Windows 2000 and 2003 servers:

Feature                     Windows NT 4      Windows 2000                          Windows Server 2003
Directory database          Flat (SAM)        Hierarchical (Active Directory)       Hierarchical (Active Directory)
FAT32 support               No                Yes                                   Yes
Plug and Play               No                Yes                                   Yes
Multi-master replication    No                Yes                                   Yes
Rename domain or DC         No                No                                    Yes
Authentication protocols    NTLM              NTLM, Kerberos                        NTLM, Kerberos
Number of objects           40,000            1,000,000                             1,000,000
DNS                         Manual update     Dynamic update (AD-integrated zone)   Dynamic update (AD-integrated zone)

Many more features were introduced in Windows 2000 that Windows NT lacks:
• NTFS v5 with disk quotas
• Remote Installation Services (RIS)
• Built-in VPN and NAT support
• USB support
• Distributed File System (DFS), clustering support, Internet Connection Sharing (ICS)

Active Directory: The Windows-based directory service. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process, and provides a single point of administration for all network objects.
Active Directory's default authentication protocol is Kerberos version 5 and its directory access protocol is the Lightweight Directory Access Protocol (LDAP) version 3.
When you install AD, the NTDS and SYSVOL folders are created.
The NTDS folder contains the AD database in a file named Ntds.dit, together with the database log files. The default location is %SystemRoot%\NTDS. Because Ntds.dit holds the password hashes of every account in the domain, a copy of this file (or of a backup containing it) is as sensitive as the domain itself.
The SYSVOL folder contains Group Policy templates and logon scripts and is replicated to every DC in the domain. The default location is %SystemRoot%\SYSVOL.

Verify an Active Directory Installation:

• Open Active Directory Users and Computers and verify that the Builtin, Computers, Users and ForeignSecurityPrincipals containers and the Domain Controllers OU appear.
• Open Active Directory Sites and Services and verify that the Default-First-Site-Name site appears.
• Verify that Ntds.dit, the Active Directory database, exists in the %SystemRoot%\NTDS folder.
• Verify that the Global Catalog is enabled (NTDS Settings properties of the server in Sites and Services).
• Run net accounts and check that Computer role is PRIMARY (or BACKUP on an additional DC).
• Run net share and check that SYSVOL and NETLOGON are shared.
• Check the SRV records (_ldap._tcp, _kerberos._tcp and _gc._tcp under the domain and under _msdcs) in the DNS console, or with nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>.
• Run dcdiag and netdiag (Support Tools) and confirm that all tests pass.

 The physical components of Active Directory are sites and domain controllers.
 The logical components of Active Directory are domains, OUs, trees, and forests.
 A Domain is a collection of computer, user, and group objects defined by
the administrator. These objects share a common directory database,
security policies, and security relationships with other domains.
 A Domain Controller is a computer running Windows Server 2003 that
stores a replica of the domain directory (local domain database). A domain
controller can service only one domain. A domain controller also
authenticates user logon attempts and maintains the security policy for a
domain.
 An OU is a container used to organize objects within a domain into a logical
administrative group. The primary reason for defining an OU is to delegate
administration.
 A Tree is a grouping or hierarchical arrangement of one or more domains
that you create by adding one or more child domains to an existing parent
domain.
 A Forest is a grouping or hierarchical arrangement of one or more separate,
completely independent domain trees.
 Recommended - 1 gigabyte (GB) of space to install Active Directory.
Minimum of 200 megabytes (MB) of disk space for the Active Directory
database and 50 MB for the log files.
 NSLOOKUP – the Command-line utility for verifying DNS.
 Group policies are collections of user and computer configuration settings
that can be linked to computers, sites, domains, and OUs to specify the
behavior of users’ desk-tops.
 The Network Connectivity Tester (Netdiag) is a command-line,
diagnostic tool that helps isolate networking and connectivity problems by
performing a series of tests to determine the state of a network client.
 The Domain Controller Diagnostic tool (Dcdiag) is a command-line,
diagnostic tool that analyzes the state of domain controllers in a forest or
enterprise and reports any problems.
 The Active Directory diagnostic tool (Ntdsutil) is a command-line tool
that provides management facilities for Active Directory.
 The Resultant Set of Policy (RSoP) is provided to make policy
implementation and troubleshooting easier.
 The distinguished name (DN) uniquely identifies the object and contains the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object (for example CN=John Smith,OU=Security1,DC=microsoft,DC=com).
 The relative distinguished name (RDN) is the part of an object's DN that is an attribute of the object itself (CN=John Smith in the example above). It needs to be unique only within its parent container.
 The globally unique identifier (GUID) is a 128-bit value assigned when the object is created and guaranteed to be unique within the enterprise. Unlike the DN, it never changes when the object is renamed or moved, so applications should reference objects by GUID rather than by DN.
 The user principal name (UPN) consists of a user account name and a domain name identifying the domain in which the user account is located, in the form user@domain.
 File Transfer Protocol (FTP) is a standard way to transfer files between computers, with built-in error checking. Like Telnet, FTP sends credentials and data in clear text.
 TELNET is a terminal emulation protocol that enables a user to connect to a remote host or device using a Telnet client. Telnet is considered insecure because it transfers all data, passwords included, in clear text.
The port numbers are divided into three ranges:
 The Well Known Ports are those from 0 through 1023.
 The Registered Ports are those from 1024 through 49151.
 The Dynamic and/or Private Ports are those from 49152 through 65535.
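The DN and RDN definitions above are easy to get wrong in code: an RDN value may itself contain a comma, escaped with a backslash, so splitting a DN on commas names the wrong object. The following is an added example, not part of the original notes, showing an RFC 4514-aware splitter plus helpers that derive the RDN, the holding domain and a UPN from a DN. The sample DNs and the account name jsmith are constructed for the demonstration.

```python
"""Splitting an Active Directory distinguished name (DN) into its RDNs.

Added example, not from the original notes: a small RFC 4514-aware splitter
that honours backslash escapes, and helpers deriving the RDN, the holding
domain and a UPN from a DN. The sample DNs below are constructed.
"""


def split_dn(dn):
    """Split a DN into its RDN strings, treating '\\,' as part of a value.

    A naive dn.split(",") breaks on values such as 'Smith\\, John', so code
    that builds ACLs or LDAP filters from a DN that way would name the wrong
    object. Escapes are kept in the output, not decoded.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash: literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # an unescaped comma separates RDNs
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(buf).strip())
    if any(not p or "=" not in p for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return parts


def rdn(dn):
    """The relative distinguished name: the leftmost RDN, naming the object itself."""
    return split_dn(dn)[0]


def domain_of(dn):
    """DNS name of the domain holding the object, built from its DC= components."""
    labels = []
    for part in split_dn(dn):
        attr, value = part.split("=", 1)
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    if not labels:
        raise ValueError(f"DN has no DC= components: {dn!r}")
    return ".".join(labels)


def upn(account_name, dn):
    """User principal name (user@domain) for an account with the given DN."""
    return f"{account_name}@{domain_of(dn)}"


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Security1,DC=microsoft,DC=com"  # constructed
    print("naive split :", sample.split(","))
    print("RDNs        :", split_dn(sample))
    print("RDN         :", rdn(sample))
    print("domain      :", domain_of(sample))
    print("UPN         :", upn("jsmith", sample))
```

Running it shows the naive split producing five fragments for a four-component DN, while split_dn keeps "CN=Smith\, John" intact as the RDN and still derives microsoft.com from the DC= components.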

Port No.     Protocol
20, 21       File Transfer Protocol [FTP] (data, control)
23           Telnet
25           Simple Mail Transfer Protocol [SMTP]
53           Domain Name System [DNS]
80           Hypertext Transfer Protocol [HTTP]
88           Kerberos
110          Post Office Protocol [POP3]
143          IMAP4
389          Lightweight Directory Access Protocol [LDAP]
443          HTTP over SSL/TLS [HTTPS]
546          Dynamic Host Configuration Protocol [DHCPv6 client]
547          Dynamic Host Configuration Protocol [DHCPv6 server]
636          LDAP over SSL [LDAPS]
3268         Global Catalog LDAP
3269         Global Catalog LDAP over SSL
3389         Remote Desktop Protocol [RDP]

The De-Militarized Zone (DMZ) is a perimeter network segment between the Internet and the internal network. Servers that must be reachable from outside (web, mail, DNS) are placed there, and the firewall rules stop hosts outside the local or wide area network from reaching data and services that are for internal use only; a compromised DMZ host should not gain a direct path into the internal network.
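A practical use of the port table: when a workstation cannot join or log on to the domain, or when a DC sits behind a firewall or in a DMZ, the first question is which of these ports are actually reachable. The following is an added example, not from the original notes: a small TCP reachability checker for the DC ports. It uses the ports from the table plus 135 (RPC endpoint mapper), 445 (SMB, used for SYSVOL and NETLOGON) and 636 (LDAP over SSL), which the table does not list; the host name dc1.example.com is an assumed placeholder.

```python
"""TCP reachability check for the ports a domain member needs on a DC.

Added example, not from the original notes. The port list follows the table
above, plus 135 (RPC endpoint mapper), 445 (SMB, used for SYSVOL/NETLOGON)
and 636 (LDAP over SSL), which the table does not list. The default host
name dc1.example.com is an assumed placeholder.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

DC_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL, NETLOGON)",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAP over SSL",
    3389: "RDP",
}

# Without these a workstation cannot complete a domain logon at all:
# DNS to locate the DC, Kerberos for the TGT, LDAP for the site/GPO lookup,
# SMB to read the Group Policy templates from SYSVOL.
LOGON_CRITICAL = (53, 88, 389, 445)


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, unknown host
        return False


def check_dc(host, ports=DC_PORTS, timeout=2.0):
    """Probe every port in `ports` in parallel; returns {port: is_open}."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
        return dict(results)


def missing_for_logon(results):
    """The logon-critical ports that were found closed, sorted."""
    return sorted(p for p in LOGON_CRITICAL if not results.get(p, False))


def local_listener():
    """Throwaway listener on 127.0.0.1 for trying the checker offline.

    Returns (port, close); call close() when done. The socket never accepts,
    but the kernel completes the handshake, which is all a reachability
    probe observes (the same holds for a listening but unresponsive service).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"  # assumed name
    status = check_dc(host)
    for port in sorted(status):
        print(f"{port:>5}  {DC_PORTS[port]:<30} {'open' if status[port] else 'CLOSED'}")
    print("logon-critical ports missing:", missing_for_logon(status) or "none")
```

A TCP connect only proves that something answers on the port; it does not prove that the service behind it is the DC's LDAP or Kerberos, so follow a positive result with nslookup for the SRV records and dcdiag as listed in the verification steps above.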

Master Boot Record (MBR) is the first sector of the computer hard disk drive, used to determine from which partition a computer will boot. The MBR tells the computer where to find and how to load the operating system.
LMHOSTS: A local hosts file used by Microsoft WINS clients such as Windows 98 or Windows NT to map IP addresses to NetBIOS computer names. The file is located in Windows\System32\drivers\etc (Windows XP, Windows 98) or Winnt\System32\drivers\etc (Windows 2000, Windows Server 2003), that is, %SystemRoot%\System32\drivers\etc.

A global catalog (GC) server is a domain controller that holds a master searchable database containing information about every object in every domain in a forest. The global catalog holds a complete replica of all objects in Active Directory for its own domain, and a partial replica (a subset of attributes) of all objects in every other domain in the forest.
It has two important functions:
o Provides universal group membership information during logon and authentication.
o Helps users locate resources anywhere in the forest.

By default, the first DC in the first domain in the first tree of the AD forest (the forest root domain) is configured as a GC.

o Every forest requires at least one global catalog server. In a Windows 2000 native or later domain, if no GC is reachable, ordinary users cannot log on because their universal group membership cannot be evaluated; members of the Domain Admins group can still log on.
o GC servers speed up directory queries, support logon and provide data for applications such as Exchange Server.
o Microsoft documentation suggests placing a global catalog server in each site. GC lookups use port 3268 (3269 over SSL).
o If a site does not contain a GC server, configure universal group membership caching on that site's DC so that logons are not denied when the WAN link to the GC is down.
o Universal group membership caching is populated from a GC at a user's first logon and refreshed periodically, so it does not help if no GC was ever reachable from the site. A user who has previously logged on at his computer can still log on with cached credentials, but cannot access network resources.

To configure a Windows 2003 Domain Controller as a GC server, perform the following steps:
1. From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services.
2. Expand the Sites branch.
3. Select the site that owns the server, and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings and select Properties.
6. Select or clear the Global Catalog checkbox.
7. Click Apply, then OK.

You must allow time for the GC to replicate throughout the forest. This can take anywhere from 10-15 minutes to several days, depending on the AD infrastructure. Do not enable the GC on the DC that holds the Infrastructure Master role unless every DC in the forest is a GC (see the FSMO roles section below).
Domain Functional Level: It provides a way to enable domain-wide Active Directory features within your network environment.
Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
• Windows 2000 mixed allows a Windows Server 2003 DC to coexist with domain controllers in the same domain running Windows NT 4, Windows 2000, or Windows Server 2003.
• Windows 2000 native allows only Windows 2000 and Windows Server 2003 domain controllers in the domain (universal groups, group nesting and SID history become available).
• Windows Server 2003 interim allows only Windows NT 4 and Windows Server 2003 domain controllers in the domain (used when upgrading an NT 4 domain directly to Windows Server 2003).
• Windows Server 2003 allows only Windows Server 2003 domain controllers in the domain (enables domain controller rename, the lastLogonTimestamp attribute and constrained delegation, among others).
 The change in domain functional level is one-way only; you cannot go back from Windows 2000 native or Windows Server 2003 to Windows 2000 mixed or Windows Server 2003 interim.

To change the domain functional level to Windows 2000 native or Windows Server 2003, complete the following steps:
1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the domain and then click Raise Domain Functional Level.
3. In the Raise Domain Functional Level dialog box, in the Select an Available Domain Functional Level list, select the level you want. Click Raise.
4. In the Raise Domain Functional Level message box, click OK.

Forest Functional Level: It provides a way to enable forest-wide Active Directory features within your network environment.
Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.
• Windows 2000 allows domain controllers in the forest running Windows NT 4, Windows 2000, or Windows Server 2003.
• Windows Server 2003 interim allows only domain controllers running Windows NT 4 or Windows Server 2003.
• Windows Server 2003 allows only domain controllers running Windows Server 2003, and enables forest trusts, domain rename, linked-value replication and improved replication topology (KCC/ISTG) scalability.
All domains in the forest must already be at the Windows 2000 native level or higher before the forest functional level can be raised to Windows Server 2003.

To change the forest functional level to Windows Server 2003, complete the following steps:
1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the Active Directory Domains and Trusts node and then click Raise Forest Functional Level.
3. In the Raise Forest Functional Level dialog box, click Raise, and then click OK.
Forest characteristics:
• All domains in a forest share a common schema and a common global
catalog.
• All domains in a forest are linked by implicit two-way transitive trusts.
• Trees in a forest have different naming structures, according to their
domains.
• Domains in a forest operate independently, but the forest enables
communication across the entire organization.

Backup: A duplicate copy of a program, a disk, or data.

Backup type: Determines which files are backed up and whether they are marked as having been backed up (archive attribute cleared).
There are five backup types: Copy, Daily, Differential, Incremental and Normal.
Copy backup: A backup that copies all selected files but does not mark each file
as having been backed up (in other words, the archive attribute is not cleared).
Copying is useful if you want to back up files between normal and incremental
backups because copying does not affect these other backup operations.
Daily backup: A backup that copies all selected files that have been modified the
day the daily backup is performed. The backed-up files are not marked as having
been backed up (in other words, the archive attribute is not cleared).
Differential backup: A backup that copies files created or changed since the last
normal or incremental backup. It does not mark files as having been backed up (in
other words, the archive attribute is not cleared). If you are performing a
combination of normal and differential backups, restoring files and folders requires
that you have the last normal as well as the last differential backup.
Incremental backup: A backup that copies only those files created or changed
since the last normal or incremental backup. It marks files as having been backed
up (in other words, the archive attribute is cleared). If you use a combination of
normal and incremental backups to restore your data, you will need to have the
last normal backup and all incremental backup sets.
Normal backup: A backup that copies all selected files and marks each file as
having been backed up (in other words, the archive attribute is cleared). With
normal backups, you need only the most recent copy of the backup file or tape to
restore all of the files. You usually perform a normal backup the first time you
create a backup set.
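The five definitions above differ in two things only: which files are selected (all, modified today, or archive bit set) and whether the archive bit is cleared afterwards. Those two rules decide which tapes a restore needs, and getting the chain wrong is how a differential-only rotation silently loses data. The following is an added example, not from the original notes: a simulation of the archive attribute across a constructed work week that runs each backup type and then derives the set of backups a full restore requires. The file names, dates and schedule are constructed.

```python
"""Simulating the five Ntbackup backup types and the NTFS archive attribute.

Added example, not from the original notes. It models how each type selects
files and whether it clears the archive bit, then derives which backup sets a
full restore needs. The files, dates and the week's schedule are constructed.
"""
import datetime as dt
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified: dt.date
    archive: bool = True   # NTFS sets the archive bit whenever a file is created or changed


def touch(files, name, today):
    """Simulate the OS creating or modifying a file: updates mtime, sets the archive bit."""
    for f in files:
        if f.name == name:
            f.modified, f.archive = today, True
            return f
    f = File(name, today)
    files.append(f)
    return f


def run_backup(files, kind, today):
    """Back up `files` with one Ntbackup type; returns the sorted names copied.

    Only normal and incremental backups 'mark files as backed up' (clear the
    archive bit); copy, daily and differential leave it set.
    """
    if kind in ("normal", "copy"):
        selected = list(files)
    elif kind == "daily":
        selected = [f for f in files if f.modified == today]
    elif kind in ("differential", "incremental"):
        selected = [f for f in files if f.archive]
    else:
        raise ValueError(f"unknown backup type: {kind!r}")
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def sets_needed_for_restore(history):
    """Indices into `history` (list of (kind, date), chronological) for a full restore.

    Rule: the last normal backup, every incremental after it, and the last
    differential if it is newer than the last incremental. Copy and daily
    backups never form part of the restore chain.
    """
    normals = [i for i, (kind, _) in enumerate(history) if kind == "normal"]
    if not normals:
        raise ValueError("no normal backup: nothing to anchor a restore on")
    base = normals[-1]
    later = range(base + 1, len(history))
    incs = [i for i in later if history[i][0] == "incremental"]
    diffs = [i for i in later if history[i][0] == "differential"]
    needed = [base] + incs
    if diffs and (not incs or diffs[-1] > incs[-1]):
        needed.append(diffs[-1])
    return needed


def scenario():
    """One constructed work week; returns (per-backup log, restore chain)."""
    def day(d):
        return dt.date(2003, 6, d)
    files = [File("a.doc", day(1)), File("b.xls", day(1)), File("c.txt", day(1))]
    log, history = [], []

    def backup(kind, today):
        log.append((kind, run_backup(files, kind, today)))
        history.append((kind, today))

    backup("normal", day(2))            # Mon: everything, archive bits cleared
    touch(files, "a.doc", day(3))
    backup("differential", day(3))      # Tue: a
    touch(files, "b.xls", day(4))
    backup("copy", day(4))              # Wed: everything, archive bits untouched
    backup("differential", day(4))      # Wed: a and b are still flagged
    backup("incremental", day(5))       # Thu: a and b, archive bits cleared
    touch(files, "c.txt", day(6))
    backup("daily", day(6))             # Fri: only today's change
    backup("differential", day(6))      # Fri: c (a and b were cleared on Thu)
    return log, sets_needed_for_restore(history)


if __name__ == "__main__":
    log, chain = scenario()
    for i, (kind, names) in enumerate(log):
        print(f"{i}: {kind:<12} -> {names}")
    print("restore needs sets:", chain)
```

The scenario shows the two points that matter operationally: the Wednesday copy backup changes nothing about Thursday's incremental, and once an incremental has run, the earlier differentials are redundant, so a Friday restore needs Monday's normal, Thursday's incremental and Friday's differential only.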
 For Windows Server 2003, the system state data comprises the
• Registry
• COM+ Class Registration database
• System boot files
• Files under Windows File Protection
• Certificate Services database (if the server is a certificate server)
• Active Directory and the Sysvol directory (if the server is a domain
controller)
 To restore the system state data on a domain controller, you must first start
your computer in a special safe mode called directory services restore
mode. This allows you to restore the Sysvol directory and Active Directory
directory services database.
 The default method of restoring the system state data to a domain controller
is nonauthoritative.

Non-authoritative Restore: A restore operation performed on an Active Directory domain controller in which the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.

Authoritative Restore: A type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.

To non-authoritatively restore Active Directory, complete the following steps:
1. Restart the computer.
2. During the phase of startup where the operating system is normally selected, press F8.
3. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that Active Directory is not running on the domain controller while the restore is performed.
4. Log on as Administrator.
o Note: When you restart the computer in Directory Services Restore Mode, you must log on as Administrator by using the local Security Accounts Manager (SAM) account and the Directory Services Restore Mode password, not the Active Directory Administrator's name and password. This is because Active Directory is offline and account verification against it cannot occur; the local SAM database controls access while AD is offline. You specified this password when you promoted the server with Dcpromo. Treat the DSRM password like a domain administrator password: anyone who knows it can boot the DC into this mode and read or modify Ntds.dit.
5. In the Desktop message box that warns you that Windows is running in safe mode, click OK.
6. Point to Start, All Programs, Accessories, System Tools, and then select Backup.
7. On the Welcome to the Backup or Restore Wizard page, click Next.
8. On the Backup or Restore page, select Restore Files and Settings. Click Next.
9. On the What to Restore page, expand the media type that contains the data that you want to restore in the Items to Restore box, or click Browse. The media can be either tape or file. Expand the appropriate media set until the data that you want to restore is visible. Select the data you want to restore, such as System State, and then click Next.
10. Ensure that the media containing the backup file is in the correct location.
11. On the Completing the Backup or Restore Wizard page, do one of the following:
o Click Finish to start the restore process. The Backup or Restore Wizard requests verification for the source of the restore data and then performs the restore, displaying status information as it runs.
o Click Advanced to specify advanced restore options. Refer to the next section, "Specifying Advanced Restore Settings for a Nonauthoritative Restore", for details.
12. In the Warning message box that warns you that restoring System State will always overwrite the current System State, click OK.
13. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete you can choose to view the report, which contains information such as the number of files restored and the duration of the restore.
14. Close the report when you have finished viewing it and then click Close to close the restore operation.
15. When prompted to restart the computer, click Yes.

Performing an Authoritative Restore

An authoritative restore follows a nonauthoritative restore and designates the entire directory, a subtree, or individual objects as authoritative with respect to the replica domain controllers in the forest. The Ntdsutil utility marks the restored objects as authoritative by raising their version numbers so that they win replication conflicts, thereby overwriting the existing copies of those objects throughout the forest.
To authoritatively restore Active Directory, complete the following steps:
1. Perform a nonauthoritative restore as described previously.
2. Restart the computer.
3. During the phase of startup where the operating system is normally selected, press F8.
4. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that Active Directory is not running on the domain controller.
5. Log on as Administrator (with the Directory Services Restore Mode password).
6. In the Desktop message box that warns you that Windows is running in safe mode, click OK.
7. Point to Start, and then select Command Prompt.
8. At the command prompt, type ntdsutil and press Enter.
9. At the ntdsutil prompt, type authoritative restore and press Enter.
10. At the authoritative restore prompt, do one of the following:
o To authoritatively restore the entire directory, type restore database and press Enter. Treat this as a last resort: it rolls back every change made in the domain since the backup, including user password changes and computer account password rotations.
o To authoritatively restore a portion or subtree of the directory, such as an OU, type restore subtree followed by the OU's distinguished name (in quotation marks if it contains spaces) and press Enter.
For example, to restore the Security1 OU in the microsoft.com domain, the commands would be
ntdsutil
authoritative restore
restore subtree "OU=Security1,DC=microsoft,DC=com"
11. Type quit and press Enter to exit the Ntdsutil utility and close the Command Prompt window. Replication propagates the authoritatively restored object(s) to the other domain controllers in the forest: the deleted objects that were marked as authoritative are replicated from the restored domain controller to the other domain controllers. Because the restored objects keep the same object GUID and object SID, security remains intact and object dependencies are maintained.
12. Restart the domain controller in normal mode and connect the restored domain controller to the network. When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller
-------------------------------------------------------------------------------------------------------------------
------------------
 A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID).
To rename a domain controller (requires the Windows Server 2003 domain functional level):
1. Click Start, and then click Command Prompt.
2. At the command prompt, type: netdom computername CurrentComputerName /add:NewComputerName (both names as fully qualified DNS names, for example dc1.microsoft.com).
3. Wait for the replication latency interval to ensure replication of the registered DNS host (A) resource record(s) to all authoritative DNS servers.
4. At the command prompt, type: netdom computername CurrentComputerName /makeprimary:NewComputerName
5. Restart the computer.
6. Wait for the domain controller locator resource records to replicate to all authoritative DNS servers. These records are registered by the domain controller after the renamed domain controller has been restarted and contain the new computer name. The records that are registered are listed on the domain controller in the %SystemRoot%\System32\Config\Netlogon.dns file.
7. To ensure that the domain controller has been successfully renamed, make the following checks:
o Click Start, point to Control Panel, and then click System. On the Computer Name tab, verify that the correct name appears after Full Computer Name. Click Cancel.
o Click Start, and then click Command Prompt. At the command prompt, list the names the computer is currently configured with by typing: netdom computername NewComputerName /enumerate. Note that at this point the domain controller has two names.
8. At the command prompt, type: netdom computername NewComputerName /remove:OldComputerName. This action removes the old domain controller name.
Flexible Single Master Operation (FSMO) Roles:
Active Directory is multi-master, but a few operations would conflict if two DCs performed them at the same time, so each is restricted to a single holder per forest or per domain. There are five FSMO roles, held by one or more domain controllers: two forest-wide (Schema Master, Domain Naming Master) and three per domain (RID Master, PDC Emulator, Infrastructure Master).

Schema Master (forest-wide; managed with the Active Directory Schema snap-in)
  Function: controls all updates and modifications to the schema.
  Role failed: the schema cannot be modified and the forest functional level cannot be raised.
  Availability: can remain offline indefinitely until a schema change is necessary.
  Seizure: the original holder must never be brought back online after the role has been seized; it must be decommissioned (reinstalled).
  Placement: for simplicity the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

Domain Naming Master (forest-wide; Active Directory Domains and Trusts snap-in)
  Function: controls the addition or removal of domains in the forest, so it is needed when the first DC of a new domain is promoted or the last DC of a domain is demoted.
  Role failed: domains cannot be added to or removed from the forest.
  Availability: can remain offline indefinitely until a domain must be added or removed.
  Seizure: the original holder must never be brought back online after the role has been seized; it must be decommissioned.
  Placement: as for the Schema Master.

RID Master (per domain; Active Directory Users and Computers snap-in)
  Function: hands out pools of relative identifiers (RIDs) to the DCs of its domain; every new user, group or computer receives a SID made of the domain SID plus a RID taken from the creating DC's pool.
  Role failed: a DC that exhausts its RID pool can no longer create users, groups or computers.
  Availability: because each DC receives a sizeable pool of RIDs (500 by default) from the RID Master, creation continues until the pools run out, so the outage is not noticed immediately.
  Seizure: the original holder must never be brought back online after the role has been seized (it could hand out RIDs already allocated, producing duplicate SIDs); it must be decommissioned.
  Placement: PDC Emulator and RID Master should be on the same machine, because the PDC Emulator is a large consumer of RIDs.

PDC Emulator (per domain; Active Directory Users and Computers snap-in)
  Function: emulates a Windows NT 4.0 PDC for down-level clients and BDCs; is the root time server for synchronizing the clocks of all Windows computers in the forest (the PDC Emulator of the forest root domain); is the Domain Master Browser; receives password changes preferentially and handles password discrepancies. Any time a user enters an incorrect password, the authenticating DC forwards the request to the PDC Emulator for a second opinion before rejecting it, and account lockout is processed here.
  Role failed: down-level clients cannot log on, password changes and account lockout do not work reliably, time synchronization fails, and the domain functional level cannot be raised.
  Availability: the most immediate impact on normal operation and on users if it becomes unavailable.
  Seizure: the original holder can be brought back online and the role transferred back to it.

Infrastructure Master (per domain; Active Directory Users and Computers snap-in)
  Function: updates references from objects in its domain to objects in other domains, in particular the names of group members that belong to other domains.
  Role failed: cross-domain group membership information becomes stale; the failure is noticed by administrators, not by users.
  Seizure: the original holder can be brought back online and the role transferred back to it.
  Placement: this role must not be on a GC unless the forest has only one domain or every DC in the forest is a GC. A GC already holds a partial replica of every object and so never creates the phantom records the Infrastructure Master compares against; hosted on a GC, the role silently stops detecting stale references.

Schema - The set of definitions for the universe of objects that can be stored in
a directory.

Netdom Query FSMO - Command-line utility to verify which domain controllers hold the FSMO roles (netdom query fsmo).

Purpose of distributing FSMO roles: To reduce single points of failure and improve performance.

Recognizing Operations Master failures:
1. Examine the Directory Service event log.
2. Perform a function managed by the master and observe that it fails.

Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
3. Do one of the following:
   • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
3. Do one of the following:
   • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer or Seize the FSMO roles:

To transfer or seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to the domain controller that you are assigning FSMO roles to. The logged-on user must be a member of the Schema Admins group to transfer the Schema Master, a member of the Enterprise Admins group to transfer the Domain Naming Master, or a member of the Domain Admins group of the domain where the PDC Emulator, RID Master and Infrastructure Master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role (or seize role), where role is the role that you want to transfer: schema master, domain naming master, rid master, infrastructure master, or pdc. For a list of roles, type ? at the fsmo maintenance prompt and press ENTER. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator. Even when you type seize, Ntdsutil first attempts a normal transfer and falls back to seizing only if the current holder cannot be contacted.
Seize a role only when the current holder is permanently unavailable. A domain controller from which the Schema Master, Domain Naming Master or RID Master was seized must never be brought back online; reinstall it.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
-------------------------------------------------------------------------------------------------------------------
------------------
A trust is a logical relationship established between domains to allow pass-
through authentication, in which a trusting domain honors the logon
authentications of a trusted domain.
Trust Types
o Tree-root trust: Implicitly (automatically) established when you add a new
tree root domain to a forest. The trust is transitive and two-way.
o Parent-child trust: Implicitly (automatically) established when you add a new
child domain to a tree. The trust is transitive and two-way.
o Shortcut trust: Explicitly (manually) created by a systems administrator
between two domains in a forest to improve user logon times. The trust is
transitive and can be one- or two-way. A shortcut trust may also be referred to
as a cross-link trust.
o Realm trust: Explicitly (manually) created by a systems administrator
between a non-Windows Kerberos realm and a Windows Server 2003 domain.
This trust provides interoperability between Windows Server 2003 and any
realm used in Kerberos version 5 implementations. It can be transitive or
nontransitive and one- or two-way.
o External trust: Explicitly (manually) created by a systems administrator
between Windows Server 2003 domains that are in different forests or between
a Windows Server 2003 domain and a domain whose domain controller is
running Windows NT 4 or earlier. This trust provides backward compatibility
with Windows NT environments. The trust is nontransitive and can be one- or
two-way.
o Forest trust: Explicitly (manually) created by a systems administrator
between two forest root domains. If a forest trust is two-way, it effectively
allows all authentication requests made from one forest to reach another. The
trust is transitive between two forests only and can be one- or two-way.
 A Site is a set of IP subnets connected by a highly reliable and fast link,
usually a LAN.
 The main purpose of a site is to physically group computers to optimize
network traffic.
 For optimum network response time and application availability, place at
least one domain controller in each site or two domain controllers in each
domain.
 Use the Active Directory Sites and Services console to configure sites.
The two main roles of Sites:
o To facilitate authentication, by determining the nearest domain controller
when a user logs on from a workstation
o To facilitate the replication of data between sites
Replication ensures that changes to a domain controller are reflected in all
domain controllers within a domain. Directory information is replicated to domain
controllers both within and among sites.
Multimaster replication is a replication model in which any domain controller
accepts and replicates directory changes to any other domain controller. Because
multiple domain controllers are employed, replication continues, even if any single
domain controller stops working.
 Active Directory replicates information in two ways: Intrasite (within a site) and
Inter-site (between sites).
                       Intrasite Replication                Intersite Replication
Compression            To save CPU time, replication        To save WAN bandwidth, replication
                       data is not compressed.              data greater than 50 kilobytes (KB)
                                                            is compressed.
Replication model      To reduce replication latency,       To save WAN bandwidth, replication
                       replication partners notify each     partners do not notify each other
                       other when changes need to be        when changes need to be replicated.
                       replicated.
Replication frequency  Replication partners poll each       Replication partners poll each other
                       other periodically.                  at specified intervals, only during
                                                            scheduled periods.
Transport protocols    Remote procedure call (RPC).         IP or Simple Mail Transport Protocol
                                                            (SMTP).
What Information Is Replicated?
The information stored in the directory (in the Ntds.dit file) is logically partitioned
into four categories. A directory partition is also referred to as a naming
context. The directory contains the following partitions:
■ Schema partition: This partition defines the objects that can be created in the
directory and the attributes those objects can have. This data is common to all
domains in a forest and is replicated to all domain controllers in a forest.
■ Configuration partition: This partition describes the logical structure of the
deployment, including data such as domain structure or replication topology. This
data is common to all domains in a forest and is replicated to all domain
controllers in a forest.
■ Domain partition: This partition describes all of the objects in a domain. This
data is domain-specific and is not replicated to any other domains. However, the
data is replicated to every domain controller in that domain.
■ Application Directory partition: This partition stores dynamic application-
specific data in Active Directory without significantly affecting network
performance by enabling you to control the scope of replication and the placement
of replicas. The application directory partition can contain any type of object
except security principals (users, groups, and computers).
Replication Triggers:
The following actions trigger replication between domain controllers:
• Creating, modifying, moving, or deleting an object
A domain controller stores and replicates:
• The schema partition data for a forest.
• The configuration partition data for all domains in a forest.
• The domain partition data (all directory objects and properties) for its domain.
A global catalog stores and replicates:
• The schema partition data for a forest
• The configuration partition data for all domains in a forest
• A partial replica containing commonly used attributes for all directory
objects in the forest
• A full replica containing all attributes for all directory objects in the
domain in which the GC is located.
Initiating Replication: there are several different methods to force replication.
1. Using the Active Directory Sites and Services MMC snap-in (Dssite.msc)
2. Using Repadmin
3. Using Replmon
4. Using a script
A site link is a logical, transitive connection between two or more sites that
mirrors the network links and allows replication to occur. By default, all site links
are transitive.
A site link bridge connects two or more site links in a transport where transitivity
has been disabled in order to create a transitive and logical link between two sites
that do not have an explicit site link.
Site Link Transitivity: By default, all site links are transitive, which simply
means that if sites A and B are linked and sites B and C are linked, then site A and
site C are transitively linked. Site link transitivity is enabled or disabled by
selecting the Bridge All Site Links check box in the Properties dialog box for either
the IP or the SMTP intersite transport. By default, site link transitivity is enabled for
each transport.
The following are some reasons why you might want to disable site link
transitivity:
o To have total control over replication traffic patterns
o To avoid a particular replication path, such as a path that involves a firewall
o If your IP network is not fully routed
A bridgehead server is a single domain controller in a site, the contact point,
used for replication between sites, and is designated automatically by the KCC.
Pull replication is more efficient for intersite replication because the destination
domain controller knows which replication data to request. In contrast, notification
and push replication are more efficient for intrasite replication, when domain
controllers are well connected and not restrained by site link schedules.
To configure a site:
1. Create a site
2. Create a subnet and associate it with site
3. Create or move a domain controller object into the site
4. Designate a site license server for the site
To create a site:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. Right-click the Sites container, and then click New Site.
3. In the New Object–Site dialog box, type the name of the new site in the
Name box. Assign a site link to the site by selecting a site link in the Link Name
column, and then click OK.
4. In the Active Directory message box, note that to finish the configuration of a
site, you must
o Ensure that the site is linked to other sites with site links as appropriate.
o Add subnets for the site to the Subnets container.
o Install one or more domain controllers in the site or move existing domain
controllers into the site.
o Select the licensing computer for the site.
5. Click OK.
Creating Subnets: Computers on TCP/IP networks are assigned to sites based on
their location in a subnet or a set of subnets. Subnet information is used to find a
domain controller in the same site as the computer that is authenticated during
the logon process, and is used during Active Directory replication to determine the
best routes between domain controllers. Each site must have at least one subnet,
but a subnet can be assigned to only one site.
To create a subnet:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. Double-click the Sites folder.
3. Right-click the Subnets folder, and then click New Subnet.
4. In the New Object–Subnet dialog box, type the subnet address in the Address
box. In the Mask box, type the subnet mask that describes the range of
addresses included in this site’s subnet. Choose a site to associate this subnet.
5. Click OK.
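The subnet-to-site matching described above, as an added example that is not part of the original notes or of Microsoft's own code: a small Python model of how a client's address is matched against the subnets in the Subnets container (the most specific subnet wins) and of the rule that a subnet belongs to only one site. The site names and prefixes are constructed sample values.

```python
"""Locate a client's Active Directory site from its IP address.

Added example; it is not code from the original notes or from Microsoft. It models
the subnet-to-site lookup: the most specific subnet containing the address wins,
and a subnet may belong to only one site. Site names and prefixes are constructed.
"""
import ipaddress

# Constructed sample data: (subnet prefix, site name), as they would be entered
# in the Subnets container of Active Directory Sites and Services.
SITE_SUBNETS = [
    ("10.1.0.0/16", "Hyderabad"),
    ("10.1.5.0/24", "Hyderabad-Branch"),   # more specific than 10.1.0.0/16
    ("10.2.0.0/16", "Bangalore"),
    ("192.168.100.0/24", "DR-Site"),
]


def build_subnet_table(site_subnets):
    """Parse the prefixes, reject a subnet assigned to two sites, sort most specific first."""
    table, seen = [], set()
    for prefix, site in site_subnets:
        net = ipaddress.ip_network(prefix, strict=True)
        if net in seen:
            raise ValueError(f"subnet {net} is assigned to more than one site")
        seen.add(net)
        table.append((net, site))
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def locate_site(ip, table):
    """Return the site of the most specific subnet containing ip, or None if none matches."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def clients_outside_any_site(ips, table):
    """Addresses no subnet covers: such clients cannot be steered to a local domain controller."""
    return [ip for ip in ips if locate_site(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for ip in ("10.1.5.20", "10.1.9.7", "10.2.0.1", "172.16.0.5"):
        print(ip, "->", locate_site(ip, table))
```

Clients reported by clients_outside_any_site are the ones that will authenticate against whatever domain controller answers first, often across the WAN, so an unexpected entry in that list usually means a subnet is missing from the Subnets container.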
For optimum network response time and application availability, place at
least
o One domain controller in each site. A domain controller in each site
provides users with a local computer that can service query requests for
their domain over LAN connections.
o Two domain controllers in each domain. By placing at least two domain
controllers in each domain, you provide redundancy and reduce the load on
the existing domain controller in the domain.
Reasons for placing additional domain controllers in a site are the
following:
o There are a large number of users in the site, and the link to the site is
slow or near capacity. If a site has slow logon times and slow authentication
when attempting to access user resources, capacity might be insufficient. By
monitoring domain controller usage, you can determine whether there is
enough processing power and bandwidth to service requests. If performance
is lagging, you should consider adding another domain controller to the site.
o The link to the site is historically unreliable or only intermittently
available. If a single domain controller in a site fails, clients can connect to
other domain controllers in other sites in the domain by crossing site links.
However, if site links are unreliable, users on that site may not be able to
log on to their computers. In this case, you should consider adding another
domain controller to the site.
In some situations, it might not be efficient to place a domain controller
in a site. These situations include:
o Sites with small numbers of users. For sites with a small number of users,
using available bandwidth to log on and query the directory might be more
economical than adding a domain controller.
o Small sites that have client computers but no servers. For sites with no
servers, a domain controller is not necessary. Users can still log on using
cached credentials if the site link fails. Because there are no server-based
resources at the site, there is no need for further authentication.
To create a domain controller object in a site:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. In the Active Directory Sites and Services console tree, double-click the site
that you want to contain the new domain controller object.
3. Right-click the Servers folder, point to New, and then click Server.
4. In the New Object–Server dialog box, type the name for the new domain
controller object in the Name box.
5. Click OK.
To move a domain controller object into a site:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. In the Active Directory Sites and Services console tree, right-click the domain
controller object that you want to move to a different site, and then click Move.
3. In the Move Server dialog box, click the site to which you want to move the
domain controller object, and then click OK.
 The License Logging service on each server in a site collects and replicates
this licensing information to a centralized database on a server for the site
called the site license server.
To view the site license server for a site:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. In the console tree, click the site.
3. In the details pane, click Licensing Site Settings.
4. On the Action menu, click Properties.
5. In the Licensing Site Settings Properties dialog box, the current site license
server is listed in the Computer and Domain boxes.
To change a license server for a site:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. Click the site for which you want to assign a licensing computer.
3. In the details pane, right-click Licensing Site Settings, and then click
Properties.
4. In the Licensing Site Settings Properties dialog box, click Change in the
Licensing Computer box.
5. In the Select Computer dialog box, select the computer you want to
designate as the licensing computer for this site, and then click OK.
6. In the Licensing Site Settings Properties dialog box, click OK.
Creating Site Links
When you install Active Directory on the first domain controller in a site, the Active
Directory Installation Wizard automatically creates an object named
DEFAULTIPSITELINK in the IP container for the first default site. You can rename
the DEFAULTIPSITELINK to the name you want to use for the site link.
To create a site link:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP
folder, depending on which protocol you want the site to use. Select New Site
Link.
3. In the New Object–Site Link dialog box, type the name to be given to the site
link in the Name field. Use a name that includes the sites that you are linking.
4. In the Sites Not In This Site Link box, click two or more sites to connect, and
then click Add. Click OK.
Designating a Preferred Bridgehead Server
Bridgehead servers are the contact point for exchange of directory information
between sites. Replication occurs between bridgehead servers in different sites.
When two sites are connected by a site link, the KCC automatically selects
bridgehead servers, one in each site, for each domain that has domain controllers
in the site. The KCC then creates inbound-only connection objects between
bridgehead servers. You can designate bridgehead servers manually if you want
the same servers to be always used as bridgehead servers.
The Implications of Using a Preferred Bridgehead Server
If the active preferred bridgehead server fails, Active Directory selects another
preferred bridgehead server to be the active preferred bridgehead server from the
set you designate. If no other preferred bridgehead servers are specified or no
other preferred bridgehead servers are available, replication does not occur to
that site even if there are servers that can act as bridgehead servers.
In addition, if you specify preferred bridgehead servers, you must assign one
bridgehead server for each domain and writable directory partition combination in
your forest, which might result in high costs in a large organization.
Replacement of a Failed Preferred Bridgehead Server
If a preferred bridgehead server fails and you want the KCC to be able to fail over
to other domain controllers but there are no other preferred bridgehead servers
available, you must perform one of the following tasks at a domain controller in
each site:
o Add new domain controllers and designate them as preferred bridgehead
servers for the corresponding directory partitions, site, and transport. If
there is more than one domain represented in the site, you must add a
preferred bridgehead server for each domain.
o Remove all preferred bridgehead designations that you have made for the
corresponding directory partition, site, and transport, and allow the KCC to
select new bridgehead servers automatically.
Because the KCC creates only inbound connections, a bridgehead server cannot
create an outbound connection to another bridgehead server. This is the reason
why changes to preferred bridgehead server status must be made on a domain
controller in each affected site so that inbound connections are created in each
site.
To designate a preferred bridgehead server:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. In the Active Directory Sites And Services console tree, click the site that
contains the domain controller that you want to make a preferred bridgehead
server.
3. In the Active Directory Sites And Services console tree, right-click the domain
controller that you want to make a bridgehead server, and then click Properties.
4. In the Properties dialog box for the domain controller, in the Transports
Available For Inter-Site Data Transfer box, select the intersite transport or
transports for which this computer will be a preferred bridgehead server. Click
Add, and then click OK.
Creating Site Link Bridges
When more than two sites are linked for replication and use the same transport,
by default, all of the site links are “bridged” in terms of cost, assuming the site
links have common sites. If site link transitivity is enabled, which it is by default,
creating a site link bridge has no effect. It is seldom necessary to create site link
bridges. However, if site link transitivity has been disabled, you need to create a
site link bridge manually if a transitive link is required to handle your
organization’s replication strategy.
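To make the transitivity rules concrete, both for the Bridge All Site Links setting described under Site Link Transitivity and for the manual site link bridges described here, the following is an added Python example; it is not code from the original notes or from Microsoft. It treats each site link as a set of sites with a cost and computes the lowest-cost replication path between two sites when all links are bridged, when none are, and when only the links grouped in a named bridge are. Site names, link names and costs are constructed.

```python
"""Replication reachability and cost under site link transitivity rules.

Added example, not from the original notes or from Microsoft. Models one
transport (IP): with Bridge All Site Links enabled every site link is
transitive; with it disabled, only links grouped in the same site link bridge
are transitive, and any other link connects only its own member sites.
"""
import heapq

# Constructed topology: site link name -> (member sites, cost).
SITE_LINKS = {
    "HQ-Branch1": ({"HQ", "Branch1"}, 100),
    "HQ-Branch2": ({"HQ", "Branch2"}, 200),
    "Branch2-Remote": ({"Branch2", "Remote"}, 400),
}


def _transitive_groups(site_links, bridge_all, bridges):
    """Return the sets of site links that may be chained together."""
    if bridge_all:
        return [set(site_links)]                 # one bridge spanning the transport
    groups, bridged = [], set()
    for bridge in bridges:                       # manual site link bridges
        groups.append(set(bridge))
        bridged |= set(bridge)
    groups.extend({name} for name in site_links if name not in bridged)
    return groups


def replication_cost(src, dst, site_links, bridge_all=True, bridges=()):
    """Lowest total site link cost from src to dst, or None if no transitive path exists."""
    best = None
    for group in _transitive_groups(site_links, bridge_all, bridges):
        # Undirected graph of the sites joined by the links in this group.
        edges = {}
        for name in group:
            sites, cost = site_links[name]
            for a in sites:
                for b in sites:
                    if a != b:
                        edges.setdefault(a, []).append((b, cost))
        if src not in edges:
            continue
        # Dijkstra within the group; the KCC likewise prefers the cheapest path.
        dist, heap = {src: 0}, [(0, src)]
        while heap:
            d, site = heapq.heappop(heap)
            if d > dist[site]:
                continue
            for nxt, cost in edges.get(site, []):
                nd = d + cost
                if nd < dist.get(nxt, float("inf")):
                    dist[nxt] = nd
                    heapq.heappush(heap, (nd, nxt))
        if dst in dist and (best is None or dist[dst] < best):
            best = dist[dst]
    return best


if __name__ == "__main__":
    print(replication_cost("Branch1", "Remote", SITE_LINKS))                    # 700
    print(replication_cost("Branch1", "Remote", SITE_LINKS, bridge_all=False))  # None
    print(replication_cost("Branch1", "Remote", SITE_LINKS, bridge_all=False,
                           bridges=[{"HQ-Branch1", "HQ-Branch2", "Branch2-Remote"}]))  # 700
```

A None result with bridging disabled is exactly the case the notes warn about: two sites that share no site link and no site link bridge do not replicate, whatever the link costs say.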
To create a site link bridge:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder,
and then click New Site Link Bridge.
3. In the New Object–Site Link Bridge dialog box, type a name for the site link
bridge in the Name box.
4. In the Site Links Not In This Site Link Bridge box, click two or more sites to
connect, and then click Add. Click OK.
To disable site link transitivity:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites
And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder,
then click Properties.
3. On the General tab in the IP Properties or SMTP Properties dialog box, clear the
Bridge All Site Links check box. Click OK.
Windows Support Tools provide the following tools for monitoring and
troubleshooting replication:
o Replmon.exe: Active Directory Replication Monitor
o Repadmin.exe: Replication Diagnostics Tool
o Dsastat.exe
Replmon.exe: Active Directory Replication Monitor
The Active Directory Replication Monitor (Replmon) enables administrators to view
the low-level status of Active Directory replication, force synchronization between
domain controllers, view the topology in a graphical format, and monitor the
status and performance of domain controller replication.
To start Replmon:
1. Click Start, point to Command Prompt, type replmon, and then press Enter.
2. In the console tree, right-click Monitored Servers, and select Add Monitored
Server.
3. On the Add Monitored Server Wizard page, select Add the Server Explicitly by
Name, and then click Next.
4. On the Add Server To Monitor page, type the name of the server you want to
monitor in the Enter The Name Of The Server To Monitor Explicitly box, and then
click Finish.
5. In the Active Directory Replication Monitor window, the server you chose for
monitoring appears in the console tree. You can now monitor replication
processes for this server.
Repadmin.exe: Replication Diagnostics Tool: The Replication Diagnostics
Tool (Repadmin), a command-line tool, allows you to view the replication topology
as seen from the perspective of each domain controller.
Dsastat.exe
Dsastat.exe compares and detects differences between directory partitions on
domain controllers and can be used to ensure that domain controllers are up-to-
date with one another. The tool retrieves capacity statistics such as megabytes
per server, objects per server, and megabytes per object class, and compares the
attributes of replicated objects.
Some of the common problems you might encounter with Active
Directory replication include the following:
o New users are not recognized.
o Directory information is out-of-date.
o Service requests are not handled in a timely fashion.
o Domain controllers are unavailable.
-------------------------------------------------------------------------------------------------------------------
The components that are monitored in Windows are:
CPU Utilization: Monitor CPU usage; check whether CPUs are running at full
capacity or are being underutilized.
Memory Utilization: Avoid the problem of your Windows system running out of
memory. Get notified when the memory usage is high (or memory is dangerously
low).
Disk Utilization: Maintain a margin of available disk space. Get notified when
the disk space falls below the margin.
Process Monitoring: Monitor critical processes running in your system. Get
notified when a particular process fails.
Windows Service Monitoring: Monitor the critical Windows services running in
your Windows system. Monitoring is possible only in WMI mode of monitoring.
Windows Event Log Monitoring: Monitor the Windows events generated, if the
mode of monitoring is WMI.
Windows Performance Counters: Monitors the Windows performance counter
values through WMI.
 You monitor performance by using the directory service log, the file
replication service log, and System Monitor.
 The directory service log contains errors, warnings, and information
generated by Active Directory.
 The File Replication service (FRS) is a service that provides multimaster file
replication for designated directory trees between designated servers
running Windows Server 2003. The designated directory trees must reside
on disk partitions formatted with the version of the NTFS file system used in
the Windows Server 2003 family. FRS is used by Active Directory to
automatically synchronize content of the system volume information across
domain controllers. The file replication service log contains errors, warnings,
and information generated by FRS.
 System Monitor is a tool that supports detailed monitoring of the use of
operating system resources.
System Monitor enables you to
o Collect real-time performance data from a local computer or from a specific
computer on the network where you have permission
o View current or previously recorded performance data
o Present data in a printable graph, histogram, or report view
o Create reusable monitoring configurations that can be installed on other
computers using Microsoft Management Console (MMC)
o Incorporate System Monitor functionality into applications that support
ActiveX controls: for example, Web pages, Microsoft Word, or other
applications in the Microsoft Office suite
o Create HTML pages from performance views
Performance Objects and Performance Counters
To monitor performance, you select performance objects and their associated
performance counters. A performance object is a logical collection of performance
counters that is associated with a resource or service that can be monitored. A
performance counter is a data item associated with a performance object. For
each performance counter selected, System Monitor presents a value
corresponding to a particular aspect of the performance that is defined for the
performance object.
To monitor Active Directory, you monitor the activity of the NT Directory Services
(NTDS) performance object. The counters in the NTDS performance object reflect
the functions of Active Directory, including the
o Address book (AB)
o Asynchronous thread queue (ATQ)
o Directory Replication Agent (DRA)
o Directory service (DS)
o Key distribution center (KDC)
o Kerberos authentications | LDAP | NTLM authentications | Security Accounts
Manager (SAM)
There are over 120 performance counters provided for the NTDS performance
object.
Monitoring Active Directory Performance
To monitor Active Directory performance, you must first select the performance
counters to monitor. Then you can set sampling parameters and display options.
To select performance counters:
1. Click Start, point to Administrative Tools, and then click Performance.
2. Right-click the System Monitor details pane and click Add Counters.
Alternatively, click the plus sign (+) icon on the System Monitor menu bar.
3. In the Add Counters dialog box, select one of the following:
o To monitor the computer on which System Monitor is running, click Use Local
Computer Counters.
o To monitor a specific computer, regardless of where System Monitor is
running, click Select Counters From Computer and select the Uniform
Naming Convention (UNC) name (the name of the local computer is selected
by default) of the computer you want to monitor in the text box. Or, you can
type the Internet Protocol (IP) address of the computer you want to monitor.
4. In the Performance Object list, select NTDS.
5. To select the counters to monitor, choose one of the following:
o To monitor all counters for the NTDS performance object, click All Counters.
o To monitor only selected counters, click Select Counters From List, and
select the counters you want to monitor from the list. You can select
multiple counters by clicking on a counter and holding the Ctrl key.
6. Click Add.
7. When you are finished adding counters, click Close. The counters that you
selected appear in the lower part of the System Monitor screen; each counter is
represented by its own color. Choose either the graph, histogram, or report
display view by clicking the appropriate toolbar button.
Counter Logs: Counter logs record sampled data about hardware resources and
system services based on performance objects and counters in the same manner
as System Monitor.
Trace Logs: Trace logs collect event traces that measure performance statistics
associated with events such as disk and file I/O, page faults, and thread activity.
Managing Active Directory Performance from the Command Line:
In addition to using the Performance console, you can use the following command-
line utilities to monitor and manage Active Directory performance:
o Logman: The Logman command manages and schedules performance
counter and event trace log collections on local and remote systems.
o Perfmon: The Perfmon command allows you to open a Performance console
configured with the System Monitor ActiveX control and Performance Logs
And Alerts service.
o Relog: The Relog command extracts performance counters from
performance counter logs into other formats, such as text-TSV (tab-delimited
text), text-CSV (comma-delimited text), binary-BIN, or SQL.
o Tracerpt: The Tracerpt command processes event trace logs or real-time
data from instrumented event trace providers and allows you to generate
trace analysis reports and CSV files for the events generated.
o Typeperf: The Typeperf command writes performance counter data to the
command window or to a supported log file format.
o Lodctr: The Lodctr command registers new performance counter names
and Explain text for a service or device driver and saves and restores
counter settings and Explain text.
o Unlodctr: The Unlodctr command removes performance counter names and
Explain text for a service or device driver from the system registry.
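As an added example (not from the original notes or from Microsoft), the following Python reads a counter log in the text-CSV layout that Relog and Typeperf produce, timestamp column first and one column per counter path, and flags the samples that cross a threshold, which is the check behind a monitoring rule such as "notify when memory is dangerously low". The CSV text is constructed sample data; the three counter paths are real Windows counters, but the thresholds are arbitrary choices for the example.

```python
"""Scan a text-CSV counter log and report samples that cross a threshold.

Added example, not from the original notes or from Microsoft. The CSV below is
constructed in the layout Relog/Typeperf write (timestamp first, then one
column per counter path). Counter names are real Windows counters; the
threshold values are sample choices.
"""
import csv
import io

# Constructed sample log: three samples of three counters on a DC named DC01.
SAMPLE_CSV = '''"(PDH-CSV 4.0) (India Standard Time)(-330)","\\\\DC01\\Memory\\Available MBytes","\\\\DC01\\Processor(_Total)\\% Processor Time","\\\\DC01\\NTDS\\DRA Pending Replication Synchronizations"
"01/05/2010 10:00:00.000","512","23.5","0"
"01/05/2010 10:05:00.000","90","97.2","14"
"01/05/2010 10:10:00.000","480","31.0","2"
'''

# Rules keyed by counter path without the machine prefix:
# "lt" alerts when the value drops below the limit, "gt" when it rises above it.
RULES = {
    r"\Memory\Available MBytes": ("lt", 128.0),
    r"\Processor(_Total)\% Processor Time": ("gt", 90.0),
    r"\NTDS\DRA Pending Replication Synchronizations": ("gt", 10.0),
}


def strip_machine(counter_path):
    """Drop the leading \\\\MACHINE part of a counter path, keeping object and counter."""
    if counter_path.startswith("\\\\"):
        return counter_path[counter_path.index("\\", 2):]
    return counter_path


def parse_counter_log(text):
    """Yield (timestamp, counter_name, value) for every numeric cell in the log."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = [strip_machine(h) for h in header[1:]]
    for row in reader:
        if not row:
            continue
        for name, cell in zip(names, row[1:]):
            try:
                yield row[0], name, float(cell)
            except ValueError:
                continue   # a blank cell means the sample was not collected


def find_alerts(text, rules=RULES):
    """Return [(timestamp, counter, value)] for samples that violate a rule."""
    alerts = []
    for ts, name, value in parse_counter_log(text):
        rule = rules.get(name)
        if rule is None:
            continue
        op, limit = rule
        if (op == "lt" and value < limit) or (op == "gt" and value > limit):
            alerts.append((ts, name, value))
    return alerts


if __name__ == "__main__":
    for ts, name, value in find_alerts(SAMPLE_CSV):
        print(f"{ts}  {name} = {value}")
```

The machine prefix is stripped so that one rule table applies to logs collected from any domain controller; a real log exported with relog -f CSV can be passed to find_alerts in place of the constructed text.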
Dynamic Host Configuration Protocol
 Dynamic Host Configuration Protocol (DHCP) is used to assign an IP address to a
computer or device connected to a network automatically.
 Netsh - a command-line administration tool for DHCP servers.
 BOOTstrap Protocol (BOOTP) is a protocol that allows a diskless
workstation to discover certain network information; for example, its own IP
address.
DHCP terminology
scope: A scope is the full consecutive range of possible IP addresses for a
network.
superscope: A superscope is an administrative grouping of scopes that can be
used to support multiple logical IP subnets on the same physical subnet.
Multicast Scope: Multicast scopes are supported through the use of Multicast
Address Dynamic Client Allocation Protocol (MADCAP). The multicast address range
uses an additional address class, Class D, that includes IP addresses that range
from 224.0.0.0 to 239.255.255.255 for use in IP multicasting.
exclusion range: An exclusion range is a limited sequence of IP addresses within a
scope, excluded from DHCP service offerings.
address pool: After you define a DHCP scope and apply exclusion ranges, the
remaining addresses form the available address pool within the scope. Pooled
addresses are eligible for dynamic assignment by the server to DHCP clients on
your network.
lease: A lease is a length of time that a DHCP server specifies, during which a
client computer can use an assigned IP address.
reservation: A reservation creates a permanent address lease assignment by the
DHCP server. Reservations assure that a specified hardware device on the subnet
can always use the same IP address.
option types: Option types are other client configuration parameters a DHCP
server can assign when serving leases to DHCP clients.
options class: An options class is a way for the server to further manage option
types provided to clients. When an options class is added to the server, clients of
that class can be provided class-specific option types for their configuration. For
Microsoft® Windows® 2000 and Windows XP, client computers can also specify a
class ID when communicating with the server. Options classes can be of two types:
vendor classes and user classes.
User Class: User-defined classes are used for managing DHCP options assigned to
clients identified by a common need for a similar DHCP options configuration.
Vendor Class: Vendor-defined classes are used for managing DHCP options
assigned to clients identified by vendor type.
Backup and Restore: Maintaining a backup of the DHCP database protects you
from data loss if the DHCP database is lost.
• Synchronous backups that occur automatically. The default backup interval
is 60 minutes.
• Asynchronous (manual) backups, performed by using the Backup command
on the DHCP console.
DHCP Lease Stages
1. Lease Request - The client sends a broadcast requesting an IP address.
2. Lease Offer - The server sends the information and marks the offered
address as unavailable. The message sent is a DHCPOFFER broadcast
message.
3. Lease Acceptance - The first offer received by the client is accepted. The
acceptance is sent from the client as a broadcast (DHCPREQUEST
message) including the IP address of the DHCP server that sent the accepted
offer. Other DHCP servers retract their offers and mark the offered address
as available and the accepted address as unavailable.
4. Server lease acknowledgement - The server sends a DHCPACK, or a
DHCPNACK if an unavailable address was requested.
DHCP discover message - The initial broadcast sent by the client to obtain a
DHCP lease. It contains the client MAC address and computer name. This is a
broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as the
source address. The request is sent and then the client waits one second for an
offer. The request is repeated at 9, 13, and 16 second intervals with additional 0 to
1000 milliseconds of randomness. The attempt is repeated every 5 minutes
thereafter.
The client uses its own port 68 as the source port with port 67 as the destination
port on the server to send the request to the server. The server uses its own port
67 as the source port with port 68 as the destination port on the client to reply to
the client. Therefore the server is listening and sending on its own port 67 and the
client is listening and sending on its own port 68.
DHCP Lease Renewal - After 50% of the lease time has passed, the client will
attempt to renew the lease with the original DHCP server that it obtained the lease
from using a DHCPREQUEST message. At 87.5% of the lease completion, the
client will attempt to contact any DHCP server for a new lease. If the lease expires,
the client will send a request as in the initial boot when the client had no IP
address. If this fails, the client TCP/IP stack will cease functioning.
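The four-message lease exchange and the renewal points above, as an added Python example that is not part of the original notes or of the Windows DHCP server. It encodes and decodes the DHCP payload (the RFC 2131 fixed header, the magic cookie and the type-length-value options, including option 53 message type, 54 server identifier, 51 lease time and 50 requested address) and works out the 50% and 87.5% renewal points of the resulting lease. The UDP ports and the broadcast addresses belong to the transport layer and are not modelled, and no packets are sent. The MAC address, transaction id, server address, offered address and lease length are constructed sample values.

```python
"""Build and parse the discover/offer/request/ack messages of one DHCP lease
offline, and compute the renewal points of that lease.

Added example, not from the original notes or from Microsoft's DHCP server.
Follows the RFC 2131 layout: fixed header, magic cookie, TLV options. The
addresses, MAC, transaction id and lease length are constructed sample values.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op..file, 236 bytes
BROADCAST_FLAG = 0x8000                                # client has no address yet


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message; `options` is a list of (code, raw value bytes)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = HEADER.pack(op, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                        b"\x00" * 4, socket.inet_aton(yiaddr), b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(packet):
    """Decode a DHCP message into header fields plus {option code: raw bytes}."""
    fields = HEADER.unpack_from(packet)
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, HEADER.size + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:            # pad option, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "flags": fields[6],
            "yiaddr": socket.inet_ntoa(fields[8]),
            "mac": fields[11][:fields[2]].hex(":"), "options": opts}


def lease_exchange(mac, xid, server_ip, offered_ip, lease_seconds):
    """Return the DISCOVER, OFFER, REQUEST and ACK of one lease as raw bytes."""
    sid = socket.inet_aton(server_ip)
    lease = struct.pack("!I", lease_seconds)
    discover = build(BOOTREQUEST, xid, mac, DISCOVER)
    offer = build(BOOTREPLY, xid, mac, OFFER, offered_ip,
                  [(OPT_SERVER_ID, sid), (OPT_LEASE_TIME, lease)])
    # The client echoes the chosen server id so the other servers withdraw their offers.
    request = build(BOOTREQUEST, xid, mac, REQUEST,
                    options=[(OPT_REQUESTED_IP, socket.inet_aton(offered_ip)),
                             (OPT_SERVER_ID, sid)])
    ack = build(BOOTREPLY, xid, mac, ACK, offered_ip,
                [(OPT_SERVER_ID, sid), (OPT_LEASE_TIME, lease)])
    return discover, offer, request, ack


def renewal_schedule(lease_seconds):
    """Seconds after lease start at which the client renews (50%), rebinds (87.5%) and expires."""
    return {"renew_t1": lease_seconds * 0.5,
            "rebind_t2": lease_seconds * 0.875,
            "expire": float(lease_seconds)}


if __name__ == "__main__":
    msgs = lease_exchange("00:0c:29:4a:1b:2c", 0x3903F326, "10.1.0.10", "10.1.0.57", 8 * 24 * 3600)
    for m in msgs:
        p = parse(m)
        print(p["options"][OPT_MSG_TYPE][0], p["yiaddr"], p["mac"])
    print(renewal_schedule(8 * 24 * 3600))
```

The same transaction id appears in all four messages; that, together with the server identifier option in the request, is how a client ties an acknowledgement to the offer it accepted.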

Using the 80/20 rule for scopes

For balancing DHCP server usage, a good practice is to use the "80/20" rule to
divide the scope addresses between the two DHCP servers. If Server 1 is
configured to make available most (approximately 80%) of the addresses, then
Server 2 can be configured to make the other addresses (approximately 20%)
available to clients. The following illustration is an example of the 80/20 rule:

Using more than one DHCP server on the same subnet provides increased fault tolerance for servicing DHCP clients located on it. With two DHCP servers, if one server is unavailable, the other server can take its place and continue to lease new addresses or renew existing clients.

To start or stop a DHCP server using command:

• net start dhcpserver
• net stop dhcpserver

DHCP Relay Agents

May be placed in two places:
• Routers
• Subnets that don't have a DHCP server, to forward DHCP requests.

The DHCP Relay Agent in the Windows Server 2003 family must be configured
with the IP address of the DHCP server in order to relay DHCP requests between
Subnet A and Subnet B. For more information about setting up the DHCP Relay
Agent.

To configure the DHCP Relay Agent to work over remote access:

1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the object tree, expand Your_Server, expand IP Routing, right-click General, and then click New Routing Protocol.
3. In the Routing Protocols list, click DHCP Relay Agent, and then click OK.
4. Right-click DHCP Relay Agent, and then click Properties.
5. In the DHCP Relay Agent Properties dialog box, type the IP addresses of your DHCP servers in the Server Address box, click Add, and then click OK.
6. Right-click DHCP Relay Agent, and then click New Interface.
7. Click Internal.
Internal represents the virtual interface that is connected to all remote access clients.
Domain Name System
DNS is a hierarchical, distributed database of names and IP addresses that is
stored on servers all over the Internet. A DNS name consists of a single host name
plus a domain name that consists of two or more words, separated by periods.

A zone is an administrative entity you create on a DNS server to represent a discrete portion of the namespace.

A DNS server that contains no zones and is hosting no domains is called a caching-only server.

A forwarder is a DNS server that receives queries from other DNS servers that
are explicitly configured to send them.

Conditional forwarders: A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Understanding Zone Types: Every zone consists of a zone database, which contains the resource records for the domains in that zone. The three zone types are as follows:

■ Primary zone: The master copy of the zone database, where administrators make all changes to the zone’s resource records, is in the primary zone.

■ Secondary zone: A duplicate of a primary zone on another server, the secondary zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server’s local drive. You cannot modify the resource records in a secondary zone manually; you can only update them by replicating the primary master zone database file, using a process called a zone transfer. You should always create at least one secondary zone for each primary zone in your namespace, both to provide fault tolerance and to balance the DNS traffic load.

■ Stub zone: A copy of a primary zone that contains Start Of Authority (SOA) and
Name Server (NS) resource records, plus the Host (A) resource records that
identify the authoritative servers for the zone.

Stub zones are used to:

• Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
• Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.
• Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
You can use each of these zone types to create forward lookup zones or reverse
lookup zones. Forward lookup zones contain name-to-address mappings
and reverse lookup zones contain address-to-name mappings. If you want a
DNS server to perform name and address resolutions for a particular domain, you
must create both forward and reverse lookup zones containing that domain.

Active Directory-Integrated Zones: When you are running the DNS server
service on a computer that is an Active Directory domain controller and you select
the Store the Zone in Active Directory (Available Only If DNS Server is a
Domain Controller) check box while creating a zone in the New Zone Wizard, the
server does not create a zone database file.

In Active Directory-integrated zones, the zone database is replicated automatically, along with all other Active Directory data. Active Directory uses a multiple master replication system so that copies of the database are updated on all domain controllers in the domain. You don’t have to create secondary zones or manually configure zone transfers, because Active Directory performs the database replication automatically. Active Directory conserves network bandwidth by replicating only the DNS data that has changed since the last replication, and by compressing the data before transmitting it over the network. The zone replications also use the full security capabilities of Active Directory, which are considerably more robust than those of file-based zone transfers.

DNS record types:

Type    Name                  Function                          Category
SOA     Start of Authority    Defines a DNS zone of authority   Zone
NS      Name Server           Identifies servers for a zone     Zone
A       Address               Name to address translation       Basic
PTR     Pointer               Address to name translation       Basic
MX      Mail Exchanger        Controls EMail routing            Basic
CNAME   Canonical Name        Nicknames for a host              Basic
HINFO   Host info             Identifies hardware and OS        Optional
RP      Responsible Person    Technical contact for a host      Optional
WKS     Well Known Services   Services provided by a host       Optional
TXT     Text                  Comments                          Optional

The SOA Record: The SOA record marks the start of a zone. A DNS domain
maps into at least two zones: One for forward DNS - translating a hostname to an
IP address, and the other for reverse DNS - translating an IP address to a
hostname.

The NS Record: The NS (Name Server) record identifies the servers that are
authoritative for a given zone.

The A Record: The A (Address) records provide the mapping from hostname to IP addresses.

The PTR Record: The PTR (Pointer) record provides the reverse mapping from IP address to hostname. As with the A record, a host must have one for each network interface.

The MX Record: The MX (Mail Exchange) records are used by the mail systems
to route mail more efficiently. An MX record also provides a way to deliver mail to
an alternate host when the destination host is not available.

The CNAME Record: The CNAME (Canonical name) records are used to assign nicknames (or aliases) to a host. Nicknames are commonly used either to shorten a name or to associate a function with a host. A CNAME must refer to a real name, not another CNAME.

The HINFO Record: The HINFO (Host information) record specifies the manufacturer and the operating system type. Most sites do not use HINFO records for security reasons: if everyone knows what type of hardware you have and what type of OS is running, you are more vulnerable to break-ins.

The RP Record: The RP (Responsible Person) record is a new type of record that offers a way to assign an EMail address (with the @ sign replaced by a ".", e.g. ahj@aber.ac.uk would become ahj.aber.ac.uk) to a host.

The WKS Record: The WKS records are used to list well known services that a host supports. Again, for security reasons, most do not use it.

The TXT Record: The TXT record is used to add text to a host's DNS records.
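An added Python example (not code from the original notes) that parses a small constructed zone for example.test, applies the rule above that a CNAME must refer to a real name and never another CNAME, and generates the PTR records of the reverse zone from the A records, checking that each A record has its PTR. It assumes every record line is written as "owner IN type rdata"; the names and addresses are constructed.

```python
"""Zone record parser with two consistency checks from the notes above:
CNAME targets must be real names (not another CNAME) and every A record
should have a matching PTR. Added example, not from the original notes."""
from collections import defaultdict

ORIGIN = "example.test."          # constructed zone apex (not from the notes)

# Constructed forward zone; every line is "owner IN type rdata" (assumption).
FORWARD_ZONE = """
@     IN SOA   ns1.example.test. hostmaster.example.test. (2024010101 3600 900 604800 300)
@     IN NS    ns1.example.test.
@     IN NS    ns2.example.test.
ns1   IN A     192.0.2.10
ns2   IN A     192.0.2.11
mail  IN A     192.0.2.20
@     IN MX    10 mail.example.test.
web   IN A     192.0.2.30
www   IN CNAME web.example.test.     ; good: alias of a real host
ftp   IN CNAME www.example.test.     ; bad: CNAME pointing at a CNAME
@     IN TXT   "v=spf1 mx -all"
"""

def fqdn(owner, origin=ORIGIN):
    """Expand '@' and relative owner names to absolute names."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (owner_fqdn, type, rdata) tuples, dropping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # strip ';' comments
        if not line:
            continue
        owner, _class, rtype, *rdata = line.split()
        records.append((fqdn(owner, origin), rtype.upper(), " ".join(rdata)))
    return records

def check_cnames(records):
    """Problems with aliases: target has no records, target is itself a CNAME,
    or the alias owner also has other record types."""
    types_at = defaultdict(set)
    for name, rtype, _ in records:
        types_at[name].add(rtype)
    problems = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if not types_at.get(target):
            problems.append(f"{name}: CNAME target {target} has no records")
        elif "CNAME" in types_at[target]:
            problems.append(f"{name}: CNAME points at another CNAME ({target})")
        elif len(types_at[name]) > 1:
            problems.append(f"{name}: CNAME coexists with other record types")
    return problems

def reverse_name(addr):
    """192.0.2.30 -> 30.2.0.192.in-addr.arpa."""
    return ".".join(reversed(addr.split("."))) + ".in-addr.arpa."

def reverse_zone(records):
    """Generate the PTR record for every A record in the forward zone."""
    return [(reverse_name(addr), "PTR", name)
            for name, rtype, addr in records if rtype == "A"]

def missing_ptrs(forward_records, reverse_records):
    """A records whose address has no matching PTR (the notes say a host
    needs one per interface)."""
    have = {(owner, target) for owner, rtype, target in reverse_records if rtype == "PTR"}
    return [(name, addr) for name, rtype, addr in forward_records
            if rtype == "A" and (reverse_name(addr), name) not in have]

if __name__ == "__main__":
    recs = parse_zone(FORWARD_ZONE)
    print("\n".join(check_cnames(recs)) or "no CNAME problems")
    for ptr in reverse_zone(recs):
        print(*ptr)
```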

Command-line utilities:

Command    Description
Nslookup   Used to perform query testing of the DNS domain namespace.
Dnscmd     A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.
Ipconfig   This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients.

DNS Query Types: DNS servers recognize two types of name resolution
requests: recursive queries and iterative queries.

In a recursive query, the DNS server receiving the name resolution request takes
full responsibility for resolving the name. If the server possesses information about
the requested name, it replies immediately to the requestor. If the server has no
information about the name, it sends referrals to other DNS servers until it obtains
the information it needs. TCP/IP client computers send recursive queries to their
designated DNS servers.

In an iterative query, the servers that receive the name resolution request
immediately respond with the best information they possess at the time, whether
that information is a fully resolved name or a reference to another DNS server.
DNS servers use iterative queries when communicating with each other.

DNS query process:


When the DNS server receives a query, it first checks to see if it can answer the
query authoritatively based on resource record information contained in a locally
configured zone on the server. If the queried name matches a corresponding
resource record in local zone information, the server answers authoritatively, using
this information to resolve the queried name.

If no zone information exists for the queried name, the server then checks to see if
it can resolve the name using locally cached information from previous queries. If
a match is found here, the server answers with this information. Again, if the
preferred server can answer with a positive matched response from its cache to
the requesting client, the query is completed.

If the queried name does not find a matched answer at its preferred server —
either from its cache or zone information — the query process can continue, using
recursion to fully resolve the name. This involves assistance from other DNS
servers to help resolve the name. By default, the DNS Client service asks the
server to use a process of recursion to fully resolve names on behalf of the client
before returning an answer. In most cases, the DNS server is configured, by
default, to support the recursion process.

In order for the DNS server to do recursion properly, it first needs some helpful
contact information about other DNS servers in the DNS domain namespace. This
information is provided in the form of root hints, a list of preliminary resource
records that can be used by the DNS service to locate other DNS servers that are
authoritative for the root of the DNS domain namespace tree. Root servers are
authoritative for the domain root and top-level domains in the DNS domain
namespace tree.

Finally, the "example.microsoft.com." server is contacted. Because this server contains the queried name as part of its configured zones, it responds authoritatively back to the original server that initiated recursion. When the original server receives the response indicating that an authoritative answer was obtained to the requested query, it forwards this answer back to the requesting client and the recursive query process is completed.
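The query process above as an added simulation (constructed data; not the Windows DNS Server code): the client's preferred server answers from its local zone, then from its cache, and otherwise starts at the root hints and follows iterative referrals down to the example.microsoft.com. server, caching the answer it obtains. The server addresses and the host record are made up.

```python
"""Recursive resolution as described in the notes: local zone -> cache ->
recursion from the root hints via iterative referrals. Added example with
constructed servers; not the Windows DNS Server implementation."""

# Constructed authoritative servers. Each knows its zone's records and the
# child zones it delegates; everything else gets a negative answer.
AUTH = {
    "198.41.0.4":   {"zone": ".",                      "delegations": {"com.": "192.5.6.30"}},
    "192.5.6.30":   {"zone": "com.",                   "delegations": {"microsoft.com.": "198.51.100.1"}},
    "198.51.100.1": {"zone": "microsoft.com.",         "delegations": {"example.microsoft.com.": "203.0.113.53"}},
    "203.0.113.53": {"zone": "example.microsoft.com.", "records": {"host.example.microsoft.com.": "203.0.113.77"}},
}
ROOT_HINTS = ["198.41.0.4"]     # preliminary records pointing at a root server

def iterative_query(server_ip, name):
    """One iterative query: the server replies at once with the best it has:
    ('answer', ip), ('referral', next_server_ip) or ('nxdomain', None)."""
    srv = AUTH[server_ip]
    if name in srv.get("records", {}):
        return "answer", srv["records"][name]
    for zone, child_server in srv.get("delegations", {}).items():
        if name == zone or name.endswith("." + zone):
            return "referral", child_server
    return "nxdomain", None

class PreferredServer:
    """The client's DNS server: answers recursive queries on its behalf."""
    def __init__(self, local_zone, root_hints=ROOT_HINTS, max_hops=8):
        self.zone = dict(local_zone)      # name -> address for the zone it hosts
        self.cache = {}                   # answers learned from earlier recursion
        self.hints, self.max_hops = list(root_hints), max_hops

    def resolve(self, name):
        """Return (address or None, trace of where the answer came from)."""
        trace = []
        if name in self.zone:                         # authoritative answer
            trace.append("authoritative")
            return self.zone[name], trace
        if name in self.cache:                        # positive match from cache
            trace.append("cache")
            return self.cache[name], trace
        next_server = self.hints[0]                   # recursion starts at the root
        for _ in range(self.max_hops):                # bounded: referrals must make progress
            kind, data = iterative_query(next_server, name)
            trace.append(f"{next_server}:{kind}")
            if kind == "answer":
                self.cache[name] = data
                return data, trace
            if kind == "nxdomain":
                return None, trace
            next_server = data                        # follow the referral
        return None, trace + ["hop limit reached"]

if __name__ == "__main__":
    server = PreferredServer({"intranet.corp.test.": "10.1.1.5"})   # constructed local zone
    for q in ("intranet.corp.test.", "host.example.microsoft.com.", "host.example.microsoft.com."):
        print(q, "->", *server.resolve(q))
```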

Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

Dynamic updates can be sent for any of the following reasons or events:
• An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
• An IP address lease changes or renews with the DHCP server for any one of the installed network connections, for example when the computer is started or if the ipconfig /renew command is used.
• The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
• At startup time, when the computer is turned on.
• A member server is promoted to a domain controller.

When one of the previous events triggers a dynamic update, the DHCP Client
service (not the DNS Client service) sends updates. This is designed so that if a
change to the IP address information occurs because of DHCP, corresponding
updates in DNS are performed to synchronize name-to-address mappings for the
computer. The DHCP Client service performs this function for all network
connections used on the system, including connections not configured to use
DHCP.

How dynamic update works:

Dynamic updates are typically requested when either a DNS name or IP address
changes on the computer. For example, suppose a client named "oldhost" is first
configured in System properties with the following names:

Computer name                  oldhost
DNS domain name of computer    example.microsoft.com
Full computer name             oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the
computer. Later, the computer is renamed from "oldhost" to "newhost", resulting
in the following name changes on the system:

Computer name                  newhost
DNS domain name of computer    example.microsoft.com
Full computer name             newhost.example.microsoft.com

Once the name change is applied in System properties, you are prompted to
restart the computer. When the computer restarts Windows, the DHCP Client
service performs the following sequence to update DNS:

1. The DHCP Client service sends a start of authority (SOA) type query
using the DNS domain name of the computer.

The client computer uses the currently configured FQDN of the computer
(such as "newhost.example.microsoft.com") as the name specified in this
query.

2. The authoritative DNS server for the zone containing the client
FQDN responds to the SOA-type query.
For standard primary zones, the primary server (owner) returned in the SOA
query response is fixed and static. It always matches the exact DNS name as
it appears in the SOA RR stored with the zone. If, however, the zone being
updated is directory-integrated, any DNS server loading the zone can
respond and dynamically insert its own name as the primary server (owner)
of the zone in the SOA query response.

3. The DHCP Client service then attempts to contact the primary DNS
server.

The client processes the SOA query response for its name to determine the
IP address of the DNS server authorized as the primary server for accepting
its name. It then proceeds to perform the following sequence of steps as
needed to contact and dynamically update its primary server:

a. It sends a dynamic update request to the primary server determined in the SOA query response.

If the update succeeds, no further action is taken.

b. If this update fails, the client next sends an NS-type query for the zone
name specified in the SOA record.
c. When it receives a response to this query, it sends an SOA query to
the first DNS server listed in the response.
d. After the SOA query is resolved, the client sends a dynamic update to
the server specified in the returned SOA record.

If the update succeeds, no further action is taken.

e. If this update fails, then the client repeats the SOA query process by
sending to the next DNS server listed in the response.
4. Once the primary server is contacted that can perform the update,
the client sends the update request and the server processes it.

The contents of the update request include instructions to add A (and possibly PTR) RRs for "newhost.example.microsoft.com" and remove these same record types for "oldhost.example.microsoft.com", the name that was previously registered.

The server also checks to ensure that updates are permitted for the client
request. For standard primary zones, dynamic updates are not secured, so
any client attempt to update succeeds. For Active Directory–integrated
zones, updates are secured and performed using directory-based security
settings.
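Steps 1 to 4 above, including the fallback sequence a to e, as an added simulation (not the Windows DHCP Client code): constructed servers answer SOA and NS queries, and the client walks the sequence. The two scenarios contrast a standard primary zone, whose SOA owner is fixed to a server that is down, with a directory-integrated zone, where any reachable DC names itself as the primary. It assumes the client's configured DNS server is a resolver that answers the first SOA query from what it has cached; server names and addresses are made up.

```python
"""Dynamic-update client sequence from the notes (added simulation, not the
Windows DHCP Client code): SOA query to find the primary, update it, and on
failure fall back to an NS query and an SOA query via each listed server."""

class DnsServer:
    """Constructed server. `primary` is the owner name it returns in an SOA
    response; `reachable=False` models a server that is down."""
    def __init__(self, name, zone, primary, ns_list, reachable=True):
        self.name, self.zone, self.primary = name, zone, primary
        self.ns_list, self.reachable = list(ns_list), reachable

    def soa_query(self, fqdn):
        return self.zone, self.primary          # (zone holding fqdn, primary server)

    def ns_query(self, zone):
        return list(self.ns_list)               # name servers for the zone

    def update(self, fqdn, address):
        return self.reachable                   # accepted only if the server is up

def dynamic_update(configured, servers, fqdn, address):
    """Return (succeeded, steps). `configured` is the client's configured DNS
    server; `servers` maps server name -> DnsServer."""
    steps = []

    def try_update(target):
        srv = servers.get(target)
        ok = srv is not None and srv.update(fqdn, address)
        steps.append(f"update via {target}: {'ok' if ok else 'failed'}")
        return ok

    # Steps 1-2: SOA query for the client's own FQDN names the primary server.
    zone, primary = servers[configured].soa_query(fqdn)
    steps.append(f"SOA {fqdn} -> primary {primary}")
    # Step 3a: send the update to that primary; done if it succeeds.
    if try_update(primary):
        return True, steps
    # Steps 3b-3e: NS query for the zone, then SOA query + update via each NS.
    for ns in servers[configured].ns_query(zone):
        srv = servers.get(ns)
        if srv is None or not srv.reachable:
            steps.append(f"SOA via {ns}: no response")
            continue
        _, alt_primary = srv.soa_query(fqdn)
        steps.append(f"SOA via {ns} -> primary {alt_primary}")
        if try_update(alt_primary):
            return True, steps
    return False, steps

def standard_zone_scenario():
    """Standard primary zone: the SOA owner is fixed to ns1 (down), so even the
    secondary ns2 keeps pointing the client at ns1."""
    ns = ["ns1", "ns2"]
    return "resolver", {
        "resolver": DnsServer("resolver", "example.test.", "ns1", ns),   # cached SOA
        "ns1": DnsServer("ns1", "example.test.", "ns1", ns, reachable=False),
        "ns2": DnsServer("ns2", "example.test.", "ns1", ns),
    }

def ad_integrated_scenario():
    """Directory-integrated zone: any DC loading the zone inserts its own name
    as the SOA owner, so the update succeeds via dc2 although dc1 is down."""
    ns = ["dc1", "dc2"]
    return "resolver", {
        "resolver": DnsServer("resolver", "example.test.", "dc1", ns),   # cached SOA from dc1
        "dc1": DnsServer("dc1", "example.test.", "dc1", ns, reachable=False),
        "dc2": DnsServer("dc2", "example.test.", "dc2", ns),
    }

if __name__ == "__main__":
    for scenario in (standard_zone_scenario, ad_integrated_scenario):
        cfg, servers = scenario()
        ok, steps = dynamic_update(cfg, servers, "newhost.example.test.", "192.0.2.5")
        print(scenario.__name__, "->", "registered" if ok else "NOT registered")
        for step in steps:
            print("   ", step)
```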

Dynamic updates are sent or refreshed periodically. By default, computers send a refresh once every 7 days. If the update results in no changes to zone data, the zone remains at its current version and no changes are written. Updates result in actual zone changes or increased zone transfer only if names or addresses actually change.

Note that names are not removed from DNS zones if they become inactive or are not updated within the refresh interval (7 days). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied.

When the DHCP Client service registers A and PTR resource records for a computer, it uses a default caching Time to Live (TTL) of 15 minutes for host records. This determines how long other DNS servers and clients cache a computer's records when they are included in a query response.
RAID (Redundant Array of Independent Disks)
RAID is a method of combining multiple disk drives into a single entity in order to
improve the overall performance and reliability of your system. The different
options for combining the disks are referred to as RAID levels. There are several
different levels of RAID available depending on the needs of your system. One of
the options available to you is whether you should use a Hardware RAID solution
or a Software RAID solution.

RAID Hardware is always a disk controller to which you can cable up the disk
drives. RAID Software is a set of kernel modules coupled together.

RAID 0 – Striping (minimum 2 HDD required)
RAID 1 – Mirroring (minimum 2 HDD required)
RAID 5 – Striping with Parity (minimum 3 HDD required)
Only RAID levels 1 and 5 give redundancy.

RAID Level 0 requires a minimum of 2 drives to implement.

RAID Level 1 requires a minimum of 2 drives to implement. For highest performance, the controller must be able to perform two concurrent separate Reads per mirrored pair or two duplicate Writes per mirrored pair.

RAID Level 5 requires a minimum of 3 drives to implement. Each entire data block is written on a data disk; parity for blocks in the same rank is generated on Writes, recorded in a distributed location and checked on Reads.

RAID Level 0+1 requires a minimum of 4 drives to implement.

RAID Levels 0+1 (01) and 1+0 (10) (Required Minimum 4 hard disks)

Common Name(s): RAID 0+1, 01, 0/1, "mirrored stripes", RAID 1+0, 10, 1/0, "striped mirrors"

Technique(s) Used: Mirroring and striping without parity.

• Strengths: Highest performance, highest data protection (can tolerate multiple drive failures).
• Weaknesses: High redundancy cost overhead; Because all data is duplicated, twice the storage
capacity is required; Requires minimum of four drives.

DRIVE 1         DRIVE 2         DRIVE 3         DRIVE 4
Data A          Data A          mA              mA
Data B          Data B          mB              mB
Data C          Data C          mC              mC
Original Data   Original Data   Mirrored Data   Mirrored Data
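RAID 5 as described above, as an added Python example (not from the original notes): data blocks are striped across the drives, the parity block of each stripe is placed at a rotating position, parity is checked on every read, and a lost drive is rebuilt by XOR of the surviving drives. The block size, drive count and sample data are constructed.

```python
"""RAID 5 in miniature (added example, not from the notes): block striping
with the parity block rotating across drives, parity checked on every read,
and a failed drive rebuilt by XOR of the survivors."""

BLOCK = 4   # bytes per block; constructed for illustration (real stripes are KiB-sized)

def xor_blocks(blocks):
    """XOR equal-length blocks byte by byte."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def parity_position(stripe_index, n_disks):
    """Distributed parity: the parity block moves one drive left per stripe."""
    return (n_disks - 1 - stripe_index) % n_disks

def raid5_write(data, n_disks):
    """Return a list of drives (each a list of blocks). Each stripe holds
    n_disks - 1 data blocks plus one parity block = XOR of those data blocks."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires a minimum of 3 drives")
    stripe_bytes = BLOCK * (n_disks - 1)
    n_stripes = -(-len(data) // stripe_bytes)            # ceiling division
    data = data.ljust(n_stripes * stripe_bytes, b"\0")    # pad the last stripe
    drives = [[] for _ in range(n_disks)]
    for s in range(n_stripes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(n_disks - 1)]
        parity, p = xor_blocks(blocks), parity_position(s, n_disks)
        next_block = iter(blocks)
        for d in range(n_disks):
            drives[d].append(parity if d == p else next(next_block))
    return drives

def bad_stripes(drives):
    """Stripes whose parity does not check: XOR of all blocks must be zero."""
    return [s for s in range(len(drives[0]))
            if xor_blocks([d[s] for d in drives]) != bytes(BLOCK)]

def raid5_read(drives, n_bytes):
    """Reassemble the data, refusing to return it if any stripe fails its parity check."""
    bad = bad_stripes(drives)
    if bad:
        raise ValueError(f"parity mismatch in stripes {bad}")
    n_disks, out = len(drives), bytearray()
    for s in range(len(drives[0])):
        p = parity_position(s, n_disks)
        out += b"".join(drives[d][s] for d in range(n_disks) if d != p)
    return bytes(out[:n_bytes])

def raid5_rebuild(drives, failed):
    """Reconstruct drive `failed` from the others: each block (data or parity)
    is the XOR of the remaining blocks in its stripe."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return drives[:failed] + [rebuilt] + drives[failed + 1:]

if __name__ == "__main__":
    sample = b"RAID five keeps one parity block per stripe!"   # constructed input
    array = raid5_write(sample, 4)
    print("read back ok:", raid5_read(array, len(sample)) == sample)
    recovered = raid5_rebuild(array, 2)                        # pretend the third drive died
    print("rebuilt drive matches:", recovered[2] == array[2])
```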
INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY

ITIL: Information Technology Infrastructure Library is a framework of best practices to manage IT operations and services.
Incident Management: It is a process to manage disruptions in critical IT services and restore them ASAP.
An Incident is a disruption of normal service that affects the user and the business. The goal of IM is to restore IT services to their normal state ASAP, with a workaround or solution, to make sure that it does not affect the business.
Problem Management: It is to find the root cause of incidents and reduce the impact on the business. Problem management is a proactive approach that prevents the recurrence of incidents.
Change Management: The Change management process helps you coordinate changes with minimal disruption and accepted risk.
Release Management: The goal of Release management is to plan, educate users and implement changes smoothly.
CMDB (Configuration Management DataBase): The goal of the CMDB is to build and maintain an asset database of hardware, software, associated documents and their relationships.

CLUSTER
Clustering is a technology used to provide high availability for mission critical applications. A cluster is configured by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs, which is available in the Enterprise and Data Center Editions.
NLB (Network Load Balancing) Cluster balances load between servers. This cluster does not provide high availability.
Server Cluster provides high availability by configuring an active-active or active-passive cluster.
Quorum: Shared storage that must be provided to all servers in the cluster; it keeps information about the clustered application and session state, which is used in a FAILOVER situation. This is very important: if the quorum disk fails, the entire cluster fails.
Heartbeat is a private connection between the servers in the cluster, which is used to identify the status of the other servers in the cluster.

FIREWALL
A firewall is used to prevent unauthorized users from accessing private networks
that are connected to other networks.
Typically, a firewall prevents external users from accessing internal corporate
network from the Internet.
INTERNETWORKING
Internetworking: Take two or more LANs or WANS and connect them via a Router
and configure a logical address networking scheme with a protocol like IP.

Network Segmentation: Breaking up a larger network into a number of smaller ones.

Possible Causes of LAN traffic congestion:
• Too many hosts in a broadcast domain
• Broadcast storms
• Multicasting
• Low bandwidth

Routers: are used to connect networks together and route packets of data from
one network to another.
By default routers break up a broadcast domain and collision domain.
By default routers don’t forward broadcast.

Switches: The main purpose of a switch is to make a LAN work better, to optimize its performance and provide more bandwidth for LAN users.
Switches don’t forward packets to other networks.
Switches “switch” frames from one port to another within the switched network.
By default, switches break up broadcast domain and collision domain.
Each and every port on a switch represents its own collision domain.

HUB: It has only one broadcast and collision domain.

Bridge: It has only two or four ports (upto 16 ports)

OSI (Open System Interconnection): In 1970, the OSI reference model was
created by ISO (International Organization for Standardization).

OSI Model: It is the primary architectural model for networks. It describes how data and network information are communicated from an application on one computer, through the network media, to an application on another computer. The primary purpose of the OSI model is to allow different vendors’ networks to interoperate.

OSI Layers: The OSI has seven different layers, divided into two groups. The top
3 layers define how the application within the end stations will communicate with
each other and with users. The bottom 4 layers defined how data is transmitted
end to end.

Application Layer – File, print, message, database and application services
Presentation Layer – Data encryption, compression and translation services
Session Layer – Dialog control
Transport Layer – End to end connection – Segments
Network Layer – Routing – Packets
Datalink Layer – Framing – Frames
Physical Layer – Physical topology – Bits

Three types of Cables are
1. Straight through – Host to Switch & Router to Switch
2. Cross Over – Host to Host, Switch to Switch & Router to Host
3. Rolled – Router console serial communication

[Pin diagrams for the Straight Through Cable and the Cross Over Cable are not reproduced here; both diagrams use pins 1, 2, 3 and 6, and the wire colour order shown is WG, G, WO, B, WB, O, WB, B.]

Private IP Address Range:
Class A – 10.0.0.0 through 10.255.255.255
Class B – 172.16.0.0 through 172.31.255.255
Class C – 192.168.0.0 through 192.168.255.255

Subnetting: Take one larger network and break it into a bunch of smaller
networks.

Reasons for subnetting:
• Reduced network traffic
• Optimized network performance
• Simplified management

IP Routing: It is the process of moving packets from one network to another network using a Router.

Routing Protocol: It is used by routers to dynamically find all the networks in the
internetwork and to ensure that all routers have the same routing table.
Eg.: RIP, IGRP, EIGRP & OSPF

Routed Protocols: This can be used to send user data (packets) through the
established enterprise.
Eg.: IP & IPX

Types of Routing:
1. Static Routing
2. Default Routing
3. Dynamic Routing

Static Routing: Manually add routes in each router’s routing table.

Default Routing: Sends packets whose remote destination network is not in the routing table to the next-hop router.

Dynamic Routing: Protocols are used to find networks and update routing tables
on routers.

Administrative Distance: It is used to rate the trustworthiness of routing information received on a router from a neighbor router. AD ranges from 0 to 255: 0 is the most trusted; with 255 no traffic will be passed via this route.

Route Source          Default AD
Connected Interface   0
Static Route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
Unknown               255
Hop: Each time a packet goes through a router.

RIP & IGRP – Distance Vector Protocols
OSPF – Link State Protocol
EIGRP – Hybrid protocol

RIP (Routing Information Protocol): It sends the complete routing table out to all active interfaces every 30 seconds.
Hop count – 15 by default

IGRP (Interior Gateway Routing Protocol): Same as RIP but uses an Autonomous System Number. All routers must have the same number in order to share routing table information.
Hop count – 100 by default
Autonomous System Number – 1 to 65535

Access List: It can be used to permit or deny packets moving through the router. Access lists filter unwanted packets when implementing security policies.

Three types of modes:
1. User mode
2. Privileged mode
3. Global Configuration Mode

Router AUX port – to connect the modem
Router AUI port – Attachment Unit Interface for a 10Mbps Ethernet network connection

Running Configuration stored in DRAM
Startup Configuration stored in NVRAM
EXCHANGE SERVER 2003

Pre-requisites:
• .NET Framework
• ASP.NET
• WWW Service
• SMTP
• NNTP

ForestPrep updates the schema and configuration partition in Active Directory.
\setup.exe /forestprep

Domainprep updates the domain partition in Active Directory.
\setup.exe /domainprep

• Exchange Server 2003 is licensed in per seat mode only.
• Unattended installation answer file type is .ini

Front End Server – Incoming client connections
Back End Servers – Mailboxes and Public folders
Front end and back end servers are used mainly for load balancing and redundancy.

Recipient Object Types:
• User
• Contact
• Group
• Public folder

User Recipient:
• Mailbox enabled user – Mailbox in Exchange Server, user account in AD
• Mail enabled user – does not have a mailbox in Exchange Server; the official Email ID is assigned to a personal Email ID.

Contact Recipient: Similar to a mail enabled user; sends mail to a particular address outside the organization.

• Deleted mailbox retention period is 30 days by default.
• Deleted items retention period is 7 days by default.
• Backup data – transaction logs and database files.
