Microsoft Windows Servers 2003 kc.docx

7/24/2019 Microsoft Windows Servers 2003 kc.docx

Microsoft Windows Servers - Command Reference

Network File System Command Reference

1. mapadmin

The mapadmin command-line utility administers User Name Mapping on the local or remote computer running Microsoft Services for Network File System. If you are logged on with an account that does not have administrative credentials, you can specify a user name and password of an account that does.

Syntax:

mapadmin [<computer>] [-u <user> [-p <password>]]
mapadmin [<computer>] [-u <user> [-p <password>]] {start | stop}
mapadmin [<computer>] [-u <user> [-p <password>]] config <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] add -wu <WindowsUser> -uu <UNIXUser> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] add -wg <WindowsGroup> -ug <UNIXGroup> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wu <WindowsUser> [-uu <UNIXUser>]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wg <WindowsGroup> [-ug <UNIXGroup>]
mapadmin [<computer>] [-u <user> [-p <password>]] delete <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] list <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] backup <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] restore <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] adddomainmap -d <WindowsDomain> {-y <NISdomain> | -f <path>}
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -d <WindowsDomain> -y <NISdomain>
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -all
mapadmin [<computer>] [-u <user> [-p <password>]] listdomainmaps

2. Mount

The mount command-line utility mounts the file system identified by ShareName, exported by the NFS server identified by ComputerName, and associates it with the drive letter specified by DeviceName or, if an asterisk (*) is used, with the first available drive letter. Users can then access the exported file system as though it were a drive on the local computer. When used without options or arguments, mount displays information about all mounted NFS file systems.

The mount utility is available only if Client for NFS is installed.

The following options and arguments can be used with the mount utility.

Syntax:

mount [-o <Option>[...]] [-u:<UserName>] [-p:{<Password> | *}] {\\<ComputerName>\<ShareName> | <ComputerName>:/<ShareName>} {<DeviceName> | *}

Options: -o rsize=<buffersize>

Syntax:

nfsadmin server [ComputerName] [-u UserName [-p Password]] -l
nfsadmin server [ComputerName] [-u UserName [-p Password]] -r {client | all}
nfsadmin server [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin server [ComputerName] [-u UserName [-p Password]] config Option[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] creategroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] listgroups
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletegroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] renamegroup OldName NewName
nfsadmin server [ComputerName] [-u UserName [-p Password]] addmembers Name Host[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] listmembers
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletemembers Group Host[...]
nfsadmin client [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin client [ComputerName] [-u UserName [-p Password]] config Option[...]

In addition to service-specific command arguments and options, nfsadmin accepts the following:

ComputerName
Specifies the remote computer you want to administer. You can specify the computer using a Windows Internet Name Service (WINS) name, a Domain Name System (DNS) name, or an Internet Protocol (IP) address.

-u UserName
Specifies the user name of the user whose credentials are to be used. It might be necessary to add the domain name to the user name in the form domain\UserName.

-p Password
Specifies the password of the user specified using the -u option. If you specify the -u option but omit the -p option, you are prompted for the user's password.

4. Nfsshare

Without arguments, the nfsshare command-line utility lists all Network File System (NFS) shares exported by Server for NFS. With ShareName as the only argument, nfsshare lists the properties of the NFS share identified by ShareName. When ShareName and Drive:Path are provided, nfsshare exports the folder identified by Drive:Path as ShareName. When the /delete option is used, the specified folder is no longer made available to NFS clients.

Syntax:

nfsshare <ShareName>=<Drive:Path> [-o <Option=value>...]
nfsshare {<ShareName> | <Drive>:<Path> | *} /delete

5. Nfsstat

When used without the -z option, the nfsstat command-line utility displays the number of NFS V

6. Showmount

The showmount command-line utility displays information about mounted file systems exported by Server for NFS on the computer specified by Server. If Server is not provided, showmount displays information about the computer on which the showmount command is run.

Syntax:

showmount {-e | -a | -d} [Server]

-e Displays all file systems exported on the server.
-a Displays all Network File System (NFS) clients and the directories on the server each has mounted.
-d Displays all directories on the server that are currently mounted by NFS clients.

7. Umount

The umount command-line utility disconnects the specified NFS-mounted drive. You must supply at least one of the following options or arguments.

Syntax:

umount [-f] [{-a | DriveLetter:[...] | NetworkMount[...]}]

-f Forces deletion of Network File System (NFS) network drives.
-a Deletes all NFS network drives. If there are active connections, umount prompts you for confirmation unless you also use the -f option.
DriveLetter - The letter of the logical drive to be disconnected.
NetworkMount - The network mount point to be disconnected. This mount must have been created using the net use Windows command-line utility without specifying a drive letter.

Ref: http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx

Windows Server Backup Command Reference

1. Wbadmin enable backup

To configure or modify a daily backup schedule, you must be a member of either the Administrators or Backup Operators group. In addition, you must run wbadmin from an elevated command prompt.

Syntax for Windows Server 2008:

wbadmin enable backup
[-addtarget:<BackupTargetDisk>]
[-removetarget:<BackupTargetDisk>]
[-schedule:<TimeToRunBackup>]
[-include:<VolumesToInclude>]
[-allCritical]
[-quiet]

Syntax for Windows Server 2008 R2:

wbadmin disable backup
[-quiet]

Ref: http://technet.microsoft.com/en-us/library/cc770340(v=ws.10).aspx

3. Wbadmin start backup

Creates a backup using specified parameters. If no parameters are specified and you have created a scheduled daily backup, this subcommand creates the backup by using the settings for the scheduled backup. If parameters are specified, it creates a Volume Shadow Copy Service (VSS) copy backup and will not update the history of the files that are being backed up.

To create a one-time backup with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.

Syntax for Windows Server 2008:

wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<VolumesToInclude>]
[-allCritical]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noinheritAcl]
[-vssFull]
[-quiet]

Syntax for Windows Server 2008 R2:

wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<ItemsToInclude>]
[-nonRecurseInclude:<ItemsToInclude>]
[-exclude:<ItemsToExclude>]
[-nonRecurseExclude:<ItemsToExclude>]
[-allCritical]
[-systemState]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noInheritAcl]
[-vssFull | -vssCopy]
[-quiet]

Example:

Perform a one-time backup of f:\folder1 and h:\folder2 to volume d:, back up the system state, and make a copy backup so that the normally scheduled differential backup is not impacted:

wbadmin start backup -backupTarget:d: -include:f:\folder1,h:\folder2 -systemState -vssCopy

4. Wbadmin stop job

Cancels the backup or recovery operation that is currently running. Canceled operations cannot be restarted; you must rerun a canceled backup or recovery operation from the beginning.

To stop a backup or recovery operation with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate authority. In addition, you must run wbadmin from an elevated command prompt.

Syntax:

wbadmin stop job
[-quiet]

-quiet: Runs the subcommand with no prompts to the user.

5. Wbadmin get versions

Lists details about the available backups that are stored on the local computer or another computer. When this subcommand is used without parameters, it lists all backups of the local computer, even if those backups are not available. The details provided for a backup include the backup time, the backup storage location, the version identifier (needed for the wbadmin get items subcommand and to perform recoveries), and the type of recoveries you can perform.

To get details about available backups using this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.

Syntax:

wbadmin get versions
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]

Example: To see a list of available backups that are stored on volume h, type:

wbadmin get versions -backupTarget:h:

6. Wbadmin get items

To use this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.

Syntax:

wbadmin get items
-version:<VersionIdentifier>
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]

Example:

To list items from the backup that was run on March 31

-items:{<VolumesToRecover> | <AppsToRecover> | <FilesOrFoldersToRecover>}
-itemtype:{Volume | App | File}
[-backupTarget:{<VolumeHostingBackup> | <NetworkShareHostingBackup>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:{<TargetVolumeForRecovery> | <TargetPathForRecovery>}]
[-recursive]
[-overwrite:{Overwrite | CreateCopy | Skip}]
[-notRestoreAcl]
[-skipBadClusterCheck]
[-noRollForward]
[-quiet]

-quiet: Runs the subcommand with no prompts to the user.

Example: To run a recovery of the backup from March 31

10. Wbadmin start systemstaterecovery

Performs a system state recovery to a location and from a backup that you specify.

To perform a system state recovery with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.

Syntax:

wbadmin start systemstaterecovery
-version:<VersionIdentifier>
-showsummary
[-backupTarget:{<BackupDestinationVolume> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:<TargetPathForRecovery>]
[-authsysvol]
[-quiet]

Example: To perform a system state recovery of the backup from 03/31/

Example: To create a system state backup and store it on volume f, type:

wbadmin start systemstatebackup -backupTarget:f:

Active Directory Domain Services Command Reference

1. Adprep

Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server operating system.

Adprep.exe is a command-line tool that is available on the Windows Server installation disc in the \sources\adprep folder, and it is available on the Windows Server

Potential Problems

Domain controllers:
Low CPU or memory resources on domain controllers. Low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files. Slow or broken connections between domain controllers. Slow or failed client network logon authentication requests. Slow or failed LDAP query responses. Slow or failed Key Distribution Center (KDC) requests. Slow or failed AD synchronization requests. NetLogon (LSASS) service not functioning properly. Directory Service Agent (DSA) service not functioning properly. KCC not functioning properly. Excessive number of SMB connections. Insufficient RID allocation pool size on local server. Problems with transitive or external trusts to Win

Low-level network connectivity problems. TCP/IP routing problems. DHCP IP address allocation pool shortages. WINS server query or replication failures (for legacy NetBIOS systems and applications). Naming context lost & found items exist. Application or service failures or performance problems.

Monitoring and Troubleshooting the DHCP Server

You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor DHCP activity. Event Viewer stores events that are logged in the system log, application log, and security log. The system log contains events that are associated with the operating system. The application log stores events that pertain to applications running on the computer. Events that are associated with auditing activities are logged in the security log. All events that are DHCP-specific are logged in the System log. The DHCP system event log contains events that are associated with activities of the DHCP service and DHCP server, such as when the DHCP server started and stopped, when DHCP leases are close to being depleted, and when the DHCP database is corrupt.

A few DHCP system event log IDs are listed below:

Event ID 1036 (Information): Indicates that the DHCP server has begun to clean up the DHCP database.

Event ID 1037 (Information): Indicates that the DHCP server cleaned up the DHCP database for unicast addresses:
o 0 IP address leases were recovered.
o 0 records were deleted.

Event ID 1039 (Information): Indicates that the DHCP server cleaned up the DHCP database for multicast addresses:
o 0 IP address leases were recovered.
o 0 records were deleted.

Event ID 1044 (Information): Indicates that the DHCP server has concluded that it is authorized to start, and is currently servicing DHCP client requests for IP addresses.

Event ID 1042 (Warning): Indicates that the DHCP service running on the server has detected the following servers on the network.

Event ID 1056 (Warning): Indicates that the DHCP service has determined that it is running on a domain controller, and no credentials are configured for DDNS registrations.

Event ID 1046 (Error): Indicates that the DHCP service running on the server has determined that it is not authorized to start to service DHCP clients.

Using System Monitor to Monitor DHCP Activity

The System Monitor utility is the main tool for monitoring system performance. System Monitor can track various processes on the Windows system in real time. The utility uses a graphical display that you can use to view current data or log data. You can specify specific elements or components that should be tracked on the local computer and remote computers. You can determine resource usage by monitoring trends. System Monitor can be displayed in a graph, histogram, or report format. System Monitor uses objects, counters, and instances to monitor the system.

System Monitor is a valuable tool when you need to monitor and troubleshoot DHCP traffic being passed between the DHCP server and DHCP clients. Through System Monitor, you can set counters to monitor:

The DHCP lease process.
The DHCP queue length.
Duplicate IP address discards.
DHCP server-side conflict attempts.

To start System Monitor:

1. Click Start, Administrative Tools, and then click Performance.

Declines/sec indicates the rate at which the DHCP server receives DHCPDECLINE messages.
Discovers/sec indicates the rate at which the DHCP server receives DHCPDISCOVER messages.
Duplicates Dropped/sec indicates the rate at which duplicated packets are being received by the DHCP server.
Informs/sec indicates the rate at which the DHCP server receives DHCPINFORM messages.
Milliseconds per packet (Avg.) indicates the average time which the DHCP server takes to send a response.
Nacks/sec indicates the rate at which DHCPNACK messages are sent by the DHCP server.
Packets Expired/sec indicates the rate at which packets are expired while waiting in the DHCP server queue.
Packets Received/sec indicates the rate at which the DHCP server is receiving packets.
Releases/sec indicates the rate at which DHCPRELEASE messages are received by the DHCP server.
Requests/sec indicates the rate at which DHCPREQUEST messages are received by the DHCP server.

Using Network Monitor to Monitor DHCP Lease Traffic

You can use Network Monitor to monitor network traffic and to troubleshoot network issues or problems. Network Monitor shipped with Windows Server

The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version, you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.

Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP lease traffic. You can use the Network Monitor version included in Windows Server

3. If you want to examine captured data during the capture, select Stop And View from the Capture menu.

Understanding DHCP Server log files

DHCP server log files are comma-delimited text files. Each log entry represents one line of text. Through DHCP logging, you can log many different events. A few of these events are listed below:

DHCP server events
DHCP client events
DHCP leasing
DHCP rogue server detection events
Active Directory authorization

The DHCP server log file format is depicted below. Each log file entry has the fields listed below, and in this particular order as well:

ID: This is the DHCP server event ID code. Event codes are used to describe information on the activity which is being logged.
Date: The date when the particular log file entry was logged on your DHCP server.
Time: The time when the particular log file entry was logged on your DHCP server.
Description: This is a description of the particular DHCP server event.
IP Address: This is the IP address of the DHCP client.
Host Name: This is the host name of the DHCP client.
MAC Address: This is the MAC address used by the DHCP client's network adapter.

DHCP server log files use reserved event ID codes. These event ID codes describe information on the activities being logged. The actual log file only describes event ID codes which are lower than 50.

A few common DHCP server log event ID codes are listed below:

00 indicates the log was started.
01 indicates the log was stopped.

02 indicates the log was temporarily paused due to low disk space.
10 indicates a new IP address was leased to a client.
11 indicates a lease was renewed by a client.
12 indicates a lease was released by a client.
13 indicates an IP address was detected to be in use on the network.
14 indicates a lease request could not be satisfied due to the scope's address pool being exhausted.
15 indicates a lease was denied.
16 indicates a lease was deleted.
17 indicates a lease was expired.

51 Authorization succeeded: The DHCP server was authorized to start on the network.
52 Upgraded to a Windows Server
Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
59 Network failure: A network-related failure prevented the server from determining if it is authorized.
60 No DC is DS enabled: No Active Directory DC was located. For detecting whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
61 Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
62 Another server found: Another DHCP server was found on the network.
63 Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
64 No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.
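The field order and event codes documented above are enough to turn a DHCP server log into records and to pull out the entries a defender cares about: address conflicts (13), pool exhaustion (14), denied leases (15), and the rogue-detection and authorization codes (59 to 64). The following parser is an added example, not part of the original document; the sample log lines are constructed in the documented field order, and the choice of which codes count as alerts is this example's own.

```python
import csv

# Event ID codes as described in the DHCP server log section of this document.
EVENT_CODES = {
    0: "The log was started.",
    1: "The log was stopped.",
    2: "The log was temporarily paused due to low disk space.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was detected to be in use on the network.",
    14: "A lease request could not be satisfied; the scope's address pool is exhausted.",
    15: "A lease was denied.",
    16: "A lease was deleted.",
    17: "A lease was expired.",
    51: "Authorization succeeded.",
    59: "Network failure while determining authorization.",
    60: "No DC is DS enabled.",
    61: "Server found that belongs to DS domain.",
    62: "Another server found.",
    63: "Restarting rogue detection.",
    64: "No DHCP enabled interfaces.",
}

# Codes this example treats as alert-worthy (an assumption of this example):
# conflicts, exhaustion, denials, and anything touching rogue detection/authorization.
ALERT_CODES = frozenset({13, 14, 15, 59, 60, 61, 62, 64})

# Field order documented for each log entry.
FIELDS = ("ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address")

# Constructed sample log (not a real capture). The first line mimics the column
# header that precedes the entries in a real log file.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/31/19,08:00:01,Started,,,
10,03/31/19,08:05:12,Assign,192.0.2.25,ws01.example.test,0050F2A1B2C3
11,03/31/19,08:05:40,Renew,192.0.2.26,ws02.example.test,0050F2A1B2C4
13,03/31/19,08:06:40,Conflict,192.0.2.25,,0050F2A1B2C3
14,03/31/19,08:10:03,Scope Full,192.0.2.0,,
62,03/31/19,08:15:00,Another server found,198.51.100.7,,
"""


def parse_line(line):
    """Parse one audit-log line; returns a dict, or None for header/blank lines."""
    row = next(csv.reader([line]), [])
    if not row or not row[0].strip().isdigit():
        return None  # column header or explanatory text at the top of the file
    # Real files may carry extra trailing columns; keep the seven documented ones.
    row = (row + [""] * len(FIELDS))[: len(FIELDS)]
    rec = dict(zip(FIELDS, (v.strip() for v in row)))
    rec["ID"] = int(rec["ID"])
    rec["meaning"] = EVENT_CODES.get(rec["ID"], "undocumented code")
    return rec


def parse_log(text):
    """Parse a whole log file's text into a list of entry dicts, in log order."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def alerts(records):
    """Return the entries whose event code is in ALERT_CODES, in log order."""
    return [r for r in records if r["ID"] in ALERT_CODES]


def count_by_code(records):
    """Count entries per event code; a quick picture of what the server was doing."""
    counts = {}
    for r in records:
        counts[r["ID"]] = counts.get(r["ID"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for a in alerts(entries):
        ip = a["IP Address"] or "-"
        print(f"{a['Date']} {a['Time']} code {a['ID']:02d} ip={ip}: {a['meaning']}")
```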

How to change DHCP log files location

1. Open the DHCP console.

o The DHCP server is shown as being enabled.
o The IP address is displayed as IP Address. It should not be displayed as Autoconfiguration IP Address.

3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as being Assigned By DHCP.

If, after the above checks, you can conclude that the IP address was assigned to the client by the DHCP server, some other network issue is the cause of the DHCP server connectivity issues being experienced. The issue is not due to an IP addressing issue on the client.

When clients have the incorrect IP address, it was probably due to the computer not being able to contact the DHCP server. When this occurs, the computer assigns its own IP address through Automatic Private IP Addressing (APIPA).

Computers could be unable to contact the DHCP server for a number of reasons:

A problem might exist with the hardware or software of the DHCP server.
A data-link protocol issue could be preventing the computer from communicating with the network.
The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.

When a DHCP client is assigned an IP address that is currently being used by another client, an address conflict has occurred.

The process that occurs to detect duplicate IP addresses is illustrated below:

1. When the computer starts, the system checks for any duplicate IP addresses.

4. The computer that initially owned the duplicate IP address experiences no interruptions and operates as normal.
5. You have to reconfigure the conflicting computer with a unique IP address so that the TCP/IP protocol stack can be enabled on that particular computer again.

When address conflicts exist, a warning message is displayed:

A warning is displayed in the system tray.
A warning message is displayed in the System log, which you can view in Event Viewer.

Address conflicts usually occur under the following circumstances:

You have competing DHCP servers in your environment: You can use the Dhcploc.exe utility to locate any rogue DHCP servers. The Dhcploc.exe utility is included with the Windows Support Tools. To solve the competing DHCP server issue, you have to locate the rogue DHCP servers, remove the necessary rogue DHCP servers, and then check that no two DHCP servers can allocate IP address leases from the same IP address range.

A scope redeployment has occurred: You can recover from a scope redeployment through the following strategy:
o Increase the conflict attempts on the DHCP server.
o Renew your DHCP client leases.

One of the following methods can be used to renew your DHCP client leases:

o Use the Ipconfig /renew command.
o The Repair button of the status dialog box (Support tab) of the connection can be used to renew the DHCP client lease.

When you click the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease, the following process occurs:

1. A DHCPREQUEST message is broadcast on the network to renew your DHCP clients' IP address leases.

4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client are registered again with the WINS server.
6. The computer name and IP address of the client are registered again with the DNS server.

You can enable server-side conflict detection through the following process:

1. Open the DHCP console.

o Verify that the DHCP server is authorized.

When troubleshooting the scope configured for the DHCP server:
o Check that the scope is enabled.
o Check whether all the available IP leases have already been assigned to clients.

A few troubleshooting strategies which you can use when a DHCP client obtains an IP address from the incorrect scope are summarized below:

First, determine whether competing DHCP servers exist on your network. Use the Dhcploc.exe utility included with the Windows Support Tools to locate rogue DHCP servers that are allocating IP addresses to clients.
If no rogue DHCP servers are located through the Dhcploc.exe utility, your next step is to verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlapping of the address space.
If you have multiple scopes on your DHCP server and the DHCP server is assigning IP addresses to clients on remote subnets, verify that the DHCP Relay Agent that is used to enable communication with the DHCP server has the correct address.

Troubleshooting the DHCP Server Configuration

If you have clients that cannot obtain IP addresses from the DHCP server even though they can contact the DHCP server, verify the following:

Verify that the DHCP Server service is running on the particular server.
Check the actual TCP/IP configuration settings on the DHCP server.
If you are using the Active Directory directory service, verify that the DHCP server is authorized.
The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server and verify that it is active.

When you need to verify the configuration of the DHCP server, use the following process:

First, check that the DHCP server is configured with the correct IP address. The network ID of the address being used must be the same as that of the subnet for which the DHCP server is expected to assign IP addresses to clients.
Verify the network bindings of the DHCP server. The DHCP server must be bound to the particular subnet. To check this:

1. Open the DHCP console.

Troubleshooting DHCP Database Issues

The DHCP service uses a number of database files to maintain DHCP-specific data or information on IP addresses, leases, scopes, superscopes, and DHCP options. The DHCP database files that are located in the systemroot\System3

3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled and then click Reconcile.
6. The inconsistencies are repaired.

How to reconcile a single scope

1. Open the DHCP console.

  • 7/24/2019 Microsoft Windows Servers 2003 kc.docx

    36/162

    een devised. This duplication of effort consumes time and money and adds comple!ity to

    already comple! systems.

    D24 is designed to mitigate these issues y providing a common interface etween

    applications. D24 serves as a goetween for client8server communications. D24 is designed

    to make client8server interaction easier and safer y factoring out common tasks such as

    security synchroni9ation and data flow handling into a common lirary so that developers

    do not have to dedicate the time and effort into developing their own solutions.

    Terms and Definitions

    The following terms are associated with RPC.

    Client

    A process, such as a program or task, that requests a service provided by another program. The client process uses the requested service without having to deal with many working details about the other program or the service.

    Server

    A process, such as a program or task, that responds to requests from a client.

    Endpoint

    The name, port, or group of ports on a host system that is monitored by a server program for incoming client requests. The endpoint is a network-specific address of a server process for remote procedure calls. The name of the endpoint depends on the protocol sequence being used.

    Endpoint Mapper (EPM)

    Part of the RPC subsystem that resolves dynamic endpoints in response to client requests and, in some configurations, dynamically assigns endpoints to servers.

    Client Stub

    Module within a client application containing all of the functions necessary for the client to make remote procedure calls using the model of a traditional function call in a standalone application. The client stub is responsible for invoking the marshalling engine and some of the RPC application programming interfaces (APIs).

    Server Stub

    Module within a server application or service that contains all of the functions necessary for the server to handle remote requests using local procedure calls.

    RPC Dependencies and Interactions

    RPC is a client/server technology in the most generic sense. There is a sender and a receiver; data is transferred between them. This can be classic client/server (for example, Microsoft Outlook communicating with a server running Microsoft Exchange Server) or


    system services within the computer communicating with each other. The latter is especially common. Much of the Windows architecture is composed of services that communicate with each other to accomplish a task. Most services built into the Windows architecture use RPC to communicate with each other.

    The following table briefly describes the services in Windows Server


    Remote Desktop Help Session Manager: Manages and controls Remote Assistance.

    Remote Registry


    Copy, backup, and other purposes.

    Windows Audio: Manages audio devices for Windows-based programs.

    Windows Image Acquisition (WIA): Provides image acquisition services for scanners and cameras.

    Windows Installer: Installs, repairs, and removes software according to instructions contained in .MSI files.

    Windows Internet Name Service (WINS): Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names.

    Windows Management Instrumentation: Provides a common interface and object model to access management information about operating system, devices, applications, and services. If this service is stopped, most Windows-based software will not function properly.

    Wireless Configuration


    DFS server fails, users can still continue accessing the data from the backup DFS (target). There is no interruption to accessing data.

    3. Load balancing:

    If all the DFS root servers and targets are working fine, it leads to load balancing. This is achieved by specifying locations for separate users.

    4. Security:

    We can implement security by using NTFS settings.

    DFS Terminology:

    1. DFS root


    has been shared.

    Implementation of DFS

    Creating a DFS root:

    On DC
    Create a folder in any drive
    Share it
    Give everyone full control
    Use the folder name as DFS root
    Create 2 more folders for links
    Share them & everyone full control
    Start > P > Admin Tools > DFS
    Right click on DFS
    New root
    Select domain root
    Domain name
    Browse the server DC
    Next, mention the root name
    Browse the folder to share
    Next, finish.

    Implementing DFS links

    On DC
    Create 2 folders.
    Share them & give full control permission
    On Member Server also same process
    On DC
    Start > P > Admin Tools > DFS > right click on DFS
    New link
    Link name (e.g. Germany)
    Browse the shared folder from DC
    OK
    Create all four links, two from DC & two from member server

    Accessing the resources (links):

    Either on DC or member server
    \\domain name\DFS root name
    ex: \\zoom.com\DFS root


    Implementing a DFS target:

    On DC
    Open DFS
    Right click on DFS root > Select new root target
    Browse server name > next
    Browse folder to share
    Next > finish

    Replication:

    After configuring the target we can configure the replication between DFS root and DFS target. And this can be scheduled. Types of replication topologies:

    Ring topology
    Hub & spoke topology
    Mesh topology

    Configuring replication between DFS root & target.

    On DC
    Open DFS > Right click on the DFS root
    Configure replication > next
    Select topology
    Finish

    ==================================

    DiskPart commands Guide

    DiskPart is a text-mode command interpreter that enables you to manage objects (disks, partitions, volumes, or virtual hard disks) by using scripts or direct input from a command prompt. Before you can use DiskPart commands, you must first list and then select an object to give it focus. When an object has focus, any DiskPart commands that you type will act on that object.

    You can list the available objects and determine an object's number or drive letter by using the list disk, list volume, list partition, and list vdisk commands. The list disk, list


    vdisk, and list volume commands display all disks and volumes on the computer. However, the list partition command only displays partitions on the disk that has focus. When you use the list commands, an asterisk (*) appears next to the object with focus.

    When you select an object, the focus remains on that object until you select a different object. For example, if the focus is set on disk 0 and you select volume 8 on disk


    INACTIVE - Mark the selected partition as inactive.
    LIST - Display a list of objects.
    MERGE - Merges a child disk with its parents.*
    ONLINE - Online an object that is currently marked as offline.
    OFFLINE - Offline an object that is currently marked as online.
    RECOVER - Refreshes the state of all disks in the selected pack. Attempts recovery on disks in the invalid pack, and resynchronizes mirrored volumes and RAID-5 volumes that have stale plex or parity data.*
    REM - Does nothing. This is used to comment scripts.
    REMOVE - Remove a drive letter or mount point assignment.
    REPAIR - Repair a RAID-5 volume with a failed member.
    RESCAN - Rescan the computer looking for disks and volumes.
    RETAIN - Place a retained partition under a simple volume.
    SAN - Display or set the SAN policy for the currently booted OS.*
    SELECT - Shift the focus to an object.
    SETID - Change the partition type.*
    SHRINK - Reduce the size of the selected volume.*
    UNIQUEID - Displays or sets the GUID partition table (GPT) identifier or master boot record (MBR) signature of a disk.*

    ==================================

    Active Directory (AD) Windows Server 2003

    History of Active Directory

    Active Directory was introduced to the world in the mid-90s by Microsoft as a replacement for Windows NT-style user authentication. Windows NT included a flat and non-extensible domain model, which did not scale well for large corporations. Active Directory, on the other hand, was created as a true directory service, versus the flat user-management service that NT had. Though it was introduced in the 90s, it did not become a part of the Operating System until Windows


    application protocol for querying and modifying directory services, developed at the University of Michigan in the early 90s. An LDAP directory tree is a hierarchical structure of organizations, domains, trees, groups, and individual units.

    Active Directory is a Directory. Sometimes it's easy to get lost in all of the technology and functions that are provided with AD and forget that Active Directory is a directory. It is a directory in both the common use of the term, like a white pages (you can add in a person's first name, last name, phone number, address, email address, etc.), and a directory of information for use by applications and services (such as Microsoft Exchange for email). AD is functionally a place to store information about people, things (computers, printers, etc.), applications, domains, services, security access permissions, and more. Applications and services then use the directory to perform a function.

    For example, Microsoft Windows uses Active Directory information to allow a user to log in to their computer and provide access to the security rights assigned in Active Directory. Windows is accessing the directory and then providing rights based on what it finds. If a user account is disabled in Active Directory, the directory itself is just setting a flag which Windows uses to disallow a user from logging in.

    We mentioned in the introduction that administrators use Active Directory to deploy software; this is an incomplete description. Administrators can set policies and information that a certain software application should be deployed to a certain user; AD itself does not deploy the software, but a Windows service reads the information from Active Directory and then installs the software.

    ==================================

    Flexible Single Master Operations (FSMO in AD)

    Windows 2000/2003 Multi-Master Model

    A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.

    One way Windows


    Windows 2000/2003 Single-Master Model

    To prevent conflicting updates in Windows


    also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

    Relative ID (RID) Master:

    The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.

    When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

    PDC Emulator:

    The PDC emulator is necessary to synchronize time in an enterprise. Windows


    Account lockout is processed on the PDC emulator.

    Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

    The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

    This part of the PDC emulator role becomes unnecessary when all workstations, member servers and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows


    Method #1: Know the default settings

    The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

    FSMO Role       Number of DCs holding this role   Original DC holding the FSMO role
    Schema          One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
    Domain Naming   One per forest                    (same as Schema)
    RID             One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain or any Child Domain)
    PDC Emulator    One per domain                    (same as RID)
    Infrastructure  One per domain                    (same as RID)

    Method #2: Use the GUI

    The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

    FSMO Role       Which snap-in should I use?
    Schema          Schema snap-in
    Domain Naming   AD Domains and Trusts snap-in
    RID             AD Users and Computers snap-in
    PDC Emulator    AD Users and Computers snap-in
    Infrastructure  AD Users and Computers snap-in

    Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

    To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

    1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.

    Finding the Domain Naming Master via GUI

    To find out who currently holds the Domain Naming Master Role:

    1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.


    Masters.

    3. When you're done, click Close.

    Finding the Schema Master via GUI

    To find out who currently holds the Schema Master Role:

    1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

    regsvr32 schmmgmt.dll

    9. Press the Close button.

    Method #3: Use the Ntdsutil command

    The FSMO role holders can be easily found by use of the Ntdsutil command.

    Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

    1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\WINDOWS>ntdsutil
    ntdsutil:

    1. Type roles, and then press ENTER.

    ntdsutil: roles
    fsmo maintenance:

    Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

    Type connections, and then press ENTER.

    fsmo maintenance: connections
    server connections:

    Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

    server connections: connect to server server100
    Binding to server100 ...


    Connected to server100 using credentials of locally logged on user.
    server connections:

    At the server connections: prompt, type q, and then press ENTER again.

    server connections: q
    fsmo maintenance:

    At the fsmo maintenance: prompt, type Select operation target, and then press ENTER again.

    fsmo maintenance: Select operation target
    select operation target:

    At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

    select operation target: List roles for connected server
    Server "server100" knows about 5 roles
    Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    select operation target:

    Type q 3 times to exit the Ntdsutil prompt.

    Note: You can download THIS nice batch file that will do all this for you (1k).

    Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows
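    As an added example (not part of the original notes, nor Microsoft's Dumpfsmos.cmd), the following PowerShell script reads the same five role holders directly from Active Directory with ADSI, so it works on a Windows Server 2003 DC without extra tools. It parses the "NTDS Settings" DNs that ntdsutil prints above, flags a role whose owner has been deleted (which is the case where a seizure is needed), and checks the infrastructure master against the global catalog rule mentioned earlier; the function names are my own and it assumes you run it while logged on to the domain with a DC reachable.

```powershell
# Added example: enumerate FSMO role holders via ADSI (no AD cmdlets needed).
# Each role is stored as the fSMORoleOwner attribute of a well-known object;
# the value is the DN of the holder's "NTDS Settings" object, the same DNs
# that ntdsutil shows after "List roles for connected server".

function ConvertFrom-NtdsSettingsDn {
    param([string]$Dn)
    # Example: CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,...
    # The server is the second RDN and the site is the fourth.
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,') {
        return New-Object PSObject -Property @{
            Server = $Matches[1]; Site = $Matches[2]; Dn = $Dn; Orphaned = $false }
    }
    # If the owning DC was removed without transferring the role, the attribute
    # points into the Deleted Objects container: that role has to be seized.
    return New-Object PSObject -Property @{
        Server = '(unknown)'; Site = '(unknown)'; Dn = $Dn
        Orphaned = ($Dn -match 'CN=Deleted Objects') }
}

function Test-IsGlobalCatalog {
    param([string]$NtdsSettingsDn)
    # Bit 0x1 of the NTDS Settings "options" attribute marks a global catalog.
    $opts = [int]([ADSI]"LDAP://$NtdsSettingsDn").options
    return (($opts -band 1) -eq 1)
}

function Get-FsmoRoleHolders {
    # RootDSE gives the naming-context DNs of the domain we are logged on to.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # Objects whose fSMORoleOwner attribute identifies each role holder.
    $roleObjects = @{
        'Schema'         = "LDAP://$schemaNc"
        'Domain Naming'  = "LDAP://CN=Partitions,$configNc"
        'PDC Emulator'   = "LDAP://$domainNc"
        'RID'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure' = "LDAP://CN=Infrastructure,$domainNc"
    }

    $holders = @{}
    foreach ($role in $roleObjects.Keys) {
        $ownerDn = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
        $holders[$role] = ConvertFrom-NtdsSettingsDn $ownerDn
    }
    return $holders
}

$holders = Get-FsmoRoleHolders
foreach ($role in ($holders.Keys | Sort-Object)) {
    $h = $holders[$role]
    '{0,-15} {1,-20} site: {2}' -f $role, $h.Server, $h.Site
    if ($h.Orphaned) {
        "  WARNING: the $role owner no longer exists; the role has to be seized."
    }
}

# The infrastructure master should not sit on a GC unless every DC in the
# domain is a GC; flag that common misconfiguration for a manual check.
$infra = $holders['Infrastructure']
if (-not $infra.Orphaned -and (Test-IsGlobalCatalog $infra.Dn)) {
    "NOTE: infrastructure master $($infra.Server) is a Global Catalog; verify that all DCs in the domain are GCs."
}
```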


    security. In Windows


    Windows Server 2003 domain functional level

    The Active Directory domain features that are available in Windows


    The Active Directory domain features that are available in Windows


    The Active Directory domain features that are available in Windows Server


    Distribution group nesting
    Security group nesting
    Universal Groups
    Group conversion between Security Groups and Distribution Groups
    Global Catalog support
    SID History
    Up to 1,000,000 domain objects are supported
    Renaming domain controllers
    Update logon timestamp
    Users/Computers container redirection
    Constrained delegation
    User password support on the InetOrgPerson object

    How to check which domain functional level is set for the domain

    1. Open the Active Directory Domains And Trusts console
    2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
    3. The Raise Domain Functional Level dialog box opens
    4. You can view the existing domain functional level for the domain in Current domain functional level.

    How to raise the domain functional level to the Windows 2000 native domain functional level or Windows Server 2003 domain functional level

    Before you can raise the domain functional level to Windows Server


    4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
    5. Click Raise
    6. Click OK

    Forest Functional Levels

    While Window


    Improved Knowledge Consistency Checker (KCC) replication algorithms
    Application groups
    InetOrgPerson objectClass
    NTDS.DIT size reduction

    Windows Server 2003 Interim Forest Functional Level

    Domain controllers in a domain running Windows NT 4 and Windows Server


    Dynamic auxiliary classes
    Application groups
    InetOrgPerson objectClass
    NTDS.DIT size reduction

    Windows Server 2003 Forest Functional Level

    All domain controllers in the forest have to be running Windows Server


    2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
    3. The Raise Forest Functional Level dialog box opens
    4. You can view the existing forest functional level in Current forest functional level.

    How to raise the forest functional level to the Windows Server 2003 forest functional level

    Each domain controller in the forest has to be running Windows Server


    Groups are containers that contain user and computer objects within them as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain Groups enable centralized administration in a domain. All domain groups are created on a domain controller.

    In a domain, Active Directory provides support for different types of groups and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or a single domain.

    Group Types

    Security groups: Use Security groups for granting permissions to gain access to resources. Sending an email message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.

    Distribution groups: Distribution groups are used for sending email messages to groups of users. You cannot grant permissions to distribution groups.


    Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.

    ==================================

    Windows Server 2003 NTDSutil Guide

    NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. By default, Ntdsutil is installed in the Winnt\System32 folder.

    Preparation for NTDSutil

    Begin by logging on at a Windows Server


    Roles & FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles such as PDC Emulator. Good news: for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory Snap-ins. My point is, I could not find a way of displaying who holds which FSMO role with NTDSutil.

    Reset DSRM password. If you don't know the server's Directory Service account password, then here is your chance to reset it to a password that you will remember.

    Security Account Management. Check for duplicate SIDs

    Example 1. Security Account Management (Maintenance)

    Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This is what I typed at the command prompt; my commands are in bold:

    E:\ntdsutil>ntdsutil
    ntdsutil: security account management
    Security Account Maintenance: connect to server Server3
    Security Account Maintenance: check duplicate sid
    ...
    Duplicate SID check completed successfully. Check dupsid.log for any duplicates
    Security Account Maintenance:

    1) In the above session I typed the full command security accounts management. However, you can shorten commands thus: 'sec acc man'

    Incidentally, I am inventing these shorthand commands, in the sense that NTDSutil also understands: sec ac ma, or even 'secu a m'. NTDSutil's brain works by analysing your letters and, if there is only one possible interpretation, then it fills in the gaps and returns the service that you asked for. For example, plain 'se' will not work because there is another command which begins with se: Semantic....


    Example 2. Reset password for DSRM (Directory Services Restore Mode)

    Here is where I challenge you to perform a real task. Once upon a time, when your Windows server


    It is best to avoid seizing roles. The decision to seize an operations master role depends upon the role and the expected length of the outage.

    Primary Domain Controller Emulator Failures

    The loss of a domain controller that holds the primary domain controller emulator role can be visible to any user, either users or administrators. Specifically, an end user running Windows NT Workstation 3.51 or Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change their password without communicating with the primary domain controller emulator. If the user's password has expired, the user is not able to log on.

    Therefore, you might need to repair a primary domain controller emulator failure quickly. If the primary domain controller emulator is offline for a significant period of time and the domain has users running Windows NT Workstation 3.51 or Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the primary domain controller emulator role to the "standby operations master" domain controller.

    The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know the current primary domain controller emulator will be offline for a significant period. Later, when the original primary domain controller emulator domain controller comes back online, transfer the role back to the original role owner.

    Infrastructure Master Failures

    Temporary loss of a domain's infrastructure master is not visible to end users and is not visible to you as an administrator unless you recently moved or renamed a large number of accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a problem worth fixing. If you anticipate a long outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is not a Global Catalog server and that has good network connectivity to a Global Catalog server located in any domain. Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It is not important that the new infrastructure master be near the previous one. When you have selected the domain controller, seize the infrastructure master role to this domain controller.

    The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know that the current infrastructure master will be offline for a very long period. Later, when the original infrastructure master comes back online, transfer the role back to the original role owner.

    Other Operations Master Failures

    Temporary loss of the schema master, domain naming master, or RID master is ordinarily not


    visible to end users and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the "standby operations master" domain controller.

    But seizing any of these roles is a drastic step; one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media. A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.

    The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date.

    To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on the Microsoft Windows


    server10, or use the Repadmin tool's /sync /force commands to make the replication happen immediately.

    After you have determined that the role owner is fully up-to-date, you can seize the operations master role using the Ntdsutil tool, as in the following example:

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server server10.reskit.com
    Binding to server10.reskit.com
    Connected to server10.reskit.com using credentials of locally logged on user
    server connections: quit
    fsmo maintenance: seize RID master
    Server "server10.reskit.com" knows about 5 roles
    Schema CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
    Domain CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
    PDC CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
    RID CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
    Infrastructure CN=NTDS Settings,CN=server1


    When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure. The Ntdsutil tool provides help information when you type a question mark (?). The following is an example showing the transfer of the domain naming master role (with user input shown in bold type):

    C:\> ntdsutil
    ntdsutil: ?
    ? - Print this help information
    Authoritative restore - Authoritatively restore the DIT database
    Domain management - Prepare for new domain creation
    Files - Manage NTDS database files
    Help - Print this help information
    IPDeny List - Manage LDAP IP Deny List
    LDAP policies - Manage LDAP protocol policies
    Metadata cleanup - Clean up objects of decommissioned servers
    Popups %s - (en/dis)able popups with "on" or "off"
    Quit - Quit the utility
    Roles - Manage NTDS role owner tokens
    Security account management - Manage Security Account Database - Duplicate SID Cleanup
    Semantic database analysis - Semantic Checker

    ntdsutil: roles
    fsmo maintenance: ?
    ? - Print this help information
    Connections - Connect to a specific domain controller
    Help - Print this help information
    Quit - Return to the prior menu
    Seize domain naming master - Overwrite domain role on connected server
    Seize infrastructure master - Overwrite infrastructure role on connected server
    Seize PDC - Overwrite PDC role on connected server
    Seize RID master - Overwrite RID role on connected server
    Seize schema master - Overwrite schema role on connected server
    Select operation target - Select sites, servers, domains, roles and Naming Contexts
    Transfer domain naming master - Make connected server the domain naming master
    Transfer infrastructure master - Make connected server the infrastructure master
    Transfer PDC - Make connected server the PDC
    Transfer RID master - Make connected server the RID master
    Transfer schema master - Make connected server the schema master

  • 7/24/2019 Microsoft Windows Servers 2003 kc.docx

    70/162

    fsmo maintenance" connections

    server connections"

    2rint this help information

    4lear creds 4lear prior connection credentials

    4onnect to domain Vs 4onnect to NS domain name4onnect to server Vs 4onnect to server NS name or I2 address

    Oelp 2rint this help information

    Info Show connection information

    Xuit Deturn to the prior menu

    Set creds Vs Vs Vs Set connection creds as domain user pwd

    Use \NUKK] for null password

    server connections" connect to serverreskit;

    Cinding to reskit;

    4onnected to reskit; using credentials of locally logged on user

    server connections" Duit

    fsmo maintenance" transfer domain namin> master

    Server \reskit;^ knows aout R roles

    Schema 4NHNTS

    Settings4NHDLSBIT;4NHServers4NH*ashington4NHSites4NH4onfiguration4Hresk

    it4Hcom

    omain 4NHNTS

    Settings4NHDLSBIT;4NHServers4NH*ashington4NHSites4NH4onfiguration4Hresk

    it4Hcom

    24 4NHNTSSettings4NHDLSBIT;4NHServers4NH*ashington4NHSites4NH4onfiguration4Hresk

    it4Hcom

    DI 4NHNTS

    Settings4NHDLSBIT;4NHServers4NH*ashington4NHSites4NH4onfiguration4Hresk

    it4Hcom

    Infrastructure 4NHNTS

    Settings4NHDLSBIT;4NHServers4NH*ashington4NHSites4NH4onfiguration4Hresk

    it4Hcom

    fsmo maintenance" Duit

    ntdsutil" Duit

    isconnecting from reskit;

    4"7%

    In the previous example, the available Ntdsutil tool commands display after entering a
    question mark (?). To transfer an operations master role, the roles command is entered, which
    displays the fsmo maintenance menu. Entering a question mark (?) displays the
    subcommands within the fsmo maintenance menu. Before transferring the operations master
    role, you must connect to the domain controller that will receive the role ("reskit1" in the
    example above) by entering the connect to server subcommand. Then, after leaving the server
    connections mode by entering "quit", issue the transfer domain naming master command. A
    confirmation pop-up window (not shown) displays for the transfer domain naming master
    operation.

    Note

    You must have sufficient permissions to execute commands using the Ntdsutil tool. For more
    information about controlling access to operations master role placements, see "Controlling
    Access to Role Placements" later in this chapter.

    It is also possible to view the current operations master role owner using the Ntdsutil
    command-line tool from the Select Operation Target menu located under the Roles option. By
    using the List roles for connected server command, a list displays of all of the current
    operations master role owners.
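The role listing that the transfer above and the List roles for connected server command produce can be checked mechanically rather than by eye. The following Python parser is an added example, not part of the Resource Kit text; its sample output is constructed from the shape of the transcript, and RESKIT2 as the PDC holder is invented to show a mismatch.

```python
"""Parse the operations master listing that Ntdsutil prints.

Added example, not from the Resource Kit text. It reads the
"Server ... knows about N roles" block shown in the transcript above and
returns which server's NTDS Settings object holds each role, so an
administrator can confirm that a transfer (or seizure) left the role on
the intended domain controller and that no role sits on an unexpected
server. SAMPLE_OUTPUT is constructed; RESKIT2 holding PDC is invented.
"""
import re

KNOWN_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

SAMPLE_OUTPUT = """\
Server "reskit1" knows about 5 roles
Schema - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=RESKIT2,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
"""

_HEADER = re.compile(r'^Server "(?P<server>[^"]+)" knows about (?P<count>\d+) roles$')
# Role name, separator, then the DN of the owner's NTDS Settings object;
# the owning server is the second RDN (CN=<server>).
_ROLE = re.compile(r"^(?P<role>\w+) - CN=NTDS Settings,CN=(?P<server>[^,]+),")


def parse_role_owners(text: str) -> dict:
    """Map each role name to the server whose NTDS Settings object owns it."""
    owners = {}
    declared = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            declared = int(header.group("count"))
            continue
        role = _ROLE.match(line)
        if role:
            owners[role.group("role")] = role.group("server")
    # Ntdsutil announces how many roles it knows about; a mismatch means the
    # listing was truncated or the format changed, so do not trust it.
    if declared is not None and declared != len(owners):
        raise ValueError(f"header declared {declared} roles, parsed {len(owners)}")
    return owners


def verify_transfer(text: str, role: str, expected_server: str) -> list:
    """Return findings for a transfer of `role`; an empty list means success."""
    owners = parse_role_owners(text)
    findings = []
    if role not in owners:
        findings.append(f"{role} missing from listing")
    elif owners[role].lower() != expected_server.lower():
        findings.append(f"{role} is held by {owners[role]}, not {expected_server}")
    for missing in KNOWN_ROLES:
        if missing not in owners:
            findings.append(f"no owner reported for {missing}")
    return findings


def unexpected_holders(owners: dict, approved: set) -> dict:
    """Roles held by servers outside the approved set (case-insensitive)."""
    approved = {s.lower() for s in approved}
    return {r: s for r, s in owners.items() if s.lower() not in approved}
```

Running `verify_transfer` against the real listing after a transfer, and `unexpected_holders` against the set of domain controllers that are supposed to hold roles, turns the post-change check into something a script can fail on.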

    For more information about using the Ntdsutil command-line tool, see Windows


    Outgoing Trust: In this case, users in the other domain are able to access network resources
    in the initiating domain. Users in the initiating domain are not able to access any resources in
    the other domain.

    o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2,
    then Domain2 trusts Domain1. The trust basically works both ways, and users in each domain
    are able to access network resources in either one of the domains. A two-way, transitive trust
    relationship is the trust that exists between parent domains and child domains in a domain
    tree. In a two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts
    Domain3, then Domain1 would trust Domain3 and Domain3 would trust Domain1. Two-way,
    transitive trust is the default trust relationship between domains in a tree. It is automatically
    created and exists between top-level domains in a forest.

    Trusts can be implicit or explicit trusts:

    o Implicit: Automatically created trust relationships are called implicit trust. An example of
    implicit trust is the two-way, transitive trust relationship that Active Directory creates between
    parent and child domains.

    o


    Forest trust: Forest trust can be created between two Active Directory forests.


    Planning Considerations for Trust Relationships

    Tree-root trust and Parent-child trust are implicitly created by Active Directory when new
    domains are created. What this means is that you do not need to explicitly create these trusts,
    nor do you have to perform any configuration or management tasks for the trust relationships.
    Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child
    trust in that the former four trusts have to be explicitly created and managed. Because of the
    different types of trust relationships that can be created, you need to plan which type of trust
    relationship to create for the domains within your Active Directory environment.

    Shortcut Trust

    Before you can create any shortcut trusts, you must be a member of the Enterprise Admin or
    Domain Admin groups in each domain in the forest. Another requirement is that the domains
    you are creating shortcut trust for are Windows Server


    In order to create realm trust, you should have Enterprise Admin or Domain Admin
    permissions for the Windows Server


    Introduction

    This document is part of a set of step-by-step guides that introduce IT managers and system
    administrators to the features of the Windows


    Administrative templates. These include registry-based Group Policy, which you use to
    mandate registry settings that govern the behavior and appearance of the desktop, including
    the operating system components and applications.

    Security settings. You use the Security Settings extension to set security options for
    computers and users within the scope of a Group Policy object. You can define local
    computer, domain, and network security settings.

    Software installation. You can use the Software Installation snap-in to centrally manage
    software in your organization. You can assign and publish software to users and assign
    software to computers.

    Scripts. You can use scripts to automate computer startup and shutdown and user logon and
    logoff. You can use any language supported by Windows Script Host. These include the
    Microsoft Visual Basic development system, Scripting Edition; JavaScript; and MS-DOS-style
    batch files (.bat and .cmd).

    Remote Installation Services. You use Remote Installation Services (RIS) to control the
    behavior of the Remote Operating System Installation feature as displayed to client computers.

    Internet Explorer Maintenance. You use Internet

    Figure 1: The Hierarchy of Group Policy and the Active Directory

    Group Policy objects are linked to site, domain, and OU containers in the Active Directory.


    The default order of precedence follows the hierarchical nature of the Active Directory: sites
    are first, then domains, and then each OU. A GPO can be associated with more than one
    Active Directory container, or multiple containers can be linked to a single GPO.

    Prerequisites and Initial Configuration

    Prerequisites

    This Software Installation and Maintenance document is based on Step-by-Step to a Common
    Infrastructure for Windows


    snap-in for setting the scope of management to domain and organizational units (OUs). You
    can also use the Active Directory Sites and Services snap-in to set the scope of management
    to a site. These two tools can be accessed from the Administrative Tools program group; the
    Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a
    custom MMC console as described in the next section.

    Configuring a Custom Console

    The examples in this document use the custom MMC console that you can create by
    following the procedure in this section. You need to create this custom console before
    attempting the remaining procedures in this document.

    Note: If you want more experience building MMC consoles, run through the procedures
    outlined in Step-by-Step Guide to Microsoft Management Console

    To configure a custom console

    Log on to the HQ-RES-DC-01 domain controller server as an administrator.

    Click Start, click Run, type mmc, and then click OK.

    On the Console menu, click Add/Remove Snap-in.

    In the Add/Remove Snap-in dialog box, click Add.

    In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box, click
    Active Directory Users and Computers, and then click Add.

    Double-click Active Directory Sites and Services snap-in from the Available standalone
    snap-ins list box.

    In the Available standalone snap-ins list box, double-click Group Policy.

    In the Select Group Policy object dialog box, Local computer is selected under Group Policy
    object. Click Finish to edit the local Group Policy object. Click Close in the Add standalone
    snap-in dialog box.

    In the Add/Remove Snap-in dialog box, click the Extensions tab.

    In the MMC console, on the Console menu, click Save.

    In the Save As dialog box, in the File name text box, type GPWalkthrough, and then click
    Save.


    The console should appear as in Figure 3 below:

    Figure 3: Group Policy MMC Console

    Accessing Group Policy

    You can use the appropriate Active Directory tools to access Group Policy while focused on
    any site, domain, or OU.

    To open Group Policy from Active Directory Sites and Services

    In the GPWalkthrough MMC console, in the console tree, click the


    Scoping a Domain or OU

    To scope the domain or OU, use the GPWalkthrough MMC console that you saved earlier.

    To scope Group Policy for a domain or OU

    Click Start, point to Programs, click Administrative Tools, and click GPWalkthrough to open
    the MMC console you created earlier.

    Click the + next to Active Directory Users and Computers to expand the tree.

    Click the

    Scoping Local or Remote Computers

    To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to
    the MMC console and focus it on a remote or local computer. To access Group Policy for the
    local computer, use the GPWalkthrough console created earlier in this document and choose
    the Local Computer Policy node. You can add other computers to the console namespace by


    adding another Group Policy snap-in to the GPWalkthrough console and clicking
    the Browse button when the Select Group Policy Object dialog box is displayed.

    Note: Some of the Group Policy extensions are not loaded when Group Policy is run against
    a local GPO.

    Creating a Group Policy Object

    The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in
    turn associated with selected Active Directory objects, such as sites, domains, or
    organizational units (OUs).

    To create a Group Policy Object (GPO)

    Open the GPWalkthrough MMC console.

    Click the ... Headquarters Properties page, click the Group Policy tab.

    Click New, and type HQ Policy.

    The Headquarters Properties page should appear as in Figure 4 below:

    Figure 4: Headquarters Properties

    At this point you could add another GPO for the Headquarters OU, giving each one that you
    create a meaningful name, or you could edit the HQ Policy GPO, which starts the Group
    Policy snap-in for that GPO. All Group Policy functionality is derived from the snap-in
    extensions. In this exercise all of these extensions are enabled. It is possible, using standard
    MMC methods, to restrict the extension snap-ins that are loaded for any given snap-in. For
    information on this capability, see the Windows


    snap-in, which is how the GPO is modified. This is described in more detail later in this
    document.

    To permanently delete a GPO from the list, select it from the list and click the Delete button.
    Then, when prompted, select Remove the link and delete the Group Policy object
    permanently. Be careful when deleting an object, because the GPO may be associated with
    another site, domain, or OU. If you want to remove a GPO from the list, select the GPO from
    the links list, click Delete, and then when prompted, select Remove the link from the list.

    To determine what other sites, domains, or OUs are associated with a given GPO, right-click
    the GPO, select Properties from the context menu, and then click the Links tab in the GPO
    Properties page.

    The No override check column marks the selected GPO as one whose policies cannot be
    overridden by another GPO.

    Note: You can enable the No Override property on more than one GPO. All GPOs that are
    marked as No override will take precedence over all other GPOs not marked. Of those GPOs
    marked as No override, the GPO with the highest priority will be applied after all the other
    similarly marked GPOs.

    The Disabled check box simply disables (deactivates) the GPO without removing it from the
    list. To remove a GPO from the list, select the GPO from the links list, click Delete, and then
    select Remove the link from the list in the Delete dialog box.

    It is also possible to disable only the User or Computer portion of the GPO. To do this,
    right-click the GPO, click Properties, click either Disable computer configuration settings or
    Disable user configuration settings, and then click OK. These options are available on the
    GPO Properties page, on the General tab.

    The Block policy inheritance check box has the effect of negating all GPOs that exist higher
    in the hierarchy. However, it cannot block any GPOs that are enforced by using the No
    override check box; those GPOs are always applied.

    Note: Policy settings contained within the local GPO that are not specifically overridden by
    domain-based policy settings are also always applied. Block Policy Inheritance at any level
    will not remove local policy.
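The precedence rules described above (processing order, No override, Disabled, Block policy inheritance, and the always-processed local GPO) are easy to misjudge when several of them interact, so here they are as a small Python model. This is an added example, not part of the guide; the site, domain, OU and GPO names in it are constructed, and the tie-break among competing enforced links is standard Windows behaviour rather than something the guide states.

```python
"""Model of the order in which Group Policy applies GPOs (last applied wins).

Added example, not from the guide. Rules implemented as described above:
the local GPO is processed first and overridden only by domain-based
settings; site, domain and OU links are applied top-down, the
highest-priority link in a container being applied last; Block policy
inheritance drops every non-enforced link from containers above it; No
override (enforced) links cannot be blocked and are applied after all
others, the one linked highest in the hierarchy last (Windows behaviour,
an assumption beyond the guide's text). All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict              # policy name -> value
    enforced: bool = False      # "No override" column in the links list
    disabled: bool = False      # "Disabled" check box


@dataclass
class Container:
    name: str                   # a site, domain or OU
    links: list = field(default_factory=list)  # index 0 = highest priority
    block_inheritance: bool = False


def application_order(local: Gpo, chain: list) -> list:
    """GPOs in processing order for `chain` (top-level container first)."""
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance),
                        default=0)
    order = [local]
    for depth, container in enumerate(chain):
        if depth < blocked_above:
            continue                        # negated by Block policy inheritance
        for gpo in reversed(container.links):     # lowest priority first
            if not gpo.enforced and not gpo.disabled:
                order.append(gpo)
    for container in reversed(chain):       # enforced: child first, top last
        for gpo in reversed(container.links):
            if gpo.enforced and not gpo.disabled:
                order.append(gpo)
    return order


def effective_settings(local: Gpo, chain: list) -> dict:
    """Resolve the winning value of every setting."""
    result = {}
    for gpo in application_order(local, chain):
        result.update(gpo.settings)
    return result


# Constructed hierarchy: Washington site -> reskit.com -> Accounts OU -> Headquarters OU.
LOCAL = Gpo("Local Computer Policy", {"Wallpaper": "local.bmp", "ScreenSaverTimeout": 900})
SITE = Container("Washington", [Gpo("Site Branding", {"Wallpaper": "site.bmp"})])
DOMAIN = Container("reskit.com", [
    Gpo("Default Domain Policy", {"ScreenSaverTimeout": 600}, enforced=True),
    Gpo("Domain Wallpaper", {"Wallpaper": "domain.bmp"}),
])
ACCOUNTS = Container("Accounts", [Gpo("Accounts Policy", {"Wallpaper": "accounts.bmp"})])
HEADQUARTERS = Container("Headquarters", [
    Gpo("HQ Policy", {"Wallpaper": "hq.bmp"}),
    Gpo("HQ Old Policy", {"Wallpaper": "old.bmp"}, disabled=True),
], block_inheritance=True)
CHAIN = [SITE, DOMAIN, ACCOUNTS, HEADQUARTERS]
```

With Block policy inheritance set on Headquarters, the site, domain and Accounts links are skipped, yet the enforced Default Domain Policy still lands last and wins the screen saver timeout, while the local wallpaper is overridden by HQ Policy.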

    Editing a Group Policy Object

    You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01
    server as an Administrator if you have not already done so.

    To edit a Group Policy Object (GPO)

    Click Start, point to Programs, click Administrative Tools, and then select GPWalkthrough.


    Click the ... Headquarters, select Properties, and then click the Group Policy tab. HQ Policy
    in the Group Policy object links list box should be highlighted.

    Double-click the HQ Policy GPO (or click Edit).

    This opens the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to
    the OU named Headquarters. It should appear as in Figure 5 below:

    Figure 5: HQ Policy

    Adding or Browsing a Group Policy Object

    The Add a Group Policy Object Link dialog box shows GPOs currently associated with
    domains, OUs, sites, or all GPOs without regard to their current associations (links). The Add
    a Group Policy Object Link dialog box is shown in Figure 6 below.

    Figure 6: Add a Group Policy Object Link


    GPOs are stored in each domain. The Look In drop-down box allows you to select a different
    domain to view.

    In the Domains/OUs tab, the list box displays the sub-OUs and GPOs for the currently
    selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one
    level toolbar button.

    To add a GPO to the currently selected domain or OU, either double-click the object, or
    select it and click OK.

    Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open
    space, and selecting New on the context menu, or by using the Create New GPO toolbar
    button. The Create New GPO toolbar button is only active in the All tab. To create a new GPO
    and link it to a particular site, domain, or OU, use the New button on the Group Policy
    Property page.

    Note: It is possible to create two or more GPOs with the same name. This is by design and is
    because the GPOs are actually stored as GUIDs and the name shown is a friendly name
    stored in the Active Directory.

    In the Sites tab, all GPOs associated with the selected site are displayed. Use the drop-down
    list to select another site. There is no hierarchy of sites.

    The All tab shows a flat list of all GPOs that are stored in the selected domain. This is useful
    when you want to select a GPO that you know by name, rather than where it is currently
    associated. This is also the only place to create a GPO that does not have a link to a site,
    domain, or OU.

    To create an unlinked GPO, access the Add a Group Policy Link dialog box from any site,
    domain, or OU. Click the All tab, select the toolbar button or right-click the white space, and
    select New. Name the new GPO, and click Enter, and then click Cancel; do not click OK.
    Clicking OK links the new GPO to the current site, domain, or OU. Clicking Cancel creates an
    unlinked GPO.

    Registry-based Policies

    The user interface for registry-based policies is controlled by using Administrative Template
    (.adm) files. These files describe the user interface that is displayed in the Administrative
    Templates node of the Group Policy snap-in. These files are format-compatible with the
    .adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0.
    With Windows


    Windows ... Configuration\Administrative Templates under the System\Group Policy nodes.
    If you set this policy to Enabled, the Show policies only command is turned on, and
    administrators cannot turn it off, and the Group Policy snap-in displays only true policies. If
    you set this policy to Disabled or Not configured, the Show policies only command is turned
    on by default; however, you can view preferences by turning off the Show policies only
    command.

    To view preferences, you must turn off the Show policies only command, which you access
    by selecting the Administrative Templates node (under either User Configuration or
    Computer Configuration nodes) and then clicking the View menu on the Group Policy
    console and clearing the Show policies only check box. Note that it is not possible for the
    selected state for this policy to persist; that is, there is no preference for this policy setting.

    In Group Policy, preferences are indicated by a red icon to distinguish them from true
    policies, which are indicated by a blue icon.

    Use of non-policies within the Group Policy infrastructure is strongly discouraged because of
    the persistent registry settings behavior mentioned previously. To set registry policies on
    Windows NT 4.0 and Windows 95 and Windows 98 clients, use the Windows NT 4.0 System
    Policy Editor tool, Poledit.exe.

    By default, the System.adm, Inetres.adm, and Conf.adm files are loaded and present this
    namespace, as shown in Figure 7 below:


    Figure 7: User Configuration

    The .adm files include the following settings:

    System.adm: Operating system settings

    Inetres.adm: Internet


    o Right-click Administrative Templates, and select Add/Remove Templates. This shows a
    list of the currently active templates files for this Active Directory container.

    o Click Add. This shows a list of the available .adm files in the %systemroot%\inf directory
    of the computer where Group Policy is being run. You can choose an .adm file from another
    location. Once chosen, the .adm file is copied into the GPO.

    To set registry-based settings using administrative templates

    o In the GPWalkthrough console, double-click Active Directory Users and Computers,
    double-click the reskit.com domain, double-click Accounts, right-click the Headquarters OU,
    and then click Properties.

    o In the Headquarters Properties dialog box, click Group Policy.

    o Double-click the HQ Policy GPO from the Group Policy object links list to edit the HQ
    Policy GPO.

    o In the Group Policy console, under the User Configuration node, click the plus sign (


    Note the Previous Policy and Next Policy buttons in the dialog box. You can use
    these buttons to navigate the details pane to set the state of other policies. You can
    also leave the dialog box open and click another policy in the details pane of the
    Group Policy snap-in. After the details pane has the focus, you can use
    the Up and Down arrow keys on the keyboard and press Enter to quickly browse
    through the settings (or Explain tabs) for each policy in the selected node.

    o Click OK. Note the change in state in the Setting column, in the details pane. This change
    is immediate; it has been saved to