Using the BurFlags registry key to reinitialize File Replication Service replica sets

Friday, February 27, 2009

Overview

FRS is a multi-threaded, multi-master replication engine that Windows Server 2003 and Windows 2000 domain controllers use to replicate system policies and logon scripts for Windows Server 2003, Windows 2000, and earlier-version clients. In Microsoft Windows NT, the LanMan Replication (LMREP) service handled replication. FRS replaced LMREP in Windows 2000. You can also use FRS to replicate content between Windows 2000 servers that host the same fault-tolerant Distributed File System (DFS) roots or child node replicas.

When you deploy Windows-based domain controllers or member servers that use FRS to replicate files in SYSVOL or DFS shares, you may have to restore or reinitialize individual members of a replica set if replication has stopped or is inconsistent. In some scenarios, you may have to rebuild the whole replica set from scratch.

The FRS BurFlags registry key is used to perform authoritative or nonauthoritative restores on FRS members of DFS or SYSVOL replica sets.

Note System state backups of Windows member servers and domain controllers do not include the FRS database that maintains a mapping of files that are held in local FRS trees and a master list of FRS files. For more information about exclusions for Ntbackup.exe, click the following article number to view the article in the Microsoft Knowledge Base:
233427  (http://support.microsoft.com/kb/233427/ ) Files and folders that are not backed up when the Ntbackup.exe tool is used in Windows Server 2003, Windows XP, and Windows 2000

Restoring FRS replicas

The global BurFlags registry key contains REG_DWORD values and is located at the following path in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
The most common values for the BurFlags registry key are:
  • D2, also known as a nonauthoritative mode restore
  • D4, also known as an authoritative mode restore
You can also perform BurFlags restores at the same time as you restore data from backup or from any other known good source, and then restart the service.

Nonauthoritative restore

Nonauthoritative restores are the most common way to reinitialize individual members of FRS replica sets that are having difficulty. These difficulties may include:
  • Assertions in the FRS service
  • Corruption of the local jet database
  • Journal wrap errors
  • FRS replication failures
Attempt nonauthoritative restores only after you discover FRS dependencies and you understand and resolve the root cause. For more information about how to discover FRS dependencies, see the "Considerations before configuring authoritative or nonauthoritative restores of FRS members" section later in this article.

Members that are nonauthoritatively restored must have inbound connections from operational upstream partners with which Active Directory and FRS replication is working. In a large replica set that has at least one known good replica member, you can recover all the remaining replica members by using a nonauthoritative mode restore if you reinitialize the computers in direct replication partner order.

If you determine that you must complete a nonauthoritative restore to return a member to service, save as much state as possible from that member and from the direct replication partner in the direction in which replication is not working. This permits you to review the problem later. You can obtain state information from the FRS and System logs in the Event Viewer.

Note You can configure the FRS logs to record detailed debugging entries. For more information about how to configure FRS logging, click the following article number to view the article in the Microsoft Knowledge Base:
221111  (http://support.microsoft.com/kb/221111/ ) Description of FRS entries in the registry
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type net stop ntfrs.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  7. In the right pane, double-click BurFlags.
  8. In the Edit DWORD Value dialog box, type D2 and then click OK.
  9. Quit Registry Editor, and then switch to the Command box.
  10. In the Command box, type net start ntfrs.
  11. Quit the Command box.
When the FRS service restarts, the following actions occur:
  • The value of the BurFlags registry key returns to 0.
  • Files in the reinitialized FRS folders are moved to a Pre-existing folder.
  • An event 13565 is logged to signal that a nonauthoritative restore is started.
  • The FRS database is rebuilt.
  • The member performs an initial join of the replica set from an upstream partner or from the computer that is specified in the Replica Set Parent registry key if a parent has been specified for SYSVOL replica sets.
  • The reinitialized computer runs a full replication of the affected replica sets when the relevant replication schedule begins.
  • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
Note: The placement of files in the Pre-existing folder on reinitialized members is a safeguard in FRS designed to prevent accidental data loss. Any files destined for the replica that exist only in the local Pre-existing folder and did not replicate in after the initial replication may then be copied to the appropriate folder. When outbound replication has occurred, delete files in the Pre-existing folder to free up additional drive space.

Authoritative FRS restore

Use authoritative restores only as a final option, such as in the case of directory collisions.

For example, you may require an authoritative restore if you must recover an FRS replica set where replication has completely stopped and requires a rebuild from scratch.

The following requirements must be met before you perform an authoritative FRS restore:
  1. The FRS service must be disabled on all downstream partners (direct and transitive) of the reinitialized replica sets before you restart the FRS service on the member that has been configured for the authoritative restore.
  2. Events 13553 and 13516 have been logged in the FRS event log. These events indicate that the membership to the replica set has been established on the computer that is configured for the authoritative restore.
  3. The computer that is configured for the authoritative restore is configured to be authoritative for all the data that you want to replicate to replica set members. This is not the case if you are performing a join on an empty directory. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    266679  (http://support.microsoft.com/kb/266679/ ) Pre-staging the File Replication service replicated files on SYSVOL and Distributed file system shares for optimal synchronization
  4. All other partners in the replica set must be reinitialized with a nonauthoritative restore.
To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type net stop ntfrs.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  7. In the right pane, double-click BurFlags.
  8. In the Edit DWORD Value dialog box, type D4 and then click OK.
  9. Quit Registry Editor, and then switch to the Command box.
  10. In the Command box, type net start ntfrs.
  11. Quit the Command box.
When the FRS service is restarted, the following actions occur:
  • The value for the BurFlags registry key is set back to 0.
  • An event 13566 is logged to signal that an authoritative restore is started.
  • Files in the reinitialized FRS replicated directories remain unchanged and become authoritative for direct replication partners; from there they reach indirect replication partners through transitive replication.
  • The FRS database is rebuilt based on current file inventory.
  • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
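The event sequences described above for both restore modes, as an added example that is not code from the original article: a small Python checker that reads constructed FRS event records and reports whether a restore started by BurFlags (event 13565 for D2, 13566 for D4) was followed by event 13516, and whether a member already shows the 13553 and 13516 events that requirement 2 of the authoritative restore list demands. The log line format, the host names and the function names are assumptions of this example.

```python
"""Check FRS event-log records for the BurFlags restore sequence.

Added example, not code from the original article. It encodes the events
the article describes: 13565 (nonauthoritative restore started after
BurFlags=D2), 13566 (authoritative restore started after BurFlags=D4),
13553 (replica-set membership established) and 13516 (FRS operational).
The log line format and the host names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

EVENT_NONAUTH_STARTED = 13565
EVENT_AUTH_STARTED = 13566
EVENT_MEMBERSHIP_ESTABLISHED = 13553
EVENT_FRS_OPERATIONAL = 13516

RESTORE_MODES = {EVENT_NONAUTH_STARTED: "nonauthoritative",
                 EVENT_AUTH_STARTED: "authoritative"}


@dataclass
class FrsEvent:
    timestamp: str   # ISO 8601 text, so lexical order is chronological order
    computer: str
    event_id: int


def parse_log(text: str) -> List[FrsEvent]:
    """Parse constructed '<timestamp> <computer> <event_id>' lines (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        timestamp, computer, event_id = line.split()
        events.append(FrsEvent(timestamp, computer.upper(), int(event_id)))
    return sorted(events, key=lambda e: e.timestamp)


def restore_outcome(events: List[FrsEvent], computer: str) -> Dict[str, object]:
    """Describe the most recent BurFlags restore on one member.

    A restore counts as complete only if the same member logged event 13516
    after the 13565/13566 that started it (the article's success signal).
    """
    mine = [e for e in events if e.computer == computer.upper()]
    started = [e for e in mine if e.event_id in RESTORE_MODES]
    if not started:
        return {"mode": None, "started_at": None, "complete": False}
    start = started[-1]
    complete = any(e.event_id == EVENT_FRS_OPERATIONAL and e.timestamp > start.timestamp
                   for e in mine)
    return {"mode": RESTORE_MODES[start.event_id],
            "started_at": start.timestamp,
            "complete": complete}


def authoritative_prereqs_missing(events: List[FrsEvent], computer: str) -> List[int]:
    """Event IDs that must already be logged before BurFlags is set to D4."""
    seen = {e.event_id for e in events if e.computer == computer.upper()}
    return [eid for eid in (EVENT_MEMBERSHIP_ESTABLISHED, EVENT_FRS_OPERATIONAL)
            if eid not in seen]


def incomplete_restores(events: List[FrsEvent]) -> List[str]:
    """Members that started a restore but never logged 13516 afterwards."""
    stalled = []
    for computer in sorted({e.computer for e in events}):
        outcome = restore_outcome(events, computer)
        if outcome["mode"] and not outcome["complete"]:
            stalled.append(computer)
    return stalled


# Constructed sample: DC1 completed a D2 restore, DC2 started one and stalled.
SAMPLE_LOG = """
2009-02-27T08:00:10 DC1 13565  # nonauthoritative restore started
2009-02-27T08:02:00 DC1 13553  # replica set membership established
2009-02-27T08:15:30 DC1 13516  # FRS operational
2009-02-27T09:00:00 DC2 13565  # restore started, no 13516 yet
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for dc in ("DC1", "DC2"):
        print(dc, restore_outcome(evs, dc))
    print("stalled restores:", incomplete_restores(evs))
    print("DC2 events missing before D4:", authoritative_prereqs_missing(evs, "DC2"))
```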

Global vs. replica set specific reinitialization

There are both global- and replica set-specific BurFlags registry keys. Setting the global BurFlags registry key reinitializes all replica sets that the member holds. Do this only when the computer holds only one replica set, or when the replica sets that it holds are relatively small.

In contrast to the global BurFlags key, the replica set BurFlags key lets you reinitialize discrete, individual replica sets, leaving healthy replica sets intact.

The global BurFlags registry key is found in the following location in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

This key can contain the same values as those that are discussed earlier in this article for authoritative and nonauthoritative restores.

You can locate the replica set specific BurFlags registry key by determining the GUID for the replica set that you want to configure. To determine which GUID corresponds to which replica set and configure a restore, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type net stop ntfrs.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. To determine the GUID that represents the replica set that you want to configure, follow these steps:
    a. Locate the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets
    b. Below the Replica Sets subkey, there are one or more subkeys that are identified by a GUID. In the left pane, click the GUID, and then in the right pane note the Data that is listed for the Replica Set Root value. This file system path indicates which replica set is represented by this GUID.
    c. Repeat step 6b for each GUID that is listed below the Replica Sets subkey until you locate the replica set that you want to configure. Note the GUID.
  7. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets
  8. Below the Cumulative Replica Sets subkey, locate the GUID you noted in step 6c.
  9. In the right pane, double-click BurFlags.
  10. In the Edit DWORD Value dialog box, type D2 to complete a nonauthoritative restore or type D4 to complete an authoritative restore, and then click OK.
  11. Quit Registry Editor, and then switch to the Command box.
  12. In the Command box, type net start ntfrs.
  13. Quit the Command box.

Considerations before you configure authoritative or nonauthoritative restores of FRS members

If you configure an FRS member to complete an authoritative or nonauthoritative restore by using the BurFlags registry subkey, you do not resolve the issues that initially caused the replication problem. If you cannot determine the cause of the replication difficulties, the members will typically revert to the problematic situation as replication continues.

A detailed breakdown on FRS interdependencies is beyond the scope of this article, but your troubleshooting should include the following actions:
  • Verify that Active Directory replication is successful. Resolve Active Directory replication issues before you perform additional FRS troubleshooting. Use the Repadmin /showreps command to verify that Active Directory replication is occurring successfully. The Repadmin.exe tool is located in the Support\Tools folder on the Windows 2000 CD-ROM.
  • Verify that inbound and outbound Active Directory replication occurs between all domain controllers that host SYSVOL replica sets and between all domain controllers that host computer accounts for servers that participate in DFS replica sets.
  • Verify that FRS member objects, subscriber objects and connection objects exist in the Active Directory for all the computers that participate in FRS replication.
  • Verify that inbound and outbound connection objects exist for all domain controllers in the domain for SYSVOL replica sets.
  • Verify that all the members of DFS replica sets have at least inbound connection objects in a topology to avoid islands of replication.
  • Review the FRS and SYSTEM event logs on direct replication partners that are having difficulty.
  • Review the FRS debug logs in the %SYSTEMROOT%\DEBUG\NTFRS_*.LOG between the direct replication partners that are having replication problems.
For more information about how to troubleshoot, click the following article number to view the article in the Microsoft Knowledge Base:

3 WAN Protocols you should know: HDLC, PPP, and Frame-Relay

What is HDLC?

HDLC stands for High-Level Data Link Control protocol. Like the two other WAN protocols mentioned in this article, HDLC is a Layer 2 protocol (see OSI Model for more information on Layers). HDLC is a simple protocol used to connect point-to-point serial devices. For example, you have a point-to-point leased line connecting two locations in two different cities. HDLC would be the protocol requiring the least amount of configuration to connect these two locations. HDLC would be running over the WAN between the two locations, and each router would de-encapsulate HDLC and drop the traffic off on its LAN.

HDLC performs error correction, just like Ethernet. Cisco's version of HDLC is actually proprietary because they added a protocol type field. Thus, Cisco HDLC can only work with other Cisco devices.

HDLC is actually the default protocol on all Cisco serial interfaces. If you do a show running-config on a Cisco router, your serial interfaces (by default) won't have any encapsulation. This is because they are configured to the default of HDLC. If you do a show interface serial 0/0, you'll see that you are running HDLC. Here is an example:

What is PPP?

You may have heard of the Point to Point Protocol (PPP) because it is used for almost every dial up connection to the Internet. PPP is documented in RFC 1661. PPP is based on HDLC and is very similar. Both work well to connect point to point leased lines.

The differences between PPP and HDLC are:

  • PPP is not proprietary when used on a Cisco router

  • PPP has several sub-protocols that make it function.

  • PPP is feature-rich with dial up networking features

Because PPP has so many dial-up networking features, it has become the most popular dial up networking protocol in use today. Here are some of the dial-up networking features it offers:

  • Link quality management monitors the quality of the dial-up link and how many errors have occurred. It can bring the link down if the link is receiving too many errors.

  • Multilink can bring up multiple PPP dialup links and bond them together to function as one.

  • Authentication is supported with PAP and CHAP. These protocols take your username and password to ensure that you are allowed access to the network you are dialing in to.

To change from HDLC to PPP, on a Cisco router, use the encapsulation ppp command, like this:

After changing the encapsulation to ppp, I typed ppp ? to list the PPP options available. There are many PPP options when compared to HDLC. The list of PPP options in the screenshot is only a partial list of what is available.

What is Frame-Relay?

Frame Relay is a Layer 2 protocol that is commonly sold as a service by carriers. For example, people will say "I ordered a frame-relay circuit". Frame relay creates a private network through a carrier's network. This is done with permanent virtual circuits (PVCs). A PVC is a connection from one site to another site through the carrier's network. This is really just a configuration entry that a carrier makes on its frame relay switches.

Obtaining a frame-relay circuit is done by ordering a T1 or fractional T1 from the carrier. On top of that, you order a frame-relay port, matching the size of the circuit you ordered. Finally, you order a PVC that connects your frame relay port to another of your ports inside the network.

The benefits to frame-relay are:

  • Ability to have a single circuit that connects to the "frame relay cloud" and gain access to all other sites (as long as you have PVCs). As the number of locations grows, you would save more and more money because you don't need as many circuits as you would if you were trying to fully mesh your network with point to point leased lines.

  • Improved disaster recovery because all you have to do is order a single circuit to the cloud and PVCs to gain access to all remote sites.

  • By using the PVCs, you can design your WAN however you want. Meaning, you define what sites have direct connections to other sites and you only pay the small monthly PVC fee for each connection.

Some other terms you should know, concerning frame relay are:

  • LMI = local management interface. LMI is the management protocol of frame relay. LMI is sent between the frame relay switches and routers to communicate what DLCIs are available and if there is congestion in the network.

  • DLCI = data link connection identifier. This is a number used to identify each PVC in the frame relay network.

  • CIR = committed information rate. This is the amount of bandwidth you pay for, and are guaranteed to receive, on each PVC. Generally you have much less CIR than you have port speed. You can, of course, burst above your CIR up to your port speed, but that traffic is marked DE.

  • DE = discard eligible. Traffic marked DE (that was above your CIR) CAN be discarded by the frame-relay network if there is congestion.

  • FECN & BECN = forward explicit congestion notification & backward explicit congestion notification. These are bits set inside LMI packets to alert the frame-relay devices that there is congestion in the network.

Backup Windows Server 2003 Active Directory

To ensure your ability to actually use this backup, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days (for Windows 2000/2003 DCs), or 180 days (for Active Directory based upon Windows Server 2003 SP1 DCs).

Note: Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected DC beyond the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. Read my "Changing the Tombstone Lifetime Attribute in Active Directory" article for more info on that.

Any backup older than 60/180 days is not a good backup and cannot be used to restore any DC. You do not need to back up the System State of all your DCs; usually backing up the first DC in the Forest plus the first DC in each domain is enough for most scenarios.

Purpose of Performing Regular Backups

You need a current, verified, and reliable backup to:

  • Restore Active Directory data that becomes lost. By using an authoritative restore process, you can restore individual objects or sets of objects (containers or directory partitions) from their deleted state. Read my "Recovering Deleted Items in Active Directory" article for more info on that.
  • Recover a DC that cannot start up or operate normally because of software failure or hardware failure.
  • Install Active Directory from backup media (using the dcpromo /adv command). Read my "Install DC from Media in Windows Server 2003" article for more info on that.
  • Perform a forest recovery if forest-wide failure occurs.

All these are reasons to have good working and reliable backups.

Note: One of the Active Directory features that was introduced in Windows Server 2003 with Service Pack 1 was the Directory Service Backup Reminders. With this reminder, a new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores. This includes application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.

Note: You can only back up the System State data on a local computer. You cannot back up the System State data on a remote computer.

Method #1: Using NTBACKUP

  1. Open NTBACKUP either by going to Run, typing NTBACKUP and pressing Enter, or by going to Start -> Accessories -> System Tools.

  2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode link.

  3. Inside NTBACKUP's main window, click on the Backup tab.

  4. Click to select the System State checkbox. Note that you cannot manually select components of the System State backup; it's all or nothing.

  5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP recognizes it and is properly configured to use it.

  6. Press Start Backup.

  7. The Backup Job Information dialog appears, allowing you to configure a scheduled backup job and other settings. For the System State backup, do not change any of the other settings except the schedule, if so desired. When done, press Start Backup.

  8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.

  9. When the backup is complete, review the output and close NTBACKUP.

    Next, you need to properly label and secure the backup file/tape and, if possible, store a copy of it in a remote and secure location.

Method #2: Using the Command Prompt

You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.

For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

For Microsoft's official documentation on Active Directory backups, see: Active Directory Operations Guide - Active Directory Backup and Restore



Determining FSMO Role Holders

 
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

The five FSMO roles are:

  • Schema master - Forest-wide and one per forest.

  • Domain naming master - Forest-wide and one per forest.

  • RID master - Domain-specific and one for each domain.

  • PDC - PDC Emulator is domain-specific and one for each domain.

  • Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. The transferring method is described in the Transferring FSMO Roles article, while seizing the roles from a non-operational DC to a different DC is described in the Seizing FSMO Roles article.

In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must know exactly which of the existing DCs holds a FSMO role, and which role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shutdown of any given DC, and be better prepared in case of an unscheduled outage of one of the DCs.

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. This article will list a few of the available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming    One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID              One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator     One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Infrastructure   One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role        Which snap-in should I use?
Schema           Schema snap-in
Domain Naming    AD Domains and Trusts snap-in
RID              AD Users and Computers snap-in
PDC Emulator     AD Users and Computers snap-in
Infrastructure   AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.

  2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.

  3. Select the appropriate tab for the role you wish to view.

  4. When you're done click Close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.

  2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.

  3. When you're done click Close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

  2. Press OK. You should receive a success confirmation.

  3. From the Run command open an MMC Console by typing MMC.

  4. On the Console menu, press Add/Remove Snap-in.

  5. Press Add. Select Active Directory Schema.

  6. Press Add and press Close. Press OK.

  7. Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters.

  8. Press the Close button.

Method #3: Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

  2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

  6. At the fsmo maintenance: prompt, type Select operation target, and then press ENTER again.

fsmo maintenance: Select operation target
select operation target:

  7. At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

  8. Type q 3 times to exit the Ntdsutil prompt.

Note: You can download THIS nice batch file that will do all this for you (1kb).

Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000 Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools). This tool is basically a one-click Ntdsutil script that performs the same operation described above.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.

Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (from here: Download Free Windows 2000 Resource Kit Tools) or obtain the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).

  1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.

  2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).

C:\WINDOWS>netdom query /domain:dpetri fsmo
Schema owner                server100.dpetri.net
Domain role owner           server100.dpetri.net
PDC role                    server100.dpetri.net
RID pool manager            server100.dpetri.net
Infrastructure owner        server100.dpetri.net

The command completed successfully.

  3. Close the CMD window.

Note: You can download THIS nice batch file that will do all this for you (1kb).
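The two text outputs above (Method #3's ntdsutil listing and Method #4's netdom query) are easy to capture but tedious to compare by eye across many DCs. As an added example that is not code from the original article, this Python snippet parses both formats into role-to-holder maps and reports any role that is missing or that the two tools attribute to different servers. The sample output is reconstructed from the article's own dpetri.net transcripts; the "stale" second ntdsutil sample and the helper names are this example's own constructions.

```python
"""Parse FSMO role-holder output from ntdsutil and netdom and cross-check it.

Added example, not code from the original article. The sample output is
reconstructed from the article's Method #3 and #4 transcripts (domain
dpetri.net, holder server100); the divergent second ntdsutil sample and
the helper names are constructed for this example.
"""
import re
from typing import Dict, List

ALL_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# Labels printed by 'netdom query /domain:<domain> fsmo', mapped to role names.
NETDOM_LABELS = {
    "Schema owner": "Schema",
    "Domain role owner": "Domain",
    "PDC role": "PDC",
    "RID pool manager": "RID",
    "Infrastructure owner": "Infrastructure",
}

# 'List roles for connected server' prints '<Role> - CN=NTDS Settings,CN=<server>,...'
_NTDSUTIL_LINE = re.compile(r"^(\w+) - CN=NTDS Settings,CN=([^,]+),")


def parse_netdom(output: str) -> Dict[str, str]:
    """Map role name -> holder FQDN (lower-cased) from netdom output."""
    holders = {}
    for line in output.splitlines():
        line = line.strip()
        for label, role in NETDOM_LABELS.items():
            if line.startswith(label):
                holders[role] = line[len(label):].strip().lower()
                break
    return holders


def parse_ntdsutil(output: str) -> Dict[str, str]:
    """Map role name -> holder server name (lower-cased) from ntdsutil output.

    The holder is the CN under which the NTDS Settings object sits, i.e. the
    server's name in the Sites container, so no DNS suffix is available here.
    """
    holders = {}
    for line in output.splitlines():
        match = _NTDSUTIL_LINE.match(line.strip())
        if match and match.group(1) in ALL_ROLES:
            holders[match.group(1)] = match.group(2).lower()
    return holders


def missing_roles(holders: Dict[str, str]) -> List[str]:
    """Roles a tool failed to report; all five should always resolve."""
    return [role for role in ALL_ROLES if role not in holders]


def compare_views(netdom_holders: Dict[str, str],
                  ntdsutil_holders: Dict[str, str]) -> List[str]:
    """Report roles where the two tools disagree, comparing the host label only."""
    problems = []
    for role in ALL_ROLES:
        fqdn = netdom_holders.get(role)
        name = ntdsutil_holders.get(role)
        if fqdn is None or name is None:
            missing_from = "netdom" if fqdn is None else "ntdsutil"
            problems.append(f"{role}: not reported by {missing_from}")
        elif fqdn.split(".")[0] != name:
            problems.append(f"{role}: netdom says {fqdn}, ntdsutil says {name}")
    return problems


NETDOM_SAMPLE = """\
C:\\WINDOWS>netdom query /domain:dpetri fsmo
Schema owner                server100.dpetri.net
Domain role owner           server100.dpetri.net
PDC role                    server100.dpetri.net
RID pool manager            server100.dpetri.net
Infrastructure owner        server100.dpetri.net
The command completed successfully.
"""

_DN_TAIL = ",CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net"
NTDSUTIL_SAMPLE = "\n".join(
    ["select operation target: List roles for connected server",
     'Server "server100" knows about 5 roles']
    + [f"{role} - CN=NTDS Settings,CN=SERVER100{_DN_TAIL}" for role in ALL_ROLES])

# Constructed: a DC whose view of the Infrastructure master has not converged.
NTDSUTIL_STALE = NTDSUTIL_SAMPLE.replace(
    "Infrastructure - CN=NTDS Settings,CN=SERVER100",
    "Infrastructure - CN=NTDS Settings,CN=SERVER200")

if __name__ == "__main__":
    print(compare_views(parse_netdom(NETDOM_SAMPLE), parse_ntdsutil(NTDSUTIL_SAMPLE)))
    print(compare_views(parse_netdom(NETDOM_SAMPLE), parse_ntdsutil(NTDSUTIL_STALE)))
```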

Method #5: Use the Replmon tool

The FSMO role holders can be easily found by use of the Replmon tool.

Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide variety of tasks, mostly those related to AD replication. But Replmon can also provide valuable information about the AD, about any DC, and about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.

  1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK.

  2. Right-click Monitored servers and select Add Monitored Server.

  3. In the Add Server to Monitor window, select Search the Directory for the server to add. Make sure your AD domain name is listed in the drop-down list.

  4. In the site list select your site, expand it, and click to select the server you want to query. Click Finish.

  5. Right-click the server that is now listed in the left pane, and select Properties.

  6. Click on the FSMO Roles tab and read the results.

  7. Click Ok when you're done.



Unattended Installation of Active Directory


You can automatically run DCPROMO during an unattended installation. Enter the command

dcpromo /answer:%path_to_answer_file% 

You'll see a dialog box that says DCPROMO is running in unattended mode. Then, the machine will reboot.

You can also add DCPROMO to the unattended file that's used to install your server.

The Microsoft Windows 2000 Resource Kit details the DCInstall section's parameters in the file Unattend.doc:

Value                  Explanation

AdministratorPassword  The new password for the domain Administrator account
AutoConfigDNS          Specifies whether the wizard should configure DNS
ChildName              Name of the child part of the domain
CreateOrJoin           Specifies whether the domain will join an existing forest or create a new one
DatabasePath           Location for the Active Directory database
DNSOnNetwork           Used when a new forest of domains is installed and no DNS client is configured on the computer
DomainNetBiosName      NetBIOS name for the domain
IsLastDCInDomain       Only valid when demoting an existing domain controller to a member server
LogPath                Path for the Directory Service (DS) logs
NewDomainDNSName       Name of the new tree or, when a new forest is created, of the new domain
ParentDomainDNSName    Specifies the name of the parent domain
Password               Password for the username used to promote the server
RebootOnSuccess        Specifies whether an automatic reboot should be performed
ReplicaDomainDNSName   Name of the domain to be replicated from
ReplicaOrMember        Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain     Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
SiteName               Name of the site (Default-First-Site by default)
SysVolPath             Path of SYSVOL
TreeOrChild            Specifies whether the entry is a new tree or a child of an existing domain
UserDomain             Domain for the user being used in promotion
UserName               Name of the user performing the upgrade

Because the DCPROMO process occurs after setup, the created answer file must be called $winnt$.inf and copied to the \system32 folder. You need to add the following text to the GUIRunOnce section of the unattended Setup answer file:

[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

After the DCPROMO process completes, DCPROMO removes password information from the $winnt$.inf file. To make this process easier because the RunOnce command doesn't execute until someone logs on to the computer, you can add the following text to the unattended answer file.

[GUIUnattended]
Autologon = yes        ; automatically logs on the administrator account
AutoLogoncount = n     ; number of times to perform auto-admin logon

Don't use items such as %systemroot% or %windir%, because the unattended installation process doesn't understand them.

You can just create a DCInstall section directly in your unattend.txt file to avoid having multiple unattended setup files. Enter text such as the following:

[DCInstall]
AdministratorPassword = password
CreateOrJoin = Create
DomainNetBiosName = dpetri
NewDomainDNSName = dpetri.net
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "Lab"
TreeOrChild = Tree

My example script would create a new forest with the domain dpetri.net at the top and the new domain controller in the site Lab. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account password would be password.
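The following PowerShell script is an added example, not code from the original article: it writes the [DCInstall] section above to $winnt$.inf, restricts the file to SYSTEM and Administrators while dcpromo needs it, and checks afterwards that the plaintext password lines are gone before deleting the file. It assumes Windows PowerShell 3.0 or later in an elevated session on the server being promoted, icacls.exe and dcpromo.exe on the path, and that dcpromo.exe returns exit code 0 on success; the values are the article's lab values.

```powershell
# Added example, not code from the original article.
# Assumptions: Windows PowerShell 3.0+, elevated session on the server being
# promoted, icacls.exe and dcpromo.exe on the path, dcpromo exit code 0 = success.

$AnswerFile = Join-Path $env:SystemRoot 'system32\$winnt$.inf'

# The article's sample [DCInstall] values. RebootOnSuccess is set to No so that
# the password check below runs before the reboot.
$DcInstall = [ordered]@{
    AdministratorPassword = 'password'      # sample value from the article
    CreateOrJoin          = 'Create'
    DomainNetBiosName     = 'dpetri'
    NewDomainDNSName      = 'dpetri.net'
    RebootOnSuccess       = 'No'
    ReplicaOrNewDomain    = 'Domain'
    SiteName              = 'Lab'
    TreeOrChild           = 'Tree'
}

function Write-DcInstallAnswerFile {
    param([string]$Path, [System.Collections.IDictionary]$Settings)

    $lines = @('[DCInstall]')
    foreach ($key in $Settings.Keys) {
        $lines += '{0} = {1}' -f $key, $Settings[$key]
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii

    # The file holds plaintext passwords: drop inherited ACEs and grant access
    # only to SYSTEM and Administrators until dcpromo has consumed it.
    & icacls.exe $Path /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
}

function Test-AnswerFilePasswordsScrubbed {
    param([string]$Path)
    # dcpromo removes the password entries when it finishes (see above); this
    # returns $true only if neither AdministratorPassword nor Password is left.
    $leftover = Select-String -Path $Path -Pattern '^\s*(AdministratorPassword|Password)\s*='
    return ($null -eq $leftover)
}

Write-DcInstallAnswerFile -Path $AnswerFile -Settings $DcInstall
$proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:$AnswerFile" -Wait -PassThru

if (-not (Test-AnswerFilePasswordsScrubbed -Path $AnswerFile)) {
    Write-Warning "Password entries are still present in $AnswerFile."
}
Remove-Item -Path $AnswerFile -Force    # nothing in the file is needed after promotion

if ($proc.ExitCode -eq 0) {
    Restart-Computer -Force             # RebootOnSuccess was No, so reboot here
} else {
    Write-Warning "dcpromo exited with code $($proc.ExitCode); check the DCPromo log."
}
```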


Seizing FSMO Roles


Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

The five FSMO roles are:

  • Schema master - Forest-wide and one per forest.

  • Domain naming master - Forest-wide and one per forest.

  • RID master - Domain-specific and one for each domain.

  • PDC - PDC Emulator is domain-specific and one for each domain.

  • Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. None of the FSMO roles are immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem for them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back online, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary, when the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role        Loss implications

Schema           The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.

Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.

RID              Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.

PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.

Infrastructure   Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:

FSMO Role        Restrictions

Schema           Original must be reinstalled
Domain Naming    Original must be reinstalled
RID              Original must be reinstalled
PDC Emulator     Can transfer back to original
Infrastructure   Can transfer back to original

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role        Administrator must be a member of

Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

  2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

  6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

  7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

  8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

  9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.


Transferring FSMO Roles


Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.

The transfer of an FSMO role is the suggested way of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the operating system never initiates a transfer by itself, for example when a server is shut down. FSMO roles are not automatically relocated during the shutdown process - this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in

  • Active Directory Domains and Trusts snap-in

  • Active Directory Users and Computers snap-in

To transfer the FSMO role the administrator must be a member of the following group:

FSMO Role        Administrator must be a member of

Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.

  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.

  3. Select the domain controller that will be the new role holder, the target, and press OK.

  4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.

  5. Select the appropriate tab for the role you wish to transfer and press the Change button.

  6. Press OK to confirm the change.

  7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To Transfer the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.

  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.

  3. Select the domain controller that will be the new role holder and press OK.

  4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.

  5. Press the Change button.

  6. Press OK to confirm the change.

  7. Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

  2. Press OK. You should receive a success confirmation.

  3. From the Run command open an MMC Console by typing MMC.

  4. On the Console menu, press Add/Remove Snap-in.

  5. Press Add. Select Active Directory Schema.

  6. Press Add and press Close. Press OK.

  7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

  8. Press Specify... and type the name of the new role holder. Press OK.

  9. Right-click the Active Directory Schema icon again and press Operation Masters.

  10. Press the Change button.

  11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

  2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

  6. Type transfer <role>, where <role> is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid master:

Options are:

Transfer domain naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master

  7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.

  8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.

  9. Restart the server and make sure you update your backup.



Working with Group Policy


Group Policy is one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:

  1. Configure user's desktops

  2. Configure local security on computers

  3. Install applications

  4. Run start-up/shut-down or logon/logoff scripts

  5. Configure Internet Explorer settings

  6. Redirect special folders

In fact, you can configure any aspect of the computer's behavior with it. Although it is a cool toy, working with it without proper attention can cause unexpected behavior.

Terms

Here are some basic terms you need to be familiar with before drilling down into Group Policy:

Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add the "Group Policy Object Editor" snap-in to MMC. Local policies also exist in the Active Directory environment, but have many fewer configuration options than the full-fledged Group Policy in AD.

GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO – Group Policy Object - at the site level, domain level or OU level.

GPC – Group Policy Container - The GPC is the store of the GPOs: it is where the GPO keeps all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or Site. The GPOs are replicated among the Domain Controllers of the Domain through Active Directory replication.

GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.

Netlogon share - A share located only on Domain Controllers that contains GPOs, scripts and .POL files for Windows NT/98 policy. The Netlogon share replicates among all DCs in the Domain, and is accessible read-only to the Everyone group and with Full Control to the Domain Admins group. The Netlogon share's real location is:

C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS

When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it.

To see what DC the computer used when it booted, you can go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.

GPO behavior

Group Policy is processed in the following order:

Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO

and so on.

GPOs inherited from the Active Directory are always stronger than local policy. A Site policy is overridden by Domain policy, and Domain policy is overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger than the previous one.

The rule is simple: the closer a GPO is linked to the object being configured, the stronger it is.

What does "stronger" mean? If you configure a GPO and link it to the "Organization" OU, and in it you allow printer installation, and then at the "Dallas" OU you configure another GPO that does not allow printer installation, then the Dallas GPO is more powerful and the computers in it will not allow installation of printers.

The example above applies when different GPOs contain the same setting configured with opposite values. When you apply a couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.

Group Policy sections

Each GPO is built from 2 sections:

  • Computer configuration contains the settings that configure the computer before the user logs on.

  • User configuration contains the settings that configure the user after the logon. You cannot choose to apply the settings to a single user; all users, including the administrator, are affected by the settings.

Within these two sections you can find more sub-folders:

  • Software settings and Windows settings, under both the computer and the user section, are settings that configure local DLL files on the machine.

  • Administrative templates are settings that configure the local registry of the machine. You can add more options to Administrative Templates by right-clicking it and choosing .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.

You can download .ADM files for the Microsoft operating systems

Tools used to configure GPO

You can configure GPOs with this set of tools from Microsoft (other 3rd-party tools exist but we will discuss those in a different article):

  1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the Run command.

  2. Active Directory Users and Computers snap in - or dsa.msc – to invoke the Group Policy tab on every OU or on the Domain.

  3. Active Directory Sites and Services - or dssite.msc – to invoke the Group Policy tab on a site.

  4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows 2003 server and needs to be separately installed. You can download it from HERE

Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.

GPMC utility - Creating a GPO

When you create a GPO it is stored in the GPO container. After creation you should link the GPO to an OU that you choose.

Linking a GPO

To link a GPO simply right-click an OU and choose Link an existing GPO, or you can create and link a GPO at the same time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate Site, Domain or OU.

When you right-click a link you can:

Edit a GPO - This will open the GPO window so you can configure settings.

Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.

Enabling/disabling computer or user settings

A GPO has both computer and user settings, but if you create a GPO that contains only computer settings, you might want to disable the user settings in that GPO. This reduces the amount of settings replicated and can also be used for testing.

To disable one of the configurations simply choose the GPO link and go to Details tab:

How do I know what are the settings in a GPO?

Prior to GPMC, an administrator who wanted to find out which of the hundreds of settings in a GPO were actually configured had to open each GPO and manually comb through every node of the GPO sections. Now, with GPMC, you can simply see the configuration of any GPO by selecting that GPO and going to the Settings tab. There you can use the drop-down menus to see computer or user settings.

Block/Enforce inheritance

You can block policy inheritance to an OU if you don't want the settings from upper GPOs to configure your OU.

To block GPO inheritance, simply right click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs.

In case you need one of the upper GPOs to configure all downstream OUs and overcome Block Inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and should rarely be used.

You can see in this example that when you look at Computers OU, three different GPOs are inherited to it.

In this example you can see that choosing "Block inheritance" will reject all upper GPOs.

Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.

Link order

When linking more than one GPO to an OU, there could be a problem when two or more GPOs contain the same setting with opposite configurations; for example, GPO1 allows printer installation among other settings, while GPO2 is configured to prevent printer installation among other settings. Because the two GPOs are at the same level, the link order decides, and it can be changed.

The GPO with the lowest link order is processed last, and therefore has the highest precedence.
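As an added example (not from the original article), the following PowerShell script models the precedence rules described above, Local > Site > Domain > OU, link order, Block Inheritance and Enforce, and reports the winning GPO for each setting; the container names, GPO names and settings are constructed for the example, and the function is a model, not the real Group Policy engine. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the original article: a model of the GPO
# precedence rules, not the real Group Policy engine. Container names, GPO
# names and settings are constructed for the example. Assumes PowerShell 3.0+.

function New-GpoLink($Gpo, $Order, $Enforced, $Settings) {
    @{ Gpo = $Gpo; Order = $Order; Enforced = $Enforced; Settings = $Settings }
}

# Containers from local policy down to the computer's own OU, in inheritance order.
$Hierarchy = @(
    @{ Name = 'Local';                   Block = $false; Links = @(
        (New-GpoLink 'Local Group Policy'    1 $false @{ PrinterInstall = 'Allowed'; ScreenSaver = 'Off' })) }
    @{ Name = 'Site: Lab';               Block = $false; Links = @(
        (New-GpoLink 'Lab Site GPO'          1 $false @{ ScreenSaver = 'On' })) }
    @{ Name = 'Domain: dpetri.net';      Block = $false; Links = @(
        (New-GpoLink 'Default Domain Policy' 1 $true  @{ MinPasswordLength = 12 }),
        (New-GpoLink 'Domain Printers'       2 $false @{ PrinterInstall = 'Allowed' })) }
    @{ Name = 'OU: Organization';        Block = $false; Links = @(
        (New-GpoLink 'Organization GPO'      1 $false @{ PrinterInstall = 'Allowed'; MinPasswordLength = 8 })) }
    @{ Name = 'OU: Organization/Dallas'; Block = $true;  Links = @(
        (New-GpoLink 'Dallas GPO1'           1 $false @{ PrinterInstall = 'Denied' }),
        (New-GpoLink 'Dallas GPO2'           2 $false @{ PrinterInstall = 'Allowed' })) }
)

function Resolve-GpoPrecedence {
    param([object[]]$Hierarchy)

    # The lowest container with Block Inheritance wins; non-enforced links from
    # containers above it are dropped. Local policy is never blocked.
    $blockAt = -1
    for ($i = 0; $i -lt $Hierarchy.Count; $i++) {
        if ($Hierarchy[$i].Block) { $blockAt = $i }
    }

    $normal   = @()   # applied in Local > Site > Domain > OU > child OU order
    $enforced = @()   # applied after everything else, top-most container last
    for ($i = 0; $i -lt $Hierarchy.Count; $i++) {
        $container = $Hierarchy[$i]
        # Within one container the link with the lowest link order is processed
        # last (highest precedence), so apply links in descending link order.
        $links = @($container.Links | Sort-Object { $_.Order } -Descending)
        foreach ($link in $links) {
            if ($link.Enforced) { continue }
            if ($i -lt $blockAt -and $container.Name -ne 'Local') { continue }   # blocked
            $normal += ,$link
        }
        # Prepend this container's enforced links: enforced links from containers
        # higher up end up later in the list and therefore win.
        $enforced = @($links | Where-Object { $_.Enforced }) + $enforced
    }

    # Later-applied links overwrite earlier ones for the same setting.
    $winner = @{}
    foreach ($link in ($normal + $enforced)) {
        foreach ($setting in $link.Settings.Keys) {
            $winner[$setting] = @{ Value = $link.Settings[$setting]; Gpo = $link.Gpo }
        }
    }
    foreach ($setting in ($winner.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $setting; Value = $winner[$setting].Value; WinningGpo = $winner[$setting].Gpo }
    }
}

# With Block Inheritance on Dallas: only local policy, the Dallas links and the
# enforced Default Domain Policy apply; Dallas GPO1 beats GPO2 on link order.
"--- With Block Inheritance on the Dallas OU ---"
Resolve-GpoPrecedence -Hierarchy $Hierarchy | Format-Table -AutoSize

# Without it: the site screen-saver setting now applies, and the enforced
# domain password length still beats the Organization OU's value of 8.
$Hierarchy[4].Block = $false
"--- Without Block Inheritance ---"
Resolve-GpoPrecedence -Hierarchy $Hierarchy | Format-Table -AutoSize
```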

Security Filtering

Filtering lets you choose the users, groups or computers that the GPO will apply to. If you configured the "Computers" OU with a GPO but you only want to configure Win XP stations with that GPO and exclude Win 2000 stations, you can easily create a group of Win XP computers and apply the GPO only to that group.

This option saves you from creating a complicated OU tree with each type of computer in it.

A user or a group that you configure in the filtering field has by default the "Read" and "Apply" permissions. By default, when you create a GPO link, you can see that "Authenticated Users" is listed.

In the above example, Office 2K3 will be installed on all computers that are part of the two listed groups.

If we still were using Authenticated users, the installation of the Office suite could have followed the user to any computer that he logs onto, like servers or other machines. Using filtering narrows the installation options.

If you want to configure these permissions at a finer level, you can go to the Delegation tab and see the permissions. Going to the Advanced tab will let you configure the ACL permissions at the finest level.

How the GPO is updated on the computers

A GPO inherited from AD is refreshed on the computers in several ways:

  1. Logon to computer (If the settings are of "user settings" in GPO)

  2. Restart of the computer (If the settings are of "computer settings" in GPO)

  3. Every 60 to 90 minutes, the computers query their DC for updates.

  4. Manually by using gpupdate command. You can add the /force switch to force all settings and not only the delta.

Note: Windows 2000 doesn't support the Gpupdate command, so you need to run a different command instead:

Secedit /refreshpolicy machine_policy

for computer settings.

Secedit /refreshpolicy user_policy

for user settings.

In both commands you can use the /enforce switch, which is similar to /force in gpupdate.

If a configuration change requires a logoff or a restart, a message will appear:

You can force logoff or reboot using gpupdate switches.

How to check that the GPO was deployed

To be sure that a GPO was deployed correctly, you can use several methods. The result is called the RSoP – Resultant Set of Policy.

  1. Use gpresult command in the command prompt.

The default result is for the user logged on to that machine. You can also check the results for other users on that machine. If you use the /v or /z switches you will get very detailed information.

You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 04/24/2005

RSOP results for XPPRO\Administrator on XPPRO: Logging Mode
-------------------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 NWTRADERS
Domain Type:                 WindowsNT 4
Site Name:                   N/A
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No

COMPUTER SETTINGS
-------------------------
    Last time Group Policy was applied: 04/24/2005
    Group Policy was applied from:      london.nwtraders.msft
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    --------------------------------
        Default Domain Policy
        Raanana WSUS Updates
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    ----------------------------------------------------------------------------
        Raanana XP SP2 Behavior
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
    Last time Group Policy was applied: 04/24/2005
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    --------------------------------
        Local Group Policy

    The user is a part of the following security groups:
    ----------------------------------------------------
        Everyone, BUILTIN\Administrators, Remote Desktop Users, BUILTIN\Users, LOCAL, NT AUTHORITY\INTERACTIVE, NT AUTHORITY\Authenticated Users

  2. Resultant Set of Policy snap-in in MMC.

The snap-in has two modes:

Logging mode which tells you what are the real settings that were deployed on the machine

Planning mode which tells you what will be the results if you choose some options.

This option is not so convenient because you need to browse through the RSoP data to find the settings.

  3. Group Policy Results in GPMC.

This is the most convenient option, letting you check the RSoP data for every computer or user from a central location. This option also displays a summary of the RSoP and the detailed RSoP data in HTML format.

In the example above you can see the summary of applied and non-applied GPOs for both computer and user settings.

When looking at the Settings tab, we can see which settings were applied on the computer and which "Winning GPO" actually configured the computer with each particular setting.



Planning FSMO Roles in Active Directory


Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

Single Domain Forest

In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.

You should also configure all the domain controllers as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.

Multiple Domain Forest

In a multiple domain forest, use the following guidelines:

  • In the forest root domain:

    • If all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest.

    • If all domain controllers are not also global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.

  • In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC, then you have no choice but to leave it in place).

Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following actions:

  • The standby operations master should not be a global catalog server except in a single domain environment, where all domain controllers are also global catalog servers.

  • The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.

  • Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.

To create a connection object on the current operations master:

  1. In Active Directory Sites and Services snap-in, in the console tree in the left pane, expand the Sites folder to see the list of available sites.

  2. Expand the site name in which the current role holder is located to display the Servers folder.

  3. Expand the Servers folder to see a list of the servers in that site.

  4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.

  5. Right-click NTDS Settings, click New, and then click Connection.

  6. In the Find Domain Controllers dialog box, select the name of the standby operations master, and then click OK.

  7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name and click OK.

To create a connection object on the standby operations master perform the same procedure as above, and point the connection to the current FSMO role holder.

Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional level of Windows 2000 native, you must locate the domain naming master on a server that hosts the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not necessary for the domain naming master to be on a global catalog server.
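The placement rules above can be audited rather than checked by hand. The following is an added example, not the article's own procedure: it uses the ActiveDirectory PowerShell module (which ships with Windows Server 2008 R2 and later, so it needs RSAT and read access to the forest), and Test-FsmoPlacement is a name chosen here.

```powershell
# Added example: audit FSMO placement against the guidelines in the article.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $findings = @()
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        # Single domain forest: every DC should be a GC.
        if ($forest.Domains.Count -eq 1 -and -not $allGc) {
            $findings += "${domainName}: single-domain forest, but not every DC is a GC"
        }
        $roles = @{ PDCEmulator          = $domain.PDCEmulator
                    RIDMaster            = $domain.RIDMaster
                    InfrastructureMaster = $domain.InfrastructureMaster }
        if ($domainName -eq $forest.RootDomain) {
            $roles.SchemaMaster       = $forest.SchemaMaster
            $roles.DomainNamingMaster = $forest.DomainNamingMaster
        }
        foreach ($role in $roles.Keys) {
            $holder = $dcs | Where-Object { $_.HostName -eq $roles[$role] }
            if (-not $holder) { $findings += "${domainName}: cannot find $role holder $($roles[$role])"; continue }
            # Windows 2000 forest functional level: the domain naming master must be a GC.
            if ($role -eq 'DomainNamingMaster' -and $forest.ForestMode -eq 'Windows2000Forest') {
                if (-not $holder.IsGlobalCatalog) { $findings += "${domainName}: domain naming master $($holder.HostName) is not a GC" }
                continue
            }
            # Multiple domain forest: role holders should not be GCs unless every DC in the domain is one.
            if ($forest.Domains.Count -gt 1 -and $holder.IsGlobalCatalog -and -not $allGc) {
                $findings += "${domainName}: $role holder $($holder.HostName) is a GC while other DCs in the domain are not"
            }
        }
    }
    if ($findings) { $findings } else { 'FSMO placement follows the guidelines.' }
}

Test-FsmoPlacement
```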

Server performance and availability

Most FSMO roles require that the domain controller that holds the roles be:

Highly available server - FSMO functions require that the FSMO role holder is highly available at all times. A highly available DC is one that uses computer hardware that enables it to remain operational even during a hardware failure. For example, having a RAID1 or RAID5 configuration enables the server to keep running even if one hard disk fails.

Although most FSMO losses can be dealt with within a matter of hours (or even days in some cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than a few minutes at a time.

What will happen if you keep a FSMO role offline for a long period of time? The loss implications of each FSMO role are:

Schema - The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.

Domain Naming - Unless you are going to run DCPROMO, you will not miss this FSMO role.

RID - Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're creating hundreds of user or computer objects per week.

PDC Emulator - Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.

Infrastructure - Group memberships may be incomplete. If you only have one domain, there will be no impact.

Not necessarily high capacity server - A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional work load of holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth. FSMO roles usually do not place stress on the server's hardware.

One exception is the performance of the PDC Emulator, mainly when used in Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:

  • Increase the DC's processing power.

  • Do not make the DC a global catalog server.

  • Reduce the priority and the weight of the service (SRV) record in DNS to give preference for authentication to other domain controllers in the site.

  • Do not require that the standby domain controller be a direct replication partner (Seizing the PDC emulator role does not result in lost data, so there is no need to reduce replication latency for a seize operation).

  • Centrally locate this DC near the majority of the domain users.



Windows 2000 Domain Rename

You can rename a Windows 2000 Server AD Domain only if it's still configured as a Mixed mode domain.

Note: Windows Server 2003 AD Domains CAN be renamed (see Windows 2003 Domain Rename page for more info).

MS KB 292541 has more info:

Although you can rename a Windows 2000 domain in some situations that are described in this article, Microsoft highly recommends that you decide on the Fully Qualified Domain Name (FQDN) for DNS before you actually create a new domain or before you upgrade the domain from Windows NT 4.0 to Windows 2000. After you create the domain, you cannot rename a Windows 2000 domain controller. Renaming the domain involves a considerable amount of work, and it is only possible in a scenario that meets the following conditions:

  1. You have to keep the Windows 2000 domain in Mixed mode. After you change it to Native mode, you cannot return the domain to Mixed mode, thereby rendering renaming impossible. To determine the mode in which the domain is currently running, expand Active Directory Users and Computers, right-click the domain name, and then click Properties. The mode appears in the Domain operation mode dialog box.

  2. Because the domain is in Mixed mode, it must also either have one or more existing Windows NT 4.0 backup domain controllers (BDCs), or computers that are available to use as Windows NT 4.0 BDCs.

Because you must demote all existing Windows 2000 domain controllers to member servers before you rename the domain controller, review the following information in terms of logistics:

  • The renaming can only take place after you revert the domain back to Windows NT 4.0, and then during the upgrade to Windows 2000, after you have renamed it with the desired DNS (FQDN) name. The NetBIOS domain name remains the same.

  • If you have created one or more child domains, you have to revert the child domains back to Windows NT 4.0 first, and then revert the parent domain. Next, you rename the parent when you upgrade it to Windows 2000, and then you bring the child domain up again when you upgrade it to Windows 2000. The amount of time that this process requires depends on the number of Windows 2000 domain controllers that are in the domain, in addition to their physical location.

If your scenario meets the conditions listed in the "Summary" section of this article, you can use the following steps to rename the Windows 2000 domain. These steps involve a single domain situation. If a child domain exists:

  1. Complete the same steps to revert the domain back to Windows NT 4.0 on the child domain first, and then you stop after you complete step 6.

  2. Complete steps 1 through 8 on the parent domain.

  3. After you revert the parent domain back to Windows NT 4.0, and then upgrade it back to Windows 2000 with the desired name, you can complete the final upgrade steps to Windows 2000 on the former child domain, during which you make it a Windows 2000 child domain again.

To Rename a Windows 2000 Domain

  1. Create a backup of any and/or all domain controllers that may be involved in this process.

  2. If there are no existing Windows NT 4.0 BDCs in the Windows 2000 domain, then you have to install one that is preferably running service pack 6 or 6a. If you want, you can install a second BDC and then physically remove it from the domain to serve as a backup for the domain information as it contains all of the domain user accounts, and the Security Accounts Manager (SAM) and security information.

  3. Allow sufficient time for this BDC to acquire all domain security and SAM information. To force a full SAM/security database replication, run the following command on the BDC:

net accounts /sync

A record of the successful full replication events should be logged in the System log.

  4. If there is only one Windows 2000 domain controller in the domain, leave the Windows NT 4.0 BDC connected to the network, and then physically remove the Windows 2000 domain controller from the network. Make sure that the Windows 2000 domain controller is isolated from the rest of the network. If it is plugged into a hub, make sure it is not connected to the rest of the domain. If you have only one Windows 2000 domain controller, you can perform step 6 now before you continue with the demotion of the Windows 2000 domain controller.

  5. You must now demote all the Windows 2000 domain controllers to member servers by running the dcpromo command on the actual domain controller. To run this command, click Start, click Run, type dcpromo, and then click OK. If there is more than one Windows 2000 domain controller, run dcpromo on each of them to make each one a member server, until there is only one Windows 2000 domain controller remaining.

Now you can disconnect the Windows 2000 domain controller from the network, while leaving the Windows NT 4.0 BDC connected. Run dcpromo on this last domain controller, and be sure to choose the last domain controller in the domain option. When this completes, and the computer restarts, it will be a member server in a work group, which you can then rejoin to the domain if you want to. If you disconnected one Windows 2000 domain controller in step 4, then you simply run the dcpromo command on it as described in this step.

Note: To run dcpromo successfully, the network adapter must detect a network connection. Therefore, the Windows 2000 domain controller must be attached to an active hub or switch, even if there are no other connections to the hub or switch and it is isolated from everything else, which is the desired state.

  6. Open Server Manager on the Windows NT 4.0 BDC and promote this computer to a primary domain controller (PDC). If a message appears stating that it cannot contact the PDC and asks if you want to continue, click Yes, and then complete the promotion. When this is complete and the server restarts, verify in Server Manager that the computer is now described as the PDC.

  7. Upgrade this Windows NT 4.0 PDC to Windows 2000. When the Windows 2000 upgrade is complete, the computer restarts to begin the Active Directory installation. During this process, enter the desired domain name.

  8. If you demoted other Windows 2000 domain controllers earlier, you can now promote them back to domain controllers by running dcpromo on them.


