
Workgroup network:

All computers are peers; no computer has control over another computer. Each computer has a set of user accounts. To use any computer in the workgroup, you must have an account on that computer. There are typically no more than ten to twenty computers. All computers must be on the same local network or subnet.

Domain network:

One or more computers are servers called domain controllers. Network administrators use them to control security and permissions for all computers in the domain, so a change made once is applied to every computer automatically. If you have a user account on the domain, you can log on to any computer in the domain without needing a local account on it. There can be hundreds or thousands of computers, and they can be on different local networks.

Active Directory was previewed in 1999, released first with Windows 2000 Server, and revised to extend functionality and improve administration in Windows Server 2003. It was refined further in Windows Server 2008 and Windows Server 2008 R2, where it was renamed Active Directory Domain Services (AD DS).

Advantages of Active Directory:
a) Scalability: a Windows 2000 forest can hold a million objects, and Windows Server 2003 raised the tested limit to a billion.
b) Easy administration: through Group Policy.
c) Security: through its authentication protocols (Kerberos, with NTLM as fallback).
d) Replication: users can be created on any domain controller and are replicated to all the others.
e) Ease of use: simple concepts and GUI tools, so it is easy to understand.
f) Software deployment: through Group Policy.

Active Directory derives its object model from the X.500 directory standards and is accessed through LDAP (Lightweight Directory Access Protocol); it is not a full X.500 implementation.

FSMO: Flexible Single Master Operation roles. Although AD is multi-master, five kinds of change must be made by exactly one DC to avoid conflicts. The 5 FSMO roles:

a) Schema Master (one per forest)
b) Domain Naming Master (one per forest)
c) PDC Emulator (one per domain)
d) RID Master (one per domain)
e) Infrastructure Master (one per domain; it updates references to objects that live in other domains, and should not be placed on a Global Catalog server unless every DC in the domain is a GC)

The Schema Master domain controller handles all updates and modifications to the Active Directory schema; you must have access to the Schema Master to make such changes. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Admins group to change the schema.

When the Schema Master is needed: whenever the schema of the forest has to be extended. Examples: a) installing Exchange requires the forest schema to be upgraded; b) in Mphasis, if the employee ID is to be used as a unique key for user objects, the schema has to be updated to add that attribute.

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. There can be only one domain naming master in the whole forest.

Example: if there are several administrators and one of them created a domain called mphasis.chennai.com yesterday without informing the others, and a second administrator now tries to create a domain with the same name, it is this FSMO role that prevents it and returns the error that the domain already exists.

The PDC emulator is the authoritative time source for its domain (the one in the forest root domain is the source for the whole forest); this matters because Kerberos rejects tickets whose clock skew exceeds the allowed limit (5 minutes by default). Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. When authentication at a DC fails because of an incorrect password, the DC forwards the request to the PDC emulator before reporting a bad password to the user, so a password that was just changed on another DC is still accepted.

Account lockout is processed on the PDC emulator, so its security log is the place to look when investigating lockouts or password-spray attempts. Editing or creation of Group Policy Objects (GPOs) is always done against the GPO copy in the PDC emulator's SYSVOL share, unless an administrator configures otherwise. The PDC emulator also performs all the functions that a Windows NT 4.0 (or earlier) PDC performs for NT 4.0 or earlier clients.

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
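As an added example (not part of the original notes), the PowerShell below lists which DC holds each of the five roles in the current forest and domain, probes each holder on the LDAP port, and checks the Infrastructure Master placement rule. It needs the ActiveDirectory RSAT module and Test-NetConnection (Windows 8 / Server 2012 or later); the port probe and the GC check are my additions, not something the notes describe.

```powershell
# Added example (not from the original notes). Lists the FSMO role holders
# for the current forest and domain and probes each one on TCP 389 (LDAP).
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (one holder in the whole forest); three are
# domain-wide (one holder in each domain), so a forest with N domains has
# 2 + 3*N role holders, not five.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    [pscustomobject]@{
        Role          = $role
        Holder        = $holder
        # A holder that is down stalls schema changes, domain creation,
        # RID allocation or lockout processing until the role is seized.
        LdapReachable = Test-NetConnection -ComputerName $holder -Port 389 `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$report | Format-Table -AutoSize

# The Infrastructure Master must not be a Global Catalog unless every DC in
# the domain is one; otherwise cross-domain group memberships stop updating.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGC = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and $nonGC.Count -gt 0) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC but $($nonGC.Count) DC(s) in the domain are not"
}

# Cross-check with the classic command-line tool; the answers must agree.
netdom query fsmo
```

Run it from a management workstation rather than on a role holder, so that an unreachable holder shows up as False instead of the script failing to start.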

[Diagram: forest Test.Local with root domain controller ROOTDC (RID Master) and child domains AP.TEST.LOCAL and EMEA.TEST.LOCAL. Each domain in the forest has its own RID Master.]

SID = domain SID + RID

The domain SID is the same for every SID created in the domain; the relative ID (RID) is unique for each security principal created in that domain. For example (constructed value), S-1-5-21-1004336348-1177238915-682003330-1105 is domain SID S-1-5-21-1004336348-1177238915-682003330 plus RID 1105. RIDs below 1000 are reserved for well-known principals that have the same RID in every domain (Administrator is always 500, Guest 501, Domain Admins 512), and the RID Master hands each DC a block from the unallocated range, 500 RIDs at a time by default. The figures in the original sketch (1-4999 for the first DC, 5000-9,999 for the second) illustrate the idea with much larger blocks than the real default.
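The following PowerShell is an added example, not code from the original notes: it splits a SID into domain SID and RID, then reads every DC's allocated RID pool and the RID Master's domain-wide unallocated pool. The SID value is constructed; the bit layout of the pool attributes (first RID in the low 32 bits, last RID in the high 32 bits) is the documented format of rIDAllocationPool and rIDAvailablePool.

```powershell
# Added example (not from the original notes). Splits a SID into domain SID
# and RID, then reads every DC's RID pool from its "RID Set" object and the
# domain-wide unallocated pool from the RID Master. The 64-bit pool values
# pack the first RID in the low 32 bits and the last RID in the high 32 bits.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid -split '-'
    [pscustomobject]@{
        DomainSid = $parts[0..($parts.Length - 2)] -join '-'
        Rid       = [int]$parts[-1]
    }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][long]$Pool)
    [pscustomobject]@{ Start = $Pool -band 0xFFFFFFFF; End = $Pool -shr 32 }
}

# Constructed SID: domain S-1-5-21-1004336348-1177238915-682003330, RID 1105.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
# Well-known RIDs are fixed in every domain: Administrator is always 500.
Split-Sid (Get-ADUser -Identity Administrator).SID.Value

$domain = Get-ADDomain
foreach ($dc in Get-ADDomainController -Filter *) {
    # Each DC's pool lives in "CN=RID Set" under its computer object
    # (the computer object's rIDSetReferences attribute points at it).
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $cur = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = $cur.Start
        PoolEnd   = $cur.End
        NextRid   = $ridSet.rIDNextRID
        # Default block size is 500 RIDs; a DC requests a new block when the
        # current one runs low, so Remaining should rarely approach zero.
        Remaining = $cur.End - $ridSet.rIDNextRID
    }
}

# Domain-wide view from the RID Master: next RID it will hand out, and the
# ceiling (about 2^30) after which no new security principals can be created.
$mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
         -Properties rIDAvailablePool -Server $domain.RIDMaster
ConvertFrom-RidPool $mgr.rIDAvailablePool
```

Reading the pool from the RID Master directly (the -Server parameter) matters here: the rIDAvailablePool value replicates, but only the role holder's copy is guaranteed to be current.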

The Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT (NTDS: NT Directory Service; DIT: Directory Information Tree). NTDS.dit is an indexed sequential access method (ISAM) database. The Extensible Storage Engine (ESE) indexes the data in the database file and transfers data in and out of it.

The following characteristics of the ESE make it well suited to Active Directory's storage needs. The ESE:
a) supports databases of up to 16 terabytes (TB) in size, holding many millions of objects per domain;
b) supports indexing;
c) supports multivalued attributes.

The ntds.dit file is the heart of Active Directory; every object, including user accounts and their password hashes, lives in it. Its database engine is the Extensible Storage Engine (ESE), based on the Jet database technology also used by Exchange 5.5 and WINS. ESE can grow to 16 terabytes, which would be large enough for 10 million objects; back in the real world, only the ESE engine itself should ever manipulate the data store. Because the file holds every account's credentials, any copy of it (backups, IFM media, volume shadow copies) has to be protected as tightly as the domain controller itself: together with the SYSTEM registry hive, an offline copy can be decrypted to recover all domain password hashes.

When an object is deleted from Active Directory it is not erased immediately but marked for future deletion. Active Directory uses a replication model described as "multi-master loose consistency with convergence": changes can be made on any DC in the forest and are then incrementally replicated throughout it. A deletion therefore cannot simply remove the object, because that would remove the very unit of replication that has to carry the deletion to the other DCs.

The marker that designates an AD object scheduled for destruction is called a tombstone. A tombstone is an object whose isDeleted attribute has been set to TRUE; it indicates that the object has been deleted but not yet removed from the directory, much as a deleted file is removed from the file allocation table while its data remains on the disk. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them.

Garbage collection runs every 12 hours on each DC by default. The tombstone lifetime, the time a tombstoned object stays in the directory before garbage collection removes it, defaults to 60 days for Windows 2000 and Windows Server 2003 forests and to 180 days for forests created on Windows Server 2003 SP1 or later (a forest upgraded from an older version keeps 60 days unless the tombstoneLifetime attribute is changed). The tombstone lifetime must be much longer than the garbage collection interval, and longer than the longest replication latency in the forest, so that every DC learns of the deletion before the tombstone disappears. For the same reason a backup older than the tombstone lifetime must never be restored: it would bring back objects that every live DC has already purged (lingering objects).

Considering all the above, a delete operation is essentially a special modify operation that:
a) sets isDeleted to TRUE;
b) sets the internal WhenDeleted column to the TimeChanged time stamp of the isDeleted metadata;
c) sets the Windows NT security descriptor to a special value;
d) changes the relative distinguished name (RDN) to a value that is otherwise impossible, that is, one that cannot be set by an LDAP client;
e) strips all attributes Active Directory no longer needs at this point. Key attributes such as the following are hard-coded to survive deletion: Object-GUID, Object-SID, Object-Dist-Name, USN.

AdRestore is a Sysinternals tool (now distributed by Microsoft) that restores deleted objects from AD. Run without arguments it lists the tombstoned objects in the order they were deleted; adrestore -r (-r is the restore switch) walks the list and reanimates the objects you confirm. Because the tombstone has been stripped of most attributes, a reanimated object comes back with only the attributes that survived deletion, so group memberships, passwords and similar data must be set again.
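The PowerShell below is an added example (not code from the original notes or from AdRestore) that ties the tombstone section together: it reads the forest's tombstone lifetime and garbage-collection interval, lists the tombstoned objects the way adrestore does, and reanimates one with Restore-ADObject, which performs the same LDAP undelete as adrestore -r. It assumes a DC running Active Directory Web Services (Windows Server 2008 R2 or later, or the management gateway on older DCs); the SID, the user name jdoe and the target OU are constructed values.

```powershell
# Added example (not from the original notes). Reads the tombstone lifetime
# and garbage-collection interval, lists tombstoned objects, and reanimates
# one with Restore-ADObject (the LDAP undelete that adrestore -r performs).
# Without the AD Recycle Bin only the attributes that survive tombstoning
# come back, so group memberships and the password must be re-set afterwards.
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
           -Properties tombstoneLifetime, garbageCollPeriod

# Unset attributes mean the Windows 2000 defaults: 60 days and 12 hours.
$tsl = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }
$gcp = if ($dsCfg.garbageCollPeriod) { $dsCfg.garbageCollPeriod } else { 12 }
"Tombstone lifetime: $tsl days; garbage collection every $gcp hours"
# Any backup older than $tsl days is unusable for a restore (lingering objects).

# Tombstones, most recently deleted first. lastKnownParent records where each
# object lived; the Deleted Objects container itself is filtered out.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties whenChanged, lastKnownParent, objectSid |
    Where-Object { $_.ObjectClass -ne 'container' } |
    Sort-Object whenChanged -Descending |
    Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

# Reanimate one user. Selecting by SID (constructed value) rather than by name
# avoids restoring the wrong tombstone when several deleted objects share a name.
$sid    = 'S-1-5-21-1004336348-1177238915-682003330-1105'
$victim = Get-ADObject -Filter { isDeleted -eq $true -and objectSid -eq $sid } -IncludeDeletedObjects
# Assumed target: restore as 'jdoe' into OU=Staff of the test.local domain.
Restore-ADObject -Identity $victim.ObjectGUID -NewName 'jdoe' -TargetPath 'OU=Staff,DC=test,DC=local'

# Verify what came back; expect an empty MemberOf until groups are re-added.
Get-ADUser -Identity jdoe -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```

Reanimation restores the object with its original objectGUID and objectSid, which is the whole point: ACLs and group entries elsewhere that still reference the SID become valid again, whereas recreating the user by hand would produce a new SID.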

Non-authoritative restore: most commonly used when a DC has failed for hardware or software reasons; this is the default Directory Services Restore Mode selection. In this mode the operating system restores the domain controller's contents from the backup, after which the DC receives, through normal replication, all directory changes made since the backup from the other domain controllers on the network.

Authoritative restore:
An authoritative restore is most commonly used when a change made in the directory must be reversed, such as an organizational unit deleted by mistake. The DC is restored from backup and the restored data is marked authoritative, so it replicates to and overwrites the copies on all other domain controllers in the network. The especially valuable point is that you can choose to make only certain objects in the directory authoritative.

For example, if you delete an OU by mistake, you can mark just that OU authoritative. It is replicated back to all other DCs, while everything else on the restored server is brought up to date from those DCs. By default, a restore of AD is non-authoritative.

Marking objects authoritative is done with ntdsutil while the DC is still in Directory Services Restore Mode, after the non-authoritative restore and before the DC is rebooted normally. The session from the original notes (restore object marks a single object; use restore subtree to bring back an OU together with its contents):

E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com
Opening DIT database... Done.
The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000012

The version-number increase is what makes the restored copy win against the newer, deleted state held by the other DCs.

Common TCP/UDP ports:
20: FTP (data)
23: Telnet (cleartext; avoid)
25: Simple Mail Transfer Protocol (SMTP)
53: Domain Name System (DNS)
80: Hypertext Transfer Protocol (HTTP)
88: Kerberos (Active Directory authentication)
161/162: Simple Network Management Protocol (SNMP / SNMP trap)
389: Lightweight Directory Access Protocol (LDAP)
443: HTTP over TLS/SSL (HTTPS)
636: LDAP over TLS/SSL (LDAPS)
3268/3269: Global Catalog LDAP / LDAPS
3389: Remote Desktop Protocol (Microsoft Terminal Services)

Active Directory Support Files The ESE engine used by Active Directory is based on Microsoft's Jet database technology. Jet uses a b-tree file structure with transaction logs to ensure recoverability in the event of a system or drive failure. When you promote a server to a domain controller, you select where to put the Active Directory files. The default path is in the boot partition under \Windows\NTDS. Generally, it is a good idea to put them on a separate volume from the operating system files to improve performance.

The following list contains the Active Directory support files and their functions: Ntds.dit. This is the main AD database. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log. This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10 MB.

Edbxxxxx.log. These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again. ESENT uses circular logging: excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.

Edb.chk. This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log. These are reserve log files (renamed edbres00001.jrs and edbres00002.jrs from Windows Server 2008 onwards). If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases sharply as free space diminishes. You may also run into problems with online database defragmentation (compaction) as you run out of drive space; this can cause Active Directory to stop working if the indexes cannot be rebuilt.

Temp.edb. This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.

Schema.ini. This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.
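As an added example (not code from the original notes), the PowerShell below, run on a domain controller, locates the DIT, log and working directories from the NTDS service parameters, lists the ESE files described above with their sizes, warns when a volume carrying AD files is getting full, and shows who can read the DIT and whether shadow copies of it exist. The 20 % free-space threshold is an assumed value; the registry value names are the ones the NTDS service uses.

```powershell
# Added example (not from the original notes). Run on a DC: finds the DIT,
# log and working directories from the NTDS service parameters, lists the ESE
# files with sizes, warns when a volume is getting full, and shows who can
# read the DIT. The 20 % free-space threshold is an assumed value.
$ntds    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $ntds.'DSA Database file'
$logDir  = $ntds.'Database log files path'
$workDir = $ntds.'DSA Working Directory'
"DIT: $ditPath`nLogs: $logDir`nWorking directory: $workDir"

# ntds.dit, edb.log, edb*.log, edb.chk, temp.edb and the reserve logs
# (res1/res2.log before Windows Server 2008, edbres*.jrs afterwards).
Get-ChildItem -Path "$logDir\*", "$workDir\*" `
    -Include 'ntds.dit', 'edb*.log', 'edb.chk', 'temp.edb', 'res*.log', 'edbres*.jrs' |
    Sort-Object FullName -Unique |
    Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime |
    Format-Table -AutoSize

# Free space on every volume that carries AD files. Running out of space is
# the failure mode the reserve logs exist for; warn long before it happens.
$minFreePercent = 20
foreach ($dir in @((Split-Path $ditPath), $logDir, $workDir) | Sort-Object -Unique) {
    $drive = Get-PSDrive -Name $dir.Substring(0, 1)
    $free  = [math]::Round(100 * $drive.Free / ($drive.Free + $drive.Used), 1)
    if ($free -lt $minFreePercent) {
        Write-Warning "$($dir): only $free% free on this volume"
    } else {
        "$($dir): $free% free"
    }
}

# ntds.dit holds every account's password hashes. Only SYSTEM and
# Administrators should appear in its ACL, and every shadow copy of the volume
# is a readable copy of the DIT too (the usual offline-extraction route), so
# list those as well and remove any that are not needed.
(Get-Acl -Path $ditPath).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
vssadmin list shadows

# Same paths as reported by the engine itself (Windows Server 2008 and later).
ntdsutil "activate instance ntds" files info quit quit
```

Schedule the free-space check rather than running it once: the reserve logs only buy a few transactions' worth of time, and by the time the warning appears on screen the DC may already have stopped accepting changes.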
