Loss of a Domain Controller
When a domain controller fails, the Kerberos service running at the clients becomes aware of the loss when the locally cached Kerberos tickets time out and the Kerberos service attempts to renew them. When the client realizes that its logon server is not responding, it queries DNS for alternative domain controllers and uses one of them to reauthenticate. The user is none the wiser.

If the failed domain controller is the only domain controller in a site, the clients must reauthenticate across the WAN. This slows down authentication, depending on the speed of the site link. During the period when a local domain controller is unavailable, LDAP queries such as searching for printers or using Outlook in an Exchange 2000 environment will be slow thanks to the latency across the WAN link.

If no other domain controllers are available for reauthentication, the client's Kerberos tickets will eventually expire and it will lose connection with member servers. If the clients log off, they can log back on with cached credentials, but those credentials will not be sufficient to get access to member servers.

So, it is important to keep in mind that a cut WAN link can cause a loss of connection to local Windows servers if there are no local domain controllers. One option is to put a fallback WAN connection in place, such as an ISDN line that only goes hot when the primary connection goes down. Or, you can install a local domain controller. As we'll see in the next section, this domain controller either needs to be a Global Catalog server or it must be configured to cache Global Catalog records.
GC-Less Logons
Under normal circumstances, if a domain controller hosting a copy of the Global Catalog is not available, users are not permitted to log on to a domain. This is because the GC holds the membership list for Universal groups.

In addition, if users log on using their UPN (user@company.com), a GC is required to "crack" the UPN into its constituent parts. Windows XP will cache the cracked name after a user logs on the first time, but Windows 2000 needs a GC each time a user submits a UPN at logon.

In Windows Server 2003, a new feature has been added that permits standard domain controllers to cache Universal group membership information. This enables those domain controllers to authenticate users when a GC is unavailable. The Universal group membership cache does not turn a domain controller into a GC. The caching domain controller does not listen for LDAP queries on port 3268 and it does not host objects from other domains apart from Universal group memberships.

Universal group caching does not require additional processors or memory on the part of the domain controllers in the site. When enabled, the Universal group cache is refreshed every eight hours. If a user is added to a Universal group after the last refresh, the permissions associated with that group (and any group to which that group belongs) will not be included in the user's PAC and therefore will not be included in any local access tokens created for the user on member servers. The Universal group membership cache holds about 500 groups.

You should enable Universal group membership caching for every site that does not have a Global Catalog server. Configure a site for GC-less logon caching by following Procedure 10.1.

Procedure 10.1 Enabling Universal Group Membership Caching
- Open AD Sites and Services.
- Highlight the site you want to configure.
- In the right pane, open the Properties window for the NTDS Site Settings object. Figure 10.1 shows an example.
Figure 10.1. NTDS Settings Properties window showing GC-Less Logon option.
- Select the option Enable Universal Group Membership Caching. Leave the Refresh Cache From pick list empty. The Knowledge Consistency Checker (KCC) will determine the closest site with a GC server.
- Click OK to save the change and close the window.
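The rule above (every site without a GC should have caching turned on) is easy to audit from a script. The following PowerShell is an added example, not code from the book: it reads the two `options` bit flags that back the settings described here (bit 0x1 on a DC's NTDS Settings object marks a Global Catalog; bit 0x20 on a site's NTDS Site Settings object marks Universal Group Membership Caching as enabled) and lists the sites that have neither. It assumes a domain-joined host with read access to the Configuration naming context.

```powershell
# Added example (not from the book): audit every site for a Global Catalog
# server and for Universal Group Membership Caching, so the sites that have
# neither, the ones Procedure 10.1 tells you to fix, stand out.
# Assumes: domain-joined host, read access to the Configuration NC, built-in
# System.DirectoryServices classes only.

# Bit flags of the 'options' attribute (documented in MS-ADTS)
$NTDSDSA_OPT_IS_GC          = 1    # on nTDSDSA ("NTDS Settings" of a DC)
$NTDSSETTINGS_OPT_CACHE     = 32   # on nTDSSiteSettings: UGMC enabled
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

$configNC  = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$sitesRoot = [ADSI]"LDAP://CN=Sites,$configNC"

# Subtree search under CN=Sites returning only the attributes we need
function Search-Sites([string]$filter, [string[]]$attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($sitesRoot, $filter)
    $s.PageSize = 1000
    $s.PropertiesToLoad.AddRange($attrs)
    $s.FindAll()
}

# Strip the leading RDN from a DN, giving the parent's DN
function Get-ParentDN([string]$dn) { $dn -replace '^[^,]+,', '' }

# 1. Which sites host at least one GC?  The bitwise-AND matching rule lets the
#    DC evaluate "options has bit 0x1 set" server-side.
$sitesWithGC = @{}
$gcFilter = "(&(objectClass=nTDSDSA)(options:$LDAP_MATCHING_RULE_BIT_AND:=$NTDSDSA_OPT_IS_GC))"
foreach ($dsa in (Search-Sites $gcFilter @('distinguishedName'))) {
    $dsaDN = $dsa.Properties['distinguishedname'][0]
    # Layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $siteDN = Get-ParentDN (Get-ParentDN (Get-ParentDN $dsaDN))
    $sitesWithGC[$siteDN.ToLower()] = $true
}

# 2. Walk every site's NTDS Site Settings object and evaluate the cache bit.
$report = foreach ($ss in (Search-Sites '(objectClass=nTDSSiteSettings)' @('distinguishedName', 'options'))) {
    $siteDN = Get-ParentDN $ss.Properties['distinguishedname'][0]
    # 'options' is absent when no flag has ever been set; treat that as 0
    $opts   = if ($ss.Properties.Contains('options')) { [int]$ss.Properties['options'][0] } else { 0 }
    $hasGC  = $sitesWithGC.ContainsKey($siteDN.ToLower())
    $cache  = ($opts -band $NTDSSETTINGS_OPT_CACHE) -ne 0
    [pscustomobject]@{
        Site             = ($siteDN -split ',')[0] -replace '^CN=', ''
        HasGlobalCatalog = $hasGC
        UGMCEnabled      = $cache
        # A site with no GC and no cache cannot log users on once the WAN drops
        NeedsAttention   = (-not $hasGC) -and (-not $cache)
    }
}

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Sites reported with NeedsAttention set to True are the ones to configure with Procedure 10.1 (or to give a GC).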
Performing Metadata Cleanup on Failed Domain Controller
If you are unable to restore a failed domain controller, you must clean out references to it in Active Directory. This so-called metadata must be removed before you can promote another server with the same name to be a domain controller. If you lose an entire domain, you must also remove the metadata information for that domain before creating another domain by the same name.

The tool to perform this metadata cleanup is a text-based utility called Ntdsutil. The cleanup is done with Active Directory up and running. Follow Procedure 10.2.

Procedure 10.2 Performing Metadata Cleanup
- Run Ntdsutil.
- At the ntdsutil: prompt, enter metadata cleanup. This opens the metadata cleanup: prompt.
- Enter ? for an options list:
metadata cleanup: ?
? - Show this help information
Connections - Connect to a specific domain controller
Help - Show this help information
Quit - Return to the prior menu
Remove selected domain - Remove DS objects for selected domain
Remove selected Naming Context - Remove DS objects for selected Naming Context
Remove selected server - Remove DS objects for selected server
Select operation target - Select sites, servers, domains, roles and naming contexts
- Enter connections and then enter ? for an options list:
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Print this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd (Use "NULL" for null password)
- If you are working from a member server and you are not logged on with administrator credentials, use the set creds command to define your binding credentials.
- Enter connect to server <dsa> to bind to a server, where <dsa> is the fully qualified DNS name of the domain controller where you want to make the update to the Directory. Any functioning domain controller will do. The entries and transaction results so far look like this:
server connections: set creds company.com administrator pw
server connections: connect to server dc-01.company.com
Binding to dc-11.company.com as user(administrator) in domain(company.com) ...
Connected to dc-11.company.com as user(administrator) in domain(company.com) .
- Enter select operation target. This opens the select operation target: prompt. Enter ? for an options list:
Connections - Connect to a specific domain controller
Help - Print this help information
List current selections - List the current site/domain/server
List domains - Lists all domains which have Cross-Refs
List domains in site - Lists domains in the selected site
List roles for connected server - Lists roles connected server knows about
List servers for domain in site - Lists servers for selected domain and site
List servers in site - Lists servers in selected site
List sites - List sites in the enterprise
Quit - Return to the prior menu
Select domain %d - Make domain %d the selected domain
Select server %d - Make server %d the selected server
Select site %d - Make site %d the selected site
- Enter list sites. An example output looks like this:
select operation target: list sites
Found 4 site(s)
0 - CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
1 - CN=Houston,CN=Sites,CN=Configuration,DC=company,DC=com
2 - CN=Albuquerque,CN=Sites,CN=Configuration,DC=company,DC=com
3 - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
- Enter select site <#> where <#> is the number of the site containing the server you want to remove:
select operation target: select site 1
Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
No current domain
No current server
- Enter list domains in site. An example output looks like this:
select operation target: list domains in site
Found 1 domain(s)
0 - DC=subsidiary,DC=com
1 - DC=company,DC=com
- Enter select domain <#> where <#> is the number of the domain containing the server you want to remove:
select operation target: select domain 1
Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
Domain - DC=company,DC=com
No current server
- Enter list servers for domain in site. An example output looks like this:
select operation target: list servers for domain in site
Found 1 server(s)
0 - CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
- Enter select server <#> where <#> is the number of the server you want to remove. An example output looks like this:
select operation target: select server 0
Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
Domain - DC=subsidiary,DC=com
Server - CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
DSA object - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Salt_Lake,CN=Sites,
CN=Configuration,DC=company,DC=com
DNS host name - DC-11.company.com
Computer object - CN=DC-11,OU=Domain Controllers,DC=company,DC=com
- We've now targeted the server object we want to delete. Enter q to return to the metadata cleanup: prompt.
- Enter remove selected server. A message window appears prompting you to verify your request.
- Click Yes and the deed is done. An example output looks like this:
Metadata cleanup: remove selected server
"CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com" removed from server "dc-01.company.com"
- Quit out of Ntdsutil and wait for the change to replicate.
You can use the same technique to remove a domain that was not fully deleted when the last domain controller was removed from service. Needless to say, be very careful that you don't delete any operational domains.
FSMO Loss
Chapter 8, "Designing Windows Server 2003 Domains," discussed the jobs assigned to FSMOs. The following is a quick overview:
- Domain Naming Master. This FSMO is responsible for ensuring the uniqueness of domain names in a forest. There is one Domain Naming Master in a forest.
- Schema Master. This FSMO holds the only read/write copy of the schema. There is one Schema Master in a forest.
- PDC Emulator. This FSMO replicates updates to classic NT backup domain controllers (BDCs) while in Mixed. It also acts as a clearinghouse for password updates and a time standard for other domain controllers in a domain. There is one PDC Emulator in each domain.
- RID Master. This FSMO holds the master copy of the Relative ID number list. In Mixed, these RIDs are passed out sequentially. In Native, each domain controller gets a bank of RIDs from the RID Master. There is one RID Master in each domain.
- Infrastructure Master. This FSMO is responsible for the rapid transmission of name changes that affect inter-domain group memberships in a forest. There is one Infrastructure Master in each domain.
A short outage of a FSMO role master does not warrant special action, but if you plan on taking a role master down for an extended period, you should transfer its role or roles to another domain controller. This is especially true if the server is going under the knife with little hope of recovery.

If a FSMO role master crashes and cannot be recovered, you must seize its role or roles on behalf of another domain controller. In a normal transfer, the original role master must be online to accept the transfer request. In a seizure, the original role master is not online and the new role master simply takes the role.

After seizing a role, don't put the superseded role master back on the network. Treat it like Smokey Bear treats a campfire. Drown it, stir it, and drown it again. This prevents the old role master from passing out invalid information or providing a second means of updating controlled structures like the Schema or Partition container.
Role Master Designation
The item that designates a particular server as a FSMO role master takes the form of an attribute in the Active Directory object that controls a particular FSMO. For instance, the Domain object controls the PDC Emulator role. A FSMO attribute on this object contains the distinguished name of the server that has been designated as the PDC Emulator. When you transfer or seize a role, you change the distinguished name assigned to this role master attribute.
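The attribute the sidebar describes is `fSMORoleOwner`, and it holds the distinguished name of the role master's NTDS Settings object. The following PowerShell is an added example, not code from the book: it reads that attribute from each of the five controlling objects and flags an owner whose NTDS Settings object no longer exists, which is what a role master that died without a transfer (or one whose metadata was cleaned up before its roles were seized) leaves behind. It assumes a domain-joined host with read access to the domain, Configuration and Schema naming contexts; the object paths are the fixed locations AD uses for these roles.

```powershell
# Added example (not from the book): show which DSA owns each FSMO role by
# reading fSMORoleOwner on the object that controls the role, and flag owners
# whose NTDS Settings object is gone.  Assumes a domain-joined host with read
# access to the domain, Configuration and Schema naming contexts.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Object that carries fSMORoleOwner for each role (fixed locations in AD)
$roleObjects = [ordered]@{
    'PDC Emulator'          = $domainNC
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure Master' = "CN=Infrastructure,$domainNC"
    'Domain Naming Master'  = "CN=Partitions,$configNC"
    'Schema Master'         = $schemaNC
}

function Get-FsmoOwner([string]$role, [string]$objectDN) {
    $obj   = [ADSI]"LDAP://$objectDN"
    $owner = [string]$obj.fSMORoleOwner    # DN of an "NTDS Settings" object

    # A tombstoned DSA is renamed with a "\0ADEL:<guid>" suffix and moved under
    # CN=Deleted Objects; the link-valued attribute then shows that mangled DN.
    $deleted = $owner -match '\\0ADEL:'
    $exists  = (-not $deleted) -and [ADSI]::Exists("LDAP://$owner")

    # Layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    # (the server name is only meaningful when the owner still exists)
    $server = ($owner -split ',')[1] -replace '^CN=', ''

    [pscustomobject]@{
        Role        = $role
        Server      = $server
        OwnerDN     = $owner
        OwnerExists = $exists
        # True means the role must be seized (Procedure 10.5), not transferred
        Stale       = -not $exists
    }
}

$results = foreach ($entry in $roleObjects.GetEnumerator()) {
    Get-FsmoOwner $entry.Key $entry.Value
}
$results | Format-Table Role, Server, OwnerExists, Stale -AutoSize
```

Run it again after a transfer or seizure and on more than one domain controller: the Server column changing on every DC is the replication convergence the procedures below tell you to wait for.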
Transferring a FSMO Role Master
When transferring a FSMO to a new role master, you have the option of using an MMC console or a command-line tool. The MMC console you use depends on the role you're transferring. Table 10.1 lists the FSMO roles and their associated MMC consoles along with precautions for placing the role.
FSMO Role | Console | Precautions |
---|---|---|
PDC Emulator | Users and Computers | Ensure the PDC Emulator stays in communication with all downlevel NT BDCs. In addition, because the PDC Emulator acts as a "court of last resort" for password validation, make sure it stays connected to the WAN. |
RID Master | Users and Computers | Put this role master on the same server as the PDC Emulator. If you absolutely must put the RID Master on a different domain controller, make sure it stays well connected to the PDC Emulator. In Mixed, the RID Master must be available to create each new user, computer, or group. |
Infrastructure Master | Users and Computers | Put this role master on any domain controller that is not a Global Catalog server. See the side bar titled "Infrastructure Master Operation." |
Domain Naming Master | Domains and Trusts | Keep this role master and the Schema Master on the same domain controller. These two roles are unique in the forest, so make sure they stay connected to the WAN. |
Schema Master | Schema Management | See Domain Naming Master instructions. |
Transferring a Role Master Using an MMC Console
Refer to Table 10.1 to find the applicable console and then proceed with the transfer as directed in Procedure 10.3.

Procedure 10.3 Changing a Role Master Using an MMC Console
- Open the applicable MMC console for the FSMO that you are going to transfer.
- If you are not at the domain controller that will become the new role master, right-click the very top icon, the one with the same name as the console. Select CONNECT TO DOMAIN CONTROLLER from the flyout menu.
- Select the name of the domain controller you want to be the new role master. This satisfies an LDAP requirement to bind to the server so that you can be authenticated.
- Click OK to connect to the domain controller.
- Right-click the top icon again. This time select OPERATIONS MASTER from the flyout menu. The Operations window appears.
- Select the tab associated with the role you want to transfer.
- Verify that the domain controller listed under Current Focus is the name of the server where you want the role to be transferred.
- Click Change. You are prompted to verify.
- Click OK. After a short wait, you'll be informed that the Operations Master was successfully transferred. The Operations tab now shows the new name under Current Operations Master.
- Click OK to close the window.
At this point, you should wait for replication to fully converge so that all domain controllers know about the new role master. You can use the AD Sites and Services console or Replication Monitor (Replmon) from the Support Tools to force replication.
Transferring a Role Master Using Ntdsutil
If you prefer using a command-line tool (or you want to manage your servers via Telnet or SSH), you can use Ntdsutil to transfer role masters between domain controllers. Both the original role master and the target role master must be online (see Procedure 10.4).

Procedure 10.4 Transferring a Role Master Using Ntdsutil
- Log on using an account with administrator privileges in the domain. If the transfer involves either of the enterprise roles, Schema Master or Domain Naming Master, you must also have administrator rights in the Configuration naming context.
- Open a command session and run ntdsutil.
- At the ntdsutil: prompt, enter roles. This opens the FSMO maintenance: prompt.
- Enter ? to get the options list:
fsmo maintenance: ?
? - Print this help information
Connections - Connect to a specific domain controller
Help - Print this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains and roles
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
- Type connections. This opens the server connections prompt.
- Type ? to get the options list:
server connections: ?
? - Print this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Print this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd. Use "NULL" for null password
- Enter connect to server %s where %s is the fully qualified DNS name of the domain controller where you want to transfer the role. For example, enter connect to server company.com. If successful, you get the following report:
server connections: connect to server dc-02.company.com.
Binding to \\DC-02.company.com ...
Connected to \\DC-02.company.com using credentials of locally logged on user
- If you want to use another account, use the set creds command prior to issuing the connect to server command.
- Enter q to exit the module and return to the FSMO maintenance prompt.
- Select a role to transfer and enter the applicable command. For example, to transfer the PDC Emulator, enter transfer PDC.
- A window appears requesting that you verify this operation. Click OK to initiate the role transfer.
- If the transfer operation fails, you get an error message and the role remains with its original master. For example, if the target server is already the role master, you are notified of this. If the transfer operation proceeds without error, Ntdsutil responds with a list of the current role masters, indicating a successful end to the operation:
fsmo maintenance: transfer pdc
Server "dc-01.subsidiary.com." knows about 5 roles
Schema - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
Domain - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
PDC - CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
RID - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
Infrastructure - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
Shortcuts in Ntdsutil
You only need to enter enough of each word in an Ntdsutil entry to make it unambiguous. For instance, rather than typing out connect to server, you can enter con t s.
Seizing a FSMO Role Master
If the domain controller hosting a FSMO role master crashes or is otherwise permanently unavailable, you cannot use the management consoles to transfer roles. You must seize the role using Ntdsutil.

As a reminder, if you seize a FSMO from another domain controller, you must not reintroduce the superseded role master back onto the network. Formatting the hard drive is not too extreme.

Verify that the new target role master is online and follow Procedure 10.5.

Procedure 10.5 Seizing a FSMO Role
- Log on using an account with administrator privileges in the domain. If the seizure involves either of the enterprise roles, Schema Master or Domain Naming Master, you must also have administrator rights for the Configuration naming context.
- Open a command session and run Ntdsutil.
- Select roles from the prompt. This opens the FSMO maintenance prompt.
- Type connections. This opens the server connections prompt.
- Enter connect to server %s where %s is the fully qualified DNS name of the domain controller where you want to transfer the role, for example, connect to server company.com. If successful, you get the following report:
server connections: connect to server dc-03.company.com.
Binding to \\DC-03.company.com ...
Connected to \\DC-03.company.com using credentials of locally logged on user
- Enter q to exit the module and return to FSMO maintenance.
- Select a role to seize. For example, to seize the RID Master role you would enter seize RID master. A window appears requesting that you verify this operation. Click OK. (If the current role master is on the network, Ntdsutil will fall back and do a standard transfer.)
- If the seizure fails, you get an error message and the role remains with its original master. If the transfer operation proceeds without error, Ntdsutil responds with a list of the current role masters.