
How KCC, ISTG, Replication, Sites and Bridgehead Servers Work in Active Directory

How to Seize an FSMO Role in Active Directory


What are Netlogon and SYSVOL?

=> Netlogon: a service that runs on every domain-joined Windows machine and on every domain controller. It establishes the secure channel between a member computer and a DC, and it passes NTLM authentication requests from servers through to a DC so that the user's credentials can be verified there.
-> On a DC the service registers the SRV, CNAME and A records that advertise the DC in DNS (the DC locator records), so that clients can find domain controllers for their domain and site.
-> The records Netlogon registers are also written to %SystemRoot%\System32\config\netlogon.dns on the DC. This file is the reference when dynamic DNS update fails and the records have to be checked or added by hand.
-> Netlogon re-registers its records at service startup and then periodically (every 24 hours by default on current Windows Server versions; older versions used a shorter interval).
-> A DC also registers site-specific records for a site that has no DC of its own, so that clients in that site are directed to the nearest DC. This is called automatic site coverage.

=> SYSVOL folder:
-> SYSVOL is a folder on every DC (%SystemRoot%\SYSVOL by default) that is shared automatically as \\<DC>\SYSVOL. It holds the file part of Group Policy (the Policies folder with the GPO templates and settings files) and the logon scripts (the scripts folder, which is also shared as NETLOGON). Every client reads it to apply Group Policy to users and computers. Its contents are replicated between DCs by DFS Replication (FRS in older domains), not by AD replication. Because every authenticated user can read SYSVOL, nothing placed there (scripts, Group Policy Preferences) may contain credentials.
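The checks below are an added example, not part of the original post. They verify the Netlogon locator records, the secure channel and the SYSVOL shares described above. The domain name corp.example, the volume paths and the credential pattern are placeholders; the script assumes a domain-joined Windows host with the DnsClient and SmbShare cmdlets (the nltest steps only make sense on a DC).

```powershell
# Added example (not from the original post): check what Netlogon and SYSVOL expose
# for a domain. corp.example is a placeholder domain name.
$domain = 'corp.example'

# 1. DC locator records that Netlogon registers in DNS. Clients query these to
#    find a DC; if they are missing, domain logons and domain joins fail.
$locator = @(
    "_ldap._tcp.dc._msdcs.$domain",       # all DCs of the domain
    "_kerberos._tcp.dc._msdcs.$domain",   # KDCs
    "_gc._tcp.$domain"                    # global catalogs
)
foreach ($name in $locator) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# 2. On a DC: the same records as Netlogon wrote them before registering.
#    Compare this file against DNS when dynamic update is failing.
$dnsFile = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
if (Test-Path $dnsFile) {
    Select-String -Path $dnsFile -Pattern '_ldap\._tcp|_kerberos\._tcp' |
        ForEach-Object Line
}

# 3. Secure channel health for this machine, then force Netlogon to re-register
#    its records (nltest ships with Windows; /dsregdns only works on a DC).
Test-ComputerSecureChannel -Verbose
nltest /sc_verify:$domain
nltest /dsregdns

# 4. SYSVOL and NETLOGON shares. Everything here is readable by every
#    authenticated user, so audit it for scripts and GPP files that embed secrets.
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
    Select-Object Name, Path
$sysvol = "\\$domain\SYSVOL\$domain"
Get-ChildItem -Path "$sysvol\scripts", "$sysvol\Policies" -Recurse `
    -Include *.bat, *.cmd, *.ps1, *.vbs, *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password|cpassword' |
    Select-Object Path, LineNumber, Line
```

If step 1 returns nothing for a DC that is known to be up, run step 3 on that DC and then check the DNS server's dynamic-update permissions; the netlogon.dns file shows exactly which records it was trying to register.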

What is the KCC (Knowledge Consistency Checker) in AD?
-> The KCC is a built-in process that runs on every domain controller, by default every 15 minutes. It creates the connection objects that tell a DC which other DCs it replicates from, so that every DC can replicate with the others. Within a site it builds a bidirectional ring of connections between all the DCs and adds extra connections so that no DC is more than three replication hops from any other; when DCs are added or removed it recalculates the topology automatically.

What is the ISTG (Inter-Site Topology Generator) in Active Directory?
-> The ISTG is the KCC role held by one DC in each site. It builds the inter-site part of the topology: it selects the bridgehead server(s) for its site and creates the connection objects between its own site's bridgeheads and the bridgeheads of the other sites, following the site links and their costs. The bridgehead servers then perform the actual inter-site replication.

-> Default replication intervals for intra-site and inter-site replication:
     -> Intra-site: change notification; a DC notifies its partners about 15 seconds after a change (with a 3-second stagger between partners), and a scheduled replication also runs once an hour as a fallback.
     -> Inter-site: every 180 minutes by default, configurable on the site link down to a minimum of 15 minutes.

What is a connection object in AD?
-> For one DC to replicate from another, a connection object must exist under the destination DC's NTDS Settings object. It names the source DC (the fromServer attribute) and carries the replication schedule; connection objects are inbound only, so every DC has one for each partner it pulls from. The KCC creates and maintains them automatically, but they can also be created manually in Active Directory Sites and Services (manually created ones are never removed by the KCC). Please see the figure below to understand connection objects.
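An added example (not from the original post) that shows the objects the KCC and ISTG described above actually create, and how to inspect and force them. It assumes the ActiveDirectory RSAT module and repadmin, and uses placeholder DC names DC1/DC2 and site names Main/Second.

```powershell
# Added example (not from the original post): inspect the topology the KCC/ISTG built.
# DC1, DC2, Main and Second are placeholder names.
Import-Module ActiveDirectory

# 1. Connection objects: each is inbound to a DC and names the DC it pulls from.
#    AutoGenerated = $true means the KCC made it; $false means someone created it
#    by hand, and the KCC will keep it even after it stops being useful.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated,
        @{n='From'; e={ ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' }},
        @{n='To';   e={ ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' }} |
    Sort-Object To | Format-Table -AutoSize

# 2. Which DC in each site holds the ISTG role (the interSiteTopologyGenerator
#    attribute on the site's NTDS Site Settings object).
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator |
    Select-Object Name,
        @{n='ISTG'; e={ ($_.InterSiteTopologyGenerator -split ',')[1] -replace '^CN=' }}
repadmin /istg     # the same information from the built-in tool

# 3. Force the KCC to recalculate now instead of waiting for its 15-minute cycle,
#    then check that every partner replicated recently and without errors.
repadmin /kcc
repadmin /replsummary

# 4. Shape of a manual connection object (DC2 pulling from DC1). Left commented out:
#    the KCC normally does the right thing and manual objects are never cleaned up.
# $configNC = (Get-ADRootDSE).configurationNamingContext
# New-ADObject -Name 'DC1-to-DC2' -Type nTDSConnection `
#     -Path "CN=NTDS Settings,CN=DC2,CN=Servers,CN=Second,CN=Sites,$configNC" `
#     -OtherAttributes @{
#         fromServer        = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Main,CN=Sites,$configNC"
#         enabledConnection = $true
#         options           = 0
#     }
```

A connection object with AutoGenerated = $false and a source DC that no longer exists is a classic leftover after a DC is decommissioned; the KCC will not remove it, so it shows up as a permanent replication failure in repadmin /replsummary until deleted.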

What is a bridgehead server in AD?
-> In inter-site replication, one DC in a site (per directory partition and per transport) is responsible for replicating with the other site; this DC is the bridgehead server. The bridgeheads of the two sites replicate with each other, and each then passes the changes on to the other DCs in its own site.
-> Active Directory (the ISTG) selects bridgehead servers automatically.

-> A DC can also be designated a preferred bridgehead server manually:
   -> Open Active Directory Sites and Services -> Sites -> <site> -> Servers -> DC2 (select the server) -> right-click -> Properties -> add the transport (IP) to the list of transports available for inter-site data transfer. The server becomes a preferred bridgehead for that transport the next time the KCC/ISTG runs, as shown in the figure below. Once preferred bridgeheads exist, the ISTG chooses among them rather than among all DCs, so keep the list current when DCs are decommissioned.


What is an inter-site transport in Active Directory (AD)?
-> Every site link uses one of the two inter-site transports: IP or SMTP.
IP site link: when creating an IP site link you choose the sites it connects, a cost (a lower cost makes the link the preferred path when several routes exist between sites) and the replication interval, so replication runs at that frequency within the link's schedule.
IP site links carry replication over RPC (remote procedure call), as synchronous calls directly between the bridgehead servers.

SMTP site link: chosen only when there is no reliable, always-on network connection between the sites. Replication is sent as signed and encrypted mail messages, which requires an enterprise CA. An SMTP site link cannot replicate the domain partition (so it cannot be used between DCs of the same domain), and SYSVOL is not replicated over it either.
-> It can replicate only the schema partition, the configuration partition, application partitions and the global catalog partial replicas. SMTP replication is deprecated and should not be used in new designs.
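The configuration steps for the bridgehead and site link sections above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and repadmin; the site names Main and Second, the DC name DC2 and the link name Main-Second are placeholders.

```powershell
# Added example (not from the original post): configure and verify inter-site
# replication between the placeholder sites Main and Second.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Site link over the IP transport: cost (lower is preferred when several
#    paths exist) and interval in minutes (15 is the minimum, 180 the default).
New-ADReplicationSiteLink -Name 'Main-Second' -SitesIncluded Main, Second `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15

# 2. Optional: change notification across the link, so changes replicate as they
#    happen instead of waiting for the interval. Bit 0x1 of the link's options
#    attribute enables it (the GUI has no checkbox for this).
Set-ADReplicationSiteLink -Identity 'Main-Second' -Replace @{ options = 1 }

# 3. Review every site link. A link still at the default 180 minutes is the usual
#    reason a change "takes hours" to show up in another site.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }}

# 4. Which DCs the ISTG is currently using as bridgeheads, per partition and transport.
repadmin /bridgeheads

# 5. Make DC2 a preferred bridgehead for IP. The GUI step "add the transport" writes
#    the transport's DN into the server object's bridgeheadTransportList attribute.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$server      = "CN=DC2,CN=Servers,CN=Second,CN=Sites,$configNC"
Set-ADObject -Identity $server -Add @{ bridgeheadTransportList = $ipTransport }

# To hand the choice back to the ISTG:
# Set-ADObject -Identity $server -Remove @{ bridgeheadTransportList = $ipTransport }
```

After step 5, run repadmin /kcc on the ISTG of site Second and then repadmin /bridgeheads again; DC2 should now be listed for the IP transport.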

What is RPC (Remote Procedure Call)? -> RPC is the protocol over which Active Directory replication (the DRS interface) and many other DC-to-DC operations run, both within a site and across IP site links. Locating a DC in another site is not done by RPC but by the DC locator: the DC is found through the DNS SRV records that Netlogon registers, over LAN or WAN. Once the partner is known, the replication request goes over RPC to it, following the connection objects that the ISTG creates for inter-site replication and the KCC creates for intra-site replication.

What are inter-site and intra-site replication in AD?
Intra-site replication: replication between DCs in the same site. If one site has five domain controllers, each of them has to replicate with the others; the connection objects for this are created by the KCC, the traffic is uncompressed and it is triggered by change notification.

Inter-site replication: replication between DCs in different sites. When there are several sites, the ISTG of each site selects a bridgehead server, and the bridgehead is responsible for replicating the changes to the other site over the site link; the traffic is compressed and follows the site link's schedule and interval.

What is a site in AD?
-> A site is a set of well-connected IP subnets, usually one physical location. When an organization has several locations connected over WAN links with different network setups, each location is defined as a site. Sites are created in Active Directory Sites and Services, and domain controllers are placed in the site that matches their location. Sites determine which DCs clients use for authentication and how replication between locations is scheduled.
Two sites (Main and Second) are shown in the figure below.

***A domain controller can be moved to another site by dragging it into that site's Servers container in Active Directory Sites and Services.***

What is replication in AD?
-> When an object is changed on one DC, the change must be copied to every other DC that holds that partition, so that users get consistent results from any DC on the network and no DC ends up holding conflicting data. AD replication is multi-master: every writable DC accepts changes, and conflicting changes are resolved by version number and timestamp.

What is a site link in AD?
-> With more than one site, a site link has to connect them so that they can replicate with each other. The link carries the cost, interval and schedule the ISTG uses to pick the path for inter-site replication; the path with the lowest total cost wins, so a well-designed set of links keeps replication from being delayed. By default Active Directory creates one site, Default-First-Site-Name, and one site link, DEFAULTIPSITELINK.

What is a subnet in Active Directory?
-> A subnet object maps an IP range to a site. One site can own many subnets, but each subnet belongs to exactly one site. A client whose IP address falls within a subnet is directed to the DCs of that subnet's site for authentication and for locating resources; a client whose address matches no subnet is sent to an arbitrary DC.
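The site, subnet and DC placement described above, as an added example that is not from the original post. It assumes the ActiveDirectory RSAT module and nltest; the site name Second, the subnet ranges, the DC name DC2 and the domain corp.example are placeholders.

```powershell
# Added example (not from the original post): create a second site, map subnets to it,
# move a DC into it and find clients that match no subnet. Names are placeholders.
Import-Module ActiveDirectory

# 1. The site and its subnets. A subnet belongs to exactly one site; a site can own many.
New-ADReplicationSite -Name 'Second'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'Second' -Location 'Branch office'
New-ADReplicationSubnet -Name '10.3.0.0/24' -Site 'Second'

# 2. Move DC2 out of Default-First-Site-Name into the new site
#    (same effect as drag-and-drop in Sites and Services).
Move-ADDirectoryServer -Identity 'DC2' -Site 'Second'

# 3. Verify the subnet -> site mapping and flag subnets tied to no site.
Get-ADReplicationSubnet -Filter * -Properties Site, Location |
    Select-Object Name, Location,
        @{n='Site'; e={ if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(none)' } }}

# 4. From a client: which site does this host believe it is in, and which DC did the
#    locator pick? If the site is wrong, fix the subnet object, not the client.
nltest /dsgetsite
nltest /dsgetdc:corp.example

# 5. On a DC: clients whose address matched no subnet appear in Netlogon's log as
#    NO_CLIENT_SITE lines (last token is the client IP). Each one is a missing subnet.
$log = Join-Path $env:SystemRoot 'debug\netlogon.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'NO_CLIENT_SITE' |
        ForEach-Object { ($_.Line -split '\s+')[-1] } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

Step 5 is the fastest way to find the subnets an AD design forgot: every address range it reports is authenticating against whichever DC the locator happened to return, often across the WAN.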

How to find out which DC (domain controller) holds the FSMO roles from the command line (cmd).
-> run -> cmd -> netdom query fsmo

Protocols used in Active Directory.
   -> LDAP
   -> Kerberos
   -> NTLM
   -> RPC
   -> DNS
   -> IP
   -> SMTP (inter-site replication only)

Difference between the Kerberos and NTLM protocols.
-> NTLM is a challenge/response protocol with three messages (Negotiate, Challenge, Authenticate). The client talks only to the server, and the server forwards the client's response to a domain controller over its Netlogon secure channel to have it verified. Kerberos is ticket based: the client first obtains a ticket-granting ticket from the KDC (Key Distribution Center, a service running on every DC), then asks the KDC's Ticket Granting Service for a service ticket for the target server, and presents that ticket to the server, which can verify it without contacting a DC. So in Kerberos the client must be able to reach a DC, whereas in NTLM the client contacts the server and the server contacts the DC.
-> NTLM is older and weaker than Kerberos: it offers no mutual authentication, and its challenge/response can be relayed or replayed (pass-the-hash), which is why NTLM use should be audited and reduced.
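A way to see which of the two protocols logons on a host actually use, as an added example that is not from the original post. It reads logon events (ID 4624) from the Security log, so it assumes logon auditing is enabled and that it runs elevated; the 5000-event limit is arbitrary.

```powershell
# Added example (not from the original post): which authentication package logons
# on this host use, from Security event 4624. Assumes audit logon success is enabled.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

function Get-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Read fields by name from the event XML, so the code does not depend on
    # the positional index of each property.
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Type    = $data.LogonType                  # 2 interactive, 3 network, 10 RDP ...
        Package = $data.AuthenticationPackageName  # Kerberos, NTLM or Negotiate
        LmPkg   = $data.LmPackageName              # 'NTLM V1' / 'NTLM V2' when NTLM was used
        Source  = $data.IpAddress
    }
}

$logons = $events | ForEach-Object { Get-LogonRecord $_ } |
    Where-Object { $_.User -notmatch '\$$' -and $_.Type -in '2', '3', '10' }  # skip computer accounts

# Share of NTLM vs Kerberos. NTLM on a domain-joined host that can reach a DC usually
# means a client connected by IP address instead of hostname, or an SPN is missing.
$logons | Group-Object Package | Select-Object Name, Count | Sort-Object Count -Descending

# NTLMv1 is the one to hunt down: its responses are trivially cracked or relayed.
$logons | Where-Object LmPkg -eq 'NTLM V1' |
    Sort-Object Time -Descending | Select-Object -First 20 Time, User, Source

# The Kerberos side of the picture: tickets held by the current logon session.
klist
```

The NTLM entries are the list to work through before enabling NTLM blocking by Group Policy; each one names the account and source address that would break.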

Why and how do we seize an FSMO role in AD?
-> When a domain controller holding one or more FSMO roles fails for any reason and there is no way to bring it back online (the DC has crashed beyond recovery), the roles have to be moved to another DC. A normal transfer is impossible because it needs the old holder online, so the role is seized: it is forced onto a surviving DC without the old holder's cooperation. Seize only when the old DC will never return; a seized holder that comes back online creates two masters for the same role.

 => Seize an FSMO role using PowerShell

PowerShell command ->  Move-ADDirectoryServerOperationMasterRole -Identity <TargetDC> -OperationMasterRole DomainNamingMaster -Force   (the role is one of SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster or InfrastructureMaster; without -Force the same cmdlet performs a normal transfer)

 => Seize an FSMO role using the ntdsutil command

open command = start -> run -> cmd -> ntdsutil
ntdsutil: roles -> connections -> connect to server DC1 (the DC that should take over the role) -> quit -> seize naming master   (or: seize schema master, seize PDC, seize RID master, seize infrastructure master)

Please see the command-line figure below for seizing an FSMO role with ntdsutil.


-> After performing the steps above we need to perform metadata cleanup, which removes the failed DC's objects (server, NTDS Settings, computer account, DNS records) from the directory.
We perform metadata cleanup for two reasons:
 1. after seizing FSMO roles from a dead DC
 2. when any regular DC fails and cannot be brought back online

How to perform metadata cleanup.
-> See the separate post on metadata cleanup in Active Directory.
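The seize procedure above as one script, with verification before and after, as an added example that is not from the original post. It assumes the ActiveDirectory RSAT module, Enterprise Admin and Schema Admin rights, a surviving DC named DC2 (placeholder) and a dead former holder.

```powershell
# Added example (not from the original post): move all five FSMO roles onto DC2,
# seizing only the ones whose current holder is gone, then confirm. DC2 is a placeholder.
Import-Module ActiveDirectory
$target = 'DC2'

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", as an object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
'Before:'; $before

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
foreach ($role in $roles) {
    $holder = ($before.$role -split '\.')[0]
    if ($holder -eq $target) { continue }
    # A reachable holder gets a normal transfer; only an unreachable one is seized.
    # Ping is a crude liveness test: confirm the old DC is really gone before relying on it.
    $alive = Test-Connection -ComputerName $before.$role -Count 1 -Quiet
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role `
        -Force:(-not $alive) -Confirm:$false
}

'After:'; Get-FsmoHolders

# What must follow a seizure:
#  - Never power the old holder on again; a second RID master hands out duplicate RIDs
#    and a second schema master accepts conflicting schema changes. Rebuild it instead.
#  - Remove the dead DC's metadata (the metadata cleanup step of this post) so the KCC
#    stops creating connection objects to it.
#  - Confirm the new RID master is issuing pools:  dcdiag /test:ridmanager
dcdiag /test:ridmanager
```

Running the script twice is harmless: on the second pass every role already sits on DC2 and the loop skips it.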


What are the Active Directory partitions (naming contexts)?
  -> Schema partition
  -> Domain partition
  -> Configuration partition
  -> Application partition

Explain all the Active Directory partitions.
  -> Schema partition: exactly one schema partition exists per forest. It defines every object class and attribute that can exist in the forest, i.e. the rules for creating objects in Active Directory, and it is replicated to every domain controller in the forest. Only the schema master accepts writes to it.

 -> Configuration partition: one per forest. It contains the forest-wide topology: the domains, sites, subnets, site links, connection objects and service configuration. It is replicated to every DC in the forest.

-> Domain partition: one per domain. It contains the users, groups, computers, OUs and other objects of that domain and is replicated only to the domain controllers of that domain. Global catalog servers additionally hold a read-only partial copy of every domain partition in the forest.

-> Application partition: holds data for a specific application, with a replication scope chosen by the administrator instead of being fixed to a domain or the forest. The best-known ones are the AD-integrated DNS zone partitions ForestDNSZones (replicated to every DC running DNS in the forest) and DomainDNSZones (replicated to every DC running DNS in the domain).
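An added example, not from the original post, that lists the partitions described above as a DC sees them and shows which DCs hold each application partition. It assumes the ActiveDirectory RSAT module and repadmin.

```powershell
# Added example (not from the original post): enumerate naming contexts on this DC
# and the replica scope of every partition in the forest.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

# 1. The partitions this DC hosts. Schema and configuration are forest-wide,
#    defaultNamingContext is this DC's domain; anything else is an application partition.
$fixed = @($root.schemaNamingContext, $root.configurationNamingContext, $root.defaultNamingContext)
[pscustomobject]@{
    Schema        = $root.schemaNamingContext
    Configuration = $root.configurationNamingContext
    Domain        = $root.defaultNamingContext
    Application   = @($root.namingContexts | Where-Object { $_ -notin $fixed })
} | Format-List

# 2. Every partition in the forest is described by a crossRef object under CN=Partitions
#    in the configuration NC. systemFlags bit 0x2 marks a domain, 0x4 an application
#    partition; msDS-NC-Replica-Locations lists the DCs holding an application partition.
Get-ADObject -SearchBase "CN=Partitions,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, systemFlags, 'msDS-NC-Replica-Locations' |
    Select-Object @{n='Partition'; e={ $_.nCName }},
        @{n='Kind'; e={
            if ($_.systemFlags -band 0x2) { 'domain' }
            elseif ($_.systemFlags -band 0x4) { 'application' }
            else { 'schema/config' }
        }},
        @{n='Replicas'; e={
            ($_.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        }} |
    Format-Table -AutoSize

# 3. Replication status per partition on this DC: partners, last attempt, last success.
repadmin /showrepl
```

The Replicas column is what to check when DNS behaves differently on two DCs: a DC missing from the DomainDNSZones replica list is not receiving that zone through AD replication at all.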

What is a UPN (User Principal Name) in AD?

 -> The User Principal Name is the logon name of a user or service account written in e-mail address form: the account name, then @, then a UPN suffix (user@<UPN suffix>). By default the suffix is the DNS name of the domain the account belongs to, and additional suffixes can be added in Active Directory Domains and Trusts so that users can log on with a shorter or company-wide name. A UPN must be unique across the forest.

What is a distinguished name in Active Directory?

-> The distinguished name (DN) uniquely identifies an object and gives its position in the directory hierarchy, read from the object outward to the forest root: the object's common name (CN), the containers or OUs above it, and finally the domain components (DC).
ex- cn=Jeff Smith,ou=promotions,ou=marketing,dc=noam,dc=proseware,dc=com

If the schema partition is corrupted, can we restore it from backup?
-> Not on its own: an authoritative restore of the schema partition is not supported (ntdsutil refuses it), because schema changes are meant to be permanent and every DC in the forest carries the same copy. If the schema really is damaged, the only option is a forest-wide recovery: restore one DC in each domain from backup and rebuild the remaining DCs.

What is an SPN (Service Principal Name) in Active Directory?
-> An SPN is registered on the account (service account, computer account or user account) under which a service runs, so that Kerberos can map the service a client wants to use onto the Windows account responsible for it. The mapping is needed because a client composes the SPN from the service class, the host name and optionally the port it is connecting to, asks the KDC for a ticket to that name, and the KDC must know which account's key to encrypt the ticket with. Many services register their own SPNs for this reason; Microsoft SQL Server, for example, registers one when TCP/IP is enabled so that clients can use Kerberos instead of falling back to NTLM.
Because the SPN ties a service on a particular server to one account, the client can also verify that it is talking to the genuine service, which is what makes mutual Kerberos authentication possible. If the SPN is missing, or the same SPN is registered on two accounts, Kerberos cannot be used and the client falls back to NTLM or fails.

-> How to create an SPN (Service Principal Name):

    -> First open Active Directory Users and Computers (dsa.msc)
         -> click View -> Advanced Features (must be checked)

-> Now browse to the object in its OU. The Attribute Editor tab is not shown for objects opened from the Find dialog, so the object has to be located manually.
   -> right-click the object -> Properties -> Attribute Editor -> servicePrincipalName

 -> How to create / set / view an SPN (Service Principal Name) from the command line:
       -> setspn -F -S http/daserver daserver1
           -> Registers the SPN "http/daserver" for the computer account "daserver1" after checking (-S) that no such SPN already exists; -F extends the duplicate check to the whole forest instead of the current domain.
       -> setspn -L svcc   (-L lists the SPNs registered on the account svcc)

-> setspn -R svcc   (resets the account's default HOST/ SPNs; used for troubleshooting broken SPN registration on a computer account)
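The same operations with the ActiveDirectory module, plus the audit a practitioner runs on SPNs, as an added example that is not from the original post. The account svc-web, the host daserver and the domain corp.example are placeholders; it assumes the ActiveDirectory RSAT module and setspn.

```powershell
# Added example (not from the original post): register, list and audit SPNs.
# svc-web, daserver and corp.example are placeholder names.
Import-Module ActiveDirectory

# 1. Register an SPN on a service account (what "setspn -S" does), refusing duplicates:
#    two accounts with the same SPN make Kerberos fall back to NTLM or fail outright.
function Add-ServiceSpn {
    param([string]$Account, [string]$Spn)
    $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
    if ($dup -and $dup.Name -ne $Account) {
        throw "SPN $Spn is already registered on $($dup.DistinguishedName)"
    }
    Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn }
}
Add-ServiceSpn -Account 'svc-web' -Spn 'HTTP/daserver.corp.example'
Add-ServiceSpn -Account 'svc-web' -Spn 'HTTP/daserver'   # short name, for clients that use it

# 2. List the SPNs on the account (equivalent of "setspn -L svc-web").
(Get-ADUser -Identity 'svc-web' -Properties servicePrincipalName).servicePrincipalName

# 3. Forest-wide duplicate check (equivalent of "setspn -X -F").
setspn -X -F

# 4. Audit: any domain user can request a service ticket for every account that has
#    an SPN and crack it offline (Kerberoasting). The weak spots are user accounts with
#    old passwords and RC4-only encryption (msDS-SupportedEncryptionTypes unset or 4).
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
        @{n='EncTypes'; e={ $_.'msDS-SupportedEncryptionTypes' }},
        @{n='SPNs';     e={ $_.servicePrincipalName -join '; ' }} |
    Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts returned by step 4 with AdminCount = 1 deserve immediate attention: a cracked service-account password that is also a privileged account is a direct path to domain compromise, and the fix (long random password, AES-only encryption types, or a group managed service account) costs nothing.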

How to back up and restore Active Directory with the built-in Windows tools.

-> Active Directory is backed up as part of the system state, using either the command-line tool or the GUI.
  -> First install the Windows Server Backup feature (Windows Server Backup plus the command-line tools).
 -> run -> cmd -> wbadmin start systemstatebackup -backupTarget:D:   (writes the system state backup to drive D:; the target must not be the system volume)

  => Commands to restore from backup:

                       -> wbadmin get versions -backupTarget:D:

                        -> wbadmin start systemstaterecovery -version:03/31/2013-09:00 -backupTarget:D:   (03/31/2013-09:00 is the version identifier of the backup to restore, taken from the get versions output)
   -> A system state recovery of a domain controller must be run after booting into Directory Services Restore Mode. It is a non-authoritative restore; to make the restored objects win over the copies on the other DCs, run ntdsutil "authoritative restore" before rebooting normally.

GUI tool:

   => Windows Server 2008 R2
 -> Open Windows Server Backup
 -> In the Actions pane click Backup Once
 -> Leave Different options selected, click Next
 -> Choose Custom, click Next
 -> Click Add Items
 -> Select System state, click Next
 -> Specify the backup destination: a local drive (other than the system volume) or a network share
 -> Click Backup to start the system state backup
 -> You may close the wizard; the backup operation continues to run in the background
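The command-line procedure above as a script, with the checks that make the backup restorable, as an added example that is not from the original post. It assumes an elevated session on the DC, a data volume D: as the target, the ActiveDirectory RSAT module and repadmin; the volume letter and the version string are placeholders.

```powershell
# Added example (not from the original post): system state backup of a DC with wbadmin,
# plus the checks that decide whether the backup can still be restored. D: is a placeholder.
Install-WindowsFeature -Name Windows-Server-Backup -IncludeManagementTools

# 1. System state (AD database, SYSVOL, registry, boot files) to D:.
#    -quiet suppresses the confirmation prompt so this can run from a scheduled task.
wbadmin start systemstatebackup -backupTarget:D: -quiet

# 2. Available versions; the version identifier printed here is what a restore needs.
wbadmin get versions -backupTarget:D:

# 3. A backup older than the tombstone lifetime must not be restored: the DC would
#    reintroduce objects that the rest of the domain has already deleted and forgotten.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl = $dsObject.tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent = the old default of 60 days
"Tombstone lifetime: $tsl days; backups older than that are unusable."
repadmin /showbackup            # date each partition was last backed up, as recorded in AD

# 4. Restore. Boot into Directory Services Restore Mode first; on a live DC this fails.
#    The version string below is a placeholder taken from "wbadmin get versions".
#    wbadmin start systemstaterecovery -version:03/31/2013-09:00 -backupTarget:D: -quiet
#    Add -authsysvol when this DC's SYSVOL must overwrite the other DCs' copies; for an
#    authoritative restore of AD objects run ntdsutil "authoritative restore" before the
#    normal reboot.
```

repadmin /showbackup is the cheapest monitoring check for AD backups: the date it reports comes from the directory itself, so it cannot be faked by a backup job that completed without actually capturing the system state.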

What is DNS Server,how DNS works With Active Directory


