Active Directory

How To Transfer FSMO (Flexible Single Master Operation) Role on Server 2003 Network Environment.

In a forest, there are at least five FSMO roles (Operation master Role) that are assigned to one or more domain controllers. Th.e five FSMO roles are
  • Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
  • Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
  • Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
  • Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
  • PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
 
Transfer The Schema Master Role
Before transferring the schema master role must be resister "Schmmgmt.dll" file
Register Schmmgmt.dll

1. Click Start, and then click Run.

2. Type  "regsvr32 schmmgmt.dll"  in  the Open box, and  then click  OK.

3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

1. Click Start, click Run,  type mmc in the Open box,  and then  click OK.

2. On the File, menu and click Add/Remove Snap-in.

3. Click Add.

4. Click Active Directory Schema,click Add, click Close,and then click OK

5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.

6. Click Specify Name, type the  name  of  the domain controller that will be the new role holder, and then click OK.

7. In the console tree, right-click Active Directory Schema, and then click Operations Master.

8. Click Change.

9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

 
[NOTE:- You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.]
3. Do one of the following:
  • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
  • select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
[NOTE: -You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.]
3. Do one of the following:
  • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
  • Select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
 
Transfering The FSMO Roles Via NTDSUTIL
[Note: -Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality]
  • On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp.  C:\WINDOWS>ntdsutil ntdsutil:
  • Type roles, and then press ENTER.
ntdsutil: roles fsmo maintenance:
[Note: -To see a list of available commands at any of the prompts in the Ntdsutil tool, "type ?" And then press ENTER]
  • Type connections, and then press ENTER.
fsmo maintenance: connections server connections:
  • Type connects to server, where is the name of the server you want to use, and then press ENTER.
Server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:
  • At the server connections: prompt, type q, and then press ENTER again.
Server connections: q fsmo maintenance:
  • Type transfer. Where is the role you want to transfer?
For example, to transfer the RID Master role, you would type transfer rid master:
Options are: Transfer domain naming master Transfer infrastructure master Transfer PDC Transfer RID master Transfer schema master
1. You then as a warning popup asking if you want to perform the transfer. Select yes to continue.
2. Then after you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
3. Restart the server and make sure you update your backup.

How to Check Active Directory  Installation on Windows Server 2003 (Win-2k3)

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools installed.

[After install active directory five extra administrative tools install :-( 1) Active Directory Domain and Trust, (2) Active Directory Sites and Service, (3) Active Directory Users and Computers, (4) Domain Controller Security Policy, (5) Domain Security Policy]
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.
 
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.  [Here ""NETWORKINGSTUDY"" is computer name]
 
4. If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it
took you to log on. The "Preparing Network Connections" windows will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).
 
Might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
 
Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.
To try and fix the problems first see if the zone is configured to accept dynamic updates.
 
5. Right-click the zone you created, and then click Properties
 
6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop-down list, and then click OK to accept the change.
 
7. You should now restart the NETLOGON service to force the SRV registration. You can do it from the Services console  
In Administrative tools:\services    or    Run- services.msc
-Or-
From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".
 
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be  exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running DCPROMO.
 
8. Check the NTDS folder for the presence of the required files.
 
9. Check the SYSVOL folder for the presence of the required subfolders.
 
10. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
 
If all of the above is ok, I think it's safe to say that your AD is properly installed. If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.

NS (Domain Name System or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to198.105.232.4.

             The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
             Domain Name System is used to map IP address to host name and host name to IP Address. It organizes the name in hierarchical order. The root domain is repressed by a dot (.) or a Full Qualify Domain Name (FQDN) is identified by a dot in the last.
 
DNS Resolvers
DNS works in a client/server fashion. DNS servers respond to requests from DNS clients called resolvers. ISPs and other organizations set up local DNS resolvers as well as servers. Most DNS servers also act as resolvers, routing requests up the tree to higher-level DNS servers, and also delegating requests to other servers. DNS servers eventually return the requested mapping (either address-to-name or name-to-address) to the resolver.
 
DNS Records
DNS records or Zone files are used for mapping URLs to an IPs. Located on servers called the DNS servers, these records are typically the connection of your website with the outside world. Requests for your website are forwarded to your DNS servers and then get pointed to the Web Servers that serve the website or to Email servers that handle the incoming email.
DNS Records Types:-
This List of DNS record types provides an overview of types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes.
The below DNS records are mostly used in all DNS Configurations. Now we will see each one with examples
 
Type
Value (decimal)
Defining RFC
Description
Function
 
A
 
1
 
RFC 1035
 
address record
Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.
AAAA
28
RFC 3596
IPv6 address
record
Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
CNAME
5
RFC 1035
Canonical name
record
Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.
MX
15
RFC 1035
Mail exchange
record
Maps a domain name to a list of message transfer agents for that domain
 
PTR
 
12
 
RFC 1035
 
pointer record
Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed, just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.
NS
2
RFC 1035
name server
record
Delegates a DNS zone to use the given authoritative name servers
 
SOA
 
6
 
RFC 1035
 
start of authority
record
Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to
 
SRV
 
33
 
RFC 2782
 
Service locator
Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
 
 
 
TXT
 
 
 
16
 
 
 
RFC 1035
 
 
 
Text record
Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework (although this provisional use of TXT records is deprecated in favor of SPF records), Domain Keys, DNS-SD, etc.
 
NAPTR
 
35
 
RFC 3403
Naming Authority Pointer
Allows regular expression based rewriting of domain names which can then be used as URIs, further domain names to lookups, etc

Name Space

The domain name space consists of a tree of domain names. Each node or leaf in the tree has zero or more resource records, which hold information associated with the domain name. The tree sub-divides into zones beginning at the root zone. A DNS zone may consist of only one domain, or may comprise many domains and sub-domains, depending on the administrative authority delegated to the manager.
             DNS is the name service provided by the Internet for TCP/IP networks. DNS is broken up into domains, a logical organization of computers that exist in a larger network. The domains exist at different levels and connect in a hierarchy that resembles the root structure of a tree.
DOMAIN NAME REGISTRATION
The right to use a domain name is delegated by domain name registrars which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization charged with overseeing the name and number systems of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by an administrative organization, operating a registry.
         ICANN publishes the complete list of TLD registries and domain name registrars. Registrant information associated with domain names is maintained in an online database accessible with the WHOIS service. For most of the more than 240 country code top-level domains (ccTLDs), the domain registries maintain the WHOIS (Registrant, name servers, expiration dates, etc.)
DNS ZONE
Zones are name space area represented by a FQDN in other words information about records of the resource within your DNS domain in stored in a zone file and this zone file exists on the hard drive of one of your name space server. General there is two types: - (1) Forward lookup zone (2) Reverse lookup zone.
 
Zone Categories
Zone in divided in three categories
  1. Primary Zone: - A primary zone server is the master server of that zone. It includes all the records.
  2. Secondary Zone: -This are called backup zone server and contains the copiers of master sever records.
  3. Stub Zone: -Stub zone one mini zone that contains few records that host for master zone. It is similar to the secondary zone but it contains only following records.
  • SOA(Start Of Authority)Record
  • NS (Name Space) Record
  • Host (A) Records
 
DNS Delegation
It is process of Transferring authority a zone from one server to another server.
Likewise, an organization administering a domain can divide it into sub domains. Each of those sub domains can be delegated to other organizations. This means that an organization becomes responsible for maintaining all the data in that sub domain. It can freely change the data, and even divide up its sub domain into more sub domains and delegate those. The parent domain retains only pointers to sources of the sub domain's data so that it can refer queries there.

How to Install Active Directory on Windows Server 2003 (Win-2k3) Step By Step

First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the Requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN). Here is a quick list of what you must have:
  • An NTFS partition with enough free space.
  • An Administrator's username and password.
  • The correct operating system version (Windows server 2003 any version-web, standard, enterprises, datacenter).
  • A NIC.
  • Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway, DNS).
  • A network connection (to a hub or to another computer via a crossover cable).
  • An operational DNS server (which can be installed on the DC itself) and proper configure or may be later.
  • A Domain name that you want to use.
  • The Windows Server 2003 CD media (or at least the i386 folder).
  • Brains (recommended, not required...).
[Note: - This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follows the Windows 2003 AD Prep tip.]
 
Running DCPROMO
1. Click Start, point to Run and type "dcpromo".
   
2. The wizard windows will appear. Click Next.
  
3. In the Operating System Compatibility windows read the requirements for the domain's clients and if you like what you see -press next.
 
4. If you already configure TCP/IP then DC installation wizard is going on, otherwise see instruction of configuring TCP/IP, then configure properly and run DCPROMO again.   
 
5. Choose Domain Controller for a new domain when this server will become the first domain controller in the new domain and click next.
[Note:-If you have already a domain controller in your network environment and you want to create ADC -Additional domain controller then can select second option "Additional domain controller for an existing domain"
When you select this computer ask user name and password of domain controller]
 
6. Choose and create a new Domain in a new forest and click next.
 
7. Enter the full DNS name of the new domain, for example - networkingstudy.in - this must be the same as the DNS zone you will create, and the same as the computer name suffix you've created in Installation time and then click next.
This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
 
8. Accept the down-level NetBIOS domain name, in this case it's NETWORKINGSTUDY, Click Next
 
9. Accept the Database and Log file location dialog box (unless you want to change them of course). Click Next
The location of the files is by default %systemroot%\NTDS (windows Folder\NTDS), and you should not change it unless you have performance issues in mind.
 
10. Accept the Sysvol folder location dialog box (unless you want to change it of course). Click Next.
The location of the files is by default %systemroot%SYSVOL (Windows Folder/SYSVOL) and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers.
[Note: - The SYSVOL folder stores the server's copy of the domain's public files. The contents of the folder are replicated to all domain controllers in the domain.]
 
11. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain.
  • If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address.To let Dcpromo do the work for you, Then select "Install and configure the DNS server..." (Best for first Time)
  • If you want install and configure DNS later after install AD then select "I will correct the problem………." Otherwise, you can accept the default choice and then quit Dcpromo and Install DNS first. Click Next.

 
12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings, unless you have Legacy apps running on Pre-W2K servers. Click Next
[Note: -If you have only pre-Windows 2000 clients then select first option "Permissions compatible with pre-windows 2000 server OS"
If you have only windows 200, 2003, XP or latest client then selects second option "Permissions compatible only with windows 2000 or windows server 2003 operating systems"]
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can be later changed via NTDSUTIL. Click Next.
 
14. Review your settings and if you like what you see - Click Next.
 
15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!! You'll
Wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
 
16. If all went well you'll see the final confirmation window. Click Finish.
 
17. You must reboot in order for the AD to function properly. Click "Restart Now"
Active Directory Object
An Active Directory structure is a hierarchical framework of objects. The data stored in Active Directory, such as information about users, printers, servers, databases, groups, computers, and security policies, is organized into objects. The objects fall into two broad categories:- resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs) used to control access and set security.
         An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account object might include the user's first name, last name, and logon name, while the attributes of a computer account object might include the computer name and description
  • All objects stored in Windows Server 2003's Active Directory Database will have the following attributes attached.
Method-Every object will have the following in common, such as creating the object, opening the object, and deleting the object. Properties-All Active Directory object have a set of properties or attributes. Collection-If an attribute can contain more then a single value (such as the member of a group object), these values are stored as collection or an array of values.
Computers
A computer object is a software representation of a physical entity, namely, the computer. It represents level of participation in the Active Directory domain. This level of participation usually has to do with security.
Users
User accounts comprise the meat and potatoes of Windows Server 2003 domain administrator. All computing activities, whether it be access to are source or backing up a file occur in the context of a user account. An account is needed to interact with the network and is issued an access token at logon time.
Groups
A group object is just another type of account, much like a user account. However, this account's purpose is to store a list. In this is an inventory of all the user account that belongs to the group account. The access token
Is a register of the user account and all the group to which it belongs. It is proffered to resource in the domain for the purpose of determining access.
Printers
In a windows server 2003 domain, you have the option of creating software object in Active Directory object shared printer in your enterprises. The advantage of creating an Active Directory object for each printer (rather then just creating the shared printer on a printer server) is that it enables users to find an enterprise's printer more easily by conducting a search through Active Directory.
 
FSMO Roles
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. The active directory maintenance pair to pair model, each of this pair updates AD information using multi-master replication model. A certain change in active directory then this update to multi server. In a forest, there are at least five FSMO roles (Operation master Role) that are assigned to one or more domain controllers. The five FSMO roles are
 
Role Name
Scope
Description
 
Schema Master
 
1 per forest
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain Naming Master
1 per forest
The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
 
 
 
PDC Emulator
 
 
 
1 per domain
The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
 
RID (Relative ID) Master
 
1 per domain
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
Infrastructure Master
1 per domain/partition
The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
 
Trust
Trust is the relationship between different domains which perform cross domain logon and used of shared resources.
     To allow users in one domain to access resources in another, Active Directory uses trusts.] Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non transitive, one- or two-way), or external (non transitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
  • One-way trust - One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust - Two domains allow access to users on both domains.
  • Trusting domain - The domain that allows access to users from a trusted domain.
  • Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust - A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive trust - A one way trust that does not extend beyond two domains.
  • Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
  • Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server - supports the following types of trusts:
  • Two-way transitive trusts.
  • One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
  • Shortcut
Windows Server 2003 offers a new trust type - the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust isKerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.
 
ADAM/AD LDS
Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service, on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
  • Like Active Directory, ADAM provides a Data Store, which is a hierarchical data store for storage of directory data, a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
  • In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory Services).

Additional information

Commentics

<p>Currently under general maintenance.</p><p>Please check back shortly. Thanks.</p>