Thursday, September 12, 2013

Active Directory - Part 5

201. What is LDIFDE?

It is a command-line utility, available on all Windows Server 2003 editions, that can be used to automate the creation of groups.

# Command to create a group: dsadd group GroupDN -scope {l|g|u}

# Group types can be changed only when the domain functional level is at least Windows 2000 native.

Computer accounts

We must be a member of the Administrators or Account Operators group on the domain controller to create a computer object in Active Directory. (Each user in the Authenticated Users group is allowed to join 10 computers to the domain and can therefore create as many as 10 computer objects in this manner.)

We can use the DSADD, NETDOM ADD and NETDOM JOIN commands to add computers to a domain.

The Computers container is the default location for computer objects in Active Directory. When a machine joins the domain and there is no existing account in the domain for that computer, a computer object is created automatically in the Computers container.
The Windows Server 2003 Resource Kit includes the REDIRCMP tool, which allows redirecting the automatic creation of computer objects to an OU of our choice.

COMPUTER ACCOUNTS

If we join a computer to the domain, a computer object is created automatically in the Computers container. (Authenticated users are allowed to join 10 computers to the domain and can therefore create as many as 10 computer objects in this manner.)

To add a computer using DSADD:

dsadd computer ComputerDN

If a computer is taken offline or is not to be used for an extended period of time, we can disable the account. Disabling the account does not modify the computer's SID or group membership. When the computer is brought back online the account can be enabled.

If the computer fails to communicate with the domain, resetting the computer account is the first thing to try.

Files and Folders

Share Permissions

Read: Users can display folder names and file names.
Change: Users can create folders, add files to folders, change data in files, and delete folders and files.
Full Control: Users can change file permissions, take ownership of files, and perform all tasks allowed by the Change permission.
Share permissions can be allowed or denied. The effective set of share permissions is the cumulative result of the Allow permissions granted to a user and to all groups to which that user belongs. However, a Deny permission overrides an Allow permission.
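As an added example (not from the original notes), the following Python code models how effective share permissions combine: Allow entries for the user and for every group the user belongs to are accumulated, and any Deny entry wins. The permission levels are reduced to named rights, and the users, groups and entries are constructed sample data; real Windows ACLs use access-mask bits, which this model deliberately simplifies.

```python
"""Effective share permission calculation (simplified model).

Added example, not code from the original notes. Allow entries are cumulative
across the user and all of the user's groups; a Deny entry anywhere removes
the denied rights. LEVELS, the users and groups, and the ACEs are constructed.
"""
from dataclasses import dataclass

# Rights implied by each share permission level (Change includes Read,
# Full Control includes Change). Simplified from the real access-mask bits.
LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions", "take_ownership"},
}

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    level: str       # "Read", "Change" or "Full Control"
    allow: bool      # True for an Allow entry, False for a Deny entry

def effective_rights(user: str, groups: dict, aces: list) -> set:
    """Return the rights the user effectively holds on the share.

    groups maps a group name to the set of its members. All Allow entries that
    apply to the user or one of the user's groups are unioned; all applicable
    Deny entries are then subtracted, so a Deny wins over any Allow.
    """
    principals = {user} | {g for g, members in groups.items() if user in members}
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal not in principals:
            continue
        (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return allowed - denied

def effective_level(user: str, groups: dict, aces: list) -> str:
    """Name the highest permission level fully covered by the effective rights."""
    rights = effective_rights(user, groups, aces)
    for level in ("Full Control", "Change", "Read"):
        if LEVELS[level] <= rights:
            return level
    return "None"

# Constructed sample: alice is in Staff; bob is in Staff and Contractors; carol is an admin.
GROUPS = {"Staff": {"alice", "bob"}, "Contractors": {"bob"}, "Admins": {"carol"}}
ACES = [
    Ace("Staff", "Read", True),            # everyone in Staff can read
    Ace("alice", "Change", True),          # alice's own Allow adds write and delete
    Ace("Contractors", "Read", False),     # Deny on a group bob belongs to: bob loses read
    Ace("Admins", "Full Control", True),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, effective_level(who, GROUPS, ACES), sorted(effective_rights(who, GROUPS, ACES)))
```

alice ends up with Change (her Allow is added to the Staff Read), bob ends up with nothing because the Contractors Deny removes the read right his Staff membership granted, and a user who appears in no entry gets nothing at all.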

Who can take ownership?
Administrators
Users, if they have been granted the Take Ownership permission
Administrators can also facilitate the transfer of ownership

IIS

To decrease the attack surface of a Windows Server system, IIS is not installed by default. After installation it appears in Administrative Tools.

Users can also install device drivers if:
1. The device driver has a digital signature.
2. No further action is required to install the device.
3. The device driver is already on the computer.

The Roll Back Driver feature is accessible through the Properties page of the device.

Windows automatically backs up the driver that is being replaced during the Update Driver process, making it available through the Roll Back option.

What happens if you select the Last Known Good Configuration?
It restores HKLM\SYSTEM\CurrentControlSet with the old driver information.


When is DNS required?

1. Networks using Microsoft Windows 2000 or Windows Server 2003 domains. When computers are members of Windows 2000 or Windows Server 2003 domains, DNS must be configured. Active Directory is tightly integrated with DNS, and DNS is used by Active Directory as its locator service.
2. DNS for Internet or intranet access: We must use DNS if we need to connect to computers on the network or on the Internet by specifying host names.

When is NetBIOS required?

All workgroups using Windows 95, 98, Me and NT use NetBIOS. It is necessary for network clients using applications or services that require NetBIOS for name resolution, e.g. the Computer Browser service.
It is also required in networks for which DNS has not yet been fully configured, e.g. a workgroup in which no DNS server has been installed.

Advantages of disabling NetBIOS

1. The main advantage is that it improves network security. NetBIOS as a service stores information about network resources that can be collected by any host through broadcast-based queries.

2. It can simplify administration by reducing the number of naming infrastructures that have to be configured, maintained and supported.

The disadvantage of disabling NetBIOS is that it renders network browsing through the Microsoft Windows Network icon inoperable, as browsing depends on NetBIOS and the NetBT protocol.
Another disadvantage is that it decreases fault tolerance.


DNS Namespace:

The naming system on which DNS is based is a hierarchical and logical tree structure called the DNS namespace. It has a unique root and can have any number of subdomains.

Internet domain namespace: The root of the DNS domain namespace is managed by ICANN (Internet Corporation for Assigned Names and Numbers).
There are 3 types of top-level domains.

Organisational domains: Indicate the primary function or activity of the organisation.
Geographical domains: Contain 2-character country and region codes such as uk and it (Italy).
Reverse domains: Special domains named in-addr.arpa that are used for IP-address-to-name mappings.


DNS Zones
A DNS zone is a contiguous portion of a namespace for which a server is authoritative. A server can be authoritative for one or more zones, and a zone can contain one or more contiguous domains.

DNS Resolvers: A DNS resolver is a service that uses the DNS protocol to query DNS servers for information. DNS resolvers communicate with either remote DNS servers or the DNS server program running on the local computer.

Resource records: Resource records are DNS database entries that are used to answer DNS client queries. Each DNS server contains the resource records it needs to answer queries for its portion of the DNS namespace. Each resource record is described as a specific record type, such as host address (A), alias (CNAME) and mail exchanger (MX).

Understanding how a DNS query works

A DNS query contains 3 pieces of information:
1. A DNS domain name, stated as an FQDN.
2. A specified query type, which can specify a resource record by type.
3. A specified class for the DNS domain name.

DNS Resolution methods

DNS queries resolve in a number of different ways. In the basic scenario the DNS client contacts a DNS server, which then uses its own database of resource records to answer the query. However, by referring to its cache first, a DNS client can sometimes answer a query without contacting a server at all. Another way that DNS queries are often resolved is through recursion: using this process, a DNS server can query other DNS servers on behalf of the requesting client in order to resolve the FQDN. When the DNS server receives an answer to the query, it sends the answer back to the client. A final method by which DNS queries are resolved is iteration: through this process the client itself attempts to contact additional DNS servers to resolve a name. When the client does so, it uses separate, additional queries based on the referral answers from the DNS servers.

DNS query steps

A query begins at the client computer and is passed to the DNS Client service for resolution. The DNS Client service first tries to resolve the name by using locally cached information (the DNS resolver cache). If the queried name can be resolved, the query is answered and the process is complete. The local resolver cache contains information from two possible sources:

1. If a Hosts file is configured locally, any host-name-to-address mappings from that file are loaded into the cache when the DNS Client service is started and after the Hosts file is updated.
2. Resource records obtained in answers to previous DNS queries are added to the cache and kept for a period of time.
If the query is not answered from the cache, the resolution process continues with the client querying a DNS server to resolve the name.

The DNS Client service uses a server search list ordered by preference. The list includes all preferred and alternate DNS servers configured for each of the active network connections on the system. The client first queries the DNS server specified as the preferred DNS server in the connection's Internet Protocol properties dialog box. If no preferred DNS server is available, alternate DNS servers are used.

When a DNS server receives a query, it first checks to see whether it can answer the query authoritatively, that is, on the basis of information contained in a locally configured zone on the server. If the queried name matches a corresponding resource record in local zone information, the server answers authoritatively, using this information to resolve the queried name.

If no zone information exists for the queried name, the server then checks to see whether it can resolve the name by using locally cached information from previous queries. If a match is found there, the server answers with this information. If the preferred server can answer the requesting client with a positive matched response from its cache, the query is completed.

Recursion

If the queried name does not find a matched answer at its preferred server, the query continues: the DNS server contacts other DNS servers on behalf of the original querying client. If recursion is disabled on the DNS server, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.

Root hints
To perform recursion properly, the DNS server first needs to know where to begin searching for names in the DNS domain namespace. This information is provided in the form of root hints, a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace. (There is a preconfigured root hints file in the windows\system32\Dns folder.)

Query response types

1. Authoritative answer:
A positive answer returned to the client and delivered with the authority bit set in the DNS message. This authority bit indicates that the answer was obtained from a server with direct authority for the queried name.
2. Positive answer:
It contains a queried resource record matching the queried name and record type specified in the original query message.
3. Referral answer:
This type of answer is returned to the client if the recursion process is not supported by the DNS server. These records are meant to act as helpful reference answers that the client can use to continue the query by using iteration.
4. Negative answer:
This can indicate two possible results:
1. An authoritative server reported that the queried name does not exist in the DNS namespace.
2. An authoritative server reported that the queried name exists but no records of the specified type exist for that name.
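The following Python code, added here and not part of the original notes, ties together the three parts of a query listed above and the four response types: it encodes a query (FQDN, query type, query class) in DNS wire format, synthesises responses with chosen flags and section counts, and classifies each one by the authoritative bit, the response code and the answer/authority counts. The name www.example.com and the messages are constructed; nothing is sent over the network.

```python
"""DNS query encoding and response-type classification.

Added example, not code from the original notes. Builds a query from the three
parts described in the notes (FQDN, query type, query class), synthesises
responses with chosen flags and section counts, and classifies them as
authoritative, positive, referral or negative. Names and messages are
constructed; nothing is sent on the network.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "SRV": 33}
QCLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

def encode_name(fqdn: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(fqdn: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header with RD set, then one question entry: name, type, class."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack(">HH", QTYPE[qtype], QCLASS_IN)

def build_response(query: bytes, answers: int, authority: int, aa: bool, rcode: int,
                   rdata: bytes = b"") -> bytes:
    """Echo the question back with QR set and the requested flags and counts.

    Records are generic RRs whose owner is a compression pointer (0xC00C) to the
    question name; their content does not matter for classification.
    """
    txid, = struct.unpack(">H", query[:2])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0) | (rcode & 0xF)
    header = struct.pack(">HHHHHH", txid, flags, 1, answers, authority, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE["A"], QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rr * (answers + authority)

def parse_question(msg: bytes):
    """Return (fqdn, qtype, qclass) from the first question entry."""
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack(">HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def classify_response(msg: bytes) -> str:
    """Map header flags and section counts to the response types in the notes."""
    _, flags, _, ancount, nscount, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response: QR bit is clear")
    aa, rcode = bool(flags & FLAG_AA), flags & 0xF
    if rcode == RCODE_NXDOMAIN:
        return "negative: name does not exist"
    if rcode != RCODE_NOERROR:
        return f"error: rcode {rcode}"
    if ancount > 0:
        return "authoritative answer" if aa else "positive answer"
    if aa:
        return "negative: name exists but no records of the queried type"
    if nscount > 0:
        return "referral answer"
    return "empty answer"

if __name__ == "__main__":
    q = build_query("www.example.com", "A")
    print(parse_question(q))
    print(classify_response(build_response(q, 1, 0, True, RCODE_NOERROR, b"\xc0\x00\x02\x01")))
    print(classify_response(build_response(q, 0, 2, False, RCODE_NOERROR)))
```

A referral is recognised by an empty answer section together with NS records in the authority section from a server that does not set the AA bit; the two negative cases are told apart by the response code (NXDOMAIN) versus an authoritative reply with no answer records.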

DNS Cache
Client cache:
Also known as the DNS resolver cache. Whenever the DNS Client service starts, all host-name-to-IP-address mappings contained in the static Hosts file are preloaded into the DNS resolver cache. In addition, it also holds the responses to queries sent to DNS servers. The DNS resolver cache is emptied when the DNS Client service is stopped.
Server cache:
When a DNS server makes recursive queries on behalf of clients, it temporarily caches resource records. These cached resource records contain information acquired in the process of answering queries on behalf of a client. We can clear the cache manually in the DNS console (Administrative Tools): right-click the server icon and click Clear Cache.
If the Support Tools are installed, the cache can be cleared by entering dnscmd /clearcache at a command prompt. To view the cache contents, select Advanced from the View menu; a new folder, "Cached Lookups", then appears.

  • DNS appears in the Networking Services tab of Add or Remove Programs.
  • Before installing the DNS service, ensure that you have assigned a static IP address.

DNS server settings can be customized through the Configure a DNS Server Wizard, which is invoked automatically after adding the DNS server role. The same can also be done through the server Properties dialog box in the DNS console, without ever running the Configure a DNS Server Wizard.

Creating zones

Zones are created in one of two categories: forward lookup and reverse lookup.

In a forward lookup zone the DNS server maps FQDNs to IP addresses; in a reverse lookup zone it maps IP addresses to FQDNs.

Zone types

Primary: In this kind of zone the zone data provides the original source data for all domains in the zone. In Windows Server 2003, primary zones can be deployed in one of two ways: as a standard primary zone or as a primary zone integrated with Active Directory.

Standard primary zone: Only a single server can host and load the master copy of the zone. If we create a standard primary zone, no additional primary servers are permitted.
Active Directory-integrated zone: Zone data is stored and replicated in Active Directory. Using an Active Directory-integrated zone increases fault tolerance and turns every domain controller in the domain that runs a DNS server into a primary server.

Secondary: This kind of zone is an authoritative backup zone for the primary zone or for other secondary zones. Secondary servers provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server provides name resolution in the zone until the primary server is available.
Stub zone: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone. Stub DNS servers host stub zones, which are abbreviated copies of a zone that contain only a list of the authoritative name servers for its master zone.

Creating resource records

New zones contain only two resource records: Start of Authority (SOA) and Name Server (NS).

Resource records that need to be created manually:

  • Host (A)
  • Alias (CNAME)
  • Mail Exchanger (MX)
  • Pointer (PTR)
  • Service Location (SRV)

Host (A): These make up the majority of the resource records in a zone database. They are used to associate the domain names of computers with IP addresses.

Alias (CNAME) resource record:
These are also called canonical names. This record allows more than one name to point to a single host.
MX resource record:
The mail exchanger (MX) resource record is used by e-mail applications to locate a mail server within the zone.
PTR resource record:
The pointer resource record is used only in reverse lookup zones to support reverse lookups, which are queries that resolve IP addresses to host names or FQDNs.
SRV resource record:

These are used to specify the location of specific services in the domain. Client applications that are SRV-aware can use DNS to retrieve the SRV resource records for given application servers. Windows Server 2003 Active Directory is an example of an SRV-aware application. The Net Logon service uses SRV records to locate domain controllers in a domain by searching the domain for the LDAP service.
All of the SRV records required for a DC can be found in a file named Netlogon.dns, located in the system32\config folder. If SRV records are missing, they can be reloaded automatically by running netdiag /fix at a command prompt.

DNS server

The DNS server Properties dialog box has the following tabs:
1. Interfaces
Allows specifying which of the local computer's IP addresses the DNS server should listen on for DNS requests.
2. Forwarders
Allows forwarding DNS queries received by the local DNS server to upstream DNS servers called forwarders. Forwarders allow DNS clients and servers inside a firewall to resolve external names securely. This tab also allows disabling recursion for any queries.
3. Advanced
Allows enabling, disabling and configuring DNS server options such as recursion, round robin, etc.
4. Root Hints
5. Debug Logging
6. Event Logging
7. Monitoring
8. Security: This tab is available only when the DNS server is also a domain controller.

DNS Zone Properties tabs

There are 5 tabs:
  • General
  • Start of Authority
  • Name Servers
  • WINS
  • Zone Transfers

1. General

Allows temporarily suspending name resolution and configuring four basic features: zone type, zone file name, dynamic updates and aging.

The following events trigger the DHCP Client service to send a dynamic update to the DNS server:
  • An IP address is added, removed or modified in the TCP/IP properties configuration for any one of the local computer's installed network connections.
  • An IP address lease changes or is renewed with the DHCP server for any one of the local computer's installed network connections.
  • The ipconfig /registerdns command is used on a DNS client computer to manually force a refresh of the client's name registration in DNS.
  • The DNS client computer is turned on.
  • A member server within the zone is promoted to a domain controller.

Aging

Aging in DNS refers to the process of placing a timestamp on a dynamically registered resource record and then tracking the age of the record. Scavenging refers to the process of deleting outdated resource records on which timestamps have been placed. Scavenging can occur only when aging is enabled. Both aging and scavenging are disabled by default.

2. SOA tab

Allows configuring the SOA resource record for the zone. When a DNS server loads a zone, it uses the SOA resource record to determine the basic authoritative information about the zone.

3. Name Servers tab
The Name Servers tab allows you to configure NS resource records for a zone. These records cannot be created elsewhere in the DNS console.

4. WINS tab

Used to configure the WINS settings for the zone.

5. Zone Transfers

Allows restricting zone transfers from the local master server.


Delegating zones:
Delegating zones means assigning authority over portions of your DNS namespace to subdomains within this namespace. A zone delegation occurs when the responsibility for the resource records of a subdomain is passed from the owner of the parent domain to the owner of the subdomain.

When to delegate zones?

Delegate when the following conditions are present:
  • Need to delegate the management of a DNS domain to a branch or department within the organisation
  • Need to distribute the load of maintaining one large DNS database among multiple name servers, to improve name resolution performance and fault tolerance
  • Need hosts and host names to be structured according to branch or departmental affiliation within the organisation


Deploying stub zones

A stub zone is an abbreviated copy of a zone, updated regularly, that contains only the NS records belonging to the master zone. A server hosting a stub zone does not answer queries for the zone directly but instead directs these queries to any of the name servers specified in the stub zone's NS resource records. In other words, it contains only the NS resource records needed to locate the name servers of the master zone specified by the name of the stub zone.
What are the benefits of a stub zone?
1. Improved name resolution: It enables a DNS server to perform recursion by using the stub zone's list of name servers, without querying the root servers.
2. Keeping foreign zone information current: By updating the stub zone regularly, the DNS server hosting the stub zone maintains a current list of name servers for a different zone, such as a delegated zone on a different DNS server.
3. Simplified DNS administration: By using stub zones we can distribute zone information without using secondary zones.

When to use stub zones?

They are most frequently used to keep track of the name servers authoritative for delegated zones.
A DNS server that has delegated a child zone to a different DNS server is usually informed of new authoritative DNS servers added to the child zone only when the resource records for these new DNS servers are added to the parent zone manually. With stub zones, a DNS server can host a stub zone for one of its delegated zones and obtain updates of that zone's authoritative servers whenever additional name servers are added to the master zone.

DNS troubleshooting tools

The most common tools are Nslookup, the DNS event log and the DNS log.
Nslookup is used to query DNS servers directly and to determine the contents of a zone.
The DNS event log is a file, accessible through Event Viewer, to which errors and other events related to the DNS Server service are written.
The DNS log, also called the DNS debug log or DNS server log, is a separate log maintained by the DNS server and configured on the Debug Logging tab of the DNS server Properties dialog box.

We can view the DNS event log by using the Event Viewer node in the DNS console.
The DNS debug log is named Dns.log and is stored in the WINDOWS\System32\Dns folder. We can view the file only after the DNS Server service is stopped.

DNS monitoring tools

Replication Monitor and System Monitor can be used to monitor DNS functionality.

Replication Monitor:
It performs the important function of monitoring DNS replication in Active Directory-integrated zones, whereas System Monitor enables you to track any of some 62 real-time performance measurements related to DNS.

Replication Monitor can be used to perform the following functions:
1. Force replication of DNS data
2. See when a replication partner fails
3. Display the replication topology
4. Display changes that have not yet been replicated
5. Monitor the replication status of domain controllers from multiple forests


We can use System Monitor to monitor various aspects of server activity, such as:
1. Overall DNS performance statistics
2. DNS queries and responses
3. Recursive lookup counters, etc.
------------------------------------------------------------------------------------------------------------
What is DHCP?

DHCP allows IP addresses, subnet masks and other configuration information to be assigned automatically to client computers on the local network. Implementing a basic DHCP server requires:
1)      Installing the server
2)      Authorizing the server
3)      Configuring the scopes
4)      Exclusions
5)      Reservations
6)      Activating the scope
and verifying the configuration.

Benefits of DHCP
1) Greatly reduces the time required to configure and reconfigure the computers on the network.
2) DHCP simplifies administration by supplying not only the IP address but also the addresses of the default gateway, DNS servers, WINS servers and other servers useful to the client.
3) It allows us to avoid the configuration errors that result from entering IP addresses manually at every host.

How to install the DHCP Server service?
·         Windows Components Wizard (DHCP and DNS are subcomponents of Networking Services)
·         Manage Your Server wizard

What is the difference between an authorized DHCP server and a rogue server?

DHCP servers must be authorized if they are to be integrated into Active Directory networks. The first DHCP server we install on the network must be an authorized DHCP server. Stand-alone DHCP servers implemented together with authorized servers are known as rogue servers. When a rogue DHCP server running Windows Server 2003 or Windows 2000 detects an authorized server on the same subnet, the stand-alone server automatically stops its own DHCP Server service and stops leasing IP addresses to DHCP clients. Dhcploc.exe can be used to find rogue servers on the network (it is in the Support Tools).
To flush the ARP cache: arp -d * at a command prompt
To flush the NetBIOS name cache: nbtstat -R
To flush the DNS cache: ipconfig /flushdns

What is a scope?

A DHCP scope is a pool of IP addresses within a logical subnet that the DHCP server can assign to clients. An IP address within the defined scope that is offered to a DHCP client is known as a lease. The default lease duration is 8 days. The scope can be created using the New Scope Wizard. The wizard has the following pages:
1. Scope Name page
2. IP Address Range page
3. Add Exclusions page
4. Lease Duration page
5. Configure DHCP Options page
6. Router page
7. Domain Name and DNS Servers page
8. WINS Servers page
9. Activate Scope page

When is a lease renewed?

A) The client automatically attempts to renew its lease after 50% of the lease time elapses.
B) The client attempts to renew its lease upon restart.
C) When we execute the ipconfig /renew command on the DHCP client computer.

What is the difference between an exclusion and a reservation in DHCP?
An exclusion range is a set of one or more IP addresses included within the range of a defined scope that we do not want to lease to DHCP clients. Exclusion ranges ensure that the DHCP server does not offer DHCP clients on that network any addresses in these ranges. They are usually used to accommodate servers within the subnet that have manually configured IP addresses. For example, if the servers on the network have already been configured with static addresses in the middle of the subnet range, such as 192.168.1.110 and 192.168.1.46, we should use exclusion ranges to keep these addresses from being assigned to other computers.
A reservation is used to create a permanent address lease assigned by the DHCP server. A reservation ensures that a specified hardware device on a subnet can always use the same IP address. For example, a print server can be given a reservation; this avoids IP address conflicts and allows centralized management.


Scope options

We can configure options at the reservation level, scope level or server level. Options set at the reservation level override all others, and scope-level options override server-level options.
To configure options for the scope, select the Scope Options folder in the DHCP console tree and then, from the Action or shortcut menu, select Configure Options. More than 60 standard options are available. The most common of these include the following:
003 Router: A preferred list of IP addresses of routers on the same subnet as the DHCP clients. The client can then contact these routers as needed to forward IP packets destined for remote hosts.
006 DNS Servers: The IP addresses of DNS name servers that DHCP clients can contact and use to resolve a domain host name query.
015 DNS Domain Name: An option that specifies the domain name that DHCP clients should use when resolving unqualified names during DNS domain name resolution.
044 WINS/NBNS Servers: The IP addresses of the primary and secondary WINS servers for the DHCP client to use.
051 Lease: An option that assigns a special lease duration only to remote access clients.

What are the methods to change the DHCP Server service status?

DHCP console
Click Administrative Tools, DHCP, then right-click the server; All Tasks includes options to start, stop, pause, resume and restart the service.

Command-line interface
At the command prompt type:
net start dhcpserver
net stop dhcpserver
net pause dhcpserver
net continue dhcpserver
Services console
It is a graphical admin tool that we can open by clicking Start, selecting Administrative Tools and then clicking Services. To access controls for the DHCP Server service, double-click the DHCP Server node in the list of services in the details pane. It contains an additional option, Disabled. This is useful, for example, when we need to move a DHCP database to another computer and want to ensure that the old server remains stopped even after we perform the migration.
*      Another command-line tool is the network shell, netsh. It is useful in the following situations:

·         When managing DHCP servers in WANs, this command can be used to perform administrative tasks.
·         When managing a large number of DHCP servers.
How is it possible to achieve DHCP fault tolerance?
To provide fault tolerance we use the 80/20 rule. It divides the scope's addresses between two DHCP servers. If server 1 is configured to make most of the addresses (80%) available, the other server is configured to make the remaining addresses available to clients. With two DHCP servers deployed, if one server is unavailable the other server can take its place and continue to lease new addresses or renew existing ones.
Both server 1 and server 2 define the same range for the scope, but the exclusions differ: on server 1 the exclusion is 20% and on server 2 it is 80%. For example, consider 192.168.0.1: the first 10 addresses are reserved for static assignment and the IP address range for the DHCP scope defined on the subnet is 192.168.1.11 through 192.168.1.254. To comply with the 80/20 rule, both servers define the same range for the scope, but the exclusions configured on each server differ. On server 1 the exclusion range is configured as the final 20% of the scope, and on server 2 the exclusion range is configured as the first 80% of the scope.
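To make the exclusion and reservation behaviour described earlier and the 80/20 split concrete, here is an added Python example (not code from the original notes). Scope is an in-memory model: excluded addresses are never offered, a client with a reservation always receives its reserved address, and a client that already holds a lease keeps it; eighty_twenty computes the complementary exclusion ranges the two servers must configure for the notes' scope, 192.168.1.11 through 192.168.1.254. The class and function names and the MAC addresses are constructed for the example.

```python
"""DHCP scope model: exclusions, reservations and the 80/20 split.

Added example, not code from the original notes. Scope models one server's view
of a scope; eighty_twenty() computes the exclusion each of two servers needs so
that no address is offered by both. Addresses and MACs are constructed values.
"""
from ipaddress import IPv4Address
from typing import Optional

class Scope:
    def __init__(self, start: str, end: str, lease_days: int = 8):
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        self.lease_days = lease_days              # default lease is 8 days
        self.exclusions = []                      # list of (first, last) address pairs
        self.reservations = {}                    # MAC -> permanently assigned address
        self.leases = {}                          # MAC -> address currently leased

    def exclude(self, first: str, last: str) -> None:
        """Never offer addresses in [first, last], e.g. statically configured servers."""
        self.exclusions.append((IPv4Address(first), IPv4Address(last)))

    def reserve(self, mac: str, address: str) -> None:
        """Bind a hardware address to a fixed address inside the scope."""
        addr = IPv4Address(address)
        if not self.start <= addr <= self.end:
            raise ValueError("reservation must lie inside the scope range")
        self.reservations[mac.lower()] = addr

    def is_excluded(self, addr: IPv4Address) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def available(self) -> list:
        """Addresses that may be offered: in range, not excluded, not reserved, not leased."""
        taken = set(self.reservations.values()) | set(self.leases.values())
        out = []
        for i in range(int(self.start), int(self.end) + 1):
            addr = IPv4Address(i)
            if not self.is_excluded(addr) and addr not in taken:
                out.append(addr)
        return out

    def offer(self, mac: str) -> Optional[IPv4Address]:
        """Choose the address to offer a client, or None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.reservations:
            addr = self.reservations[mac]         # reserved clients always get their address
        elif mac in self.leases:
            addr = self.leases[mac]               # a renewing client keeps its address
        else:
            pool = self.available()
            if not pool:
                return None
            addr = pool[0]
        self.leases[mac] = addr
        return addr

def eighty_twenty(start: str, end: str, primary_share: float = 0.8) -> dict:
    """Exclusion range each server must configure under the 80/20 rule.

    Both servers define the same scope; server 1 excludes the final 20% and
    server 2 excludes the first 80%, so their offered pools do not overlap.
    """
    lo, hi = IPv4Address(start), IPv4Address(end)
    total = int(hi) - int(lo) + 1
    boundary = int(lo) + int(total * primary_share) - 1   # last address served by server 1
    return {
        "server1_exclusion": (IPv4Address(boundary + 1), hi),
        "server2_exclusion": (lo, IPv4Address(boundary)),
    }

if __name__ == "__main__":
    scope = Scope("192.168.1.11", "192.168.1.254")
    scope.exclude("192.168.1.110", "192.168.1.110")        # statically configured server
    scope.reserve("00-11-22-33-44-55", "192.168.1.200")    # constructed print-server MAC
    print(scope.offer("00-11-22-33-44-55"), scope.offer("aa-bb-cc-dd-ee-ff"))
    print(eighty_twenty("192.168.1.11", "192.168.1.254"))
```

For the 244-address scope in the notes, server 1 serves 192.168.1.11 through .205 and excludes .206 through .254, while server 2 excludes .11 through .205 and serves the remaining 49 addresses.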
What is a DHCP Relay Agent?
DHCP relay agents are machines that listen for lease requests from DHCP clients on their own subnet and forward these requests to a DHCP server located on a different subnet.

What are the steps involved while a client receives an IP address from a DHCP server?
The DHCP client broadcasts a DHCP discover message to the local subnet.
The server responds with a DHCP offer message that contains the IP address lease for the client.
If no DHCP server is available, the client proceeds in one of two ways:
1. The client configures an APIPA address itself.
2. If it is XP or 2003 it configures the alternate IP address; otherwise it assigns an APIPA address. If the client is running a version of Windows earlier than Windows 2000, or if no static alternate address has been provided and IP autoconfiguration has been disabled, the client fails to initialize. If left running, it continues to resend DHCP discover messages (4 times every 5 minutes) until it receives a DHCP offer message from a server.
As soon as the offer message is received, the client selects the offered address by replying to the server with a DHCP request message.
Once the client receives the acknowledgement, it configures its TCP/IP properties using the information in the reply and joins the network.
The steps involved in DHCP are the following:
IP lease request
IP lease offer
IP lease selection
IP lease acknowledgement
What is the DHCP rebinding state?
If the client is unable to communicate with its original DHCP server, the client waits until it reaches the rebinding state. By default this state occurs seven days after the lease renewal. When the client reaches this state, it attempts to renew its current lease with any available DHCP server.
The name of the DHCP log file is DhcpSrvLog-Mon and it is found in System32\Dhcp.
How does DHCP assign an address to a request from outside the subnet?
By using RFC 1542-compliant routers, which can be configured not to block DHCP broadcasts, or DHCP relay agents. These transport the DHCP request to the DHCP server. Before passing the request on, the DHCP relay agent or router writes its own address into a certain field within the message. The DHCP server identifies this address, understands the proper source of the request and issues an address from the proper scope.
If we need to migrate to a new scope, we must add the new scope to the DHCP server and then migrate to it. To do so, first create and activate the new scope and then deactivate the old scope. Do not delete the old scope until the clients have migrated to the new scope.
How to back up the DHCP database
There are 2 methods:
Synchronous: Automatic, every 60 minutes. The automatic backup is used to restore the database only when the DHCP service detects that the database is corrupted.
Asynchronous: Manual, using the Backup command in the DHCP console. Only a manual backup can be used to perform a manual database restoration.
The backup includes:
·         All scopes
·         Reservations
·         Exclusions
·         All options
The default manual backup location is Windows\system32\dhcp\backup.
How to compact a DHCP database?
To support offline compaction and repair of Jet databases such as the DHCP database and the WINS database, Windows Server 2003 includes the jetpack.exe tool. If the database grows beyond 30 MB or if error messages are received, offline compaction is preferred.
To compact manually, open a command prompt on the DHCP server computer and run jetpack.exe.



How many scopes are in DHCP? 

10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

What is a superscope? A superscope is an administrative grouping of scopes that is used to support multinets, that is, multiple logical subnets on a single network segment. Multinetting commonly occurs when the number of hosts on a physical segment grows beyond the capacity of the original address space. To create a superscope, first create a scope; it can then be made part of a superscope by right-clicking the DHCP server and selecting New Superscope.


What is a DHCP lease and what is the default lease duration? An IP address within a defined scope that is offered to a DHCP client is known as a lease, and the default lease duration is 8 days.
When will a lease be renewed?
A lease can be renewed for a variety of reasons.
    1. The client automatically attempts to renew the lease after 50 percent of the lease time has elapsed.
    2. A client also attempts to renew the lease upon restarting. When a DHCP client shuts down and restarts it typically obtains a fresh lease for the same IP address it had prior to shutdown.
    3. Leases are refreshed when we run the ipconfig /renew command on the DHCP client computer.
What is the process by which DHCP gets an IP address to the client?

        Discover ----- The client broadcasts packets to find a DHCP server.
        Offer ----- The server offers an address.
        Request ----- The client requests the offered IP address from the server that made the offer.
        Acknowledge ----- The server sends an acknowledgement to the client.

        NACK -------- If the client cannot obtain the IP address after the server has made its offer, the server sends a negative acknowledgement.

Monitoring DHCP

By default all DHCP server activity is recorded and written daily to a text file. This feature is called audit logging. The logs are found in the folder WINDOWS\System32\Dhcp. The name format is DhcpSrvlog-Mon. Each log records between midnight and 11:59 PM, and the logs are overwritten after 7 days. We can disable audit logging and change the log file path in the Advanced tab of the DHCP console (audit logging is enabled by default). The default maximum size of an audit log file is 1 MB.
DHCP server audit log files use reserved event ID codes to provide information about the type of server event or activity logged. Event IDs lower than 50 are described in the log file itself and therefore do not need to be memorized. Examples of the higher IDs are given below.
59: Network failure
62: Another server found
63: Restarting rogue detection
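An added Python example, not from the original notes, that reads a log in the DhcpSrvLog layout, picks up the ID legend from the file header and flags the server-level events listed above (62 first, because another DHCP server answering on the segment is exactly what a rogue-server check looks for). The sample log, host names and MAC addresses are constructed.

```python
import csv
from collections import Counter

# Event IDs of 50 and above are not explained in the log file header; these
# are the three the notes above list for Windows Server 2003.
SERVER_EVENTS = {59: "network failure", 62: "another server found",
                 63: "restarting rogue detection"}
ROGUE_SERVER_FOUND = 62

# Constructed sample in the DhcpSrvLog layout: a header that explains the low
# event IDs, then one CSV record per event. Hosts, MACs and times are made up.
SAMPLE_LOG = (
    "\t\tMicrosoft DHCP Service Activity Log\n\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
    "00,09/12/13,00:00:01,Started,,,\n"
    "10,09/12/13,08:02:17,Assign,10.0.0.21,WS01.example.local,0003FF1A2B3C\n"
    "11,09/12/13,08:40:05,Renew,10.0.0.22,WS02.example.local,0003FF1A2B3D\n"
    "62,09/12/13,09:15:40,Another server found,10.0.0.250,,\n"
    "63,09/12/13,09:15:41,Restarting rogue detection,,,\n"
    "10,09/12/13,10:11:52,Assign,10.0.0.23,WS03.example.local,0003FF1A2B3C\n"
    "59,09/12/13,11:03:09,Network failure,,,\n"
)


def parse_audit_log(text):
    """Split the log into the header's ID legend (the IDs below 50) and the CSV rows."""
    legend, rows, in_records = {}, [], False
    for line in text.splitlines():
        if line.startswith("ID,Date,Time"):
            in_records = True            # the CSV column header ends the legend
        elif in_records:
            if line.strip():
                rows.append(next(csv.reader([line])))
        else:
            parts = line.strip().split("\t", 1)
            if len(parts) == 2 and parts[0].isdigit():
                legend[int(parts[0])] = parts[1]
    return legend, rows


def review_audit_log(text):
    """Raise an alert for every server-level event (ID >= 50), pick out the
    'another server found' events as rogue-server candidates, and count new
    lease assignments per MAC so a churning client stands out."""
    legend, rows = parse_audit_log(text)
    alerts, assignments = [], Counter()
    for row in rows:
        event_id = int(row[0])
        if event_id >= 50:
            alerts.append((row[2], event_id, SERVER_EVENTS.get(event_id, "undocumented"), row[4]))
        elif legend.get(event_id, "").startswith("A new IP address"):
            assignments[row[6]] += 1
    return {"alerts": alerts,
            "rogue_candidates": [a[3] for a in alerts if a[1] == ROGUE_SERVER_FOUND],
            "assignments_by_mac": dict(assignments)}
```

An "another server found" alert is the cue for the Dhcploc.exe check the troubleshooting section below describes.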


Trouble shooting DHCP

Verify client configuration:  ipconfig /all
Address conflicts: A conflict can be a sign of a competing DHCP server or of a sudden DHCP scope redeployment. To check for competing DHCP servers, you can use the Dhcploc.exe utility to locate rogue DHCP servers on the network. After removing rogue servers, verify that no two remaining DHCP servers can issue address leases from the same address range.

Failure to obtain DHCP address

First refresh the IP configuration by using ipconfig /renew or the Repair button in the connection status box.
If the problem persists, the situation can signal either the absence of a DHCP server or relay agent deployed within broadcast range, a break in the physical connection, or an error at the DHCP server or scope. Ensure connectivity to the server and relay agent by pinging them.
Address obtained from an incorrect scope
If the machine receives an IP address from a DHCP server and it belongs to an incorrect scope, first verify that no competing servers exist on the network (Dhcploc.exe).
The correct DHCP server might also have supplied an address from an incorrect scope. Multiple scopes can be active on a single DHCP server; scopes not native to the server's own subnet are used for remote clients. However, the DHCP server can match remote clients to the proper scope only when the RFC-compliant router or DHCP relay agent through which the client communicates is properly addressed. In this scenario, when a remote client is assigned an incorrect address by the DHCP server, verify that the DHCP relay agent or router forwarding the DHCP messages is itself correctly addressed.

Verifying server configuration.


1. Start by verifying the DHCP server address: the network ID of the server must be common to the logical subnet. Also check the network bindings.
2. Verify that the DHCP server is authorized in Active Directory. When the server is not authorized, a red arrow pointing down marks the server icon in the DHCP console tree; when it is authorized, the server icon is marked by a green arrow pointing up.
3. Verify the scope configuration: check that the scope is activated. Active and inactive scopes can be easily identified by their up and down arrows. Next make sure that the address range for the scope has been properly configured.
4. Once the address range has been verified, make sure that the available leases within the scope have not all been assigned. If we need to increase the number of available leases, this can be achieved in a number of ways:
a. Increase the scope address range.
b. Re-create the scope with a shorter subnet mask.
c. Decrease the lease duration, so that computers that are shut down or temporarily removed from the network do not keep their addresses for long and those addresses become available to other computers.
5. If a client with a reserved address is not getting its IP address, check whether the same IP address is included in an exclusion range. Also verify that the reserved IP address lies in the scope's defined address range. Finally verify the MAC address.

Reconciling DHCP database

If DHCP database information is missing or inconsistent, we can attempt to resolve the problem by reconciling DHCP data for any or all scopes. This option is in the DHCP console: on the Action menu, click Reconcile All Scopes.
To reconcile an individual scope, open the DHCP console tree, click the applicable scope and, on the Action menu, click Reconcile. Events related to DHCP are stored in the System log with the source “DHCP Server”; in some cases the source is “dhcp”.
If the database is corrupted the following event can be found in the System log:

Event ID   Source        Description
1014       Dhcp Server   The Jet database returned the following error.

CLUSTERING

A cluster is a group of two or more servers dedicated to running a specific application and connected to provide fault tolerance and load balancing. In a server cluster each computer runs the same critical applications, so that if one server fails the others detect the failure and take over at a moment's notice. This is called failover. When the failed node returns to service the other nodes take notice and the cluster begins to use the recovered node again. This is called failback. Clustering capabilities are installed automatically in Windows Server 2003; they have to be installed separately in Windows 2000.

Clustering types

In clustering all the computers are connected to a common data set such as a shared SCSI bus or the storage area network, because all the nodes have access to the same application data, any one of them can process a request from a client at any time. We configure each node in a cluster to be active or passive. Active node receives and processes requests from clients while a passive node remains idle and functions as a fall back, should an active node fail.

  • The main disadvantage of this two-node active/passive design is that one of the servers is wasted most of the time, doing nothing but functioning as a passive standby.

  • A server cluster has its own name and IP address, separate from those of the individual computers in the cluster. Therefore, when a server failure occurs there is no apparent change in functionality to the clients, which continue to send their requests to the same destination. The passive node takes over the active role almost instantaneously, so there is no appreciable delay in performance.

  • Enterprise Edition and Datacenter Edition support server clusters consisting of up to 8 nodes (in Windows 2000 the maximum was 4).

Network Load balancing

It is another type of clustering that provides high availability and high reliability, with the addition of high scalability as well. NLB is intended for applications with relatively small data sets that rarely change (stateless applications) and that do not have long-running in-memory state. These normally include Web, FTP and VPN servers. Every client request to a stateless application is a separate transaction, so it is possible to distribute the requests among multiple servers to balance the processing load.

Instead of being connected to a single data source as in a server cluster, the servers in an NLB cluster all have identical cloned data sets and are all active nodes. The clustering software distributes incoming client requests among the nodes, each of which processes its requests independently, using its own data.

This model is not suitable for databases and similar applications, because if one server receives an update the other servers would not have access to that record until the next database replication.

Standard, Enterprise and Datacenter Editions support NLB clusters of up to 32 nodes.

Designing a cluster: A cluster can provide a solution that protects against three types of failures.
Software failures: These can result from applying upgrades, from conflicts with newly installed programs or from the introduction of viruses or other types of malicious code. System administrators can avoid this situation by not installing software updates on all the servers in a cluster simultaneously.

Hardware failures: If one server fails, the other servers take over its share of the cluster's work.


Site failures: A multi-site cluster enables the applications to continue running even if a fire or a natural disaster occurs at one site.

Scaling clusters

There are two methods to increase cluster performance.
Scaling up: improving the performance of individual servers by modifying the computer's hardware configuration, such as adding RAM or processors.
Scaling out: adding servers to an existing cluster. Scaling out an NLB cluster is very easy, but scaling out a server cluster is more complicated because the servers in the cluster must all have access to a common data store.

Geographically dispersing a server cluster is not easy, but with NLB it is very easy: we can create a separate NLB cluster at each site and then use the DNS round-robin technique to distribute client requests evenly among the clusters.

 Using network load balancing

We can use the Network Load Balancing Manager application in Windows Server 2003 to create, manage and monitor NLB clusters. It supports up to 32 servers, referred to as hosts. It works by creating on each host a virtual network adapter that represents the cluster as a single entity. The virtual adapter has its own IP and media access control (MAC) addresses, independent of the addresses assigned to the physical network interface adapters in the computers. Clients address their application requests to the cluster IP address instead of an individual server's IP address.

NLB operational modes
1. Unicast mode
2. Multicast mode

1. Unicast mode

In unicast mode NLB replaces the MAC address of the physical network interface adapter in each server with the MAC address of the virtual adapter representing the cluster. The server doesn't use the computer's original MAC address at all, effectively transforming the computer's physical network interface adapter into a virtual cluster adapter. ARP resolves both of the server's IP addresses (its own and the cluster's) to the single MAC address for the cluster.

The cluster traffic between NLB servers takes the form of a heartbeat message that each server transmits once per second to the other servers in the cluster. If one cluster server fails it stops transmitting its heartbeat messages, and the other servers detect the absence of the heartbeats. Once the servers in the cluster miss five consecutive heartbeat messages from a server, they begin a process called convergence, in which they recalculate their traffic distribution algorithm to compensate for the missing server. In the same way, adding a new server to an NLB cluster introduces a new heartbeat to the network, which triggers a convergence in the other servers, enabling them to redistribute the traffic so that the new server receives an equal share of the load.

We can monitor NLB by using Network load Balancing Manager and Event viewer


Server Cluster
Server clusters are intended to provide advanced failover capabilities for stateful applications, particularly database and e-mail servers. Since the data needs to be shared, server clusters are based on a shared data storage solution. If the cluster is geographically dispersed, a SAN connecting the various sites has to be constructed, as well as a standard WAN.

Planning a server cluster hardware configuration

For maximum availability, having two network interface adapters in each computer is preferable: one providing the connection to the client network and one connecting to a network dedicated to communications between the servers in the cluster.

In addition to standard network connections, each server must have a separate connection to the shared storage device. Windows Server 2003 supports three types of storage connections: SCSI and two types of Fibre Channel.

Application development plan

Single-instance applications: Applications that can run on no more than one server at a time in a given configuration. The classic example is DHCP. This type of application runs on one server while the other functions as a standby. In such cases the single application is installed on multiple nodes, with one node configured to be active while the others remain passive until they are needed.

When we deploy more than one single-instance application we can configure one node as active and the other as passive; or we can create a 3-node cluster with two active nodes and a third, passive node, which must have the capacity to run both applications in case both active hosts fail; or we can install both applications on both servers so that one is active and, if it fails, the other takes over.

Multiple instance applications:

Applications in which duplicated code can run on multiple nodes in a cluster, or in which the code can be partitioned or split into several instances. More than one node in a cluster can be running the same application at the same time. We need to partition the applications: this means splitting the application's functionality into separate instances and deploying each one on a separate cluster node.

Selecting a Quorum Model

Every node in a server cluster maintains a copy of the cluster database in its registry. The cluster database contains the properties of all the cluster's elements, including physical components such as servers, network adapters and shared storage devices, and cluster objects such as applications and other logical resources. When a cluster server goes offline for any reason its cluster database is no longer updated as the cluster's status changes. When the node comes back online it must have a current copy of the database to rejoin the cluster, and it obtains that copy from the cluster's quorum resource.

A cluster's quorum contains all the configuration data needed for the recovery of the cluster, and the quorum resource is the drive where the quorum is stored. To create a cluster, the first node must be able to take control of the quorum resource so that it can save the quorum data there. Only one system can have control of the quorum resource at any time. Additional nodes must be able to access the quorum resource so that they can create the cluster database in their registries.



Selecting the location of the quorum is very difficult. Windows Server 2003 supports three quorum models:

    1. Single node cluster: The cluster consists of only one server, so the application data and the quorum resource are located on that computer's hard drive. The primary reason for creating a single node cluster is testing and development.
    2. Single quorum device cluster: The cluster uses a single quorum resource, which is one of the shared storage devices accessible by all the nodes in the cluster. This is the quorum model that most server cluster installations use.
    3. Majority node set cluster: A separate copy of the quorum is stored on each cluster node, with the quorum resource responsible for keeping all copies of the quorum consistent. Majority node set clusters are particularly well suited to geographically dispersed server clusters and to clusters that do not have shared data storage devices.
To create a new cluster we need the following information:
1. Name of the domain
2. Host name going to assign to the cluster
3. The static IP address going to assign to the cluster
4. The name and password for cluster service account.

What is a cluster resource?
A cluster resource is any physical or logical element that the cluster service can manage by bringing it online or offline and moving it to a different node. By default the cluster resources supported by server clusters running Windows Server 2003 include storage devices, configuration parameters, scripts and applications. When we deploy applications, the application developer typically includes resource types that are specific to that application.

Configuring failover policies

1. Failover pairs: In a large server cluster running several applications, each application runs on one node and has one designated standby node.

2. Hot standby server: A single node functions as the designated standby server for two or more applications. This option uses the cluster's processing capacity more efficiently but might not handle multiple node failures well.

3. N+1: An expanded form of the hot standby server policy, in which you configure a number of active nodes running different applications (N) to fail over to any one of a number of idle servers. For example, we can create a 6-node cluster with 4 applications running on 4 nodes and 2 nodes acting as idle standbys.

4. Failover ring: Each node in a server cluster runs an application and we configure each application to fail over to the next node. This policy is suitable for relatively small applications because in the event of a failure a server might have to run two or more applications at once.

5. Random: The best policy is for the administrator not to define any specific failover relationship at all and to let the cluster service be responsible for failing over resources to other nodes in the cluster.





Disk storage options

Basic disks: This is the most familiar type. Each basic disk is partitioned and each partition functions as a physically separate unit of storage. The information about the location and size of each partition is stored in the partition table of the MBR on the drive. A basic disk can contain as many as four partitions, consisting of either four primary partitions or three primary partitions and one extended partition.

Primary partitions: Each primary partition maintains one logical volume on a basic disk. If a basic disk is used to start the operating system, one and only one primary partition on the disk must be marked as active.

Extended partition: A basic disk may also contain an extended partition. Unlike primary partitions, extended partitions are not formatted or assigned drive letters. Instead, extended partitions are further divided into logical drives. Logical drives are logical volumes on a basic disk.

Dynamic disks: The differences between basic and dynamic disks are that dynamic disks support an unlimited number of volumes and that the configuration information about the volumes is stored in a database controlled by the Logical Disk Manager service.

The different types of Dynamic volumes are given below.

1. Simple volume: Equivalent to a basic disk partition. Simple volumes utilize space on a single physical disk and correspond to a single logical volume. They are not fault tolerant.

2. Spanned volume: A spanned volume includes space on more than one physical disk. Up to 32 physical disks can participate in a spanned volume, and the amount of space used on each disk can be different. Data is written to the volume beginning with the space on the first disk in the volume; when the space on the first disk fills, the second disk is written to, and so on. Spanned volumes are also not fault tolerant: if any one disk of the spanned volume is corrupted or fails, the entire data in that volume is lost. We cannot install the Windows Server 2003 OS on a spanned volume.

3. Striped volume: A striped volume (RAID-0) combines areas of free space from multiple hard disks into one logical volume. Unlike a spanned volume, however, data is written to all physical disks at the same rate, so performance is good. But if a disk in a striped volume fails, the data in the entire volume is lost.

4. Mirrored volume: A mirrored volume, known as RAID-1, consists of two identical copies of a simple volume on separate hard disks. Mirrored volumes are fault tolerant.

5. RAID-5 volumes: A fault-tolerant striped volume. Data is written to all physical disks at the same rate, but unlike a striped volume the data is interleaved with checksum information called parity. Should a single disk in the volume fail, the data on that disk can be regenerated through calculations involving the remaining data and the checksum information.

Installing a new disk

After attaching a disk, if the new disk is not showing in the Disk Management window, use Rescan to identify the disk. After that, initialize the disk. The newly initialized disk is a basic disk; we can create primary and extended partitions on it. If we need a dynamic disk we can right-click and select the option to convert the disk to dynamic. Then we can select the unallocated space and configure volumes.
Moving a disk from one server to another server:
If required, refer to 11-16 of 2003 environment.

Chkdsk:        Chkdsk allows you to fix file system errors (/f) and bad sectors (/r).

Disk quotas:   When quotas are enabled, the quota manager tracks files on the volume that are owned by each user. It then compares the calculated total of disk usage by that user to the limits that have been configured by an administrator and, when those limits are reached, either warns the user that the volume is near its quota or prevents the user from writing to the disk.

RAID:  A striped volume, or RAID 0, uses two or more disks and writes data to all disks at the same rate, so read and write performance benefits. Up to 32 disks can participate in a striped volume. There is no fault tolerance: if one disk fails, the entire data in that volume is lost.

Mirrored volumes: The minimum number of disks required is 2. The recovery process for a failed disk within a mirrored volume depends on the type of failure that occurs. If a disk has experienced transient I/O errors, both portions of the mirror will show a status of Failed Redundancy. The disk with errors will report a status of Offline or Missing. After correcting the cause of the error, right-click the volume and reactivate it. The mirror will resynchronize automatically.

If we want to stop mirroring we have 3 choices.

1. Delete the volume: If we delete the volume, the volume and all the information it contains are removed. The resulting unallocated space is then available for new volumes.
2. Remove the mirror: If we remove the mirror, the mirror is broken and the space on one of the disks becomes unallocated. The other disk maintains a copy of the data that had been mirrored, but that data is of course no longer fault tolerant.
3. Break the mirror: If you break the mirror, the mirror is broken and both disks maintain copies of the data.

RAID -5 volumes

It uses 3 or more physical disks to provide fault tolerance and excellent read performance. In each stripe, data is written to all but one disk; that disk receives a chunk of data called parity, which acts as a checksum and provides fault tolerance for the stripe. The parity is distributed among all the disks in the set, but from a storage capacity perspective the amount of space used for fault tolerance is equivalent to the space of one disk in the volume.

From a storage capacity perspective that makes RAID-5 more economical than mirroring. In a minimal three-disk RAID-5 volume, one third of the capacity is used for parity, as opposed to one half of a mirrored volume being used for fault tolerance. Because as many as 32 disks can participate in a RAID-5 volume, we can configure a fault-tolerant volume that uses only 1/32 of its capacity to provide fault tolerance for the entire volume.

Recovering a failed RAID-5 volume

If a single disk fails in a RAID-5 volume, data can continue to be accessed. During read operations any missing data is regenerated on the fly through a calculation involving the remaining data and parity information, and performance is degraded during this activity. If a second disk fails, the volume must be restored from backup.

RAID -5 and Mirrored volume can sustain any single disk failure.

Difference between Mirror and RAID-5

Mirrored                                      RAID-5
Can protect the system or boot partition      Cannot protect the system or boot partition
Requires 2 hard disks                         Minimum 3 and maximum 32 hard disks
Higher cost per MB                            Lower cost per MB
50 percent redundancy                         33 percent maximum redundancy
Good read and write performance               Excellent read and moderate write performance
Uses less system memory                       Requires more system memory
RAID 0+1:  RAID 0+1 is a mirror of stripes. It is not as robust as RAID 10 and cannot tolerate two simultaneous disk failures, unless the second failed disk is from the same stripe as the first. That is, once a single disk fails, each of the disks in the other stripe is a single point of failure. Also, once the single failed disk is replaced, all the disks in the array must participate in rebuilding its data.




RAID 1+0

RAID 1+0, sometimes called RAID 1&0 or RAID 10, is similar to RAID 0+1 except that the RAID levels used are reversed: RAID 10 is a stripe of mirrors.
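The difference between the two layouts, as an added Python example (not from the original notes): it models a mirror of stripes and a stripe of mirrors over n disks and enumerates which two-disk failures each one survives. The disk numbering and the pairing of disks into stripes and mirrors are constructed assumptions.

```python
from itertools import combinations


def raid01_survives(failed, n_disks):
    """RAID 0+1 (mirror of stripes): disks 0..n/2-1 form stripe A, the rest stripe
    B. The array survives while at least one whole stripe is still intact."""
    half = n_disks // 2
    stripe_a, stripe_b = set(range(half)), set(range(half, n_disks))
    return not (failed & stripe_a) or not (failed & stripe_b)


def raid10_survives(failed, n_disks):
    """RAID 1+0 (stripe of mirrors): disks (0,1), (2,3), ... are mirror pairs.
    The array survives while no pair has lost both of its members."""
    pairs = [{2 * i, 2 * i + 1} for i in range(n_disks // 2)]
    return not any(pair <= failed for pair in pairs)


def two_disk_failure_survival(n_disks):
    """How many of the C(n,2) two-disk failure combinations each layout survives."""
    combos = [set(c) for c in combinations(range(n_disks), 2)]
    return {"combinations": len(combos),
            "raid01": sum(raid01_survives(f, n_disks) for f in combos),
            "raid10": sum(raid10_survives(f, n_disks) for f in combos)}


def guaranteed_failures(survives, n_disks):
    """Largest k such that every k-disk failure combination is survived, which is
    what a 'tolerates k disk failures' claim has to mean."""
    k = 0
    while k < n_disks and all(survives(set(c), n_disks)
                              for c in combinations(range(n_disks), k + 1)):
        k += 1
    return k
```

Both layouts guarantee only one arbitrary failure; the difference is how many of the second-failure cases are survived by luck, and the count makes that gap explicit.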


RAID 4:  RAID 4 uses block-level striping with a dedicated parity disk. This allows each member of the set to act independently when only a single block is requested. If the disk controller allows it, a RAID 4 set can service multiple read requests simultaneously. RAID 4 looks similar to RAID 5 except that it does not use distributed parity, and similar to RAID 3 except that it stripes at the block level rather than the byte level. Generally, RAID 4 is implemented with hardware support for parity calculations, and a minimum of 3 disks is required for a complete RAID 4 configuration.

In the example on the right, a read request for block A1 would be serviced by disk 0. A simultaneous read request for block B1 would have to wait, but a read request for B2 could be serviced concurrently by disk 1.
Unfortunately, for writing the parity disk becomes a bottleneck, as simultaneous writes to A1 and B2 would, in addition to the writes to their respective drives, also both need to write to the parity drive. In this way RAID 4 places a very high load on the parity drive in an array.

RAID 5
RAID 5 uses block-level striping with parity data distributed across all member disks. RAID 5 has achieved popularity due to its low cost of redundancy. This can be seen by comparing the number of drives needed to achieve a given capacity. RAID 1 or RAID 0+1, which yield redundancy, give only s / 2 storage capacity, where s is the sum of the capacities of n drives used. In RAID 5, the yield is . As an example, four 1TB drives can be made into a 2 TB redundant array under RAID 1 or RAID 1+0, but the same four drives can be used to build a 3 TB array under RAID 5.
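As an added example (not code from the original notes): a Python model of RAID 5 that rotates the parity block across the disks, rebuilds a failed disk by XOR of the surviving blocks in each stripe (the regeneration the recovery section above describes), reads in degraded mode, and computes the usable capacity for a mirror and for RAID 5, the yields this paragraph compares. The block size, the rotation order and the sample data are constructed.

```python
def xor_blocks(blocks):
    """XOR equal-length blocks together: this is the RAID-5 parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_position(stripe, n_disks):
    """Distributed parity: stripe 0 keeps its parity on the last disk, stripe 1 on
    the one before it, and so on round the set (RAID 4 would use one fixed disk)."""
    return (n_disks - 1 - stripe) % n_disks


def write_raid5(data, n_disks, block_size):
    """Lay data out over n_disks as stripes of n-1 data blocks plus one parity
    block; returns one block list per disk (the last stripe is zero-padded)."""
    per_stripe = (n_disks - 1) * block_size
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(data), per_stripe)):
        chunk = data[start:start + per_stripe].ljust(per_stripe, b"\0")
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        blocks.insert(parity_position(stripe, n_disks), xor_blocks(blocks))
        for disk, block in zip(disks, blocks):
            disk.append(block)
    return disks


def rebuild_disk(disks, failed):
    """Regenerate every block of the failed disk: within a stripe, the XOR of the
    surviving blocks (data and parity alike) equals the missing block."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_raid5(disks, failed=None):
    """Reassemble the data in order, skipping each stripe's parity block. With a
    disk marked failed the array runs degraded: its blocks are rebuilt on the fly."""
    disks = list(disks)
    if failed is not None:
        disks[failed] = None                      # the disk is gone
        disks[failed] = rebuild_disk(disks, failed)
    n = len(disks)
    return b"".join(disks[d][s] for s in range(len(disks[0]))
                    for d in range(n) if d != parity_position(s, n))


def usable_capacity(level, n_disks, disk_size):
    """A mirror keeps half of the raw total (s/2); RAID 5 gives one disk's worth
    to parity, s*(n-1)/n, which is why four 1 TB drives yield 3 TB."""
    total = n_disks * disk_size
    return total // 2 if level == "mirror" else total * (n_disks - 1) // n_disks
```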

RAID 5+0
A RAID 50 combines the straight block-level striping of RAID 0 with the distributed parity of RAID 5. This is a RAID 0 array striped across RAID 5 elements.
Below is an example where three collections of 240 GB RAID 5s are striped together to make 720 GB of total storage space:

RAID 50 improves upon the performance of RAID 5, particularly during writes, and provides better fault tolerance than a single RAID level does. This level is recommended for applications that require high fault tolerance, capacity and random positioning performance.


Recovering from system failure

Automated System Recovery

An ASR set consists of a backup of critical system files, including the registry, and a floppy disk listing the Windows system files that are installed on the computer. If the server fails we simply restart the server with the Windows Server 2003 CD-ROM and select the option to perform an automated system recovery. The process uses the list of files on the ASR disk to restore standard drivers and files from the original Windows Server 2003 CD-ROM, and restores the remaining files from the ASR backup set.
To create an ASR set, open the Backup utility from Accessories and click Advanced Mode; then, from the Backup utility's Welcome tab or from the Tools menu, select ASR Wizard. Follow the instructions of the Automated System Recovery Preparation Wizard. It will request a 1.44 MB floppy disk to create the ASR floppy.
The ASR floppy disk contains two catalogues of the files on the system, Asr.sif and Asrpnp.sif. The two files can also be found in the %systemroot%\repair folder.

How to restore?
To restore the system using automated system recovery, start the computer using the Windows Server 2003 CD-ROM, then press F2 to perform an ASR. It will prompt for the ASR floppy. Automated system recovery then restores the remaining critical files, including the system's registry, from the system's ASR backup set. There is a restart during the process.

Recovery console.

It’s a text-mode command interpreter that allows access to the hard disk of a computer running Windows Server 2003 for basic troubleshooting and system maintenance. It is particularly useful when the operating system cannot be started. The Recovery Console can be used to run diagnostics, disable drivers and services, replace files and perform other targeted recovery procedures.

We can start the Recovery Console by booting with the Windows Server 2003 CD-ROM and, when prompted, pressing R to choose the repair and recover option. To install the Recovery Console, insert the Windows Server 2003 CD-ROM and type cd-drive\i386\winnt32 /cmdcons.
The setup wizard will install the 8 MB console in a hidden folder called cmdcons and will modify the boot.ini file to offer the Recovery Console as a start-up option during reboot.
How to use recovery console?

Boot the system and select Microsoft Windows Recovery Console from the start-up menu. If the console is not available we can restart the system with the Windows Server 2003 CD-ROM and select R for repair. Once it is started we are prompted to select the Windows installation to which we need to log on. Then enter the password.
The commands that can be used.
Listsvc: displays the services and drivers listed in the registry.
Enable/disable: used to control the start-up type of a service or driver.
Diskpart: provides the means to create or delete partitions.
Bootcfg: enables management of the start-up menu.

Limitations.

1. Directory access: we can only view files in the root directory.
2. File copy: allows copying files to the local hard disk but not from it.
3. Wildcards: the use of wildcards is not allowed.
All of these limitations can be overcome with commands typed at the console.


What is DHCP Relay?

The DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay agent that relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different IP networks. The DHCP Relay Agent is compliant with RFC 1542, "Clarifications and Extensions for the Bootstrap Protocol." For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required.

  • You cannot use the DHCP Relay Agent component on a computer running the DHCP service, the network address translation (NAT) routing protocol component with automatic addressing enabled, or Internet Connection Sharing (ICS).

·        Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.
Configuring a DHCP Relay Agent
1.   Open the Routing and Remote Access console.
2.   Right-click the server, and then click Configure and Enable Routing and Remote Access.
3.   On the Welcome page of the Routing and Remote Access Setup Wizard, click Next.
4.   On the Configuration page, select Custom configuration, and then click Next.
5.   On the Custom Configuration page, select LAN routing, and then click Next.
6.   On the Completing the Routing and Remote Access Setup Wizard page, click Finish.
7.   In the Routing and Remote Access warning dialog box, click Yes to start the service.
8.   On the Remote Access/VPN Server page, click Finish.
9.   In the console tree, expand the server, expand IP Routing, and then select General.
10. Right-click General, and then click New Routing Protocol.
11. In the New Routing Protocol dialog box, click DHCP Relay Agent, and then click OK.



Configuring a DHCP Relay Agent with the IP address of the DHCP server
1.   Open the Routing and Remote Access console.
2.   In the console tree, select DHCP Relay Agent.
3.   Right-click DHCP Relay Agent, and then click Properties.
4.   On the General tab, in the Server address field, type the IP address of the DHCP server to which you wish to forward DHCP requests, click Add, and then click OK.

Enabling the DHCP Relay Agent on a router interface
1.   Open the Routing and Remote Access console.
2.   In the console tree, select DHCP Relay Agent.
3.   Right-click DHCP Relay Agent, and then click New Interface.
4.   Select the interface on which you want to enable the DHCP Relay Agent, and then click OK.
5.   In the DHCP Relay Agent Properties dialog box, on the General tab, make sure that Relay DHCP packets is selected.
6.   Configure the boot threshold (seconds) and hop-count threshold if needed, and then click OK.
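The relay behaviour the two thresholds above control, as an added Python model that is not code from the page or from Windows: it parses the fixed BOOTP header (RFC 951), applies the hop-count and boot thresholds, fills in giaddr with the relay interface address and forwards to the configured DHCP servers. The addresses, threshold values and the sample packet are constructed, and treating a hop count equal to the threshold as "exceeded" is an assumption.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Fixed BOOTP header fields (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr. chaddr/sname/file/options that follow pass through untouched.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s")
BOOTREQUEST = 1

@dataclass
class RelayConfig:
    interface_ip: str         # router interface on which the relay agent is enabled (constructed)
    dhcp_servers: tuple       # server addresses entered on the relay agent General tab (constructed)
    boot_threshold: int = 0   # "boot threshold (seconds)": wait this long before relaying
    hop_threshold: int = 4    # "hop count threshold": discard requests that crossed this many relays

@dataclass
class RelayResult:
    forwarded: bool
    reason: str
    servers: tuple = ()
    packet: bytes = b""

def relay_decision(packet: bytes, cfg: RelayConfig) -> RelayResult:
    """Decide what the relay agent does with one client packet received on its interface."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = BOOTP_HDR.unpack_from(packet)
    if op != BOOTREQUEST:
        return RelayResult(False, "not a BOOTREQUEST; replies are not sent to servers")
    if hops >= cfg.hop_threshold:  # assumed >=; RFC 1542 only fixes the hard limit of 16 hops
        return RelayResult(False, "hop count threshold exceeded")
    if secs < cfg.boot_threshold:  # give a DHCP server on the local segment first chance to answer
        return RelayResult(False, "below boot threshold; not relayed yet")
    if gi == b"\0\0\0\0":          # the first relay on the path records its own interface address
        gi = IPv4Address(cfg.interface_ip).packed
    hdr = BOOTP_HDR.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi)
    return RelayResult(True, "relayed", cfg.dhcp_servers, hdr + packet[BOOTP_HDR.size:])

def make_discover(hops: int = 0, secs: int = 0, xid: int = 0x1234) -> bytes:
    """Constructed sample BOOTREQUEST header (client address fields zero, broadcast flag set)."""
    zero = b"\0" * 4
    return BOOTP_HDR.pack(BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000, zero, zero, zero, zero)
```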

Active Directory Replication

As mentioned in an earlier section, the Active Directory database is replicated between domain controllers. The data replicated between controllers is also called a "naming context". Once a domain controller has been established, only the changes are replicated. Active Directory uses a multimaster model, which means changes can be made on any controller and are then sent to all other controllers. The replication path in Active Directory forms a ring, which adds reliability to the replication.

How Replication is tracked

  • USN - Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented. This number is different on each domain controller.
  • Stamps - Each object has a stamp with the version number, timestamp, and the GUID of the domain controller where the change was made
Domain controllers each contain a "replica" which is a copy of the domain directory. The "directory update type" indicates how the data is replicated. The two types are:
  • Origination update - A change made by an administrator at the local domain controller.
  • Replicated update - A change made to the replica because of a replication from a replication partner.

Replication Sequence

Terms:
  • Latency - The required time for all updates to be completed throughout all domain controllers on the network domain or forest.
  • Convergence - The state at which all domain controllers have the same replica contents of the Active directory database.
  • Loose consistency - The state at which all changes to the database are not yet replicated throughout all controllers in the database (not converged).
  1. A change is made to the Active Directory database on a domain controller. The changed attribute of the object and the new USN are written to the database; the entire object is NOT replicated. This is called an atomic operation because either both changes are done or neither is. This is an origination update. There are four types:
    • Add - An object is added to the database.
    • Delete - An object is deleted from the database.
    • Modify - An object in the database has its attributes modified.
    • Modify DN - An object is renamed or moved to another domain.
  2. The controller on which the change was made (after five minutes of stability) notifies its replication partners that a change was made. It sends a change notification to these partners, but only notifies one partner every 30 seconds so that it is not overwhelmed with update requests. Each controller, in turn, when it is updated, sends a change notice to its own replication partners.
  3. The replication partners each send an update request with a USN to the domain controller that the change was made on. The USN identifies the current state of the domain controller making the change. Each change has a unique USN. This way the domain controller that has the change knows the state of the domain controller requesting the changes and only the changes are required to be sent. The time on each controller, therefore, does not need to be synchronized exactly although timestamps are used to break ties regarding changes.
Changes are made through replication partners until all partners are replicated. At some point, replication partners will attempt to replicate to partners that are already updated. This is where propagation dampening is used. If no changes have been performed in six hours, replication procedures are performed anyway to be sure no information has been missed. Information sent during an update includes:
  • Updated object
  • The GUID and USN of the domain server with the originating update.
  • A local USN of the update on the updated object.

Replication Path

The path that replicated Active Directory data travels between domain controllers across an enterprise is called the replication topology. Connection objects are used to define the replication paths between domain controllers. Active Directory, by default, sets up a two-way ring replication path. The data can travel in both directions around the ring, which provides redundancy and reliability. Two types of replication occur in the path:
  • Direct replication - When replication is done from a primary source of data.
  • Transitive replication - When replication is done from a secondhand or replicated source of data.
The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates the replication topology by specifying what domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all site domain controllers and updates go through no more than three connections. Also an administrator can configure connection objects. The KCC uses information provided by the administrator about sites and subnets to automatically build the Active Directory replication topology.
The usnChanged parameter is the highest USN number for any object.

Replication Partitions

Types of Active Directory data storage categories which are called partitions:
  • Schema partition - Defines rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
  • Configuration partition - Information about the forest directory structure is defined including trees, domains, domain trust relationships, and sites (TCP/IP subnet group). Replicated to all domain controllers in the forest, it is known as an enterprise partition.
  • Domain partition - Has complete information about all domain objects (Objects that are part of the domain including OUs, groups, users and others). Replicated only to domain controllers in the same domain.
  • Partial domain directory partition - Has a list of all objects in the directory with a partial list of attributes for each object.
These partitions are all replicated between domain controllers by Active directory. Different partitions may be replicated between different replication partners.

Replication Conflict:  Replication conflict occurs when changes are made to the same object and attribute before the changes can be replicated throughout all domain controller's copies of the database. Additional data (metadata) stored for each object attribute includes (not related to USN):

  • Time stamp of the last change.
  • Attribute version number - For each object's attributes, this value is the same on all domain controllers.
When an Active Directory database update is received on a domain controller, one of the following happens:
  • If the update attribute version number is higher than the current version number on the controller, the new value of the attribute is stored and the version number is updated.
  • If the update attribute version number and stored attribute version number are the same, timestamps are used to resolve the conflict.
  • If both version numbers and both timestamps are the same, the update from the controller with the highest GUID is used.
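The USN-based replication sequence described under "Replication Sequence" and the three conflict-resolution rules just listed, as an added Python simulation that is not code from the page or from Windows: each controller assigns USNs to its own writes, a partner pulls only changes above the USN watermark it last saw, and an incoming value is accepted only if it wins on version number, then time stamp, then originating GUID. Controller names, the integer clock and the reduction of the up-to-dateness vector to this metadata comparison (which is what stops an update bouncing back, i.e. propagation dampening) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Attr:
    """Replication metadata kept for one attribute value on one replica."""
    value: str
    version: int       # attribute version number, bumped on every originating write
    timestamp: int     # time stamp of the last change (constructed integer clock)
    origin_guid: str   # GUID of the domain controller where the originating update was made
    origin_usn: int    # USN the originating controller assigned to the update
    local_usn: int     # USN this replica assigned when it wrote the value

class DomainController:
    def __init__(self, guid: str):
        self.guid, self.usn = guid, 0
        self.store = {}      # (dn, attribute) -> Attr: this controller's replica
        self.watermark = {}  # partner guid -> highest partner USN already pulled

    def originating_update(self, dn, attribute, value, timestamp):
        """Administrator change: only this attribute and a new USN are written, atomically."""
        self.usn += 1
        old = self.store.get((dn, attribute))
        version = old.version + 1 if old else 1
        self.store[(dn, attribute)] = Attr(value, version, timestamp, self.guid, self.usn, self.usn)

    def changes_since(self, usn):
        """Answer an update request: send only changes newer than the partner's USN, in USN order."""
        newer = [(k, a) for k, a in self.store.items() if a.local_usn > usn]
        return sorted(newer, key=lambda ka: ka[1].local_usn)

    def apply_replicated(self, key, inc):
        """Replicated update: accept only if it wins on version, then time stamp, then GUID."""
        cur = self.store.get(key)
        if cur and (inc.version, inc.timestamp, inc.origin_guid) <= (cur.version, cur.timestamp, cur.origin_guid):
            return False  # stale or identical copy is dropped, so it cannot bounce back (dampening)
        self.usn += 1
        self.store[key] = Attr(inc.value, inc.version, inc.timestamp, inc.origin_guid, inc.origin_usn, self.usn)
        return True

    def pull_from(self, partner):
        """Send an update request carrying the watermark USN; returns how many changes were applied."""
        applied = 0
        for key, attr in partner.changes_since(self.watermark.get(partner.guid, 0)):
            applied += int(self.apply_replicated(key, attr))
            self.watermark[partner.guid] = attr.local_usn
        return applied
```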

 

File Replication Service: In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy information, which is replicated to all local domain controllers. The File Replication Service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the File Replication Service schedule.

Intrasite Replication:  Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires. Replication between two sites may need to be sent over a slower WAN link or leased line. Intrasite replication data is sent uncompressed.

Site replication is done using Remote Procedure Call (RPC). If a change is made, replication occurs within five minutes, and replication is done every six hours if no changes were made. Domain controllers that receive updates replicate that information to other domain controllers on their route list. All changes are therefore completed within a site within 15 minutes since there can only be three hops. The topology used here is the ring topology talked about earlier and this replication is automatically set up by Active Directory, but may be modified by an administrator.
DNS Replication:  The DNS IP address and computer name are stored in Active Directory for Active Directory-integrated DNS zones and replicated to all local domain controllers. DNS information is not replicated to domain controllers outside the domain.

Intersite Replication:  Intersite replication is replication between sites and must be set up by an administrator.

Replication Management: The administrative tool "Active Directory Sites and Services" is used to manage Active Directory replication. Replication data is compressed before being sent to minimize bandwidth use. There are two protocols used to replicate AD:

  • Normally Remote Procedure Call (RPC) is used to replicate data and is always used for intrasite replication since it is required to support the FRS. RPC depends on IP (internet protocol) for transport.
  • Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.
SMTP can't replicate the domain partition, however. Therefore the remote site would need to be in another domain to be able to effectively use SMTP for carrying replication data.
Bridgehead server - A domain controller that is used to send replication information to one or more other sites.

Q. What are the third-party backup tools? IBM Tivoli, VERITAS, Netvault


FSMO roles and how they work

Operations master role: Schema master
Consequences if role is unavailable: You cannot make changes to the schema.
Risk of improper restoration: Conflicting changes can be introduced to the schema if both schema masters attempt to modify the schema at the same time. This can result in a fragmented schema.
Recommendation for returning to service after seizure: Not recommended. Can lead to a corrupted forest.

Operations master role: Domain naming master
Consequences if role is unavailable: You cannot add or remove domains from the forest, add or remove application directory partitions, or perform domain rename operations.
Risk of improper restoration: You cannot add or remove domains or application directory partitions, or clean up metadata. Domains and application directory partitions might appear as though they are still in the forest even though they are not.
Recommendation for returning to service after seizure: Not recommended. Can lead to data corruption.

Operations master role: PDC emulator
Consequences if role is unavailable: You cannot change passwords on clients that do not have Active Directory client software installed. No replication to Windows NT 4.0 backup domain controllers.
Risk of improper restoration: Password validation can randomly pass or fail. Password changes take much longer to replicate throughout the domain.
Recommendation for returning to service after seizure: Allowed. User authentication can be erratic for a time, but no permanent damage occurs.

Operations master role: Infrastructure master
Consequences if role is unavailable: Delays displaying updated group membership lists in the user interface when you move users from one group to another within a single domain.
Risk of improper restoration: Displays incorrect user names in group membership lists in the user interface after you move users from one group to another.
Recommendation for returning to service after seizure: Allowed. May impact the performance of the domain controller hosting the role, but no damage occurs to the directory.

Operations master role: RID master
Consequences if role is unavailable: Eventually, domain controllers cannot create new directory objects as each of their individual RID pools is depleted.
Risk of improper restoration: Duplicate RID pools can be allocated to domain controllers, resulting in data corruption in the directory. This can lead to security risks and unauthorized access.
Recommendation for returning to service after seizure: Not recommended. Can lead to data corruption.

Operations master and its scope:
Schema Master: Forestwide
Domain Naming Master: Forestwide
Primary Domain Controller (PDC) Emulator: Specific to a domain
Relative Identifier (RID) Master: Specific to a domain
Infrastructure Master: Specific to a domain
