Tuesday, 30 April 2013

Protecting Container from Accidental Deletion is enable by default when the OU is created



Protecting Container from Accidental Deletion is enable by default when the OU is created. The option can be viewed in the new OU creation wizard.

To remove the protection:

1. Enable the Active Directory Users and Computers advanced feature view mode

Right click the Domain node in AD users and Computers--->View--->Advanced Features

2. Remove the explicit Deny ACEs for the Delete and Delete Subtree advanced permissions for the Everyone group.

Right click the specific OU--->Properties--->Security--->Advanced--->Everyone--->Edit--->Remove the explicit Deny ACEs for the 'Delete' and 'Delete Subtree' permission

Global Catalog Servers



Every domain controller in a forest stores three full writable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A Global Catalog is a domain controller that stores these writable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. The Global Catalog is built automatically by the Active Directory replication system.
All of the directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (Ntds.dit) on that server. There is no separate storage area for Global Catalog attributes; they are treated as additional information in the domain controller directory database.
When a new domain is added to the forest, the information about the new domain is stored in the configuration directory partition, which reaches the Global Catalog server (and all domain controllers) through replication of forest-wide information. When a new Global Catalog server is designated, this information is also stored in the configuration directory partition and replicated to all domain controllers in the forest.

Operations master roles


Operations master roles
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform in using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.
In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.
Note
  • The operations master roles are sometimes called flexible single master operations (FSMO) roles. 
Forest-wide operations master roles
Every forest must have the following roles:
  • Schema master
  • Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema master
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the entire forest.
Domain naming master
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest.
Note
  • Any domain controller running Windows Server 2003 can hold the role of the domain naming master. A domain controller running Windows 2000 Server that holds the role of domain naming master must also be enabled as a global catalog server.
Domain-wide operations master roles
Every domain in the forest must have the following roles:
  • Relative ID (RID) master
  • Primary domain controller (PDC) emulator master
  • Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
PDC emulator master
The PDC emulator master processes password changes from client computers and replicates these updates to all domain controllers throughout the domain. At any time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
The PDC emulator role is used in the following ways:
  • To provide consistent password experience for users across sites (can be turned off with AvoidPdcOnWan registry parameter) - The PDC emulator is used as a reference DC to double-check incorrect passwords and it also receives new password changes. When the PDC is reachable, users can use a new password immediately and consistently across the environment. As a preferred point of administration for services (examples are Group Policy and Distributed File System, DFS)
  • As a point of contact for applications hard-coded to the PDC (often written for Windows NT 4.0 and older domains) - The legacy API often used for this is NetGetDcName. It is strongly suggested to change applications to use the new API to locate DCs. DsGetDcName by default does not target the PDC, and has more options that allows you to pick the type of DC needed to perform the operation. As a default time server for all other DCs in the domain - The time server configuration of a PDC requires manual consideration and should be reviewed when you change the owner of the PDC role.
The domain controller configured with the PDC emulator role supports two authentication protocols:
  • The Kerberos V5 protocol
  • The NTLM protocol
Infrastructure master
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important
  • Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

    In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

Role
Console in MMC
Schema master
Active Directory Schema
Domain naming master
Active Directory Domains and Trusts
RID master 
Active Directory Users and Computers 
PDC emulator master
Active Directory Users and Computers
Infrastructure master
Active Directory Users and Computers

Difference between Server 2003 and 2008?



1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.) 
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server)
3. Better security. 
4. Role-based installation. 
5. Read Only Domain Controllers (RODC). 
6. Enhanced terminal services. 
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies. 
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7 .
10. Bitlocker - System drive encryption can be a sensible security measure for servers located in remote branch offices. >br> The main difference between 2003 and 2008 is Virtualization, management. 2008 has more in-build components and updated third party drivers. 
11. Windows Aero.

AD Domain Server Backup & Restore


AD Domain Server Backup & Restore

Three AD server backup  type are
1.       Full Server backup
A full server backup is a backup of every volume on the server.

2.       critical-volumes backup includes all files on the volumes that are required to recover AD Domain services.

3.       System State data
·         Registry.
·         COM+ class registration database.
·         Boot files, including system files.
·         Certificate Services database.
·         Active Directory Domain Services.
·         SYSVOL directory.
·         Cluster Service information.
·         Microsoft Internet Information Services (IIS) meta-directory.
·         System files that are under Windows File Protection (WFP).



You can schedule full server backups and critical-volume backups by using Windows Server Backup or Wbadmin.exe. A full server backup captures all the volumes on the server except the volume where the backup job is stored. The recommended method for backing up a domain controller is to use the wbadmin start systemstatebackup command. You can also use the wbadmin start backup command to perform a critical-volumes backup of a domain controller. A critical-volumes backup includes all files on the volumes that are required to recover AD DS. You can use a critical-volumes backup or a system state backup to perform a nonauthoritative restore of a domain controller.
 You must restart the domain controller in Directory Services Restore Mode (DSRM) to perform a nonauthoritative restore. Then, use thewbadmin start systemstaterecovery command to perform the nonauthoritative restore.
Authoritative restore provides a method of recovering objects and containers that have been deleted from AD DS. Authoritative restore is a four-step process:
  1. Start the domain controller in DSRM.
  2. Restore the desired backup, which is typically the most recent backup.
  3. Use Ntdsutil.exe to mark desired objects, containers, or partitions as authoritative.
  4. Restart in normal mode to propagate the changes.

Performing a Full Server Recovery of a Domain Controller


When you perform a full server recovery, you recover all volumes from the backup set to the server. The procedure to perform full server recovery of a domain controller is the same as for any server running Windows Server 2008. Whenever you perform a full server recovery of a domain controller, you perform a nonauthoritative restore of Active Directory Domain Services (AD DS).
You can use these procedures to perform full server recovery of a domain controller by using Windows Complete PC Restore (a graphical user interface (GUI) tool) and Wbadmin.exe from the command line.
Full server recovery of a domain controller has the following requirements:
  • You must have a full server backup available. This type of backup contains all volumes that were on the server at the time that you made the backup.
  • You can store the backup on a separate, internal or external hard drive or a DVD. If you performed a manual backup, you can perform a full server recovery from a network shared folder.
    • You must have the Windows Server 2008 operating system DVD or have Windows RE installed on a different partition than the critical partitions that are used by the domain controller that you are restoring.
    • If you are recovering to new hardware, the new hardware must provide enough storage capacity to recover all volumes. In other words, the hard drives that you are recovering data to must be as large as—or larger than—the drives that are included in the backup set.
    You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore.
    There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
    1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
    2. When you are prompted, press a key to start from the DVD.
    3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
    4. At the Install now screen, click Repair your computer.
    5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
    6. Under Choose a recovery tool, click Windows Complete PC Restore.
    7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
    8. Click Restore a different backup, and then click Next.
    9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
      1. If the backup is stored on the local computer, select the location of the backup, and then click Next.

        Or
      2. If the backup is stored on a network shared folder, click Advanced, and then click Search for a backup on the network.
      3. Click Yes to confirm that you want to connect to the network.
      4. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
      5. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
      6. On the Select the location of the backup page, click the location of the backup, and then click Next.
    10. Click the backup to restore, and then click Next.
    11. If you want to replace all data on all volumes, regardless of whether they are included in the backup, on the Choose how to restore the backup page, select the Format and repartition diskscheck box.
    12. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK.
    13. Click Next, and then click Finish.
    14. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.
    Use the following procedure to perform full server recovery of a domain controller from the command line.
    There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
    1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
    2. When you are prompted, press a key to start from the DVD.
    3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
    4. At the Install now screen, click Repair your computer.
    5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
    6. Under Choose a recovery tool, click Command Prompt.
    7. At the Sources prompt, type diskpart, and then press ENTER.
    8. At the Diskpart prompt, type list vol, and then press ENTER.
    9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore.
      The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008.
    10. Type exit, and then press ENTER.
    11. At the Sources prompt, type the following command, and then press ENTER:
      wbadmin get versions -backupTarget:<targetDrive>:
      -machine:<BackupComputerName>
      Where:
      • <targetDrive>: is the location of the backup that you want to restore.
      • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is required, if the backup is stored on a remote computer.
    12. Identify the version that you want to restore.
      You must enter this version exactly in the next step.
    13. At the Sources prompt, type the following command, and then press ENTER:
      wbadmin start sysrecovery -version:<MM/DD/YYYY-HH:MM>
      -backuptarget:<targetDrive>: -machine:<BackupComputerName>
      -restoreAllVolumes
      Where:
      • <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
      • <targetDrive>: is the drive that contains the backup.
      • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
    14. When you are prompted, press Y to proceed with the restore process.
    15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.

To perform a nonauthoritative restore of Active Directory Domain Services (AD DS)


To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup. For more information about the specific components that are included in a system state backup, see What's New in AD DS Backup and Recovery?.
To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command.
You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use thewbadmin start recovery command.
To perform a nonauthoritative restore, you must start the domain controller in Directory Services Restore Mode (DSRM). When the domain controller starts in DSRM, you must supply the administrator password for DSRM.
If you cannot start the server, you must perform a full server recovery instead of a system state restore. For more information about performing a full server recovery, see Performing a Full Server Recovery of a Domain Controller.
Use either of the following two methods to start the domain controller in DSRM. If you use the Bcdedit.exe command-line tool to have the server restart in DSRM, you must use Bcdedit.exe to restart the server normally after you complete the recovery operation. Members of the Backup Operators group might not be able to use the Bcdedit.exe command-line tool to have the server restart in DSRM.
Method 1: Press F8 to restart in DSRM.
  1. Restart the domain controller.

    Some computers might require you to shut down the computer, rather than restart it, to see the option to start the domain controller in DSRM.
  2. After the boot option menu appears, press F8 to start the domain controller in DSRM.
  3. When the recovery options menu appears, select the option for DSRM.
Method 2: Use Bcdedit.exe to restart in DSRM.
  1. Click Start, click Command Prompt, and then click Run as administrator.
  2. At the command prompt, type the following command, and then press ENTER:

    bcdedit /set safeboot dsrepair
  3. Type the following command, and then press ENTER:

    shutdown -t 0 -r
  4. To restart the server normally after you perform the restore operation, type the following command, and then press ENTER to have the server restart normally:

    bcdedit /deletevalue safeboot

    Type the following command, and then press ENTER:

    shutdown -t 0 -r
You can use this procedure to perform a nonauthoritative restore of AD DS. After replication occurs and is complete, AD DS is recovered on the domain controller.
You can use the DSRM administrator password to either locally or remotely log on to the domain controller that you are restoring. You specify the DSRM password when you install AD DS.
  1. At the Windows logon screen, click Switch User, and then click Other User.
  2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
  3. Click Start, right-click Command Prompt, and then click Run as Administrator.
  4. At the command prompt, type the following command, and then press ENTER:
    wbadmin get versions -backuptarget:<targetDrive>:
    -machine:<BackupComputerName>
    Where:
    • <targetDrive>: is the location of the backup that you want to restore.
    • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
  5. Identify the version that you want to restore.
    You must enter this version exactly in the next step.
  6. At the command prompt, type the following command, and then press ENTER:
    wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM>
    -backuptarget:<targetDrive>: -machine:<BackupComputerName>
    -quiet
    Where:
    • <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
    • <targetDrive>: is the volume that contains the backup.
    • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
    If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup.
    After the recovery operation has completed, if you are not going to perform an authoritative restore of any restored objects, restart the server.