What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft that stores objects such as users, computers, printers and network information. It lets you manage your network effectively with multiple Domain Controllers in different locations, each holding a copy of the AD database: a change made on any Domain Controller is replicated to all other DCs, giving centralized administration across multiple geographical locations. AD also authenticates users and computers in a Windows domain.
What is LDAP and how is LDAP used in Active Directory (AD)?
What is a Tree?
A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.
What is a Domain?
Active Directory Domain Services is Microsoft's directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.
What is an Active Directory Domain Controller (DC)?
A Domain Controller is a server that holds the AD database. All AD changes made on one DC are replicated to the other DCs, and vice versa.
What is a Forest?
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace, but they share a common schema and global catalog (GC).
What is the Schema?
The Active Directory schema is the set of definitions that describe the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.
In other words, the Active Directory schema is the collection of object classes and their attributes, for example:
Object class = User
Attributes = first name, last name, email, and others
Can we restore a schema partition?
Tell me about the FSMO roles.
Schema Master
Domain Naming Master
Infrastructure Master
RID Master
PDC Emulator
Schema Master and Domain Naming Master are forest-wide roles, with only one holder per forest. The other three roles are domain-wide, with one holder per domain.
AD replication is multi-master replication: a change can be made on any Domain Controller and is replicated to the other Domain Controllers. The five roles above are the exception. They are flexible single master operations (FSMO): changes covered by these roles can only be made on the dedicated Domain Controller that holds the role, so for them replication is single-master.
How do you check which server holds which role?
Netdom query FSMO
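As an added example (not from the original page), the same check done with the ActiveDirectory PowerShell module: it lists the five role holders, confirms each one answers a ping, and warns when the Infrastructure Master also holds the Global Catalog in a multi-domain forest. It assumes the RSAT ActiveDirectory module is installed and the session runs in a domain-joined context.

```powershell
# Added example: enumerate FSMO role holders and check their availability.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest   # forest-wide roles live here
$domain = Get-ADDomain   # domain-wide roles live here

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $online = Test-Connection -ComputerName $holder -Count 1 -Quiet
    $state  = if ($online) { 'online' } else { 'UNREACHABLE' }
    '{0,-22} {1,-40} {2}' -f $role, $holder, $state
}

# The caveat from the page: in a multi-domain forest the Infrastructure
# Master compares its data against the GC, so it should not itself be a GC.
$im = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
    Write-Warning "Infrastructure Master $($im.HostName) is also a Global Catalog"
}
```

Run it on a schedule or as part of a DC health check so that an unreachable PDC Emulator is noticed before users report logon problems.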
Which FSMO role is the most important? And why?
This is an interesting question: which of the 5 FSMO roles is the most important, or which role's failure will impact end users immediately?
Most amateur administrators pick the Schema Master role, perhaps because they think the schema is critical to running Active Directory.
The correct answer is the PDC Emulator. To explain why, let's go role by role and see what happens when each FSMO role holder fails.
Schema Master – The Schema Master is needed to update the schema. We don't update the schema daily; when do we update it? During an operating system migration, when installing a new Exchange version, or for any other application that requires extending the schema.
So if the Schema Master server is not available, we cannot update the schema, but this will not affect Active Directory operation or the end user.
The Schema Master only needs to be online and ready when we want to make a schema change, which we can plan for, so we have more time to bring the Schema Master server back.
Domain Naming Master – The Domain Naming Master is required to create a new domain or a new application partition. As with the Schema Master, we don't create domains and application partitions frequently.
So if the Domain Naming Master server is not available, we cannot create a new domain or application partition, but this does not affect users; users will not even be aware that the Domain Naming Master server is down.
Infrastructure Master – The Infrastructure Master handles cross-domain updates. What really gets updated between domains? Whenever a user logs on to the domain, a TGT is created with the list of access the user has through group membership (the user's group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates reference information every 2 days by comparing its data with the Global Catalog (that's why we don't keep the Infrastructure Master and the GC on the same server).
In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.
In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects the end user.
RID Master – Every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to create new objects in Active Directory: every new object is created with a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.
When a DC's pool gets down to 250 (50%), it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, no new RID pools can be issued to DCs, and each DC can only create new objects while it still has RIDs available. Since every DC has anywhere between 250 and 750 RIDs available at any time, there is no immediate impact.
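To make the SID/RID relationship and the per-DC pool concrete, here is an added example (not from the original page) that splits a SID into its domain identifier and RID, then reads the pool a DC was issued by the RID Master. It assumes the ActiveDirectory module; the function names are the author's own and the sample SID is constructed.

```powershell
# Added example: inspect RIDs. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Hypothetical helper: the RID is the last sub-authority of the SID,
# everything before it identifies the issuing domain.
function Split-Sid {
    param([string]$Sid)
    $parts = $Sid.Split('-')
    [pscustomobject]@{
        DomainSid = ($parts[0..($parts.Count - 2)] -join '-')
        Rid       = [uint32]$parts[-1]
    }
}

# Constructed sample SID: DomainSid S-1-5-21-1111111111-2222222222-3333333333, Rid 1105
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Hypothetical helper: each DC keeps its current pool in the rIDAllocationPool
# attribute of its "RID Set" object. The low 32 bits of that 64-bit value are
# the first RID of the pool and the high 32 bits are the last; rIDNextRID is
# the next RID the DC will hand out.
function Get-DcRidPool {
    param([string]$DcName)
    $computer = Get-ADComputer -Identity $DcName -Properties rIDSetReferences
    $ridSet   = Get-ADObject -Identity $computer.rIDSetReferences[0] `
                             -Properties rIDAllocationPool, rIDNextRID
    $pool     = [uint64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $DcName
        PoolStart = [uint32]($pool -band 0xFFFFFFFF)
        PoolEnd   = [uint32]($pool -shr 32)
        NextRid   = $ridSet.rIDNextRID
        Remaining = [uint32]($pool -shr 32) - [uint32]$ridSet.rIDNextRID
    }
}

# Report the pool of the DC this session is talking to.
Get-DcRidPool -DcName (Get-ADDomainController).Name
```

A DC whose Remaining value keeps falling while the RID Master is unreachable is the early warning the paragraph above describes.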
PDC Emulator – The PDC Emulator is required for time synchronization, user logon, password changes and trusts. Now you know why the PDC Emulator is the most important FSMO role holder to get back online: losing it impacts the end user immediately, so we need to recover it ASAP.
The PDC Emulator emulates a Primary Domain Controller for backwards compatibility and is responsible for time synchronization within the domain; it is also the password master. Any password change is replicated to the PDC Emulator ASAP. If a logon request fails due to a bad password, the logon request is passed to the PDC Emulator to check the password before the logon request is rejected.
Tell me about the Active Directory database and list the Active Directory database files.
NTDS.DIT
EDB.Log
EDB.Chk
Res1.log and Res2.log
AD changes are not written directly to the NTDS.DIT database file. They are first written to EDB.Log and then from the log file to the database. EDB.Chk is used to track which database updates from the log file have already been copied to the database file.
NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %SystemRoot%\NTDS\ntds.dit. The Active Directory database engine is the Extensible Storage Engine, which is based on the Jet database.
EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log, where num is an increasing number starting from 1, e.g. EDB1.Log.
EDB.Chk: EDB.Chk is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log: Res files are reserved transaction log files that give the transaction log enough time to shut down cleanly if the disk runs out of space.
What are the Active Directory restore types?
Authoritative restore
Non-authoritative restore
Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of the backup, and then allows normal replication to overwrite the restored domain controller with any changes that occurred after the backup. After the system state restore, the domain controller queries its replication partners and receives the changes made since the backup date, to ensure that it has an accurate and up-to-date copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory: a plain restore of the system state is a non-authoritative restore, and it is mostly used to recover from Active Directory data loss or corruption on that DC.
How do you perform a non-authoritative restore?
Start the domain controller in Directory Services Restore Mode and perform a system state restore from backup.
Authoritative restore of Active Directory
An authoritative restore is the next step after the non-authoritative restore process: you must do a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore can increment the version numbers of the attributes of all objects, or of an individual object, in the restored directory, which makes the restored object authoritative in the directory. This can be used to restore a single deleted user or group, or even an entire OU.
In a non-authoritative restore, after a domain controller is back online it contacts its replication partners to determine any changes since the time of the last backup. In an authoritative restore, however, the version numbers of the attributes of the objects you mark as authoritative are raised above the existing version numbers of those attributes, so the objects on the restored domain controller appear to be more recent and the restored objects are replicated to the other domain controllers in the domain.
How do you perform an authoritative restore?
Unlike a non-authoritative restore, an authoritative restore requires Ntdsutil.exe to increment the version numbers of the object attributes.
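The sequence described above as an added worked example (not from the original page): boot into DSRM, do the non-authoritative system state restore, then mark one deleted OU authoritative with ntdsutil. The OU name and the backup version identifier are placeholders you would replace with your own values.

```powershell
# Added example: authoritative restore of a single deleted OU.
# Run as a Domain Admin on the DC being restored; values below are placeholders.
$deletedOu = 'OU=Sales,DC=corp,DC=example,DC=com'   # constructed placeholder DN

# 1. Boot the DC into Directory Services Restore Mode (applies on next reboot).
bcdedit /set safeboot dsrepair
Restart-Computer

# 2. In DSRM, log on with the DSRM password and restore the system state
#    from the chosen backup. This is the non-authoritative restore.
wbadmin get versions                                  # pick a version identifier
wbadmin start systemstaterecovery -version:<VersionIdentifier> -quiet

# 3. Still in DSRM: mark the OU authoritative. ntdsutil raises the version
#    numbers of the attributes in that subtree so replication partners accept
#    the restored copy instead of overwriting it.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $deletedOu" quit quit

# 4. Return to normal boot; the DC will pull all other changes made since the
#    backup from its replication partners, while the marked OU replicates outward.
bcdedit /deletevalue safeboot
Restart-Computer
```

Use "restore object" instead of "restore subtree" for a single user or group; only objects in the domain and configuration partitions can be restored this way.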
Which Active Directory partitions can be restored?
You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.
How many domain controllers need to be backed up? Or which domain controllers should be backed up?
The minimum requirement is to back up two domain controllers in each domain, and one of them should be an operations master role holder. There is no need to back up the RID Master (relative ID master), because the RID Master should not be restored.