http://ajtech.blogspot.com/2007/12/quick-understanding-of-active-directory.html

1. What is Active Directory?

Active Directory is Microsoft's implementation of LDAP, used on the Windows Server platform since the post-NT releases and built around DNS. It is a distributed, hierarchical directory service that stores information about the resources on the network and provides the means for managing and controlling those resources and for authenticating and authorizing access to them.

2. What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It provides simple read and write access to a directory over a transport protocol such as TCP, and is similar to, but lighter than, X.500. Like an RDBMS, LDAP follows a client-server model, and the directory is a top-down hierarchical structure. Microsoft Active Directory and Novell Directory Services (NDS) are the best-known LDAP implementations. LDAP listens on port 389.

3. Where is the AD database held? What other folders are related to AD?

Active Directory's physical database file is ntds.dit in %systemroot%\ntds (ntds – NT Directory Service, dit – Directory Information Tree); it resides on every domain controller. Active Directory uses the database engine called the Extensible Storage Engine (ESE), also referred to as Microsoft Jet DB; ESE is the actual database engine underneath Active Directory. ESE first records each transaction in the log file Edb.log and then writes it to ntds.dit, which keeps the database consistent. The engine itself lives in ESent.dll. Other files related to Active Directory are:
- edbxxx.log – auxiliary log files that come into use when edb.log is full.
- Edb.chk – the checkpoint file used by the transaction logging system to mark which updates have already been transferred to ntds.dit.
- Res1.log / Res2.log – reserve log files used when disk space is full and edbxxx.log can no longer be written.
- Temp.edb – a scratch pad that stores information about the transaction currently in progress.
- Schema.ini – the file used to initialize ntds.dit.

4. What is the SYSVOL folder?

%systemroot%\SYSVOL is a folder that resides on every domain controller; it stores the elements of the Group Policy Objects defined in Active Directory, as well as scripts such as logon scripts. A change made to SYSVOL on one domain controller is replicated to every other domain controller by the File Replication Service (FRS).

5. What are DSA and Directory Information Tree?

In LDAP, as in X.500, the servers that host copies of the information base are called Directory Service Agents (DSAs). A DSA can host the full information base or only part of it. The portion of the information base that forms a hierarchy is called the DIT. The very top of the hierarchy is a single object that is not part of the LDAP specification; rather, it is defined by the DNS namespace.

6. What is the Naming context in Active Directory? (source: technet)

The Directory Information Base can be separated into parts called naming contexts, or NCs. In Active Directory, each domain represents a separate naming context. Domain controllers in the same domain have a read/write replica of that Domain naming context. Configuration and Schema objects are stored in their own naming contexts, as are DNS Record objects when using Active Directory Integrated DNS zones.

When a client submits a query for information about a particular object, the system must determine which DSA hosts the naming context that contains the particular object. It does this using the object’s distinguished name and knowledge about the directory topology.

If a DSA cannot respond to a query using information in the naming contexts it hosts, it sends the client a referral to a DSA hosting the next higher or lower naming context in the tree (depending on the distinguished name of the object in the search). The client then submits the request to a DSA hosting the naming context in the referral. This DSA either responds with the information being requested or a referral to another DSA. This is called walking the tree.

DSAs that host copies of the same naming context must replicate changes to each other. It is important to keep this in mind as you work with Active Directory servers. If you have separate domains, clients in one domain must walk the tree to get access to Active Directory objects in another domain. If the domain controllers for the domains are in different locations on the WAN, this can slow performance. Many of the architectural decisions you will make as you design your system focus on the location, accessibility, and reliability of naming contexts.
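As an added example (not part of the original post or the quoted TechNet text), the PowerShell below reads the naming contexts a domain controller advertises in its rootDSE, classifies each one as schema, configuration, domain or application partition, and lists which DCs of the current domain hold a replica of it. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function and parameter names are my own.

```powershell
# Added example: map naming contexts (NCs) to the DCs that replicate them.
# Assumes the RSAT ActiveDirectory module is installed and a DC is reachable.
Import-Module ActiveDirectory

function Get-NamingContextReplicas {
    param([string]$Server)   # optional DC to query; omit to let the module discover one
    $srv = @{}
    if ($Server) { $srv.Server = $Server }

    # rootDSE is the unnamed top object; namingContexts lists every NC this DC holds
    $rootDse = Get-ADRootDSE @srv
    # Note: -Filter * returns the DCs of the current domain only, so replica lists
    # for the schema/configuration NCs cover this domain's DCs, not the whole forest
    $dcs     = Get-ADDomainController -Filter * @srv

    foreach ($nc in $rootDse.namingContexts) {
        if     ($nc -eq $rootDse.schemaNamingContext)        { $kind = 'Schema' }
        elseif ($nc -eq $rootDse.configurationNamingContext) { $kind = 'Configuration' }
        elseif ($nc -eq $rootDse.defaultNamingContext)       { $kind = 'Domain (this DC''s default)' }
        elseif ($nc -like 'DC=*DnsZones,*')                  { $kind = 'Application (AD-integrated DNS)' }
        else                                                 { $kind = 'Other domain or application NC' }

        [pscustomobject]@{
            NamingContext = $nc
            Kind          = $kind
            # Partitions lists every NC a DC holds, i.e. the set of DSAs that must
            # replicate this NC with each other
            Replicas      = (@($dcs | Where-Object { $_.Partitions -contains $nc }).HostName) -join ', '
        }
    }
}

Get-NamingContextReplicas | Format-Table -AutoSize -Wrap
```

A DC whose rootDSE does not list a given domain NC cannot answer queries for that domain directly; it has to refer the client, which is the "walking the tree" behaviour described above.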


7. What is the Global Catalog?

The Global Catalog is the central repository that stores a partial replica of every object in the directory, but with only a few attributes, known as the Partial Attribute Set (PAS). The information stored in the Global Catalog is read-only. However, a GC server also stores full, writable copies of the schema and configuration directory partitions, the same as any domain controller. By default the first DC in the first domain in the first tree of an AD forest is configured as a GC. Another DC can be made a global catalog server from the Active Directory Sites and Services snap-in. When a client sends a search to a GC server, the query is directed to port 3268, which indicates that Global Catalog semantics are required.

8. How do you view all the GCs in the forest?

From AD Sites and Services, or, the easiest way, with nslookup gc._msdcs.%USERDNSDOMAIN%.
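The following PowerShell is an added example (not code from the original post) that enumerates the GCs of the forest three ways, as the two answers above describe, and then checks that each advertised GC actually answers on the Global Catalog port 3268. It assumes the RSAT ActiveDirectory module and working DNS; the function name is my own. One caveat it encodes: the gc._msdcs records live under the forest root DNS name, which in a multi-domain forest is not necessarily the user's own domain from %USERDNSDOMAIN%.

```powershell
# Added example: list global catalog servers and verify the GC port (3268).
# Assumes the RSAT ActiveDirectory module and DNS resolution of the forest root.
Import-Module ActiveDirectory

function Get-GlobalCatalogStatus {
    $forest = Get-ADForest

    # 1. The forest object's own list of GCs
    $fromForest = @($forest.GlobalCatalogs)

    # 2. DCs whose isGlobalCatalog flag is set
    $fromDcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                 Select-Object -ExpandProperty HostName)

    # 3. What clients see in DNS: A records under gc._msdcs.<forest root>
    $fromDns = @(Resolve-DnsName -Name "gc._msdcs.$($forest.RootDomain)" -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress } |
                 Select-Object -ExpandProperty IPAddress)

    foreach ($gc in ($fromForest + $fromDcs | Sort-Object -Unique)) {
        # Port 3268 is the plain-LDAP GC port; a GC that does not listen there is not usable by clients
        $probe = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
        [pscustomobject]@{
            GlobalCatalog = $gc
            InForestList  = $fromForest -contains $gc
            FlagOnDC      = $fromDcs -contains $gc
            InDns         = $fromDns -contains $probe.RemoteAddress.ToString()
            Port3268Open  = $probe.TcpTestSucceeded
        }
    }
}

Get-GlobalCatalogStatus | Format-Table -AutoSize
```

A row where FlagOnDC is true but InDns or Port3268Open is false points at a GC that is configured but not usable (DNS registration or service problem), which is the kind of mismatch that shows up as slow logons or failed universal group lookups.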

9. Why not make all DCs in a large forest as GCs?

If too many DCs are configured as GC servers, the replication overhead between the DCs across the forest increases.

10. Trying to look at the Schema, how can I do that?

From the Active Directory Schema snap-in.

11. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

These are all AD tools. LDP (ldp.exe) – a GUI LDAP client for browsing, searching and editing directory objects; Replmon – replication monitoring and troubleshooting; ADSIEdit – editing objects in Active Directory; NETDOM – managing domains and trust relationships; REPADMIN – diagnosing replication issues between domain controllers.

12. What are sites? What are they used for?

Sites in Active Directory represent the physical network structure of Active Directory, defined by one or more subnets. Each site in Active Directory corresponds to a well-connected network; sites are sometimes referred to as the physical structure of AD. Sites are created according to locations and connection quality, and a site can include one or more domains. Creating sites lets you control replication traffic over WAN links; in this way, sites help define AD's replication topology.

13. What is Site Link?

A site link defines a connection between two or more sites. Site links are configured under one of two transport protocols, IP and SMTP. The default and most commonly used protocol is IP, for reliable connections; SMTP is often used over poor network connections.

14. What is Cost in Site Link?

Cost is a metric between 1 and 32,767; it is just a number used to compare the relative cost of one site link against the others. The lower the cost, the more favorable the path. The default cost for a site link is 100, and if there is only one site link there is no need to worry about the cost.

15. What’s the difference between a site link’s schedule and interval?

The schedule lets you specify the weekdays or hours during which the site link is available for replication; within that window, replication happens at the given interval. The interval is the recurrence of intersite replication, in minutes; it ranges from 15 to 10,080 minutes. The default interval is 180 minutes.
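As an added example for the three site-link questions above (not code from the original post), the PowerShell below reads the site links with their cost and replication interval, and includes a least-cost path function showing which route intersite replication prefers when several links exist. The three sample site links at the bottom are constructed so the path function runs offline; the live query assumes the RSAT ActiveDirectory module, and all function names are my own.

```powershell
# Added example: site link cost and interval, plus the least-cost path between two sites.

function Get-SiteLinkTable {
    # Live data (requires the RSAT ActiveDirectory module)
    Import-Module ActiveDirectory
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                Cost     = $_.Cost                          # 1..32767, default 100
                Interval = $_.ReplicationFrequencyInMinutes # 15..10080, default 180
                # SitesIncluded holds site DNs; keep just the site name from the first RDN
                Sites    = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
            }
        }
}

function Find-LeastCostPath {
    param(
        [Parameter(Mandatory)] [object[]]$Links,  # objects with Name, Cost, Sites
        [Parameter(Mandatory)] [string]$From,
        [Parameter(Mandatory)] [string]$To
    )
    # Undirected weighted graph: every pair of sites on one link is adjacent at that link's cost
    $edges = @{}
    foreach ($l in $Links) {
        foreach ($a in $l.Sites) {
            if (-not $edges.ContainsKey($a)) { $edges[$a] = @() }
            foreach ($b in $l.Sites) {
                if ($a -ne $b) { $edges[$a] += @{ To = $b; Cost = $l.Cost; Via = $l.Name } }
            }
        }
    }
    # Dijkstra: lower cumulative cost wins, exactly as the cost metric is meant to be read
    $dist = @{ $From = 0 }; $prev = @{}; $done = @{}
    while ($true) {
        $cur = $dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $cur) { break }
        $done[$cur] = $true
        if ($cur -eq $To) { break }
        foreach ($e in $edges[$cur]) {
            $alt = $dist[$cur] + $e.Cost
            if (-not $dist.ContainsKey($e.To) -or $alt -lt $dist[$e.To]) {
                $dist[$e.To] = $alt
                $prev[$e.To] = @{ From = $cur; Via = $e.Via }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }   # sites not connected by any link
    # Walk back from the destination to reconstruct the route
    $hops = @(); $n = $To
    while ($prev.ContainsKey($n)) {
        $hops = @("$($prev[$n].Via) -> $n") + $hops
        $n = $prev[$n].From
    }
    [pscustomobject]@{ From = $From; To = $To; TotalCost = $dist[$To]; Path = $hops -join '; ' }
}

# Constructed sample: hub-and-spoke links at the default cost plus an expensive
# direct branch-to-branch link
$sample = @(
    [pscustomobject]@{ Name = 'HQ-BranchA';      Cost = 100; Sites = @('HQ', 'BranchA') }
    [pscustomobject]@{ Name = 'HQ-BranchB';      Cost = 100; Sites = @('HQ', 'BranchB') }
    [pscustomobject]@{ Name = 'BranchA-BranchB'; Cost = 500; Sites = @('BranchA', 'BranchB') }
)
Find-LeastCostPath -Links $sample -From 'BranchA' -To 'BranchB'
```

With the constructed sample the two-hop route through HQ costs 100 + 100, which is less than the direct 500-cost link, so that is the path reported; on live data pipe Get-SiteLinkTable into the -Links parameter instead of $sample.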


16. What is the KCC?

KCC is the Knowledge Consistency Checker. It creates the connection objects that link the DCs into a common replication topology and dictates the replication routes from one DC to another in an Active Directory forest. The default run interval is 15 minutes. The KCC has two algorithms: the intrasite KCC, which is responsible for the connections within a site, and the Intersite Topology Generator (ISTG), which is responsible for the connections among sites.

17. What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is responsible for the connections among sites. By default, Windows 2003 forest-level functionality holds this role.

18. What is linked value replication?

This is one of the significant changes made in AD 2003. In Windows 2000, when even a slight change was made to a multi-valued attribute, every single value was replicated, clogging network bandwidth. In AD 2003, when a change is made to a single value of a multi-valued attribute, only that single value is replicated. For example, if a new user is added to a security group containing 1000 users, instead of replicating all 1000 members as in Windows 2000, Linked Value Replication replicates only the newly added member.

19. What is cached credential?

When a client machine cannot contact a Global Catalog server in its domain during the logon process, locally cached credentials from the previous successful logon are used to authenticate each unique user to the local machine. This is also known as Domain Cached Credentials and is processed by the Local Security Authority (LSA). By default the number of cached logons is 10, and it can be set from 0 to 50 in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
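As an added example (not code from the original post), the PowerShell below reads that registry value on the local machine and interprets it the way the answer above describes: an absent value means the default of 10 applies, 0 disables cached logons, and 50 is the maximum. The function name is my own.

```powershell
# Added example: read and interpret CachedLogonsCount on the local machine.
function Get-CachedLogonsPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # The value is a REG_SZ, so it arrives as text; absent value => built-in default of 10
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        ConfiguredValue = $raw
        EffectiveCount  = $count
        ExplicitlySet   = $null -ne $raw
        InValidRange    = ($count -ge 0) -and ($count -le 50)
        OfflineLogon    = $count -gt 0   # 0 means domain users cannot log on when no DC/GC is reachable
    }
}

Get-CachedLogonsPolicy
```

The trade-off the value encodes is availability versus exposure: a higher count lets more users log on to a machine that cannot reach the domain, while every cached entry is secret material stored on the local disk.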

20. What are the requirements for installing AD on a new server?

Appropriately configured TCP/IP and DNS.

21. What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

Take a System State backup from another DC and restore it locally on the server that is going to become the next domain controller. Run dcpromo /adv, which will prompt on the next screen for the path of the restored System State backup. This avoids replicating the entire directory over the slow network.

22. How can you forcibly remove AD from a server, and what do you do later?

dcpromo /forceremoval. Although this command removes the domain controller role from the server, you then have to use NTDSUTIL to clean up the server's metadata from the directory.

23. What is tombstone lifetime attribute?

This is the number of days before an object marked for deletion in Active Directory is permanently deleted. The default is 180 days in Windows 2003 with SP1 and 60 days in Windows 2000 and Windows 2003 without SP1. During the tombstone lifetime the object marked for deletion stays in the Deleted Objects container, and every 15 minutes the garbage collector comes along to check whether the tombstone lifetime has expired for any objects; if so, those objects are permanently deleted.

The tombstone lifetime can be changed with the ADSIEdit tool: right-click the CN=Directory Service object (under CN=Windows NT,CN=Services in the Configuration partition) and select Properties, find tombstoneLifetime in the attribute list, click Edit and enter the number of days in the value field. Or you can query the current value with dsquery:
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime
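As an added example (not code from the original post), the PowerShell below reads tombstoneLifetime from the same Directory Service object the dsquery command above targets, treats an unset attribute as the 60-day behaviour the answer describes, and uses the value for the check a practitioner actually needs it for: whether a System State backup is still young enough to restore. It assumes the RSAT ActiveDirectory module; the function names are my own and the backup date at the bottom is a constructed sample.

```powershell
# Added example: read the tombstone lifetime and test a backup's age against it.
# Assumes the RSAT ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                          -Properties tombstoneLifetime
    # If the attribute was never written, AD behaves as if it were 60 days (the pre-SP1
    # default above); forests created with 2003 SP1 or later have 180 written explicitly
    if ($null -eq $dsObj.tombstoneLifetime) { 60 } else { [int]$dsObj.tombstoneLifetime }
}

function Test-BackupRestorable {
    param(
        [Parameter(Mandatory)] [datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupDate        = $BackupDate
        AgeDays           = [math]::Floor($age.TotalDays)
        TombstoneLifetime = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime must not be restored: the restored DC
        # would reintroduce objects the rest of the forest has already garbage-collected
        Restorable        = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

# Constructed sample: a backup taken 75 days ago
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-75)
```

With the constructed 75-day-old backup, Restorable is true in a forest using the 180-day lifetime and false in one still on the 60-day value, which is why the lifetime should be checked before any System State restore, including the dcpromo /adv install-from-backup method described earlier.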
