Archive for January 10, 2010

Problem

You want to rename a domain, for example due to organizational changes, legal restrictions, or because of a merger, acquisition, or divestiture. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires rebooting all domain controllers, member servers, and client computers in the domain!

Solution

Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place, or simply by rebuilding all of the 2000 DCs. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory. The process is not very clean and probably won’t be suitable for most situations, but you can find out more about it in MS KB 292541.

A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level. Although the domain rename procedure is greatly simplified in Windows Server 2003, we highly recommend reading the entire white paper before attempting the procedure, as well as attempting the procedure in a test lab before performing it against a production environment.

Discussion

The domain rename process can accommodate very complex changes to your domain model. You can perform the following types of renames:

  • Rename a domain to a new name without repositioning it in the domain tree.
  • Reposition a domain within a domain tree.
  • Create a new domain tree with a renamed domain.

One thing you cannot do with the domain rename procedure is reposition the forest root domain. You can rename the forest root domain, but you cannot change its status as the forest root domain. Another important limitation to note is that you cannot rename any domain in a forest that has had Exchange 2000 installed, though Exchange Server 2003 is capable of handling domain renames. See the web site mentioned in the solution for more information on other limitations. The rendom.exe utility also includes the gpfixup.exe utility, which corrects references to Group Policy objects after the domain name changes. When working with Exchange 2003, you can also use the xdr-fixup tool to correct Exchange attributes to match the new domain name.

Problem

You want to find the NetBIOS name of a domain. Although Microsoft has moved to using DNS as its primary means of name resolution, the NetBIOS name of a domain is still important, especially for down-level clients that still rely on NetBIOS instead of DNS for name resolution.

Solution

Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. Right-click the domain you want to view in the left pane and select Properties.

The NetBIOS name will be shown in the “Domain name (pre-Windows 2000)” field.

You can also retrieve this information using LDP, as follows:

  1. Open LDP and from the menu, select Connection → Connect.
  2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  3. For Port, enter 389.
  4. Click OK.
  5. From the menu, select Connection → Bind.
  6. Enter credentials of a domain user.
  7. Click OK.
  8. From the menu, select Browse → Search.
  9. For BaseDN, type the distinguished name of the Partitions container (e.g., cn=partitions,cn=configuration,dc=rallencorp,dc=com).
  10. For Scope, select Subtree.
  11. For Filter, enter (crossRef objects carry the domain's DNS name in dnsRoot, as in the command-line and VBScript solutions below):

        (&(objectcategory=crossref)(dnsRoot=<DomainDNSName>)(netbiosname=*))

  12. Click Run.

Using a command-line interface

To find the NetBIOS name of a Windows domain, use the following command:

        > dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter
        "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr
        netbiosname

Or you can use the AdFind utility as follows:

        > adfind -b cn=partitions,cn=configuration,<ForestRootDN>
        -f "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>))" cn netbiosname

Using VBScript

        ' This code prints the NetBIOS name for the specified domain
        ' ------ SCRIPT CONFIGURATION -----
        strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
        ' ------ END CONFIGURATION --------

        ' Bind to RootDSE to discover the Configuration NC, then search the
        ' Partitions container for the crossRef object of the domain.
        set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
        strADsPath = "<LDAP://" & strDomain & "/cn=Partitions," & _
                    objRootDSE.Get("configurationNamingContext") & ">;"
        strFilter = "(&(objectcategory=Crossref)" & _
                     "(dnsRoot=" & strDomain & ")(netBIOSName=*));"
        strAttrs = "netbiosname;"
        strScope = "Onelevel"
        ' Run the ADO query (ADsDSOObject is the ADO provider for LDAP)
        set objConn = CreateObject("ADODB.Connection")
        objConn.Provider = "ADsDSOObject"
        objConn.Open "Active Directory Provider"
        set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
        if objRS.EOF then
            WScript.Echo "No crossRef object found for " & strDomain
        else
            objRS.MoveFirst
            WScript.Echo "NetBIOS name for " & strDomain & " is " & objRS.Fields(0).Value
        end if

Discussion

Each domain has a crossRef object that is used by Active Directory to generate referrals to other naming contexts within an Active Directory forest. Referrals are necessary when a client performs a query, and the domain controller handling the request does not have the matching object(s) in any naming contexts that it has stored locally. The NetBIOS name of a domain is stored in the domain’s crossRef object in the Partitions container in the Configuration NC. Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the domain. The netBIOSName attribute contains the NetBIOS name for the domain.
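The same crossRef lookup in PowerShell, as an added example that is not from the original post: it uses System.DirectoryServices (part of the .NET Framework) rather than ADO, enumerates every domain crossRef in the Partitions container rather than a single one, and escapes a caller-supplied domain name before putting it into the LDAP filter. It assumes a domain-joined machine with a reachable domain controller; the function and parameter names are this example's own.

```powershell
# Added example (not part of the original post). Lists the dnsRoot -> netBIOSName
# mapping of every domain in the forest by reading the crossRef objects in
# CN=Partitions,<Configuration NC>. Assumes a domain-joined host and a reachable DC.

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the RFC 4515 special characters so a caller-supplied name cannot
    # change the structure of the filter (the VBScript above concatenates it raw).
    $Value = $Value -replace '\\', '\5c'     # backslash must be escaped first
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    $Value = $Value -replace "`0", '\00'
    return $Value
}

function Get-DomainNetBiosName {
    param(
        # Optional: restrict the result to one domain, e.g. amer.rallencorp.com.
        # Default (empty) returns all domains in the forest.
        [string]$DnsRoot = ""
    )
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $configNc   = $rootDse.Get("configurationNamingContext")
    $partitions = [ADSI]("LDAP://CN=Partitions," + $configNc)

    # Only domain partitions have a netBIOSName; application partitions such as
    # DomainDnsZones also have crossRef objects but no NetBIOS name, so the
    # (netBIOSName=*) clause filters them out.
    $filter = "(&(objectCategory=crossRef)(netBIOSName=*)"
    if ($DnsRoot) { $filter += "(dnsRoot=" + (ConvertTo-LdapFilterValue $DnsRoot) + ")" }
    $filter += ")"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions, $filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("dnsRoot", "netBIOSName", "nCName"))

    foreach ($result in $searcher.FindAll()) {
        # Result property names come back lower-cased from DirectorySearcher.
        New-Object PSObject -Property @{
            DnsRoot     = [string]$result.Properties["dnsroot"][0]
            NetBiosName = [string]$result.Properties["netbiosname"][0]
            NCName      = [string]$result.Properties["ncname"][0]
        }
    }
}

# All domains in the forest; pass -DnsRoot <DomainDNSName> for a single domain.
Get-DomainNetBiosName | Format-Table DnsRoot, NetBiosName, NCName -AutoSize
```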

This step-by-step article describes how to configure a new Windows Server 2003-based Dynamic Host Configuration Protocol (DHCP) server on a stand-alone server to provide centralized management of IP addresses and other TCP/IP configuration settings for the client computers on a network.

How to Install the DHCP Service

Before you can configure the DHCP service, you must install it on the server. DHCP is not installed by default during a typical installation of Windows Standard Server 2003 or Windows Enterprise Server 2003. You can install DHCP either during the initial installation of Windows Server 2003 or after the initial installation is completed.

How to Install the DHCP Service on an Existing Server

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.
  2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
  3. In the Windows Components Wizard, click Networking Services in the Components list, and then click Details.
  4. In the Networking Services dialog box, click to select the Dynamic Host Configuration Protocol (DHCP) check box, and then click OK.
  5. In the Windows Components Wizard, click Next to start Setup. Insert the Windows Server 2003 CD-ROM into the computer’s CD-ROM or DVD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer.
  6. When Setup is completed, click Finish.

How to Configure the DHCP Service

After you have installed the DHCP service and started it, you must create a scope, which is a range of valid IP addresses that are available for lease to the DHCP client computers on the network. Microsoft recommends that each DHCP server in your environment have at least one scope that does not overlap with any other DHCP server scope in your environment. In Windows Server 2003, DHCP servers in an Active Directory-based domain must be authorized to prevent rogue DHCP servers from coming online. Any Windows Server 2003 DHCP Server that determines itself to be unauthorized will not manage clients.

How to Create a New Scope

  1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
  2. In the console tree, right-click the DHCP server on which you want to create the new DHCP scope, and then click New Scope.
  3. In the New Scope Wizard, click Next, and then type a name and description for the scope. This can be any name that you want, but it should be descriptive enough so that you can identify the purpose of the scope on your network (for example, you can use a name such as “Administration Building Client Addresses”). Click Next.
  4. Type the range of addresses that can be leased as part of this scope (for example, use a range of IP addresses from a starting IP address of 192.168.100.1 to an ending address of 192.168.100.100). Because these addresses are given to clients, they must all be valid addresses for your network and not currently in use. If you want to use a different subnet mask, type the new subnet mask. Click Next.
  5. Type any IP addresses that you want to exclude from the range that you entered. This includes any addresses in the range described in step 4 that may have already been statically assigned to various computers in your organization. Typically, domain controllers, Web servers, DHCP servers, Domain Name System (DNS) servers, and other servers, have statically assigned IP addresses. Click Next.
  6. Type the number of days, hours, and minutes before an IP address lease from this scope expires. This determines how long a client can hold a leased address without renewing it. Click Next, and then click Yes, I want to configure these options now to extend the wizard to include settings for the most common DHCP options. Click Next.
  7. Type the IP address for the default gateway that should be used by clients that obtain an IP address from this scope. Click Add to add the default gateway address in the list, and then click Next.
  8. If you are using DNS servers on your network, type your organization’s domain name in the Parent domain box. Type the name of your DNS server, and then click Resolve to make sure that your DHCP server can contact the DNS server and determine its address. Click Add to include that server in the list of DNS servers that are assigned to the DHCP clients. Click Next, and then follow the same steps if you are using a Windows Internet Naming Service (WINS) server, by adding its name and IP address. Click Next.
  9. Click Yes, I want to activate this scope now to activate the scope and allow clients to obtain leases from it, and then click Next.
  10. Click Finish.
  11. In the console tree, click the server name, and then click Authorize on the Action menu.
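The scope-creation steps above driven from the netsh "dhcp server" context instead of the wizard, as an added example that is not part of the original article. The addresses, names and lease length are constructed placeholders matching the wizard's example values; the netsh commands are the ones Windows Server 2003 provides for this context, run on the DHCP server itself.

```powershell
# Added example (not part of the original article): New Scope Wizard steps 3-11
# as netsh commands. All values below are constructed placeholders; replace them
# with the addresses of your own network before running on the DHCP server.

$ScopeNetwork = "192.168.100.0"          # network ID used to identify the scope
$SubnetMask   = "255.255.255.0"
$ScopeName    = "Administration Building Client Addresses"   # step 3
$RangeStart   = "192.168.100.1"          # step 4: leaseable range
$RangeEnd     = "192.168.100.100"
$ExcludeStart = "192.168.100.1"          # step 5: statically assigned servers
$ExcludeEnd   = "192.168.100.20"
$LeaseSeconds = 8 * 24 * 3600            # step 6: 8-day lease (option 51 takes seconds)
$Router       = "192.168.100.254"        # step 7: default gateway (option 3)
$DnsServer    = "192.168.100.10"         # step 8: DNS server (option 6)
$DnsDomain    = "rallencorp.com"         # step 8: parent domain (option 15)
$DhcpFqdn     = "dhcp1.rallencorp.com"   # step 11: this server, to be authorized in AD
$DhcpIp       = "192.168.100.10"

# Steps 3-4: create the scope and its lease range.
netsh dhcp server add scope $ScopeNetwork $SubnetMask $ScopeName "Created by script"
netsh dhcp server scope $ScopeNetwork add iprange $RangeStart $RangeEnd

# Step 5: keep addresses that are already assigned statically out of the pool.
netsh dhcp server scope $ScopeNetwork add excluderange $ExcludeStart $ExcludeEnd

# Steps 6-8: lease time and the common scope options handed to clients.
netsh dhcp server scope $ScopeNetwork set optionvalue 051 DWORD $LeaseSeconds
netsh dhcp server scope $ScopeNetwork set optionvalue 003 IPADDRESS $Router
netsh dhcp server scope $ScopeNetwork set optionvalue 006 IPADDRESS $DnsServer
netsh dhcp server scope $ScopeNetwork set optionvalue 015 STRING $DnsDomain

# Step 9: activate the scope (state 1 = active).
netsh dhcp server scope $ScopeNetwork set state 1

# Step 11: authorize the server in Active Directory. A Windows Server 2003 DHCP
# server that finds itself unauthorized stops serving clients, which is the
# mechanism that keeps rogue DHCP servers from handing out leases.
netsh dhcp add server $DhcpFqdn $DhcpIp

# Verification: the server must be listed as authorized and the scope as active.
netsh dhcp show server
netsh dhcp server show scope
```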

Troubleshooting

The following sections explain how to troubleshoot some of the issues that you may experience when you try to install and configure a Windows Server 2003-based DHCP server in a workgroup.

Clients Cannot Obtain an IP Address

If a DHCP client does not have a configured IP address, this typically indicates that the client was not able to contact a DHCP server. This can be caused by a network problem, or because the DHCP server is unavailable. If the DHCP server started and other clients can obtain valid addresses, verify that the client has a valid network connection and that all the related client hardware devices (including cables and network adapters) are working properly.

The DHCP Server Is Unavailable

If a DHCP server does not provide leased addresses to clients, it is frequently because the DHCP service did not start. If this is the case, the server may not be authorized to operate on the network. If you were previously able to start the DHCP service, but it has since stopped, use Event Viewer to check the System log for any entries that may explain why you cannot start the DHCP service.

To restart the DHCP service:

  1. Click Start, and then click Run.
  2. Type cmd, and then press ENTER.
  3. Type net start dhcpserver, and then press ENTER.

-or-

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
  2. Expand Services and Applications, and then click Services.
  3. Locate and then double-click DHCP Server.
  4. Verify that Startup is set to Automatic and that Service Status is set to Started. If not, click Start.
  5. Click OK, and then close the Computer Management window.

This step-by-step article describes how to install and configure DNS on your Windows Server 2003 computer.

Before You Start

Before you start to configure your DNS, you must gather some basic information. Internic must approve some of this information for use on the Internet, but if you are configuring this server for internal use only, you can decide what names and IP addresses to use.

You must have the following information:

  • Your domain name (approved by Internic).
  • The IP address and host name of each server that you want to provide name resolution for.

Note: The servers may be your mail servers, public access servers, FTP servers, WWW servers, and others.

Before you configure your computer as a DNS server, verify that the following conditions are true:

  • Your operating system is configured correctly. In the Windows Server 2003 family, the DNS service depends on the correct configuration of the operating system and its services, such as TCP/IP. If you have a new installation of a Windows Server 2003 operating system, then you can use the default service settings. You do not have to take additional action.
  • You have allocated all the available disk space.
  • All the existing disk volumes use the NTFS file system. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

Install DNS

  1. Open Windows Components Wizard. To do so, use the following steps:
    1. Click Start, click Control Panel, and then click Add or Remove Programs.
    2. Click Add/Remove Windows Components.
  2. In Components, select the Networking Services check box, and then click Details.
  3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
  4. If you are prompted, in Copy files from, type the full path of the distribution files, and then click OK.

Configure DNS

  1. Start the Configure Your Server Wizard. To do so, click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
  2. On the Server Role page, click DNS server, and then click Next.
  3. On the Summary of Selections page, view and confirm the options that you have selected. The following items should appear on this page:
  • Install DNS
  • Run the Configure a DNS Wizard to configure DNS

If the Summary of Selections page lists these two items, click Next. If the Summary of Selections page does not list these two items, click Back to return to the Server Role page, click DNS, and then click Next.

  4. When the Configure Your Server Wizard installs the DNS service, it first determines whether the IP address for this server is static or is configured automatically. If your server is currently configured to obtain its IP address automatically, the Configuring Components page of the Windows Components Wizard prompts you to configure this server with a static IP address. To do so:
    1. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
    2. In the Internet Protocols (TCP/IP) Properties dialog box, click Use the following IP address, and then type the static IP address, subnet mask, and default gateway for this server.
    3. In Preferred DNS, type the IP address of this server.
    4. In Alternate DNS, type the IP address of another internal DNS server, or leave this box blank.
    5. When you finish setting up the static addresses for your DNS server, click OK, and then click Close.
  5. After you click Close, the Configure a DNS Server Wizard starts. In the wizard, follow these steps:
    1. On the Select Configuration Action page, select the Create a forward lookup zone check box, and then click Next.
    2. To specify that this DNS server hosts a DNS zone that contains DNS resource records for your network resources, on the Primary Server Location page, click This server maintains the zone, and then click Next.
    3. On the Zone Name page, in Zone name, specify the name of the DNS zone for your network, and then click Next. The name of the zone is the same as the name of the DNS domain for your small organization or branch office.
    4. On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, and then click Next. This makes sure that the DNS resource records for the resources in your network update automatically.
    5. On the Forwarders page, click Yes, it should forward queries to DNS servers with the following IP addresses, and then click Next. When you select this configuration, you forward all DNS queries for DNS names outside your network to a DNS server at either your ISP or central office. Type one or more IP addresses that either your ISP or central office DNS servers use.
    6. On the Completing the Configure a DNS Wizard page of the Configure a DNS Wizard, you can click Back to change any of the settings. To apply your selections, click Finish.

After you finish the Configure a DNS Wizard, the Configure Your Server Wizard displays the This Server is Now a DNS Server page. To review all the changes that you made to your server in the Configure Your Server Wizard or to make sure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at %systemroot%\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

Desktop management is a comprehensive approach to managing all the computers within an organization. Despite its name, desktop management includes overseeing laptops and other computing devices as well as desktop computers. Desktop management is a component of systems management, which is the administration of all components of an organization’s information systems. Other components of systems management include network management and database management.

Traditional desktop management tasks include installing and maintaining hardware and software, spam filtering, and administering user permissions. In recent years, however, security-related tasks have become an increasingly large part of desktop management. As a result, an increasingly large proportion of administrative resources have been devoted to security-related tasks, such as patch management, fighting viruses and spyware, and controlling greynet applications (programs installed without corporate approval, such as instant messaging, file sharing programs, and RSS readers).

Desktop Management Interface (DMI) is an industry framework for managing and keeping track of hardware and software components in a system of personal computers from a central location. DMI was created by the Desktop Management Task Force (DMTF) to automate system management and is particularly beneficial in a network computing environment where dozens or more computers are managed.


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Active Directory integration

The DNS Server service is integrated into the design and implementation of Active Directory. Active Directory provides an enterprise-level tool for organizing, managing, and locating resources in a network.

Note

  • This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system.

When deploying DNS servers with Active Directory, consider the following:

  • DNS is required for locating domain controllers running Windows Server 2003.

    The Net Logon service uses new DNS server support to provide registration of domain controllers in your DNS domain namespace.

  • DNS servers running Windows Server 2003 can use Active Directory for storing and replicating your zones.

    By directory-integrating your zones, you can take advantage of DNS features such as secure dynamic updates and record aging and scavenging.

How DNS integrates with Active Directory

When you install Active Directory on a server, you promote the server to the role of a domain controller for a specified domain. When completing this process, you are prompted to specify a DNS domain name for the Active Directory domain to which you are joining and promoting the server.

If during this process, a DNS server authoritative for the domain that you specified either cannot be located on the network or does not support the DNS dynamic update protocol, you are prompted with the option to install a DNS server. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an Active Directory domain.

Once you have installed Active Directory, you have two options for storing and replicating your zones when operating the DNS server at the new domain controller:

  • Standard zone storage, using a text-based file.

    Zones stored this way are located in .dns files that are stored in the systemroot\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as example.microsoft.com.dns if the zone name was “example.microsoft.com.”

  • Directory-integrated zone storage, using the Active Directory database.

    Zones stored this way are located in the Active Directory tree under the domain or application directory partition. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it.

Benefits of Active Directory integration

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

  • Multimaster update and enhanced security based on the capabilities of Active Directory.

    In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

    This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

    With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

    In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

    With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

    Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

    For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

    Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

  • Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an Active Directory domain.

    Although DNS service can be selectively removed from a domain controller, directory-integrated zones are already stored at each domain controller, so zone storage and management is not an additional resource. Also, the methods used to synchronize directory-stored information offer performance improvement over standard zone update methods, which can potentially require transfer of the entire zone.

  • By integrating storage of your DNS zone databases in Active Directory, you can streamline database replication planning for your network.

    When your DNS namespace and Active Directory domains are stored and replicated separately, you need to plan and potentially administer each separately. For example, when using standard DNS zone storage and Active Directory together, you would need to design, implement, test, and maintain two different database replication topologies. For instance, one replication topology is needed for replicating directory data between domain controllers, and another topology would be needed for replicating zone databases between DNS servers.

    This can create additional administrative complexity for planning and designing your network and allowing for its eventual growth. By integrating DNS storage, you unify storage management and replication issues for both DNS and Active Directory, merging and viewing them together as a single administrative entity.

  • Directory replication is faster and more efficient than standard DNS replication.

    Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Notes

  • Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory. It must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.
  • The DNS Server service includes an option to initialize the DNS Server service by reading parameters stored in the Active Directory database and the server registry. This is the default boot option.
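The Configure a DNS Server Wizard choices from the earlier article, redone with the zone stored in Active Directory as this section describes, as an added example that is not part of the original text. It uses dnscmd (shipped in the Windows Server 2003 Support Tools) on the DNS server itself; the zone name and forwarder addresses are constructed placeholders, and the /AllowUpdate value 2 (secure only) is what the directory-integrated storage makes possible where the wizard in the earlier article chose "nonsecure and secure".

```powershell
# Added example (not part of the original text): create a forward lookup zone as a
# directory-integrated primary, restrict it to secure dynamic updates, enable aging,
# and set forwarders. Placeholder values; run on the domain controller hosting DNS.

$Zone       = "example.microsoft.com"          # zone name from the .dns file example above
$Forwarders = @("10.0.0.1", "10.0.0.2")        # ISP or central-office DNS servers (placeholders)

# Create the zone as a directory-integrated primary. A file-backed primary would be
# created with /Primary /file example.microsoft.com.dns instead; only primary zones
# can be stored in the directory, secondaries stay in text files.
dnscmd /ZoneAdd $Zone /DsPrimary

# AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure (the wizard's
# choice in the standalone article), 2 = secure only. Secure-only updates require
# the zone to be stored in Active Directory, which is why it is selectable here.
dnscmd /Config $Zone /AllowUpdate 2

# Enable aging on the zone so stale dynamically registered records can be scavenged.
dnscmd /Config $Zone /Aging 1

# Forward queries for names outside the zone to the upstream servers
# (the array expands to one address argument each).
dnscmd /ResetForwarders $Forwarders

# To convert an existing file-backed primary zone to directory-integrated storage:
#   dnscmd /ZoneResetType $Zone /DsPrimary
# After conversion the update setting changes to secure-only, as noted above.

# Verify: the zone info should report "DS integrated = 1" and "update = 2".
dnscmd /ZoneInfo $Zone
```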