Archive for October 12, 2011

How to Restore the System State on a Domain Controller

Posted: October 12, 2011 in Active Directory, Domain Controller, Server, Server 2003, Server 2008
Tags: , , , , ,
1

1. To restore the system state on a domain controller, first start the computer in Directory Services Restore Mode. To do so, restart the computer and press the F8 key when you see the Boot menu.

2. Choose Directory Services Restore Mode.

3. Choose the Windows 2000 installation you are going to recover, and then press ENTER.

4. At the logon prompt, supply the Directory Services Restore mode credentials you supplied during the Dcpromo.exe process.

5. Click OK to acknowledge that you are using Safe mode.

6. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.

7. Click the Restore tab.

8. Click the appropriate backup media and the system state to restore.

NOTE: During the restore operation, the Winnt\Sysvol folder must also be selected to be restored to have a working sysvol after the recovery process. Be sure that the advanced option to restore “junction points and data” is also selected prior to the restore. This ensures that sysvol junction points are re-created.

9. In the Restore Files to box, click Original Location.

NOTE: When you choose to restore a file to an alternative location or to a single file, not all system state data is restored. These options are used mostly for boot files or registry keys.

10. Click Start Restore.

11. After the restore process is finished, restart the computer.

Advertisement

How many FSMO Roles?

Posted: October 12, 2011 in Active Directory, Server, Server 2003, Server 2008, System Information
Tags: , , , ,
3

Flexible Single Master Operation Roles

1. Domain Naming Master —ForestWide Roles

2. Schema Master —ForestWide Roles

3. RID Master (Relative ID Master) — Domain Wide Roles

4. PDC Emulator — Domain Wide Roles

5. Infrastructure Master — Domain Wide Roles

 

Relative ID (RID) Master: — it assigns RID and SID to the newly created object like Users and computers. If RID master is down (u can create security objects up to RID pools are available in DCs) else u can’t create any object one its down. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.

PDC emulator: It works as a PDC to any NT Bdcs in your environment

It works as Time Server (to maintain same time in your network)

It works to change the passwords, lockout etc. The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time

  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

 

Infrastructure Master: This works when we are renaming any group member ship object this role takes care. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Domain Naming Master: Adding / changing / deleting any Domain in a forest it takes care,. This DC is the only one that can add or remove a domain from the directory. There can be only one domain naming master in the whole forest.

Schema Master: It maintains structure of the Active Directory in a forest. The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There can be only one schema master in the whole forest.