Windows Server keypoints
Posted: 7/3/2012
Listing of some Windows Server 2003 & 2008 keypoints.
This note is a simple listing of some Windows Server and Active Directory keypoints.
It might be of use for a beginner or medium-level Windows system administrator, but it's certainly not intended for experie
Hopefully, it might also be of use as one of your supporting tools for some of the Win2K3 or Win2K8 exams.
Version: 0.1
Date: 25/06/2011
By: Albert van der Sel
Contents:
1. Some keypoints of Active Directory
2. Highlights of the architecture Windows Win2K3 & Win2K8
3. Bootsequence Win2K3
4. PrintServer Architecture
5. Using groups in AD
6. Performance monitoring Win2K3 & Win2K8
1. Some keypoints of Active Directory:
1. Some info on Forest and Trees:
The concepts of Domains, OUs, DC server types etc. will be explained in section 2 (Architecture AD).
Here we just show a few typical examples of Active Directory Trees, and Forests, and what the difference is.
Example Tree (figure): the domain abc.com, its child domain europe.abc.com, and below that sales.europe.abc.com, connected by transitive trusts.
The figure above shows an Active Directory tree.
You notice the contiguous nature of the naming? The tree shares a common namespace.
Example Forest (figure): two trees combined, abc.com (with child domains uk.abc.com and us.abc.com, and below them sales.uk.abc.com and qc.uk.abc.com) and xyz.com, sharing one Schema, Global Catalog and Configuration.
This is an example of a Forest, where two trees are combined.
Notice the non-contiguous namespaces (abc.com and xyz.com).
Example Forest (figure, pictured differently): the root domain abc.com with child domains europe.abc.com and us.abc.com (and below it sales.us.abc.com), plus the tree xyz.com (with sales.xyz.com) in a different DNS namespace, connected by transitive trusts.
But this is a forest too! It is only "pictured" a bit differently, compared to the figure above.
The first Domain created is also called the "root Domain", or "Tree Root".
xyz.com is a different namespace compared to the tree abc.com.
2. Architecture AD.
AD: A set of services that helps to manage and locate objects, and provides central account management and authentication
It provides a mechanism for a logical representation of all entities, stored in a common directory (database).
It's a hierarchical, replicated database that holds information about the network's resources such as computers, servers, users, gr
The main purpose of Active Directory is to provide locator services, and central authentication and authorization services.
Figure: how AD is accessed. Clients (COM apps, replication, the old NT4 API, MAPI clients, ADSI) use the APIs REPL, SAM, MAPI and LDAP (transports: RPC, SMTP), which sit on top of the Directory System Agent (DSA), the Database Layer and the ESE (Extensible Storage Engine).
1. AD Logical Structure:
- domain
- Organizational Unit (OU)
=> A domain is a sort of "boundary of authentication"
=> You can build a "tree" of Domains, for example
abc.com
us.abc.com
newyork.us.abc.com
Trees can even be connected to form a "forest".
An Active Directory tree is a group of domains that share a contiguous
namespace; a forest contains domains that use different namespaces.
=> Optionally create OUs:
Sub-containers can group objects, to simplify
management of those objects:
- Same administration of objects
- Group Policies (configuration, security)
- Delegation of control
- An OU is a "container" (also an object) that "contains"
objects representing user accounts, machine accounts, printers, shares etc.
=> Every Domain has at least one Domain Controller
- There are no NT4-style PDCs and BDCs
- Multi-master replication
- But there are different AD roles per DC
=====================================================================================
2. Domain Controller Roles:
Global Catalog Server
Every domain controller stores the objects for the domain in which it is installed.
However, a domain controller designated as a global catalog server stores
the objects (with sometimes partial attributes) from all domains in the forest.
By default, Active Directory searches are directed to global catalog servers.
The first domain controller in a forest is automatically created as a global catalog server.
- A GC is vital for user logons to AD.
- Used for LDAP queries.
Flexible Single Master Operations (FSMO) or Operations Master roles:
- Schema Master:
The schema master domain controller controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master. There can be only
one schema master in the whole forest.
The schema is all the object class definitions (the template, so to speak)
of all possible objects in a Domain, tree, or forest.
- Domain Naming Master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. There can be only one domain naming master in the whole forest.
- Infrastructure Master:
The infrastructure master is responsible for updating references from objects in its domain
to objects in other domains. At any one time, there can be only one domain controller acting as the
infrastructure master in each domain.
- PDC Emulator:
For the older NT4 Servers in the network, this machine acts like an old-fashioned PDC.
At any one time, there can be only one domain controller acting as the PDC emulator master in each
domain in the forest.
- RID Master:
It controls the sequence numbers for the domain controllers within a domain. It provides a unique sequence
of RIDs to each domain controller in a domain. When a domain controller creates a new object, the object is
assigned a unique security ID consisting of a combination of the domain SID and a RID.
It's possible to transfer a role from one DC to another DC, using the ntdsutil.exe utility.
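Added example, not part of the original note: a PowerShell function that reports who currently holds each of the five roles listed above, by reading the fSMORoleOwner attribute of the object that "owns" each role. It uses plain ADSI (no AD module), so it runs on Win2K3/Win2K8 from any domain-joined machine with PowerShell 2.0 or later; the function name is my own.

```powershell
# Added example, not part of the original note: report the current holder of each
# FSMO role by reading the fSMORoleOwner attribute of the object that "owns" the role.
# Plain ADSI, so it also works on Win2K3/Win2K8 without the AD PowerShell module.
# Assumes a domain-joined machine with PowerShell 2.0 or later. Reporting only:
# transferring or seizing a role is still done with ntdsutil.exe.

function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    # For each role: the DN of the object whose fSMORoleOwner attribute names the holder.
    $roles = @(
        @{ Role = "Schema Master";         Object = $schemaNC }                            # one per forest
        @{ Role = "Domain Naming Master";  Object = "CN=Partitions,$configNC" }            # one per forest
        @{ Role = "PDC Emulator";          Object = $domainNC }                            # one per domain
        @{ Role = "RID Master";            Object = "CN=RID Manager`$,CN=System,$domainNC" }
        @{ Role = "Infrastructure Master"; Object = "CN=Infrastructure,$domainNC" }
    )

    foreach ($role in $roles) {
        $owner = [ADSI]("LDAP://" + $role.Object)
        # fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...
        $ntdsDn = [string]$owner.fSMORoleOwner
        if ($ntdsDn -match '0ADEL:') {
            # The NTDS Settings object is a deleted object: that DC is gone, and the
            # role is orphaned until it is seized with ntdsutil.exe.
            $holder = "(deleted DC, role orphaned)"
            $site   = ""
        } else {
            $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
            $server   = [ADSI]("LDAP://" + $serverDn)
            $holder   = [string]$server.dNSHostName
            # The server DN is CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...; element 2 is the site.
            $site     = (($serverDn -split ',')[2] -replace '^CN=', '')
        }
        New-Object PSObject -Property @{ Role = $role.Role; Holder = $holder; Site = $site }
    }
}

Get-FsmoRoleHolder | Format-Table Role, Holder, Site -AutoSize
```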
================================================================
3. Most important AD Object Names:
3.1 Distinguished Name (DN):
Example 1: Server FS1 in sales.us.abc.com
- DNS:
fs1.sales.us.abc.com
- The AD LDAP Distinguished Name (abbreviated to "DN") is:
CN=fs1,OU=sales,DC=us,DC=abc,DC=com where the "common name" is fs1
Example 2:
An example DN for a user named "harry" whose object is stored in the cn=Users container in a
domain named Company.com would be:
cn=harry,cn=Users,dc=Company,dc=com
3.2 Relative Distinguished Name (RDN) and Common Name (CN):
When it's clear you refer to a certain container, or part of a tree, you can shorten the DN, as long as
the object name remains unique.
The smallest RDN is the Common Name like "FS1" or "harry", but a name like
cn=harry,cn=Users is an RDN as well.
3.3 Canonical Name:
It's not used often. It uses a different notation, as in this example:
abc.com/sales/fs1
This would be the machine fs1 in OU=sales in domain abc.com
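Added example, not part of the original note: PowerShell functions that turn a DN into the canonical name of the same object (the DC components become the DNS domain, the remaining RDNs are listed domain-first) and that cut an RDN relative to a known container. The function names are my own; only the backslash-escaped comma ("Smith\, John") is handled among the RFC 2253 escapes.

```powershell
# Added example, not part of the original note: DN <-> canonical name conversion and
# RDN extraction for the names discussed above. PowerShell 2.0 or later; no AD needed.
# Only the escaped comma ("Smith\, John") is handled among the RFC 2253 escapes.

function Split-DistinguishedName {
    param([Parameter(Mandatory=$true)][string]$DN)
    # Split on commas that are not preceded by a backslash, then each part on its first '='.
    $rdns = @()
    foreach ($part in [regex]::Split($DN, '(?<!\\),')) {
        $kv = $part.Split('=', 2)
        if ($kv.Count -ne 2) { throw "Not a type=value RDN: '$part'" }
        $rdns += New-Object PSObject -Property @{
            Type  = $kv[0].Trim().ToUpper()
            Value = ($kv[1].Trim() -replace '\\,', ',')
        }
    }
    return $rdns
}

function ConvertTo-CanonicalName {
    param([Parameter(Mandatory=$true)][string]$DN)
    $rdns = @(Split-DistinguishedName $DN)
    # The DC components, in DN order, form the DNS domain name.
    $domain = @($rdns | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value }) -join '.'
    # The other RDNs are listed leaf-first in a DN but domain-first in a canonical name.
    $path = @($rdns | Where-Object { $_.Type -ne 'DC' } | ForEach-Object { $_.Value })
    [array]::Reverse($path)
    return (@($domain) + $path) -join '/'
}

function Get-RelativeDN {
    param([Parameter(Mandatory=$true)][string]$DN,
          [Parameter(Mandatory=$true)][string]$ContainerDN)
    # The RDN relative to a container is the DN with that container's DN cut off.
    $suffix = ',' + $ContainerDN
    if (-not $DN.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
        throw "'$DN' is not inside '$ContainerDN'"
    }
    return $DN.Substring(0, $DN.Length - $suffix.Length)
}

# The note's own examples: the server fs1 in OU sales, and harry in the Users container,
# plus a constructed name with an escaped comma.
ConvertTo-CanonicalName 'CN=fs1,OU=sales,DC=abc,DC=com'
ConvertTo-CanonicalName 'cn=harry,cn=Users,dc=Company,dc=com'
ConvertTo-CanonicalName 'CN=Smith\, John,OU=sales,DC=us,DC=abc,DC=com'
Get-RelativeDN 'cn=harry,cn=Users,dc=Company,dc=com' 'dc=Company,dc=com'
```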
=========================================================================
4. AD Schema:
Definition of all AD
-- Object-Types (Classes)
-- Attributes
-- Data-Types (Syntaxes)
There should of course be ONE consistent Schema inside a single Forest.
A Schema is "extensible", that is, an application or Administrator could create objects and attributes.
For example, implementing "Exchange" will modify AD.
ACLs on Objects and Attributes (figure: an object with a list of attr: value pairs).
8. Searching AD
- dsquery examples:
C:\> dsquery user cn=users,dc=cp,dc=com
C:\> dsquery user -disabled
C:\> dsquery user -name John* | dsget user -office
C:\> dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *
- Saved Queries in Active Directory Users and Computers (LDAP filters):
(&(objectCategory=user)(!(cn=john*)))
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
(&(givenName=John)(|(l=Dallas)(l=Austin)))
- ldifde
C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -r "(&(objectClass=user)(mailNickName=jeff*))"
- PowerShell
# Search the default naming context for user objects that have bit 65536 (password never expires) set in userAccountControl
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.Filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Results = $Search.FindAll()
foreach ($Result in $Results) {
    $User = $Result.GetDirectoryEntry()
    $User.DistinguishedName
}
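Added example, not part of the original note: the filters above test single bits of userAccountControl with the bitwise-AND matching rule 1.2.840.113556.1.4.803. This PowerShell decodes such a value into flag names and lists the accounts that have a given flag set, using the same DirectorySearcher as the snippet above. The function names and the $UacFlags table are my own; the flag values are the documented ADS_UF constants.

```powershell
# Added example, not part of the original note: decode the userAccountControl bit
# field tested by the filters above, and list accounts that have a given flag set.
# Same DirectorySearcher/ADSI approach as the note's snippet; PowerShell 2.0 or later.

# Well-known userAccountControl flag values (a subset of the ADS_UF constants).
$UacFlags = @{
    ACCOUNTDISABLE         = 2
    LOCKOUT                = 16
    PASSWD_NOTREQD         = 32
    NORMAL_ACCOUNT         = 512
    DONT_EXPIRE_PASSWORD   = 65536
    SMARTCARD_REQUIRED     = 262144
    TRUSTED_FOR_DELEGATION = 524288
    DONT_REQ_PREAUTH       = 4194304
    PASSWORD_EXPIRED       = 8388608
}

function ConvertFrom-UserAccountControl {
    # Names of all flags set in a userAccountControl value, lowest bit first.
    param([Parameter(Mandatory=$true)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

function Find-AccountWithUacFlag {
    # User accounts in the default naming context (or under $SearchBase) with $FlagName set.
    param([Parameter(Mandatory=$true)][string]$FlagName,
          [string]$SearchBase = "")
    if (-not $UacFlags.ContainsKey($FlagName)) { throw "Unknown flag: $FlagName" }
    $bit  = $UacFlags[$FlagName]
    $root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]"" }
    $searcher = New-Object DirectoryServices.DirectorySearcher($root)
    # ":1.2.840.113556.1.4.803:=" means "all bits of the value are set"; with one bit
    # that is simply "this flag is set".
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$bit))"
    $searcher.PageSize = 1000     # page the results, otherwise the server stops at its size limit
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "userAccountControl"))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties["useraccountcontrol"][0]
        New-Object PSObject -Property @{
            DistinguishedName  = [string]$r.Properties["distinguishedname"][0]
            UserAccountControl = $uac
            Flags              = ((ConvertFrom-UserAccountControl $uac) -join ',')
        }
    }
}

# 66050 = 2 + 512 + 65536: a disabled normal account whose password never expires.
ConvertFrom-UserAccountControl 66050
# The same question the note's filter asks: which accounts never have their password expire?
Find-AccountWithUacFlag DONT_EXPIRE_PASSWORD | Format-Table DistinguishedName, Flags -AutoSize
```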
3. Directory Partitions or "Naming Context":
Physical storage in the Active Directory database on each DC is organized in several segments, called directory partitions or nam
In Windows Server 2003 there are four partitions:
schema
configuration
domain
application
The Directory Tree of Active Directory is partitioned to allow sections to be distributed (replicated) to domain controllers in differ
Each domain controller stores a copy of a specific part of the directory tree, called a "Naming Context", also known as a Directory Partit
A "Naming Context" is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A "Nam
• In Win2K3, Active Directory consists of four partitions or naming contexts (NC)
- Domain, Application, Configuration and Schema Naming Contexts
• Each is replicated independently
• An Active Directory forest has a single schema and configuration NC.
- Every domain controller (DC) holds a copy of each (schema and configuration NCs)
• A Forest or Tree can have multiple domains
- Every domain controller in a domain holds a copy of the domain NC (all object and structure info of that Domain).
Figure: the domain abc.com with child domains uk.abc.com and us.abc.com, and below them sales.uk.abc.com and qc.uk.abc.com; each domain has several DCs, some of which are also GCs. A "Directory Partition" or "Naming Context" is a unit of replication; for example, a Domain is a partition. Every DC has a copy of the "schema" partition, and every domain controller in a domain holds a copy of that domain's partition.
4. A few words on Replication:
A mutation in AD, done on a certain Domain Controller, must be replicated to the "replicas" of that particular partition.
In AD, we have "multi-master" replication, meaning that a change in AD performed on a certain Domain Controller, must be propag
Multi-master means that an update can be done at any DC.
But that does not necessarily mean that the change will go to all DCs in a tree.
That's why we will spend a few words on the "mechanics" of Replication.
4.1 Some general observations.
1. Attribute based.
AD Replication works at the "attribute" level. Recall that an object usually has a number of attributes.
By replicating only the changed attributes, collisions or locks are much more easily avoided.
Replication goes between sets of DCs, but also to the Global Catalog Server(s).
If an attribute's definition in the schema has its "isMemberOfPartialAttributeSet" property set to TRUE, it is replicated to the GC too.
2. USN numbers.
Active Directory (AD) uses update sequence numbers (USNs) to track changes to each DC's copy of a partition.
Each DC knows the most recent USN that it obtained from each of its replication partners, and it uses that USN
to control replication. For example, STARBOSS might contact STARGATE and query for the changes beyond USN 123456.
Actually, the USN alone is not enough information. If replication were based solely on USNs, endless cycles of queries could happen.
That's why the "change vector" also incorporates a timestamp, and the Domain Controller's "GUID", to uniquely determine true relev
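Added example, not part of the original note, serving both section 3 (partitions) and the USN discussion above: a PowerShell function that lists the naming contexts a given DC holds, classifies each as schema, configuration, domain or application from the crossRef objects under CN=Partitions, and reports that DC's highestCommittedUSN (its local USN counter, the number a partner quotes when it asks for "changes beyond USN ..."). Plain ADSI, so it runs on Win2K3/Win2K8; the function name and the $Server parameter are my own.

```powershell
# Added example, not part of the original note: naming contexts held by a DC, each
# classified as schema / configuration / domain / application, plus the DC's own
# highestCommittedUSN. Plain ADSI; $Server is an optional DC name (default: the DC
# this client is already talking to). PowerShell 2.0 or later.

function Get-NamingContextInfo {
    param([string]$Server = "")
    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext

    # Every NC in the forest has a crossRef object under CN=Partitions in the configuration
    # NC. systemFlags bit 0x2 marks a domain NC; application NCs do not have it.
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]($prefix + "CN=Partitions," + $configNC))
    $searcher.Filter = "(objectClass=crossRef)"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("nCName", "systemFlags"))
    $isDomain = @{}
    foreach ($r in $searcher.FindAll()) {
        $nc    = ([string]$r.Properties["ncname"][0]).ToLower()
        $flags = [int]$r.Properties["systemflags"][0]
        $isDomain[$nc] = (($flags -band 2) -ne 0)
    }

    # RootDSE.namingContexts lists only the NCs this particular DC holds a replica of.
    foreach ($nc in @($rootDse.namingContexts)) {
        if ($nc -eq $schemaNC)            { $kind = "schema" }
        elseif ($nc -eq $configNC)        { $kind = "configuration" }
        elseif ($isDomain[$nc.ToLower()]) { $kind = "domain" }
        else                              { $kind = "application" }
        New-Object PSObject -Property @{
            DsaDN               = [string]$rootDse.dsServiceName     # the DC's NTDS Settings DN
            NamingContext       = $nc
            Kind                = $kind
            HighestCommittedUSN = [long][string]$rootDse.highestCommittedUSN
        }
    }
}

Get-NamingContextInfo | Format-Table Kind, NamingContext, HighestCommittedUSN -AutoSize
```

Run it against two DCs (-Server) to see that each keeps its own USN counter, which is why the USN alone cannot identify a change forest-wide.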
3. Domain Controllers and The Global Catalog:
Every DC in a Domain gets a copy of the Domain Partition. Changed information will be replicated.
A Global Catalog Server has a copy of the Domain Partition where it resides in, as well as information on all objects of the full tree,
Also, every domain controller holds a copy of the schema and configuration partitions.
4. KCC and Replication Topology:
On every domain controller, the "Knowledge Consistency Checker (KCC)" is running.
It's a replication component that generates the replication topology.
You know that one of the AD naming contexts (directory partitions) is the "configuration partition", which describes all Domains, and
the structure of the Tree and Forest.
All the KCCs use the knowledge of the common data that is stored in the configuration directory partition, as input to the topolog
to converge on the same view of the replication topology.
To aid the replication architecture, so-called "connection objects" are created.
The Knowledge Consistency Checker (KCC) creates connection objects automatically, but they can also be created manually.
A connection object is an Active Directory object that represents a replication connection from one domain controller to another.
When the replication topology is created (inside a "site"), so-called "replication rings" are established.
5. The Update mechanism:
Figure: a change is made at SRV1, which now holds changes up to USN 1527 (1520 .. 1527), while its partner SRV2 has everything up to USN 1525.
1. SRV1 sends an update notification to SRV2.
2. SRV2 answers: "I have up to USN 1525".
3. SRV1 sends the new changes (USN 1526 and 1527).
4.2 What's a site, and how are they connected?
You may have a Directory tree in a physical network, which consists of relatively "close" subnets, and those subnets are all highspe
Then, you have a certain number of Domains, organized in a Tree (or forest), and generally speaking, replication should go quite "fa
On the contrary, you might also have branch offices which are geographically spread across the country, or even across the globe.
In this case, you would typically have created "sites", where each site corresponds to a branch office in another remote location.
A "site" is characterized by "close" subnets using high-speed connections.
The connections between sites, the intersite links, usually are slower WAN links.
Figure, Scenario 1: the network is just a set of fast subnets with a number of DCs; you don't use "sites".
Figure, Scenario 2: the network consists of several sites (site 1, New York, ...), where a site is a group of (close) subnets, each consisting of high-speed LANs, but the sites are interconnected using WAN links.
Your AD logical model is, in principle, independent of the physical topology.
But of course (!), when architects are designing a tree, they obviously take the physical topology into consideration.
The different possible models can greatly vary in performance of, for example, "user logons" and "replication".
When you create a site object in Active Directory, you associate one or more Internet Protocol (IP) subnets with that site.
Each domain controller in a forest is associated with an Active Directory site. A client workstation is associated with a site according
to its IP address; that is, each IP address maps to one subnet, which in turn maps to one site.
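Added example, not part of the original note: the IP -> subnet -> site mapping just described, as PowerShell that reads the subnet objects under CN=Subnets,CN=Sites in the configuration partition and resolves an IPv4 address with a longest-prefix match. Plain ADSI, PowerShell 2.0 or later; IPv6 subnet objects are skipped. The function names are my own, and the small subnet table at the end is constructed so the matching can be tried without a directory.

```powershell
# Added example, not part of the original note: resolve an IPv4 address to its AD site
# via the subnet objects in CN=Subnets,CN=Sites,<configuration NC>, longest prefix wins.
# Plain ADSI, PowerShell 2.0 or later (hence no -shl); IPv6 subnet objects are skipped.

function ConvertTo-UInt32 {
    # Dotted IPv4 address to its 32-bit numeric value (first octet most significant).
    param([Parameter(Mandatory=$true)][string]$IPv4)
    $addr = [System.Net.IPAddress]::Parse($IPv4)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { throw "Not IPv4: $IPv4" }
    $bytes = $addr.GetAddressBytes()
    [array]::Reverse($bytes)                       # BitConverter is little-endian on x86
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-SubnetMask {
    # Prefix length /n to a 32-bit mask, by arithmetic since PowerShell 2.0 lacks -shl.
    param([Parameter(Mandatory=$true)][int]$Prefix)
    return [uint32](4294967295 - ([math]::Pow(2, 32 - $Prefix) - 1))
}

function Get-AdSiteSubnet {
    # One object per IPv4 subnet object in the directory: Subnet, Network, Prefix, Site.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = [string]$rootDse.configurationNamingContext
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC")
    $searcher.Filter = "(objectClass=subnet)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "siteObject"))
    foreach ($r in $searcher.FindAll()) {
        $cidr = [string]$r.Properties["cn"][0]                 # subnet objects are named like 10.1.0.0/16
        $m = [regex]::Match($cidr, '^(\d+\.\d+\.\d+\.\d+)/(\d+)$')
        if (-not $m.Success) { continue }                      # an IPv6 subnet: skip it
        $site = "(no site assigned)"
        if ($r.Properties["siteobject"].Count -gt 0) {
            # siteObject is the site's DN, CN=NewYork,CN=Sites,...; keep only the CN value.
            $site = (([string]$r.Properties["siteobject"][0]) -split ',')[0] -replace '^CN=', ''
        }
        New-Object PSObject -Property @{
            Subnet  = $cidr
            Network = ConvertTo-UInt32 $m.Groups[1].Value
            Prefix  = [int]$m.Groups[2].Value
            Site    = $site
        }
    }
}

function Find-AdSiteForIP {
    # The most specific subnet object containing $IPv4 wins: 10.1.2.0/24 beats 10.1.0.0/16.
    param([Parameter(Mandatory=$true)][string]$IPv4,
          [object[]]$Subnets = (Get-AdSiteSubnet))
    $ip = ConvertTo-UInt32 $IPv4
    $best = $null
    foreach ($s in $Subnets) {
        $mask = ConvertTo-SubnetMask $s.Prefix
        if ((($ip -band $mask) -eq ($s.Network -band $mask)) -and
            (($best -eq $null) -or ($s.Prefix -gt $best.Prefix))) {
            $best = $s
        }
    }
    if ($best -eq $null) { Write-Warning "No subnet object covers $IPv4"; return }
    return $best
}

# Constructed sample subnet table (not read from a directory), to try the matching offline.
$sample = @(
    New-Object PSObject -Property @{ Subnet = "10.1.0.0/16";    Network = (ConvertTo-UInt32 "10.1.0.0");    Prefix = 16; Site = "NewYork" }
    New-Object PSObject -Property @{ Subnet = "10.1.2.0/24";    Network = (ConvertTo-UInt32 "10.1.2.0");    Prefix = 24; Site = "NewYork-Lab" }
    New-Object PSObject -Property @{ Subnet = "192.168.5.0/24"; Network = (ConvertTo-UInt32 "192.168.5.0"); Prefix = 24; Site = "London" }
)
Find-AdSiteForIP "10.1.2.3" -Subnets $sample     # inside both 10.1.0.0/16 and 10.1.2.0/24; the /24 wins
Find-AdSiteForIP "10.2.0.1" -Subnets $sample     # covered by no subnet object: warning only
```

Omit -Subnets to query the real subnet objects of the forest you are joined to.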
When your network indeed uses multiple sites, the KCCs will do the following:
One domain controller in each site is selected as the "Intersite Topology Generator (ISTG)". To enable replication across site link
designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers. A bridgehead is a
4.3 Intra-site and Inter-site Replication.
Intrasite replication is between DCs in one site (the close group of subnets).
Intersite replication, then, is between geographically remote sites.
The following "rules" are tied into the replication algorithm, with respect to intra-site and inter-site replication.
The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between si
- Within a site, the KCC creates a ring topology by using all servers in the site.
- For intersite replication, the ISTGs construct a model using all bridgehead Servers of all sites.
Intrasite Replication: within a site
- Replication events are generally done in 5 minutes
- Uses RPC
- Not necessary to create the topology manually: the KCC builds the ring partners
- Use "AD Sites and Services" to view replication partners
Intersite Replication: between sites
- Traffic is compressed
- Can be configured manually
- Can be scheduled
Intersite replication is time based, and this schedule can be set in the site link properties.
- Could use SMTP packets
- Uses a model based on all bridgehead Servers of all sites
- Configure using "AD Sites and Services"
2. Highlights of the Architecture of Win2K3 & Win2K8:
Figure: the Win2K3/Win2K8 architecture, user mode on top of kernel mode.
USER MODE:
- Regular Win32 apps, svchost.exe processes (each running some services), and other apps
- Environment subsystems: the WIN32 subsystem (user32.dll, GDI32.dll, kernel32.dll), the POSIX subsystem and the OS2 subsystem
KERNEL MODE:
- Executive Services: I/O manager, Security Reference Monitor, Local I/O Manager, Virtual Memory Manager (VMM), File Systems, Object Manager
- Kernel Mode Drivers
- Hardware
3. Bootsequence of Win2K3:
BIOS: Power-On Self Test.
BIOS loads the MBR (Master Boot Record), the first sector on the first disk. The MBR contains the Partition Table for the disk and a small
amount of executable code. On x86 machines, this executable code examines the Partition Table
and identifies the system partition (or active partition).
The code then finds the active partition's starting location on the disk, and loads a copy of the Partition Boot Sector
into memory. It's the first sector on the partition that should be used to boot the operating system.
The Partition Boot Sector points to NTLDR (the Windows bootloader). NTLDR:
- knows memory addressing
- loads mini filesystem drivers, thus it can access the filesystem
- loads boot.ini
NTLDR and NTDETECT.COM:
If Win2K3 or XP was selected from the boot menu, NTDETECT.COM is started by NTLDR. NTDETECT
scans hardware and returns the information it gathers to NTLDR when finished.
(There are quite some differences in the detection procedures, depending on
the architecture of the machine, like X86, ACPI, IA-64.)
NTOSKRNL.EXE and HAL:
Next, Ntldr is responsible for loading the kernel (Ntoskrnl.exe) and the hardware abstraction
layer (HAL) into memory.
example ntoskrnl:
NTOSKRNL.EXE : 1 CPU
NTKRNLMP.EXE : N CPU SMP
NTKRNLPA.EXE : 1 CPU, PAE
NTKRPAMP.EXE : N CPU SMP, PAE
Especially, the following registry entries are read:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
Session Manager (SMSS.exe) does (among others) the following:
- It starts the kernel-mode side of the Win32 subsystem (win32k.sys).
- Starts the user-mode side of the Win32 subsystem, CSRSS.exe
- Initializes the pagefile
- Starts WINLOGON.EXE
- GINA shows the CTRL-ALT-DEL login
- The Service Control Manager starts all services which have autostart set to true
- After login, GINA passes the user credentials to WINLOGON, which passes them to LSA.
- LSA determines the security package to use, like for example a local logon, or an AD logon.
- The currently used ControlSet is copied to the LastKnownGood ControlSet
- Policies are applied.
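Added example, not part of the original note: PowerShell that reads the boot-related registry data named above on a running system: which ControlSet is Current and which is LastKnownGood (from HKLM\SYSTEM\Select, which the note does not mention but which is where the ControlSet pointers live), the service group start order from Control\ServiceGroupOrder, and the programs Session Manager runs at boot (the BootExecute value under the Session Manager key the note names). Read-only; the function names are my own.

```powershell
# Added example, not part of the original note: inspect the boot-related registry data
# named above. Read-only. HKLM\SYSTEM\Select and the BootExecute value are not listed in
# the note, but they are the standard locations of the ControlSet pointers and of the
# Session Manager boot-time program list.

function Get-BootControlSetInfo {
    # HKLM\SYSTEM\Select holds DWORDs naming ControlSet00N for Current, Default, LastKnownGood, Failed.
    $select = Get-ItemProperty -Path "HKLM:\SYSTEM\Select"
    $failed = if ($select.Failed -eq 0) { "(none)" } else { "ControlSet{0:D3}" -f $select.Failed }
    New-Object PSObject -Property @{
        Current       = "ControlSet{0:D3}" -f $select.Current
        Default       = "ControlSet{0:D3}" -f $select.Default
        LastKnownGood = "ControlSet{0:D3}" -f $select.LastKnownGood
        Failed        = $failed
    }
}

function Get-ServiceGroupOrder {
    # The REG_MULTI_SZ "List" value: the order in which service groups are started.
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder"
    $i = 0
    foreach ($group in $key.List) {
        $i++
        New-Object PSObject -Property @{ Order = $i; Group = $group }
    }
}

function Get-SessionManagerBootExecute {
    # Programs smss.exe runs before the subsystems start; normally only autocheck.
    # Anything unexpected here deserves a look, since it runs before any service.
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
    return @($key.BootExecute)
}

Get-BootControlSetInfo | Format-List Current, Default, LastKnownGood, Failed
Get-ServiceGroupOrder | Format-Table Order, Group -AutoSize
Get-SessionManagerBootExecute
```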
4. PrintServer Architecture:
1. What "Point and Print" is:
When you connect your client Windows Operating System to a printer on a Windows PrintServer, and your client
does not have the driver, then it looks for the appropriate drivers on the print server.
If the drivers are installed on the printserver, the drivers are automatically downloaded and configured for your client OS.
However, if the drivers are also not present on the PrintServer, you are prompted to select and install the drivers.
Another exception may occur if an SMB printbox is directly attached to the network, and thus is not connected to a Windows PrintS
Such a printbox usually does not contain downloadable drivers, and it does not contain the "logic" of the point and print mechanics.
Fig 1. Client first-time connect: driver download. The Windows client sends print jobs to the PrintServer (queues, drivers, spooler), which feeds the printer; when the client prints directly to a printbox, there is usually no driver download.
2. Installing an "Internet Printing Protocol" printer:
IPP is implemented using the Hypertext Transfer Protocol (HTTP) and thus has all of the HTTP streaming and security features.
The client that sends IPP request messages uses the MIME media type "application/ipp" in HTTP POST requests, to an IPP print
The clients thus, as usual, need to know the URL, or IP address, of the remote printer, or PrintServer.
The default port the PrintServer is listening on is 631.
As of Windows 2000, the IPP client software is installed by default.
Below you can see one of the dialog boxes if you install a network printer on Win2K3, and then choose an IPP printer.
Fig 2.
If it's installed, you can use the printer in the usual way, as any other printer.
3. Installing other network printers.
3.1 Installing a network printer:
Generally, if you install a printer on a Windows Server or client, you first choose if it is a locally attached printer, or
if you are dealing with a network printer.
Installing a local printer is rather trivial. For installing a network printer, a couple of items could be interesting.
For installing a typical printer that is located on your local network, the remote printing engine is reachable using a URL
in the form of "\\SERVERNAME\Printername".
Below you see an example of installing in Win2K3 Server:
Fig 3. Installing a remote printer in Win2K3 Server.
Usually, when the installation is done, the printer driver and supporting files are downloaded to the client.
If the client machine is a member of a Domain (Active Directory), then searching Active Directory
for a printer is an option too.
Fig 4. Find a printer in AD.
3.2 Installing a local printer, but using a network port, so that it is actually a remote printer:
There exists another additional way to be able to print to a network printer.
If you install a local printer on your client PC, and you have de-selected the automatic detection, then at a certain stage, you might b
You can just install the local printer (selecting printer brand, type etc.), but as the "printer port", this time you select a network locatio
Fig 5. Installing a local printer, but choosing a TCP/IP port.
See figure 3 shown above. Here you create a "new port", which must correspond to a TCP/IP location.
Fig. 6. Specifying a network location (DNS name or IP) as the port.
3.3 Old SMB redirecting
It's possible to "redirect" a local port to a remote shared printer. Especially with older DOS clients, this was not uncommon.
In such a case, a command like the example below was used.
C:\> net use lpt1: \\servername\sharedprinter
4. The Windows Printsubsystem Architecture:
4.1 Architecture:
Fig. 7. The Windows print subsystem (reconstructed from the diagram):
Clients submit and manage print jobs over one of these paths:
- Win9x/XP clients: SMB RAP, via the MS-SMB redirector
- XP clients: synchronous, MS-RPRN over RPC (named pipes)
- Win7/Vista clients: asynchronous, MS-PAR over RPC (named pipes)
Windows PrintServer: the Print Spooler
- %SYSTEMROOT%\System32\winspool.drv
- %SYSTEMROOT%\System32\spoolsv.exe (service)
- %SYSTEMROOT%\System32\spoolss.dll (router)
- local print provider: localspl.dll, with the queues
- GDI, print processor (winprint.dll), printer driver
- print monitor, language monitor
- local port monitor and remote port monitor
- lpdq (printername): a printer on a local port, for lpdsvc; the local print device
RAW and EMF print files:
- RAW: tells the spooler not to alter the print job; it's ready for the printer device (like PCL, PostScript)
- EMF: rendering at the PrintServer
Spooler: The central component. It receives print jobs, loads drivers, schedules print jobs etc.
GDI: Provides services to the printer driver, including caching, client-server communications, and character conversion.
The driver that uses GDI ensures that programs use the same standard APIs to draw text and pictures both on screen and on
The printer drivers translate the information that an application sends through the GDI into drawing commands that the printer unde
Print router: Routes print jobs. The print router determines which print provider to call based on a printer name or other information s
Local print provider: This module does job control, and printer management capabilities for all printers that are accessed through the
Remote print provider: similar to above, but now it directs print jobs to remote print servers.
Print Monitor: Controls the logic to send print jobs to the local or remote port monitor. It also handles printer status messages.
Local and Remote Port Monitors: Send and control the print jobs to local and remote (e.g. TCP/IP) "ports".
4.2 Type of print jobs: RAW and EMF:
Rendering:
RAW and EMF print files:
- RAW: tells the spooler not to alter the print job
- EMF: rendering at the PrintServer
Before Win2000: The client rendered the print job. The rendered data was sent to the PrintServer.
Since Win2000, before Vista: print job rendering took place at the PrintServer.
Starting with Vista: the print job is again rendered locally at the client.
4.3 Printerpooling:
Assign multiple ports to one port monitor. This will let you spread your output across a pool of several printers.
A printing pool is one logical printer connected to multiple printers through multiple ports of the print server.
The printers will "share" one queue.
- When a document is sent to the printer pool, the first available printer receives and prints it.
- It is recommended that all printers be in one location. Because it is impossible to predict which printer will receive the document,
keep all printers in a pool in a single location.
- All printers in a pool must use the same driver.
- Multiple types of ports could be used: LPT, serial, network
- The logical printer checks for an available port and sends documents to ports in the order that they are added.
Adding the port connected to the fastest printer first ensures that documents are sent to the printer that can print the fastest,
before they are routed to slower printers in the printing pool.
4.4 Troubleshooting queue problems:
Spooled files are temporarily stored in the "%Systemroot%\System32\Spool\Printers" folder.
In some cases, when documents seem to be "stuck" and printing is in disorder, it might be necessary
to clear the queue:
Via the services applet, stop the spooler, or
use "net stop spooler" to stop the spooler.
Clear the documents from the folder shown above.
Via the services applet, start the spooler, or
use "net start spooler" to start the spooler.
5. Example Shared Printer properties on a Win2Kx PrintServer:
Fig. 8. Notice the example permissions for users and groups Fig. 9. Notice the "rendering" on clients, and "l
6. A few words on printers and AD:
The terms "printer" and "printqueue" are often treated as equal when talking about printer objects in AD.
Viewing a printer in "Active Directory Users and Computers":
If you have shared and published a printer in AD, you may not directly find it in the "Active Directory Users and Computers" mmc.
To view printers, you may need to follow these steps:
- From the View menu, select "Users, Groups and Computers as Containers".
- Double-click the associated computer.
Publishing a printer in AD automatically:
If you share a printer, and you are "on" the "Sharing" tab of the printer properties dialog box, then you will find
a checkbox called "List in directory". It is selected by default, meaning that the shared printer is published in AD. See figure 9 above
The printer will be published in the corresponding computer container in AD.
Publishing a printer in AD manually:
Here we just show how to manually publish a printer in AD. You can also use scripting methods
to automate the process.
- Manually adding a printer in AD:
Open Active Directory Users and Computers
Right-click the container object folder in which you want to publish the printer.
Point to "New" and then click "Printer".
Type the UNC name ("\\servername\sharedprintername") of the printer you want to publish in AD.
Fig. 11.
Group Policies and Printers:
There are a few settings to edit, using the "Group Policy Editor", or "Group Policy Management", with respect to printer settings in A
As usual, policies are in effect for user accounts (User Configuration), or for machine accounts (Computer Configuration),
for the container you are working with (like an OU).
Fig. 12
Take a look at figure 12. One of the settings under "Computer Configuration" is called "Allow printers to be published".
Here, you can allow or disallow whether print servers in your network are able to publish their shared printers in AD.
If you double-click that setting, you are able to Enable or Disable the policy for all machines in the "context" you selected (like the O
In the same way, you can evaluate all other printer related settings.
7. Some printer related commands:
Obviously, many graphical tools will help you set up a printing environment.
But many command-line tools are at your disposal too.
7.1 rundll32.exe
It's amazing how much you can configure, and what info can be retrieved, using the "rundll32.exe" command.
In general, the rundll32.exe application is used to launch code stored in .dll files.
So, you can use it for print related libraries too. Try the following "help" command to see the parameters which are possible,
as well as some command examples (it should work on most modern Windows systems).
C:\> RUNDLL32 PRINTUI.DLL,PrintUIEntry /?
Just an example:
For example, if you want to view the queue "printername" on "PrintServerA", then you might use this:
C:\> RUNDLL32 PRINTUI.DLL,PrintUIEntry /o /n\\PrintServerA\printername
7.2 cscript prnmngr.vbs
As a part of the Windows Scripting Host environment, the cscript processing utility
allows you to execute all sorts of scripts, like ".vbs" (Visual Basic) scripts.
On Win2Kx PrintServer machines, the "prnmngr.vbs" script allows you to manage print devices.
You may find it in "%SYSTEMROOT%\System32\Printing_Admin_Scripts\en-US", or a similar location.
Just an example syntax, to add a printer:
C:\> cscript prnmngr.vbs -a -p PrinterName [-s RemoteComputer] -m DriverName -r PortName [-u UserName -w Password]
-a: add
-d: delete
On your Windows system, you might find a couple of other (printer related) .vbs scripts as well.
7.3 cscript pubprn.vbs
The "pubprn.vbs" script allows you to "publish a printer in Active Directory".
Example syntax:
C:\> Cscript Pubprn.vbs {<ServerName> | <UNCPrinterPath>} "LDAP://CN=<Container>,DC=<Container>"
Example:
To publish all printers on the \\PrintServerA computer to the Sales container in the us.abc.com domain, type:
C:\> cscript pubprn.vbs PrintServerA "LDAP://CN=Sales,DC=us,DC=abc,DC=com"
Just as in 7.2, you might find this script in "%SYSTEMROOT%\System32\Printing_Admin_Scripts\en-US", or a similar location.
7.4 WMIC printer commands
The "wmic" prompt command has many parameters and options. It can deliver you information about your entire system, and thus p
Not only can it provide the current settings, but you can modify settings, and add or delete objects too.
Someone could write a large article on the "wmic" command, but here we only refer to it, and we just give a few examples.
Just a few examples:
C:\> wmic printer get name, location
C:\> wmic printerconfig get devicename, driverversion
C:\> wmic /INTERACTIVE:ON PRINTER where PortName="LPT1:" DELETE
In general, in the "wmic objectname get attributes" command, there typically are a few tens or more of attributes "to get".
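Added example, not part of the original note, serving both the wmic commands above and the queue troubleshooting procedure of 4.4: the same WMI printer classes (Win32_Printer, Win32_PrintJob) used from PowerShell to inventory printers (including whether they are shared and published in AD), to find jobs that have been waiting in a queue longer than a threshold, and, as the last resort, the spooler stop / clear / start procedure wrapped in a function. PowerShell 2.0 or later; the function names are my own.

```powershell
# Added example, not part of the original note: the WMI printer classes queried by the
# wmic commands above, from PowerShell, plus the queue-clearing procedure from 4.4.
# PowerShell 2.0 or later; $ComputerName defaults to the local machine.

function Get-PrinterInventory {
    # Every printer object, with its share and AD publishing state.
    param([string]$ComputerName = ".")
    Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName |
        Select-Object Name, ShareName, Shared, Published, PortName, DriverName, PrinterStatus, WorkOffline
}

function Get-StuckPrintJob {
    # Jobs submitted more than $OlderThanMinutes ago and still queued are probably stuck.
    param([string]$ComputerName = ".", [int]$OlderThanMinutes = 30)
    $cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)
    foreach ($job in Get-WmiObject -Class Win32_PrintJob -ComputerName $ComputerName) {
        # TimeSubmitted is a WMI datetime string (yyyymmddHHMMSS.ffffff+zzz); convert it.
        $submitted = [System.Management.ManagementDateTimeConverter]::ToDateTime($job.TimeSubmitted)
        if ($submitted -lt $cutoff) {
            New-Object PSObject -Property @{
                Printer   = ($job.Name -split ',')[0]     # Name is "<printer>, <job id>"
                JobId     = $job.JobId
                Owner     = $job.Owner
                Document  = $job.Document
                Status    = $job.JobStatus
                Submitted = $submitted
            }
        }
    }
}

function Clear-PrintQueue {
    # The manual procedure from 4.4: stop the spooler, remove every spool file, start it again.
    # Every pending job on this server is lost, so the caller must pass -Force.
    param([switch]$Force)
    $spoolDir = Join-Path $env:SystemRoot "System32\spool\PRINTERS"
    if (-not $Force) { throw "This removes all pending jobs in $spoolDir; run again with -Force." }
    Stop-Service -Name Spooler -Force          # -Force: stop even if other services depend on it
    Remove-Item -Path (Join-Path $spoolDir "*") -Force -ErrorAction SilentlyContinue
    Start-Service -Name Spooler
}

Get-PrinterInventory | Format-Table Name, Shared, Published, PortName -AutoSize
Get-StuckPrintJob -OlderThanMinutes 30 | Format-Table Printer, JobId, Owner, Submitted -AutoSize
```

Only call Clear-PrintQueue -Force after Get-StuckPrintJob confirms the queue really is wedged, since it discards every job, not just the stuck one.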
7.5 The "lpr portmonitor" and the "Subsystem for Unix based applications"
lpr Portmonitor:
In, for example, Win2K8, the lpr port monitor can be added as an optional "feature".
This port monitor (see section 4 for the overall print architecture) enables a Windows PrintServer to send print jobs
to any machine where the "lpd" daemon runs, like UNIX machines.
Subsystem, or services, for Unix applications:
It's also possible to run "unix-like" services on a Windows Server, like for example the "lpd" service.
This then enables UNIX machines to send print jobs to the Windows PrintServer.
At the same time, a number of utilities are installed, like the "lpr" command, which has the following syntax:
C:\> lpr -S server -P printer [-C class] [-J job] [-o option] [-x] [-d] filename
So, with that command you can interactively send a print job to a Server where the lpd service is running.
5. Usage of "Groups" in AD networks:
Important:
Formally, Microsoft says that there are two types of groups: distribution groups, and security groups.
When you talk about assigning rights, and assigning (resource) permissions, then you are dealing with "security groups".
Distribution groups are relevant only for Email apps and the like, and are not important for assigning rights and permissions
(a distribution group is not security-enabled: it is not placed in a user's access token, so an ACL entry for it would never match).
To differentiate between the different security groups like Global Groups, Universal Groups, and Domain Local Groups, Microsoft uses the term "scope".
A scope determines the "usability", or "range" or "reach" where you can use or "apply" the group.
So, for example, a "Universal Group" can be used for permission assignments throughout the whole AD forest.
So, formally, when we talk about the different sorts of "security groups", we better not talk about the different "types" of security groups,
because "type" already means security versus distribution.
One way to differentiate between the "sorts" of security groups, is to refer to the scope of the group.
1. Just listing the "sorts" of security Groups in Active Directory (Domain Controller), and at a member Server:
In figure 1, you can see that, while working on a Domain Controller (and thus in AD), we can create 3 sorts (or scopes) of security groups:
- Domain Local Group
- Global Group
- Universal Group
In figure 2, we are working on a Windows Server which here is just a member Server in a Domain. This computer is not a Domain Controller.
If we logon to this machine, and we start "Computer Management", and we go to the "Groups" folder under "Local Users and Groups",
we can create only one sort of group:
- Local Groups (which are simply called "groups", or sometimes "Default Local Group").
Fig 1.
Almost all Operating Systems use the concept of "group". It functions as a sort of container, and you can add or remove user accounts.
Then, you can grant permissions to that group, on, for example a directory, or printer etc.., and those permissions apply to all group members.
But Microsoft Windows systems know several group scopes (sort of types of groups), as was shown in figures 1 and 2.
The question is: when do you use what scope (scope-type) of group?
Remember, we are only dealing with "Security Groups". "Distribution Groups" are not important for our discussion.
When you talk about assigning rights and assigning (resource) permissions, you are dealing with "security groups".
2. When to use what sort of security group:
2.1 The Wrong Approach: assigning permissions to individual Domain User accounts directly:
Suppose you have a resource, that you want your Domain Users to get access to. Suppose this is a shared directory on the member Server SRV1.
Working on SRV1, you could share the directory, and grant Share and NTFS permissions to accounts.
You could assign permissions "directly" to individual user accounts from the local Domain, and from any other trusted Domains. But you
might have many users, and lots of resources (located on for example SRV2, SRV3, …, SRV20 etc…), so that ultimately, you would end up
with an enormous number of individual ACL entries spread over all those Servers, which nobody can maintain or review: when a user
changes job or leaves, every ACL that mentions that account has to be found and edited.
So, you will almost always use some sort of group in permission assignment. But which sort of group?
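As an added example (this is not code from the original notes), here is a PowerShell script that audits a share tree for exactly this mistake: explicit ACEs granted directly to user or computer accounts, and ACEs on groups that are local to the member Server (the NT4 style). It assumes the ActiveDirectory module (Win2K8 R2, or RSAT) on a domain member; the share root F:\CorpData and the groupType bit values are the only things it relies on beyond that, and the root path is an assumption.

```powershell
# Added example, not from the original notes: classify every explicit ACE under a share root.
# Assumes the ActiveDirectory module; the root path F:\CorpData is an assumption.
Import-Module ActiveDirectory

$sidCache = @{}   # one AD lookup per SID; the same group shows up in many ACLs

function Get-AceKind {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Translate the account name in the ACE to a SID, then ask AD what kind of object that SID is.
    try   { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return 'unresolvable (orphaned SID?)' }
    if ($sidCache.ContainsKey($sid)) { return $sidCache[$sid] }

    $kind = 'unknown'
    if ($sid -like 'S-1-5-32-*') {
        $kind = 'BUILTIN local group (NT4 style)'
    } elseif ($sid -eq 'S-1-5-18' -or $sid -like 'S-1-5-80-*') {
        $kind = 'system / service account'
    } else {
        $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties groupType -ErrorAction SilentlyContinue
        if (-not $obj) {
            # SID is not in AD: a local account or local group of this member server
            $kind = 'local account or local group of this server (NT4 style)'
        } else {
            switch ($obj.ObjectClass) {
                'user'                     { $kind = 'DIRECT USER ACE (wrong approach)' }
                'computer'                 { $kind = 'DIRECT COMPUTER ACE (wrong approach)' }
                'foreignSecurityPrincipal' { $kind = 'principal from a trusted domain' }
                'group' {
                    # groupType bits: 0x2 = global, 0x4 = domain local, 0x8 = universal
                    if     ($obj.groupType -band 0x4) { $kind = 'domain local group (preferred)' }
                    elseif ($obj.groupType -band 0x2) { $kind = 'global group (works, not preferred)' }
                    elseif ($obj.groupType -band 0x8) { $kind = 'universal group (use sparingly)' }
                }
                default { $kind = "other ($($obj.ObjectClass))" }
            }
        }
    }
    $sidCache[$sid] = $kind
    return $kind
}

function Find-BadAces {
    param([string]$Root = 'F:\CorpData')   # assumed share root on the member server
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        # explicit ACEs only: an inherited ACE was already reported on the folder it came from
        $explicit = (Get-Acl -Path $dir.FullName).Access | Where-Object { -not $_.IsInherited }
        foreach ($ace in $explicit) {
            New-Object PSObject -Property @{
                Path     = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Kind     = Get-AceKind $ace.IdentityReference
            }
        }
    }
}

Find-BadAces | Where-Object { $_.Kind -like 'DIRECT*' -or $_.Kind -like '*NT4*' } |
    Sort-Object Path | Format-Table Path, Identity, Rights, Kind -AutoSize
```

Run it with an account that can read the ACLs of the whole tree. Every line it prints is an entry you would have to hunt down by hand when that user leaves; after you have moved the permissions to groups (section 2.2), the filtered output should be empty.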
2.2 Using Groups for permission assignments in a Domain:
Here we take a look at resources which are located in a certain Domain "A", and how we should use groups that are defined in that Domain.
If we take a look at AD security groups again:
- Domain Local Group
- Global Group
- Universal Group
And at a member Server:
- Local Groups (which are just called "Groups").
Then, especially at larger networks, you might call a "Local Group" on a member Server also a "Permission Group".
But even better, you should use a "Domain Local Group", at a member Server, as the group to assign permissions to.
The best way to act is as follows:
- In AD, create appropriate Global Groups (with the right logical names).
- Place your domain user accounts into Global Group(s). These Global Groups can be used throughout the Domain (and the forest).
- In AD, create Domain Local Groups.
- At a member Server, where the resources are, Domain Local Groups are usable in permission assignments (just like its own Local Groups).
- At the member Server, assign permissions on the resource (printer, directory etc..) to the Domain Local Group.
- In AD, you can always make any Global Group a member of a Domain Local Group, by which that Global Group
inherits the permissions.
It sounds a bit like a "detour": why not, at the member Server, use Global Groups directly in permission assignments?
That works too. It's a valid way of doing things.
But for neater administration, use Domain Local Groups. Why? Here are a few good reasons:
- In the Access Control List (ACL) of the resource, just a Domain Local Group is listed, instead of a whole bunch of Global Groups.
- In AD it is determined which Global Groups go into the Domain Local Group. This is central administration: granting or revoking
  access to the resource is a group membership change in AD, not an ACL change on the Server.
You can also add Global Groups from trusted Domains, or Universal Groups, into that Domain Local Group.
The recipe shown above is what you should use in Win2K3 or Win2K8 AD networks.
In the older NT4 networks, you used a similar recipe. So, Global Groups were used too, to put Domain Accounts in.
But, the Global Groups were added to the "true" (private) Local Group at the member Server. Then, permission assignments were
done (at the member Server), to that Local Group.
We are going to demonstrate both models:
Example 1 will show you the NT4 way of assigning permissions in a Domain. Today, it's not the preferred way.
But it's still instructive to follow along that example.
Example 2 will show you the preferred way, in using modern Groups available in Active Directory.
Example 1 - using a Local group at the Member Server (not preferred):
Note: Example 2 demonstrates the Microsoft preferred way of using "Domain Local groups", instead of using a Local Group of a member Server.
This example is only present, because it's still a valid way of organizing permissions in Win2K3 and Win2K8 networks.
But actually, it's the NT4 style of assigning permissions on a resource at a member Server.
But please study this example too. It makes great comparison material, when you go to example 2.
Fig 3. Assigning Permissions on the F:\CorpData\Sales folder to the Local Group "lgSales" (private, or local, to the member Server)
In figure 3, we are working on a member Server. On this Server, we have the fileshare "CorpData". Right now, we are busy assigning
permissions on the F:\CorpData\Sales folder.
As shown in the figure, we are assigning NTFS permissions to the Local Group "lgSales".
Logged on to the member Server, if we now take a look at the members of "lgSales", we find what we can see in figure 4.
Here, we see that the Domain Global Group "ANTAPEX\ggSales" is a member of "lgSales".
So, any member of "ANTAPEX\ggSales" will have permissions on the directory.
Fig. 4
It all may sound like a "detour". Why not assign permissions to the Global Group(s) directly, like shown in figure 5 ?
Fig 5. Assigning Permissions on the "F:\CorpData\Sales" NTFS folder to the Global Group "ANTAPEX\ggSales" (not the Microsoft preferred way)
That approach would not be invalid, and it works too. But it's far from the Microsoft "preferred" way of organizing permissions.
Please be aware that example 1 demonstrates more "the NT4 like way" of organizing permissions, than the Win2K3/2K8 AD way of doing things.
Example 2 - using a "Domain Local Group" at the Member Server (preferred):
This example will illustrate the Microsoft preferred way of organizing security in AD networks.
In the Domain we already have a Global Group ggSales.
In AD, we also create a Domain Local Group, called "dlgTest".
It's easy enough to create that Domain Local Group, in your Domain, and optionally in some Organizational Unit.
Once created, let's just put the Global Group "ggSales" as a member of that Domain Local Group.
Fig 6.
So, on the member Server, you can just query AD and select the right "Domain Local Group" as the group to assign permissions to.
So, instead of a "true" Local Group of the member Server, we now use a "Domain Local Group", which is better because we can manage it
centrally from AD !
Also, on any member Server in the Domain you can use a certain AD based "Domain Local Group".
(Now, compare that to the use of a (true) Local Group of a member Server, which is just "local" to that particular machine.)
In figure 7, we are working on a member Server. On this Server, we have the fileshare "CorpData". Right now, we are busy assigning
permissions on the F:\CorpData\Sales folder.
As shown in the figure, we are assigning NTFS permissions to the Domain Local Group "dlgTest".
Fig 7. Assigning Permissions on the "F:\CorpData\Sales" NTFS folder to the Domain Local Group "ANTAPEX\dlgTest" (preferred Microsoft way)
This example then, is in accordance with the Microsoft recommendation.
Important:
The general recommendation from Microsoft is to use Domain Local Groups as the groups to assign permissions to.
That Domain Local group can have as members other groups, like Global Groups, and Universal Groups.
Note:
Please also note the following in comparing examples 1 and 2. Did you notice, that by using a "Domain Local Group", no "local security group"
of the member Server is used. All used groups are AD groups, and not local/private to the member Server.
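The recipe of 2.2 and example 2 done from the command line, as an added example (this is not code from the original notes). It assumes the ActiveDirectory module (Win2K8 R2, or RSAT), the domain ANTAPEX from the figures, a hypothetical OU "OU=Groups,DC=antapex,DC=local" for the groups, and that the script runs on the member Server that holds F:\CorpData\Sales. The Domain Local Group is called dlgSales here (the figures use dlgTest); the user names are made up.

```powershell
# Added example, not from the original notes: Accounts -> Global Group -> Domain Local Group -> Permissions.
# Assumptions: ActiveDirectory module, domain ANTAPEX, OU "OU=Groups,DC=antapex,DC=local", folder F:\CorpData\Sales.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=antapex,DC=local'   # assumed OU for the groups
$ggName  = 'ggSales'                         # A -> G : accounts go into the Global Group
$dlgName = 'dlgSales'                        # G -> DL: the Global Group goes into the Domain Local Group
$folder  = 'F:\CorpData\Sales'               # DL -> P: only the Domain Local Group is listed in the ACL
$members = @('harry', 'sally')               # sAMAccountNames of the sales people (assumed)

# 1. Global Group for the people: usable throughout the forest, membership replicates only within this domain.
if (-not (Get-ADGroup -Filter "Name -eq '$ggName'")) {
    New-ADGroup -Name $ggName -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $ggName -Members $members

# 2. Domain Local Group for the resource: usable only on members of this domain, which is where the share lives.
if (-not (Get-ADGroup -Filter "Name -eq '$dlgName'")) {
    New-ADGroup -Name $dlgName -GroupScope DomainLocal -GroupCategory Security -Path $ou `
        -Description "Modify on $folder"
}
Add-ADGroupMember -Identity $dlgName -Members $ggName        # the nesting step: G -> DL

# 3. On the member server: one ACE for the Domain Local Group, nothing for individual users.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            "ANTAPEX\$dlgName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Check: the ACL lists the Domain Local Group, and the chain user -> gg -> dlg resolves in AD.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like 'ANTAPEX\*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
Get-ADGroupMember -Identity $dlgName -Recursive | Select-Object Name, objectClass
```

Two things to keep in mind when you test this: the member Server resolves "ANTAPEX\dlgSales" through the DC it is talking to, so right after creating the group Set-Acl can fail until replication has caught up; and a user who was already logged on still carries the old group list in the access token, so the new permission only takes effect after that user logs off and on again.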
2.3 Permission assignments on resources in Domain A, and security groups from outside A.
The member lists of Groups with a global scope (Global Groups) are not replicated outside their own domain.
So you can add or remove user accounts in a Global Group frequently, without generating replication traffic to the Global Catalog Servers.
Of course, there is replication traffic in that specific Domain Partition.
Universal Groups may look great for use in permission assignments, but in large AD Trees or a large forest, you should use them with care.
The member list of Universal Groups is tracked by the Global Catalog Servers. If it's changed, it gives rise to replication traffic to every GC in the forest.
Contrary, groups with global or domain local scope are also listed in the global catalog, but their member list is not. That is confined
to the domain partition of their own domain.
A "Domain Local Group" is confined to its local Domain only. You cannot use it elsewhere.
So, if we analyze all the above statements, and want to select the best group to use in permission assignments on resources in Domain A,
for principals outside A, let's say Domain B:
- Domain Local Group from B: does not apply (it cannot be used in A).
- Universal group: is possible, but you should minimize the use of Universal Groups.
- Global Group from B: it's possible to use it in "direct" permission assignments at a resource in A.
- Domain Local Group in A: sure, and put the Global Group from B into the member list.
3. Scope and properties of Groups:
Groups can be either directory-based, or local to a particular computer (like a member Server, or Workstation).
Local to the member Server:
(True) Local Group (at a member Server):
Only a "Local Group" has a scope of the local machine, that is, it only applies (or exists) at that particular computer.
When you work at such a non-Domain Controller, they are simply called "groups".
As members they can have user accounts, Global Groups and Universal Groups from the Domain or from trusted Domains,
and Domain Local Groups from the Domain the computer belongs to.
In Win2Kx AD networks, you can still use them to assign permissions, but it's not preferred. But the approach is not invalid.
AD based groups:
1. Universal Group:
A "Universal group" can be used anywhere in the Tree or Forest.
So this group can be assigned permissions in any Domain in the Tree or Forest.
In practice, you should use it a bit "sparingly", because evaluating its membership (at logon) needs access to a Global Catalog Server.
Universal group membership is also replicated to all global catalog servers.
A universal group can contain users, groups, and computers from any domain in its forest as members.
Best practice however, is to only put global groups inside universal groups (which also limits replication traffic, because the
membership of the universal group then changes far less often than the membership of the global groups inside it).
2. Global Group:
A global group is a group that can be used in its own domain, in member servers and in workstations of the domain,
and in trusting domains.
In all those locations, you can give a global group explicitly rights and permissions, but more preferred is that the Global Group
becomes a member of a Domain Local Group. Then, assign rights and permissions to that Domain Local Group.
Please be aware that permissions can also be directly assigned to Global Groups as well.
A Global Group can only contain user and computer accounts, and other Global Groups, from its own domain.
3. Domain Local Group:
It's a bit similar to a Local Group at a member Server, but there is a difference !
A local group at a member Server is just local to that particular machine. A Domain Local Group is a local group defined in AD,
and usable at any Domain Controller in that particular Domain and at any member Server in that Domain.
A domain local group is a security group that can contain universal groups, global groups, other domain local groups from its own domain,
and accounts from any domain in the forest (or from a trusted domain).
Just as with a Local Group at a member Server, you can give a Domain Local Group rights and permissions on resources. That's the purpose of it.
But these resources then, must reside in the same domain where the domain local group is located.
So, in general, the way to assign permissions is this (often abbreviated as AGDLP):
Accounts go into Global Groups, Global Groups go into Domain Local Groups, and Domain Local Groups are listed on the Access Control Lists
with the Permissions.
Overview of the possible members of each group scope:
Group                 Can have as members:
Universal Group       - Accounts from any domain in the forest
                      - Global groups from any domain in the forest
                      - Universal groups from any domain in the forest
Global Group          - Accounts from the same domain
                      - Global Groups from the same domain
Domain Local Group    - Accounts from any domain (in the forest, or a trusted domain)
                      - Global groups from any domain (in the forest, or a trusted domain)
                      - Universal groups from any domain in the forest
                      - Domain local groups from the same Domain
4. Conversion of Groups:
Sometimes, you are very happy with the member list of some group, and suddenly you realize that its scope should be different.
Luckily, in many cases, it's possible to change the "scope" of a Group, and so you change the "reach" of that Group.
Scope conversion is only possible when the domain functional level is Windows 2000 native or higher.
Please see this technet article for a full description:
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
Here are the most important facts.
Group                 Can be converted to:
Universal Group       - Domain Local (no restriction on the members)
                      - Global (as long as no other universal groups are members)
Global Group          - Universal (as long as it is not a member of any other global group)
Domain Local Group    - Universal (as long as no other domain local groups are members)
A Global Group cannot be converted directly into a Domain Local Group, or vice versa: you convert to Universal first, and then to the other scope.
Note:
Here are some other articles that give a good perspective on the use of "groups" and "scope":
http://en.wikipedia.org/wiki/AGDLP
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html
6. Performance Monitoring Win2K3 & Win2K8:
1. A few General guidelines using Performance Monitor and Results:
It used to be called "Performance Monitor" or "System Monitor", but in 2K8 it was renamed
to "Reliability and Performance Monitor".
People that came from the NT4 and NT 3.51 era, might still call it "Performance Monitor" or PerfMon.
Anyway, this tool is the foremost (performance) monitoring utility on Windows Server.
You can do "real-time" measurements (viewing real-time graphs), or you can log the findings to a file,
in which case you can analyze the results at a later time.
If you want to start it:
- Go to Administrative tools and search for the utility. Or,
- just open a command window and enter the perfmon command.
With the Windows system monitoring tools, you will encounter the following naming structure:
- "objects" are representations of (real) components like Processor, PhysicalDisk etc..
- a "counter", of an object, is a measurable metric that is exposed by that object. An object usually exposes many counters.
- an "instance": for example, you might have an object like "PhysicalDisk", but.. you might have several physical disks.
So, in this example, you might pick a particular disk (like E:), or choose all of them (mostly denoted as the "_Total" instance).
So you might have as an object a "Processor", which exposes several counters like "% User Time", "% Privileged Time" and
"% Processor Time" (which is User + Privileged).
In many articles, the full name of a counter is expressed as "Object\Counter", like "Memory\Pages/sec" or
"System\Processor Queue Length". With an instance it becomes "Object(Instance)\Counter", like "PhysicalDisk(_Total)\% Idle Time".
In general, you should select representative "counters" from all of the most
important subsystems, that is, the CPU, MEMORY, DISK and NETWORK subsystems.
Of course, if you are only interested in one very specific counter, like "Server\Logon/sec",
nobody will stop you if you just select that one counter.
Indeed, sometimes you really need to focus on just one, or a few, counters.
But for an overall impression, you should take counters from the CPU, MEMORY, DISK and NETWORK subsystems,
and monitor (or log them) at the same time.
Taking counters from all subsystems makes sure you get an overall view of your system.
If you first focus on just one subsystem, like disks, then you (for example) might miss the fact
that your system (for example) is just too low on Memory.
Then, if you have judged all the overall counters, you can "zoom in" on a particular subsystem.
Remember, if you measure or probe a system, you also will "influence" it.
In effect, performance monitoring will cost… a little bit of performance (!)
The effect should be small, but if for example many Administrators are running tools
on the same Server at the same time, the net effect could be relevant.
Also, do not measure too many counters. Just choose a relevant subset, covering the subsystems.
Fig 1.
1.1 An example set of counters (Win2K8):
In figure 1, you see an example of a reasonable set of counters for "overall" monitoring.
Remember, it's just an example. It certainly does not pretend to be the "best" set of counters.
Here, you see counters from the "Memory" object, the "PhysicalDisk" object, and the "Processor" and "System" objects.
Network related counters are not shown in this figure.
As just an example, let's explain those counters:
Object        Counter                  Significance
Memory        Available Bytes          How much physical memory is free?
Memory        Page Faults/sec          References to a page that is not in the process' working set (soft and hard faults together).
Memory        Pages/sec                Pages read from, or written to, disk to resolve hard page faults (Pages Input/sec + Pages Output/sec).
Memory        Pages Output/sec         Pages written to the pagefile(s) per sec.
PhysicalDisk  Avg. Disk Queue Length   An estimate of the number of requests queued for the physical disk.
PhysicalDisk  % Idle Time              Time the disk subsystem performs no work. Sometimes it's more reliable than % Disk Time,
                                       which can report more than 100%.
PhysicalDisk  % Disk Time              % of time that the disk subsystem is really working on requests.
Processor     % Processor Time         % of cpu time spent on non-idle threads (User + Privileged).
System        Processor Queue Length   Outstanding threads waiting for cpu time in the queue (one queue for the whole system, not per cpu).
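As an added example (not code from the original notes), the following PowerShell script samples the counters of the table above with Get-Counter for one minute and compares the averages against common rules of thumb. The threshold values, the "_Total" instances and the sample interval are assumptions of this example, not figures from the notes; validate them against your own base-line logs before you trust them.

```powershell
# Added example, not from the original notes: one minute of the "overall" counters, with rough thresholds.
# The thresholds below are assumptions (rules of thumb), to be checked against your base-line.
$counters = @(
    '\Memory\Available Bytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Idle Time',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)
$cpuCount = (Get-WmiObject -Class Win32_ComputerSystem).NumberOfLogicalProcessors

# Sustained averages beyond these are worth a closer look (assumed values).
$limits = @{
    '\Memory\Available Bytes'                      = { param($v) $v -lt 100MB }
    '\Memory\Pages/sec'                            = { param($v) $v -gt 1000 }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = { param($v) $v -gt 2 }
    '\PhysicalDisk(_Total)\% Idle Time'            = { param($v) $v -lt 20 }
    '\Processor(_Total)\% Processor Time'          = { param($v) $v -gt 85 }
    '\System\Processor Queue Length'               = { param($v) $v -gt (2 * $cpuCount) }
}

# 12 samples, 5 seconds apart: cheap enough not to disturb the server you are measuring.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

# Collect the values per counter. Get-Counter returns paths as \\HOST\object\counter in lower case;
# strip the host part, and rely on PowerShell hashtable keys being case-insensitive.
$values = @{}
foreach ($set in $samples) {
    foreach ($s in $set.CounterSamples) {
        $key = $s.Path -replace '^\\\\[^\\]+', ''
        if (-not $values.ContainsKey($key)) { $values[$key] = @() }
        $values[$key] += $s.CookedValue
    }
}

foreach ($key in $counters) {
    $stats = $values[$key] | Measure-Object -Average -Maximum
    $flag  = if (& $limits[$key] $stats.Average) { 'CHECK' } else { 'ok' }
    '{0,-46} avg={1,14:N1} max={2,14:N1} {3}' -f $key, $stats.Average, $stats.Maximum, $flag
}
```

A "CHECK" on one counter is a reason to zoom in on that subsystem, not a conclusion: a high Pages/sec on a Server that is busy reading files through the cache is normal, while the same number together with low Available Bytes points at memory pressure.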
Important:
Your Server is probably in service for one or more roles like Application Server, AD, file/print,
SQL Server, Exchange, or SharePoint etc..
So, for example, if you have installed SQL Server, "suddenly" a whole lot of new objects and counters
were added to choose from.
It simply means that in this case, you cannot only concentrate on the standard objects and counters.
A few concluding remarks are in order:
- You can create your real-time graphs, or logs, right now. But you should first have created
some "base-line" logs, at the time that your Server was in a "reasonable" well-defined state,
where all applications were running normally, and access to that Server was at a representative
level as well.
Then, at a later time, when you are beginning to suspect a decline in performance, you can compare
your new findings to those base-line logs.
- It's always funny to see how the results of the tool let people (and me too) jump to conclusions.
Actually, in real systems, it's very hard to pinpoint the true cause of bad performance.
You probably have to do multiple measurements, and sometimes zoom in on specific counters,
before you can reach solid conclusions.
Also, it's likely that you need to use the objects\counters from a specific application as well,
probably even in combination with monitoring tools from that specific application.
For example, at a Database Server, suppose that indexes are not used, and instead large table scans
are being done, which take a very long time to complete.
When only looking at the standard objects and counters, it's quite hard to establish the right cause.
2. Basic Performance Monitoring Win2K8:
In 2K8, after you have started perfmon, the first screen you see, will resemble the following:
Fig 2.
It's important to notice the following "containers" in the left pane:
If you want:
1. To create real-time graphs, click the "Performance Monitor" container, and afterwards, in the right
pane, add counters.
2. If you want to create a logfile of measured counters during a certain period, open the "Data Collector Sets" container,
and create a new Collector set.
If you are done creating the new set (adding counters), you can start it for the actual measurement.
Then, after a certain period has passed, you can stop the logging.
3. If you want to analyze your logs (as created in 2) you go to the "Reports" folder in the left pane.
2.1 Creating a Real Time graph:
This one is real easy. Just make the "Performance Monitor" container (folder) in the left pane
your current context. Then, in the graph on the right, you can add counters if you right-click
the graph pane.
In figure 3, I added a few representative standard counters. Here, you can watch the overall
behaviour of your Server.
Fig. 3
2.2 Creating a logfile (to analyze it later):
First, we create a new Data Collector Set. It will "contain" the counters of our choice.
If that's done, we start the Collector Set, let it run for a while, and then stop it.
After that, we can view the Report.
In the left pane, open the "Data Collector Sets". Right-click "User Defined". Choose "Create".
The following figures will show you a typical session.
Fig. 4
Fig. 5 Here we choose "Performance counter".
Fig. 8
As shown in figure 8, add the counters you see fit for this run.
When the collector set is ready, you can right-click it, and choose Start, as is shown in figure 9.
After it has run for a certain period, you can stop the measurement.
Fig. 9
2.3 Viewing the Report (to analyze your logging):
Each time you run your collector set, under "Reports", then "User Defined", a report will be created.
In my case, you will see reports "00001" etc..
If you click one, the corresponding graph will be visible, and you can do your analysis.
Fig. 10
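The same Data Collector Set workflow of 2.2 and the analysis of 2.3, but done with logman.exe, relog.exe and Import-Counter instead of the GUI, as an added example (not code from the original notes). The set name, the log directory, the counters and the 10 minute run are assumptions; run it from an elevated PowerShell on Win2K8 (Import-Counter needs PowerShell 2.0).

```powershell
# Added example, not from the original notes: create, run and analyse a counter log without the GUI.
# Name, path, counters and duration are assumptions.
$name     = 'Baseline'
$logDir   = 'C:\PerfLogs\Baseline'
$counters = '\Memory\Available Bytes', '\Memory\Pages/sec',
            '\PhysicalDisk(_Total)\Avg. Disk Queue Length', '\PhysicalDisk(_Total)\% Idle Time',
            '\Processor(_Total)\% Processor Time', '\System\Processor Queue Length'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Create the collector set: 15 s sample interval, binary circular log capped at 200 MB, so that an
# unattended run cannot fill the disk (the warning in 3.2 about quickly growing logs applies here as well).
logman create counter $name -c $counters -si 00:00:15 -f bincirc -max 200 -o "$logDir\$name"

# Run it during the period of interest (here: 10 minutes), then stop it.
logman start $name
Start-Sleep -Seconds 600
logman stop $name

# Analyse: the newest .blg of this set, converted to CSV for a spreadsheet and read into PowerShell.
$blg = Get-ChildItem -Path "$logDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
relog $blg.FullName -f CSV -o "$logDir\$name.csv"

Import-Counter -Path $blg.FullName |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        '{0,-60} avg={1,12:N1} max={2,12:N1}' -f $_.Name, $stats.Average, $stats.Maximum
    }

# Keep this log: it is the base-line that later measurements are compared against.
```

"logman query" lists the sets that exist, and "logman delete Baseline" removes the set (not the logs) when you are done with it.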
3. Basic Performance Monitoring Win2K3:
3.1 Creating Real-Time graphs:
It's indeed very easy to create a monitoring graph, showing you the counters you wish to monitor
As usual, you can find Performance Monitor (or System Monitor) in the Administrative tools,
or just open a command window, and enter the perfmon command.
In order to get a real time graph, just "right-click" somewhere in the right pane of the main window,
just as is shown in the figure below.
Fig. 11
In the figure below, you can see that I have added a few common counters in the graph.
Fig. 12
3.2 Creating a log (which you can analyze later):
Our objective here, is to create a "Counter Log", which you can run during some time,
so that your system gets monitored on the "counters" you have added to that log.
You let the logging go on for a time interval that you see fit, for example, during some
batch run. Then you need to stop the logging, at which point you are able to analyze that log.
Fig 13.
First you need to define some log setting, for example the name of the log, and where
you want to store it.
So, right-click the "Counter Logs" folder, and choose "New Log Settings…".
Next, give your log a descriptive name, like in the example below:
Fig. 14
In the Dialog Box that follows, you can see where per default the log will be stored.
Ofcourse, you are able to change that location.
But first, using the Add button, you now add the counters you wish to monitor.
Fig. 15
Here is just an example of a few counters that were added:
Fig. 16
Do NOT click OK or Apply right now, unless you are happy with the log storage location,
and you want to run the logging now.
It's likely that you want another location to store the logging, so use the Tab "Log Files":
Fig. 17
Evidently, you can change the storage location and filename using this tabsheet.
Also, note that you can limit the size of the logfile.
Do NOT click OK or Apply, unless you are happy with the settings as they are now.
It's worth while to take a look at the "Schedule" tabsheet as well.
Fig. 18
It's likely you want control on when the logging starts, and when it will end.
As you can see in the figure above, you can set the logging to start and stop "manually",
or you can schedule it using the "At" control. Also decide on how the logging should be stopped.
When all is ready, you should see something similar as shown in the figure below.
If you right-click your Counter Log, you are able to start and stop it as you please.
Fig. 19
Note: In some cases (when many counters are used), Counter Logs can quickly grow in size.
It's probably best to try a few test runs, before you let logging proceed unattended.
3.3 Analyzing the Counter Log.
If no logging is going on right now, you can open your Counter Log, in order to view
the graph of counters.
Fig. 20
In the figure pane, you will notice a couple of buttons. The button where the black arrow
is pointing to, enables you to open any of the Counter Logs you have created.
Fig. 21
Just select the Counter Log of your choice, and proceed to add the counters you want to analyze.
Notes recovered from the figures in section 1 (Tree and Forest):
A Domain is a border for:
- Replication traffic
- System Policies
- Administration
An Organizational Unit (OU):
- Can be nested
- Creates a structure within a Domain
- Is a border for System Policies, Administration, and Delegation of control
Example: the user object "harry" in the OU "finance" of the domain us.abc.com has the distinguished name
cn=harry,OU=finance,DC=us,DC=abc,DC=com.
Domains in the tree figure: abc.com, us.abc.com, europe.abc.com, sales.europe.abc.com, qc.europe.abc.com; the forest figure
adds xyz.com with the child domain enginering.xyz.com. The tree still shares the "abc.com" namespace.
All domains that have a common root domain are said to form a contiguous namespace.
AD stores information about network resources such as computers, servers, users, groups, printers, and more,
in a common directory (database), and provides authentication and authorization services.
DNS functions as the AD locator service: a Workstation or Server that needs a DC, a Global Catalog or a Kerberos KDC asks DNS for it.
In order for Active Directory to function properly, the DNS server must support a
number of Service Location (SRV) resource records. As a few examples:
_ldap._tcp.abc.com (find a DC for the domain abc.com)
_ldap._tcp.rd._sites.abc.com (find a DC in the site "rd")
_gc._tcp.abc.com (find a Global Catalog)
_kerberos._udp.DnsDomainName (find a Kerberos KDC via udp)
_kerberos._tcp.DnsDomainName (find a Kerberos KDC via tcp)
etc..
On the client, the Local Security Authority (LSA) uses the authentication packages Kerberos and NTLM.
The Kerberos KDC is an integral part of AD (it runs on every Domain Controller).
Services are registered in AD with a Service Principal Name (SPN), for example:
MSSQLSvc/SQLSERVER1.us.abc.com:1433
1. AD physical files (on filesystem) on Domain Controller:
- core database: %SystemRoot%\ntds\NTDS.DIT
- current transaction log: %SystemRoot%\ntds\edb.log
- former transaction log(s): %SystemRoot%\ntds\edbnnnnn.log
- checkpoint: %SystemRoot%\ntds\edb.chk
Optional: at install time you can choose another storage location for the database and the logs.
NTDS.DIT holds the password hashes of every account in the domain, so treat copies of it (and System State backups) as secrets.
2. AD Logging on Domain Controller:
%SystemRoot%\Debug
Control of Diagnostic Logging:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
values 0:basic to 5:full (per logging category; 5 is very verbose, use it only while troubleshooting)
3. SysVol (directory on filesystem) on Domain Controller:
Default: %systemroot%\SYSVOL
Contains files and folders, dedicated for Group Policies and
scripts. The File Replication service (FRS) can distribute them
to other domain controllers within that domain (from the Win2K8 domain functional level on, DFS Replication can replace FRS for SYSVOL).
4. Import / Export AD data:
1. LDIF Format:
Use the "ldifde" utility for import / export of AD objects to and from ldif files. LDIF files contain:
– Data
– Data and actions to be performed, like add, delete, modify
2. CSV Format:
Use the "csvde" utility (export, and import of new objects only; csvde cannot modify or delete existing objects).
5. Some other AD Tools:
- ntdsutil.exe
Overall utility for broad management on Active Directory.
- adsiedit
A GUI tool, a Microsoft Management Console (MMC) snap-in, that allows for low-level edit actions in Active Directory.
- Dsadd.exe
This tool adds a computer, contact, group, organizational unit, or user to a directory.
- Dsget.exe
This tool displays the selected attributes of a computer, contact, group, organizational unit, server, or user in a
directory.
- Dsmod.exe
This tool modifies an existing user, computer, contact, group, or organizational unit in a directory.
- Dsmove.exe
This tool moves any object from its current location in the directory to a new location (provided that the move
can be accommodated in a single domain controller) and renames an object without moving it in the directory
tree.
- Dsquery.exe
This tool queries and finds a list of computers, groups, organizational units, servers, or users in the directory
by using specified search criteria.
- Dsrm.exe
This tool deletes an object of a specific type or any general object from the directory.
- setspn.exe
Allows you to register, or to delete, an SPN in AD.
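A few of the ds* tools piped into each other, the way you would use them for a quick review of a domain, as an added example (not code from the original notes). The group ggSales and the user harry are from the examples in these notes; the OU "OU=Groups,DC=us,DC=abc,DC=com" is assumed. The "-inactive" switch needs the Windows Server 2003 domain functional level (it uses lastLogonTimestamp).

```powershell
# Added example, not from the original notes: the ds* tools chained with the pipeline.
# Names from the notes (ggSales, harry, OU=finance); the OU "OU=Groups" is assumed.

# Who is really in the Sales group, with nested groups expanded?
dsquery group -name ggSales | dsget group -members -expand

# Which of those are disabled accounts that nobody removed from the group?
dsquery group -name ggSales | dsget group -members -expand |
    dsget user -samid -disabled | Select-String -Pattern '\byes\s*$'

# Accounts that have not logged on for 8 weeks (-limit 0 lifts the default limit of 100 results).
dsquery user -inactive 8 -limit 0

# Accounts with "password never expires" set, a classic audit finding.
dsquery user -limit 0 | dsget user -samid -pwdneverexpires | Select-String -Pattern '\byes\s*$'

# Every user object that carries a Service Principal Name: these are the Kerberos service accounts,
# whose passwords deserve the same attention as those of administrators.
dsquery * -filter "(&(objectCategory=person)(servicePrincipalName=*))" -attr sAMAccountName servicePrincipalName

# Create a user and put it in the Global Group, instead of editing any ACL for that user.
# "-pwd *" prompts for the password, so it does not end up in the command line or the shell history.
dsadd user "CN=harry,OU=finance,DC=us,DC=abc,DC=com" -samid harry -upn harry@us.abc.com -pwd * -mustchpwd yes
dsmod group "CN=ggSales,OU=Groups,DC=us,DC=abc,DC=com" -addmbr "CN=harry,OU=finance,DC=us,DC=abc,DC=com"
```

The tools print one distinguished name per line, which is why the output of dsquery can be fed straight into dsget or dsmod; "dsget user" without a DN on its command line reads the DNs from the pipeline.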
6. Creating AD objects by Automation.
Many scripting environments can be used to add, delete and modify AD objects.
For example you can use VBscript, wsh, Powershell etc..
VBScript example:
Create a user account
Set objOU = GetObject("LDAP://OU=Management,dc=contoso,dc=com")
Set objUser = objOU.Create("User", "cn=Dan Holme")
objUser.Put "sAMAccountName", "DanHolme"
objUser.SetInfo
Create a global group account
Set objOU = GetObject("LDAP://OU=Management,dc=contoso,dc=com")
Set objGroup = objOU.Create("Group", "cn=phx-users")
objGroup.Put "sAMAccountName", "phx-users"
objGroup.SetInfo
Powershell example (ADSI), where a loop is used to import accounts from a .csv file.
The .csv is assumed to have the columns UserName and Password. The password is taken per user from the file
(instead of one hardcoded password for all accounts) and is set before the account is enabled, because a domain
with a password policy refuses to enable an account that has no password yet.
$users = Import-Csv "C:\usersToBeCreated.csv"
$container = [ADSI] "LDAP://cn=Users,dc=YourDomain,dc=local"
$users | ForEach-Object {
    $UserName = $_.UserName
    $newUser = $container.Create("User", "cn=" + $UserName)
    $newUser.Put("sAMAccountName", $UserName)
    $newUser.SetInfo()                                    # the object must exist before a password can be set
    $newUser.SetPassword($_.Password)                     # per-user password from the csv
    $newUser.psbase.InvokeSet("AccountDisabled", $false)  # enable only after the password is set
    $newUser.Put("pwdLastSet", 0)                         # force a password change at first logon
    $newUser.SetInfo()
}
7. Undelete Objects
When an object is deleted from Active Directory, it is not immediately erased, but it is marked for future deletion.
This marker is called a "tombstone".
The tombstone is an object where the "isDeleted" property is set to True.
The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the
garbage collection process really removes the objects.
The timespan that tombstoned objects remain in the directory service before being deleted (the tombstone lifetime) is 60 days, or 180
days, depending on the version of AD the forest was created with.
- Restoring a tombstoned object is often called "reanimation". Most attributes (group memberships among them) are stripped
  from a tombstone, so after reanimation you have to set them again.
- You can also restore a truly deleted object (it was not even a tombstone anymore), but only from a backup.
Tools/Methods:
- Restoring deleted items from a previous System State backup (DS Restore Mode, authoritative restore with ntdsutil)
- ldp.exe
- ADRestore.exe
- ntdsutil.exe
- ldifde.exe (if you have exported the objects before, as a means of backup)
Windows 2008 R2:
- Recycle Bin
Needs the forest functional level of your AD DS or AD LDS environment to be Windows Server 2008 R2. Once enabled it cannot be disabled
again, and deleted objects keep all their attributes (including group memberships) while they are in the recycle bin.
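Enabling the Recycle Bin and restoring a deleted object with it from PowerShell, as an added example (not code from the original notes). It assumes the ActiveDirectory module on a Win2K8 R2 DC, the forest abc.com and the user harry in OU=finance from the examples in these notes.

```powershell
# Added example, not from the original notes: AD Recycle Bin (Win2K8 R2) from PowerShell.
# Assumptions: ActiveDirectory module, forest abc.com, user harry from OU=finance,DC=us,DC=abc,DC=com.
Import-Module ActiveDirectory

# 1. Enable the feature once, forest-wide. Needs forest functional level 2008 R2 and is irreversible.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'abc.com' -Confirm:$false

# 2. Deleted objects sit in CN=Deleted Objects and are hidden from normal queries;
#    -IncludeDeletedObjects shows them. lastKnownParent tells you where the object came from.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "harry*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 3. Restore: to the last known parent by default, or to an explicit -TargetPath.
$deleted | Where-Object { $_.ObjectClass -eq 'user' } |
    Restore-ADObject -TargetPath 'OU=finance,DC=us,DC=abc,DC=com'

# 4. Check that the account is back, and that its group memberships came back with it
#    (a tombstone reanimation with ldp.exe would have lost them).
Get-ADUser -Identity harry -Properties memberOf | Select-Object DistinguishedName, Enabled, memberOf
```

Restore first, then look at the account: a restored user comes back in the state it was deleted in, so if it was disabled before the deletion it is still disabled, and its old group memberships (and therefore its old permissions via the Domain Local Groups) are active again immediately.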
9. Creating a DC:
On a member Server, use "dcpromo.exe" to convert it to a DC.
dcpromo creates a new DC:
– Initial database from …\system32\ntds.dit
– Default objects in DIT from …\system32\schema.ini
Three log files track the promotion process
– Located in %SystemRoot%\Debug
dcpromoui.log - user interface logging
dcpromo.log - Server promotion process
dcpromos.log - Domain upgrades
egments, called directory partitions or naming contexts.
ted (replicated) to domain controllers in different domains within the forest.
aming Context” also know as Directory Partition.
ontain a replica of the same sub tree. A “Naming Context” is also called a Directory Partition.
tructure info of that Domain).
A "Directory Partition" or "Naming Context" is a part of the whole directory tree.
For example, a Domain is a partition.
=> every DC has a copy of the "schema" and "config" partition
=> every GC has:
- the schema and config partition
- a full copy of the domain partition of the domain it is installed in
- information on all objects of the whole forest, although only a partial attribute set is kept for objects of other domains
- Important for logons: the DC asks a GC to resolve universal group membership
- Logon fails if no GC is available (members of Domain Admins can still log on)
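As an added example (not from the original note), this script lists the naming contexts a DC holds, finds the Global Catalog servers, and queries the schema for the attributes flagged as members of the partial attribute set. It assumes the ActiveDirectory module and a reachable DC.

```powershell
# Added example, not from the original note. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
# Every DC holds the schema and configuration NCs; the domain NC and any
# application NCs (e.g. DomainDnsZones) differ per DC.
"Schema NC:         " + $rootDse.schemaNamingContext
"Configuration NC:  " + $rootDse.configurationNamingContext
"Default domain NC: " + $rootDse.defaultNamingContext
"All NCs on $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# rootDSE attribute isGlobalCatalogReady tells whether this DC advertises as a GC.
"This DC is a GC:   " + $rootDse.isGlobalCatalogReady

# All GCs in the forest, with their site: a site without a GC means logons
# in that site depend on a WAN link (or on the Domain Admins exception).
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, Domain | Format-Table -AutoSize

# The partial attribute set: attributeSchema objects with
# isMemberOfPartialAttributeSet=TRUE are replicated to every GC for objects
# of the other domains in the forest. Adding an attribute here adds GC
# replication traffic forest-wide, which is why it is a deliberate decision.
$pas = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName
"Attributes in the partial attribute set: $($pas.Count)"
$pas | Select-Object -ExpandProperty lDAPDisplayName | Sort-Object | Select-Object -First 15
```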
ain controller in a domain holds a copy of that domain partition
ca's" of that particular partition.
a certain Domain Controller, must be propagated to other Domain Controllers.
ty set TRUE, it is replicated to the GC too.
ach DC's copy of a partition.
ners and it uses that USN
s for the changes beyond USN 123456.
less cycles of queries would happen.
oller's "GUID" to uniquely determine true relevant updates.
as information on all objects of the full tree, although a partial attribute set is kept
partition", which describes all Domains, and
n directory partition, as input to the topology generation algorithm,
but they can also be created manually.
on from one domain controller to another.
High watermark:
Before: 1525
After: 1527
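To make the USN, high-watermark and up-to-dateness vector mechanics concrete, here is an added simulation (not from the original note, and not how repadmin reports it) of one pull-replication cycle between two DCs. DC names, GUIDs and USNs are constructed; the high watermark moves from 1525 to 1527 as in the text.

```powershell
# Added example, not from the original note: a constructed simulation of one
# replication cycle. Source DC1's change log for one partition: its local USN
# per change, plus the DC where the write originated and its USN there.
$sourceChanges = @(
    @{ LocalUsn = 1525; OrigDC = 'GUID-DC1'; OrigUsn = 1525; Object = 'CN=Alice' },
    @{ LocalUsn = 1526; OrigDC = 'GUID-DC3'; OrigUsn = 900;  Object = 'CN=Bob'   },  # reached DC1 from DC3
    @{ LocalUsn = 1527; OrigDC = 'GUID-DC1'; OrigUsn = 1527; Object = 'CN=Carol' }
)

# Destination DC2: the high-watermark it keeps per source partner (last USN
# pulled from DC1 = 1525) and its up-to-dateness (UTD) vector: the highest
# originating USN it already holds from every DC, keyed by that DC's GUID.
# DC2 already received DC3's write #900 through another partner (UTD 950).
$dest = @{
    HighWatermark = @{ 'GUID-DC1' = 1525 }
    UtdVector     = @{ 'GUID-DC1' = 1525; 'GUID-DC3' = 950 }
}

function Invoke-ReplicationCycle {
    param($Source, [string]$SourceGuid, $Dest)
    $hwm = $Dest.HighWatermark[$SourceGuid]
    $applied = 0
    # 1. Ask the source only for changes whose local USN is beyond the high-watermark.
    $new = $Source | Where-Object { $_.LocalUsn -gt $hwm } | Sort-Object { $_.LocalUsn }
    foreach ($c in $new) {
        $known = $Dest.UtdVector[$c.OrigDC]
        # 2. Propagation dampening: if the UTD vector shows this originating write
        #    is already present, skip it. Without this, a change could circulate
        #    between partners in endless cycles.
        if ($known -ne $null -and $known -ge $c.OrigUsn) {
            Write-Host ("skip  {0} (originated at {1}#{2}, UTD already {3})" -f $c.Object, $c.OrigDC, $c.OrigUsn, $known)
        } else {
            Write-Host ("apply {0} (originated at {1}#{2})" -f $c.Object, $c.OrigDC, $c.OrigUsn)
            $Dest.UtdVector[$c.OrigDC] = $c.OrigUsn
            $applied++
        }
        # 3. Advance the high-watermark past this entry, whether applied or skipped:
        #    the source has been consulted up to this USN.
        $Dest.HighWatermark[$SourceGuid] = $c.LocalUsn
    }
    return $applied
}

Write-Host "High watermark before: $($dest.HighWatermark['GUID-DC1'])"
$n = Invoke-ReplicationCycle -Source $sourceChanges -SourceGuid 'GUID-DC1' -Dest $dest
Write-Host "High watermark after:  $($dest.HighWatermark['GUID-DC1'])"
$utd = ($dest.UtdVector.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
Write-Host "Applied $n change(s); UTD vector now: $utd"
```

On a real DC the same two structures are shown by "repadmin /showrepl" (high-watermark per partner) and "repadmin /showutdvec" (the UTD vector), which is where to look when a change is not arriving at a particular DC.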
e" subnets, and those subnets are all highspeed LAN's.
erally speaking, replication should go quite "fast".
he country, or even across the globe.
branch office in another remote location.
[Figure: several sites, among them Boston and Washington, each containing one or more DCs, interconnected by site links]
ut they are interconnected
topology into consideration.
ons" and "replication".
Protocol (IP) subnets with that site.
workstation is associated with a site according
(ISTG)". To enable replication across site links, the ISTG automatically
alled bridgehead servers. A bridgehead is a point where a connection leaves or enters a site.
nd Inter-site Replication.
occurring within a site (intrasite) or between sites (intersite).
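As an added example (not from the original note), this script enumerates the sites, subnets, Inter-Site Topology Generator and bridgehead servers of the forest with the .NET System.DirectoryServices.ActiveDirectory classes, which exist on Win2K3 and Win2K8 without the ActiveDirectory PowerShell module. It assumes the machine is joined to the forest.

```powershell
# Added example, not from the original note. Assumes a forest-joined host.
Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

foreach ($site in $forest.Sites) {
    "Site: $($site.Name)"
    # Subnets decide which site a DC or workstation belongs to.
    "  Subnets:     " + (($site.Subnets | ForEach-Object { $_.Name }) -join ', ')
    "  DCs:         " + (($site.Servers | ForEach-Object { $_.Name }) -join ', ')
    # ISTG: the DC in this site that computes the inter-site connection objects.
    $istg = if ($site.InterSiteTopologyGenerator) { $site.InterSiteTopologyGenerator.Name } else { '(none)' }
    "  ISTG:        " + $istg
    # Bridgeheads: the DCs through which replication leaves or enters the site.
    "  Bridgeheads: " + (($site.BridgeheadServers | ForEach-Object { $_.Name }) -join ', ')
    # Site links carry cost and interval; intersite replication is scheduled, intrasite is not.
    "  Site links:  " + (($site.SiteLinks | ForEach-Object {
        "$($_.Name) (cost $($_.Cost), every $($_.ReplicationInterval.TotalMinutes) min)" }) -join '; ')
}

# A subnet that is not mapped to any site sends its DCs/clients to Default-First-Site-Name
# and lets logons cross the WAN; list the mapping to spot gaps.
$forest.Sites | ForEach-Object { $s = $_; $_.Subnets | ForEach-Object { "{0,-20} -> {1}" -f $_.Name, $s.Name } }

# Which site does this computer fall into? Derived from its IP address and the subnet objects.
"This machine's site: " + [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
```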
n2K3 & Win2K8:
[Figure: Windows Win2K3/Win2K8 architecture.
User mode: winlogon.exe with the GINA (logon screen); regular Win32 applications and the cmd console; 16-bit DOS applications inside NTVDM.exe; CSRSS.exe, the Client Server Runtime Subsystem (the Win32 environment subsystem); LSASS.exe, the Local Security Authority Subsystem, with the authentication packages Kerberos and NTLM; SMSS.exe, the Session Manager Subsystem; NTDLL.dll as the gateway to kernel mode.
Kernel mode: the Executive (Memory Manager, Process Manager, Plug and Play Manager), Win32K.sys (user and GDI), DirectX and the graphics drivers, the Microkernel, and the Hardware Abstraction Layer.]
the Partition Table for the disk and a small
this executable code examines the Partition Table
system partition (or active partition). This is the
uld be used to boot the operating system.
ds the active partition's starting location on the
Partition Boot Sector of this active
BOOTSECT.DOS: used to boot older OS like DOS or Win9x. If an older DOS-based operating system was
chosen, NTLDR passes control to BOOTSECT.DOS, which emulates the boot sector of the older operating system.
boot.ini in the root of the system partition:
- ASCII file
- its entries define the boot menu and boot options that NTLDR displays
- boot options contain ARC paths to operating system locations, like
  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"
- if present, the older DOS-based boot option is listed too.
tldr is responsible for loading the Windows
and the hardware abstraction NTOSKRNL does the following:
- boot-time device drivers are loaded (but not yet
initialized).
- From registry key "HKLM\System\Select"
the best ControlSet (not failed)
is selected.
AMP.EXE : N CPU SMP, PAE
Configuration information of services is then
known, and services and subsystems are
initialized.
After a control set is chosen, the Current value under HKLM\System\Select points to it.
When the boot completes successfully (a user has logged on), LastKnownGood is set to the
same control set as Current. The Failed value records the control set that was last rejected
in favour of LastKnownGood; 0 means no boot has failed that way.
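The following added example (not from the original note) parses boot.ini entries into their ARC path components, tells NTLDR-booted entries from the BOOTSECT.DOS case, and reads the control-set selection from HKLM\SYSTEM\Select. The boot.ini text is constructed sample input; only the registry read touches the local machine.

```powershell
# Added example, not from the original note. The boot.ini below is constructed.
$bootIni = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows Server 2003" /fastdetect /PAE
C:\="Microsoft Windows 98"
'@

function ConvertFrom-BootIniEntry {
    param([string]$Line)
    # ARC path: multi()/scsi()/signature() adapter, disk, rdisk, partition, \path="description" options
    $m = [regex]::Match($Line, '^(?<adapter>multi|scsi|signature)\((?<a>[^)]*)\)disk\((?<d>\d+)\)rdisk\((?<r>\d+)\)partition\((?<p>\d+)\)(?<path>\\[^=]*)="(?<desc>[^"]*)"\s*(?<opts>.*)$')
    if ($m.Success) {
        return New-Object PSObject -Property @{
            Description = $m.Groups['desc'].Value; Adapter = $m.Groups['adapter'].Value
            Disk = [int]$m.Groups['d'].Value;      RDisk = [int]$m.Groups['r'].Value
            Partition = [int]$m.Groups['p'].Value; Path = $m.Groups['path'].Value
            Options = $m.Groups['opts'].Value;     Loader = 'NTLDR -> NTOSKRNL'
        }
    }
    # Drive-letter entry, e.g. C:\="Microsoft Windows 98": NTLDR hands over to BOOTSECT.DOS.
    $m = [regex]::Match($Line, '^(?<path>[A-Za-z]:\\)="(?<desc>[^"]*)"')
    if ($m.Success) {
        return New-Object PSObject -Property @{
            Description = $m.Groups['desc'].Value; Adapter = 'n/a'; Disk = $null; RDisk = $null
            Partition = $null; Path = $m.Groups['path'].Value; Options = ''; Loader = 'BOOTSECT.DOS'
        }
    }
}

$inOs = $false
$entries = foreach ($line in ($bootIni -split "`r?`n")) {
    if ($line -match '^\[operating systems\]') { $inOs = $true; continue }
    if ($line -match '^\[') { $inOs = $false; continue }
    if ($inOs -and $line.Trim()) { ConvertFrom-BootIniEntry $line }
}
$entries | Format-Table Description, Adapter, RDisk, Partition, Path, Options, Loader -AutoSize

# Control set selection on this machine (real registry read).
$sel = Get-ItemProperty 'HKLM:\SYSTEM\Select'
"Current={0} Default={1} LastKnownGood={2} Failed={3}" -f $sel.Current, $sel.Default, $sel.LastKnownGood, $sel.Failed
# Failed != 0 means LastKnownGood was used at some point because ControlSet00<Failed>
# did not complete a boot; compare the two sets before trusting recent driver changes.
"Control sets present: " + ((Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object { $_.PSChildName }) -join ', ')
```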
-constructs the "Executive" from a number of
modules.
mong others) the following:
mode side of the Win32
mode side of the Win32
WINLOGON.EXE
It does (among others) the following:
- starts the Local Security Authority Subsystem
Service (LSASS.EXE)
- starts the Service Control Manager SCM
- starts GINA
gin, GINA passes the user credentials to
ON, which passes it to LSA.
ermines the security package to use, like for
a local logon, or an AD logon.
rently used ControlSet is copied to the
PrintServer, and if your client
and configured for your client OS.
lect and install the drivers.
nd thus is not connected to a Windows PrintServer.
in the "logic" of point and print mechanics.
printer
he HTTP streaming and security features.
ipp" in HTTP POST requests, to an IPP printer.
and then choose for an IPP printer.
a locally attached printer, or
s could be interesting.
engine is reachable using a url
ctually a remote printer:
detection, then at a certain stage, you might be asked for the portname.
terport", this time you select a network location like so:
DOS clients, this was not uncommon.
[Figure: print architecture. A client (XP, Vista, Win7, Win2Kx) runs an application that draws through GDI into System32\winspool.drv; the redirector sends the job to the PrintServer over RPC (modern clients) or SMB (older clients, whose own spooler/Winspool.drv talk to the server). On the PrintServer, System32\spoolsv.exe (the spooler service) passes the job to System32\spoolss.dll (the router), which hands it to the local or remote print provider and its queues; port monitors (other port monitors are installable, like the LPR port monitor) deliver it to the printer, a remote print device, or a remote Unix lpd service. A Unix client prints to the server's lpd service (lpdsvc) using lpr. Shared printers are published in Active Directory via LDAP.]
ations, and character conversion.
draw text and pictures both on screen and on paper.
into drawing commands that the printer understands.
ased on a printer name or other information supplied with the print job.
for all printers that are accessed through the print monitors of the local print provider.
o handles printer status messages.
data was sent to the PrintServer
pool of several printers
dict which printer will receive the document,
rder that they are added.
to the printer that can print the fastest,
PrintServer:
Fig. 9. Notice the "rendering" on clients, and "List in the directory".
Fig. 10. Notice that you can choose a (remote) TCP/IP port.
ive Directory Users and Computers" mmc.
g box, then you will find
printer is published in AD. See figure 9 above.
agement", with respect to printer settings in AD.
ccounts (Computer Configuration),
"Allow printers to be published".
shared printers in AD.
hines in the "context" you selected (like the OU=sales).
ee the parameters which are possible,
ortName [-u UserName -w Password]
min_Scripts\en-US", or similar location.
ormation about your entire system, and thus printers too.
it, and we just give a few examples.
tens or more of attributes "to get".
rintServer to send printjobs
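As an added example (not from the original note), this script does with WMI and LDAP what the text describes through the printer dialogs and the admin scripts: it inventories the queues, TCP/IP ports and drivers on a print server and lists the queues published in Active Directory, then flags published queues whose server no longer answers. It assumes the ActiveDirectory module for the directory queries.

```powershell
# Added example, not from the original note. Assumes the ActiveDirectory module
# for the LDAP part; run the WMI part on (or remoted to) the print server.
Import-Module ActiveDirectory

# Win32_Printer: one row per queue; Shared and Published show whether the queue
# is shared and whether "List in the directory" is ticked.
Get-WmiObject Win32_Printer |
    Select-Object Name, ShareName, PortName, DriverName, Shared, Published, Local, Network |
    Format-Table -AutoSize

# Standard TCP/IP ports created for network print devices (the "remote" TCP/IP port of Fig. 10).
Get-WmiObject Win32_TCPIPPrinterPort |
    Select-Object Name, HostAddress, PortNumber, Protocol, SNMPEnabled |
    Format-Table -AutoSize

# Drivers the server can hand out via Point and Print; both x86 and x64 versions
# must be present for mixed clients.
Get-WmiObject Win32_PrinterDriver |
    Select-Object Name, SupportedPlatform, Version |
    Format-Table -AutoSize

# Queues published in AD are printQueue objects under the print server's computer object.
$published = Get-ADObject -LDAPFilter '(objectClass=printQueue)' `
    -Properties printerName, serverName, uNCName, driverName, location, printShareName
$published | Select-Object printerName, serverName, uNCName, driverName, location | Format-Table -AutoSize

# Stale entries: a published queue whose server does not answer will still show up
# in "Find Printers" on clients until pruned (or deleted here).
foreach ($q in $published) {
    if (-not (Test-Connection -ComputerName $q.serverName -Count 1 -Quiet)) {
        "stale published queue: $($q.DistinguishedName)"
    }
}
```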
are dealing with "security groups".
t for assigning rights and permissions.
oups, and Domain Local Groups, Microsoft uses the concept of "scope".
ut the whole AD forest.
alk about the different "types" of security groups.
ectory (Domain Controller), and on a member Server (non-Domain Controller):
e can create 3 sorts (or scopes) of security groups:
in a Domain. This computer is not a Domain Controller.
Groups" folder under "Local Users and Groups", we are only able to create:
Fig 2.
ainer, and you can add or remove user-accounts to, or from it.
tc.., and those permissions inherit to all group members.
ups), as was shown in figures 1 and 2, and the listings above.
mportant for our discussion.
ealing with "security groups".
main User accounts directly:
pose this is a shared directory on the Member Server "SRV1".
main, and from any other trusted Domains. But usually, the number of user accounts is so large,
0 etc…), so that ultimately, you would end up in a administrative nightmare.
we should use groups that are defined in that same Domain.
er, also a "Permission Group".
e group to assign permissions to.
used throughout the Domain.
ssignment permissions (just like its personal Local Groups)
the Domain Local Group.
y which that Global Group
ctly in permission assignments?
instead of a whole bunch of Global Groups.
central administration.
, to put Domain Account in.
Server. Then, permission assignments were
s not the preferred way.
oups", instead of using a Local Group of a member Server..
Win2K3 and Win2K8 networks.
ales" (private, or local, to the member Server)
"CorpData". Right now, we are busy assigning NTFS permissions on the Sales folder.
we find what we can see in figure 4.
ectly, like shown in figure 5 ?
oup "ANTAPEX\ggSales" (not the Microsoft approach).
eferred" way of organizing permissions.
permissions, than the Win2K3/2K8 AD.way of doing things.
some Organizational Unit.
Group" as the group to assign permissions to !
cal Group", which is better because we can manage all groups
st "local" to that particular machine.)
"CorpData". Right now, we are busy assigning NTFS permissions on the Sales folder.
ocal Group "ANTAPEX\dlgTest" (preferred Microsoft approach).
he groups to assign permissions to.
s, and Universal Groups.
using a "Domain Local Group", no "local security principal"
ty groups from outside A.
ing replication traffic to the Global Catalog Servers in AD.
Trees or a large forest, you should use them with care.
ed, it gives rise to replication traffic.
, but their memberlist is not. That is confined to their "local" Domain.
permission assignments on resources in Domain A,
Server, or Workstation)
s) at that particular computer.
rred. But the approach is not invalid.
limits replication traffic, due to limited memberlist).
n workstations of the domain,
t more preferred is that the Global Group becomes a member of a Domain Local group.
cal Group, is a local group defined in AD, and can be used
ps, other domain local groups from its own domain,
rights and permissions on resources. That's the preferred way.
Domain Local Groups are listed on the Access Control List (ACL) of the resource.
realize that its scope should be different.
nge the "reach" of that Group.
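As an added example (not from the original note), this script builds the preferred structure described above: accounts in a Global group, the Global group in a Domain Local group, and the NTFS permission on the Sales folder granted to the Domain Local group only. The domain ANTAPEX, the groups ggSales and dlgSales_Modify, the server SRV1 and the folder path are illustrative; the OU path is hypothetical.

```powershell
# Added example, not from the original note. Assumes the ActiveDirectory module;
# domain, group names, OU and folder path are illustrative.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=antapex,DC=local'   # hypothetical OU for the groups

# A -> G: accounts go into a Global group. Its member list stays in its own
# domain and is not replicated to the Global Catalog.
New-ADGroup -Name 'ggSales' -GroupScope Global -GroupCategory Security -Path $ou -Description 'Sales staff'
Add-ADGroupMember -Identity 'ggSales' -Members 'jsmith', 'avandersel'

# G -> DL: the Domain Local group is the one that will appear on the ACL. It may
# contain global groups from this domain and from any trusted domain.
New-ADGroup -Name 'dlgSales_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou `
    -Description 'Modify on \\SRV1\CorpData\Sales'
Add-ADGroupMember -Identity 'dlgSales_Modify' -Members 'ggSales'

# DL -> P: the NTFS permission on the resource, granted to the Domain Local group only.
# (OI)(CI) = inherit to files and subfolders, M = Modify.
icacls 'D:\CorpData\Sales' /grant 'ANTAPEX\dlgSales_Modify:(OI)(CI)M'

# Check: the ACL should list only domain local groups (and system/admin entries),
# never individual users or global groups directly.
(Get-Acl 'D:\CorpData\Sales').Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Scope check. If ggSales later needs members from other domains, change it to
# Universal; this adds GC replication traffic for its member list, so do it only
# when really needed. Conversion is refused while the group is a member of another
# global group.
Get-ADGroup 'ggSales' | Select-Object Name, GroupScope, GroupCategory
# Set-ADGroup -Identity 'ggSales' -GroupScope Universal
```

The "Effective Permissions" tab and "whoami /groups" on a client show the result: the user's token carries ggSales, the file server adds dlgSales_Modify on logon, and the ACL entry resolves through that chain.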
Monitor and Results:
but since 2K8 it was renamed
it "Performance Monitor" or Perfmon.
ity on Windows Server.
or you can log the findings to a file,
ng naming structure;
ssor, physicalDisk etc..
osed by that object. An object usually has many counters.
sicalDisk", but.. you might have multiple disks on your system!
, or choose all of them (mostly designated by "_Total")
veral counters like "%User Time", "% Privileged Time", or
bject\Counter", like "Memory\Pages/sec", or
er, like "Server\logons/sec",
U, MEMORY, DISK and NETWORK subsystems,
rall view of your system.
r example) might miss the fact
"zoom in" into a particular system.
ministrators are running tools
subset, covering the subsystems.
for "overall" monitoring.
to be the "best" set of counters for all cases.
isk" object, and the "Processor" object.
l memory location that is marked "not present.
number of pages read from the disk or written to the disk.
pagefile(s) per sec.
quests on the physical or logical disk that are either in service or waiting for service
rforming no work. Sometimes, it's an informative counter.
e disksubsystem is really working.
spend on requests
ts for cpu time waiting in queue.
pplication Server, AD, file/print services,
whole lot of new objects and counters
on the standard objects and counters.
you should first have created
"reasonable" well-defined state,
hat Server was at a representative
ine in performance, you can compare
ople (and me too) jump to conclusions too fast.
e cause of bad performance.
zooming in on specific counters,
rom a specific applications as well,
specific application.
ot used, and instead large tablescans
quite hard to establish the right conclusion.
e, will resemble the following:
container, and afterwards, in the right
a certain period, open the "Data Collector Sets",
can start it for the actual measurement to take place.
the Report folder in the left pane.
ainer (folder) in the left pane
add counters if you right-click
re, you can watch the overall
e counters of our choice.
ile, and then stop it.
User Defined". Choose "Create".
Fig 6. Next, add the counters.
oose start, as is shown in figure 9.
er Defined", a report will be created.
you can do your analysis.
the counters you wish to monitor.
in the Administrative tools,
in the rightpane of the main window,
counters in the graph.
run during some time,
added to that log.
for example, during some
u are able to analyze that log.
of the log, and where
he log will be stored.
he log storage location,
, so use the Tab "Log Files":
ing this tabsheet.
s as they are now.
start and stop "manually",
ow the logging should be stopped.
the figure below.
stop it as you please.
can quickly grow in size.
g proceed unattended.
Log, in order to view
tton where the black arrow
the counters you want to analyze.
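As an added example (not from the original note), this script samples the core CPU, memory, disk and network counters named in the text with Get-Counter, averages them, and compares them with a saved baseline, which is the comparison the text recommends before drawing conclusions. The baseline numbers and the 3x threshold are constructed for illustration, not rules of thumb.

```powershell
# Added example, not from the original note. Baseline values are constructed.
$counters = @(
    '\Memory\Pages/sec',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% Privileged Time',
    '\System\Processor Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

# Constructed baseline: averages taken while the server was in a known good state.
# In practice you build this from a counter log, not by hand.
$baseline = @{
    '\Memory\Pages/sec' = 5;                                 '\Memory\Available MBytes' = 1500
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 0.5;    '\PhysicalDisk(_Total)\% Disk Time' = 10
    '\Processor(_Total)\% Processor Time' = 15;              '\Processor(_Total)\% Privileged Time' = 5
    '\System\Processor Queue Length' = 1
}

# 10 samples, 5 seconds apart. Get-Counter returns one sample set per interval.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 10

# Average each counter over the run and flag values far above the baseline.
# Paths come back lower-cased and prefixed with \\HOST; strip the host so the
# (case-insensitive) baseline lookup works.
$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
        $key  = $_.Name -replace '^\\\\[^\\]+', ''
        $base = $baseline[$key]
        New-Object PSObject -Property @{
            Counter  = $key
            Average  = [math]::Round($avg, 2)
            Baseline = $base
            Flag     = $(if ($base -ne $null -and $avg -gt 3 * $base) { 'INVESTIGATE' } else { '' })
        }
    } | Format-Table Counter, Average, Baseline, Flag -AutoSize

# A sustained Processor Queue Length above ~2 per CPU, or Pages/sec high together
# with low Available MBytes, points to CPU or memory; a high disk queue with low
# CPU points to the disk subsystem. One sample proves nothing: log over time.
# Unattended logging (the counter log / Data Collector Set of the text) with logman:
#   logman create counter Baseline -c "\Memory\Pages/sec" "\Processor(_Total)\% Processor Time" `
#       -si 00:00:15 -o C:\PerfLogs\Baseline -f bincirc -max 200
#   logman start Baseline   ...   logman stop Baseline
```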
A Domain:
Border for
•Replication Traffic
•System Policies
•Administration
OU Organizational Unit:
•Can be Nested
•Create a structure in a Domain
•System Policies
•Administration
•Delegation of control
Only for clarity, I have enlarged
inance,DC=us,DC=abc,DC=com.
ory to function properly, a DNS server must support a
on (SRV) resource records. As a few examples:
(find a DC)
.com (find the "rd" site)
(find a Global Catalog)
mainName (find Kerberos KDC via udp)
ainName (find Kerberos KDC via tcp)
Kerberos: Granting Tickets:
There are 2 kinds of tickets: authentication tickets, or ticket granting tickets (TGT), and
service tickets.
Kerberos issues an authentication ticket when a client first authenticates itself to the domain
controller.
The domain controller sends back the authentication ticket and a session key that has been
encrypted with the client's personal key (in this case a key derived from the user's password). In fact, it's a
secret key. The client decrypts the session key with its personal (secret) key.
Then the client uses its authentication ticket and session key to obtain a service ticket for
each server the client needs to access.
AD registers its services as Service Principal Names (SPN), for example:
MSSQLSvc/SQLSERVER1.us.abc.com:1433
[Figure: the Kerberos KDC, which runs on every DC, has two parts: the Authentication Service and the Ticket Granting Service.]
1. Harry logs on.
2. The Authentication Service authenticates Harry using AD and a DC.
3. Here is a TGT (and a session key; decrypt the session key with your password-derived key).
4. Here is the TGT. Give me a Service Ticket for Service "X".
5. Here is the Service Ticket for "X".
6. Here is my Service Ticket (presented to the server that runs service "X").
Step 5 only works if the SPN of "X" is registered on exactly one account; with a missing or
duplicate SPN the KDC cannot issue the ticket and clients typically fall back to NTLM.
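As an added example (not from the original note), this script ties the two preceding topics together: it resolves the SRV records the text lists to find the DCs, the Global Catalog and the KDC, checks the SPN from the text, and then requests and lists a Kerberos service ticket. The domain us.abc.com, forest abc.com, site "rd" and the SPN owner are illustrative; the full record names are the standard AD locator names, assumed here where the text only shows their tails.

```powershell
# Added example, not from the original note. Domain, forest, site and SPN are
# illustrative; record names are the standard AD locator records.
$domain = 'us.abc.com'
$forest = 'abc.com'
$site   = 'rd'

function Get-SrvTarget {
    param([string]$Name)
    # nslookup exists on Win2K3/Win2K8 (Resolve-DnsName needs Windows 8 / 2012 or later).
    $out = nslookup -type=SRV $Name 2>$null
    $out | ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $matches[1] } }
}

$queries = @{
    'DCs of the domain'     = "_ldap._tcp.dc._msdcs.$domain"
    "DCs in site $site"     = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    'Global Catalogs'       = "_ldap._tcp.gc._msdcs.$forest"
    'Kerberos KDC (udp)'    = "_kerberos._udp.$domain"
    'Kerberos KDC (tcp)'    = "_kerberos._tcp.$domain"
    'Kerberos password chg' = "_kpasswd._tcp.$domain"
}
foreach ($q in $queries.GetEnumerator()) {
    "{0,-22} {1}" -f $q.Key, $q.Value
    Get-SrvTarget $q.Value | ForEach-Object { "    -> $_" }
}
# No answers here means Netlogon did not register its records (see netlogon.dns)
# or the client points at a DNS server that does not host/forward the zone.

# Which DC (and GC) the locator actually picks for this client, site-aware:
nltest "/dsgetdc:$domain" /gc

# Step 4/5 prerequisite: the SPN must exist exactly once in the forest.
setspn -Q MSSQLSvc/SQLSERVER1.us.abc.com:1433

# Steps 4 and 5 of the figure: present the TGT to the TGS and obtain the service ticket.
klist get MSSQLSvc/SQLSERVER1.us.abc.com:1433

# Step 6 happens when the client connects to the service. The cache now holds the
# TGT (krbtgt/US.ABC.COM) and the service ticket; check the encryption type and
# ticket flags of each entry.
klist
```

If "klist get" fails with a principal-unknown error while setspn -Q shows the SPN, the client is usually using a different name (IP address, alias without an SPN) than the one registered; that is the case where Windows silently drops to NTLM.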
level edit actions in Active
anizational unit, server, or user in a
onal units in a directory.
w location (provided that the move
t without moving it in the directory
, servers, or users in the directory
[Figure: a Domain Controller. Clients (the logon screen, LDAP apps) use the DNS locator records _ldap._tcp.<DNSDomainName> and _ldap._tcp.gc._msdcs.<DNSTreeName>, registered from netlogon.dns, to find the DC. The DC holds the Active Directory database %SystemRoot%\ntds\NTDS.DIT (if this server is a Domain Controller), the authentication packages Kerberos (KDC) and NTLM, and the directory tree of OU's containing Computers, Groups, Users and other objects.]