Active Directory - Weebly by xiangpeng


Active Directory
An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for
online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) performs a variety of functions: it
provides information on objects, organizes these objects for easy retrieval and access, allows
access by end users and administrators, and allows the administrator to set up security for
the directory.

An active directory can be defined as a hierarchical structure, and this structure is usually
broken up into three main categories: resources, which might include hardware such as
printers; services for end users, such as web email servers; and objects, which are the main
functions of the domain and network.

Understanding Active Directories
The framework for the objects is worth noting. Remember that an object can be a piece of
hardware such as a printer, an end user, or security settings set by the administrator. These
objects can hold other objects within their file structure. All objects have an ID, usually an
object name (folder name). In addition to being able to hold other objects, every object has
its own attributes, which allow it to be characterized by the information it contains. Most IT
professionals call these settings or characterizations schemas.

The type of schema created for a folder will ultimately determine how these objects are used.
For instance, some objects with certain schemas cannot be deleted; they can only be
deactivated. Other types of schemas with certain attributes can be deleted entirely. For
instance, a user object can be deleted, but the administrator object cannot be deleted.

When understanding active directories, it is important to know the levels at which objects
can be viewed. An active directory can be viewed at any one of three levels, called forests,
trees and domains. The highest structure is called the forest, because from it you can see all
objects included within the active directory.

Within the forest structure are trees; these structures usually hold one or more domains.
Further down the structure of an active directory are single domains. To put forests, trees
and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire
network of end users and specific computers at a set location. Within this forest directory
are trees that hold information on specific objects such as domain controllers, program data
and system data, among others. Within these objects are even more objects, which can then be
controlled and categorized.

How are Active Directories used?
If you are a computer administrator for a large corporation or organization, you can easily
update all end users' computers with new software, patches and files simply by updating one
object in a forest or tree.

Because each object fits into a set schema and has specific attributes, a network
administrator can easily clear a person on a set tree, or instantly give or deny select users
access to certain applications. The Microsoft servers use trust to determine whether or not
access should be allowed. Two types of trusts that Microsoft active directories incorporate
are transitive trusts and one-way non-transitive trusts. A transitive trust is one that
extends beyond two domains in a set tree, meaning two entities are able to access each
other's domains and trees.

A one-way non-transitive trust is when a user is allowed access to another tree or domain;
however, the other domain does not allow access to the further domains. This can be summed
up as a network administrator and an end user. The network administrator can access most
trees in the forest, including a specific end user's domain. However, the end user, while
able to access his or her own domain, cannot access other trees.

It is important to note that active directories are a great way to organize a large
organization or corporation's computers, data and network. Without an active directory, most
end users would have computers that would need to be updated individually and would not have
access to a larger network where data can be processed and reports can be created. While
active directories are technical to a good extent and require considerable expertise to
navigate, they are essential to storing information and data on networks.

Physical Structure of Active Directory
In comparison to the logical structure, which is where administrative tasks are organized,
the Active Directory physical structure determines when and where logon and replication
traffic occurs. The physical structure of Active Directory consists of all the physical
subnets present in your network, the domain controllers, and the replication between domain
controllers.

The physical structure of Active Directory:
• Domain Controllers: These computers run Microsoft Windows Server 2003/2000 and Active
  Directory. Every domain controller performs specific functions such as replication, storage
  and authentication. A domain controller serves exactly one domain. It is always advised to
  have more than one domain controller in each domain.
• Active Directory Sites: A site is a collection of well-connected computers. Sites are
  created so that domain controllers within a site can communicate frequently, which
  minimizes latency within the site, for example when changes made on one domain controller
  are replicated to the other domain controllers. The other reason for creating a site is to
  optimize bandwidth between domain controllers located in different locations. All IP
  subnets that share common Local Area Network (LAN) connectivity, regardless of the actual
  physical location of the computers, form a site. For example, a site has subnets
  192.168.5.A and 192.168.50.A, where the 192.168.5.A computer is located in Texas and the
  192.168.50.A computer is located in London. In this case the physical location of both
  computers is not known to the user. Because of adequate bandwidth between the two, they are
  able to work and be configured within the same Active Directory site. Before creating a new
  site, an administrator should examine the available bandwidth, the cost of that bandwidth,
  and the replication traffic expected.
• Active Directory Partitions: Each domain controller contains the following Active Directory
  partitions:
    o The Domain Partition contains a copy of all the objects in that domain. The domain
      partition is replicated only to other domain controllers in the same domain.
    o The Schema Partition is forest-wide. Every forest has one schema with a consistent set
      of object classes. The schema and configuration partitions are replicated to all domain
      controllers in the forest.
    o The Application Partition, which is optional, carries objects that are not related to
      security and can be used by one or more applications. An application partition
      replicates only to specific domain controllers in the forest.
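As an added example (not part of the original page), the following PowerShell maps each Active Directory site to the subnets assigned to it and the domain controllers placed in it, and then lists the directory partitions (naming contexts) that each domain controller actually hosts, so the site and partition layout described above can be checked against a live forest. It assumes the RSAT ActiveDirectory module and a domain-joined account; any authenticated user can read the configuration partition by default. Function names are mine, not from the page.

```powershell
# Added example, not from the original page: site/subnet/DC layout and hosted partitions.
# Assumes the RSAT ActiveDirectory module; Get-ADDomainController -Filter * returns the
# domain controllers of the current domain.
Import-Module ActiveDirectory

function Get-SiteTopology {
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $dcs     = Get-ADDomainController -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        # Subnet objects point at their site by distinguished name; DC objects carry the site name.
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDCs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })
        [pscustomobject]@{
            Site      = $site.Name
            Subnets   = ($siteSubnets.Name -join ', ')
            DCs       = ($siteDCs.HostName -join ', ')
            # A site that has subnets (so clients are assigned to it) but no DC sends every
            # logon and LDAP query across a site link: the bandwidth case the text describes.
            NoLocalDC = ($siteDCs.Count -eq 0 -and $siteSubnets.Count -gt 0)
        }
    }
}

function Get-HostedPartitions {
    param([Parameter(Mandatory)][string]$DomainController)
    # rootDSE.namingContexts lists every partition this DC holds a replica of: its own
    # domain partition, the forest-wide schema and configuration partitions, and any
    # application partitions (DomainDnsZones / ForestDnsZones are the common ones).
    $root = Get-ADRootDSE -Server $DomainController
    foreach ($nc in $root.namingContexts) {
        $kind = if     ($nc -eq $root.schemaNamingContext)        { 'Schema (forest-wide)' }
                elseif ($nc -eq $root.configurationNamingContext) { 'Configuration (forest-wide)' }
                elseif ($nc -eq $root.defaultNamingContext)       { 'Domain' }
                else                                              { 'Application' }
        [pscustomobject]@{ DC = $DomainController; Kind = $kind; Partition = $nc }
    }
}

# Usage: review the site layout first, then the partition set on each DC.
Get-SiteTopology | Format-Table -AutoSize
Get-ADDomainController -Filter * |
    ForEach-Object { Get-HostedPartitions -DomainController $_.HostName } |
    Format-Table -AutoSize
```

A site with NoLocalDC set to true is worth a second look: its clients authenticate over a site link, which is the latency and bandwidth cost the text explains sites are meant to avoid. The partition listing should show the domain, schema and configuration partitions on every DC and application partitions only on the DCs they were deliberately enrolled on.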

Logical Structure of an Active Directory
Active Directory meets the needs of an organization through the design of its directory
structure. It provides flexibility in designing the business structure according to the
current and future needs of the organization, so the design should be examined prior to
installing Active Directory. In Active Directory, resources are organized in a logical
structure, and this logical grouping of resources enables a resource to be found by its name
rather than by its physical location.

Benefits of AD Logical Structure
• The logical structure provides more network security by providing access to resources only
  to specified groups (OUs).
• The logical structure simplifies network management through administration, configuration
  and control of the network.
• The relationship between the logical structure of domains and forests simplifies resource
  sharing across an organization.
• Because the logical structure simplifies network management, it reduces the load on network
  resources and lowers the total cost of ownership.

Components of AD Logical Structure
The logical structure components are related to each other; together they control access to
stored data and determine how data is managed between different domains in a forest.

• Objects: a user, computer, group, printer, etc.
• Organizational Units: like any folder, but under the control of Active Directory
• Domains: logical boundaries for objects
• Trees: logical boundary for multiple domains
• Forests: logical boundary for multiple trees

Overall, one physical machine running as a Microsoft domain controller can control all these
logical divisions with the help of an Operations Master dedicated to performing specific
tasks.

Tree and Forest in Active Directory
The domain is the core unit of logical structure in Active Directory. A domain is the set of
all objects that share a common directory database, trust relationships with other domains,
and security policies. Each domain stores information only about the objects that belong to
that domain.

All security policies and settings, such as administrative rights, security policies and
Access Control Lists (ACLs), do not cross from one domain to another; thus a domain
administrator has full rights to set policies only within the domain they belong to.

Domains provide administrative boundaries for objects, manage security for shared resources,
and serve as a unit of replication for objects.
A Tree
Trees are collections of one or more domains that allow global resource sharing. A tree may
consist of a single domain or multiple domains in a contiguous namespace. A domain added to
a tree becomes a child of the tree root domain. The domain to which a child domain is attached
is called its parent domain. A child domain can itself have multiple child domains. A child
domain's name is its own name followed by the parent domain's name, which gives it a unique
Domain Name System (DNS) name.

For example, if tech.com is the root domain, you can create one or more child domains of
tech.com such as north.tech.com and/or south.tech.com. These "children" may also have child
domains created under them, such as sales.north.tech.com.

The domains in a tree have two-way, Kerberos transitive trust relationships. A Kerberos
transitive trust simply means that if Domain A trusts Domain B and Domain B trusts Domain C,
then Domain A trusts Domain C. Therefore, a domain joining a tree immediately has trust
relationships established with every domain in the tree.

A Forest
A forest is a collection of multiple trees that share a common global catalog, directory
schema, logical structure, and directory configuration. A forest has automatic two-way
transitive trust relationships. The very first domain you create in the forest is called the
forest root domain.

Forests allow organizations to group divisions which use different naming schemes and may
need to operate independently, but which, as an organization, want to communicate with the
entire organization via transitive trusts and share the same schema and configuration
container.
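The trust types covered above (one-way non-transitive trusts, the two-way Kerberos transitive trusts inside a tree, and the forest-wide transitive trusts) can be read straight from the directory. The following is an added example, not code from the original page: it enumerates the trusts of the current domain, marks each as transitive or not and one- or two-way, and then walks the forest to rebuild the parent/child tree (north.tech.com under tech.com, and so on). It assumes the RSAT ActiveDirectory module; the function names are mine.

```powershell
# Added example, not from the original page: trust inventory and forest tree walk.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustSummary {
    foreach ($t in Get-ADTrust -Filter *) {
        # Parent/child and tree-root trusts inside a forest are two-way and Kerberos-transitive.
        # A trust to another forest is transitive only if it is a forest trust (ForestTransitive);
        # an external trust to a single domain is non-transitive. DisallowTransivity (the
        # attribute really is spelled that way) switches transitivity off explicitly.
        $transitive = ($t.IntraForest -or $t.ForestTransitive) -and -not $t.DisallowTransivity
        [pscustomobject]@{
            Partner       = $t.Name
            Direction     = $t.Direction        # BiDirectional, Inbound or Outbound
            TrustType     = $t.TrustType        # Uplevel = Kerberos-capable, Downlevel = NT-style
            IntraForest   = $t.IntraForest
            Transitive    = $transitive
            SidFiltering  = $t.SIDFilteringQuarantined  # quarantine flag on external trusts
            SelectiveAuth = $t.SelectiveAuthentication
        }
    }
}

function Get-ForestTree {
    # Each domain object knows its parent; the contiguous DNS namespace makes the tree explicit.
    foreach ($name in (Get-ADForest).Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{
            Domain   = $d.DNSRoot
            Parent   = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
            Children = ($d.ChildDomains -join ', ')
        }
    }
}

# Two-way transitive trusts extend a domain's reach the furthest, so review those rows first.
Get-TrustSummary | Sort-Object Transitive, Direction -Descending | Format-Table -AutoSize
Get-ForestTree | Format-Table -AutoSize
```

Run it in each domain of interest: Get-ADTrust only returns the trusts of the domain the session is connected to, while Get-ForestTree covers the whole forest from any domain.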


Global Catalog in Active Directory
Domains and forests can also share resources available in Active Directory. These resources
are searched by the global catalog across domains and forests, and this search is transparent
to the user. For example, if you search for all of the printers in a forest, the query goes
to a global catalog server, and the global catalog returns the results. Without a global
catalog server, this query would need to go to every domain in the forest for its result.

It is important to have a global catalog on at least one domain controller because many
applications use port 3268 for searching. For example, if you do not have any global catalog
servers in your network, the Search command on the Start menu of Windows 2000/2003 cannot
locate objects in Active Directory.

The global catalog is a domain controller that contains attributes for every object in the
Active Directory. By default, only the members of the Schema Admins group have rights to
change which attributes are stored in the global catalog, according to the organization's
requirements.

The global catalog contains:

• The commonly used attributes needed in queries, such as a user's first and last name, and
  logon name.
• All the information or records which are important to determine the location of any
  object in the directory.
• A default subset of attributes for each object type.
• All the access-related permissions for every object and attribute that is stored in the
  global catalog. Without permission you cannot access or view the objects: if you are
  searching for an object which you do not have the appropriate permissions to view, the
  object will not appear in the search results. These access permissions ensure that users
  can find only objects to which they have been assigned access.

A global catalog server is a domain controller that contains a full, writable replica of its
own domain directory partition, and a partial, read-only replica of all other domain
directory partitions in the forest. Take a user object as an example: by default, user
objects have many attributes such as first name, last name, address, phone number, and many
more. The global catalog stores only the main attributes of user objects used in search
operations, such as a user's first name and last name, or login name. This partial set of
attributes is enough to allow a search for that object to locate the full replica of the
object in Active Directory. A search for objects first goes to the local global catalog,
which reduces network traffic over the WAN.

Domain controllers always contain the full attribute list for objects belonging to their
domain. If the domain controller is also a GC, it will also contain a partial replica of
objects from all other domains in the forest. It is always recommended to have a global
catalog server for every Active Directory site in an enterprise network.
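Three checks follow from the global catalog material above, and the following PowerShell is an added example (not code from the original page) that performs them: which sites lack a global catalog server (the recommendation just stated), which attributes the partial attribute set actually contains (the schema objects whose isMemberOfPartialAttributeSet flag is set, which is why only Schema Admins can change it), and the forest-wide printer search from the text, sent to the GC port 3268 instead of a single domain. It assumes the RSAT ActiveDirectory module; the function names are mine.

```powershell
# Added example, not from the original page: global catalog checks.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SitesWithoutGC {
    $dcs = Get-ADDomainController -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $gcs = @($dcs | Where-Object { $_.Site -eq $site.Name -and $_.IsGlobalCatalog })
        [pscustomobject]@{
            Site           = $site.Name
            GlobalCatalogs = ($gcs.HostName -join ', ')
            HasGC          = ($gcs.Count -gt 0)   # $false: GC queries from this site cross a site link
        }
    }
}

function Get-PartialAttributeSet {
    # The partial attribute set is defined in the schema partition: each attribute is an
    # attributeSchema object, and the ones with isMemberOfPartialAttributeSet=TRUE are the
    # ones a GC stores for objects from other domains.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Find-ForestPrinters {
    param([string]$GlobalCatalog)
    if (-not $GlobalCatalog) {
        # Locate any GC via the DC locator instead of hard-coding a host name.
        $GlobalCatalog = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    }
    # -Server host:3268 sends the query to the GC; an empty -SearchBase means "whole forest".
    # Attributes that are not in the partial attribute set are simply absent from the result.
    Get-ADObject -Server "${GlobalCatalog}:3268" -SearchBase '' -LDAPFilter '(objectClass=printQueue)' |
        Select-Object Name, DistinguishedName
}

# Usage: sites first, then the attribute set, then the cross-domain search.
Get-SitesWithoutGC | Where-Object { -not $_.HasGC } | Format-Table -AutoSize
Get-PartialAttributeSet | Format-Wide -Column 4
Find-ForestPrinters | Format-Table -AutoSize
```

Comparing the output of Get-PartialAttributeSet against the attributes an application actually queries over port 3268 tells you whether that application can be served by the GC at all, or whether it will have to fall back to per-domain LDAP on port 389.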


Active Directory Operations Masters
When a change is made to a domain, the change is replicated across all of the domain
controllers in the domain. Some changes, such as those made to the schema, are replicated
across all of the domains in the forest. This replication is called multimaster replication.
But a few changes are not practical to perform with multimaster replication, so a domain
controller known as an operations master is designated to perform such changes. Five
operations master roles are assigned to one or more domain controllers in each forest.

Operations Master Roles
The operations master roles are also called flexible single master operations (FSMO) roles.

Forest-Wide Roles: Unique to a forest

• Schema Master: Controls all modifications and updates to the schema. The schema contains
  the master list of object classes and attributes that are used to create all Active
  Directory objects, such as users, computers and printers. Updating the schema of a forest
  requires the appropriate access. There is only one schema master in the entire forest.
• Domain Naming Master: Controls the addition or removal of domains in the forest. When you
  add a new domain to the forest, only the domain controller that holds the domain naming
  master role can add the new domain. There can be only one domain naming master in the
  entire forest. The domain naming master role can be held by any Windows Server 2000/2003
  domain controller. The domain naming master should be configured as a global catalog
  server.

There is only one schema master and one domain naming master in the entire forest.

Domain-Wide Roles: Unique to each domain in a forest

• Primary Domain Controller (PDC) Emulator: If your network has one or more Windows NT
  domain controllers, the PDC emulator acts as a Windows NT PDC to support any backup domain
  controllers (BDCs) running Windows NT within a mixed-mode domain. This type of domain has
  domain controllers that run Windows NT. The PDC emulator role is held by the first domain
  controller that you create in a domain. By default, the PDC emulator is also responsible
  for time synchronization for all domain controllers throughout the domain. Using "net time"
  one can synchronize the time of the PDC emulator with an external server. The syntax is:

  net time \\ServerName /setsntp:TimeSource

  After executing this command, all computers in the entire forest run within seconds of
  each other. The PDC emulator role supports two authentication protocols: the Kerberos V5
  protocol and the NTLM protocol.

• Relative Identifier Master: When you create a new user, computer or other object, the
  domain controller creates a new security principal for that object and assigns that object
  a unique security identifier (SID). This SID consists of a domain ID and a relative
  identifier (RID). The RID master allocates blocks of RIDs to each domain controller in the
  domain. Domain controllers use their allocated block of RIDs to assign a RID to each new
  object. Using Movetree.exe you can move an object between domains, but before doing so you
  need to initiate the move on the RID master of the domain which contains the object.
• Infrastructure Master: The infrastructure master updates object references when objects
  are moved from one domain to another. An object reference contains a GUID (Globally Unique
  Identifier), a Security Identifier (SID), and a distinguished name. The infrastructure
  master always replicates its data with the global catalog. Global catalogs always receive
  regular updates from the other domains through replication; therefore global catalog data
  is always up to date. For regular updates the infrastructure master always asks the global
  catalog, then replicates its updated data to all domain controllers in the domain. The
  infrastructure master and the global catalog should never be on the same domain
  controller, because the infrastructure master will then not function.


Understanding and Managing Operations Master Roles
Understanding the Operations Master Roles
Active Directory operates in a multi-master replication manner. What this means is that each
domain controller in the domain holds a readable, writable replica of the Active Directory
data store. In multi-master replication, any domain controller is able to change objects
within Active Directory. Multi-master replication is ideal for the majority of information
located in Active Directory. However, certain Active Directory functions or operations are
not managed in a multi-master manner, because they cannot be shared without causing data
uniformity issues. These functions are called Flexible Single Master Operations (FSMOs).

There are five Operations Master (OM) roles, which are automatically installed when you
install the first domain controller. All five OMs are installed on that domain controller.
Two of these OM roles apply to the entire Active Directory forest: the Schema Master role
and the Domain Naming Master role. The other three OM roles apply to each domain: the
Relative Identifier (RID) Master role, the Primary Domain Controller (PDC) Emulator role,
and the Infrastructure Master role. When a domain controller is assigned a FSMO, that domain
controller becomes a role master. The particular domain controller that is assigned these
roles performs single-master replication within the Active Directory environment.

Because domain controllers generally contain the same Active Directory information, when one
domain controller is unavailable, the remainder of the domain controllers are able to
provide access to Active Directory objects. However, if the domain controller that is lost
has one of these OM roles installed, you could find that no new objects can be added to the
domain.

Forest-Wide Operations Master Roles
Each forest-wide OM role can exist on only one domain controller in the entire forest. What
this means is that these roles have to be unique in the entire forest. The two forest-wide
OM roles are:

• Schema Master role: Because the objects that exist in the schema directory partition
  define the Active Directory structure for a forest, great control is placed on who can add
  objects to this partition. Since each domain controller in an Active Directory environment
  has a common schema, the information in the schema has to be consistent on each domain
  controller. It is the domain controller that is assigned the Schema Master role that
  controls which objects are added to, changed in, or removed from the schema. The domain
  controller with the Schema Master role is the only domain controller in the entire Active
  Directory forest that can perform any changes to the schema. You can use the Active
  Directory Schema MMC snap-in to make changes to the schema, and only if you are a member
  of the Schema Admins group. Any changes made to the schema affect each domain controller
  within the Active Directory forest. You can transfer the Schema Master role to a different
  domain controller within the forest. You can also seize the role if the existing domain
  controller holding the role has failed and cannot be recovered.
• Domain Naming Master role: As is the case with the Schema Master role, only one Domain
  Naming Master role is allowed in the entire forest. The domain controller that is assigned
  the Domain Naming Master role is responsible for tracking all the domains within the
  entire Active Directory forest, to ensure that duplicate domain names are not created. The
  domain controller with the Domain Naming Master role is accessed when new domains are
  created for a tree or forest. This ensures that domains are not created simultaneously
  within the forest. The default configuration is that the first domain controller promoted
  in a forest is assigned this role. You can however transfer the Domain Naming Master role
  to a different domain controller within the forest.

Domain-Wide Operations Master Roles
The three domain-wide OM roles have to be unique in each domain within a forest. What this
means is that there should be one of each of these roles in each domain. The three
domain-wide OM roles are:

• Relative Identifier (RID) Master role: When a security object is created within Active
  Directory, it is allocated a security ID. The security ID is made up of the domain
  security ID and a relative ID. The domain security ID is exactly the same for each security
  ID created in the particular domain. The relative ID, on the other hand, is unique to each
  security ID created within the domain. Because each relative ID has to be unique, the
  domain controller that is assigned the RID Master role is responsible for tracking and
  assigning unique relative IDs to domain controllers whenever new objects are created. To
  ensure efficiency when assigning relative IDs to domain controllers, the domain controller
  assigned the RID Master role actually generates a set of 500 relative IDs to allocate to
  domain controllers. As the number of available relative IDs decreases, the RID Master
  generates more relative IDs to keep the number of available relative IDs at 500. The
  default configuration is that the RID Master role and PDC Emulator role are assigned to
  the same domain controller. You can however transfer the RID Master role to a different
  domain controller within the domain.
• PDC Emulator role: In domains that contain Windows NT Backup Domain Controllers (BDCs),
  the domain controller which is assigned the PDC Emulator role functions as the Windows NT
  Primary Domain Controller (PDC). The PDC Emulator role is important when it comes to
  replication: BDCs only replicate from a Primary Domain Controller! Objects that are
  security principals can only be created and replicated by the PDC Emulator. Security
  principals are users, computers, and groups. It is therefore the PDC Emulator that enables
  down-level operating systems to co-exist in Windows 2000 and Windows Server 2003 Active
  Directory environments. After the domain is operating at the Windows Server 2003
  functional level, the domain controller assigned the PDC Emulator role continues to
  perform other operations for the domain. These additional functions include the following:
    o All password changes and account lockout requests are forwarded to the PDC Emulator.
      A domain controller within a domain checks first with the PDC Emulator to verify
      whether a bad password provided by a user was a recently changed password, and is
      therefore a valid password.
    o Group policies consist of a Group Policy Container (GPC) in Active Directory and a
      Group Policy Template (GPT) in the SYSVOL folder. Because these two items can become
      out of sync due to multi-master replication, the Group Policy Editor is by default
      set to the PDC Emulator. This prevents group policy changes from being made on all
      domain controllers within the domain.
• Infrastructure Master role: The domain controller assigned the Infrastructure Master role
  has the following functions within the domain:
    o Updates the group-to-user references when the members of groups are changed. These
      updates are sent by the Infrastructure Master to the remainder of the domain
      controllers within the domain via multi-master replication.
    o Deletes any stale or invalid group-to-user references within the domain. To do this,
      the Infrastructure Master role checks with the Global Catalog for stale group-to-user
      references.

Planning the Placement of the FSMOs

As mentioned previously, all the OM roles are by default automatically assigned to the first
domain controller created for the first domain in a new Active Directory forest. Then, when
you create either a root domain of a new tree in a forest, or a new child domain, the three
domain-specific OM roles are assigned to the first domain controller in that domain. In cases
where a domain has only one domain controller, each domain-specific OM role has to exist on
that single domain controller. The two forest-specific OM roles stay on the initial domain
controller for the first domain created within the forest.

OM roles are usually transferred to other domain controllers when you need to perform
maintenance activities, load balance the existing load of the domain controllers, or simply
move a particular OM role to a better equipped domain controller.

In instances where multiple domain controllers exist for a particular domain, consider the
following recommendations when placing your Operations Master roles within the domain:

• Where you have two domain controllers that are direct replication partners and are
  well-connected, assign the RID Master role, PDC Emulator role and Infrastructure Master
  role to one domain controller. This particular domain controller becomes the OM domain
  controller for the domain. The remaining domain controller becomes the designated standby
  OM domain controller.
• It is generally recommended to assign the PDC Emulator and RID Master roles to the same
  domain controller.
• However, if the domain for which you are placing FSMO roles is large, consider locating the
  RID Master role and PDC Emulator role on two different domain controllers. Each of these
  domain controllers should be well-connected to the domain controller designated as the
  standby OM domain controller for these two roles. This strategy is usually implemented to
  reduce the load on the domain controller assigned the PDC Emulator role.
• You should place the Schema Master role and the Domain Naming Master role on the same
  domain controller.
• You should refrain from assigning the Infrastructure Master role to a domain controller
  that hosts the Global Catalog. The domain controller assigned the Infrastructure Master
  role should be well-connected to the Global Catalog server. The Infrastructure Master would
  not operate correctly if the Global Catalog is hosted on the same domain controller.
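The placement recommendations above can be checked automatically. The following PowerShell is an added example, not code from the original page: it lists the five role holders for the current domain and forest and tests them against the rules just given (Schema Master with Domain Naming Master, Domain Naming Master on a GC, PDC Emulator with RID Master, Infrastructure Master not on a GC), then pings each holder, since an unreachable holder is the failure case the later section discusses. One caveat in the code is not from this page but is Microsoft-documented: when every DC in the domain is a GC, the Infrastructure Master placement rule no longer matters. It assumes the RSAT ActiveDirectory module; the function names are mine.

```powershell
# Added example, not from the original page: FSMO inventory and placement checks.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @(
        [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
        [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
}

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $dcs      = @(Get-ADDomainController -Filter *)
    $gcs      = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
    $findings = @()

    # Forest roles: keep them together, and the Domain Naming Master on a GC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += 'Schema Master and Domain Naming Master are on different DCs (recommended: same DC).'
    }
    if ($gcs -notcontains $forest.DomainNamingMaster) {
        $findings += "Domain Naming Master $($forest.DomainNamingMaster) is not a global catalog server."
    }
    # Domain roles: PDC Emulator with RID Master unless the domain is large enough to split them.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings += 'PDC Emulator and RID Master are on different DCs (intended only for large domains).'
    }
    # Infrastructure Master on a GC stops updating cross-domain references, unless every DC is a GC
    # (Microsoft-documented exception, not from the page).
    $allGC = ($gcs.Count -eq $dcs.Count)
    if (($gcs -contains $domain.InfrastructureMaster) -and -not $allGC) {
        $findings += "Infrastructure Master $($domain.InfrastructureMaster) is a GC while other DCs are not."
    }
    # A role holder that does not answer is the failure scenario; ICMP may be filtered, so treat
    # this as a prompt to look closer rather than proof of failure.
    foreach ($h in (Get-FsmoHolders)) {
        if (-not (Test-Connection -ComputerName $h.Holder -Count 1 -Quiet)) {
            $findings += "$($h.Role) holder $($h.Holder) does not respond to ping."
        }
    }
    if ($findings.Count -eq 0) { 'FSMO placement matches the recommendations.' } else { $findings }
}

Get-FsmoHolders | Format-Table -AutoSize
Test-FsmoPlacement
```

Run Test-FsmoPlacement in each domain: the forest checks repeat, but the three domain roles are per domain and each domain's holders must be judged separately.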

Managing Operations Master Roles
Since only one or a few domain controllers are assigned the Operations Master roles, it is
important that these specific domain controllers remain functioning in the Active Directory
environment. There are essentially two processes involved in the management of FSMOs. These
management tasks are outlined below:

• Because the FSMOs are automatically created when the first domain controller is installed,
  you might need to transfer OM roles to a more robust server. You would also need to
  transfer OM roles to a different server before demoting the domain controller hosting them.
• When a lost domain controller cannot be recovered, you would need to seize any OM roles
  assigned to that domain controller.

Transferring an Operations Master role involves moving it from one server to a different
server. To transfer the Schema Master role, you need to have Schema Admins rights, and to
transfer the Domain Naming Master role, you need to have Enterprise Admins rights.

You can use an Active Directory console or a command-line utility to transfer OM roles. The
Active Directory MMC consoles that can be used to transfer the different FSMOs are outlined
below:

• Active Directory Schema MMC snap-in: for transferring the Schema Master role
• Active Directory Domains and Trusts console: for transferring the Domain Naming Master role
• Active Directory Users and Computers console: for transferring the RID Master role, PDC
  Emulator role, and Infrastructure Master role

When you seize an OM role, you do it without the cooperation of the existing domain
controller that is assigned the particular OM role. When an OM role is seized, it is
basically reassigned to a different domain controller. Before you attempt to seize any OM
roles, first try to determine the reason for the failure of the existing domain controller
which is assigned the particular OM role. Certain network issues which are likely to be
corrected in a short time frame are well worth enduring. Before you seize OM roles, first
ensure that the domain controller you are planning to shift these roles to is indeed powerful
enough to hold these roles. In summary, you should only seize an OM role if the existing OM
cannot be recovered. You would need to use the Ntdsutil command-line tool to seize OM roles.

The Consequences of FSMOs Failing
The following section looks at what actually happens when each FSMO role fails:

      •   A Schema Master failure is basically only evident when an Administrator
          attempts to change the Active Directory schema. What this means is that a
          Schema Master failure is invisible to your standard network users. You should
          only seize this role to the domain controller designated as the standby schema
          master if the existing Schema Master can in fact never be recovered.
      •   As is the case with a Schema Master failure, Domain Naming Master failure is
          only evident if an Administrator is attempting to add a domain to the forest, or
          remove a domain from the forest. A Domain Naming Master failure can generally
          not be perceived by your standard network users. You should only seize this role
          to the domain controller designated as its standby when the existing Domain
          Naming Master would never be operational again.
      •   A RID Master failure is only evident to Administrators if they are attempting to
          add new Active Directory objects in the particular domain where the RID Master
          failed. When this happens, the RID Master is unable to allocate relative IDs to the
          domain controllers on which the new Active Directory objects are being created.
          A RID Master failure cannot be detected by your conventional network users.
          You should also generally only seize this OM role when the existing domain
          controller assigned with the RID Master role would never recover from the
          failure.
      •   An Infrastructure Master failure is also not visible to your standard network
          users. The failure only impacts Administrators that are attempting to move user
          accounts, or rename them. Consider moving the role to the designated standby
          domain controller if the existing domain controller assigned with the
          Infrastructure Master is to be unavailable for a reasonably extended period of
          time, and the changes that need to be made are pertinent.
      •   Unlike the OM role failures previously described that are not evident to your
          standard network users, a PDC Emulator failure does impact network users. It is
          important to immediately seize this role to its designated standby domain
          controller if the domain contains any Windows NT backup domain controllers.
          You can always return this role to its previous domain controller when it is
          recovered and online again.
How to view the existing Schema Master role assignment
  1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the
      schmmgmt.dll on the computer.
  2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
  3. From the File menu, select Add/Remove Snap-in and then select Add.
  4. In the list of available snap-ins, double-click Active Directory Schema.
  5. Click Close. Click OK.
  6. Open the Active Directory Schema snap-in.
  7. In the console tree, right-click Active Directory Schema and select Operations
      Masters from the shortcut menu.
  8. The Change Schema Master dialog box opens.
  9. You can view the name of the existing Schema Master in the Current Schema
      Master (Online) box.
  10. Click Close.

How to view the existing Domain Naming Master role
assignment
  1. Open the Active Directory Domains And Trusts console from the Administrative
     Tools menu.
  2. In the console tree, right-click Active Directory Domains And Trusts and select
     Operations Masters from the shortcut menu.
  3. The Change Operations Master dialog box opens.
  4. You can view the name of the existing Domain Naming Master in the Domain
     Naming Operations Master box.
  5. Click Close.

How to view the existing RID Master role, PDC Emulator, and
Infrastructure Master role assignments
  1. Open the Active Directory Users And Computers console from the Administrative
     Tools menu.
  2. In the console tree, right-click Active Directory Users And Computers and click
     All Tasks, and then Operations Masters from the shortcut menu.
  3. The Operations Masters dialog box contains the following tabs:
         o RID tab: The name of the existing RID Master is displayed in the
             Operations Master box of this tab.
         o PDC tab: In the Operations Master box of the PDC tab, you can view the
             name of the existing PDC Emulator.
         o Infrastructure tab: The existing Infrastructure Master's name is displayed
             in the Operations Master box.
  4. Click Close.
How to transfer the Schema Master role to another domain
controller
Before you can transfer the Schema Master role to another domain controller, ensure that
you have the required Schema Admins rights, and that both domain controllers you are
planning to work with are available. Before you can use the Active Directory Schema
MMC snap-in, you first have to add it to an MMC.

To add the Active Directory Schema snap-in to an MMC,

   1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the
      schmmgmt.dll on the computer.
   2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
   3. From the File menu, select Add/Remove Snap-in and then select Add.
   4. In the list of available snap-ins, double-click Active Directory Schema.
   5. Click Close. Click OK

To transfer the Schema Master role,

   1. Open the Active Directory Schema snap-in.
   2. Right-click Active Directory Schema in the console tree, and select Change
      Domain Controller from the shortcut menu.
   3. The options available when the Change Domain Controller dialog box opens are
          o Any DC: If this option is selected, Active Directory will select a new
              domain controller for the Schema Master role.
          o Specify Name: If this option is enabled, you have to enter the name of the
              new location for the Schema Master Role.
   4. Click OK
   5. Right-click Active Directory Schema in the console tree again, and choose
      Operations Master from the shortcut menu.
   6. When the Change Schema Master dialog box opens, click Change.
   7. Click OK when a message appears prompting for verification of the OM role
      transfer you want to perform.
   8. Click OK to exit the Change Schema Master dialog box.

How to transfer the Domain Naming Master role to another
domain controller
You have to be a member of the Enterprise Admin group to transfer the Domain Naming
Master role to another domain controller.

   1. Open the Active Directory Domains And Trusts console from the Administrative
      Tools menu.
   2. In the console tree, right-click Active Directory Domains And Trusts and select
      Connect To Domain Controller from the shortcut menu.
   3. The Connect To Domain Controller dialog box opens. This is where you specify
      the name of the new domain controller that should be assigned the Domain
      Naming Master role.
   4. Click OK
   5. In the console tree, right-click Active Directory Domains And Trusts and select
      Operations Masters from the shortcut menu.
   6. When the Change Operations Master dialog box opens, click Change
   7. Click Close

How to transfer the RID Master role, PDC Emulator role, or
Infrastructure Master role to another domain controller
   1. Open the Active Directory Users And Computers console from the Administrative
       Tools menu.
   2. In the console tree, right-click Active Directory Users And Computers and click
       Connect To Domain from the shortcut menu.
   3. When the Connect To Domain dialog box opens, enter the domain name that you
       want to work with.
   4. Click OK
   5. In the console tree, right-click Active Directory Users And Computers and click
       Connect To Domain Controller from the shortcut menu.
   6. When the Connect To Domain Controller dialog box opens, specify the new
       domain controller for the OM role that you are transferring.
   7. Click OK
   8. In the console tree, right-click Active Directory Users And Computers and click
       All Tasks, and then click Operations Masters from the shortcut menu.
   9. The Operations Masters dialog box opens. On one of the following tabs,
           o RID tab: Click Change to change the location of the RID Master
           o PDC tab: Click Change to change the location of the PDC Emulator
           o Infrastructure tab: Click Change to change the location of the
              Infrastructure Master.
   10. Click Yes to verify that you want to transfer the particular OM role to a different
       domain controller.
   11. Click OK. Click Close.
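The three transfer procedures above are click-paths through the MMC consoles. The following PowerShell script is an added example, not part of the original document, that performs the same view-and-transfer with the ActiveDirectory module (installed with the AD DS tools or RSAT): it reads the five current role holders from the forest and domain objects, then moves the requested roles with Move-ADDirectoryServerOperationMasterRole. The domain controller name DC2.corp.example is a placeholder; the rights needed are the ones the text states for each role.

```powershell
# Added example (not from the original document). Requires the ActiveDirectory
# module and the rights the text describes: Schema Admins for the Schema Master,
# Enterprise Admins for the Domain Naming Master, Domain Admins for the rest.
# 'DC2.corp.example' below is a placeholder target domain controller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # The two forest-wide roles are attributes of the forest object, the three
    # domain roles are attributes of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
                     'PDCEmulator', 'InfrastructureMaster')]
        [string[]] $Role
    )
    $before = Get-FsmoRoleHolder
    # Skip roles the target already holds; holder values are FQDNs, so a short
    # target name is matched as a prefix.
    $toMove = @($Role | Where-Object { $before.$_ -notlike "$TargetDc*" })
    if ($toMove.Count -eq 0) {
        Write-Warning "$TargetDc already holds $($Role -join ', ')"
        return $before
    }
    # Both the current holder and the target must be online for a plain transfer
    # (no -Force), exactly as in the console procedures; the old holder is told
    # about the change and it replicates from there.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $toMove -Confirm:$false
    # Re-read the holders so the caller can confirm the transfer took effect.
    Get-FsmoRoleHolder
}

# Usage: show the current holders, then move the three domain roles to the placeholder DC.
Get-FsmoRoleHolder | Format-List
# Move-FsmoRole -TargetDc 'DC2.corp.example' -Role RIDMaster, PDCEmulator, InfrastructureMaster
```

The holders shown after the move come from whichever domain controller the session is bound to, so if that is not the target, a short replication delay before the new values appear is normal.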

How to seize an Operations Master role
When you seize an OM role, you need to perform the following tasks:

      •   Verify that the new domain controller for the role is completely updated with
          changes performed on the existing domain controller of the particular role. You
          can use the Replication Diagnostics command-line utility (Repadmin.exe) for this
          verification. Repadmin.exe is included with the Windows Support Tools on the
          Windows Server 2003 CD-ROM.
      •   You would then use the Ntdsutil tool to seize the particular OM role. The Ntdsutil
          tool first attempts to transfer the role before it actually proceeds to seize the role.

However, if you need to seize the PDC Emulator or Infrastructure FSMOs, you can use
the Active Directory Users and Computers console. The Ntdsutil tool has to be used,
though, to seize the other FSMOs: the Schema Master role, Domain Naming Master role, and
RID Master role. You can also use the Ntdsutil tool to seize the PDC Emulator
role or Infrastructure Master role.

To seize the PDC Emulator or Infrastructure FSMOs using the Active Directory Users
and Computers console,

   1. Open the Active Directory Users and Computers console
   2. In the console tree, right-click the domain object, and choose Connect to Domain
      Controller from the shortcut menu.
   3. Enter the name of the other domain controller. Click OK
   4. To perform the seizure of the role, right-click the domain object and choose
      Operations Masters from the shortcut menu.
   5. Click either the PDC tab, or the Infrastructure tab
   6. You will notice that the particular OM role is indicated as being offline.
   7. Click Change.
   8. Click OK to verify that you want to transfer the OM role.
   9. Click Yes when prompted to verify that you want to perform a forced transfer.

To seize any OM roles using the Ntdsutil tool,

   1.   Click Start, Command Prompt.
   2.   Enter the following at the command prompt: ntdsutil. Press Enter
   3.   Enter the following at the ntdsutil prompt: roles. Press Enter
   4.   Enter the following at the fsmo maintenance prompt: connections. Press Enter
   5.   Enter the following at the server connections prompt: connect to server, and the
        fully qualified domain name (FQDN). Press Enter
   6.   Enter the following at the server connections prompt: quit. Press Enter.
   7.   Enter one of the following at the fsmo maintenance prompt:
            o seize schema master. Press Enter
            o seize domain naming master. Press Enter
            o seize RID master. Press Enter
            o seize PDC. Press Enter
            o seize infrastructure master. Press Enter
   8.   Enter quit at the fsmo maintenance prompt. Press Enter
   9.   Enter quit at the ntdsutil prompt.
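The two seizure procedures above skip the replication check that the section opens with. The script below is an added example, not part of the original document, that does both steps from PowerShell: it reads the target's inbound replication links with repadmin /showrepl /csv and refuses to continue while any link is failing, then seizes the roles with Move-ADDirectoryServerOperationMasterRole -Force. It assumes the ActiveDirectory module and repadmin.exe are available (both ship with the AD DS tools); DC2.corp.example is a placeholder for the standby domain controller.

```powershell
# Added example (not from the original document). Requires the ActiveDirectory
# module and repadmin.exe. 'DC2.corp.example' is a placeholder for the standby
# domain controller that will take over the role.
Import-Module ActiveDirectory

function Test-ReplicationBeforeSeize {
    param([Parameter(Mandatory)] [string] $TargetDc)
    # 'repadmin /showrepl <dc> /csv' lists each inbound replication partner of the
    # target per naming context with its failure count and last result. A failing
    # link means the standby may be missing changes made on the old role holder,
    # which is the verification the text asks for before a seizure.
    $links   = repadmin /showrepl $TargetDc /csv | ConvertFrom-Csv
    $failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    foreach ($l in $failing) {
        Write-Warning ('{0} <- {1} [{2}]: {3} failures, last status {4}' -f
            $l.'Destination DSA', $l.'Source DSA', $l.'Naming Context',
            $l.'Number of Failures', $l.'Last Failure Status')
    }
    return ($failing.Count -eq 0)
}

function Invoke-FsmoSeize {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
                     'PDCEmulator', 'InfrastructureMaster')]
        [string[]] $Role
    )
    if (-not (Test-ReplicationBeforeSeize -TargetDc $TargetDc)) {
        throw "$TargetDc has failing replication links; fix them before seizing $($Role -join ', ')"
    }
    # With -Force the cmdlet still attempts an ordinary transfer first and only
    # seizes when the current holder does not answer, the same order ntdsutil uses.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $Role -Force -Confirm:$false
    # Show the new assignment: the forest object carries the two forest-wide roles,
    # the domain object the three domain roles.
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
}

# Usage (placeholder DC):
# Invoke-FsmoSeize -TargetDc 'DC2.corp.example' -Role PDCEmulator
```

Once the Schema Master, Domain Naming Master or RID Master has been seized, the failed holder must not be returned to the network with its old directory database; remove its references with the metadata cleanup procedure instead. The PDC Emulator and Infrastructure Master are the exception the text already notes: those can be handed back when the original controller is online again.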

How to perform a metadata cleanup
The class objects and attribute objects of the schema are referred to as metadata. A
metadata cleanup is usually performed when you are unable to restore a failed domain
controller. The cleanup removes any references to the failed domain controller in Active
Directory.
To perform the metadata cleanup,

   1.  From the command prompt, enter ntdsutil and press Enter.
   2.  Enter the following at the ntdsutil prompt: metadata cleanup. Press Enter
   3.  Enter the following at the metadata cleanup prompt: connections. Press Enter
   4.  Enter the following at the server connections prompt: connect to server, followed
       by the server name. Press Enter
   5. Enter quit, and press Enter
   6. Enter the following at the metadata cleanup prompt: select operation target. Press
       Enter
   7. Enter list domains. Press Enter
   8. Enter select domain, followed by the number of the domain that holds the server
       that you want to remove. Press Enter
   9. Enter list sites. Press Enter
   10. Enter select site, followed by the number of the site that holds the server that you
       want to remove. Press Enter
   11. Enter list servers in site. Press Enter
   12. Enter select server, followed by the number of the server that you want to remove.
       Press Enter.
   13. Enter quit and press Enter to return to the metadata cleanup prompt.
   14. Enter remove selected server, and press Enter.
   15. When a message box appears prompting you to verify whether the server should
       be removed, click Yes
   16. Quit from Ntdsutil.
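The interactive session above is easy to get wrong when several sites and servers are listed. The script below is an added example, not part of the original document, that first reports every domain controller still represented in the Configuration partition together with whether it answers on LDAP, so that a stale entry can be identified, and then runs the same ntdsutil removal non-interactively. It assumes the ActiveDirectory module; the distinguished name in the usage line is a placeholder of the form the report prints.

```powershell
# Added example (not from the original document). Requires the ActiveDirectory
# module; ntdsutil.exe is present on every domain controller. The DN in the usage
# line is a placeholder built from the site and DC names the report shows.
Import-Module ActiveDirectory

function Test-LdapReachable {
    param([Parameter(Mandatory)] [string] $HostName, [int] $TimeoutMs = 2000)
    # Bounded TCP connect to LDAP (389); a domain controller that is gone never answers.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, 389, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DcMetadataState {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    # Every DC is represented in the Configuration partition by a server object
    # (CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...) with an 'NTDS Settings' child of
    # objectClass nTDSDSA. ntdsutil 'remove selected server' deletes both.
    $ntds = Get-ADObject -SearchBase $cfg -LDAPFilter '(objectClass=nTDSDSA)'
    foreach ($n in $ntds) {
        $serverDn = ($n.DistinguishedName -split ',', 2)[1]   # parent of NTDS Settings
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        $site     = (($serverDn -split ',')[2]) -replace '^CN='
        [pscustomobject]@{
            Name      = $server.Name
            Site      = $site
            ServerDN  = $serverDn
            # A server object whose host no longer answers LDAP is a cleanup candidate.
            Reachable = if ($server.dNSHostName) { Test-LdapReachable $server.dNSHostName } else { $false }
        }
    }
}

function Remove-DcMetadata {
    param([Parameter(Mandatory)] [string] $ServerDN)
    # The same session as the sixteen interactive steps above, passed as arguments;
    # ntdsutil still shows the confirmation prompt of step 15.
    # Run this only for a domain controller that cannot be restored.
    ntdsutil 'metadata cleanup' "remove selected server $ServerDN" quit quit
}

# Usage: list DCs with their reachability, then remove one that is gone for good.
Get-DcMetadataState | Format-Table Name, Site, Reachable -AutoSize
# Remove-DcMetadata -ServerDN 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example'
```

An unreachable entry is only a candidate: a controller that is merely offline for maintenance looks the same, so confirm against your change records before removing it. On Windows Server 2008 and later, deleting the controller's computer object in Active Directory Users and Computers, or its NTDS Settings object in Active Directory Sites and Services, performs the same cleanup.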




Understanding Server Roles
Server Roles Overview
A network or network infrastructure is the grouping of hardware devices and software
components which are needed to connect devices within the organization, and to connect
the organization to other organizations and the Internet. The network infrastructure's
physical hardware and logical components are needed to provide a number of features for
the network, including connectivity, routing and switching capabilities, network security,
and access control. The network or network infrastructure has to exist before a number of
servers needed to support applications which are needed by your users can be deployed
into your networking environment.

Therefore, when planning your network design and deciding on the computers for your
network, you must know what functions the computer will be performing. Understanding
these functions will put you in a good position to determine the hardware and software
components needed for your computers.
Windows Server 2003 itself provides a number of features and tools when you install it
on a computer. You do, however, have to implement additional features and functionality on a
server to provide the services and capabilities required by the organization and its users.
In fact, until these additional features and functionality make certain services available,
the computer cannot be used as required by users.

Computers required on your network can be broadly grouped according to the
following roles:

      •   Server roles: Servers can be configured to perform a number of roles. The
          applications that the server is running specify the role of the particular server.
          Servers typically need services and additional features installed to perform their
          specific role. When compared to workstations, servers have more disk space and
          memory, and faster processors. The hardware required by servers is determined
          by the role being performed by the server. A few common server roles are listed
          below:
            o Domain controller
            o Database server
            o Backup server
            o File server
            o Print server
            o Infrastructure server
            o Web server
            o E-mail server
      •   Desktop workstation roles: Desktop workstations differ from servers in that desktop
          workstations are general purpose computers that can perform a number of
          different types of functions.
      •   Portable workstation roles: Portable workstations are the solution to bringing the
          features of a desktop computer to an off-site employee.

Windows Server 2003 introduced the concept of server roles. Server roles basically
group related administrative tasks, and are used to provide a specific capability or
function to the network design. With Windows Server 2003, if you configure a server for
a certain server role, then a number of additional services, features and tools are installed
for the server. In this manner, the server is set up to provide the required services to your
users.

Windows Server 2003 provides a new tool for defining and managing server roles,
namely, the Manage Your Server utility. The actual Wizard for applying the server roles
to computers is the Configure Your Server Wizard. The Configure Your Server Wizard is
included within the Manage Your Server utility and is also managed through this utility.
For Windows Server 2003, there are 11 different server roles that you can configure
using the Configure Your Server Wizard:

      •   File server
      •   Print server
      •   Application server
      •   Mail server
      •   Terminal server
      •   Remote access server/VPN server
      •   Domain controllers
      •   DNS server
      •   WINS server
      •   DHCP server
      •   Streaming media server

Understanding the File Server Role
The file server role is a widely used role when configuring servers in Windows Server
2003 based networks. This is because the file server role stores data for network users,
and provides access to files stored on the file server. The file server role is, though, not
available in the Windows Server 2003 Web Edition. A file stored on a file server volume
can be accessed by users that have the necessary rights to access the directories in which
the files are stored.

File servers provide the following functionality to users:

      •   Enable users to store files in a centralized location.
      •   Enable a user to share files with another user.

A few characteristics and features of the file server role are listed:

      •   Files and folder resources can be shared between network users.
      •   Administrators can manage the following aspects of file servers:
            o Access to files and folders
            o Disk space
            o Disk quotas can be implemented to control the amount of space which
                users can utilize.
      •   For file servers that have NTFS volumes:
            o NTFS security can be used to protect files from users who are not
                authorized to access the files and folders.
            o Encrypting File System (EFS) enables users to encrypt files and folders,
                and entire data drives on NTFS formatted volumes. EFS secures
                confidential corporate data from unauthorized access.
            o Distributed File System (Dfs) provides a single hierarchical file system
                that assists in organizing shared folders on multiple computers in the
                network. Dfs provides a single logical file system structure by concealing
                the underlying file share structure within a virtual folder structure. Users
                only see a single file structure even though there are multiple folders
                located on different file servers within the organization.
      •   The Offline Files feature can be enabled if necessary. Offline Files makes it
          possible for a user to mirror server files to a local laptop, and ensures that the
          laptop files and server files are in sync. For your laptop users, Offline Files
          ensures that the user can access the server based files when they are not connected
          to the network.
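Share permissions and NTFS permissions are the two layers the list above mentions, and a file server is only as tight as the more restrictive of the two on each share. The script below is an added example, not part of the original document: it walks every non-administrative SMB share on the server, collects the share-level and NTFS-level entries granted to broad principals (Everyone, Authenticated Users, Users, Domain Users) and flags shares where such a principal has full rights at both layers. It assumes Windows 8 / Server 2012 or later for the SmbShare module and runs on the file server itself.

```powershell
# Added example (not from the original document). Requires Windows 8 / Server 2012
# or later for the SmbShare module; run it on the file server being reviewed.
function Get-ShareExposure {
    # Principals that effectively mean "anyone who can reach this server".
    $broad = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        # Share permission entries (Full / Change / Read) granted to broad principals.
        $shareBroad = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains ($_.AccountName -replace '^.*\\')   # drop the DOMAIN\ prefix
        })
        # NTFS entries on the shared folder granted to the same principals.
        $ntfsBroad = @()
        if (Test-Path -LiteralPath $share.Path) {
            $ntfsBroad = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains ($_.IdentityReference.Value -replace '^.*\\')
            })
        }
        # Effective access is the more restrictive of share and NTFS permissions,
        # so the finding is a broad principal with full rights at both layers.
        $fullBoth = [bool]($shareBroad | Where-Object { $_.AccessRight -eq 'Full' }) -and
                    [bool]($ntfsBroad  | Where-Object { "$($_.FileSystemRights)" -match 'FullControl' })
        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            ShareBroad       = ($shareBroad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsBroad        = ($ntfsBroad  | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            FullAtBothLayers = $fullBoth
        }
    }
}

# Usage: findings first.
Get-ShareExposure | Sort-Object FullAtBothLayers -Descending | Format-Table -AutoSize
```

Deny entries and group nesting are not resolved here, so treat the report as a list of shares to look at rather than a computed effective-permissions result.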

Understanding the Print Server Role
The print server role provides network printing capabilities for the network. Through the
print server role, you can configure a server to manage printing functions on the network.
Users typically connect to a network printer through a connection to a print server. The
print server is the computer where the print drivers are located that manage printing
between printers and client computers. With Windows NT, Windows 2000, Windows
XP, and Windows Server 2003, the print servers supply clients with the necessary printer
drivers. The print servers also manage communication between the printers and the client
computers. The print servers manage the print queues, and can also supply audit logs on
jobs printed by users. A network interface printer is a printer that connects to the network
through a network card. The print server role is though not available in the Windows
Server 2003 Web Edition.

When deciding on a print server, ensure that the print server has sufficient disk space to
store print jobs waiting in the printer queue. It is recommended to use a dedicated, fast
drive for the print spooler. You should consider implementing a print server cluster if
your enterprise needs exceptional reliability and performance when it comes to printing.

A few characteristics of print servers are listed here:

      •   Windows Management Instrumentation (WMI), a management application
          programming interface (API), can be used to manage printing on the network.
      •   Print servers can also be remotely managed.
      •   Administrators can control when printing devices can be utilized.
      •   Administrators can control access to printers.
      •   Priorities can be defined for print jobs.
      •   Print jobs can be paused, resumed, deleted and viewed.
      •   Printers can be published in Active Directory so that access to printers can be
          controlled according to Active Directory accounts.

Understanding Web servers
The application server role makes Web applications and distributed applications available
to users. A Web server typically contains a copy of a World Wide Web site and can also
host Web based applications. When you install a Web server, users can utilize Web based
applications and download files as well.
When you add a Web server through the application server role, the following
components are installed:

      •   Internet Information Services 6.0
      •   The Application Server console
      •   The Distributed Transaction Coordinator (DTC)
      •   COM+, the extension of the Component Object Model (COM)

Internet Information Services 6.0 (IIS 6.0) is Microsoft's integrated Web server that
enables you to create and manage Web sites within your organization. Through IIS, you
can create and manage Web sites, and share and distribute information over the Internet
or intranet. With the introduction of Windows Server 2003 came the advent of Internet
Information Services (IIS) 6. IIS 6 is included with the 32-bit version and the 64-bit
versions of the Windows Server 2003 Editions. IIS 6 includes support for a number of
protocols and management tools which enable you to configure the server as a Web
server, File Transfer Protocol (FTP) server or a Simple Mail Transport Protocol (SMTP)
server. The management tools included with Windows Server 2003 allow you to manage
Internet Information Services on the Windows Server 2003 product platforms.

Before you can deploy IIS 6 Web servers within your enterprise, you first need to install
Windows Server 2003 or upgrade to Windows Server 2003. Only after Windows Server
2003 is deployed, are you able to install IIS 6 in your environment.

After Windows Server 2003 is installed, for all editions of Windows Server 2003 other
than the Web Edition, you can install IIS 6 from the Configure Your Server Wizard.
When you first log on after Windows Server 2003 is installed, the Manage Your Server
Wizard is initiated. To start the Configure Your Server Wizard, choose the Add Or
Remove A Role link. You next have to follow the prompts of the Configure Your Server
Wizard to install the Application Server (IIS, ASP.NET) option.

The protocols supported by IIS 6.0, the Microsoft integrated Web server, are listed here:

      •   Hypertext Transfer Protocol (HTTP) is a TCP/IP application layer protocol used
          to connect to websites, and to create Web content. HTTP handles the publishing
          of static and dynamic Web content. An HTTP session consists of a connection, an
          HTTP request and an HTTP response.
            1. Port 80 is used for HTTP connections. The client establishes a TCP
               connection to the server by using a TCP three way handshake.
            2. After the connection is established, the client sends an HTTP GET request
               message to the server.
            3. The server sends the client the requested Web page.
            4. If HTTP Keep-Alives are enabled, the TCP connection between the client and
               server is maintained so that the client can request additional pages.
            5. If HTTP Keep-Alives are not enabled, the TCP connection is terminated
               after the requested page is downloaded.
      •   File Transfer Protocol (FTP) is a TCP/IP application layer protocol used for
          copying files to and from remote systems through the Transmission Control
          Protocol (TCP). FTP makes it possible for clients to upload and download files
          from an FTP server over an internetwork. Through IIS, you can create and
          administer FTP servers. You need an FTP server and an FTP client to use the
          protocol. An FTP session has a connection, a request, and a response.
            1. The client establishes a TCP connection to the FTP server through port 21.
            2. A port number over 1023 is assigned to the client.
            3. The client sends an FTP command to port 21.
            4. If the client needs to receive data, another connection is created with the
               client to convey the data. This connection utilizes port 20.
            5. The second connection remains in a TIME_WAIT state after the data is
               transferred to the client. The TIME_WAIT state makes it possible for
               additional data to be transferred. The TIME_WAIT state ends when the
               connection times out.
      •   Network News Transfer Protocol (NNTP) is a TCP/IP application layer protocol
          used to send network news messages to NNTP servers and NNTP clients on the
          Internet. NNTP is a client/server and server/server protocol. The NNTP protocol
          enables an NNTP host to replicate its list of newsgroups and messages with another
          host through newsfeeds, using a push method or a pull method. An NNTP client
          can establish a connection with an NNTP host to download a list of newsgroups,
          and read the messages contained in the newsgroups. Through NNTP, you can
          implement private news servers to host discussion groups, or you can implement
          public news servers to provide customer support and help resources to Internet
          users. You can specify that users need to be authenticated to both read and post
          items to newsgroups, or you can allow access to everybody. The NNTP service
          can also integrate with the Windows Indexing Service for the indexing of
          newsgroup content. It is also fully integrated with the event and performance
          monitoring of Windows Server 2003.
      •   Simple Mail Transfer Protocol (SMTP) is a TCP/IP application layer protocol
          used for routing and transferring e-mail between SMTP hosts on the Internet.
          SMTP enables IIS machines to operate as SMTP hosts to forward e-mail over the
          Internet. IIS can be utilized instead of Sendmail. SMTP also enables IIS machines
          to protect mail servers such as Microsoft Exchange servers from malicious attacks
          by operating between these servers and the Sendmail host at the ISP of the
          organization. SMTP can be used to forward mail from one SMTP host to another
          SMTP host. SMTP cannot deliver mail directly to the client. Mail clients use
          POP3 or IMAP to receive e-mail. Windows Server 2003 includes the POP3
          service for providing clients with mailboxes, and for handling incoming e-mail.
          To use SMTP as a component of IIS, you have to install the SMTP service
          first if you are running a Windows Server 2003 Edition other than the Windows
          Server 2003 Web Edition. The SMTP service is installed on the Windows Server
          2003 Web Edition by default.
Understanding the Mail Server Role
The mail server role provides e-mail services for the network, by providing the
functionality needed for users to both send and receive e-mail messages. A mail server
has to exist for users to send e-mail to each other. When a mail server receives e-mail for
a user, it stores the e-mail for the intended user until that particular user retrieves it from
the mail server.

The primary functions of mail servers are listed here:

      •   Store e-mail data.
      •   Process client requests.
      •   Receive incoming e-mail from the Internet.

When you configure a server for the mail server role, the following TCP/IP based
protocols are installed:

      •   Simple Mail Transfer Protocol (SMTP): SMTP is a TCP/IP application layer
          protocol used for routing and transferring e-mail between SMTP hosts on the
          Internet. IIS 6 has to be installed to install both the SMTP service and the Post
          Office Protocol 3 (POP3) service. The SMTP service has to be installed because
          mail servers and clients utilize this service to send e-mail.
      •   Post Office Protocol 3 (POP3): Mail clients use the POP3 service or IMAP to
          receive e-mail. Windows Server 2003 includes the POP3 service for providing
          clients with mailboxes, and for handling incoming e-mail. The POP3 service also
          enables clients to retrieve e-mail from the mail server.
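The Web server and mail server sections above each name the protocols a role brings with it (HTTP on port 80, FTP on 21 and 20, NNTP on 119, SMTP on 25, POP3 on 110). A server that was given one role often ends up listening for several of them. The script below is an added example, not part of the original document: it maps those well-known ports to the processes currently listening on them, marks any port outside the list the server is meant to serve as unexpected, and cross-checks with the installed IIS, FTP and SMTP roles. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated prompt so that owning processes can be resolved, and Windows Server for Get-WindowsFeature.

```powershell
# Added example (not from the original document). Requires Windows 8 / Server 2012
# or later (NetTCPIP module) and an elevated prompt so that owning processes can
# be resolved; Get-WindowsFeature needs the ServerManager module (Windows Server).
function Get-RoleListener {
    param(
        # Ports this server is meant to serve; every other known port is reported as unexpected.
        [int[]] $Expected = @(80, 443)
    )
    # Well-known ports of the protocols discussed above, plus HTTPS.
    $known = @{ 80 = 'HTTP'; 443 = 'HTTPS'; 21 = 'FTP control'; 20 = 'FTP data';
                119 = 'NNTP'; 25 = 'SMTP'; 110 = 'POP3' }
    # LocalPort is a UInt16; cast to [int] so it matches the hashtable keys.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $known.ContainsKey([int]$_.LocalPort) }
    foreach ($l in $listeners | Sort-Object LocalPort, LocalAddress -Unique) {
        $port = [int]$l.LocalPort
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $port
            Service  = $known[$port]
            Address  = $l.LocalAddress          # 0.0.0.0 or :: means every interface
            Process  = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }
            Expected = ($Expected -contains $port)
        }
    }
}

# Usage: unexpected listeners first, then cross-check with the installed roles.
Get-RoleListener | Sort-Object Expected, Port | Format-Table -AutoSize
Get-WindowsFeature -Name Web-Server, Web-Ftp-Server, SMTP-Server |
    Select-Object Name, Installed
```

For a mail server, call Get-RoleListener -Expected 25, 110 instead, so that a Web listener on the same host shows up as the unexpected one.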

Understanding the Terminal Server Role
Terminal Services have the ability to operate as an application server that remote clients
can connect to, and run sessions from. The Terminal Services server runs the
applications. The data response is transmitted back to the Terminal Services client.
Clients can access Terminal Services over a local area connection or a wide area
connection. Terminal Services clients can be MS-DOS based clients, Windows for
Workgroups (version 3.11) clients, Windows based terminals, and Macintosh clients.

When a user connects to a Windows Server 2003 server using Remote Desktop, the
resources of the server are used, not those of the workstation. The terminal is only
responsible for the keyboard, mouse and the display. Every user has their own individual
Terminal Services session. Sessions are unique and do not affect one another. In this
manner, a user connecting to a Windows Server 2003 server through Remote Desktop
functions as a terminal on that server.

Once a client establishes a connection to Terminal Services, it creates a Terminal
Services session for the client. All processing is handled by the Terminal Services server.
Clients use insignificant bandwidth on the underlying network when they establish a
connection. Terminal Services is therefore popular in WANs where bandwidth is limited.
It is also suited for mobile users who have to execute processor intensive applications
over a dial-up connection. In this case, the local machine only needs to handle the
console.
When applications need to be installed or updated, a single instance of the application can
be installed or updated on the Terminal Services server. Users will have access to the
application without you needing to install or update the application on all machines.

Remote Desktop Protocol (RDP) is the protocol that manages communications between a
computer running Terminal Services, and a client computer running a Terminal Server
client. The connection can be established using Terminal Services on a terminal server.
The RDC utility can be used for complete terminal server client utilization, or it can be
used for Remote Administration. Remote Desktop Connection is by default installed with
Windows XP and Windows Server 2003. You can however install Remote Desktop
Connection on the previous Windows Operating Systems (OSs) such as Windows 2000,
Windows NT, Windows ME, Windows 98, and Windows 95. The RDC utility is
backward compatible, and can therefore interact with Terminal Services in Windows XP,
Windows 2000 and Windows NT 4 Terminal Server Edition.

Understanding the Remote Access and VPN Server Role
The Windows Server 2003 remote access and VPN server role can be used to provide
remote access to clients through either of the methods:

      Dial-up connections: Dial-up networking makes it possible for a remote access
       client to establish a dial-up connection to a port on a remote access server. The
       configuration of the dial-up networking server determines what resources the
       remote user can access. Users that connect through a dial-up networking server,
       connect to the network much like a standard LAN user accessing network
       resources.
      Virtual private networks (VPNs): Virtual Private Networks (VPNs) provide
       secure and advanced connections through a non-secure network by providing data
       privacy. Private data is secure in a public environment. Remote access VPNs
       provide a common environment where many different sources such as
       intermediaries, clients and off-site employees can connect through web browsers or
       email. Many companies supply their own VPN connections via the Internet.
       Through their ISPs, remote users running VPN client software are assured private
       access in a publicly shared environment. VPNs are implemented over extensive
       shared infrastructures using analog, ISDN, DSL, cable, dial-up and mobile IP
       technologies. Email, database and office applications use these secure remote
       VPN connections.

A few features and capabilities provided by the RRAS server are listed here:

      LAN-to-LAN routing and LAN-to-WAN routing
      Virtual private network (VPN) routing
      Network Address Translation (NAT) routing: NAT, defined in RFC 1631,
       translates private addresses to Internet IP addresses that can be routed on the
       Internet
      Routing features, including
           o IP multicasting
           o Packet filtering
           o Demand-dial routing
           o DHCP relay
      Assign DHCP addresses to RRAS clients
      Remote Access Policies (RAPs): RAPs are used to grant remote access
       permissions.
      Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) from
       Cisco with Point-to-Point Tunneling Protocol (PPTP) from Microsoft. L2TP is a
       data-link layer protocol that can be used to establish Virtual Private Networks (VPNs).
      Internet Authentication Service (IAS), a Remote Authentication Dial-In User
       Service (RADIUS) server, provides remote authentication, authorization and
       accounting for users that are connecting to the network through a network access
       server (NAS) such as Windows Routing and Remote Access.

Understanding the Domain Controllers Role

A domain controller is a server that stores a writable copy of Active Directory, and
maintains the Active Directory data store. Active Directory was designed to provide a
centralized repository of information, or data store, that could securely manage the
resources of an organization. The Active Directory directory services ensure that network
resources are available to, and can be accessed by, users, applications and programs.
Active Directory also makes it possible for administrators to log on to one network
computer, and then manage Active Directory objects on a different computer within the
domain.

A domain controller is a computer running Windows 2000 or Windows Server 2003 that
contains a replica of the domain directory. Domain controllers in Active Directory
maintain the Active Directory data store and security policy of the domain. Domain
controllers therefore also provide security for the domain by authenticating user logon
attempts.

The main functions of the domain controller role within Active Directory are listed here:

      Each domain controller in a domain stores and maintains a replica of the Active
       Directory data store for the particular domain.
      Domain controllers in Active Directory utilize multimaster replication. What this
       means is that no single domain controller is the master domain controller. All
       domain controllers are considered peers.
      Domain controllers also automatically replicate directory information for objects
       stored in the domain between one another.
      Updates that are considered important are replicated immediately to the remainder
       of the domain controllers within the domain.
      Implementing multiple domain controllers within the domain provides fault
       tolerance for the domain.
      In Active Directory, domain controllers can detect collisions. Collisions take
       place when an attribute modified on one particular domain controller is changed on a
       different domain controller before the change on the initial domain controller
       has been fully propagated.
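As an added example, not part of the original text, here is a small Go model of the collision case in the last item: two domain controllers change the same attribute before either change has replicated. Each attribute value carries a version, an originating timestamp and an originator, and the resolution order (highest version, then latest originating time, then originator identifier) is the one Active Directory applies; the DC names, the attribute and the clock values are constructed.

```go
package main

import "fmt"

// AttrValue is one attribute value with the per-attribute replication metadata a
// domain controller keeps for it, simplified here to three fields.
type AttrValue struct {
	Value      string
	Version    int    // incremented by every originating write
	Timestamp  int64  // time of the originating write (constructed clock ticks)
	Originator string // DC where the write originated (AD uses the DSA's invocation ID)
}

// DC is a simplified domain controller holding a replica of one object.
type DC struct {
	Name  string
	Attrs map[string]AttrValue
}

func NewDC(name string) *DC { return &DC{Name: name, Attrs: map[string]AttrValue{}} }

// Write is an originating write on this DC: it raises the attribute's version.
func (d *DC) Write(attr, value string, now int64) {
	d.Attrs[attr] = AttrValue{value, d.Attrs[attr].Version + 1, now, d.Name}
}

// Apply merges one replicated value and reports whether it collided with a local
// change. A collision is an equal version from a different originator: both DCs
// changed the attribute before either change had propagated. The winner is chosen
// the way Active Directory does: higher version, then later originating
// timestamp, then higher originator identifier.
func (d *DC) Apply(attr string, in AttrValue) (collision bool) {
	cur, ok := d.Attrs[attr]
	switch {
	case !ok || in.Version > cur.Version:
		d.Attrs[attr] = in // ordinary newer update
	case in.Version < cur.Version, in.Originator == cur.Originator:
		// stale update, or the same originating write seen again: nothing to do
	default:
		collision = true
		if in.Timestamp > cur.Timestamp ||
			(in.Timestamp == cur.Timestamp && in.Originator > cur.Originator) {
			d.Attrs[attr] = in
		}
	}
	return collision
}

// Replicate pushes every attribute of src to dst and counts the collisions seen.
func Replicate(src, dst *DC) (collisions int) {
	for attr, v := range src.Attrs {
		if dst.Apply(attr, v) {
			collisions++
		}
	}
	return collisions
}

// Scenario replays the case the text describes: DC1 and DC2 each change the same
// attribute before the other's change has arrived. It returns the value each DC
// ends up with and the number of collisions detected on both sides.
func Scenario() (dc1Val, dc2Val string, collisions int) {
	dc1, dc2 := NewDC("DC1"), NewDC("DC2")
	dc1.Write("telephoneNumber", "555-0000", 1) // initial value, replicated normally
	Replicate(dc1, dc2)
	dc1.Write("telephoneNumber", "555-0100", 10) // changed on DC1 ...
	dc2.Write("telephoneNumber", "555-0200", 12) // ... and on DC2 before DC1's change arrives
	collisions += Replicate(dc1, dc2)
	collisions += Replicate(dc2, dc1)
	return dc1.Attrs["telephoneNumber"].Value, dc2.Attrs["telephoneNumber"].Value, collisions
}

func main() {
	v1, v2, n := Scenario()
	fmt.Printf("DC1=%s DC2=%s collisions=%d\n", v1, v2, n) // both converge on 555-0200
}
```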

Certain master roles can be assigned to domain controllers within a domain and forest.
Domain controllers that are assigned special master roles are called Operations Masters.
These domain controllers host a master copy of specific data in Active Directory. They
also copy data to the remainder of the domain controllers. There are five different types
of master roles that can be defined for domain controllers. Two types of master roles,
forestwide master roles, are assigned to one domain controller in a forest. The other three
master roles, domainwide master roles, are applied to a domain controller in every
domain.

The different types of master roles which can be configured on domain controllers are
listed here:

      The Schema Master is a forestwide master role applied to a domain controller that
       manages all changes in the Active Directory schema.
      The Domain Naming Master is a forestwide master role applied to a domain
       controller that manages changes to the forest, such as adding and removing a
       domain. The domain controller serving this role also manages changes to the
       domain namespace.
      The Relative ID (RID) Master is a domainwide master role applied to a domain
       controller that creates unique ID numbers for domain controllers and manages the
       allocation of these numbers.
      The PDC Emulator is a domainwide master role applied to a domain controller
       that operates like a Windows NT primary domain controller. This role is typically
       necessary when there are computers in your environment running pre-Windows
       2000 and XP operating systems.
      The Infrastructure Master is a domainwide master role applied to a domain
       controller that manages changes made to group memberships.

A Global Catalog (GC) server can also be installed on a domain controller. The global
catalog is a central information store on the Active Directory objects in a forest and
domain, and is used to improve performance when searching for objects in Active
Directory. The first domain controller installed in a domain is designated as the global
catalog server by default. The global catalog server stores a full replica of all objects in
its host domain, and a partial replica of objects for the remainder of the domains in the
forest. The partial replica contains those objects which are frequently searched for. It is
generally recommended to configure a global catalog server for each site in a domain.
The functions of the global catalog server are summarized below:

      Global catalog servers are crucial for Active Directory's UPN functionality
       because they resolve user principal names (UPNs) when the domain controller
       handling the authentication request is unable to authenticate the user account
       because the user account actually exists in another domain. Here, the GC server
       assists in locating the user account so that the authenticating domain controller
       can proceed with the logon request for the user.
      The global catalog server deals with all search requests of users searching for
       information in Active Directory. It can find all Active Directory data irrespective
       of the domain in which the data is held. The GC server deals with requests for the
       entire forest.
      The global catalog server also supplies Universal Group membership
       information to the domain controller for network logon requests.

Understanding the DNS Server Role
Domain Name Service (DNS) is a hierarchically distributed database that creates
hierarchical names that can be resolved to IP addresses. The IP addresses are then
resolved to MAC addresses. DNS provides the means for naming IP hosts, and for
locating IP hosts when they are queried for by name.

The DNS server role resolves IP addresses to domain names, and domain names to IP
addresses. In this way, DNS provides name resolution services to establish connections
for those clients that need to resolve to IP addresses. A Fully Qualified Domain Name
(FQDN) is the DNS name that is used to identify a computer on the network.

A DNS server is a computer running the DNS service or BIND, which provides domain
name services. The DNS server manages the DNS database that is located on it. The
information in the DNS database of a DNS server pertains to a portion of the DNS
domain tree structure or namespace. This information is used to provide responses to
client requests for name resolution. A DNS server is authoritative for the contiguous
portion of the DNS namespace over which it resides.

When a DNS server is queried for name resolution services it can do either of the
following:

      Respond to the request directly by providing the requested information.
      Provide a pointer (referral) to another DNS server that can assist in resolving the
       query.
      Respond that the information is unavailable.
      Respond that the information does not exist.

You can configure different server roles for your DNS servers. The server role that you
configure for a DNS server affects the following operations of the server:

      The way in which the DNS server stores DNS data.
      The way in which the DNS server maintains data.
      Whether the DNS data in the database file can be directly edited.

The different DNS server roles which you can configure are listed here:

      Standard Primary DNS server: This DNS server owns the zones defined in its
       DNS database, and can make changes to its zones. A standard primary DNS
       server obtains zone data from the local DNS database. The primary DNS server is
       authoritative for the zone data that it contains. When a change needs to be made to
       the resource records of the zone, it has to be done on the primary DNS server so
       that it can be included in the local zone database. A DNS primary server is
       created when a new primary zone is added.
      Standard Secondary DNS server: This DNS server obtains a read-only copy of
       zones through DNS zone transfers. A secondary DNS server cannot make any
       changes to the information contained in its read-only copy. A secondary DNS
       server can however resolve queries for name resolution. Secondary DNS servers
       are usually implemented to provide fault tolerance, provide fast access for clients
       in remote locations, and to distribute the DNS server processing load evenly. If a
       secondary DNS server is implemented, that DNS server can continue to handle
       queries when the primary DNS becomes unavailable. Secondary DNS servers also
       assist in reducing the processing load of the primary DNS server. It is
       recommended to install at least one primary DNS server, and one secondary DNS
       server for each DNS zone.
      Caching-only DNS server: A caching-only DNS server only performs queries and
       then stores the results of these queries. All information stored on the caching-only
       DNS server is therefore only that data which has been cached while the server
       performed queries. Caching-only DNS servers only cache information when the
       queries have been resolved. The information stored by caching-only DNS servers
       is the name resolution data that it has collected through name resolution queries.
       Caching-only DNS servers do not host zones and are not authoritative for any
       DNS domain.
      Master DNS servers: The DNS servers from which secondary DNS servers obtain
       zone information in the DNS hierarchy are called master DNS servers. When a
       secondary DNS server is configured, you have to specify the master server from
       which it will obtain zone information. Zone transfer enables a secondary DNS
       server to obtain zone information from its configured primary DNS server. A
       secondary DNS server can also transfer its zone data to other secondary DNS
       servers, which are beneath it in the DNS hierarchy. Here, the secondary DNS server
       is regarded as the master server to the other subordinate secondary DNS servers.
       A secondary DNS server initiates the zone transfer process from its particular
       master server when it is brought online.
      Dynamic DNS Servers: Windows 2000, Windows XP and Windows Server 2003
       computers can dynamically update the resource records of a DNS server when a
       client's IP addressing information is added, or renewed through Dynamic Host
       Configuration Protocol (DHCP). Both DHCP and Dynamic DNS (DDNS) updates
       make this possible. When dynamic DNS updates are enabled, a client sends a
       message to the DNS server when changes are made to its IP addressing data. This
       indicates to the DNS server that the A type resource record of the client needs to
       be updated.

Understanding the WINS Server Role
The Windows Internet Name Service (WINS) server role provides name resolution
services for clients that need to resolve IP addresses to NetBIOS names, and vice versa.
A WINS server is an enhanced NetBIOS name server (NBNS) designed by Microsoft to
resolve NetBIOS computer names to IP addresses. WINS can resolve NetBIOS names for
local hosts and remote hosts. WINS registers NetBIOS computer names, and stores these
client name registrations in the WINS database. The registrations are used when clients
query for host name resolution and service information and to resolve a NetBIOS name to
an IP address. Clients that are configured to utilize a WINS server as a NetBIOS name
server (NBNS) are called WINS enabled clients. If the WINS server resolves the
NetBIOS name to an IP address, no broadcast traffic is sent over the network. Broadcasts
are only utilized if the WINS server is unable to resolve the NetBIOS name. A WINS
enabled client can communicate with a WINS server that is located anywhere on the
internetwork.

Although Windows 2000 was the first Windows operating system where NetBIOS naming
was no longer required, you might still need to provide support for NetBIOS naming if
you have legacy applications. Remember that all Windows operating systems prior to
Windows 2000 require NetBIOS name support.

To implement WINS, you only need one WINS server for an internetwork. However,
implementing two WINS servers provides fault tolerance for name resolution. The
secondary WINS server would be used for name resolution if the primary WINS server is
unavailable to service WINS clients' requests.

A WINS server can cope with 1,500 name registrations and roughly 4,500 name queries
per minute. It is recommended to have one WINS server and a backup server for each
10,000 WINS clients. When you configure the WINS server role, the WINS server must
be statically assigned with the following TCP/IP parameters: static IP address, subnet
mask and default gateway.

Understanding the DHCP Server Role
DHCP is a service and protocol which runs on a Windows Server 2003 operating system.
DHCP functions at the application layer of the TCP/IP protocol stack. One of the primary
tasks of the protocol is to automatically assign IP addresses to DHCP clients.

A server running the DHCP service is called a DHCP server. The DHCP protocol
automates the configuration of TCP/IP clients because IP addressing occurs through the
system. You can configure a server as a DHCP server so that the DHCP server can
automatically assign IP addresses to DHCP clients, and with no manual intervention. IP
addresses that are assigned through a DHCP server are regarded as dynamically assigned
IP addresses.

The DHCP server assigns IP addresses from a predetermined IP address range, called a
scope. A DHCP scope can be defined as a set of IP addresses which the DHCP server can
allocate or assign to DHCP clients. A scope contains specific configuration information
for clients that have IP addresses which are within the particular scope. Scope
information for each DHCP server is specific to that particular DHCP server only, and is
not shared between DHCP servers. Scopes for DHCP servers are configured by
administrators.

The functions of the DHCP server are outlined below:

      Dynamically assign IP addresses to DHCP clients.
      Allocate the following TCP/IP configuration information to DHCP clients:
          o Subnet mask information
          o Default gateway IP addresses
          o Domain Name System (DNS) IP addresses
          o Windows Internet Naming Service (WINS) IP addresses

You can increase the availability of DHCP servers by using the 80/20 Rule if you have
two DHCP servers located on different subnets. The 80/20 Rule is applied as follows:

      Allocate 80 percent of the IP addresses to the DHCP server which resides on the
       local subnet.
      Allocate 20 percent of the IP addresses to the DHCP Server on the remote subnet.

If the DHCP server that is allocated with 80 percent of the IP addresses has a failure, the
remote DHCP server would resume assigning the DHCP clients with IP addresses.
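An added example, not from the original text: the following Go program works out the two exclusion ranges that implement the 80/20 Rule for one scope. Both DHCP servers are given the full scope, and each excludes the addresses the other server leases, which is how the split is normally entered on Windows DHCP servers; the pool 192.168.10.10 to 192.168.10.209 is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// ServerPlan is what an administrator enters on one of the two DHCP servers: the
// full scope, plus an exclusion covering the addresses the other server leases.
type ServerPlan struct {
	Name                     string
	ScopeStart, ScopeEnd     netip.Addr
	ExcludeStart, ExcludeEnd netip.Addr
	Leasable                 uint32 // addresses this server may actually hand out
}

func toU32(a netip.Addr) uint32 {
	b := a.As4()
	return binary.BigEndian.Uint32(b[:])
}

func fromU32(v uint32) netip.Addr {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return netip.AddrFrom4(b)
}

// Split80x20 divides the inclusive IPv4 pool [start, end] so that the local
// server can lease the first 80 percent of it and the remote server the rest.
func Split80x20(start, end netip.Addr) (local, remote ServerPlan, err error) {
	if !start.Is4() || !end.Is4() || end.Less(start) {
		return local, remote, fmt.Errorf("invalid IPv4 pool %s-%s", start, end)
	}
	total := toU32(end) - toU32(start) + 1
	share := uint32(uint64(total) * 80 / 100) // integer division: any remainder goes to the remote server
	if share == 0 || share == total {
		return local, remote, fmt.Errorf("pool of %d addresses is too small to split", total)
	}
	boundary := toU32(start) + share // first address that belongs to the remote server
	local = ServerPlan{"local (80%)", start, end, fromU32(boundary), end, share}
	remote = ServerPlan{"remote (20%)", start, end, start, fromU32(boundary - 1), total - share}
	return local, remote, nil
}

func main() {
	// Constructed pool: 200 addresses on the local subnet.
	local, remote, err := Split80x20(netip.MustParseAddr("192.168.10.10"), netip.MustParseAddr("192.168.10.209"))
	if err != nil {
		panic(err)
	}
	for _, p := range []ServerPlan{local, remote} {
		fmt.Printf("%-12s scope %s-%s  exclude %s-%s  leases %d addresses\n",
			p.Name, p.ScopeStart, p.ScopeEnd, p.ExcludeStart, p.ExcludeEnd, p.Leasable)
	}
}
```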

With Windows Server 2003 DHCP, three options are available for registering IP
addresses in DNS. The options can be configured for the DHCP server, or for each
individual scope. The options which can be specified to enable or disable the DHCP service
to dynamically update DNS records on behalf of the client are:

      The DHCP server can be configured not to register any IP addresses of DHCP
       clients when it assigns IP addresses to these clients.
      The DHCP server can be configured to always register the IP addresses of all
       clients when they receive IP addresses from the DHCP server.
      The default option results in the DHCP server registering the IP addresses of
       clients with the authoritative DNS server, based on the client's request for an IP
       address.

Understanding the Streaming Media Server Role
The streaming media role provides media services so that clients can access streaming
audio and video. The Windows Media Services is used to provide media services to
clients. The Windows Media Services can be configured on server platforms, and on
enterprise platforms.

The Windows Media Services is not available in the following editions of Windows
Server 2003:

      Windows Server 2003 Web Edition
      Windows Server 2003 64-bit versions

Understanding Certificate Authorities (CAs) Servers
A Certificate Authority is an entity that generates and validates digital certificates. The
CA adds its own signature to the public key of the client. By using the tools provided by
Microsoft, you can create an internal CA structure within your organization.

A digital certificate associates a public key with an owner. The certificate verifies the
identity of the owner. A certificate cannot be forged because the authority that issued the
certificate digitally signs the certificate. Certificates are issued for functions such as the
encryption of data, code signing, Web user and Web server authentication, and for
securing e-mail. Certificates in Windows XP and Windows Server 2003 are managed by
the Data Protection API. When certificates are issued to a client, they are stored in the
Registry and in Active Directory. You can also store certificates on smart cards. The
information included in a certificate is determined by the type of certificate being used.

Certificate Authorities (CAs) are servers which are configured to issue certificates to
users, computers, and services. CAs also manage certificates. An organization can have
multiple CAs, which are arranged in a logical manner. A CA can be a trusted third party
entity such as VeriSign or Thawte, or it can be an internal entity of the organization. An
example of an internal CA entity is Windows Server 2003 Certificate Services. Windows
Server 2003 Certificate Services can be used to create certificates for users and
computers in Active Directory domains.

The functions performed by Certificate Authorities (CAs) are listed below:

      Accepts the request for a certificate from a user, computer, application, or service.
      Authenticates the identity of the user, computer or service requesting the
       certificate. The CA applies its policies, taking into account the type of certificate
       being requested, to verify the identity of the requestor.
      Creates the certificate for the requestor.
      Digitally signs the certificate using its own private key.

Windows Certificate Services is used to create a Certificate Authority on Windows
Server 2003 servers. The first CA that is installed becomes the root CA. The common
practice is to first install the root CA, and then use the root CA to validate all the other
CAs within the organization. A root CA is the most trusted CA in a CA hierarchy. When
a root CA issues certificates to other CAs, these CAs become subordinate CAs of the root
CA. When a root CA is online, it is used to issue certificates to subordinate CAs. The root
CA does not usually issue certificates directly to users, computers, applications or services.

A subordinate CA can also issue certificates to other subordinate CAs. These subordinate
CAs are called intermediate CAs. While an intermediate CA is subordinate to the root CA,
it is considered superior to those subordinate CAs to which it issued certificates.
Subordinate CAs which only issue certificates to users, and not to other subordinate CAs,
are called leaf CAs.
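As an added example, not part of the original text, the following Go program builds the hierarchy just described with the standard library's crypto/x509 package: a self-signed root CA, a subordinate (intermediate) CA whose certificate is issued by the root, and a leaf server certificate issued by the intermediate. It verifies the leaf against a trust store that contains only the root, and then shows that a certificate for the same name issued by an unrelated CA is rejected, which is what "a certificate cannot be forged" means in practice. The CA names and the host name web01.example.test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a CA certificate with the private key it signs with.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for subj's public key. With a nil issuer the
// certificate is self-signed, which is how the root CA comes into being.
func issue(tmpl *x509.Certificate, subj *ecdsa.PrivateKey, issuer *CA) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed; a real CA uses random serials
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	parent, signer := tmpl, subj
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subj.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a CA; pathLen limits how many further CAs may sit below it.
func newCA(name string, pathLen int, issuer *CA) *CA {
	key := newKey()
	cert, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign,
	}, key, issuer)
	if err != nil {
		panic(err)
	}
	return &CA{cert, key}
}

// issueServerCert issues a leaf (end-entity) certificate for host from issuer.
func issueServerCert(host string, issuer *CA) *x509.Certificate {
	cert, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newKey(), issuer)
	if err != nil {
		panic(err)
	}
	return cert
}

// ChainLength verifies leaf for host against the trusted root, using inter to
// build the path, and returns how many certificates the verified chain contains.
func ChainLength(leaf, root, inter *x509.Certificate, host string) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	const host = "web01.example.test" // constructed host name
	root := newCA("Example Root CA", 1, nil)
	inter := newCA("Example Intermediate CA", 0, root)
	n, err := ChainLength(issueServerCert(host, inter), root.Cert, inter.Cert, host)
	fmt.Println("genuine leaf: chain length", n, "error", err) // prints 3 and <nil>
	forged := issueServerCert(host, newCA("Rogue CA", 0, nil)) // unrelated CA, absent from the trust store
	_, err = ChainLength(forged, root.Cert, inter.Cert, host)
	fmt.Println("forged leaf:", err) // x509: certificate signed by unknown authority
}
```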

The types of CA which you can install are:

      Enterprise root CA: This is the topmost CA in the CA hierarchy, and is the first
       CA installed in the enterprise. Enterprise root CAs are reliant on Active Directory.
       Enterprise root CAs issue certificates to subordinate CAs.
      Enterprise Subordinate CA: This CA also needs Active Directory, and is used to
       issue certificates to users and computers.
      Stand-alone Root CA: A stand-alone root CA is the topmost CA in the certificate
       chain. A stand-alone root CA is not however dependent on Active Directory, and
       can be removed from the network. This makes a stand-alone root CA the solution
       for implementing a secure offline root CA.
      Stand-alone Subordinate CA: This type of CA is also not dependent on Active
       Directory, and is used to issue certificates to users, computers, and other CAs.

Understanding the Configure Your Server Wizard

The Configure Your Server Wizard is one of the main wizards used to perform
administrative tasks for Windows Server 2003 computers. The Configure Your Server
Wizard is used to configure server roles. Windows Server 2003 provides a new tool for
defining and managing server roles, namely, the Manage Your Server utility. The actual
Wizard for applying the server roles to computers is the Configure Your Server Wizard.
The Configure Your Server Wizard is included within the Manage Your Server utility
and is also managed through this utility.

To access the Manage Your Server utility and use the Configure Your Server Wizard,

   1. Click Start, click Administrative Tools, and then click Manage Your Server.

The main screen of the Manage Your Server utility is made up as follows:

      At the top of the Manage Your Server main screen are three buttons, labelled as
       follows:
           o Add or remove a role button; for initiating the Configure Your Server
             Wizard.
           o Read about server roles button; for accessing information on server roles.
           o Read about remote administration button; for accessing information on
             remote administration.
      The left end of the screen contains the server roles which are already configured
       for the particular server.
      Each listed configured server role is accompanied by buttons which can be used
       to view information on the existing role, or manage the existing server role. The
       buttons which are displayed differ between the existing server roles.

You can also initiate the Configure Your Server Wizard by:

   1. Clicking Start, Administrative Tools, and then clicking Configure Your Server.

After the Configure Your Server Wizard is initiated, the following preliminary steps need
to be performed first before any server roles can be added:

       Install all modems and network cards.
       Attach all necessary cables.
       Create an Internet connection if the server is to be used for Internet connectivity.
       Turn on all peripherals.
       Have the Windows Server 2003 installation CD at hand.

Clicking the Next button on the Preliminary Steps screen invokes the Configure Your
Server Wizard to test network connections and verify the operating system, and then
displays the Server Role screen.

The Server Role screen contains the following columns:

       Server role column; indicates the server roles which can be added or removed.
       Configured column; indicates whether a server role is configured or not
        configured.

If you want to navigate to the Add or Remove Programs in Control Panel, click the Add
or Remove Programs link on the Server Role screen.

How to add an application server role to Windows Server 2003

   1. Click Start, click Administrative Tools, and then click Manage Your Server.
   2. Click the Add or remove a role button.
   3. The Configure Your Server Wizard initiates.
   4. Click Next on the Preliminary Steps page of the wizard.
   5. When the Server Role page opens, select the Application server (IIS, ASP.NET)
      server role, and then click Next.
   6. The Application Server Options page opens.
   7. Select the FrontPage Server Extensions checkbox to include Web server
      extensions in the configuration.
   8. Select the Enable ASP.NET checkbox so that Web applications created through
      ASP.NET can be utilized. Click Next.
   9. Verify the settings which you have selected on the Summary of Selections page.
      Click Next.
   10. The installation of the components occurs next.
   11. Click Finish.

How to install the Remote Access and VPN server role using the
Configure Your Server Wizard

  1. Click Start, click Administrative Tools, and then click Manage Your Server.
  2. Select the Add or remove a role option.
  3. The Configure Your Server Wizard starts.
  4. On the Preliminary Steps page, click Next.
  5. A message appears, informing you that the Configure Your Server Wizard is
     detecting network settings and server information.
  6. When the Server Role page appears, select the Remote Access/VPN Server option
     and then click Next.
  7. On the Summary of Selections page, click Next.
  8. The Welcome to the Routing and Remote Access Server Setup Wizard page is
     displayed.

How to add the global catalog server role on a domain controller

  1. Click Start, Administrative Tools, and then click Active Directory Sites and
     Services.
  2. In the console tree, expand Sites, and then expand the site that contains the
     domain controller which you want to configure as a global catalog server.
  3. Expand the Servers folder, and locate and then click the domain controller that
     you want to designate as a global catalog server.
  4. In the details pane, right-click NTDS Settings and click Properties on the shortcut
     menu.
  5. The NTDS Settings Properties dialog box opens.
  6. The General tab is where you specify the domain controller as a global catalog
     server.
  7. Enable the Global Catalog checkbox.
  8. Click OK.

How to remove the global catalog server role from a domain
controller

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, locate and click the domain controller currently configured as
     the global catalog server.
  3. Right-click NTDS Settings and click Properties on the shortcut menu to open the
     NTDS Settings Properties dialog box.
  4. Clear the Global Catalog checkbox.
  5. Click OK.

How to install the DHCP server role

  1. Click Start, Control Panel, and then click Add Or Remove Programs.
  2. When the Add Or Remove Programs dialog box opens, click Add/Remove
     Windows Components.
  3. This starts the Windows Components Wizard.
  4. In the Components list box, select Networking Services, and then click the Details
     button.
  5. The Networking Services dialog box opens.
  6. In the Subcomponents Of Networking Services list box, check the Dynamic Host
     Configuration Protocol (DHCP) checkbox.
  7. Click OK. Click Next.
  8. When The Completing The Windows Components Wizard page is displayed,
     click Finish.

How to implement a caching-only DNS server

  1. Open Control Panel.
  2. Double-click Add/Remove Programs, and then click Add/Remove Windows
     Components.
  3. The Windows Components Wizard starts.
  4. Click Networking Services, and then click Details.
  5. In the Networking Services dialog box, select the checkbox for Domain Name
     System (DNS) in the list. Click OK. Click Next.
  6. When The Completing The Windows Components Wizard page is displayed,
     click Finish.
  7. Do not add or configure any zones for the DNS server. The DNS Server service
     functions as a caching-only DNS server by default. This basically means no
     configuration is necessary to set up a caching-only DNS server.
  8. You should verify that the server root hints are configured correctly.

How to add the Terminal Services server role to Windows Server 2003
using Add Or Remove Programs in Control Panel

  1. Click Start, Control Panel, and then click Add Or Remove Programs.
  2. Click Add/Remove Windows Components to initiate the Windows Components
     Wizard.
  3. Select the Terminal Server checkbox. Click Next.
  4. When the Terminal Server Setup page is displayed, read the message on Terminal
     Server Licensing and Terminal Server mode. Click Next.
  5. Select the appropriate security setting. Click Next.
  6. After the necessary files are copied, click Finish.
  7. When the System Settings Change page is displayed, click Yes to reboot the
     computer.
  8. Terminal Services Configuration, Terminal Services Manager, and Terminal
     Server Licensing are added to the Administrative Tools menu.

How to install IIS 6.0 using the Configure Your Server Wizard

  1. Click Start, click Administrative Tools, and then click Manage Your Server.
  2. In the Manage Your Server main screen, click Add or remove a role.
  3. The Configure Your Server Wizard starts.
  4. The Preliminary Steps screen is a warning screen that prompts you to verify that
     the requirements for the installation have been met. Click Next.
  5. The network connections configured on the machine are tested and verified before
     the Wizard displays the following screen.
  6. On the Configuration Options screen, choose one of the following options:
         o Typical configuration for a first server: You would choose this option to
             install the server as a domain controller, and to install the Active Directory
             directory service, DNS service, and DHCP service.
         o Custom Configuration: This option should be selected to install IIS 6 on
             the server.

       Click Next.

  7. On the Server Role screen, choose Application Server (IIS, ASP.NET) as the role
     that you want to install on the server. From this screen, you can also select to
     install Terminal, Print, DNS, and DHCP services. Selecting the Application
     Server (IIS, ASP.NET) option installs IIS, ASP.NET and additional components
     so that the server can host websites and FTP sites. Click Next.
  8. On the Application Server Options screen, you can select that these optional
     components be installed:
         o FrontPage Server Extensions, for users to develop Web content and
             publish Web content on the IIS machine via Microsoft FrontPage or
             Microsoft Visual Studio.
         o Microsoft Data Engine, for hosting SQL databases on the IIS machine
         o Enable ASP.NET: This option is enabled by default. ASP.NET is the
             scripting framework utilized for running IIS applications.

       Click Next.

  9. The Summary of Selections screen displays a summary of the components which
     you selected for installation. Verify that the correct items are listed on this screen.
     The Enable COM+ for remote transactions option is automatically added. Click
     Next.
  10. The installation process now commences. You would either have to insert the
      Windows Server 2003 CD, or indicate the location of the installation files. The
      Application Selections screen is displayed, the Configuration Components
      window appears, and the necessary files are copied.

DNS Server Roles
DNS Server and DNS Server Roles
Overview
Before DNS, HOSTS files were used to resolve host names to IP addresses. The HOSTS
files were manually maintained
by administrators. The HOSTS file was located on a centrally administered server on the
Internet. Because of the shortcomings of the HOSTS files, DNS was designed and
introduced. From the days of Windows NT Server 4.0, DNS has been included with the
operating system. DNS is a hierarchically distributed and scalable database. DNS
provides name registration, name resolution and service location for Windows 2000 and
Windows Server 2003 clients.

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS
server has authority, or is authoritative. A zone is a portion of a namespace – it is not a
domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or
more contiguous domains. A DNS server can be authoritative for multiple DNS zones.

A DNS server is a computer running the DNS Server service, or BIND, that provides
domain name services. The DNS server program, whether it is the DNS Server service or
BIND, manages and maintains the DNS database located on the DNS server. The
information in the DNS database of a DNS server pertains to a portion of the DNS domain
tree structure or namespace. This information is used to provide responses to client
requests for name resolution. When a DNS server is queried for name resolution, it can
respond to the request directly by providing the requested information, provide a pointer
(referral) to another DNS server that can assist in resolving the query, or respond that
the information is unavailable or that it does not exist. A DNS server is authoritative
for the contiguous portion of the DNS namespace that it hosts.

You can configure different server roles for your DNS servers. The server role that you
configure for a name server affects the following operations of the server:

      • The way in which the DNS server stores DNS data
      • The way in which the DNS server maintains data
      • Whether the DNS data in the database file can be directly edited

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone.
There are a number of zones used in Windows Server 2003 DNS:

      • Primary zone: This is the only zone type that can be directly updated or edited,
        because the data in the zone is the original source of the data for all domains in
        the zone. Updates made to the primary zone are made by the DNS server that is
        authoritative for the specific primary zone.
      • Secondary zone: This is a read-only copy of the zone that was copied from the
        master server during zone transfer.
      • Active Directory-integrated zone: This is an authoritative primary zone that stores
        its data in Active Directory. Active Directory-integrated zones can be regarded as
        enhanced standard primary zones.
      • Stub zone: Stub zones only contain those resource records necessary to identify
        the authoritative DNS servers for the master zone.

Standard secondary DNS servers are usually implemented to provide a number of
features for the DNS environment, including:

      • Provide redundancy: It is recommended to install one primary DNS server and
        one secondary DNS server for each DNS zone (minimum requirement). Install the
        DNS servers on different subnets so that if one DNS server fails, the other DNS
        server can continue to resolve queries.
      • Distribution of DNS processing load: Implementing secondary DNS servers
        assists in reducing the load on the primary DNS server.
      • Provide fast access for clients in remote locations: Secondary DNS servers can
        also prevent clients from traversing slow links for name resolution requests.

In addition to the two server roles just mentioned, you can also configure the DNS server
as a DNS forwarder or as a caching-only DNS server. The remainder of this article focuses
on the different DNS server roles that you can configure for your DNS servers.

Understanding Standard Primary DNS Servers
A standard primary DNS server is a name server that obtains zone data from the local
DNS database. This makes the primary DNS server authoritative for the zone data that it
contains. When a change needs to be made to the resource records of the zone, it has to
be done on the primary DNS server so that it can be included in the local zone database.

A DNS primary server is created when a new primary zone is added. The primary server
that is created becomes the mechanism for updating the specific primary zone.

When a query is sent to the standard primary DNS server for name resolution, the
following events take place:
   1. The request for name resolution is sent to the primary DNS server.
   2. The primary DNS server compares the requested name to the information it
      contains in its local zone database.
   3. If the primary DNS server locates a match for the queried name, the requested
      information is returned to the client.
   4. If the DNS server cannot find a matching record in its local zone database file, the
      DNS server then attempts a number of name resolution methods to resolve the
      request on behalf of the client.
   5. If all attempts at name resolution are unsuccessful, the DNS server returns an
      error message to the client.

Understanding Standard Secondary DNS Servers
This DNS server type obtains a read-only copy of zone information through DNS zone
transfers. A secondary DNS server cannot make any changes to the information
contained in its read-only zone copy. A secondary DNS server can however resolve
queries for name resolution.

Secondary DNS servers are usually implemented to provide fault tolerance, provide fast
access for clients in remote locations, and to distribute the DNS server processing load
evenly. If a secondary DNS server is implemented, that DNS server can continue to
handle queries when the primary DNS becomes unavailable. Secondary DNS servers also
assist in reducing the processing load of the primary DNS server. It is recommended to
install at least one primary DNS server, and one secondary DNS server for each DNS
zone.

A secondary DNS server obtains its data from the primary DNS server's zone database, as
a copy of that database. During zone transfer, the primary DNS server's zone database is
replicated to the secondary DNS server. A secondary DNS server cannot make changes to
its zone information. All changes have to be made on the primary zone, and then have to
be replicated to the secondary DNS server through DNS zone transfer.

DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS
servers when its database has been updated. The mechanism informs the secondary DNS
servers when they need to initiate a zone transfer so that the updates of the primary DNS
server can be replicated to them. When a secondary DNS server receives the notification
from the primary DNS server, it can start an incremental zone transfer or a full zone
transfer to pull zone changes from the primary DNS server.
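The zone transfer flow just described, together with the stub zone type listed earlier (SOA, NS and glue A records only), as an added worked example. This is illustrative Python written for this page, not code from the page or from the Windows DNS Server service; the zone records, the serial numbers and the two-entry change journal are constructed, and the IXFR/AXFR choice is modelled on that journal rather than on any real server's implementation.

```python
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 1 << 32  # SOA serials are 32-bit and wrap around (RFC 1982)


@dataclass(frozen=True)
class RR:
    """One resource record, reduced to owner name, type and rdata (constructed)."""
    name: str
    rtype: str
    data: str


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: True when candidate is ahead of current,
    allowing for wrap-around. An equal serial is not newer."""
    diff = (candidate - current) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def stub_zone_view(records: set) -> set:
    """What a stub zone keeps from the master zone: the SOA record, the NS
    records, and the glue A records of the name servers those NS records name."""
    ns_hosts = {r.data for r in records if r.rtype == "NS"}
    return {r for r in records
            if r.rtype in ("SOA", "NS") or (r.rtype == "A" and r.name in ns_hosts)}


class Master:
    """Primary (master) server: owns the only writable copy of the zone and keeps
    a short journal of recent changes so it can answer incremental transfers."""

    def __init__(self, serial: int, records: set, journal_depth: int = 2):
        self.serial = serial
        self.records = set(records)
        self.journal = []  # (serial_before, serial_after, removed, added)
        self.journal_depth = journal_depth

    def update(self, removed=(), added=()) -> int:
        """Edit the primary zone and bump the SOA serial."""
        before = self.serial
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.records -= set(removed)
        self.records |= set(added)
        self.journal.append((before, self.serial, set(removed), set(added)))
        self.journal = self.journal[-self.journal_depth:]
        return self.serial

    def transfer(self, from_serial: Optional[int]):
        """IXFR when the journal still reaches the requester's serial; otherwise
        a full AXFR (also the path for a secondary that holds nothing yet)."""
        for i, (before, _after, _removed, _added) in enumerate(self.journal):
            if before == from_serial:
                return "IXFR", self.journal[i:]
        return "AXFR", set(self.records)


class Secondary:
    """Secondary server: a read-only copy, changed only by zone transfer."""

    def __init__(self, master: Master):
        self.master = master
        self.serial: Optional[int] = None
        self.records = set()
        self.refresh()  # brought online: pull the zone from the master

    def refresh(self) -> str:
        """Run when DNS Notify arrives or the SOA refresh timer fires. The SOA
        serial is compared first, so an unchanged zone moves no data at all."""
        if self.serial is not None and not serial_is_newer(self.master.serial, self.serial):
            return "up-to-date"
        kind, payload = self.master.transfer(self.serial)
        if kind == "AXFR":
            self.records = set(payload)
        else:
            for _before, _after, removed, added in payload:
                self.records -= removed
                self.records |= added
        self.serial = self.master.serial
        return kind


def demo():
    """Constructed zone for example.test using documentation addresses."""
    zone = {
        RR("example.test.", "SOA", "ns1.example.test. hostmaster.example.test."),
        RR("example.test.", "NS", "ns1.example.test."),
        RR("ns1.example.test.", "A", "192.0.2.1"),
        RR("www.example.test.", "A", "192.0.2.10"),
    }
    master = Master(serial=2003010100, records=zone)
    secondary = Secondary(master)                      # initial AXFR
    first = secondary.refresh()                        # Notify with no change
    master.update(added={RR("mail.example.test.", "A", "192.0.2.25")})
    second = secondary.refresh()                       # one journaled change
    for i in range(3):                                 # more than the journal keeps
        master.update(added={RR(f"host{i}.example.test.", "A", f"192.0.2.{100 + i}")})
    third = secondary.refresh()                        # journal too short now
    return first, second, third, secondary.records == master.records


if __name__ == "__main__":
    print(demo())  # ('up-to-date', 'IXFR', 'AXFR', True)
```

refresh() compares the SOA serial before it moves any data, which is why a Notify for an unchanged zone costs nothing, and why a secondary whose serial has fallen out of the master's journal is forced back to a full transfer. serial_is_newer() uses wrap-around arithmetic so a serial that has passed 2^32 is still recognised as newer.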

Understanding Caching-Only DNS Servers
The main characteristics of caching-only DNS servers are:

      • Caching-only DNS servers do not host zones.
      • They are not authoritative for any DNS domain.
      • The information stored by a caching-only DNS server is the name resolution
        data that it has collected through name resolution queries.

A caching-only DNS server just performs queries and then stores the results of these
queries. All information stored on the caching-only DNS server is therefore only that data
which has been cached while the server performed queries. Caching-only DNS servers
only cache information when the queries have been resolved.

When a caching-only DNS server starts for the first time, it has no cached information.
The caching-only DNS server collects information as it sends and resolves queries. One
of the main advantages of implementing caching-only DNS servers is that they are
excluded from the zone transfer process, and therefore do not generate network traffic
from zone transfers.
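An added example of the behaviour described above: a caching-only resolver that starts empty, keeps only answers it has actually resolved (and only for their TTL), and refuses to start without root hints, matching the verification step in the caching-only setup procedure. This is illustrative Python written for this page, not code from the page or from Microsoft's DNS Server service; the upstream answers, TTLs, root hint address and clock are all constructed so that it runs offline.

```python
import time


class CachingOnlyResolver:
    """Caching-only server: hosts no zones, is authoritative for nothing, and
    holds only the answers it has already obtained by resolving queries."""

    def __init__(self, upstream, root_hints, clock=time.monotonic):
        # Root hints are the only configuration such a server needs; with none
        # it has nowhere to start resolving, so it should not start at all.
        if not root_hints:
            raise ValueError("no root hints configured")
        self.root_hints = list(root_hints)
        self.upstream = upstream        # callable(name, rtype) -> (rdata, ttl) or None
        self.clock = clock
        self.cache = {}                 # (name, rtype) -> (rdata, expires_at)
        self.upstream_queries = 0       # queries sent to other servers

    def resolve(self, name, rtype="A"):
        """Return (rdata, source); source says where the answer came from."""
        key = (name.rstrip(".").lower(), rtype)   # DNS names are case-insensitive
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and entry[1] > now:
            return entry[0], "cache"
        self.cache.pop(key, None)                 # TTL expired: discard the entry
        self.upstream_queries += 1
        answer = self.upstream(*key)
        if answer is None:
            return None, "unresolved"             # failed queries add nothing to the cache
        rdata, ttl = answer
        self.cache[key] = (rdata, now + ttl)      # keep the answer only for its TTL
        return rdata, "upstream"

    def cached_names(self):
        """Everything the server knows, which is only what it has looked up."""
        return sorted(name for name, _ in self.cache)


class FakeClock:
    """Controllable clock so TTL expiry can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed stand-in for the authoritative servers the resolver would reach
# by way of the root hints: (name, type) -> (rdata, ttl in seconds).
CONSTRUCTED_ANSWERS = {
    ("www.example.test", "A"): ("192.0.2.10", 300),
    ("mail.example.test", "A"): ("192.0.2.25", 60),
}


def constructed_upstream(name, rtype):
    return CONSTRUCTED_ANSWERS.get((name, rtype))


def demo():
    clock = FakeClock()
    resolver = CachingOnlyResolver(constructed_upstream, root_hints=["198.51.100.1"], clock=clock)
    sources = [
        resolver.resolve("www.example.test")[1],     # fresh start: nothing cached
        resolver.resolve("WWW.example.test.")[1],    # same name, served from cache
    ]
    clock.advance(301)                               # past the 300 s TTL
    sources.append(resolver.resolve("www.example.test")[1])
    sources.append(resolver.resolve("nonexistent.example.test")[1])
    sources.append(resolver.resolve("nonexistent.example.test")[1])  # still not cached
    return sources, resolver.upstream_queries, resolver.cached_names()


if __name__ == "__main__":
    print(demo())
```

The counter of upstream queries is the only network cost the server has: four lookups went out, none of them a zone transfer, and the cache afterwards contains nothing but the one name that was resolved successfully.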

Understanding Master DNS Servers
The servers from which secondary DNS servers obtain zone information in the DNS
hierarchy are called master servers. When a secondary DNS server is configured, you
have to specify the master server from which it will obtain zone information. Zone
transfer enables a secondary DNS server to obtain zone information from its configured
primary DNS server, and enables these servers to continue handling queries if the
primary DNS server fails. In this case, the primary DNS server is the master server of the
secondary DNS server. A secondary DNS server can also transfer its zone data to other
secondary DNS servers, which are beneath it in the DNS hierarchy. In this case, the
secondary DNS server is regarded as the master server to the other subordinate secondary
DNS servers. A secondary DNS server initiates the zone transfer process from its
particular master server when it is brought online.

Understanding Dynamic DNS Servers
Windows 2000, Windows XP and Windows Server 2003 computers can dynamically
update the resource records of a DNS server when a client's IP addressing information is
added, or renewed via Dynamic Host Configuration Protocol (DHCP). Both DHCP and
Dynamic DNS (DDNS) updates make this possible. When dynamic DNS updates are
enabled, a client sends a message to the DNS server when changes are made to its IP
addressing data. This indicates to the DNS server that the A type resource record of the
client needs to be updated.

How to implement a caching-only DNS server
   1. Open Control Panel.
   2. Double-click Add/Remove Programs, and then click Add/Remove Windows
      Components.
   3. The Windows Components Wizard starts.
   4. Click Networking Services, and then click Details.
   5. In the Networking Services dialog box, select the checkbox for Domain Name
      System (DNS) in the list.
   6. Click OK. Click Next.
   7. Click Finish.
  8. Do not add or configure any zones for the DNS server. The DNS Server service
     functions as a caching-only DNS server by default. This basically means no
     configuration is necessary to set up a caching-only DNS server.
  9. You should verify that the server root hints are configured correctly.

How to add a new zone to a DNS server
  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, find and select the DNS server on which you want to create
      the new DNS zone.
  3. From the Action menu, click the New Zone option.
  4. On the initial page of the New Zone Wizard, click Next.
  5. Select the zone type that you want to create. The options are:
          o Primary, to create a new standard primary zone.
          o Secondary, to create a copy of the primary zone.
          o Stub, to create a copy of a zone that holds only the NS record, the SOA
              record, and the glue A record.
  6. Select the default selected option – Primary zone.
  7. To integrate the new zone with Active Directory, select the Store the zone in
      Active Directory (available only if DNS server is a domain controller)
      checkbox. As its name states, this checkbox can only be selected when the
      DNS server is a domain controller.
  8. Click Next.
  9. On the Active Directory Zone Replication Scope page, accept the default setting
      for DNS replication: To all domain controllers in the Active Directory domain.
      Click Next.
  10. Select the Forward lookup zone option on the following page which is displayed
      by the New Zone Wizard, and then click Next.
  11. Enter a zone name for the new zone. Click Next.
      The options that you can select on the following page with regard to dynamic
      updates are:
          o Allow only secure dynamic updates (recommended for Active Directory)
              option: This option is only available if you are using Active Directory-
              integrated zones.
          o Allow both non-secure and secure dynamic updates option: Select this
              option with caution!
          o Do not allow dynamic updates option: You have to manually update zone
              information and resource records.
  12. Choose the best option for your circumstance, and then click Next.
  13. Click Finish to add the new zone to your DNS server.

How to enable dynamic updating on your DNS servers
Active Directory-integrated zones are set up to only allow secure dynamic updates.

   1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
   2. In the console tree, expand the DNS server node that contains the authoritative
      zone that you want to work with.
   3. Expand the Forward Lookup Zones folder.
   4. Locate the specific zone that you want to configure.
   5. Right-click the zone, and then select Properties on the shortcut menu.
   6. When the Zone's Properties dialog box opens, leave the General tab displayed.
   7. The options available in the Dynamic updates: list box are:
          o None
          o Non-secure and secure
          o Secure only
   8. Select the Secure only option, and then click OK.
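As an added worked example of the dynamic update settings discussed above (the zone wizard's three options and the Dynamic updates list box just described), the following Python models a zone that enforces each mode against the same three update messages. It is illustrative code written for this page, not the page's own nor the DNS Server service's. Active Directory authenticates secure updates with GSS-TSIG (Kerberos); that is modelled here by a shared-secret HMAC-SHA256 TSIG with constructed keys, and the status strings and audit list are this example's own.

```python
import hashlib
import hmac
import json

# The three settings shown in the zone's Dynamic updates list box.
MODES = ("None", "Non-secure and secure", "Secure only")

# Constructed client keys. In Active Directory the proof of identity is
# GSS-TSIG (Kerberos); a shared-secret HMAC-SHA256 TSIG stands in for it here.
CONSTRUCTED_KEYS = {"host1.example.test": b"constructed-secret-for-host1"}


def _canonical(update: dict) -> bytes:
    """Bytes covered by the MAC: every field except the signature itself."""
    body = {k: v for k, v in update.items() if k != "tsig"}
    return json.dumps(body, sort_keys=True).encode()


def sign_update(update: dict, key_name: str, key: bytes) -> dict:
    """Client side: attach a TSIG-style MAC to an update message."""
    mac = hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()
    return {**update, "tsig": {"key_name": key_name, "mac": mac}}


class DynamicUpdateZone:
    """Server side: a zone that accepts or refuses dynamic updates according to
    the configured mode. Records are keyed by (name, type)."""

    def __init__(self, mode: str, keys: dict):
        if mode not in MODES:
            raise ValueError(f"unknown dynamic update mode: {mode}")
        self.mode = mode
        self.keys = keys
        self.records = {}
        self.audit = []   # (name, type, rdata, how the update was authorised)

    def _verify(self, update: dict) -> bool:
        tsig = update.get("tsig")
        if not tsig:
            return False
        key = self.keys.get(tsig.get("key_name"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tsig.get("mac", ""))

    def apply(self, update: dict) -> str:
        """Return a DNS-style status: NOERROR, REFUSED or BADSIG."""
        if self.mode == "None":
            return "REFUSED"                   # administrators edit the zone by hand
        authenticated = self._verify(update)
        if "tsig" in update and not authenticated:
            return "BADSIG"                    # a failed signature never passes, in any mode
        if self.mode == "Secure only" and not authenticated:
            return "REFUSED"                   # unsigned updates are dropped
        self.records[(update["name"], update["rtype"])] = update["rdata"]
        self.audit.append((update["name"], update["rtype"], update["rdata"],
                           "authenticated" if authenticated else "unauthenticated"))
        return "NOERROR"


def demo():
    """The same three updates against a zone in each of the three modes."""
    plain = {"name": "host1.example.test", "rtype": "A", "rdata": "192.0.2.50"}
    signed = sign_update(plain, "host1.example.test", CONSTRUCTED_KEYS["host1.example.test"])
    tampered = {**signed, "rdata": "203.0.113.9"}   # rdata altered after signing
    results = {}
    for mode in MODES:
        zone = DynamicUpdateZone(mode, CONSTRUCTED_KEYS)
        results[mode] = (zone.apply(plain), zone.apply(signed), zone.apply(tampered))
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:22s} plain={outcome[0]} signed={outcome[1]} tampered={outcome[2]}")
```

The audit list records whether each accepted change was authenticated; in Non-secure and secure mode it is the only way to tell afterwards which records came from an identified client and which from an unverified source, which is the reason the wizard labels that option with a caution.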

How to disable dynamic updates for a host computer or interface
You can also disable dynamic updates for a host computer, for a specific interface on that
computer, or for multiple interfaces on the computer.

   1. Open the Registry Editor tool.
   2. In the left pane, expand the HKEY_LOCAL_MACHINE key, expand System,
      expand CurrentControlSet, and then expand Services.
   3. Locate Tcpip, and then expand this node as well.
   4. Find the Parameters node.
   5. To disable dynamic updates for the host computer, click the Parameters node. In
      the details pane, double-click the DisableDynamicUpdate entry. Change the value
      data of DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.
   6. To disable dynamic updates for a single interface, expand the Parameters node,
      and then expand the Interfaces node. Select the interface, and then double-click
      the DisableDynamicUpdate entry in the details pane. Change the value data of
      DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.

How to test a query on a DNS server
   1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
   2. In the console tree, right-click the DNS server that you want to test and then select
      Properties on the shortcut menu.
   3. When the DNS Server's Properties dialog box opens, click the Monitoring tab.
   4. You can choose to perform a simple query test, a recursive query test, or you can
      specify that the DNS server automatically performs testing at an interval that you
      set.
  5. In the Select A Test Type area of the Monitoring tab, select the A Simple Query
     Against This DNS Server checkbox.
  6. Click the Test Now button.
  7. The Test Results area of the tab displays the results of the test.
  8. Click OK.
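The simple and recursive query tests differ only in the RD (recursion desired) bit of the query header. As an added example, not code from the page or from the DNS console, the following Python builds such a query, decodes the response header, and reports PASS or FAIL with the checks a client should make before trusting a reply. build_response() is a constructed fixture standing in for a real server so the example runs offline; the example.test name and the 192.0.2.x address are constructed as well.

```python
import random
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, recursive: bool = True, qtype: int = 1, txid: int = -1) -> bytes:
    """One DNS question. RD=1 is the console's recursive query test (the server
    must chase the answer on our behalf); RD=0 is the simple query, answered
    only from what the server itself holds."""
    if txid < 0:
        txid = random.randrange(1 << 16)
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into the fields the test needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # is this a response?
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def evaluate_test(query: bytes, response: bytes) -> str:
    """PASS or FAIL as the Monitoring tab reports it, after the checks a client
    makes before it trusts a reply at all."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        return "FAIL: transaction id mismatch, reply is not for this query"
    if not r["qr"]:
        return "FAIL: packet is not a response"
    if q["rd"] and not r["ra"]:
        return "FAIL: recursion requested but the server does not offer it"
    if r["rcode"] != "NOERROR":
        return f"FAIL: {r['rcode']}"
    return "PASS"


def build_response(query: bytes, ip: str, authoritative: bool,
                   recursion_available: bool, rcode: int = 0) -> bytes:
    """Constructed reply to `query`, standing in for a real server (test fixture)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = (0x8000 | (qflags & 0x0100) | (0x0400 if authoritative else 0)
             | (0x0080 if recursion_available else 0) | (rcode & 0x000F))
    question = query[12:]
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # Name is a pointer to offset 12 (the question name); type A, class IN, TTL 300, 4 bytes rdata.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.test", recursive=True)
    print(evaluate_test(q, build_response(q, "192.0.2.10", authoritative=True, recursion_available=True)))
```

The transaction id check comes first because a reply whose id does not match was not produced for this query and says nothing about the server under test; the recursion check only applies when the query asked for recursion, so a simple query against a server that does not recurse still passes.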
