NETLOGON vs SYSVOL
Logon scripts are found under the domain controller's NETLOGON admin share on Windows NT, whereas they are found under the SYSVOL share on Windows 2000. This can cause some confusion for Windows NT admins not familiar with the name change. On Windows NT DCs, the %SystemRoot%\System32\Repl\Import\Scripts folder is shared as NETLOGON. As part of the upgrade, Dcpromo modifies the registry value that defines the path to the NETLOGON share to %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts. The default folder structure for W2K is:
%SystemRoot%\Sysvol\Sysvol\domain_name\Policies
%SystemRoot%\Sysvol\Sysvol\domain_name\Scripts
Any changes to the %systemroot%\SYSVOL folder on any DC are replicated to the other DCs in the domain. Replication is RPC based.
You can use NETLOGON and SYSVOL to distinguish between DC and member server. If both the NETLOGON and SYSVOL shares exist on a W2K server, it is a DC. When dcpromo demotes a DC to a member server, the NETLOGON share is removed. Thus the presence of only SYSVOL signals a member server.
A neat method to check which servers are receiving replication (the example is W2K, but the technique is general): create a file to be replicated that has the same name as the domain controller. Let's say the DC is named w2ksrv1; in that case create the file
\\Winnt\Sysvol\Sysvol\yourdomain\w2ksrv1
and check which domain controllers in yourdomain receive the new file.
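The share check and the replication canary described above, as an added PowerShell example that is not part of the original page; the domain name, server names and the .txt extension on the canary are assumptions.

```powershell
# Added example (not part of the original page): tell DCs from member servers
# by the NETLOGON/SYSVOL shares they expose, then drop a replication "canary"
# file named after the source DC into SYSVOL and see which DCs receive it.
# Assumes a domain-joined admin workstation; the domain and server names are
# constructed placeholders, and the canary gets a .txt extension for tidiness.

$Domain  = 'yourdomain.local'                 # assumption: your DNS domain name
$Servers = 'w2ksrv1', 'w2ksrv2', 'member1'    # constructed sample server names

function Get-ServerRole {
    param([string]$Server)
    # 'net view' lists the non-hidden shares a server advertises; NETLOGON and
    # SYSVOL are ordinary (not $-suffixed) shares, so they show up by name.
    $shares = net view "\\$Server" 2>$null
    $hasNetlogon = [bool]($shares -match '^\s*NETLOGON\s')
    $hasSysvol   = [bool]($shares -match '^\s*SYSVOL\s')
    if ($hasNetlogon -and $hasSysvol) { return 'Domain controller' }
    if ($hasSysvol)                   { return 'Member server (SYSVOL left over from demotion)' }
    return 'Member server'
}

function Test-SysvolReplication {
    param([string]$SourceDc, [string[]]$DomainControllers, [string]$Domain, [int]$WaitSeconds = 60)
    # The canary carries the source DC's name, so on every other DC you can see
    # at a glance where it originated. The SYSVOL share maps to the folder that
    # holds the <domain> directory, so the file lands next to Policies and Scripts.
    $canary = "\\$SourceDc\SYSVOL\$Domain\$SourceDc.txt"
    Set-Content -Path $canary -Value (Get-Date -Format o)
    Start-Sleep -Seconds $WaitSeconds          # give replication time; adjust to your topology
    foreach ($dc in $DomainControllers) {
        [pscustomobject]@{
            DomainController = $dc
            ReceivedCanary   = Test-Path "\\$dc\SYSVOL\$Domain\$SourceDc.txt"
        }
    }
}

# Classify the servers, then run the canary test from the first DC found.
$roles = foreach ($s in $Servers) { [pscustomobject]@{ Server = $s; Role = (Get-ServerRole $s) } }
$roles | Format-Table -AutoSize

$dcs = @($roles | Where-Object Role -eq 'Domain controller' | Select-Object -ExpandProperty Server)
if ($dcs.Count -ge 2) {
    Test-SysvolReplication -SourceDc $dcs[0] -DomainControllers $dcs -Domain $Domain | Format-Table -AutoSize
    Remove-Item "\\$($dcs[0])\SYSVOL\$Domain\$($dcs[0]).txt" -ErrorAction SilentlyContinue   # clean up the canary
}
```

A DC that never reports ReceivedCanary = True after a generous wait is the one whose replication needs investigating.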
Active Directory Support Files
The ESE engine used by Active Directory is based on Microsoft's Jet database technology. Jet uses a B-tree file structure with transaction logs to ensure recoverability in the event of a system or drive failure.
When you promote a server to a domain controller, you select where to put the Active Directory files. The default path is in the boot partition under \Windows\NTDS. Generally, it is a good idea to put them on a separate volume from the operating system files to improve performance.
The following list contains the Active Directory support files and their functions:
Ntds.dit. This is the main AD database. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.
Edb.log. This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10 MB.
Edbxxxxx.log. These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, and Edbtemp.log is renamed to Edb.log file, and the process starts over again. ESENT uses circular logging. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.
Edb.chk. This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.
Res1.log and Res2.log. These are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems as you run out of drive space with online database defragmentation (compaction). This can cause Active Directory to stop working if the indexes cannot be rebuilt.
Temp.edb. This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.
Schema.ini. This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.
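The file list above, turned into an added inventory script that is not part of the original page: it locates the database and log folders through the NTDS service parameters, labels each file with the role the text gives it, and flags the conditions the text warns about. It assumes it runs on a domain controller with local admin rights and that the 10 MB log size and Res1/Res2 naming described for W2K apply; the free-space threshold is an assumption.

```powershell
# Added example (not part of the original page): inventory the AD support files
# and warn about log files that are not 10 MB, several pending Edbxxxxx.log
# files, and a volume running low on free space. Assumes a domain controller,
# local admin rights, and the W2K-era file names described above.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = (Get-ItemProperty $ntdsParams).'DSA Database file'
$logPath = (Get-ItemProperty $ntdsParams).'Database log files path'
$dbDir   = Split-Path $dbFile -Parent

function Get-NtdsFileRole {
    param([string]$Name)
    # Map each file name pattern to the role the text assigns it.
    switch -Regex ($Name) {
        '^ntds\.dit$'           { 'Main AD database';                        break }
        '^edb\.log$'            { 'Current transaction log';                 break }
        '^edb[0-9a-f]{5}\.log$' { 'Auxiliary transaction log (pending)';     break }
        '^edb\.chk$'            { 'Checkpoint file';                         break }
        '^res[12]\.log$'        { 'Reserve log file';                        break }
        '^temp\.edb$'           { 'Scratch file (transactions/compaction)';  break }
        '^schema\.ini$'         { 'Initial Ntds.dit template (promotion only)'; break }
        default                 { 'Other' }
    }
}

$files = Get-ChildItem -Path $dbDir, $logPath -File -ErrorAction SilentlyContinue |
    Sort-Object FullName -Unique            # db and logs may share one folder
$inventory = foreach ($f in $files) {
    [pscustomobject]@{
        Name   = $f.Name
        SizeMB = [math]::Round($f.Length / 1MB, 2)
        Role   = Get-NtdsFileRole $f.Name
    }
}
$inventory | Format-Table -AutoSize

# Checks drawn from the text: ESE transaction and reserve logs are always 10 MB.
$logs = $inventory | Where-Object { $_.Role -like '*transaction log*' -or $_.Role -eq 'Reserve log file' }
foreach ($l in $logs) {
    if ($l.SizeMB -ne 10) { Write-Warning "$($l.Name) is $($l.SizeMB) MB, expected 10 MB" }
}

# More than one Edbxxxxx.log means a backlog of updates not yet committed to Ntds.dit.
$pending = @($inventory | Where-Object Role -eq 'Auxiliary transaction log (pending)')
if ($pending.Count -gt 1) { Write-Warning "$($pending.Count) Edbxxxxx.log files waiting to be committed" }

# Never let the AD volume get close to full (Res1/Res2 are the last resort).
$drive   = Get-PSDrive -Name $dbDir.Substring(0, 1)
$freePct = [math]::Round(100 * $drive.Free / ($drive.Free + $drive.Used), 1)
if ($freePct -lt 20) {   # 20% is an assumed threshold; pick your own
    Write-Warning "Volume $($drive.Name): is only $freePct% free; free space before AD is affected"
}
```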
What's new in Windows 2008 Active Directory
As an Active Directory administrator, I was very curious about the Windows 2008 features compared to earlier versions such as Windows 2003. Windows 2008 comes with a whole bunch of features, and I am going to discuss specifically the features of the Active Directory server roles in Windows 2008.
First I will list the features of Windows 2008 Active Directory, and I will discuss each in detail in my upcoming articles.
Auditing
With the new auditing feature in Windows 2008 you can see both the previous and the present value of a changed attribute on an Active Directory object; Windows 2003 auditing only tells you the present value of the changed attribute.
This is a very useful feature in Windows 2008, since you can revert a change using the previous value of the attribute.
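An added example, not part of the original page, of putting that auditing feature to work: it enables the Directory Service Changes subcategory and pairs the "value deleted" and "value added" records of event 5136 so the old and new values of an attribute appear side by side. It assumes it runs on a domain controller as an administrator and that the domain's SACL already audits "Write all properties" for Everyone (set via Active Directory Users and Computers); that SACL is not created here.

```powershell
# Added example (not part of the original page): turn on directory service
# change auditing and show old/new attribute values from Security event 5136.
# Assumes a Windows 2008 or later DC, admin rights, and an existing SACL.

# 1. Enable the "Directory Service Changes" subcategory (success events).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Read 5136 events and pull the fields we care about out of the event XML.
function Get-AdAttributeChanges {
    param([int]$MaxEvents = 200)
    # OperationType is logged as a message id: %%14674 = Value Added, %%14675 = Value Deleted
    $opName = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Correlation = $d['OpCorrelationID']   # same id for all records of one LDAP operation
                Object      = $d['ObjectDN']
                Attribute   = $d['AttributeLDAPDisplayName']
                Operation   = $opName[$d['OperationType']]
                Value       = $d['AttributeValue']
            }
        }
}

# 3. Group by correlation id and attribute: the deleted value is the previous
#    one, the added value the present one (Windows 2003 showed only the latter).
function Get-AdAttributeChangePairs {
    Get-AdAttributeChanges |
        Group-Object Correlation, Attribute |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                Time      = $first.Time
                Object    = $first.Object
                Attribute = $first.Attribute
                OldValue  = ($_.Group | Where-Object Operation -eq 'Value Deleted').Value
                NewValue  = ($_.Group | Where-Object Operation -eq 'Value Added').Value
            }
        }
}

Get-AdAttributeChangePairs | Format-Table -AutoSize
```

A row with an OldValue but no NewValue is an attribute that was cleared, which is exactly the value you would need in order to revert the change.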
Fine-Grained Passwords
In Windows 2003, by default, all user accounts in the domain must use the same password policy, which is configured at the domain level; that is why we call the domain a security boundary. If you need a different password policy, you have to create a new domain.
In Windows 2008 a password policy can be configured for a specific group of users within the domain.
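An added example, not part of the original page, of a fine-grained password policy that gives one group a stricter policy than the domain default. It assumes the Active Directory module for Windows PowerShell (Windows 2008 R2 and later) on a domain at the Windows Server 2008 functional level; the policy name and settings are assumptions to adapt.

```powershell
# Added example (not part of the original page): a stricter Password Settings
# Object (PSO) for one group inside the domain, something the single
# domain-level policy of Windows 2003 could not express.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAdmins'   # assumed name
$group   = 'Domain Admins'          # group that should get the stricter policy

# Create the PSO. When a user is covered by several PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false

# Link the PSO to the group; group membership decides whom it applies to.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: the resultant policy of a group member versus the domain default.
$member = (Get-ADGroupMember -Identity $group -Recursive |
           Where-Object objectClass -eq 'user' | Select-Object -First 1).SamAccountName
Get-ADUserResultantPasswordPolicy -Identity $member |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold
```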
Read-Only Domain Controller
Everyone knows about the BDC (backup domain controller). The Read-Only Domain Controller is similar to the BDC, but it takes only the advantages of the BDC and is designed specifically for today's requirements, such as branch office deployments and managing the branch office.
We all know how difficult it is to design and manage a domain controller in a branch office; sometimes it leads to lingering objects. Use a Read-Only Domain Controller in a branch office where the physical security of the domain controller is in question, or for domain controllers that host additional roles and require other users to log on and maintain the server.
In any Active Directory environment, if one domain controller has not replicated with its partner domain controller for more than one month, that is a very critical issue: you have to rectify the replication problem as soon as possible, or the domain controller needs to be decommissioned within the tombstone lifetime. Since the RODC is read-only, there is no worry about the tombstone lifetime.
Restartable Active Directory Domain Services
Good news: there is no longer any need to restart the domain controller every time for Active Directory maintenance.
In Windows 2008 Active Directory is a service; you can stop or restart the service for maintenance without restarting the domain controller, and restarting in Directory Services Restore Mode is not required for most maintenance functions. Some maintenance functions still require Directory Services Restore Mode, however.
Database Mounting Tool
The Active Directory Database Mounting Tool in Windows Server 2008 creates and views snapshots of data stored in Active Directory Domain Services, with no need to restart the domain controller. A snapshot is a shadow copy created by the Volume Shadow Copy Service; snapshots taken at different times let you choose which data to restore after an object deletion. This reduces administrator time, since you no longer need to restore multiple backups to compare Active Directory data.
The Active Directory Database Mounting Tool is also called the Snapshot Viewer, Snapshot Browser, or Active Directory data mining tool.
Active Directory Recycle Bin
You can restore an accidentally deleted Active Directory object without an Active Directory authoritative restore. This can be used for single-object restores, such as the accidental deletion of a user or OU, and reduces domain controller downtime.
Active Directory module for Windows PowerShell
PowerShell is available on Windows 2003 itself, but it is not fully supported for Active Directory; you cannot manage Active Directory using PowerShell on Windows 2003.
In Windows 2008, Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks.
You can manage Active Directory together with Exchange Server, Group Policy, and other services. It is as easy to use as Windows commands, and you can easily pipe cmdlets together to build complex operations.
Active Directory Administrative Center
It is a new tool in Windows 2008 R2 to manage Active Directory. We already have Active Directory Users and Computers to manage Active Directory; this new tool lets you manage Active Directory in a new way.
As an administrator you perform most tasks daily, and it is somewhat tedious to open Active Directory Users and Computers, find the object, and do the task. In the new Active Directory Administrative Center it is very easy to do common tasks such as resetting a password and searching for Active Directory objects.
Active Directory Best Practices Analyzer
This helps you identify and implement best practices in the configuration of your Active Directory environment. It scans your network and finds best-practice violations, which you can then correct to get the best out of Active Directory services in Windows 2008.
Active Directory Web Services
Active Directory Web Services gives you a Web service interface to Active Directory domains and AD LDS (Active Directory Lightweight Directory Services) instances.
The Active Directory Database Mounting Tool uses Active Directory Web Services as a front end; likewise, Windows PowerShell and the Active Directory Administrative Center use Active Directory Web Services to access directory service instances.
Offline domain join
Offline domain join lets you join a member server to the domain even when no domain controller is reachable from the member server.
This can be very useful for bulk deployment: when the system starts, it is automatically joined to the domain, which reduces administrative effort.
Managed Service Accounts
Normally applications and services use the Local Service, Network Service and Local System accounts. These are easy to configure, but they are shared among multiple applications and services and cannot be managed at the domain level.
You can use a domain account for an application (service), which isolates the privileges of the application, but managing these domain accounts, for example their passwords, is very hard.
Windows 2008 has two new types of accounts, managed service accounts and virtual accounts. You can now easily manage the service principal names (SPNs), and they provide automatic password management.
Active Directory Management Pack
You can monitor the Active Directory service on Windows 2008 using the Active Directory Management Pack (MOM, SCOM).
It is designed specifically to monitor the performance and availability of Active Directory Domain Services (AD DS); it also monitors the overall health of AD DS and alerts you to critical performance issues.
Windows Server 2008 and Windows Server 2008 SP2 are the same operating system, just at a different service pack level (Windows Server 2008 started at the SP1 level because it was released quite a bit after Windows Vista, when SP1 was already out). Windows 2008 and Windows 2008 SP2 use the same OS kernel as Windows Vista, while Windows Server 2008 R2 has the same OS kernel as Windows 7. Windows Server 2008 R2 is the server release of Windows 7, so it is version 6.1 of the OS. It introduces quite a lot of new features, because it is actually a new release of the system.
Windows Server 2008 is based on the 6.0 kernel, the same as Windows Vista; Windows Server 2008 R2 is based on the 6.1 kernel, the same as Windows 7. It is versioned as 6.1 to indicate its similar build to Vista and to increase compatibility with applications that only check major version numbers, similar to Windows 2000 and Windows XP both having 5.x version numbers.
There are also differences at the GUI level, because Windows Server 2008 R2 uses the same new GUI introduced with Windows 7.
The single most important point: Windows Server 2008 R2 exists only for 64-bit platforms; there is no x86 version anymore.
Windows Server 2008 R2 has many features designed specifically to work with client computers running Windows 7. Windows 7 is the next version of the Windows operating system from Microsoft.
Some features are only available when Windows 7 client computers are used with server computers running Windows Server 2008 R2. Compared to Windows 2008 SP2, Windows 2008 R2 has more features; I will cover this in my upcoming article.
The Windows 2000 Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to grow to 16 terabytes, which would be large enough for 10 million objects. Back to the real world. Only the Jet database can manipulate information within the AD data store.
For information on domain controller configuration to optimize Active Directory, see Optimize Active Directory Disk Performance.
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
Schema table: the types of objects that can be created in the Active Directory, the relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
Link table: contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.
Data table: users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows, where each row represents an instance of an object such as a user, and columns, where each column represents an attribute in the schema such as GivenName.
From a different perspective, Active Directory has three types of data:
Schema information: definitional details about objects and attributes that one CAN store in the AD. Replicates to all domain controllers. Static in nature.
Configuration information: configuration data about forest and trees. Replicates to all domain controllers. As static as your forest is.
Domain information: object information for a domain. Replicates to all domain controllers within a domain. The object portion becomes part of the Global Catalog. The attribute values (the actual bulk of data) only replicate within the domain.
Although GUIDs are unique, they are large, so AD uses a distinguished name tag (DNT) instead. The DNT is a 4-byte DWORD value which is incremented when a new object is created in the store. The DNT represents the object's database row number. It is an example of a fixed column. Each object's parent relationship is stored as a parent distinguished name tag (PDNT). Resolution of parent-child relationships is optimized because the DNT and PDNT are indexed fields in the database. For more technical info on the AD data store and its organization, a good starting point is the Active Directory Database Sizing document.
The size of ntds.dit will often differ across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the ADs, with the changes being replicated over time to the other domain controllers. The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.
Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted. An ntds.dit file that has been defragmented offline (compacted) can be much smaller than the ntds.dit file on its peers. To defrag ntds.dit offline:
Back up the Active Directory using Windows 2000 Backup. W2K backup natively supports backing up Active Directory while online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently by selecting to back up System State in the backup wizard.
1. Reboot. Select the appropriate installation from the boot menu, and press F8 to display the Windows 2000 Advanced Options menu.
2. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
3. Log on using the password defined for the local Administrator account in the offline SAM.
4. Click Start, Programs, Accessories, and then click Command Prompt.
5. At the command prompt, run the ntdsutil command.
6. When ntdsutil has started, type files and press ENTER.
7. Type info and then press ENTER. This displays current information about the path and size of the Active Directory database and its log files.
8. Type compact to drive:\directory, and press ENTER. Be sure that the drive specified has enough space for the compacted database to be created. I know, you don't know how big the compacted version will be, but if there is enough space for the uncompacted version, you should be OK. A gotcha: you must specify a directory path, and if the path name has spaces, the command will not work unless you use quotation marks:
compact to "c:\my new folder"
9. Type quit and press ENTER. Type quit again and press ENTER to return to the command prompt.
10. A new compacted database named Ntds.dit can be found in the folder you specified. Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database. If you believe in belts and suspenders, I would copy the old uncompacted database somewhere else before overwriting it with the new compacted version.
11. Reboot and see if all is normal.
This is a server by server task. Monitor the size of ntds.dit and if it starts growing and performance is slow and you can not see why either situation should apply, consider offline defrags.
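The compaction procedure above as an added script that is not part of the original page. It uses the restartable AD DS service described in the Windows 2008 section instead of a reboot into Directory Services Restore Mode, so it assumes Windows Server 2008 or later (where ntdsutil also needs "activate instance ntds"), local admin rights, and a target volume with at least as much free space as the current ntds.dit; the target folder name is an assumption chosen to exercise the quoting gotcha.

```powershell
# Added example (not part of the original page): scripted offline compaction of
# ntds.dit. Assumes Windows Server 2008 or later, admin rights, and enough free
# space on the target volume; the default folder deliberately contains spaces.
param([string]$TargetDir = 'C:\my new folder')

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = (Get-ItemProperty $ntdsParams).'DSA Database file'
$logPath = (Get-ItemProperty $ntdsParams).'Database log files path'
$before  = (Get-Item $dbFile).Length

# 1. Room for a copy of the uncompacted database is the text's rule of thumb.
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
if ((Get-PSDrive -Name $TargetDir.Substring(0, 1)).Free -lt $before) {
    throw "Not enough free space on $($TargetDir.Substring(0, 2)) for a copy of ntds.dit"
}

# 2. Stop AD DS (and its dependent services) instead of booting into DSRM.
Stop-Service -Name NTDS -Force
$ok = $false
try {
    # 3. Belts and suspenders: keep the uncompacted database.
    Copy-Item $dbFile "$dbFile.bak" -Force

    # 4. The same commands the text types interactively. The path must be quoted
    #    because of the spaces; --% passes the arguments to ntdsutil verbatim
    #    (only %ENV% variables are expanded), so the inner quotes survive.
    $env:NTDS_TARGET = $TargetDir
    $out = ntdsutil.exe --% "activate instance ntds" files "compact to \"%NTDS_TARGET%\"" quit quit
    if (-not ($out -match 'Operation completed successfully')) {
        throw "ntdsutil compact failed:`n$($out -join "`n")"
    }

    # 5. Swap in the compacted file and, as ntdsutil's own output instructs,
    #    delete the old log files; then verify integrity at the new size.
    Copy-Item (Join-Path $TargetDir 'ntds.dit') $dbFile -Force
    Remove-Item (Join-Path $logPath '*.log') -Force
    $check = ntdsutil.exe --% "activate instance ntds" files integrity quit quit
    if (-not ($check -match 'Integrity check successful')) {
        throw "Integrity check failed; restore $dbFile.bak before starting AD DS"
    }
    $ok = $true
}
finally {
    # Only bring AD DS back if the new database checked out; otherwise leave it
    # stopped so nobody runs on a suspect ntds.dit.
    if ($ok) { Start-Service -Name NTDS } else { Write-Warning 'AD DS left stopped; investigate before starting it' }
}
Write-Host "ntds.dit: $before bytes before, $((Get-Item $dbFile).Length) bytes after compaction"
```

Run it on one DC at a time, as the text says, and keep the .bak copy until the DC has replicated normally afterwards.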
If ntds.dit gets corrupted, deleted or is missing (which can happen if the promotion process to domain controller goes bad), you have to manually recover it using Windows 2000 Backup. Now, you did do W2K backups, right?
1. Reboot the domain controller and press F8 to display the Windows 2000 Advanced Options menu.
2. Select Directory Services Restore Mode and then press ENTER.
3. Select the correct installation, and then press ENTER to start the boot process.
4. Log on using the administrator account and password you specified during the promotion process. When you ran Dcpromo.exe to install Active Directory, it requested a password to be used for the Administrator password for Active Directory Restore Mode. This password is not stored in Active Directory. It is stored in an NT4-style SAM file and is the only account available when the AD is corrupted.
5. Click OK. This acknowledges the warning message that you are using Safe mode.
6. Click Start, Programs, Accessories, System Tools, and then click Backup.
7. Select the Restore tab.
8. Click the + symbol next to the following items to expand them: File, Media Created, System Drive, Winnt, NTDS.
9. Click the NTDS folder to display the files in the folder. Click to select the ntds.dit check box.
10. Leave the Restore files to box set to Original Location. This box provides the option to restore to an alternative location. If you restore to an alternative location, you will have to copy the ntds.dit file into the %SystemRoot%\ntds folder.
11. Click Start Restore.
To move a database or log file:
1. Reboot the domain controller and press F8 to display the Windows 2000 Advanced Options menu.
2. Select Directory Services Restore Mode and then press ENTER.
3. Select the correct installation, and then press ENTER to start the boot process.
4. Log on using the administrator account and password you specified during the promotion process. When you ran Dcpromo.exe to install Active Directory, it requested a password to be used for the Administrator password for Active Directory Restore Mode. This password is not stored in Active Directory. It is stored in an NT4-style SAM file and is the only account available when the AD is corrupted.
5. Start a command prompt, and then type ntdsutil.exe.
6. At the Ntdsutil prompt, type files.
7. At the File Maintenance prompt: to move a database, type move db to %s, where %s is the drive and folder where you want the database moved. To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.
8. To view the log files or database, type info.
9. To verify the integrity of the database at its new location, type integrity.
10. Type quit. Type quit again to return to a command prompt.
11. Restart the computer in Normal mode.
When you move the database and log files, you must back up the domain controller.