7/24/2019 Microsoft Windows Servers 2003 kc.docx
1/162
Microsoft Windows Servers - Command Reference
Network File System Command Reference
1. mapadmin
The mapadmin command-line utility administers User Name Mapping on the local or remote
computer running Microsoft Services for Network File System. If you are logged on with an
account that does not have administrative credentials you can specify a user name and
password of an account that does.
Syntax:
mapadmin [<computer>] [-u <user> [-p <password>]]
mapadmin [<computer>] [-u <user> [-p <password>]] {start | stop}
mapadmin [<computer>] [-u <user> [-p <password>]] config <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] add -wu <WindowsUser> -uu <UNIXUser> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] add -wg <WindowsGroup> -ug <UNIXGroup> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wu <WindowsUser> [-uu <UNIXUser>]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wg <WindowsGroup> [-ug <UNIXGroup>]
mapadmin [<computer>] [-u <user> [-p <password>]] delete <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] list <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] backup <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] restore <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] adddomainmap -d <WindowsDomain> {-y <NISdomain> | -f <path>}
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -d <WindowsDomain> -y <NISdomain>
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -all
mapadmin [<computer>] [-u <user> [-p <password>]] listdomainmaps
2. Mount
The mount command-line utility mounts the file system identified by ShareName exported by the NFS server identified by ComputerName, and associates it with the drive letter specified by DeviceName or, if an asterisk (*) is used, with the first available drive letter. Users can then access the exported file system as though it were a drive on the local computer. When used without options or arguments, mount displays information about all mounted NFS file systems.
The mount utility is available only if Client for NFS is installed.
The following options and arguments can be used with the mount utility.
Syntax:
mount [-o <Option>[...]] [-u:<UserName>] [-p:{<Password> | *}] {\\<ComputerName>\<ShareName> | <ComputerName>:/<ShareName>} {<DeviceName> | *}
Options: -o rsize
Syntax:
nfsadmin server [ComputerName] [-u UserName [-p Password]] -l
nfsadmin server [ComputerName] [-u UserName [-p Password]] -r {client | all}
nfsadmin server [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin server [ComputerName] [-u UserName [-p Password]] config Option[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] creategroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] listgroups
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletegroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] renamegroup OldName NewName
nfsadmin server [ComputerName] [-u UserName [-p Password]] addmembers Name Host[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] listmembers
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletemembers Group Host[...]
nfsadmin client [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin client [ComputerName] [-u UserName [-p Password]] config Option[...]
In addition to service-specific command arguments and options, nfsadmin accepts the following:
ComputerName
Specifies the remote computer you want to administer. You can specify the computer using a Windows Internet Name Service (WINS) name or a Domain Name System (DNS) name, or by Internet Protocol (IP) address.
-u UserName
Specifies the user name of the user whose credentials are to be used. It might be necessary to add the domain name to the user name in the form domain\UserName.
-p Password
Specifies the password of the user specified using the -u option. If you specify the -u option but omit the -p option, you are prompted for the user's password.
4. Nfsshare
Without arguments, the nfsshare command-line utility lists all Network File System (NFS) shares exported by Server for NFS. With ShareName as the only argument, nfsshare lists the properties of the NFS share identified by ShareName. When ShareName and Drive:Path are provided, nfsshare exports the folder identified by Drive:Path as ShareName. When the /delete option is used, the specified folder is no longer made available to NFS clients.
Syntax:
nfsshare <ShareName>=<Drive:Path> [-o <Option=value>...]
nfsshare {<ShareName> | <Drive>:<Path> | *} /delete
5. Nfsstat
When used without the -z option, the nfsstat command-line utility displays the number of NFS V
The showmount command-line utility displays information about mounted file systems exported by Server for NFS on the computer specified by Server. If Server is not provided, showmount displays information about the computer on which the showmount command is run.
Syntax:
showmount {-e | -a | -d} [Server]
-e Displays all file systems exported on the server.
-a Displays all Network File System (NFS) clients and the directories on the server each has mounted.
-d Displays all directories on the server that are currently mounted by NFS clients.
7. Umount
The umount command-line utility disconnects the specified NFS-mounted drive. You must supply at least one of the following options or arguments.
Syntax:
umount [-f] [{-a | DriveLetter:[...] | NetworkMount[...]}]
-f Forces deletion of Network File System (NFS) network drives.
-a Deletes all NFS network drives. If there are active connections, umount prompts you for confirmation unless you also use the -f option.
DriveLetter: The letter of the logical drive to be disconnected.
NetworkMount: The network mount point to be disconnected. This mount must have been created using the net use Windows command-line utility without specifying a drive letter.
Ref: http://technet.microsoft.com/en-us/library/ (article id partly illegible in the scan)
Windows Server Backup Command Reference
1. Wbadmin enable backup
To configure or modify a daily backup schedule, you must be a member of either the Administrators or Backup Operators group. In addition, you must run wbadmin from an elevated command prompt.
Syntax for Windows Server:
wbadmin enable backup
[-addtarget:<BackupTargetDisk>]
[-removetarget:<BackupTargetDisk>]
[-schedule:<TimeToRunBackup>]
[-include:<VolumesToInclude>]
[-allCritical]
[-quiet]
Syntax for Windows Server R2:
wbadmin disable backup
[-quiet]
Ref: http://technet.microsoft.com/en-us/library/cc770340(v=ws.10).aspx
3. Wbadmin start backup
Creates a backup using specified parameters. If no parameters are specified and you have created a scheduled daily backup, this subcommand creates the backup by using the settings for the scheduled backup. If parameters are specified, it creates a Volume Shadow Copy Service (VSS) copy backup and will not update the history of the files that are being backed up.
To create a one-time backup with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.
Syntax for Windows Server 2008:
wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<VolumesToInclude>]
[-allCritical]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noinheritAcl]
[-vssFull]
[-quiet]
Syntax for Windows Server 2008 R2:
wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<ItemsToInclude>]
[-nonRecurseInclude:<ItemsToInclude>]
[-exclude:<ItemsToExclude>]
[-nonRecurseExclude:<ItemsToExclude>]
[-allCritical]
[-systemState]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noInheritAcl]
[-vssFull | -vssCopy]
[-quiet]
Example:
Perform a one-time backup of f:\folder1 and h:\folder2 to volume d:. Back up the system state. Make a copy backup so that the normally scheduled differential backup is not impacted.
wbadmin start backup -backupTarget:d: -include:f:\folder1,h:\folder2 -systemState -vssCopy
4. Wbadmin stop job
Cancels the backup or recovery operation that is currently running. Canceled operations cannot be restarted; you must rerun a canceled backup or recovery operation from the beginning.
To stop a backup or recovery operation with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate authority. In addition, you must run wbadmin from an elevated command prompt.
Syntax:
wbadmin stop job
[-quiet]
-quiet: Runs the subcommand with no prompts to the user.
5. Wbadmin get versions
Lists details about the available backups that are stored on the local computer or another computer. When this subcommand is used without parameters, it lists all backups of the local computer, even if those backups are not available. The details provided for a backup include the backup time, the backup storage location, the version identifier (needed for the wbadmin get items subcommand and to perform recoveries), and the type of recoveries you can perform.
To get details about available backups using this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.
Syntax:
wbadmin get versions
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
Example: To see a list of available backups that are stored on volume h:, type:
wbadmin get versions -backupTarget:h:
6. Wbadmin get items
To use this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.
Syntax:
wbadmin get items
-version:<VersionIdentifier>
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
Example:
To list items from the backup that was run on March 31
-items:{<VolumesToRecover> | <AppsToRecover> | <FilesOrFoldersToRecover>}
-itemtype:{Volume | App | File}
[-backupTarget:{<VolumeHostingBackup> | <NetworkShareHostingBackup>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:{<TargetVolumeForRecovery> | <TargetPathForRecovery>}]
[-recursive]
[-overwrite:{Overwrite | CreateCopy | Skip}]
[-notRestoreAcl]
[-skipBadClusterCheck]
[-noRollForward]
[-quiet]
-quiet: Runs the subcommand with no prompts to the user.
Example: To run a recovery of the backup from March 31
10. Wbadmin start systemstaterecovery
Performs a system state recovery to a location and from a backup that you specify.
To perform a system state recovery with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt.
Syntax:
wbadmin start systemstaterecovery
-version:<VersionIdentifier>
-showsummary
[-backupTarget:{<BackupDestinationVolume> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:<TargetPathForRecovery>]
[-authsysvol]
[-quiet]
Example: To perform a system state recovery of the backup from 03/31/
Example: To create a system state backup and store it on volume f:, type:
wbadmin start systemstatebackup -backupTarget:f:
Active Directory Domain Services Command Reference
1. Adprep
Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server operating system.
Adprep.exe is a command-line tool that is available on the Windows Server installation disc in the \sources\adprep folder, and it is available on the Windows Server
Potential problems (domain controllers):
Low CPU or memory resources on domain controllers.
Low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files.
Slow or broken connections between domain controllers.
Slow or failed client network logon authentication requests.
Slow or failed LDAP query responses.
Slow or failed Key Distribution Center (KDC) requests.
Slow or failed AD synchronization requests.
NetLogon (LSASS) service not functioning properly.
Directory Service Agent (DSA) service not functioning properly.
KCC not functioning properly.
Excessive number of SMB connections.
Insufficient RID allocation pool size on local server.
Problems with transitive or external trusts to Win
Low-level network connectivity problems.
TCP/IP routing problems.
DHCP IP address allocation pool shortages.
WINS server query or replication failures (for legacy NetBIOS systems and applications).
Naming context lost & found items exist.
Application or service failures or performance problems.
----------------------------------------
Monitoring and Troubleshooting the DHCP Server
You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor DHCP activity. Event Viewer stores events that are logged in the system log, application log, and security log. The system log contains events that are associated with the operating system. The application log stores events that pertain to applications running on the computer. Events that are associated with auditing activities are logged in the security log. All events that are DHCP-specific are logged in the System log. The DHCP system event log contains events that are associated with activities of the DHCP service and DHCP server, such as when the DHCP server started and stopped, when DHCP leases are close to being depleted, and when the DHCP database is corrupt.
A few DHCP system event log IDs are listed below:
Event ID 1037 (Information): Indicates that the DHCP server has begun to clean up the DHCP database.
Event ID 1038 (Information): Indicates that the DHCP server cleaned up the DHCP database for unicast addresses:
o 0 IP address leases were recovered.
o 0 records were deleted.
Event ID 1039 (Information): Indicates that the DHCP server cleaned up the DHCP database for multicast addresses:
o 0 IP address leases were recovered.
o 0 records were deleted.
Event ID 1044 (Information): Indicates that the DHCP server has concluded that it is authorized to start, and is currently servicing DHCP client requests for IP addresses.
Event ID 1042 (Warning): Indicates that the DHCP service running on the server has detected the following servers on the network.
Event ID 1056 (Warning): Indicates that the DHCP service has determined that it is running on a domain controller, and no credentials are configured for DDNS registrations.
Event ID 1046 (Error): Indicates that the DHCP service running on the server has determined that it is not authorized to start to service DHCP clients.
Using System Monitor to Monitor DHCP Activity
The System Monitor utility is the main tool for monitoring system performance. System Monitor can track various processes on the Windows system in real time. The utility uses a graphical display that you can use to view current data or log data. You can specify specific elements or components that should be tracked on the local computer and remote computers. You can determine resource usage by monitoring trends. System Monitor can be displayed in a graph, histogram, or report format. System Monitor uses objects, counters, and instances to monitor the system.
System Monitor is a valuable tool when you need to monitor and troubleshoot DHCP traffic being passed between the DHCP server and DHCP clients. Through System Monitor you can set counters to monitor:
The DHCP lease process.
The DHCP queue length.
Duplicate IP address discards.
DHCP server-side conflict attempts.
To start System Monitor:
1. Click Start, Administrative Tools, and then click Performance.
Declines/sec indicates the rate at which the DHCP server receives DHCPDECLINE messages.
Discovers/sec indicates the rate at which the DHCP server receives DHCPDISCOVER messages.
Duplicates Dropped/sec indicates the rate at which duplicated packets are being received by the DHCP server.
Informs/sec indicates the rate at which the DHCP server receives DHCPINFORM messages.
Milliseconds per packet (Avg.) indicates the average time which the DHCP server takes to send a response.
Nacks/sec indicates the rate at which DHCPNACK messages are sent by the DHCP server.
Packets Expired/sec indicates the rate at which packets are expired while waiting in the DHCP server queue.
Packets Received/sec indicates the rate at which the DHCP server is receiving packets.
Releases/sec indicates the rate at which DHCPRELEASE messages are received by the DHCP server.
Requests/sec indicates the rate at which DHCPREQUEST messages are received by the DHCP server.
Using Network Monitor to Monitor DHCP Lease Traffic
You can use Network Monitor to monitor network traffic and to troubleshoot network issues or problems. Network Monitor shipped with Windows Server
The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.
Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP lease traffic. You can use the Network Monitor version included in Windows Server
3. If you want to examine captured data during the capture, select Stop And View from the Capture menu.
Understanding DHCP Server Log Files
DHCP server log files are comma-delimited text files. Each log entry represents one line of text. Through DHCP logging you can log many different events. A few of these events are listed below:
DHCP server events
DHCP client events
DHCP leasing
DHCP rogue server detection events
Active Directory authorization
The DHCP server log file format is depicted below. Each log file entry has the fields listed below, and in this particular order as well:
ID: This is the DHCP server event ID code. Event codes are used to describe information on the activity which is being logged.
Date: The date when the particular log file entry was logged on your DHCP server.
Time: The time when the particular log file entry was logged on your DHCP server.
Description: This is a description of the particular DHCP server event.
IP Address: This is the IP address of the DHCP client.
Host Name: This is the host name of the DHCP client.
MAC Address: This is the MAC address used by the DHCP client's network adapter.
DHCP server log files use reserved event ID codes. These event ID codes describe information on the activities being logged. The actual log file only describes event ID codes which are lower than 50.
A few common DHCP server log event ID codes are listed below:
00 indicates the log was started.
01 indicates the log was stopped.
02 indicates the log was temporarily paused due to low disk space.
10 indicates a new IP address was leased to a client.
11 indicates a lease was renewed by a client.
12 indicates a lease was released by a client.
13 indicates an IP address was detected to be in use on the network.
14 indicates a lease request could not be satisfied due to the scope's address pool being exhausted.
15 indicates a lease was denied.
16 indicates a lease was deleted.
17 indicates a lease was expired.
51 Authorization succeeded: The DHCP server was authorized to start on the network.
52 Upgraded to a Windows Server
58 Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
59 Network failure: A network-related failure prevented the server from determining if it is authorized.
60 No DC is DS enabled: No Active Directory DC was located. For detecting whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
61 Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
62 Another server found: Another DHCP server was found on the network.
63 Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
64 No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.
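The log format and the event ID codes described above are enough to build a small review tool. The following Python script is an added example, not part of the original reference or of any Microsoft tool: it parses the comma-delimited entries (ID, Date, Time, Description, IP Address, Host Name, MAC Address), labels each with the meaning given in the lists above, and flags the codes an operator cares about (conflicts, pool exhaustion, denials, authorization trouble and other DHCP servers appearing on the network). The sample log text is constructed for the example, and the column names and ALERT_IDS selection are the author's choices.

```python
import csv
from collections import Counter
from io import StringIO

# Meaning of the DHCP server log event ID codes listed in this reference.
# Codes below 50 are lease/log events; 50 and above are authorization and
# rogue-server detection events.
EVENT_MEANINGS = {
    "00": "log started",
    "01": "log stopped",
    "02": "log paused (low disk space)",
    "10": "new lease",
    "11": "lease renewed",
    "12": "lease released",
    "13": "IP address detected in use on the network",
    "14": "scope address pool exhausted",
    "15": "lease denied",
    "16": "lease deleted",
    "17": "lease expired",
    "51": "authorization succeeded",
    "59": "network failure while checking authorization",
    "60": "no DS-enabled DC found",
    "61": "server found that belongs to DS domain",
    "62": "another DHCP server found",
    "63": "restarting rogue detection",
    "64": "no DHCP-enabled interfaces",
}

# Codes worth surfacing to an operator: conflicts, exhaustion, denials,
# authorization trouble and the appearance of other DHCP servers.
ALERT_IDS = {"02", "13", "14", "15", "59", "60", "61", "62", "64"}

# Field order exactly as the reference describes it.
FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")

# Constructed sample log (not a real capture). Real logs carry a longer
# explanatory header before the column line; the parser skips it the same way.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log (constructed sample)
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,07/24/19,08:00:01,Started,,,
10,07/24/19,08:02:10,Assign,192.168.10.21,ws01.example.test,001122334455
11,07/24/19,08:30:44,Renew,192.168.10.21,ws01.example.test,001122334455
13,07/24/19,09:10:05,Conflict,192.168.10.30,,
14,07/24/19,09:12:37,Scope Full,192.168.10.0,,
62,07/24/19,09:15:00,Another server found,192.168.10.250,,
10,07/24/19,09:20:12,Assign,192.168.10.22,ws01.example.test,001122334455
"""


def parse_dhcp_log(text):
    """Return one dict per comma-delimited entry, skipping header lines.

    An entry is recognised by a two-digit event ID in the first field;
    anything else (banner text, the column-name line) is ignored.
    """
    entries = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not (len(row[0]) == 2 and row[0].isdigit()):
            continue
        entry = dict(zip(FIELDS, (field.strip() for field in row[:7])))
        entry["meaning"] = EVENT_MEANINGS.get(entry["id"], "code not listed here")
        entries.append(entry)
    return entries


def triage(entries):
    """Summarise a parsed log for review.

    Returns per-code counts, the entries whose code is in ALERT_IDS, and
    any MAC address that was assigned more than one IP in this log (a
    cheap hint that an address conflict or scope change is in play).
    """
    counts = Counter(entry["id"] for entry in entries)
    alerts = [entry for entry in entries if entry["id"] in ALERT_IDS]
    ips_by_mac = {}
    for entry in entries:
        if entry["id"] in ("10", "11") and entry["mac"]:
            ips_by_mac.setdefault(entry["mac"], set()).add(entry["ip"])
    multi_ip_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"counts": dict(counts), "alerts": alerts, "multi_ip_macs": multi_ip_macs}


if __name__ == "__main__":
    summary = triage(parse_dhcp_log(SAMPLE_LOG))
    for entry in summary["alerts"]:
        print(f'{entry["date"]} {entry["time"]} id={entry["id"]} '
              f'{entry["meaning"]} ip={entry["ip"] or "-"}')
    print("MACs holding several addresses:", summary["multi_ip_macs"])
```

Point the parser at the text of a real audit log file and the same triage applies; codes 50 and above are still parsed even though, as the reference notes, the file's own header only explains the codes below 50.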
How to change DHCP log files location
1. Open the DHCP console.
o The DHCP server is shown as being enabled.
o The IP address is displayed as IP Address. It should not be displayed as Autoconfiguration IP Address.
3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as being Assigned By DHCP.
If after the above checks you can conclude that the IP address was assigned to the client by the DHCP server, some other network issue is the cause of the DHCP server connectivity issues being experienced. The issue is not due to an IP addressing issue on the client.
When clients have the incorrect IP address, it was probably due to the computer not being able to contact the DHCP server. When this occurs, the computer assigns its own IP address through Automatic Private IP Addressing (APIPA).
Computers could be unable to contact the DHCP server for a number of reasons:
A problem might exist with the hardware or software of the DHCP server.
A data-link protocol issue could be preventing the computer from communicating with the network.
The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.
When a DHCP client is assigned an IP address that is currently being used by another client, then an address conflict has occurred.
The process that occurs to detect duplicate IP addresses is illustrated below:
1. When the computer starts, the system checks for any duplicate IP addresses.
4. The computer that initially owned the duplicate IP address experiences no interruptions and operates as normal.
5. You have to reconfigure the conflicting computer with a unique IP address so that the TCP/IP protocol stack can be enabled on that particular computer again.
When address conflicts exist, a warning message is displayed:
A warning is displayed in the system tray.
A warning message is displayed in the System log, which you can view in Event Viewer.
Address conflicts usually occur under the following circumstances:
You have competing DHCP servers in your environment: You can use the dhcploc.exe utility to locate any rogue DHCP servers. The dhcploc.exe utility is included with the Windows Support Tools. To solve the competing DHCP server issue, you have to locate the rogue DHCP servers, remove the necessary rogue DHCP servers, and then check that no two DHCP servers can allocate IP address leases from the same IP address range.
A scope redeployment has occurred: You can recover from a scope redeployment through the following strategy:
o Increase the conflict attempts on the DHCP server.
o Renew your DHCP client leases.
One of the following methods can be used to renew your DHCP client leases:
o Use the ipconfig /renew command.
o The Repair button of the status dialog box (Support tab) of the connection can be used to renew the DHCP client lease.
When you click the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease, the following process occurs:
1. A DHCPREQUEST message is broadcast on the network to renew your DHCP clients' IP address leases.
4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client is registered again with the WINS server.
6. The computer name and IP address of the client is registered again with the DNS server.
You can enable server-side conflict detection through the following process:
1. Open the DHCP console
o Verify that the DHCP server is authorized.
When troubleshooting the scope configured for the DHCP server:
o Check that the scope is enabled.
o Check whether all the available IP leases have already been assigned to clients.
A few troubleshooting strategies which you can use when a DHCP client obtains an IP address from the incorrect scope are summarized below:
First, determine whether competing DHCP servers exist on your network. Use the dhcploc.exe utility included with the Windows Support Tools to locate rogue DHCP servers that are allocating IP addresses to clients.
If no rogue DHCP servers are located through the dhcploc.exe utility, your next step is to verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlapping of the address space.
If you have multiple scopes on your DHCP server and the DHCP server is assigning IP addresses to clients on remote subnets, verify that the DHCP Relay Agent that is used to enable communication with the DHCP server has the correct address.
Troubleshooting the DHCP Server Configuration
If you have clients that cannot obtain IP addresses from the DHCP server even though they can contact the DHCP server, verify the following:
Verify that the DHCP Server service is running on the particular server.
Check the actual TCP/IP configuration settings on the DHCP server.
If you are using the Active Directory directory service, verify that the DHCP server is authorized.
The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server and verify that it is active.
When you need to verify the configuration of the DHCP server, use the following process:
First, check that the DHCP server is configured with the correct IP address. The network ID of the address being used must be the same as that of the subnet for which the DHCP server is expected to assign IP addresses to clients.
Verify the network bindings of the DHCP server. The DHCP server must be bound to the particular subnet. To check this:
1. Open the DHCP console
Troubleshooting DHCP Database )ssues
The DHCP service uses a number of database files to maintain DHCP-specific data or information on IP addresses, leases, scopes, superscopes, and DHCP options. The DHCP database files that are located in the systemroot\System3
3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled and then click Reconcile.
6. The inconsistencies are repaired.
How to reconcile a single scope
1. Open the DHCP console
been devised. This duplication of effort consumes time and money, and adds complexity to already complex systems.
RPC is designed to mitigate these issues by providing a common interface between applications. RPC serves as a go-between for client/server communications. RPC is designed to make client/server interaction easier and safer by factoring out common tasks such as security, synchronization, and data flow handling into a common library so that developers do not have to dedicate the time and effort to developing their own solutions.
Terms and Definitions
The following terms are associated with RPC.
Client
A process, such as a program or task, that requests a service provided by another program. The client process uses the requested service without having to deal with many working details about the other program or the service.
Server
A process, such as a program or task, that responds to requests from a client.
Endpoint
The name, port, or group of ports on a host system that is monitored by a server program for incoming client requests. The endpoint is a network-specific address of a server process for remote procedure calls. The name of the endpoint depends on the protocol sequence being used.
Endpoint Mapper (EPM)
Part of the RPC subsystem that resolves dynamic endpoints in response to client requests and, in some configurations, dynamically assigns endpoints to servers.
Client Stub
Module within a client application containing all of the functions necessary for the client to make remote procedure calls using the model of a traditional function call in a standalone application. The client stub is responsible for invoking the marshalling engine and some of the RPC application programming interfaces (APIs).
Server Stub
Module within a server application or service that contains all of the functions necessary for the server to handle remote requests using local procedure calls.
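The terms above fit together as one call path: the server stub registers an interface with the endpoint mapper, the client stub resolves that interface to an endpoint, marshals the arguments, and the server stub unmarshals them and makes the local procedure call. The following Python model is an added example written for this page; it is not the Windows RPC runtime or any Microsoft code, and it runs in one process with no network. The endpoint string format (ncacn_ip_tcp:host[port]) is modelled on RPC protocol-sequence naming, the starting dynamic port and the "inventory-v1" interface name are assumptions, and the JSON encoding stands in for the real marshalling engine.

```python
import json


class EndpointMapper:
    """Stand-in for the Endpoint Mapper (EPM): servers register the interface
    they offer and receive a dynamic endpoint; clients resolve an interface
    to that endpoint. In-process model, not the Windows RPC runtime."""

    def __init__(self, first_dynamic_port=49152):  # assumed start of the dynamic range
        self._table = {}
        self._next_port = first_dynamic_port

    def register(self, interface, server_stub, endpoint=None):
        # Dynamic assignment when the server does not name a fixed endpoint.
        if endpoint is None:
            endpoint = f"ncacn_ip_tcp:127.0.0.1[{self._next_port}]"
            self._next_port += 1
        self._table[interface] = (endpoint, server_stub)
        return endpoint

    def resolve(self, interface):
        if interface not in self._table:
            raise LookupError(f"no endpoint registered for {interface}")
        return self._table[interface]


def marshal(kind, payload):
    """Marshalling engine stand-in: encode a call or a reply into bytes."""
    return json.dumps({"kind": kind, "payload": list(payload)}).encode("utf-8")


def unmarshal(data):
    msg = json.loads(data.decode("utf-8"))
    return msg["kind"], msg["payload"]


class ServerStub:
    """Unpacks a remote request and makes the local procedure call; only the
    procedures the server exported are reachable, anything else is an error."""

    def __init__(self, procedures):
        self._procedures = dict(procedures)

    def dispatch(self, request):
        name, args = unmarshal(request)
        if name not in self._procedures:
            return marshal("error", [f"unknown procedure: {name}"])
        return marshal("result", [self._procedures[name](*args)])


class ClientStub:
    """Gives the caller the model of a plain local function call: resolve the
    endpoint, marshal the arguments, hand the request over, unmarshal the reply."""

    def __init__(self, epm, interface):
        self._epm = epm
        self._interface = interface

    def call(self, procedure, *args):
        endpoint, server = self._epm.resolve(self._interface)
        reply = server.dispatch(marshal(procedure, args))
        kind, payload = unmarshal(reply)
        if kind == "error":
            raise RuntimeError(f"{endpoint}: {payload[0]}")
        return payload[0]


def build_demo():
    """Wire up one server exporting a hypothetical 'inventory-v1' interface
    and one client bound to it."""
    epm = EndpointMapper()
    server = ServerStub({
        "count_items": lambda *items: len(items),
        "shout": lambda text: text.upper(),
    })
    endpoint = epm.register("inventory-v1", server)
    return epm, endpoint, ClientStub(epm, "inventory-v1")


if __name__ == "__main__":
    epm, endpoint, client = build_demo()
    print("server registered at", endpoint)
    print(client.call("count_items", "disk0", "disk1", "disk2"))
    print(client.call("shout", "rpc ok"))
```

The server stub's procedure table is the allow-list that decides what a remote caller can reach, which is why the model returns a marshalled error for an unknown name rather than looking the name up dynamically.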
RPC Dependencies and Interactions
RPC is a client/server technology in the most generic sense. There is a sender and a receiver; data is transferred between them. This can be classic client/server (for example, Microsoft Outlook communicating with a server running Microsoft Exchange Server) or
system services within the computer communicating with each other. The latter is especially common. Much of the Windows architecture is composed of services that communicate with each other to accomplish a task. Most services built into the Windows architecture use RPC to communicate with each other.
The following table briefly describes the services in Windows Server
Remote Desktop Help Session Manager: Manages and controls Remote Assistance.
Remote Registry:
...copy backup and other purposes.
Windows Audio: Manages audio devices for Windows-based programs.
Windows Image Acquisition (WIA): Provides image acquisition services for scanners and cameras.
Windows Installer: Installs, repairs, and removes software according to instructions contained in .MSI files.
Windows Internet Name Service (WINS): Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names.
Windows Management Instrumentation: Provides a common interface and object model to access management information about operating system, devices, applications, and services. If this service is stopped, most Windows-based software will not function properly.
Wireless Configuration:
DFS server face, users can still continue accessing the data from the backup DFS (target). There is no interruption to accessing data.
2. Load balancing:
If all the DFS root servers and targets are working fine, it leads to load balancing. This is achieved by specifying locations for separate users.
3. Security:
We can implement security by using NTFS settings.
DFS Terminology:
1. DFS root
7/24/2019 Microsoft Windows Servers 2003 kc.docx
42/162
has een shared.
Emplementation of 7FS
Creatin> a 7FS root'
5n 4
4reate a folder in any drive
Share it
,ive everyone full control
Use the folder name as FS root
4reate < more folders for links
Share them Z everyone full control
Start %p%admin tools%FS
Dight click on FS
New root
Select domain root
omain name
Crowse the server 4
Ne!t mention the root name
Crowse the folder to share
Ne!t finish.
Emplementin> 7FS links
5n 4
4reate < folders.
Share them Z give full control permission
5n Memer Server also same process
5n 4
Start % 2%:dmin tools%FS%right click on FS
New link
Kink name 0e.g. ,ermany1
Crowse the share folder from 4
5k
4reate all four links two from 4 Z two from memer server
9ccessin> te resources linksG'
Lither on 4 or memer server
77domain name7FS root name
e!" 779oom.com7FS root
7/24/2019 Microsoft Windows Servers 2003 kc.docx
43/162
Emplementin> of 7FS tar>et'
5n c
5pen Fs
Dight click on Fs rootSelect new root target
Crowse server name %ne!t
Crowse folder to share
Ne!t%finish
Replication'
:fter configuring the target we can configure the replication etween FS root and FS
target.
:nd this can e scheduled.Types of replication topologies"
Ding topology
Ou Z spoke topology
Mesh topology
Confi>urin> replication &etween 7FS root H tar>et.
5n 4
5pen FSDight click on the FS root
4onfigure replication%ne!t
Select topology
Finish
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
DiskPart Commands Guide
DiskPart is a text-mode command interpreter that enables you to manage objects (disks,
partitions, volumes, or virtual hard disks) by using scripts or direct input from a command
prompt. Before you can use DiskPart commands, you must first list and then select an object
to give it focus. When an object has focus, any DiskPart commands that you type will act on
that object.
You can list the available objects and determine an object's number or drive letter by using
the list disk, list volume, list partition, and list vdisk commands. The list disk, list
vdisk, and list volume commands display all disks and volumes on the computer. However,
the list partition command only displays partitions on the disk that has focus. When you use
the list commands, an asterisk (*) appears next to the object with focus.
When you select an object, the focus remains on that object until you select a different object.
For example, if the focus is set on disk 0 and you select volume 8 on disk
INACTIVE - Mark the selected partition as inactive.
LIST - Display a list of objects.
MERGE - Merges a child disk with its parents.*
ONLINE - Online an object that is currently marked as offline.
OFFLINE - Offline an object that is currently marked as online.
RECOVER - Refreshes the state of all disks in the selected pack. Attempts recovery on disks
in the invalid pack, and resynchronizes mirrored volumes and RAID5 volumes that have stale
plex or parity data.*
REM - Does nothing. This is used to comment scripts.
REMOVE - Remove a drive letter or mount point assignment.
REPAIR - Repair a RAID-5 volume with a failed member.
RESCAN - Rescan the computer looking for disks and volumes.
RETAIN - Place a retained partition under a simple volume.
SAN - Display or set the SAN policy for the currently booted OS.*
SELECT - Shift the focus to an object.
SETID - Change the partition type.*
SHRINK - Reduce the size of the selected volume.*
UNIQUEID - Displays or sets the GUID partition table (GPT) identifier or master boot
record (MBR) signature of a disk.*
$$$$$$$$$$$$$$$$$$$$$$$$$
Active Directory (AD) Windows Server 2003
History of Active Directory
Active Directory was introduced to the world in the mid-90s by Microsoft as a replacement
for Windows NT-style user authentication. Windows NT included a flat and non-extensible
domain model which did not scale well for large corporations. Active Directory, on the other
hand, was created as a true directory service versus a flat user-management service that NT
had. Though it was introduced in the 90s, it did not become a part of the Operating System
until Windows
... application protocol for querying and modifying directory services developed at the
University of Michigan in the early 90s. An LDAP directory tree is a hierarchical structure
of organizations, domains, trees, groups, and individual units.
Active Directory is a Directory. Sometimes it's easy to get lost in all of the technology and
functions that are provided with AD and forget that Active Directory is a directory. It is a
directory in both the common use of the term, like a white pages (you can add in a person's
first name, last name, phone number, address, email address, etc.), and a directory of
information for use by applications and services (such as Microsoft Exchange for email). AD
is functionally a place to store information about people, things (computers, printers, etc.),
applications, domains, services, security access permissions, and more. Applications and
services then use the directory to perform a function.
For example, Microsoft Windows uses Active Directory information to allow a user to log in
to their computer and provide access to the security rights assigned in Active Directory.
Windows is accessing the directory and then providing rights based on what it finds. If a user
account is disabled in Active Directory, the directory itself is just setting a flag which
Windows uses to disallow a user from logging in.
We mentioned in the introduction that administrators use Active Directory to deploy
software; this is an incomplete description. Administrators can set policies and information
that a certain software application should be deployed to a certain user; AD itself does not
deploy the software, but a Windows service reads the information from Active Directory and
then installs the software.
$$$$$$$$$$$$$$$$$$$$$$
Flexible Single Master Operations (FSMO in AD)
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of
allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of
conflicts that can potentially lead to problems once the data is replicated to the rest of the
enterprise.
One way Windows
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows
... also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers
in a particular domain. When a DC creates a security principal object such as a user or group,
it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative
ID (RID) that is unique for each security principal SID created in a domain. Each DC in a
domain is allocated a pool of RIDs that it is allowed to assign to the security principals it
creates.
When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request
by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of
the requesting DC. At any one time, there can be only one domain controller acting as the
RID master in the domain.
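To make the SID layout and the pool mechanism concrete, here is an added example (not code from the original document or from Active Directory) that splits a SID into its domain SID and RID, and simulates two DCs drawing principals from blocks handed out by a single RID master. The domain SID, the block size and the refill threshold are constructed values chosen for the illustration; the point is that disjoint blocks are what keep RIDs, and therefore SIDs, unique across DCs.

```python
"""SID layout and RID-pool allocation as described above. Added example, not
code from the original document or from Active Directory; the pool block size
and the refill threshold are assumed values chosen for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain SID, RID).

    S-1-5-21 is the form domain (and local-computer) SIDs take; the three
    sub-authorities identify the domain and the final value is the RID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-issued SID: {sid}")
    if not all(p.isdigit() for p in parts[4:]):
        raise ValueError(f"malformed SID: {sid}")
    return "-".join(parts[:7]), int(parts[7])


@dataclass
class RidMaster:
    """Holds the domain's unallocated RID pool and hands out blocks on request."""
    next_rid: int = 1000       # assumed: first RID of the unallocated pool
    block_size: int = 500      # assumed block size per request

    def allocate_block(self) -> range:
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


@dataclass
class DomainController:
    """A DC that creates security principals from its own RID pool."""
    name: str
    domain_sid: str
    threshold: int = 100       # assumed: ask for more RIDs when fewer remain
    pool: list[int] = field(default_factory=list)
    requests_made: int = 0

    def create_principal(self, master: RidMaster) -> str:
        # Pool below the threshold? Ask the RID master for another block first.
        if len(self.pool) < self.threshold:
            self.pool.extend(master.allocate_block())
            self.requests_made += 1
        rid = self.pool.pop(0)
        return f"{self.domain_sid}-{rid}"


def rids_are_unique(sids: list[str]) -> bool:
    """True when no two SIDs are identical (what a duplicate-SID check looks for)."""
    return len(set(sids)) == len(sids)


# Constructed domain SID, not one from the page.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

if __name__ == "__main__":
    master = RidMaster()
    dc1 = DomainController("DC1", DOMAIN_SID)
    dc2 = DomainController("DC2", DOMAIN_SID)
    sids = [dc1.create_principal(master), dc2.create_principal(master),
            dc1.create_principal(master)]
    print(sids, rids_are_unique(sids), split_sid(sids[1]))
```

DC1 receives RIDs 1000-1499 on its first request and DC2 receives 1500-1999, so the three SIDs created in the sample run end in 1000, 1500 and 1001; only the RID differs between them, the domain SID prefix is shared.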
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found
in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member
servers and domain controllers that are running Windows NT 4.0 or earlier are all upgraded
to Windows
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:
FSMO Role      | Number of DCs holding this role | Original DC holding the FSMO role
Schema         | One per forest                  | The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming  | One per forest                  | (same as Schema)
RID            | One per domain                  | The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator   | One per domain                  | (same as RID)
Infrastructure | One per domain                  | (same as RID)
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table
to see which tool can be used for what FSMO role:
FSMO Role      | Which snap-in should I use?
Schema         | Schema snap-in
Domain Naming  | AD Domains and Trusts snap-in
RID            | AD Users and Computers snap-in
PDC Emulator   | AD Users and Computers snap-in
Infrastructure | AD Users and Computers snap-in
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
... Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll
... Press the Close button.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?,
and then press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you
want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER
again.
fsmo maintenance: Select operation target
select operation target:
7. At the select operation target: prompt, type List roles for connected server, and then press
ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
8. Type q 3 times to exit the Ntdsutil prompt.
Note: You can download THIS nice batch file that will do all this for you (1k).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows
7/24/2019 Microsoft Windows Servers 2003 kc.docx
53/162
... security. In Windows
Windows Server 2003 domain functional level
The Active Directory domain features that are available in Windows
The Active Directory domain features that are available in Windows
The Active Directory domain features that are available in Windows Server
Distribution group nesting
Security group nesting
Universal Groups
Group conversion between Security Groups and Distribution Groups
Global Catalog support
SID History
Up to 1,000,000 domain objects are supported
Renaming domain controllers
Update logon timestamp
Users/Computers container redirection
Constrained delegation
User password support on the inetOrgPerson object
How to check which domain functional level is set for the domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current domain functional level.
How to raise the domain functional level to the Windows 2000 native domain functional
level or Windows Server 2003 domain functional level
Before you can raise the domain functional level to Windows Server
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
5. Click Raise.
6. Click OK.
Forest Functional Levels
While Window
Improved Knowledge Consistency Checker (KCC) replication algorithms
Application groups
inetOrgPerson objectClass
NTDS.DIT size reduction
Windows Server 2003 Interim Forest Functional Level
Domain controllers in a domain running Windows NT 4 and Windows Server
Dynamic auxiliary classes
Application groups
inetOrgPerson objectClass
NTDS.DIT size reduction
Windows Server 2003 Forest Functional Level
All domain controllers in the forest have to be running Windows Server
2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. You can view the existing forest functional level for the forest in Current forest functional level.
How to raise the forest functional level to Windows Server 2003 forest functional level
Each domain controller in the forest has to be running Windows Server
62/162
Groups are containers that contain user and computer objects within them as members. When
security permissions are set for a group in the Access Control List on a resource, all members
of that group receive those permissions. Domain Groups enable centralized administration in
a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group
scopes. The group type determines the type of task that you manage with the group. The
group scope determines whether the group can have members from multiple domains or a
single domain.
Group Types
Security groups: Use Security groups for granting permissions to gain access to resources. Sending an email message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending email messages to groups of users. You cannot grant permissions to distribution groups.
Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
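The type and scope rules above decide two things an access review cares about: whether a group can appear in an ACL at all, and whether a given nesting is even possible. The following added example (not code from the original document or from Active Directory) encodes the rules stated above for security versus distribution groups and for universal groups, and, as a labelled generalization, the standard membership rules for global and domain local groups in mixed and native/2003 functional levels. Domain names and group names are constructed.

```python
"""Group type and scope rules. Added example, not from the original document.
The universal-group and type rules follow the text above; the global and
domain-local rules are the standard AD nesting rules (a generalization)."""
from __future__ import annotations
from dataclasses import dataclass

# Functional levels in which universal security groups and group nesting are available.
NATIVE_LEVELS = {"windows 2000 native", "windows server 2003"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: str = "account"          # account | global | domain local | universal
    group_type: str = "security"    # security | distribution (ignored for accounts)


def can_grant_permissions(group: Principal) -> bool:
    """Only security groups can be granted permissions on a resource."""
    return group.scope != "account" and group.group_type == "security"


def can_be_member(member: Principal, group: Principal, level: str) -> bool:
    """Can `member` be nested in / added to `group` at the given domain functional level?"""
    native = level.lower() in NATIVE_LEVELS
    same_domain = member.domain == group.domain
    if group.scope == "universal":
        # Universal security groups need a Windows 2000 native or 2003 level domain;
        # members may be accounts, global or universal groups from any domain.
        if group.group_type == "security" and not native:
            return False
        return member.scope in ("account", "global", "universal")
    if group.scope == "global":
        # Global groups hold only members from their own domain; global-in-global
        # nesting is a native-mode feature.
        if not same_domain:
            return False
        return member.scope == "account" or (native and member.scope == "global")
    if group.scope == "domain local":
        if member.scope in ("account", "global"):
            return True
        if member.scope == "universal":
            return native
        if member.scope == "domain local":
            return native and same_domain
    return False


def membership_problems(pairs, level: str) -> list[str]:
    """Report every (member, group) pair that the rules reject."""
    return [f"{m.name}@{m.domain} cannot be a member of {g.name}@{g.domain}"
            for m, g in pairs if not can_be_member(m, g, level)]


# Constructed principals in two domains of one forest.
ALICE = Principal("alice", "a.example")
BOB = Principal("bob", "b.example")
SALES_ALL = Principal("Sales-All", "a.example", "universal")
SALES_A = Principal("Sales-A", "a.example", "global")
RES_READ_B = Principal("Res-Read", "b.example", "domain local")
NEWS_LIST = Principal("News", "a.example", "universal", "distribution")
```

With the 2003 functional level the universal group can take members from both domains and can itself be nested under the domain local group in the other domain, exactly as the text describes; under Windows 2000 mixed the same nesting is rejected, and the distribution list can never be granted permissions.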
$$$$$$$$$$$$$$$$$$$$$$
Windows Server 2003 NTDSutil Guide
NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a
command-line tool that provides management facilities for Active Directory. Use Ntdsutil to
perform database maintenance of Active Directory, to manage and control single master
operations, and to remove metadata left behind by domain controllers that were removed
from the network without being properly uninstalled. By default, Ntdsutil is installed in the
Winnt\System32 folder.
Preparation for NTDSutil
Begin by logging on at a Windows Server
Roles & FSMO Maintenance. Which Domain Controller has which Single Operations
Master? Seize roles such as PDC Emulator. Good news, for once you do get a message
detailing the transfer you are about to make. My advice is to use Roles in conjunction with
netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying
who holds which FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Service account password,
then here is your chance to reset it to a password that you will remember.
Security Account Management. Check for duplicate SIDs.
Example 1: Security Account Management (Maintenance)
Let us start gently and check for duplicate SIDs. This experiment is more for gaining
experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This
is what I typed at the command prompt; my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server Server3
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
1) In the above session I typed the full command security account management. However,
you can shorten commands thus: 'sec acc man'
Incidentally, I am inventing these shorthand commands, in the sense that NTDSutil also
understands:
sec ac ma, or even 'secu a m'. NTDSutil's brain works by analysing your letters and if there is
only one possible interpretation then it fills in the gaps and returns the service that you asked
for. For example, plain 'se' will not work because there is another command which begins
with se: Semantic....
7/24/2019 Microsoft Windows Servers 2003 kc.docx
65/162
Example 2: Reset password for DSRM (Directory Services Restore Mode)
Here is where I challenge you to perform a real task. Once upon a time, when your Windows
server
It is best to avoid seizing roles. The decision to seize an operations master role depends upon
the role and the expected length of the outage.
Primary Domain Controller Emulator Failures
The loss of a domain controller that is the primary domain controller emulator role can be
visible to any user, either users or administrators. Specifically, an end user running Windows
NT Workstation 3.51 or Windows NT 4.0, Windows 95 or Windows 98 without the Active
Directory client cannot change their password without communicating with the
primary domain controller emulator. If the user's password has expired, the user is not able to
log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If
the primary domain controller emulator is offline for a significant period of time and the
domain has users running Windows NT Workstation 3.51 or Windows NT 4.0, Windows 95
or Windows 98 without the Active Directory client, or domain controllers running earlier
versions of Windows NT, you should seize the primary domain controller emulator role to the
"standby operations master" domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know the current primary domain controller emulator will be offline for a significant
period. Later, when the original primary domain controller emulator domain controller comes
back online, transfer the role back to the original role owner.
Infrastructure Master Failures
Temporary loss of a domain's infrastructure master is not visible to end users and is not
visible to you as an administrator unless you recently moved or renamed a large number of
accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a
problem worth fixing. If you anticipate a long outage of a domain's infrastructure master and
you need to repair it, first select a domain controller that is not a Global Catalog server and
that has good network connectivity to a Global Catalog server located in any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global
Catalog server. It is not important that the new infrastructure master be near the previous one.
When you have selected the domain controller, seize the infrastructure master role to
this domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know that the current infrastructure master will be offline for a very long period. Later,
when the original infrastructure master comes back online, transfer the role back to the
original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not
visible to end users and does not usually inhibit your work as an administrator. Therefore,
this is usually not a problem worth fixing. However, if you anticipate an extremely long
outage of the domain controller holding one of these roles, you can seize that role to the
"standby operations master" domain controller.
But seizing any of these roles is a drastic step; one that you would take only when the outage
is permanent, as in the case when a domain controller is physically destroyed and cannot be
restored from backup media. A domain controller whose schema master, domain
naming master, or RID master role is seized must never come back online. Before proceeding
with the role seizure, you must ensure that the outage of this domain controller is permanent
by physically disconnecting the domain controller from the network.
The domain controller that seizes the role should be fully up-to-date with respect to updates
performed on the previous role owner. Because of replication latency, it is possible that
the domain controller might not be up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin command-
line tool. The Repadmin command-line tool is a Resource Kit tool that performs replication
diagnostics. It is available on the Microsoft Windows
... server10, or use the Repadmin tool's /sync /force commands to make the replication happen
immediately.
After you have determined that the role owner is fully up-to-date, you can seize the
operations master role using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server10.reskit.com
Binding to server10.reskit.com
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server "server10.reskit.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=server1
When you use the Ntdsutil command-line tool to seize an operations master role, the tool
attempts a transfer from the current role owner first. Then, if the existing operations master is
unavailable, it performs the seizure. The Ntdsutil tool provides help information when you
type a question mark (?). The following is an example showing the transfer of the domain
naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
 ?                              - Print this help information
 Authoritative restore          - Authoritatively restore the DIT database
 Domain management              - Prepare for new domain creation
 Files                          - Manage NTDS database files
 Help                           - Print this help information
 IPDeny List                    - Manage LDAP IP Deny List
 LDAP policies                  - Manage LDAP protocol policies
 Metadata cleanup               - Clean up objects of decommissioned servers
 Popups %s                      - (en/dis)able popups with "on" or "off"
 Quit                           - Quit the utility
 Roles                          - Manage NTDS role owner tokens
 Security account management    - Manage Security Account Database - Duplicate SID
                                  Cleanup
 Semantic database analysis     - Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
 ?                              - Print this help information
 Connections                    - Connect to a specific domain controller
 Help                           - Print this help information
 Quit                           - Return to the prior menu
 Seize domain naming master     - Overwrite domain role on connected server
 Seize infrastructure master    - Overwrite infrastructure role on connected server
 Seize PDC                      - Overwrite PDC role on connected server
 Seize RID master               - Overwrite RID role on connected server
 Seize schema master            - Overwrite schema role on connected server
 Select operation target        - Select sites, servers, domains, roles and Naming Contexts
 Transfer domain naming master  - Make connected server the domain naming master
 Transfer infrastructure master - Make connected server the infrastructure master
 Transfer PDC                   - Make connected server the PDC
 Transfer RID master            - Make connected server the RID master
 Transfer schema master         - Make connected server the schema master
fsmo maintenance: connections
server connections: ?
 ?                              - Print this help information
 Clear creds                    - Clear prior connection credentials
 Connect to domain %s           - Connect to DNS domain name
 Connect to server %s           - Connect to server, DNS name or IP address
 Help                           - Print this help information
 Info                           - Show connection information
 Quit                           - Return to the prior menu
 Set creds %s %s %s             - Set connection creds as domain, user, pwd.
                                  Use "NULL" for null password
server connections: connect to server reskit1
Binding to reskit1
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server "reskit1" knows about 5 roles
Schema - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1
C:\>
In the previous example, the available Ntdsutil tool commands display after entering a
question mark (?). To transfer an operations master role, the roles command is entered, which
displays the fsmo maintenance menu. Entering a question mark (?) displays the
subcommands within the fsmo maintenance menu. Before transferring the operations master
role, you must connect to the domain controller that will receive the role ("reskit1" in the
example above) by entering the connect to server subcommand. Then, after leaving the server
connections mode by entering "quit", issue the transfer domain naming master command. A
confirmation pop-up window (not shown) displays for the transfer domain naming master
operation.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more
information about controlling access to operations master role placements, see "Controlling
Access to Role Placements" later in this chapter.
It is also possible to view the current operations master role owner using the Ntdsutil
command-line tool from the Select Operation Target menu located under the Roles option. By
using the List roles for connected server command, a list displays of all of the current
operations master role owners.
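Both role listings shown on this page (the "knows about 5 roles" output in Method #3 and the one printed during the seize and transfer examples above) have the same shape: one line per role with the DN of the holder's NTDS Settings object, from which the server and site names can be read. The following added example, not code from the original document or from Ntdsutil, parses such a listing into a role-to-holder map, groups the roles by server so you can see which DCs must stay healthy, and applies the placement check from the infrastructure master discussion above (an infrastructure master that is also a GC while other DCs are not). The sample listing is constructed after the reskit.com example above.

```python
"""Parse ntdsutil's 'knows about 5 roles' listing into role holders.
Added example, not from the original document or from Ntdsutil; the sample
output is constructed after the reskit.com listing shown above."""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE = """\
Server "server10.reskit.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
"""

ALL_ROLES = {"Schema", "Domain", "PDC", "RID", "Infrastructure"}
ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(CN=.*)$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs; a '\\,' inside a value is not a separator."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.replace("\\,", ",")))
    return pairs


def parse_roles(output: str) -> dict[str, tuple[str, str]]:
    """Map each FSMO role to (server, site) taken from the holder's NTDS Settings DN."""
    roles = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if not m:
            continue                    # the 'Server "..." knows about' header and prompts
        role, dn = m.groups()
        # Expected layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        cns = [v for a, v in parse_dn(dn) if a.upper() == "CN"]
        if len(cns) < 5 or cns[0] != "NTDS Settings" or cns[2] != "Servers" or cns[4] != "Sites":
            raise ValueError(f"unexpected DN for {role}: {dn}")
        roles[role] = (cns[1], cns[3])
    missing = ALL_ROLES - roles.keys()
    if missing:
        raise ValueError(f"listing lacks roles: {sorted(missing)}")
    return roles


def holders(roles: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Roles grouped by holding server, sorted, for a quick 'who must not fail' view."""
    by_server: dict[str, list[str]] = defaultdict(list)
    for role, (server, _site) in roles.items():
        by_server[server].append(role)
    return {s: sorted(r) for s, r in by_server.items()}


def infrastructure_master_warning(roles, global_catalogs, all_dcs) -> str | None:
    """The placement concern from the text above: the infrastructure master should
    not be a GC unless every DC is a GC. Returns None when placement is fine."""
    server, _site = roles["Infrastructure"]
    non_gc = sorted(set(all_dcs) - set(global_catalogs))
    if server in global_catalogs and non_gc:
        return f"{server} holds Infrastructure and is a GC while {non_gc} are not"
    return None


if __name__ == "__main__":
    found = parse_roles(SAMPLE)
    print(holders(found))
    print(infrastructure_master_warning(found, {"server10"}, {"server04", "server10"}))
```

The parser refuses a listing that is missing a role or whose DN does not have the NTDS Settings layout, so a truncated capture (as at the end of the seize example above) is reported rather than silently yielding four holders.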
For more information about using the Ntdsutil command-line tool, see Windows
Outgoing Trust: In this case, users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access any resources in the other domain.
o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, then Domain2 trusts Domain1. The trust basically works both ways, and users in each domain are able to access network resources in either one of the domains. A two-way, transitive trust relationship is the trust that exists between parent domains and child domains in a domain tree. In a two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts Domain3, then Domain1 would trust Domain3 and Domain3 would trust Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is automatically created and exists between top-level domains in a forest.
Trusts can be implicit or explicit trusts:
o Implicit: Automatically created trust relationships are called implicit trust. An example of implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent and child domains.
o
Forest trust: Forest trust can be created between two Active Directory forests.
$$$$$$$$$$$$$$$$$$
Planning Considerations for Trust Relationships
Tree-root trust and Parent-child trust are implicitly created by Active Directory when new
domains are created. What this means is that you do not need to explicitly create these trusts,
nor do you have to perform any configuration or management tasks for the trust relationships.
Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child
trust in that the former four trusts have to be explicitly created and managed. Because of the
different types of trust relationships that can be created, you need to plan which type of trust
relationship to create for the domains within your Active Directory environment.
Shortcut Trust
Before you can create any shortcut trusts, you must be a member of the Enterprise Admin or
Domain Admin groups in each domain in the forest. Another requirement is that the domains
you are creating shortcut trust for are Windows Server
In order to create realm trust, you should have Enterprise Admin or Domain Admin
permissions for the Windows Server
Introduction
This document is part of a set of step-by-step guides that introduce IT managers and system
administrators to the features of the Windows
Administrative templates. These include registry-based Group Policy, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications.
Security settings. You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.
Software installation. You can use the Software Installation snap-in to centrally manage software in your organization. You can assign and publish software to users and assign software to computers.
Scripts. You can use scripts to automate computer startup and shutdown and user logon and logoff. You can use any language supported by Windows Script Host. These include the Microsoft Visual Basic development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS-style batch files (.bat and .cmd).
Remote Installation Services. You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
Internet Explorer Ma You use Internet
Figure 1: The Hierarchy of Group Policy and the Active Directory
Group Policy objects are linked to site, domain, and OU containers in the Active Directory.
The default order of precedence follows the hierarchical nature of the Active Directory: sites
are first, then domains, and then each OU. A GPO can be associated with more than one
Active Directory container, or multiple containers can be linked to a single GPO.
Prerequisites and Initial Configuration
Prerequisites
This Software Installation and Maintenance document is based on Step-by-Step to a Common Infrastructure for Windows
snap-in for setting the scope of management to domain and organizational units (OUs). You can also use the Active Directory Sites and Services snap-in to set the scope of management to a site. These two tools can be accessed from the Administrative Tools program group; the Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a custom MMC console as described in the next section.
Configuring a Custom Console
The examples in this document use the custom MMC console that you can create by following the procedure in this section. You need to create this custom console before attempting the remaining procedures in this document.
Note: If you want more experience building MMC consoles, run through the procedures outlined in Step-by-Step Guide to Microsoft Management Console.
To configure a custom console
Log on to the HQ-RES-DC-01 domain controller server as an administrator.
Click Start, click Run, type mmc, and then click OK.
On the Console menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box, click Active Directory Users and Computers, and then click Add.
Double-click Active Directory Sites and Services snap-in from the Available standalone snap-ins list box.
In the Available standalone snap-ins list box, double-click Group Policy.
In the Select Group Policy object dialog box, Local computer is selected under Group Policy object. Click Finish to edit the local Group Policy object. Click Close in the Add standalone snap-in dialog box.
In the Add/Remove Snap-in dialog box, click the Extensions tab.
In the MMC console, on the Console menu, click Save.
In the Save As dialog box, in the File name text box, type GPWalkthrough, and then click Save.
The console should appear as in Figure 2 below:
Figure 2: Group Policy MMC Console
Accessing Group Policy
You can use the appropriate Active Directory tools to access Group Policy while focused on any site, domain, or OU.
To open Group Policy from Active Directory Sites and Services
In the GPWalkthrough MMC console, in the console tree, click the
Scoping a Domain or OU
To scope the domain or OU, use the GPWalkthrough MMC console that you saved earlier.
To scope Group Policy for a domain or OU
Click Start, point to Programs, click Administrative Tools, and click GPWalkthrough to open the MMC console you created earlier.
Click the + next to Active Directory Users and Computers to expand the tree.
Click the
Scoping Local or Remote Computers
To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to the MMC console and focus it on a remote or local computer. To access Group Policy for the local computer, use the GPWalkthrough console created earlier in this document and choose the Local Computer Policy node. You can add other computers to the console namespace by adding another Group Policy snap-in to the GPWalkthrough console and clicking the Browse button when the Select Group Policy object dialog box is displayed.
Note: Some of the Group Policy extensions are not loaded when Group Policy is run against a local GPO.
Creating a Group Policy Object
The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units (OUs).
To create a Group Policy Object (GPO)
Open the GPWalkthrough MMC console.
Click the [...] Headquarters Properties page, click the Group Policy tab.
Click New, and type HQ Policy.
The Headquarters Properties page should appear as in Figure 3 below:
Figure 3: Headquarters Properties
At this point, you could add another GPO for the Headquarters OU, giving each one that you create a meaningful name, or you could edit the HQ Policy GPO, which starts the Group Policy snap-in for that GPO. All Group Policy functionality is derived from the snap-in extensions. In this exercise, all of these extensions are enabled. It is possible, using standard MMC methods, to restrict the extension snap-ins that are loaded for any given snap-in. For information on this capability, see the Windows
snap-in, which is how the GPO is modified. This is described in more detail later in this document.
To permanently delete a GPO from the list, select it from the list and click the Delete button. Then, when prompted, select Remove the link and delete the Group Policy object permanently. Be careful when deleting an object, because the GPO may be associated with another site, domain, or OU. If you want to remove a GPO from the list, select the GPO from the links list, click Delete, and then when prompted, select Remove the link from the list.
To determine what other sites, domains, or OUs are associated with a given GPO, right-click the GPO, select Properties from the context menu, and then click the Links tab in the GPO Properties page.
The No override check column marks the selected GPO as one whose policies cannot be overridden by another GPO.
Note: You can enable the No Override property on more than one GPO. All GPOs that are marked as No override will take precedence over all other GPOs not marked. Of those GPOs marked as No override, the GPO with the highest priority will be applied after all the other similarly marked GPOs.
The Disabled check box simply disables (deactivates) the GPO without removing it from the list. To remove a GPO from the list, select the GPO from the links list, click Delete, and then select Remove the link from the list in the Delete dialog box.
It is also possible to disable only the User or Computer portion of the GPO. To do this, right-click the GPO, click Properties, click either Disable computer configuration settings or Disable user configuration settings, and then click OK. These options are available on the GPO Properties page, on the General tab.
The Block policy inheritance check box has the effect of negating all GPOs that exist higher in the hierarchy. However, it cannot block any GPOs that are enforced by using the No override check box; those GPOs are always applied.
Note: Policy settings contained within the local GPO that are not specifically overridden by domain-based policy settings are also always applied. Block Policy Inheritance at any level will not remove local policy.
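The precedence rules just described (site, then domain, then OU; later links win; No override links beat everything else; Block policy inheritance drops inherited links but never the local GPO; Disabled links are skipped) are easy to misjudge when auditing why a setting reached a workstation. The following Python model is an added example written for this page, not a Microsoft tool: the GPO names, containers, and settings are constructed, and the reskit.com / Accounts / Headquarters names only mirror the walkthrough. It goes one step beyond the page by encoding the Windows rule that, when No override links exist at more than one level, the one linked higher in the hierarchy wins.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    """A Group Policy Object as it appears in a container's links list (constructed model)."""
    name: str
    settings: Dict[str, object]      # policy name -> value it mandates
    enforced: bool = False           # the "No override" check box
    disabled: bool = False           # the "Disabled" check box


@dataclass
class Container:
    """A site, domain or OU with its ordered GPO links (index 0 = highest priority)."""
    name: str
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False  # the "Block policy inheritance" check box


def resolve(local_gpo: GPO, chain: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (effective settings, winning GPO per setting) for the target at the end of chain.

    chain lists the containers from the site down to the OU holding the user or
    computer. GPOs apply local -> site -> domain -> OUs; a setting applied later
    replaces the same setting applied earlier.
    """
    # Block policy inheritance discards every non-enforced link above the deepest
    # container that sets it. The local GPO is never blocked.
    block_from = 0
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            block_from = depth

    ordinary: List[GPO] = []
    for depth, container in enumerate(chain):
        if depth < block_from:
            continue
        # Lower-priority links are applied first so the top link in the list wins.
        for gpo in reversed(container.links):
            if not gpo.disabled and not gpo.enforced:
                ordinary.append(gpo)

    # No override (enforced) links are applied after everything else, so nothing
    # below can override them and Block policy inheritance does not stop them.
    # Walking the chain bottom-up makes an enforced link higher in the hierarchy
    # win over an enforced link lower down (Windows behaviour, not stated on the page).
    enforced: List[GPO] = []
    for container in reversed(chain):
        for gpo in reversed(container.links):
            if not gpo.disabled and gpo.enforced:
                enforced.append(gpo)

    effective: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    for gpo in [local_gpo] + ordinary + enforced:
        for setting, value in gpo.settings.items():
            effective[setting] = value
            winner[setting] = gpo.name
    return effective, winner


# Constructed sample: the reskit.com / Accounts / Headquarters layout of the
# walkthrough, with made-up GPO names and settings.
LOCAL_GPO = GPO("Local Computer Policy", {"ScreenSaverTimeout": 1800, "RemoveRunMenu": False})


def example_chain(block_inheritance: bool) -> List[Container]:
    site = Container("Default-First-Site-Name", [
        GPO("Site Policy", {"ScreenSaverTimeout": 900, "SlowLinkDetection": True}),
    ])
    domain = Container("reskit.com", [
        GPO("Domain Lockdown", {"DisableRegistryTools": True}, enforced=True),
        GPO("Default Domain Policy", {"ScreenSaverTimeout": 600, "DisableCMD": True}),
    ])
    accounts = Container("Accounts", [GPO("Accounts Policy", {"RemoveRunMenu": True})],
                         block_inheritance=block_inheritance)
    headquarters = Container("Headquarters", [
        GPO("HQ Policy", {"ScreenSaverTimeout": 300, "DisableRegistryTools": False}),
    ])
    return [site, domain, accounts, headquarters]


if __name__ == "__main__":
    for block in (True, False):
        effective, winner = resolve(LOCAL_GPO, example_chain(block))
        print(f"Block policy inheritance on Accounts = {block}")
        for setting in sorted(effective):
            print(f"  {setting:22} = {str(effective[setting]):6} (from {winner[setting]})")
```

Running it with Block policy inheritance set on the Accounts OU shows the site and Default Domain Policy settings vanish, the local GPO still contributes, and the enforced Domain Lockdown GPO overrides the HQ Policy value for DisableRegistryTools even though HQ Policy is linked lower and applied later among the ordinary links.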
Editing a Group Policy Object
You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01 server as an Administrator if you have not already done so.
To edit a Group Policy Object (GPO)
Click Start, point to Programs, click Administrative Tools, and then select GPWalkthrough.
Click the [...] Headquarters, select Properties, and then click the Group Policy tab. HQ Policy in the Group Policy object links list box should be highlighted.
Double-click the HQ Policy GPO (or click Edit).
This opens the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to the OU named Headquarters. It should appear as in Figure 4 below:
Figure 4: HQ Policy
Adding or Browsing a Group Policy Object
The Add a Group Policy Object Link dialog box shows GPOs currently associated with domains, OUs, sites, or all GPOs without regard to their current associations (links). The Add a Group Policy Object Link dialog box is shown in Figure 5 below.
Figure 5: Add a Group Policy Object Link
GPOs are stored in each domain. The Look in drop-down box allows you to select a different domain to view.
In the Domains/OUs tab, the list box displays the sub-OUs and GPOs for the currently selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one level toolbar button.
To add a GPO to the currently selected domain or OU, either double-click the object, or select it and click OK.
Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open space, and selecting New on the context menu, or by using the Create New GPO toolbar button. The Create New GPO toolbar button is only active in the All tab. To create a new GPO and link it to a particular site, domain, or OU, use the New button on the Group Policy Property page.
Note: It is possible to create two or more GPOs with the same name. This is by design and is because the GPOs are actually stored as GUIDs and the name shown is a friendly name stored in the Active Directory.
In the Sites tab, all GPOs associated with the selected site are displayed. Use the drop-down list to select another site. There is no hierarchy of sites.
The All tab shows a flat list of all GPOs that are stored in the selected domain. This is useful when you want to select a GPO that you know by name, rather than where it is currently associated. This is also the only place to create a GPO that does not have a link to a site, domain, or OU.
To create an unlinked GPO, access the Add a Group Policy Link dialog box from any site, domain, or OU. Click the All tab, select the toolbar button or right-click the white space, and select New. Name the new GPO, and click Enter, and then click Cancel; do not click OK. Clicking OK links the new GPO to the current site, domain, or OU. Clicking Cancel creates an unlinked GPO.
Registry-based Policies
The user interface for registry-based policies is controlled by using Administrative Template (.adm) files. These files describe the user interface that is displayed in the Administrative Templates node of the Group Policy snap-in. These files are format-compatible with the .adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0. With Windows
Windows [...] Configuration\Administrative Templates under the System\Group Policy nodes. If you set this policy to Enabled, the Show policies only command is turned on and administrators cannot turn it off, and the Group Policy snap-in displays only true policies. If you set this policy to Disabled or Not configured, the Show policies only command is turned on by default; however, you can view preferences by turning off the Show policies only command. To view preferences, you must turn off the Show policies only command, which you access by selecting the Administrative Templates node (under either User Configuration or Computer Configuration nodes) and then clicking the View menu on the Group Policy console and clearing the Show policies only check box. Note that it is not possible for the selected state for this policy to persist; that is, there is no preference for this policy setting.
In Group Policy, preferences are indicated by a red icon to distinguish them from true policies, which are indicated by a blue icon.
Use of non-policies within the Group Policy infrastructure is strongly discouraged because of the persistent registry settings behavior mentioned previously. To set registry policies on Windows NT 4.0, Windows 95, and Windows 98 clients, use the Windows NT 4.0 System Policy Editor tool, Poledit.exe.
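What separates a true policy from a preference in an .adm template is the registry location it writes to: settings under Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies (below HKCU or HKLM) are true policies and are removed when the GPO no longer applies, while settings written anywhere else persist in the registry, which is the behavior the paragraph above warns about. The following Python script is an added example written for this page, not part of any Microsoft tool: it parses a small constructed .adm template (the Contoso vendor, categories and value names are made up) and flags every POLICY whose KEYNAME falls outside the policy keys, so that a template can be reviewed for preferences before it is loaded into a GPO through Add/Remove Templates.

```python
import re
from typing import Dict, List

# Registry subtrees (below HKCU or HKLM) reserved for true policies. Values written
# there are cleaned up when the GPO no longer applies; values written anywhere else
# are preferences and stay in the registry after the GPO is gone.
POLICY_KEY_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)

# Constructed sample template (made-up vendor and settings): one true policy and one
# preference whose KEYNAME is inherited from its CATEGORY.
SAMPLE_ADM = r"""
CLASS USER
CATEGORY !!Contoso
  POLICY !!NoRun
    KEYNAME "Software\Policies\Contoso\Shell"
    VALUENAME "NoRun"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  CATEGORY !!Desktop
    KEYNAME "Software\Contoso\Desktop"
    POLICY !!Wallpaper
      VALUENAME "Wallpaper"
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
Contoso="Contoso settings"
NoRun="Remove Run from Start menu"
Desktop="Desktop"
Wallpaper="Corporate wallpaper"
"""


def is_policy_key(keyname: str) -> bool:
    """True if keyname lies under one of the reserved policy subtrees."""
    key = keyname.strip("\\").lower()
    return any(key == p or key.startswith(p + "\\") for p in POLICY_KEY_PREFIXES)


def parse_adm(text: str) -> List[Dict[str, str]]:
    """Extract every POLICY with its hive, category path, KEYNAME and VALUENAME.
    Handles CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME, END and [strings]; PART
    blocks and the other keywords are skipped."""
    head, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*([^=\s]+)="(.*)"\s*$', tail, re.M))

    def resolve(token: str) -> str:
        token = token.strip()
        if token.startswith("!!"):  # reference into the [strings] section
            return strings.get(token[2:], token)
        return token.strip('"')

    entries: List[Dict[str, str]] = []
    hive, policy = "HKCU", None
    categories: List[str] = []
    inherited_keys: List[str] = []  # KEYNAME given at CATEGORY level, one per open category
    for raw in head.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        keyword, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if keyword == "CLASS":
            hive = "HKLM" if arg.strip().upper() == "MACHINE" else "HKCU"
        elif keyword == "CATEGORY":
            categories.append(resolve(arg))
            inherited_keys.append(inherited_keys[-1] if inherited_keys else "")
        elif keyword == "POLICY":
            policy = {"hive": hive, "category": "/".join(categories), "name": resolve(arg),
                      "keyname": inherited_keys[-1] if inherited_keys else "", "valuename": ""}
        elif keyword == "KEYNAME":
            if policy is not None:
                policy["keyname"] = resolve(arg)
            elif inherited_keys:
                inherited_keys[-1] = resolve(arg)
        elif keyword == "VALUENAME" and policy is not None:
            policy["valuename"] = resolve(arg)
        elif keyword == "END":
            what = arg.strip().upper()
            if what == "POLICY" and policy is not None:
                entries.append(policy)
                policy = None
            elif what == "CATEGORY" and categories:
                categories.pop()
                inherited_keys.pop()
    return entries


def find_preferences(text: str) -> List[str]:
    """Names of POLICY entries that write outside the policy keys, i.e. preferences."""
    return [e["name"] for e in parse_adm(text) if not is_policy_key(e["keyname"])]


if __name__ == "__main__":
    for e in parse_adm(SAMPLE_ADM):
        kind = "policy    " if is_policy_key(e["keyname"]) else "PREFERENCE"
        print(f"{kind} {e['hive']}\\{e['keyname']}\\{e['valuename']}  ({e['name']})")
```

Pointing the script at a real template copied from %systemroot%\inf works the same way; a template that reports no preferences will only show blue (true policy) icons under Administrative Templates, while each flagged entry is one that would appear red and would tattoo the client registry.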
By default, the System.adm, Inetres.adm, and Conf.adm files are loaded and present this namespace as shown in Figure 6 below:
Figure 6: User Configuration
The .adm files include the following settings:
System.adm: Operating system settings
Inetres.adm: Internet
o Right-click Administrative Templates, and select Add/Remove Templates. This shows a list of the currently active templates files for this Active Directory container.
o Click Add. This shows a list of the available .adm files in the %systemroot%\inf directory of the computer where Group Policy is being run. You can choose an .adm file from another location. Once chosen, the .adm file is copied into the GPO.
To set registry-based settings using administrative templates
o In the GPWalkthrough console, double-click Active Directory Users and Computers, double-click the reskit.com domain, double-click Accounts, right-click the Headquarters OU, and then click Properties.
o In the Headquarters Properties dialog box, click Group Policy.
o Double-click the HQ Policy GPO from the Group Policy object links list to edit the HQ Policy GPO.
o In the Group Policy console, under the User Configuration node, click the plus sign (
Note the Previous Policy and Next Policy buttons in the dialog box. You can use these buttons to navigate the details pane to set the state of other policies. You can also leave the dialog box open and click another policy in the details pane of the Group Policy snap-in. After the details pane has the focus, you can use the Up and Down arrow keys on the keyboard and press Enter to quickly browse through the settings (or Explain tabs) for each policy in the selected node.
o Click OK. Note the change in state in the Setting column, in the details pane. This change is immediate; it has been saved to