
What is Active Directory?

Active Directory is an implementation of LDAP directory services by Microsoft for use in Windows environments. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized, accessible database.

1. What is schema?
a) A schema is a data model, specifically a logical schema, for organizing the data contained in entries in a directory service, database, or application, such as an address book. In a white pages directory, each entry typically represents an individual person that makes use of network resources, such as by receiving email or having an account to log into a system. In some environments, the schema may also include the representation of organizational divisions, roles, groups, and devices.

2. Why FSMO roles?
a) FSMO roles are responsible for updating certain aspects of Active Directory. By making designated servers responsible for certain updates, instead of allowing every server to make all updates, you prevent conflicts in Active Directory updates.

3. What are the FSMO roles?
a) The 5 FSMO server roles:

Role                   Level          Count
Schema Master          Forest level   One per forest
Domain Naming Master   Forest level   One per forest
PDC Emulator           Domain level   One per domain
RID Master             Domain level   One per domain
Infrastructure Master  Domain level   One per domain

3. What are the activities of the FSMO roles?

1. Schema Master (Forest level)
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

2. Domain Naming Master (Forest level)
The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

3. PDC Emulator (Domain level)
The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. The PDC emulator server role performs the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.
There is only one PDC emulator per domain.

4. RID Master (Domain level)
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

5. Infrastructure Master (Domain level)
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change. There is only one Infrastructure master per domain.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool.

4. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

5. What permissions do you require if you want to move these roles?
Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

Role                   Required membership
Schema Master          member of the Schema Admins group
Domain Naming Master   member of the Enterprise Admins group
PDC Emulator           member of the Domain Admins group and/or the Enterprise Admins group
RID Master             member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master  member of the Domain Admins group and/or the Enterprise Admins group
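As an added example (not part of the original document), the following PowerShell lists the current FSMO role holders and checks the caller's group membership against the table above before transferring a role with the ActiveDirectory module; the role name and target DC are assumed values.

```powershell
# Added example, not from the original document: list the current FSMO role
# holders and verify the caller's group membership against the table above
# before transferring a role. Needs the ActiveDirectory module (RSAT/AD DS).
# $Role and $TargetDc below are assumed values.
Import-Module ActiveDirectory

# Required group membership per role, as stated in the document.
$RequiredGroups = @{
    SchemaMaster         = @('Schema Admins')
    DomainNamingMaster   = @('Enterprise Admins')
    PDCEmulator          = @('Domain Admins', 'Enterprise Admins')
    RIDMaster            = @('Domain Admins', 'Enterprise Admins')
    InfrastructureMaster = @('Domain Admins', 'Enterprise Admins')
}

function Get-FsmoHolders {
    # Forest-level roles live on the forest object, domain-level roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoTransferPermission {
    param([Parameter(Mandatory)][string]$Role)
    # Direct group memberships of the caller (nested membership is not expanded here).
    $groups = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME).Name
    $needed = $RequiredGroups[$Role]
    $ok = @($needed | Where-Object { $groups -contains $_ }).Count -gt 0
    [pscustomobject]@{ Role = $Role; Allowed = $ok; Required = ($needed -join ' or ') }
}

# Usage with assumed values. Schema Admins is normally kept empty; add an account
# only for the duration of a schema change and remove it afterwards.
Get-FsmoHolders | Format-Table -AutoSize
$Role     = 'PDCEmulator'
$TargetDc = 'DC02'     # assumed name of the DC that should receive the role

$check = Test-FsmoTransferPermission -Role $Role
if ($check.Allowed) {
    # Transfer, not seize: the current holder must be online. Add -Force only to
    # seize a role from a DC that is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
} else {
    Write-Warning "Transfer of $Role refused: caller is not a member of $($check.Required)."
}
```

The same transfer can be done with Ntdsutil.exe or the MMC snap-ins mentioned above; the membership check here only reflects direct group membership.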

Forest Preparation: With forest preparation the schema is extended in the forest root to cater to the addition of domains and the installation of Exchange 2003 into the forest.

Domain Preparation: The domain preparation creates the groups and permissions in Active Directory necessary for Exchange operation.

Global Catalog: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest.

Exchange core services:
- Exchange System Attendant
- IIS Admin service
- Exchange Information Store
- SMTP service

RUS (Recipient Update Service)

The Exchange Recipient Update Service is the Exchange component which is responsible for managing the Exchange Server proxy e-mail addresses and for creating and updating e-mail addresses for Exchange Server recipients and Exchange core components. There is one RUS service in every domain where Exchange is installed and one Exchange Recipient Update Service for the Enterprise Configuration (the whole Exchange Organization).

IIS Admin service

The IIS Admin service (IIS Admin) manages the IIS Metabase and updates the registry for the following services:
- WWW service
- FTP service
- SMTP service
- POP3 service
- IMAP4 service
- NNTP service

IIS reset (iisreset) parameters:
/restart: Use this parameter to stop and restart all of the running Internet services.
/start: Use this parameter to start all of the Internet services that are stopped.
/stop: Use this parameter to stop all of the running Internet services.
/reboot: Use this parameter to restart the computer.
/rebootonerror: Use this parameter to restart the computer if an error occurs after the Internet services attempt to start, stop, or restart.
/noforce: Use this parameter so that the Internet services do not shut down forcefully if you cannot stop the services gracefully.
/status: Use this parameter to display the status of all of the Internet services.
/enable: Use this parameter to enable the Internet services to restart.
/disable: Use this parameter to disable the Internet services restart process.

To create a virtual directory by using IIS Manager

1. In IIS Manager, expand the local computer, expand the Web Sites or FTP Sites folder, right-click the site or folder within which you want to create the virtual directory, point to New, and then click Virtual Directory. The Virtual Directory Creation Wizard appears.
2. Click Next.
3. In the Alias box, type a name for the virtual directory. (Choose a short name that is easy to type because the user types this name.) Click Next.
4. In the Path box, type or browse to the physical directory in which the virtual directory resides, and then click Next.
5. Under Allow the following permissions, select the check boxes for the access permissions you want to assign to your users, and then click Next.
6. Click Finish.
7. The virtual directory is created below the currently selected folder level.

What is an Application Pool?


An Application Pool can contain one or more applications and allows us to configure a level of isolation between different Web applications.
Active Directory support tools:

ADSIEdit: Views or modifies directory service object information. This tool is most useful when you need to change an object and can't find the object in the standard Active Directory consoles.

DSACLS: Views or modifies the Access Control Lists (ACLs) on objects. When you migrate objects from one domain to another, DSACLS is useful for making certain that the access is correct.

DSAStat: Compares directory service data on different domain controllers to check status and detect inconsistencies. If you have to troubleshoot replication, this utility offers some helpful information.

MoveTree: Moves objects from one domain to another domain. Use this tool for migrations.

NetDOM: Manages domain operations such as trust relationships and domain membership. This command-line utility is great for batch files used on workstations in migrations.

REPAdmin: Manages site replication. Replication is critical to maintain consistent and up-to-date information, and this tool can assist you in managing it.

REPLMon: Monitors and displays replication information. REPLMon should be used daily by an Active Directory administrator to monitor the way that replication takes place.

SIDWalker: Fixes SIDHistory on migrated accounts. SIDWalker is best used after a migration from legacy Windows NT to Windows 2000 in order to handle SIDHistory issues.

Exchange administrative levels:

Level 1, Enterprise: Exchange Server installs default Administrators groups in the builtin container in Active Directory Users and Computers. The builtin local security group called Administrators has all permissions to manage the Windows Server domain. The Domain Admin and Enterprise Admin global security groups are members of the Administrators group and therefore also are granted all permissions in the Windows 2000 domain. The Domain Admin and Exchange Admin global security groups are granted rights to administer the Exchange 2000 organization. These rights are inherited from the parent object, the server's Configuration container. Note that Exchange System Manager hides the configuration container; it can be viewed with Adsiedit.exe from Windows 2000 Server Support Tools.

(Source: Chapter 4, Basic Administration, p. 214)

Connectors:

Routing Group Connector: Connects two Exchange Routing Groups. Easiest connector to configure; SMTP-based.
SMTP Connector: Connects a Routing Group to other routing groups (in the same Admin Group) or a foreign SMTP RFC821-compliant messaging system.
X400 Connector: Connects a Routing Group to other routing groups (in the same Admin Group) or a foreign X400-based messaging system that conforms to the X400 standard.

[Figure: Limits in Public Folder Store Properties]

To repair a store (e.g. store.edb): eseutil /p. Before running this, the stores must be dismounted.
Eseutil /r performs a recovery of your databases.

To defragment: eseutil /d

Troubleshooting tools: Netdiag, Event Viewer.


Protocol     Default TCP Port
SMTP         25
POP3         110
POP3/SSL     995
IMAP4        143
IMAP4/SSL    993
NNTP         119
NNTP/SSL     563
LDAP         389
LDAP/SSL     636
HTTP         80
HTTP/SSL     443

Exchange database files:

Streaming database file: The streaming database file has an extension of .stm. This component is new in Exchange 2000 and is used to store native Internet content, Multipurpose Internet Mail Extension (MIME), such as that used by Web clients. This file is also made up of 4 KB pages.

Log files: These files have an extension of .log. Exchange uses log files to keep a record of all the transactions that have occurred. To make Exchange faster, log files can contain information that has not yet been committed to the database file. Two reserve log files, Res1.log and Res2.log, are used to reserve storage space in case the Exchange server runs out of disk space.

Checkpoint file: This file is named Edb.chk. A checkpoint file keeps track of the transactions that have been committed to the database and those that still need to be committed.

Online Backups

Online backups allow you to back up your databases and still allow clients to access Exchange. Online backups also clear the committed log files if circular logging is disabled. Only a Normal online backup verifies the checksum on every page in the database, so that if any part of the Exchange database is corrupt, Exchange will log an error to the Event Log. Since the database is still in use during an online backup, there could be changes to the database during the backup. If Exchange allowed the database to change during the backup, there would be inconsistencies in the data. To prevent this problem, Exchange uses a patch file. This file has an extension of .pat. A patch file records all the transactions to the database during the backup, similar to the way a log file works. Once the backup is complete, the patch file is then backed up, and all the events written to the patch file are committed to the database. You need to ensure that the backups do not overlap with system maintenance, or online defragmentation might never run. If backups for a storage group begin while a database in the storage group is being defragmented, the defragment process ceases.

Offline Backups

Offline backups are still possible in Exchange 2000, but they require dismounting the database you are backing up. While the database is dismounted, users will be unable to access their mailboxes. As we said before, Exchange now uses two files for each database. For offline backups, both the Exchange database (.edb) file and the stream (.stm) file need to be backed up and restored together to keep the database in a consistent state. Log files do not need to be backed up.

Using ExMerge to Back Up Mailboxes

Basic Services                          Abbreviation
Microsoft Exchange System Attendant     MSExchangeSA
Microsoft Exchange Information Store    MSExchangeIS
Microsoft Exchange POP3                 Pop3svc
Microsoft Exchange IMAP4                Imap4svc
Microsoft Exchange MTA                  MsExchangeMTA
SMTP Routing Engine and Transport       MSExchangeTransport

Public folder rights: Create items, Read items.

SMTP connector scope options: Entire Organization, Routing Group.

Users groups: Exchange Domain Servers, Exchange Enterprise Servers.

Group types in AD

Distribution groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

Security groups
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups
Some features that are new in Exchange 2003 are:
- Volume Shadow Copy Service for Database Backups/Recovery
- Mailbox Recovery Center
- Recovery Storage Group
- Front-end and back-end Kerberos authentication
- Distribution lists are restricted to authenticated users
- Real-time Safe and Block lists
- Inbound recipient filtering
- Attachment blocking in Microsoft Office Outlook Web Access
- HTTP access from Outlook 2003
- cHTML browser support (i-Mode phones)
- xHTML (Wireless Application Protocol [WAP] 2.0) browser support
- Queues are centralized on a per-server basis
- Move log files and queue data using Exchange System Manager
- Multiple Mailbox Move tool
- Dynamic distribution lists
- 1,700 Exchange-specific events using Microsoft Operations Manager (requires Microsoft Operations Manager)
- Deployment and migration tools

What is the difference between Exchange 2003 Standard and Exchange 2003 Enterprise editions?

Standard Edition:
- 16 GB database limit
- One mailbox store
- One public folder store
- NEW: Server can act as a front-end (post-Beta 2)

Enterprise Edition:
- Clustering
- Up to 20 databases per server
- X.400 Connectors

Both editions support features such as:
- Database snapshot
- OMA and ActiveSync
- AirMAPI
- Recovery Storage Group
- Exchange Management Pack for MOM

Note: It is not possible to in-place upgrade Exchange 2000 Enterprise Edition to Exchange 2003 Standard Edition.

The Exchange /forestprep command extends the schema and adds some objects in the Configuration Naming Context. The Exchange /domainprep command adds objects within the Domain Naming Context of the domain it is being run on and sets some ACLs.

Example storage group layout (figure): First Storage Group in C:\Program Files\exchsrvr\mdbdata holds priv1.edb, priv1.stm, pub1.edb, pub1.stm, res1.log, res2.log, E00.log, E00.chk and tmp.edb (InfraStore.edb and InfraStore.stm are also shown); CorpSG in C:\Program Files\exchsrvr\CorpSG holds CorpStore.edb, CorpStore.stm, E01.log and E01.chk; MarketingSG in C:\Program Files\exchsrvr\MarketingSG.

Storage Group Name   Public Stores        Transaction Log Path and Names          Other Files
First Storage Group  Pub1.edb, Pub1.stm   E00.log, E0000001.log, E0000002.log     Res1.log, Res2.log, Tmp.edb, E00.chk
CorpSG                                    E01.log, E0100001.log                   Res1.log, Res2.log, Tmp.edb, E01.chk
MarketingSG                               E02.log, E0200001.log, E0200002.log     Res1.log, Res2.log, Tmp.edb, E02.chk

Lightweight Directory Access Protocol (LDAP)

When the Active Directory is queried, the requests are sent from clients via LDAP. LDAP is an Internet protocol used specifically for access to directory services. The protocol specifies what operations can be performed on the directory service and which information can be accessed. Because it is a standard protocol, LDAP provides a level of interoperability with other directory services that also employ LDAP, and any LDAP-compliant client applications. Active Directory supports LDAP versions 2 and 3.

Kerberos Version 5

The authentication provided by Windows 2000 Active Directory is based on Kerberos version 5 (V5), an Internet standard. All trust relationships between the domains within an Active Directory forest are also based on the Kerberos V5 authentication protocol.

(Source: www.syngress.com, Chapter 3, Security Applications that Enhance Exchange 2000, p. 120)

To assign users administrative privileges for the entire enterprise, add them to the Enterprise Admin group. By default, members of Enterprise Admin have nearly full control of both Active Directory and Exchange 2000.

Level 2, Administrative Group Administrators: Many organizations might want to take advantage of the administrative group model. To do this, you create a global security group in Active Directory and grant this group one of the roles in the Exchange Administration Delegation Wizard for the specific administrative group. These permissions should be the same as those for Enterprise Admin, except that they are only valid within the selected administrative group.

Level 3, Recipient Administrators: Recipient Administrators administer all aspects of user objects. You can use the built-in Windows 2000 Server Account Operators security group as a single location for recipient administrators. You should grant the Account Operators group the Exchange View Only permissions role using the Exchange Administration Delegation Wizard. Recipient administrators must be able to create accounts in Active Directory in addition to enabling a mailbox in Exchange 2000. All user administration permissions must