Planning Tech

Types of DNS Zones
When we need to put pen on paper and plan you DNS server you need to know all the Zones you can use to take all the benefits from this wonderful tool.
For example you can use Zone transfer to establish you Naming Servers or you can use Active Directory Integrated Zones if you want that all Zones will replicate automatically to each DNS server over your environment.

Forward Lookup Zone

Holds all three Zones available:

• Primary Zone.
• Secondary Zone.
• Stub Zone.

Records Types per Zone:

• Primary Zone :

SOA, A, CNAME.MX.NS, SRV

• Secondary Zone:

SOA, A, CNAME.MX.NS, SRV

• Stub Zone:

SOA, A, NS

Reverse Lookup Zone

Holds all three Zones available:

• Primary Zone.
• Secondary Zone.
• Stub Zone.

Records Types per Zone:

• Primary Zone:

SOA, PTR

• Secondary Zone:

SOA, PTR

• Stub Zone:

SOA, NS, A

In this article I will try to explain you the type of answer you will get when you set a query to your DNS server.

The Recursive name query

When a client sends request to a Recursive type of DNS server he most gets a response no matter if the server an autoretive to response or not. In this case the server can respond in two different ways.

The first option is that the DNS servers hold the record for the requested client query, and will respond as it’s supposed to for the specific record type.

The second option is that the DNS server is not holding the requested record for the client query; in that case the server will send an error message to the client and not forward the client query to another DNS server to try to resolve the client query.

The Recursive name queries can be made by clients to a DNS server or from one DNS server to a second DNS server (To set queries between to DNS servers we need to set the second DNS server as Forwarder).

Here we need to remember one easy role!

No matter if the server can or cannot resolve the client query he is the last stage for the client queries.

The Iterative name query

When a client sends request to a Iterative type of DNS server he also allow the server to forward is request in case the server don’t holds the record for is query to another DNS server that holds the record and can answer the correct respond to the query forward to him .

 These types of queries typically established between two different DNS servers.

Here I will show you an example of those two queries types.

1. User connects to DNS1 with a Recursive query for dudu.planning-tech.com.

Note!

In that case the DNS1 server must respond to the client query with the correct answer or an error massage.

1. DNS1 need to check if he has an answer to the query and couldn’t find the correct record for it.

Note!

DNS1 will check both is Zones and is Cache to see if he can answer the client query.

1. Because DNS1 cannot respond the correct answer to the client query he send a recursive request to alterative DNS server over the internet.

Note!

DNS servers holds by default the “Root Hints” that help him sends queries to other DNS servers around the net.

1. The root DNS server from the internet also cannot resolve the request from DNS1.

1. The root DNS server try to resolve the request with autorative DNS server for .Com domain name.

1. DNS1 establish connection to the .COM domain with Iterative query for dudu.planning-tech.com.

1. Now the server responsible for the .Com domain doesn’t know the full answer for the client query so he answer with referral to server authorities for the planning-tech.com.

1. DNS1 connects to the server holds the planning-tech.com.

1. The planning-tech.com server also doesn’t know the full answer so he responds with the requested IP.

1.   After all this process DNS1 now can respond the user with the IP address to “dudu.planning-tech.com.”

We use different resource records to resolve many types of queries in today environment. The purpose of DNS query is to help us locate the server how’s Authoritative for ad Domain Controller, is mission is to check the query to its resource records.

Types of Records and what they here:

_SRV and _MSDSC records:

Thus two records I created by default when you install your DNS role in your environment and it required for communication with Active Directory.

This record helps us to see the services available and make the connection between client’s computers and the Domain Controllers with the resolve of the DC ip addresses.

For r example we can see our DNS servers, our Active-Directory servers and our Global Catalog servers.

SOA (State of Authority) Records:

This is the most important record that DNS server as to offer and for easy life for us the administrators we better know how to manage this record so we have easy life controlling our DNS server .we also need to remember that we have only on SOA record in a ZONE.

Basically this record contain all the information of our DNS server and Domain, for example in the SOA we can get information about updates and the time they occur in our domain, we also can specify our E-mail address in case we not in work because we transfer to a bigger office and we make much more money and our replacement need to ask stupid questions. We need also know that good SOA configuration helps us to save replication times in our domain.

MX Records:

If I have one way to describe the purpose of the MX records I would say that we use this type of records to help servers to deliver email between them.

The e-mail delivery can occur in your internal environment or to other external domains.

The process is very simple:

Client from planning-tech domain sends E-mail to other client that’s belonging to Microsoft domain.

The mail that send to an SMTP server and he checks the MX record of the domain in the send E-mail (XXX@IBM.com) if the SMTP server finds the MX record to be correctly configured he then checks for the A record for that domain and establish the connection to this Mail Server .

We can create multiple MX records (For redundancy or to create balance between our Exchange servers) with priority between them ,so when the SMTP server try one of our MX record he will chose the one with the lower number and if it’s not active he goes to the second priority MX record with higher number.

 NS Records:

This record simply helps us knowing the authorities DNS servers we have in our environment.

We need to know\use the NS records when we create forwarders between DNS servers both Internal and External DNS servers.

PTR Records:

First we need to know that we cannot create PTR record by default, to create the PTR records we firs need to create additional Zone called “Reverse Lockup”.

The PTR record maps the ip addresses into Hostnames. When you use this types of records you need to know that it’s also can allow security problems because attacker can easily create a “Reverse DNS Lookup “ and by that achieve the target to know all your domains name and other security problems(But that will explained in other post…).

The main purpose of the PTR records is to help us establish connection to an SMTP mail relay that must have the PTR record to function properly so we can enjoy Mail-Flow.

A Host Record:

This is the classic record that DNS server as to offer, the only thing that “A” record do is to map Hostnames into IP addresses. We can set one A record to an IP address because if we set A record to one or more IP address we have conflicts in our DNS server. The A record also help us to set static IP addresses to our Domain Controllers that must have (Or let’s say that it’s recommended by Microsoft…)Static IP addresses (Imagine your DC change is IP address ….not so recommended….).

For Example:

www.XXX.com Equaled to 192.XXX.XXX.X

CName Record:

Cname is a canonical name Record that helps us to map our “A” records (Hosts Names) to a different path like another hostname or to different FQDN.

NSLookup is fantastic toll that help us to resolve troubleshooting in DNS server role. At first when you type the NSLookup command we will see the HOST and the IP address of the DNS server that configures as our DNS server.

Note!

To exit the NSLookup too all you need to do is to type “exit”.

You need to know that when you run the NSLookup too it’s always search for your Local Domain unless you provide a different FQDN.

For example we can resolve HOST names into IP’s:

Nslookup www.Microsoft.com

Server: lb1.www.ms.akadns.net

Address: 207.46.19.190

We also can query for the opposite:

NSLookup 207.46.19.190

Server: www.microsoft.com

Address: 207.46.19.190

Now I will provide you all the switches NSLookup as to offer to help you the best as possible:

Switch and the function he provides:

NSLookup -> here we lunches NSLookup tool.

Set Host Name -> Return the IP of the host name we provide.

Set Timeout=X -> here we determine the interval time limits.

Set ->

Here we can chose the query return type (A, ANY, CNAME, MX, NS.PTR, SOA, SRV).

Set Querytype -> exactly like type.

The RODC is a new function on server 2008 and if we want to be prosiest it’s new Domain-Controller. The main purpose of RODC is to provide and resolve security issues. Now we can use the RODC in small sites that we cannot put Physical servers because we cannot provide the ability to secure it. So the RODC will provide us the ability to put Domain-Controller without the sensitive data of our organization and Delegate the appropriate permission to the local administrator.

The RODC works only in one way, that’s mean that all databases that the RODC contains come from the root Domain-Controller, The RODC holds all object and their attributes.

So let’s imagine the next scenario, you put RODC in small site and the worst scenario upends and we have a thief in our site, the RODC will protect our organization date as follow:

• First not like Regular Domain-Controller the RODC will not enable access to the organization Active-Directory database because RODC contains only Readable Database so we cannot change objects in the small site.

• If we disabled password caching in RODC that’s provide us the ability to disabled the option of an attacker to use Brute-Force to crack our password to gain access to our database because the RODC is not contain objects Credentials .

• One of the most sensitive ROLES in DC is the DNS database; by using RODC we create protection on our DNS database so attacker cannot access our DNS records. If our RODC contains DNS role you cannot enabled the dynamic updates option, that’s mean that if you want to update a DNS record it’s not happens on the RODC, The RODC will send the request to the root DC (That’s old writable database) and just then the record will update and send back to the RODC server. 

• When you give the Local admin delegations he can install software on the RODC, to be able to get that delegation the local admin need to be including in the Domain Admin group.

Note!

In case attacker gets the local admin Password he cannot make changes in other Domain-Controllers.

RODC Deployment

Before we deploy the RODC server our environment need to meet few perquisites:

1. To be able to deploy RODC server we need to have at least one writable DC with server 2008 or server 2008 R2, Both servers need to be in the same Domain. The reason for that is that the RODC needs to get replica of our database because he don’t have one of his own.

1. Now we need to prepare our domain and schema , here we need to notice two different possibilities :

-          The first option is to have new forest with only 2008 Domain-Controllers , in that case we don’t need to run the  adprep /rodcprep command .

-          The second option and probably the most relevant are to have both 2003 and 2008 servers in our forest. In that case we need to prepare both forest and domain  with the next two commands :

Adprep /foresprep (On the Schema older).

Adprep /domainprep /gpprep (On infrastructure master).

Adprep /rodcprep (You can run it on any domain controller).

1. Be sure your Forest Functional level is Server2003 or higher.

1. Add yourself to Domain Admins group.

Installing RODC (Full Installation) follow the next easy steps:

1. First connect to your server and add it to the domain (we do it in case we don’t use delegation install).

1. Run “Dcpromo”.

1. Chose “Existing Forest” and “add domain controller to an existing domain”

1. On the Network Credentials page, type the name of a domain in the forest, and then click next.
2. Select the domain for the RODC, and then click next.
3. Chose the site you want to add the RODC.

1. In the “additional Domain Controller Options” chose :

-          DNS server.

-          Global Catalog.

-          RODC.

1. Next -> Finish.

Installing RODC (Delegate Installation) follow the next easy steps:

This is an optional possibility for us the organization admins to give the power to another user (Off course we need to trust this person….).

The installation need to follow 2 stages that both people need to be involved in them in the following way:

1. The “Big” admin with the domain credentials need to create the RODC account in

AD-DS, that account will include all records and data that we need for attached the RODC in the second stage. This stage must create with the right credentials (Domains Admin Groups).Darning this stage we also specify the user account that will proceed with the second stage.

1. The “Small” admin need to create the connection between the RODC that sits in other physical location into the account that the “Big” admin creates in the first stage of the process. The server that we install the RODC on must be joined to the domain before we precede the RODC installation. During the RODC installation the wizard checks our credentials to fit that has been created in the first stage and also that the name of the RODC much the name of the account created in stage one.

Stage1:

To create an RODC account by using Active Directory:

1. Open RUN.
2. Type: DSA.msc (Active Directory Users and Computers snap-in will show up).
3. Open the “Domain-Controller”.
4. Click the “Domain-Controller” -> Actions.
5. Now you need to click on “Pre-create Read-only Domain Controller account”.
6. A wizard will open and display.
7. 7.      On the Network Credentials, under Specify the account credentials to use to perform the installation, click my current logged on credentials.

Note!

We can specify credentials of another account:

Alternate credentials -> Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller.

1. Now you will ask to provide the name of the RODC server.
2. On the SITE selection you need to provide the site you want that the RODC will be belong into.

10.  In the “Additional Domain Controller Option” you need to go throw MICROSOFT recommendations as follow  :

1.  
   • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.
   • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
   • RODC – When you create an RODC account, this option is selected by default and you cannot clear it.

11.  In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy -> OK.

1. On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating.
2. Now you need to see the Summery page to check the entire configuration that we created – click next.

That’s was the first stage of the RODC installation, after we created the account we need to install the RODC server and connect it to the account we just created.

Stage 2:

Attach the RODC account to the account we created  

1. Connect to the RODC server (The server we want to install the RODC)with Local Administrator credentials.
2. Open Run and type: Dcpromo /UseExistingAccount:Attach
3. On the welcome screen click next.
4. On the Network Credentials -> insert the Domain name in the forest where you want to install your additional DC:

Under Specify the Account : chose “Alternate credentials” -> Set -> in the Windows Security you need to provide the credentials that we inherit from the first stage .

1. On the Select Domain Controller Account -> Confirm->Next.
2. Location for Database ,Log Files, and SYSVOL : here you need to specify the location of the following databases.
3. The Directory Services Restore Mode Administrator Password page : insert your recovery credentials

Note!

Now its seams not important but when you have database corruption or failed server trust me that you will need this password so keep it in place you can remember!!!!

    !!!!!Good Luck You Have a New Read Only Domain Controller!!!!!

The FSMO (flexible single master operations) roles assigned in our environment to Domain-Controllers and provide us the ability to manage our environment without Conflicts , The FSMO roles can be transfer between Domain-Controllers and that’s provide us the ability to manage our environment in much more flexibility .

There are 5 FSMO roles in a forest; from the 5 roles 2 of them will provide services in the Forest level and the other 3 in the domain level.

 The Forest level Fsmo:

• Schema Master Role – The schema master Role is responsible to update the Schema Partition. The DC that contains the Schema master is the only one in our entire environment that can update the Schema directory. As you already know from my other articles, when this update finish the schema will replicate to all other DC in our directory.

Note!

We have only ONE schema master per directory!

• Domain Naming Master Role – This role is the one that provide us the ability to make changes in the Forest-Wide domain name of our directory. The DC that holds this role is the only one that can add or Remove new DC from our forest.

The Domain level Fsmo:

• RID Master Role – The RID role hosts on a single DC, This DC responsible for the RID pool requests from all other DC in a domain. This role is also responsible to add or Remove objects from a domain and transfer it to other DC (Users, computers…).

The RID responsible to add Security Principal to objects in our environment (Users, Computers, Groups …) called SID ,This SID is unique in all our domain and cannot duplicate to other object in our domain .

• PDC Emulator Role – These roles provide us many services, the first responsibility is to Sync times in windows 2000 environment (W32Time Service) that requires for Kerberos Autantication, The time that this FSMO provides will gather from an external source like Microsoft servers for example.

The PDC role is the role that provides us the most services and from this we can said that this role is the busy one on our environment, here are few Examples:

-          This role helps us to replicate the Sysvol folder in our environment.

-          Manage all passwords changes in our domains to ensure that accounts that not supply the right credentials will be locked and replicate Password across domains.

• Infrastructure Master Role – This role provide us the ability to update all objects SID’S and distinguished name in cross domains , this happens when object from one domain referenced with object from another DC.

FSMO levels:

Schema master                                         : One per forest.

Domain Naming Master                        : One per forest.

PDC Emulator                                            : One per domain.

RID Master                                                 : One per domain.

Infrastructure Master                            : One per domain.

Worst Case Scenario – What Happens’ if Fsmo fails…?

• Schema Master - If this FSMO role fails we cannot add object to our Schema Partition. And for that reason we cannot change object or their Attributes.

• Domain Naming Master - Here it’s easy to understand the problem that we have when this FSMO fails, we simply cannot be abeles to add new DC to the forest and we also cannot demote existing Domain-Controllers. We need to pay attention that our environment will function till we net do manage Domain –Controllers in our forest. 

• PDC Emulator – like we describe this role is the one that provides most services for that reason when this role not function probably will cause us the biggest problems in our environment.

• Rid Master – First we need to know that each Domain-Controller In our domain contains pool of RID’S, so we only have problems if we want to add many object (Users, Computers…).

• Infrastructure master – Here we need to understand the difference between Single Domain environment (IF this FSMO fails it’s not relevant to this scenario) and Multi-Domain environment (If this FSMO fails we cannot add object from one DC to another).

Microsoft Recommendations for placing FSMO roles

First we need to know that the first Domain-Controller installed in a forest holds all five FSMO.

When we add more DC’S we can transfer the FSMO from the firs DC installed on the forest (It’s not happened automatically so we need to manage the transfers manually).

As you already understand it’s nice to have more then on Domain-Controller in a forest so we can enjoy more redundancy and more flexibility to manage FSMO roles, here are MICROSOFT recommendations to manage FSMO roles in a FOREST environment:

1. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.  

1. The Infrastructure Master should not be on the same server that acts as a Global Catalog server.

Note!
 Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information.  If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it contently updated.  This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.
Note!

 In a single domain environment this is not an issue.

Permissions

To be able to transfer FSMO you need the appropriate Permissions, every FSMO needs is own Permissions:

• Schema Master                             : Schema Admins group.
• Domain Naming Master            : Enterprise Admins group.
• PDC Emulator                               : Domain Admins group.
• RID Master                                    : Domain Admins group.
• Infrastructure Master              : Domain Admins group.

So where can we found the FSMO holders…?

• The Easiest way is to work with NETDOM Utility; we can find it in Microsoft “Support Tools” or in Win 2003 “Resource kit”.

Now all we need to do is go to the command line and type the following command:

“Netdom query fsmo”

After the command finishes we will see a list of Domain-Controllers and the role that they hosts.

• The second way is to use Administrative Tools Snap-In :

-          Open Users and Computers press Right Click on The domain name and choose “operations Master”. Now you should see a box indicates the server FSMO’S.

The FSMO’S that we can see here will be:

1. Rid Master.
2. Pdc Emulator.
3. Infrastructure Master.

-           Open Domains and Trusts press Right Click on The domain name and choose “operations Master”. Now you should see a box indicates the server FSMO.

Here we can see only the Domain naming FSMO.

-          To see the Schema Holder we need to add a blank MMC and add the “Active Directory Schema”.

Group policy is Centralized management tool that helps us do many tasks to many computers in Active Directory Envornmant like security issues, software deployment and many more.

What is using for..?

• Firs we can deploy scripts to all clients- for example we can deploy script that add network folders to users when they log on to their computer.
• Controls what users can and can’t do on a computer network – here we can specify the limits for users- let’s say that we want to create hardening on our network ,with GPO we can limits users to gain access to network resources and many more useful things.
• We can deeply software to clients computer in few single steps – let’s say you need to deploy office2007 to 100 clients, all you need to do is to create policy that install the software and save you the time to pass one by one  computer .

Note!

We can deploy policy in two different ways:

-          We can create policy to computers.

-          We can deploy policy to users.

How we manage group policy deployment..?

The easiest way to work with group policy is to download GPMC (“Group Policy Management Console”),

We can download it from Microsoft site at the following link:

http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

After you download it simply install it by Microsoft directions.

What is Loopback option..?

Group policy can be applied both to users and computers the policy usually deploy by the object location in our Active Directory Infrastructure. But sometimes we want to apply to users based only on the Computer location in our environment, in other words Loopback policy will be applied on the physical computer of the user no matter what policy he takes from another AD policy.

To create Loopback policy that applied to user based on the physical computer, follow:

Note!

After we enabled Loopback, we direct the system to apply few GPO’S for the computer that user logs on.

1. Open Group Policy Microsoft Management Console (MMC) Snap-In.
2. Open Computer Configuration.
3.  Search for Administrative Templates.
4. Click System.
5. Click Group Policy.
6. Now Enabled Loopback Policy.

Note!

To use Loopback option all the objects that we want to apply the policy for need to be in Active – Directory.

What is Wmi Filters …?

WMI Filters are a way to fine tune the application of GPOs. Evaluated at the time of a Group Policy refresh at the client. If any of these queries return a result (essentially meaning they evaluate to true) then the WMI filter is considered to evaluate to true and the GPO to which it is linked is applied. If the WQL queries do not return anything in the result set then the GPO is not applied.

In other words, we can set criteria to apply policies, let give an Example:

If you want to deploy Office 2007 and you already have clients computers installed with office2007, so you can specify the software deployment to all clients (Include the one with office2007) and crate filter that apply the policy only if the client computer doesn’t have office 2007.

What is AdmFile….?

Although the Group Policy is a wonderful tool it’s have limits, the ADM files help us to resolve that problem. For example we can download ADM file with restrictions regards only to office 2007.

So to start working with ADM files we first need to download it from the following address

http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Now all you need to do is to search the ADM that you want to use to apply your policies on users.

The main purpose of this Snap-in is to configure the replication topology of your network environment, By default after we install the first Domain-Controller the first site is created and called “Default-First-Site” ,the replication can occur in both ways:

• The first option is to create replication between two Domain Controllers in the same site, in a LAN network.

• The second option is to create replication between two sites; here we create replication between two LAN networks that connected in a WAN.

The secondary’s purpose to use Sites and Services Snap – in:

• First we can check our replication topology and get all the info that we need about our servers or domain controllers.
• We can create Subnets in two sites to specify different ranges between the sites to reduce network traffic ,for example :

-          Site 1 = 192.168.101.1 – 192.168.101.253.

-          Site 2 = 192.168.103.1 – 192.168.103.253.

• And of course we here we specify our DC to be a Global Catalog server.

So when we talk about Replication let’s understand what replicated, for doing that we firs need to understand Active-Directory Partitions:

The active directory database is separated into 5 different partitions, at a single forest all domains controllers have at Minimum two of those partitions that common: Schema and Configuration partition those two partitions located in the “Forest-Level”, so let’s understand the partitions:

Schema Partition:

This partition is unique because we have only one Schema per forest. The schema partition is stored on each DC in our forest. The schema partition contains all our Object and Attributes that been created in our Active-Directory. The Schema information replicated to each DC in the forest and for that reason we need to follow the Schema definition.

Configuration Partition:

Like the Schema the “Configuration Partition” is also unique because she’s in the forest level and we have only one partition in the entire forest, like the schema partition it’s replicated to all DC in the forest. The configuration partition contains all the information about the Active –Directory Structure in our forest. For that reason we can see in this partition all the information about our Domain Controllers, Services and Sites that exists in the forest.

Domain Partition:

The “Domain Partition” can be found on each Domain –Controller in our forest. This partition contains all the information that we need about Specific objects that created in the domain (Users, groups, Computers and more), the domain partition replicated to all domain controllers. All those object located and stores in Global Catalog.

Application Partition:

The “Application Partitions” store information about applications installed in Active-Directory, an application partitions cannot contain Security Principals objects (Users and more) , not like the Domain Partition here the object NOT stored in a global catalog.

Replication Topology:

Replication is the route which replication data travels throughout your

Network Environment. Replication occurs between two domain controllers at a time.

To create a replication topology, we need to specify in AD which replica goes to each domain controller.

Now if you remember we said before that we have two partitions that belongs to the entire Forest (Schema and Configuration) in other words each DC in the forest holds replica of them, if we have different domains in our forest the DC inside them will also replicate the Domain Partition

Knowledge Consistency Checker (KCC):

This feature is built in process that runs on each DC and verifies that the replication process of the partition that this DC contains will be as it supposes to be with the right order. The KCC runs by default every 15 minutes.

Global Catalog and Replication of Partitions:

The Global Catalog allows us to sheer object from our Active Directory to the entire Forest and Domains. Those resources are stored in the Global Catalog and can be searched by users (nice example will be to search any object in active directory like users or computers), so as you understand without the Global Catalog every server will needs to search on every DC in the forest and that’s not good for us .

By Microsoft recommendation you suppose to have at least one Global Catalog server, hosted on Domain Controller .the Global Catalog is hosted on a Domain Controller and hosted all attributes & objects from Active Directory.

Note!

The default permeations to work with Global Catalog need to be members of the Schema Admins.

The global catalog contains the following list:

1. Default attributes for each object type (Users, Computers…).
2. All attributes that we need when we set query in AD such as a user’s first and last name, and logon name.
3. Information which helps determines the location of an object in AD.
4. Permissions of every object type (That’s ensure that users will receive all the results that they have permissions on, object without permissions will not display on the query respond).

So let’s make the conclusion of GC:

• A global catalog server is a domain controller that contains full and writable replica of its domain directory.
• A global catalog server is a domain controller that contains read-only replica of all other domain directory partitions in the forest (Store only the important attributes of an object).

Note!

Microsoft recommends having a global catalog server for every active directory site in an enterprise network.

More about sites and Subnets:

Sites in DC can help us to define our Physical network structure, we can separate sites with TCP\IP subnets .A single site can contain more than one subnet.

What is Replication Monitor?

• Displays replicating information both directly and transitively, with this tool we can monitor our replication topology, we also can see which objects have not replicated from a Domain-Controller and create Triggers the KCC to recalculate the replication topology.

Note!

We can set replication monitor from each Domain Controller, or any computer that runs server 2003.

How to configure replication monitor:

1. Open Start->Run and Type: Replmon and press OK.

1. Now in View Screen press Options.

1. Now you will see “Active Directory Replication Monitor Options page” ,go to status logging tab .and press “Display Changed Attributes when Replication Occurs”
2. Click “Monitored servers” and add your desirable Domain-Controller.

Repadmin.exe Tool:

This tool can help us create tasks related to our replication topology.

With this tool we can see our replication topology (On each DC) .we also can use Repadmin to Force replication and view the replication Metadata.

               Dcdiag Tool:

              We can use this tool to analyzes the state of Domain Controllers and check for every problem that occur, we can see problems related to connectivity, Replication, topology integrity, and interstice health.

              At a command prompt, type:

Dcdiag +

Switch                          Description

/v                                 provides verbose results. When you use /v, the output from dcdiag

Provides a lot of information that can help you troubleshoot a

Problem.

/f: LogFile                    Redirects output to a specified log file.