Lee Johnny.J
CEC
WINDOWS CLUSTERING
Microsoft Windows 2000 Server Operating System
Introduction:
Windows 2000 (also referred to as Win2K) is a preemptive,
interruptible, graphical and business-oriented operating system designed to work
with either uniprocessor or symmetric multi-processor computers. It is part of the
Microsoft Windows NT line of operating systems and was released on February 17,
2000. It was succeeded by Windows XP in October 2001 and Windows Server
2003 in April 2003. It is a hybrid-kernel operating system.
The Windows 2000 server family consists of Windows 2000 Server, Windows 2000
Advanced Server and Windows 2000 Datacenter Server.
Common features:
1. Professional (Client).
2. 2000 Server.
3. Advanced Server.
4. Datacenter Server.
a) It was designed as the desktop operating system for businesses and power
users.
b) It is the client version of Windows 2000. It offers greater security and stability
than many of the previous Windows desktop operating systems.
c) It supports up to two processors, and can address up to 4 GB of RAM. The
system requirements are a Pentium processor of 133 MHz or greater, at least
32 MB of RAM, 700 MB of hard drive space, and a CD-ROM drive
(recommended: Pentium II, 128 MB of RAM, 2 GB of hard drive space, and
CD-ROM drive).
a) The server SKUs share the same user interface with Windows 2000 Professional, but
contain additional components that allow the computer to perform server roles and
run infrastructure and application software.
b) A significant new component introduced in the server SKUs is Active
Directory, which is an enterprise-wide directory service based on LDAP.
HCL Confidential 3
PROPOSAL
c) Additionally, Microsoft integrated Kerberos network authentication, replacing
the often-criticized NTLM authentication system used in previous versions.
This also provided a purely transitive-trust relationship between Windows
2000 domains in a forest (a collection of one or more Windows 2000 domains
that share a common schema, configuration, and global catalog, being linked
with two-way transitive trusts).
d) Furthermore, Windows 2000 introduced a DNS server that allows dynamic
registration of IP addresses.
e) Windows 2000 Server requires 128 MB of RAM and 1 GB of hard disk space;
however, requirements may be higher depending on the installed components.
c) A limited number of copies of an IA-64 version, called Windows 2000
Datacenter Server, Limited Edition, were made available via OEMs.
d) Its minimum system requirements are normal, but it was designed to be
capable of handling advanced, fault-tolerant and scalable hardware, for
instance computers with up to 32 CPUs and 64 GB of RAM, with rigorous
system testing and qualification, hardware partitioning, coordinated
maintenance and change control.
Introduction:
According to Microsoft, Windows Server 2003 is more scalable and delivers better
performance than its predecessor, Windows 2000.
Overview:
1. Released on April 24, 2003, Windows Server 2003 (which carries the version
number 5.2) is the follow-up to Windows 2000 Server, incorporating
compatibility and other features from Windows XP.
2. Windows Server 2003 includes compatibility modes to allow older applications to
run with greater stability. It was made more compatible with Windows NT 4.0
domain-based networking.
3. Windows Server 2003 brought in enhanced Active Directory compatibility, and
better deployment support, to ease the transition from Windows NT 4.0 to
Windows Server 2003 and Windows XP Professional.
4. Changes to various services include those to the IIS web server, which was
almost completely rewritten to improve performance and security, Distributed
File System, which now supports hosting multiple DFS roots on a single server,
Terminal Server, Active Directory, Print Server, and a number of other areas.
Features:
1. Standard Edition
2. Enterprise Edition
3. Datacenter Edition
4. Web Edition
1. Standard Edition:
2. Enterprise Edition:
c) It supports a maximum of up to 32 processors on 32-bit or 64-bit hardware.
The 32-bit architecture limits memory addressability to 128 GB, while the
64-bit versions support up to 2 TB.
d) Windows Server 2003, Datacenter Edition, also allows limiting processor and
memory usage on a per-application basis.
e) Windows Server 2003, Datacenter Edition has better support for Storage Area
Networks (SAN). It features a service which uses Windows sockets to emulate
TCP/IP communication over native SAN service providers, thereby allowing a
SAN to be accessed over any TCP/IP channel. With this, any application that
can communicate over TCP/IP can use a SAN, without any modification to the
application.
f) Datacenter Edition also supports 8-node clustering. Clustering increases
availability and fault tolerance of server installations, by distributing and
replicating the service among many servers.
4. Web Edition:
a) Web Edition is mainly for building and hosting Web applications, Web
pages, and XML Web services.
b) It is designed to be used primarily as an IIS 6.0 Web server and
provides a platform for rapidly developing and deploying XML Web
services and applications that use ASP.NET technology.
c) Windows Server 2003 Web Edition supports a maximum of 2
processors (SMP) with support for a maximum of 2GB of RAM.
d) Windows Server 2003, Web Edition cannot act as a domain controller.
e) Additionally, it is the only version of Windows Server 2003 that does
not limit the number of clients using Windows Update Services, because
it does not require Client Access Licenses.
Windows Server 2003 R2, an update of Windows Server 2003, was
released to manufacturing on 6 December 2005. It is distributed on two CDs, with
one CD being the Windows Server 2003 SP1 CD. The other CD adds many optionally
installable features for Windows Server 2003. The R2 update was released for all x86
and x64 versions, but not for Itanium versions.
New features:
o Base Utilities
o SVR-5 Utilities
o Base SDK
o GNU SDK
o GNU Utilities
o Perl 5
o Visual Studio Debugger Add-in.
Features:
1. Server Core
Certificate Services (ADCS), and Active Directory Rights Management Services
(ADRMS).
3. Terminal Services:
Windows Server 2008 features major upgrades to Terminal Services.
Terminal Services now supports Remote Desktop Protocol 6.0. The most notable
improvement is the ability to share a single application over a Remote Desktop
connection, instead of the entire desktop. This feature is called Terminal Services
RemoteApp.
5. Self-healing NTFS:
6. Hyper-V:
Hyper-V is a hypervisor-based virtualization system, forming a core part of
Microsoft's virtualization strategy. It virtualizes servers on an operating system's
kernel layer. It can be thought of as partitioning a single physical server into multiple
small computational partitions. Hyper-V includes the ability to act as a Xen
virtualization hypervisor host allowing Xen-enabled guest operating systems to run
virtualized. A beta version of Hyper-V ships with certain x86-64 editions of Windows
Server 2008. Microsoft released the final version of Hyper-V on June 26, 2008 as a
free download for these editions. Also, a standalone version of Hyper-V is planned.
This version will also only support the x86-64 architecture.
8. Server Manager:
Server Manager is a new roles-based management tool for Windows Server
2008. It is a combination of Manage Your Server and Security Configuration Wizard
from Windows Server 2003. Server Manager is an improvement of the Configure my
server dialog that launches by default on Windows Server 2003 machines. However,
rather than serve only as a starting point for configuring new roles, Server Manager
gathers together all of the operations users would want to conduct on the server,
such as setting up a remote deployment method, adding more server roles, etc.,
and provides a consolidated, portal-like view of the status of each role.
It is not currently possible to use the Server Manager remotely, but a client version
is planned.
o Terminal Server Session Directory allows users to reconnect to the same
session on Terminal Server clusters (Enterprise and Datacenter editions only).
o Remote Installation Services now works for servers.
o Active Directory in Application Mode (AD/AM): an application can have its own
separate instance of Active Directory, which has none of the limitations
that the Network Operating System imposes on the main AD.
o The backup and restore of DHCP settings has been incorporated into the DHCP
manager, while in 2000 you had to change registry keys and move files
manually.
o The FTP server allows different default directories to be assigned to different
users.
o There is a Security Configuration and Analysis tool to check a server's security
settings.
o DNS AD-integrated zones are stored in the Application Partition of a forest, so
they aren't replicated to domain controllers which aren't DNS servers.
o Regedit.exe and Regedt32.exe have been amalgamated into a single utility
which takes the best features of each. Both files still exist but run the same
utility.
o The DNS server has added flexibility with the new options of stub zones and
conditional forwarding.
o Internet Information Server 6 has the ability to keep worker processes from
different websites and web applications separate, so that if one application
crashes the other websites running on the same server remain unaffected.
o Group Policy has been improved: Resultant Set of Policy tool, 220 new
templates, better folder redirection, WiFi access policy and a Group Policy
Management Console. The gpupdate utility replaces "secedit /refreshpolicy".
o There are some new command-line administration tools which are useful for
automating operations on hundreds of users at once.
o New "Saved Queries" applet in Active Directory Users and Groups.
o Improvements to RRAS: PPPoE dial-on-demand for broadband circuits,
Background Intelligent Transfer Service, NAT Traversal using UPnP, improved
management console.
o Remote Storage: infrequently used files are moved to on-line backup when disk
space becomes low.
o A new boot.ini option called "secondary plex" allows booting when a software
RAID volume has failed.
o Task Manager has 2 extra tabs, one showing a graph of network usage per
adaptor and the other showing details of connected users.
o Emergency Management Services Console Redirection: redirect the screen
through a COM port so that a remote administrator can view the boot process.
o Robocopy.exe, a Resource Kit tool to maintain identical folder trees in multiple
locations.
o The Clustering service supports Majority Node Set clusters, which don't require
shared disk storage, and it also supports multiple redundant paths to external
storage such as SANs. The Cluster Service account password can be changed with
the cluster on-line (Enterprise and Datacenter editions only).
o Automated System Recovery is a new backup option to facilitate a server being
rebuilt from scratch, including recreating the partition structure.
o Windows System Resource Manager allows limits to be placed on system
resources such as CPU and RAM usage on a per-process or per-application
basis (Enterprise and Datacenter editions only).
o In the Windows 2000 Server OS you can create 1 million users, whereas in Windows
Server 2003 you can create 1 billion users.
Workgroup
(Figure: three peer computers, Sys 1, Sys 2 and Sys 3, in a workgroup)
All computers are peers; no computer has control over another computer.
Each computer has a set of user accounts. To use any computer in the
workgroup, you must have an account on that computer.
No Centralized Administration
Domain
(Figure: a domain containing computer Sys1)
If you have a user account on the domain, you can log on to any computer on
the domain without needing an account on that computer.
By using group policy you can restrict any applications in the entire domain.
Before Active Directory: Windows NT Server used the Network Directory
Service, which has no directory hierarchy, only a flat structure with a PDC and
BDCs.
Replication of Information
Manageability
Kerberos Authentication
Flexible install/uninstall
For Example: A user is an object with attributes such as first name, last name and
Job title
Object Attributes
Domain
Organizational Unit
Forest
(Figure: a forest made up of two domain trees, each containing several domains)
1. Domain
2. Organizational Unit
3. Tree
4. Forest
Domain: It is a centralized unit of the logical structure. It is a collection of objects such
as users, computers, printers, shared folders and so on.
When you configure a new Windows Server 2003 domain, the default domain
functional level is Windows 2000 mixed. Under this domain functional level, Windows
NT, 2000, and 2003 domain controllers are supported. However, certain features
such as group nesting, universal groups, and so on are not available.
Upgrading the functional level of a domain to Windows 2000 Native should only be
done if there are no Windows NT domain controllers remaining on the network. By
upgrading to Windows 2000 Native functional level, additional features become
available, including group nesting, universal groups, SID History, and the ability to
convert between security groups and distribution groups.
What is the difference between Windows 2000 mixed mode and Windows Server 2003
Interim mode?
Organizational Unit:
For example: Suppose you are a senior administrator for an organization. You have
an OU called Accounts where all user, group and computer accounts are stored.
Creating user, group and computer accounts is not a difficult task in terms of
configuration.
Use Delegation of Control to delegate the administrative duties of creating user, group
and computer accounts to a new administrative trainee.
With Delegation of Control, you can limit the tasks an administrator can perform until
he or she is technically capable of handling more complex tasks.
Right-click the Accounts OU, click Delegate Control, and choose the tasks to
delegate: select what type of Active Directory objects you want to control, then
select the permissions you want to delegate.
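The same delegation can be done from PowerShell so that the rights granted are explicit and reviewable. This is an added example, not code from the original document; it assumes the ActiveDirectory module (RSAT), the page's example domain kuku.co.il (DC=kuku,DC=co,DC=il), an OU named Accounts and a group named "Account Trainees", the last two being made up for the example.

```powershell
# Added example: delegate "create and delete user, group and computer objects" in the
# Accounts OU to a trainee group, then audit what the OU's DACL now grants.
# Assumptions: RSAT ActiveDirectory module, domain kuku.co.il, OU "Accounts" and
# group "Account Trainees" (the OU and group names are invented for this example).
Import-Module ActiveDirectory

$ouDn  = 'OU=Accounts,DC=kuku,DC=co,DC=il'
$group = Get-ADGroup -Identity 'Account Trainees'

# Object-specific ACEs in AD identify a class by its schemaIDGUID, so look up the
# GUIDs of the three classes the trainees are allowed to create and delete.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$classGuids = @{}
foreach ($class in 'user', 'group', 'computer') {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$class)" `
                        -Properties schemaIDGUID
    $classGuids[$class] = [guid]::new([byte[]]$obj.schemaIDGUID)
}

$acl   = Get-Acl -Path "AD:\$ouDn"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($class in $classGuids.Keys) {
    $guid = $classGuids[$class]
    # Create and delete objects of this one class in the OU and its sub-OUs ...
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $guid, $all))
    # ... and write the attributes of existing objects of that class (first name,
    # job title, ...). This is still broad: in production, pass the schemaIDGUID of
    # each permitted attribute as the object type instead of allowing all attributes.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $desc, $guid))
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review what the OU now grants to the trainees. Every ACE should be scoped to a
# class GUID; a blanket GenericAll on the OU itself would mean the delegation is too wide.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Account Trainees' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize

# The first ACE for the user class, expressed with the dsacls tool instead:
#   dsacls "OU=Accounts,DC=kuku,DC=co,DC=il" /I:T /G "KUKU\Account Trainees:CCDC;user"
```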
A domain contains domain controllers.
(Figure: a domain tree with root domain India.com and child domains
Chennai.india.com and Mumbai.india.com)
Forest: A forest is one or more domains that share the same schema, site and
replication information, and searchable components (the Global Catalog).
2. Windows Server 2003 Interim: Allows a Windows 2003 domain controller to
communicate with domain controllers in the forest running Windows NT 4 and
Windows 2003.
1. Site
2. Domain Controller
2. Single sites across multiple domains
3. Multiple sites in single domain
Domain controller:
A domain controller contains a copy of the local domain database.
A domain can have many domain controllers, and the domain controllers
automatically replicate directory information for all the objects in the domain to
each other.
With the new Active Directory features in Standard Edition, Enterprise Edition, and
Datacenter Edition, more efficient administration of Active Directory is available to
you.
New features can be divided into those available on any domain controller running
Windows Server 2003, and those available only when all domain controllers of a
domain or forest are running Windows Server 2003.
The following list summarizes the Active Directory features that are enabled by
default on any domain controller running Windows Server 2003.
Multiple selection of user objects: Modify common attributes of multiple user
objects at one time.
Saved queries: Save commonly used search parameters for reuse in Active
Directory Users and Computers.
Active Directory command-line tools: Run new directory service commands for
administration scenarios.
Selective class creation: Create instances of specified classes in the base schema
of a Windows Server 2003 forest. You can create instances of several common
classes, including country or region, person, organizationalPerson, groupOfNames,
device, and certificationAuthority.
InetOrgPerson class: The inetOrgPerson class has been added to the base schema
as a security principal and can be used in the same manner as the user class. The
userPassword attribute can also be used to set the account password.
New domain- or forest-wide Active Directory features can be enabled only when all
domain controllers in a domain or forest are running Windows Server 2003 and the
domain functionality or forest functionality has been set to Windows Server 2003.
The following list summarizes the domain- and forest-wide Active Directory features
that can be enabled when either a domain or forest functional level has been raised
to Windows Server 2003.
Domain rename: Rename any domain running Windows Server 2003 domain
controllers. You can change the NetBIOS name or DNS name of any child, parent,
tree- or forest-root domain.
Forest trusts: Create a forest trust to extend two-way transitivity beyond the scope
of a single forest to a second forest.
The following table describes the domain-wide features that are enabled for
the corresponding domain functional level:
Feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003
Domain controller rename tool | Disabled | Disabled | Enabled
Update logon timestamp | Disabled | Disabled | Enabled
Kerberos KDC key version numbers | Disabled | Disabled | Enabled
User password on InetOrgPerson object | Disabled | Disabled | Enabled
Universal Groups | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows both security and distribution groups. | Enabled. Allows both security and distribution groups.
Group Nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting.
Converting Groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
The following table describes the forest-wide features that are enabled for
the corresponding forest functional level:
Feature | Windows 2000 | Windows Server 2003
Forest trust | Disabled | Enabled
Linked value replication | Disabled | Enabled
Domain rename | Disabled | Enabled
Improved replication algorithms | Disabled | Enabled
Dynamic auxiliary classes | Disabled | Enabled
InetOrgPerson objectClass change | Disabled | Enabled
5. Choose create a new Domain in a new forest and click Next.
6. Enter the full DNS name of the new domain, for example - kuku.co.il -
this must be the same as the DNS zone you've created in step 3, and the same
as the computer name suffix you've created in step 1. Click Next.
This step might take some time because the computer is searching for the DNS
server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case it's KUKU.
Click Next
8. Accept the Database and Log file location dialog box (unless you want to
change them of course). The location of the files is by default
%systemroot%\NTDS, and you should not change it unless you have performance issues in
mind. Click Next.
9. Accept the Sysvol folder location dialog box (unless you want to change it
of course). The location of the files is by default %systemroot%\SYSVOL, and
you should not change it unless you have performance issues in mind. This
folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and
scripts you'll create, and will be replicated to all other Domain Controllers. Click
Next.
10. If your DNS server, zone and/or computer name suffix were not
configured correctly you will get the following warning:
This means the Dcpromo wizard could not contact the DNS server, or it did
contact it but could not find a zone with the name of the future domain. You
should check your settings. Go back to steps 1, 2 and 3. Click Ok.
You have an option to let Dcpromo do the configuration for you. If you want,
Dcpromo can install the DNS service, create the appropriate zone, configure it to
accept dynamic updates, and configure the TCP/IP settings for the DNS server IP
address.
To let Dcpromo do the work for you, select "Install and configure the DNS
server...".
Click Next.
Otherwise, you can accept the default choice and then quit Dcpromo and check
steps 1-3.
11. If your DNS settings were right, you'll get a confirmation window.
12. Accept the Permissions compatible only with Windows 2000 or Windows
Server 2003 settings, unless you have legacy apps running on Pre-W2K servers.
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this
password can be later changed via NTDSUTIL. Click Next.
14. Review your settings and if you like what you see - Click Next.
15. See the wizard going through the various stages of installing AD.
Whatever you do - NEVER click Cancel!!! You'll wreck your computer if you do. If
you see you made a mistake and want to undo it, you'd better let the wizard
finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
1. First, see that the Administrative Tools folder has all the AD management
tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the
Run command). See that all OUs and Containers are there.
3. Run Active Directory Sites and Services. See that you have a site named
Default-First-Site-Name, and that in it your server is listed.
4. Open the DNS console. See that you have a zone with the same name as
your AD domain (the one you've just created, remember? Duh...). See that
within it you have the 4 SRV record folders. They must exist.
(Screenshot: DNS zone showing the 4 SRV record folders = Good)
If they don't (like in the following screenshot), your AD functions will be broken
(a good sign of that is the long time it took you to log on. The "Preparing
Network Connections" windows will sit on the screen for many moments, and
even when you do log on many AD operations will give you errors when trying to
perform them).
(Screenshot: DNS zone without the SRV record folders = Bad)
This might happen if you did not manually configure your DNS server and let the
DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that
matter) is the fact that you DID configure the DNS server manually, but you
made a mistake, either with the computer suffix name or with the IP address of
the DNS server (see steps 1 through 3).
To try to fix the problem, first see if the zone is configured to accept dynamic
updates.
You should now restart the NETLOGON service to force the SRV registration.
You can do it from the Services console in Administrative tools:
Or from the command prompt type "net stop netlogon", and after it finishes type
"net start netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If
all is ok you'll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in
the DNS server. It should be exactly the same as the AD Domain name. Also
check the computer's suffix (see step 1). You won't be able to change the
computer's suffix after the AD is installed, but if you have a spelling mistake
you'd be better off by removing the AD now, before you have any users, groups
and other objects in place, and then after repairing the mistake - re-running
DCPROMO.
5. Check the NTDS folder for the presence of the required files.
6. Check the SYSVOL folder for the presence of the required subfolders.
7. Check to see if you have the SYSVOL and NETLOGON shares, and their
location.
If all of the above is ok, I think it's safe to say that your AD is properly installed.
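The SRV-record check and the NETLOGON restart described in step 4 above, as an added example that is not part of the original document. It assumes the page's example domain kuku.co.il and site Default-First-Site-Name, a domain controller that runs its own DNS service, and the DnsClient module (Windows Server 2012 or later); run it in an elevated PowerShell session on the DC.

```powershell
# Added example: verify the SRV records a new DC must register, and if any are
# missing restart NETLOGON to force re-registration, then re-check.
# Assumptions: domain kuku.co.il, site Default-First-Site-Name, DNS runs on this DC.
param(
    [string]$Domain    = 'kuku.co.il',             # the AD domain / DNS zone name
    [string]$Site      = 'Default-First-Site-Name',
    [string]$DnsServer = '127.0.0.1'               # the DC queries its own DNS service
)

# Records that live under the _msdcs, _sites, _tcp and _udp folders the text refers to.
# _gc._tcp is registered in the forest root zone; for a new forest that is $Domain.
$expected = @(
    "_ldap._tcp.$Domain"                 # domain controllers offering LDAP
    "_kerberos._tcp.$Domain"             # KDCs
    "_kerberos._udp.$Domain"
    "_kpasswd._tcp.$Domain"              # Kerberos password change
    "_ldap._tcp.dc._msdcs.$Domain"       # DC locator
    "_ldap._tcp.pdc._msdcs.$Domain"      # PDC emulator
    "_gc._tcp.$Domain"                   # global catalog
    "_ldap._tcp.$Site._sites.$Domain"    # site-specific DC record
)

function Test-DcSrvRecords {
    param([string[]]$Names, [string]$Server)
    $missing = @()
    foreach ($name in $Names) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            foreach ($r in $srv) {
                Write-Host ('OK       {0} -> {1}:{2}' -f $name, $r.NameTarget, $r.Port)
            }
        } else {
            Write-Warning "MISSING  $name"
            $missing += $name
        }
    }
    return ,$missing
}

$missing = Test-DcSrvRecords -Names $expected -Server $DnsServer
if ($missing.Count -eq 0) {
    Write-Host 'All expected SRV records are present.'
    return
}

# Same fix as in the text: restarting NETLOGON makes the DC re-register its records.
# nltest /dsregdns asks NETLOGON to register them right away instead of on its timer.
Restart-Service -Name Netlogon
nltest /dsregdns | Out-Null
Start-Sleep -Seconds 15

$stillMissing = Test-DcSrvRecords -Names $expected -Server $DnsServer
if ($stillMissing.Count -gt 0) {
    Write-Warning 'Records are still missing. Check, as in steps 1-3 of the text, that:'
    Write-Warning " - the zone '$Domain' allows dynamic updates"
    Write-Warning ' - the zone name exactly matches the AD domain name'
    Write-Warning " - the computer's primary DNS suffix is '$Domain' and its DNS client points at this server"
}
```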
Where is the database file store in AD?
%systemroot%\NTDS\NTDS.dit
Here dit stands for directory information tree; the default size is 40 MB.
What is the sysvol folder in AD?
The Sysvol folder stores the server's copy of the domain's public files. The contents
of the Sysvol folder, such as group policy, users, etc., are replicated to all domain
controllers in the domain.
How to Backup AD?
1. Open NTBACKUP by either going to Run, then NTBACKUP and pressing Enter
or by going to Start -> Accessories -> System Tools.
2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check
the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode
link.
4. Click to select the System State checkbox. Note you cannot manually select
components of the System State backup. It's all or nothing.
5. Enter a backup path for the BKF file. If you're using a tape device, make sure
NTBACKUP is aware and properly configured to use it.
7. The Backup Job Information pops out, allowing you to configure a scheduled
backup job and other settings. For the System State backup, do not change
any of the other settings except the schedule, if so desired. When done, press
Start Backup.
8.
9. After a few moments of configuration tasks, NTBACKUP will begin the backup
job.
10. When the backup is complete, review the output and close NTBACKUP.
Next, you need to properly label and secure the backup file/tape and if
possible, store a copy of it on a remote and secure location.
You can use the command line version of NTBACKUP in order to perform backups
from the Command Prompt.
For example, to create a backup job named "System State Backup Job" that backs
up the System State data to the file D:\system_state_backup.bkf, type:
ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"
COM class Registration database
CA (Certificate Authority)
For example, a server that has a System State backup from two days ago
goes down. A restore of the two-day-old Active Directory would be performed,
and it would then be updated from the other domain controllers when the
next replication takes place. No other steps would be required.
Authoritative Restore:
Authoritative restores do not have to be made of the entire directory, as you
can choose to restore only parts of the directory.
When only parts of the Active Directory are restored, say an organizational
unit, this information is pushed out to the remaining DCs and they are
overwritten.
However, the rest of the directory's information is then replicated to the
restored DC's directory and it is updated.
An example of when an authoritative restore would be used is when an
organizational unit is deleted but everything else in the Active Directory is
working as required.
If the environment only has a single domain controller, then there is never a
reason to perform an authoritative restore, as there are no replication partners.
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com
Restore the system state backup then restart the server.
Primary restore: When all of your domain controllers have failed, you use a
primary restore.
Replication:
What is Replication: Replication refers to reflecting that changes made in a
These changes are provided to domain controllers within and outside the site.
The directory information is logically partitioned into four categories, which are:
Schema partition:
Defines the rules for object creation and modification for all objects in the forest.
Replicated to all domain controllers in the forest.
Configuration partition:
Defines forest information including trees, domains, trust relationships,
and sites.
Replicated to all domain controllers in the forest.
Domain partition:
Has complete information about all domain objects such as OUs, groups and users.
Replicated only to domain controllers in the same domain.
Application partition:
It is replicated only to specific domain controllers.
It provides redundancy, availability and fault tolerance.
For example:
If you use DNS that is integrated with Active Directory, you have two application
partitions for DNS zones:
1. Forest DNS zones
2. Domain DNS zones
Active Directory replicates data within a site or between sites:
1. Intrasite Replication
2. Intersite Replication
Intrasite Replication:
The Knowledge Consistency Checker (KCC) is a process that runs on
a domain controller and generates the replication topology within a domain using a
ring structure.
The KCC checks the topology about every fifteen minutes.
If a domain controller in the ring fails or is removed, the KCC reconfigures the topology.
(Figure: intrasite replication ring between DC1, DC2 and DC3)
Intersite Replication:
Intersite replication is configurable and can be scheduled.
(Figure: intersite replication between SITE1, SITE 2 and SITE 3)
Cost and replication schedule: you can specify the interval between replications.
IP: IP is the recommended transport for Active Directory replication whenever possible.
SMTP: To use SMTP you need to install Certificate Services to encrypt and verify the
directory replication.
Trust
Trust relationship: A trust relationship connects two domains, the trusting
domain and the trusted domain.
Transitivity: Transitive trusts are not bounded by the domains in the trust relationship,
whereas non-transitive trusts are bounded by the domains in the trust relationship.
Example:
(Figure: DC1, DC2 and DC3)
Domain A trusts B and C, and domain B trusts domains A and C; this is called transitive.
In a unidirectional trust, domain X trusts domain Y, whereas when domains X and Y
both trust each other it is called bidirectional.
(Figure: Printer, Users, Files)
1. Tree-root trust
2. Parent-child trust
3. Shortcut trust
4. External trust
5. Forest trust
6. Realm trust
Trusting domain: The domain containing the resource is called the trusting domain.
Trusted domain: The domain containing the user account is called the trusted
domain.
Shortcut Trust: The administrator manually creates shortcut trusts between two
domains in a forest.
External Trust: The administrator creates external trusts manually between Windows
2003 domains in different forests.
The trust allows you to access resources from separate forests.
Forest Trust: A new kind of trust in Windows Server 2003. It allows one forest to
trust all domains within another forest. It is non-transitive and can be unidirectional
or bidirectional.
Realm Trust: The administrator creates a realm trust manually between a Windows
2003 server and a non-Windows Kerberos realm in a different forest.
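An added example, not part of the original document, that lists the trusts of the current domain, sorts each into the six kinds named above, and shows the properties a security review checks (direction, transitivity, SID filtering, selective authentication). It assumes the ActiveDirectory module (RSAT) and a domain-joined session; classifying intra-forest trusts by DNS names is an approximation, since a shortcut trust that involves the forest root domain looks like a tree-root trust.

```powershell
# Added example: report and classify the trusts of the current domain.
# Assumptions: RSAT ActiveDirectory module; the intra-forest classification by
# name (parent-child / tree-root / shortcut) is a heuristic, see the note above.
Import-Module ActiveDirectory

function Get-TrustKind {
    param($Trust, [string]$MyDomain, [string]$ForestRoot)
    # Realm trusts point at a non-Windows Kerberos realm (TrustType MIT in AD terms).
    if ($Trust.TrustType.ToString() -in 'MIT', 'Kerberos') { return 'Realm trust' }
    if (-not $Trust.IntraForest) {
        if ($Trust.ForestTransitive) { return 'Forest trust' }
        return 'External trust'
    }
    # Inside the forest: parent-child if one DNS name is a suffix of the other,
    # tree-root if one side is the forest root, otherwise a manually created shortcut.
    $target = $Trust.Target
    if ($target.EndsWith(".$MyDomain") -or $MyDomain.EndsWith(".$target")) { return 'Parent-child trust' }
    if ($target -eq $ForestRoot -or $MyDomain -eq $ForestRoot)            { return 'Tree-root trust' }
    return 'Shortcut trust'
}

function Get-TrustReport {
    $me   = (Get-ADDomain).DNSRoot
    $root = (Get-ADForest).RootDomain
    foreach ($t in Get-ADTrust -Filter *) {
        [pscustomobject]@{
            Partner       = $t.Target
            Kind          = Get-TrustKind -Trust $t -MyDomain $me -ForestRoot $root
            Direction     = $t.Direction.ToString()       # Inbound, Outbound or BiDirectional
            Transitive    = [bool]($t.IntraForest -or $t.ForestTransitive)
            SidFiltering  = [bool]$t.SIDFilteringQuarantined   # quarantine on external trusts
            SelectiveAuth = [bool]$t.SelectiveAuthentication
        }
    }
}

$report = Get-TrustReport
$report | Format-Table -AutoSize

# An external trust that admits accounts from the other domain (Inbound or
# BiDirectional) without SID filtering is the case a reviewer wants flagged.
$report |
    Where-Object { $_.Kind -eq 'External trust' -and $_.Direction -ne 'Outbound' -and -not $_.SidFiltering } |
    ForEach-Object { Write-Warning "External trust from $($_.Partner) has SID filtering (quarantine) disabled" }
```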
Object Naming:
An Active Directory object is identified by its name; these names are determined by
LDAP standards.
The DN (distinguished name) shows the complete path to the object, or where the
object resides within the AD.
For Example:
GUID: Represents a 128-bit hexadecimal number. This number is unique for each
object in the enterprise.
The GUID of an object never changes even if the DN is changed or the object's
location is changed.
User Accounts
Windows Server 2003 supports three types of user accounts. They are:
Administrator:
Manages the computer. The administrator can modify, create and delete user accounts.
Guest: Allows users who do not have a domain user account to access the domain.
These users can access network resources, and the guest account does not
have a password.
The guest account in Windows 2003 is disabled by default; you can rename
and disable the guest account but cannot delete it.
User Profiles
1. Local User Profiles (LUP)
2. Roaming User Profiles (RUP)
3. Mandatory User Profiles (MUP)
Local User Profiles: User profiles are stored locally on the system, in the path C:\Documents and Settings\<username>. A local user profile includes desktop settings, network places, My Documents and even application data.
Roaming User Profiles: If users work at more than one computer you can configure roaming user profiles. A RUP is stored on a server share and is downloaded to the local computer whenever the user logs on (and written back to the server at logoff).
Mandatory User Profiles: A read-only roaming profile stored on the server (the profile's NTUSER.DAT file is renamed to NTUSER.MAN). A single mandatory user profile can be assigned to multiple users who need the same desktop settings; changes a user makes are discarded at logoff.
Group Types
The group type identifies the use of a group.
For example, a security group is used to assign permissions whereas a distribution group is used to send email.
Active Directory in Windows Server 2003 supports two types of groups:
1. Distribution
2. Security
Distribution: Applications use distribution groups for non-security-related functions, such as creating email distribution lists.
Distribution groups can be used only with email applications such as Exchange to send email to collections of users.
Distribution groups are not security-enabled, which means they cannot be listed in a DACL (Discretionary Access Control List) and so cannot be granted or denied permissions.
Security: Security groups are used to assign permissions to shared resources. A security group can be listed in a DACL, which is used to define permissions on resources and objects (a security group can also be used as an email distribution list).
Security Descriptor: The security descriptor of an object holds the information about who owns the object, who can access it and in what way, and which accesses are audited. It contains the owner SID, the DACL and the SACL.
Access Control List (ACL): An ACL is an ordered list of access control entries held inside the security descriptor. The DACL lists the permissions granted or denied to users and groups; the SACL lists the accesses to be audited.
Access Control Entry (ACE): An entry in an object's DACL that grants or denies permissions to a user or group. Windows evaluates the ACEs in order, and in a canonical DACL the explicit deny entries come before the allow entries, so a matching deny wins over an allow for the same right.
An ACE is also an entry in the SACL that specifies the events (successful or failed accesses) to be audited for a user or group.
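The interaction between the DACL, the SACL and the group type is worth seeing in code. The following is an added example written for this page, not code from the original document or from Windows itself: it is a small model of the Windows access check (ordered ACE evaluation, deny before allow, empty DACL versus missing DACL) with invented users, groups and a three-bit rights mask, and it refuses to put a distribution group into an ACL.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed rights mask and directory for illustration (not from the page).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# Group type as stored in AD: only security-enabled groups may appear in an ACL.
GROUPS = {
    "Staff":       {"security": True,  "members": {"bob", "carol"}},
    "Contractors": {"security": True,  "members": {"bob"}},
    "Newsletter":  {"security": False, "members": {"bob", "carol"}},  # distribution
}


@dataclass
class ACE:
    kind: str        # "allow"/"deny" in a DACL; "audit_success"/"audit_failure" in a SACL
    trustee: str     # user or group the entry applies to
    mask: int        # access rights the entry covers


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[ACE]]            # None = no DACL at all (everyone gets everything)
    sacl: List[ACE] = field(default_factory=list)


def add_ace(acl: List[ACE], ace: ACE) -> None:
    """Append an ACE, refusing trustees that are distribution groups."""
    g = GROUPS.get(ace.trustee)
    if g is not None and not g["security"]:
        raise ValueError("%s is a distribution group and cannot be listed in an ACL" % ace.trustee)
    acl.append(ace)


def token_for(user: str) -> Set[str]:
    """The identities a logon token carries: the user plus its security groups."""
    return {user} | {g for g, v in GROUPS.items() if v["security"] and user in v["members"]}


def access_check(sd: SecurityDescriptor, user: str, desired: int) -> bool:
    """Walk the DACL in order, the way the Windows access check does.

    A deny ACE for the user (or one of its groups) that overlaps any still
    wanted right fails the check; an allow ACE removes the rights it grants.
    The check succeeds as soon as nothing is left to grant. An empty DACL
    grants nothing, a missing DACL grants everything.
    """
    if sd.dacl is None:
        return True
    token = token_for(user)
    remaining = desired
    for ace in sd.dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def audit_events(sd: SecurityDescriptor, user: str, desired: int, granted: bool) -> List[ACE]:
    """SACL entries that require this access attempt to be written to the security log."""
    wanted = "audit_success" if granted else "audit_failure"
    token = token_for(user)
    return [a for a in sd.sacl if a.kind == wanted and a.trustee in token and a.mask & desired]


def build_example() -> SecurityDescriptor:
    sd = SecurityDescriptor(owner="alice", dacl=[])
    # canonical order: explicit deny entries precede explicit allow entries
    add_ace(sd.dacl, ACE("deny", "Contractors", WRITE | DELETE))
    add_ace(sd.dacl, ACE("allow", "Staff", READ | WRITE))
    add_ace(sd.dacl, ACE("allow", "alice", READ | WRITE | DELETE))
    add_ace(sd.sacl, ACE("audit_failure", "Staff", WRITE | DELETE))
    return sd


if __name__ == "__main__":
    sd = build_example()
    for user, want in (("bob", READ), ("bob", WRITE), ("carol", WRITE), ("carol", DELETE)):
        ok = access_check(sd, user, want)
        print(user, want, "granted" if ok else "denied", "audit entries:", len(audit_events(sd, user, want, ok)))
```

Bob is in both Staff and Contractors, so he can read (the deny entry does not cover READ) but not write, even though Staff is allowed to write: the deny is evaluated first. Carol's failed DELETE produces an audit entry because the SACL asks for failures on WRITE and DELETE by Staff.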
Domain Local Groups: Domain local groups are used to assign permissions to resources within a single domain. A domain local group can contain user and computer accounts, global groups and universal groups from any domain in the forest, plus other domain local groups from the same domain.
You can change a domain local group to a universal group if the group is not a member of another domain local group.
Global group: Global groups collect accounts from one domain and can be granted permissions in any trusted domain within the same forest.
A global group can contain only user or computer accounts and other global groups from the same domain.
You can change a global group to a universal group if the global group is not a member of another global group in the domain.
Global Catalog
A Global Catalog (GC) server is a domain controller that contains a full copy of all objects in its own domain and a partial copy (a subset of the attributes) of all objects in the other domains of the forest.
To designate a domain controller as a GC server:
1. Click Start, Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site that contains the domain controller which you want to configure as a GC server.
3. Expand the Servers folder, locate and then click the domain controller that you want to designate as a GC server.
4. In the details pane, right-click NTDS Settings and click Properties on the shortcut menu.
5. The NTDS Settings Properties dialog box opens.
6. On the General tab, select the Global Catalog check box.
7. Click OK.
Clients
Global catalog clients, including search clients and Address Book clients, as well as domain controllers performing replication and universal group security identifier (SID) retrieval during logon in a multidomain forest.
Network
The physical IP network.
Interfaces
LDAP over port 389 for read and write operations and LDAP over port 3268 for global catalog search operations (LDAP over SSL uses ports 636 and 3269 respectively). NSPI and replication (REPL) use proprietary RPC protocols. Retrieval of universal group membership occurs over RPC as part of the replication RPC interface. Windows NT 4.0 clients and backup domain controllers (BDCs) communicate with Active Directory through the Security Accounts Manager (SAM) interface.
A global catalog server stores a replica of its own domain (full and writable) and a partial, read-only replica of all other domains in the forest.
All directory partitions on a global catalog server, whether full or partial, are stored
in the directory database file (Ntds.dit) on that server. That is, there is not a
separate storage area for global catalog attributes; they are treated as additional
information in the directory database of the global catalog server.
Domain controller:
Server that stores one full, writable domain directory partition plus forestwide
configuration and schema directory partitions. Global catalog servers are always
domain controllers.
To enable universal group membership caching for a site (so that logons in a site without a GC server do not have to contact one):
1. Click Start, Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, click the site that you want to enable universal group membership caching for.
3. In the details pane, right-click NTDS Site Settings and click Properties on the shortcut menu.
4. The NTDS Site Settings Properties dialog box opens.
5. Check the Enable Universal Group Membership Caching checkbox.
6. Click OK.
FSMO roles
Flexible Single Master Operations (FSMO) roles are server roles held by individual domain controllers in a forest; two are forest-wide (schema master and domain naming master) and three are domain-wide (RID master, PDC emulator and infrastructure master).
Schema master: The schema is the set of rules that defines the structure of Active Directory: the object classes and the attributes every object can have. The schema master is the domain controller that controls all updates and modifications to the schema; once a schema update is complete it is replicated from the schema master to all other domain controllers in the forest. It is a forest-wide role.
To update the schema of a forest you must have access to the schema master and be a member of the Schema Admins group. There can be only one schema master in the entire forest.
To view the current schema master, follow these steps:
1. Click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK to register the Active Directory Schema snap-in. A message states that the registration was successful.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu click Add/Remove Snap-in, click Add, click Active Directory Schema, click Add, click Close to close the Add Standalone Snap-in dialog box, and then click OK to add the snap-in to the console.
4. In the console tree, right-click Active Directory Schema, and then click Operations Master.
5. Under Current Schema Master, view the current schema operations master.
Domain naming master: Monitors and controls the adding, renaming and removing of domains in the forest. It is a forest-wide role; there is one per forest.
RID master: Allocates pools of relative identifiers (RIDs) to every domain controller in the domain. When a DC creates a security principal (user, group or computer) it builds the object's SID from the domain SID plus the next RID from its own pool. If the RID master is down you can still create security principals until the RID pools already issued to the DCs are exhausted.
The RID master is also required when moving an object between domains. It is a domain-wide role.
Infrastructure master: Keeps cross-domain group membership references up to date when the referenced objects are renamed or moved. It is a domain-wide role.
It is possible for an object in one domain to be referenced by another domain.
For example, when a user from domain A is placed in a domain local group in domain B, the reference information stored in the domain B group is:
1. The Globally Unique Identifier (GUID) of the object, which never changes during the object's lifetime, even if it is moved between domains.
2. The Security Identifier (SID) of the object, which changes if the object is moved between domains.
3. The Distinguished Name (DN) of the object, which changes if the object is moved or renamed in any way.
The infrastructure master is responsible for ensuring that the SIDs and DNs of the phantom records of objects referenced from other domains are kept up to date, by comparing the content of its database with that of the global catalog. For this reason the infrastructure master should not be placed on a global catalog server unless every domain controller in the domain is a global catalog server; otherwise it never finds stale references to fix.
To view the domain-wide role holders, click Start, click Run, type dsa.msc (Active Directory Users and Computers), right-click the domain, and then click Operations Masters.
Transferring the schema master role
You can use the Active Directory Schema snap-in to transfer the role. However, the Schmmgmt.dll dynamic-link library must be registered before the Schema snap-in is available in MMC.
Click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK. A message should be displayed stating that the registration was successful.
Click Start, click Run, type mmc, and then click OK.
On the File menu click Add/Remove Snap-in.
Click Add.
Click Active Directory Schema, and then click Add.
Click Close, and then click OK.
Right-click the Active Directory Schema icon, and then click Change Domain Controller.
Note: This step is needed only if you are not connected to the domain controller that will receive the role. It is not necessary if you are already connected to the domain controller to which you want to transfer the role.
Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.
Right-click Active Directory Schema, and then click Operations Master.
Click Change, and then click OK to confirm the transfer.
Transferring roles with Ntdsutil
1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. At the ntdsutil: prompt, type roles, and then press ENTER.
3. At the fsmo maintenance: prompt, type connections, and then press ENTER.
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller that will become the new role holder, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER.
6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID master role, type transfer rid master. The options are:
transfer domain naming master
transfer infrastructure master
transfer PDC
transfer RID master
transfer schema master
7. A warning window asks whether you want to perform the transfer. Click Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. No restart is required. Update your system state backup afterwards, because the role holders recorded in the old backup are now stale.
A session looks like this:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <servername>
server connections: q
fsmo maintenance: transfer rid master
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
Use transfer while the current role holder is online. The seize commands exist only for a role holder that is permanently lost; a seized role holder must never be brought back onto the network, because two DCs would then both believe they own the role.
Transferring the domain naming master role
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT connected to the target domain controller, right-click the Active Directory Domains and Trusts icon and click Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and click OK.
4. Right-click the Active Directory Domains and Trusts icon again and click Operations Master.
5. Click Change.
6. Click OK to confirm the change.
7. Click OK to close the remaining dialog boxes.
Transferring the RID master, PDC emulator or infrastructure master role
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT connected to the target domain controller, right-click the Active Directory Users and Computers icon and click Connect to Domain Controller.
3. Select the domain controller that will be the new role holder (the target) and click OK.
4. Right-click the domain, and then click Operations Masters.
5. Select the tab for the role you wish to transfer (RID, PDC or Infrastructure) and click Change.
6. Click OK to confirm the change.
7. Click OK to close the remaining dialog boxes.
Group Policy
Each policy setting in a GPO has one of three states:
1. Enabled
2. Disabled
3. Not configured (default)
A GPO has two configuration nodes:
1. Computer Configuration
1. Software Settings
2. Windows Settings (which include the Security Settings)
3. Administrative Templates
2. User Configuration
1. Software Settings
2. Windows Settings
3. Administrative Templates
What is the Group Policy Template?
The Group Policy Template (GPT) is the portion of a GPO that is stored in the SYSVOL share of the domain controllers within the domain, under the Policies folder in a subfolder named after the GPO's GUID.
It stores the settings that are configured in the GPO, including the administrative template (.adm) files, scripts and security settings.
What is the Group Policy Container?
The Group Policy Container (GPC) is the portion of a GPO that is stored in Active Directory on every domain controller within the domain.
The GPC holds the GPO's version number, its status and the list of client-side extensions that must process it.
What are the different levels at which a Group Policy Object can be linked?
A GPO can be linked at three levels in Active Directory (in addition to the local GPO on each computer):
1. Site Level
2. Domain Level
3. Organizational Unit Level
Site Level:
Group Policy configured for an entire site, the highest level. The settings are applied to all the computers and users within the site, regardless of domain.
Domain Level:
Group Policies configured for the entire domain. The settings are applied to every computer and user in the domain.
Organizational Unit Level:
Group Policies configured for an organizational unit. The settings are applied only to the computers and users in that OU and its child OUs.
GPOs are processed in the order local, site, domain, OU (child OUs last). A setting configured later in that order overrides the same setting configured earlier, unless the earlier link is marked Enforced (No Override) or a container has Block Policy Inheritance set.
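The processing order and its two exceptions (Enforced links and Block Policy Inheritance) decide which setting actually reaches a computer. The following is an added example written for this page, not code from the original document or from Microsoft: a small model of the resolution, with invented GPO names and settings, that returns the winning value and the GPO it came from.

```python
# Constructed model of Group Policy processing order (invented GPOs, not from the page).

def make_gpo(name, settings, enforced=False):
    """settings maps a policy name to Enabled/Disabled/a value, or 'Not configured'."""
    return {"name": name, "settings": settings, "enforced": enforced}


def resultant_set(local_gpo, containers):
    """Compute the settings that win for a computer or user.

    containers: list of (container_name, block_inheritance, [gpos]) in
    processing order: site, domain, then each OU from the top of the tree
    down to the one holding the object. Within a container the list is in
    application order (lowest link order applied first). Returns
    {policy: (value, winning GPO name)}.
    """
    ordered = []
    for name, block_inheritance, gpos in containers:
        if block_inheritance:
            # Block Policy Inheritance drops everything linked above this
            # container, except links marked Enforced (No Override).
            ordered = [g for g in ordered if g["enforced"]]
        ordered.extend(gpos)
    # Enforced links beat every later link; when two enforced links conflict
    # the one nearest the root wins, so apply the enforced ones last, in
    # reverse order of their containers.
    normal = [g for g in ordered if not g["enforced"]]
    enforced = [g for g in ordered if g["enforced"]]
    application_order = ([local_gpo] if local_gpo else []) + normal + enforced[::-1]
    result = {}
    for gpo in application_order:
        for policy, value in gpo["settings"].items():
            if value != "Not configured":     # Not configured never overrides anything
                result[policy] = (value, gpo["name"])
    return result


LOCAL = make_gpo("Local Computer Policy", {"ScreenSaverTimeout": 300})
SITE = [make_gpo("HQ Site Policy", {"ScreenSaverTimeout": 900})]
DOMAIN = [make_gpo("Default Domain Policy", {"MinPasswordLength": 12}, enforced=True)]
OU_CORP = [make_gpo("Corp Desktops", {"ScreenSaverTimeout": 600, "MinPasswordLength": 8})]
OU_SALES = [make_gpo("Sales Laptops", {"ScreenSaverTimeout": "Not configured",
                                       "MinPasswordLength": 6})]


def sales_laptop():
    """Object in OU Sales, which blocks inheritance from the domain and the Corp OU."""
    return resultant_set(LOCAL, [("site", False, SITE), ("domain", False, DOMAIN),
                                 ("OU=Corp", False, OU_CORP), ("OU=Sales", True, OU_SALES)])


def corp_desktop():
    """Object in OU Corp, with normal inheritance."""
    return resultant_set(LOCAL, [("site", False, SITE), ("domain", False, DOMAIN),
                                 ("OU=Corp", False, OU_CORP)])


if __name__ == "__main__":
    print("Sales laptop:", sales_laptop())
    print("Corp desktop:", corp_desktop())
```

For the Sales laptop the OU's attempt to lower MinPasswordLength to 6 loses to the enforced domain policy even though the OU blocks inheritance, and the screen saver timeout falls back to the local GPO because Block Policy Inheritance removed the site and Corp links and the Sales GPO leaves it Not configured. This is the property an administrator relies on when putting the password policy in an enforced domain link.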
Active Directory
Active Directory, the Windows-based directory service, stores information about
objects in a network and makes this information available to users and network
administrators. Administrators link GPOs to Active Directory containers such as sites,
domains, and OUs that include user and computer objects. In this way, Group Policy
settings can be targeted to users and computers throughout the organization.
Group Policy Container
The GPC is the portion of a GPO stored in Active Directory on each domain controller in the domain. The GPT contains the data in a GPO and is stored in the Sysvol in the \Policies sub-directory. GPOs affect users and computers that are contained in sites, domains, and OUs.
Sysvol
Sysvol is a shared directory that stores the server copy of the domain’s public files,
which are replicated among all domain controllers in the domain. The Sysvol contains
the data in a GPO: the GPT, which includes Administrative Template-based Group
Policy settings, security settings, script files, and information regarding applications
that are available for software installation. It is replicated using the File Replication
Service (FRS).
Local GPOs
Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.
Group Policy Object Editor snap-in extensions
Snap-in extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, Internet Explorer Maintenance, Disk Quotas, Wireless Network Policy, and QoS Packet Scheduler. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to Group Policy Object Editor to provide additional Group Policy settings.
Client-Side Extensions
Client-side extensions (CSEs) run within dynamic-link libraries (DLLs) and are
responsible for implementing Group Policy at the client computer. The following CSEs
are loaded, by default, in Windows Server 2003:
Administrative Templates, Wireless Network Policies, Folder Redirection, Disk
Quotas, QoS Packet Scheduler, Scripts, Security, Internet Explorer Maintenance, EFS
Recovery, Software Installation, and IP Security.
Group Policy Management Console (GPMC)
GPMC is a new tool designed to simplify implementation and management of Group
Policy. It consists of a new MMC snap-in and a set of scriptable interfaces for
managing Group Policy. The Group Policy Management Console provides:
• A user interface based on how customers use and manage Group Policy, rather
than on how the technology is built.
• Reporting (printing, saving, read-only access to GPOs) for GPO and Resultant Set
of Policy (RSoP) data.
• Backup/Restore of GPOs.
• Scripting of GPO operations that are exposed within this tool (but NOT scripting of
settings within a GPO).
Winlogon
A component of the Windows operating system that provides interactive logon
support, Winlogon is the service in which the Group Policy engine runs.
Registry
A database repository for information about a computer's configuration, the registry contains information that Windows continually references during operation, such as:
1. The profiles for each user of the computer.
2. The programs installed on the computer and the types of documents that each can create.
The registry is organized hierarchically as a tree, and it is made up of keys and their subkeys, hives, and entries. The Group Policy engine has read and write access to the registry.
Registry settings can be controlled via the Group Policy Administrative Templates extension.
Event Log
The Event log is a service, located in Event Viewer, which records events in the
system, security, and application logs. The Group Policy engine has write access to
the Event Log on client computers and domain controllers. The Help and Support
Center on each computer has read access to the Event Log.
Resultant Set of Policy (RSoP)
In logging mode (Group Policy Results), RSoP queries the CIMOM database on the target computer, receives information about the policies and displays it in GPMC. In planning mode (Group Policy Modeling), RSoP simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a domain controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the domain controller. The results of this simulation are stored in a local CIMOM database on the domain controller before the information is passed back and displayed in GPMC.
WMI
WMI makes data about a target computer available for administrative use. Such data
can include hardware and software inventory, settings, and configuration
information. For example, WMI exposes hardware configuration data such as CPU,
memory, disk space, and manufacturer, as well as software configuration data from
the registry, drivers, file system, Active Directory, the Windows Installer service,
networking configuration, and application data. WMI Filtering in Windows Server
2003 allows you to create queries based on this data. These queries (also called WMI
filters) determine which users and computers receive all of the policy configured in
the GPO where you create the filter.
DHCP
DHCP (Dynamic Host Configuration Protocol) is an open industry-standard protocol used to assign IP addresses and related settings to hosts automatically when a host connects to the network.
Benefits of DHCP:
DHCP automates the host configuration process for the key configuration parameters (IP address, subnet mask, default gateway, DNS servers and lease period), removing manual per-host configuration and the address conflicts that come with it.
DHCP Processes
A client obtains a lease through a four-message exchange (DORA):
DHCP DISCOVER
DHCP OFFER
DHCP REQUEST
DHCP ACKNOWLEDGEMENT
DHCP DISCOVER:
The client broadcasts a DHCPDISCOVER message to find a DHCP server (the client has no IP address yet and does not know the server's address either). The DHCPDISCOVER is sent as a LAN broadcast with 0.0.0.0 as the source IP and 255.255.255.255 as the destination address, from UDP port 68 to UDP port 67. It is a request for the location of a DHCP server and for IP addressing information, and it contains the client's MAC address and computer name so that the DHCP servers know which client sent the request.
DHCP OFFER:
When a DHCP server receives the DISCOVER message it replies with a DHCPOFFER containing the following information:
Source (DHCP server) IP address
Destination (DHCP client) IP address
An offered IP address
Client hardware (NIC) address
Subnet mask
Length of lease
Server identifier (the IP address of the offering server)
DHCP REQUEST:
Once the client receives an offer from at least one DHCP server it broadcasts a DHCPREQUEST message to all DHCP servers. The DHCPREQUEST contains the following information:
Requested IP address (the address that was offered)
Server identifier of the server whose offer the client accepted, so that the other servers know their offers were declined and can return those addresses to their pools
Client hardware (NIC) address
Parameter request list (subnet mask, router, DNS servers and the other options the client wants)
DHCP ACKNOWLEDGEMENT:
The DHCP server whose offer was accepted sends a successful acknowledgement to the client in the form of a DHCPACK message. The DHCPACK contains the following information:
A valid lease for the IP address, including the renewal (T1) and rebinding (T2) times, plus the requested options such as subnet mask, default gateway and DNS servers. If the requested address is no longer available the server answers with a DHCPNAK instead and the client starts again with a DHCPDISCOVER.
DHCP LEASE:
An IP lease has a finite lifetime. The client must periodically renew the lease after obtaining it: it first tries to renew with the server that issued the lease when 50% of the lease time has elapsed (T1), and if that fails it broadcasts a renewal to any server when 87.5% has elapsed (T2).
If your TCP/IP network configuration does not change often, or if you have enough free IP addresses in the address pool, you can increase the lease time. The default lease time on a Windows DHCP server is 8 days. If the address pool has few spare addresses you need to keep the lease time short. The reason is that if the pool of IP addresses is used up, machines that are added to or moved on the network may be unable to obtain an IP address from a DHCP server.
If a Windows DHCP client renews a lease while booting, these messages are sent as broadcast IP packets.
If the renewal is made while the DHCP client is running, both the client and the server communicate through unicast messages.
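The DORA exchange and the lease timers above can be exercised end to end without a network. The following is an added example written for this page, not code from the original document or from the Windows DHCP service: it serialises and parses DHCP messages in the RFC 2131 layout, runs the exchange between one client and several simulated servers, returns a declined offer to its server's pool, and derives T1 and T2 from the lease. The addresses, MACs, pools and transaction ID are invented, and the "authorized" flag stands in for the directory authorization described below.

```python
import socket
import struct

# Constructed DHCP simulation (RFC 2131 layouts; invented addresses, not from the page).
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header


def build(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialize a DHCP message: fixed header, magic cookie, TLV options, END."""
    header = struct.pack(HDR, op, 1, len(chaddr), 0, xid, 0, 0x8000,
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                 # pad option
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}


class DhcpServer:
    def __init__(self, ip, pool, lease=8 * 86400, authorized=True):
        self.ip, self.pool, self.lease = ip, list(pool), lease
        self.authorized = authorized    # a server the directory has not authorized stays silent
        self.offers, self.leases = {}, {}

    def _reply(self, m, mtype, ip):
        t1, t2 = self.lease // 2, self.lease * 7 // 8       # renew at 50%, rebind at 87.5%
        return build(BOOTREPLY, m["xid"], m["chaddr"], ip, [
            (53, bytes([mtype])), (1, socket.inet_aton("255.255.255.0")),
            (51, struct.pack("!I", self.lease)), (54, socket.inet_aton(self.ip)),
            (58, struct.pack("!I", t1)), (59, struct.pack("!I", t2))])

    def handle(self, pkt):
        if not self.authorized:
            return None
        m = parse(pkt)
        mtype = m["options"][53][0]
        if mtype == DISCOVER:
            if m["chaddr"] not in self.offers:
                self.offers[m["chaddr"]] = self.pool.pop(0)
            return self._reply(m, OFFER, self.offers[m["chaddr"]])
        if mtype == REQUEST:
            if m["options"][54] != socket.inet_aton(self.ip):
                # the client chose another server: return our offer to the pool
                if m["chaddr"] in self.offers:
                    self.pool.append(self.offers.pop(m["chaddr"]))
                return None
            wanted = socket.inet_ntoa(m["options"][50])
            if self.offers.get(m["chaddr"]) != wanted:
                return self._reply(m, NAK, "0.0.0.0")
            self.leases[m["chaddr"]] = self.offers.pop(m["chaddr"])
            return self._reply(m, ACK, wanted)
        return None


def client_exchange(servers, chaddr, xid=0x3903F326):
    """Run DORA against every server that hears the broadcast; return the lease."""
    discover = build(BOOTREQUEST, xid, chaddr, options=[(53, bytes([DISCOVER])), (61, b"\x01" + chaddr)])
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    chosen = parse(offers[0])                       # the client accepts the first offer heard
    request = build(BOOTREQUEST, xid, chaddr, options=[
        (53, bytes([REQUEST])), (50, socket.inet_aton(chosen["yiaddr"])), (54, chosen["options"][54])])
    acks = [a for a in (s.handle(request) for s in servers) if a]   # REQUEST is still broadcast
    ack = parse(acks[0])
    if ack["options"][53][0] != ACK:
        raise RuntimeError("server sent DHCPNAK; restart with DHCPDISCOVER")
    return {"ip": ack["yiaddr"], "server": socket.inet_ntoa(ack["options"][54]),
            "lease": struct.unpack("!I", ack["options"][51])[0],
            "t1": struct.unpack("!I", ack["options"][58])[0],
            "t2": struct.unpack("!I", ack["options"][59])[0]}


def demo():
    a = DhcpServer("192.0.2.1", ["192.0.2.100", "192.0.2.101"])
    b = DhcpServer("192.0.2.2", ["192.0.2.200"])
    rogue = DhcpServer("192.0.2.9", ["10.9.9.9"], authorized=False)
    lease = client_exchange([a, b, rogue], bytes.fromhex("001122334455"))
    return lease, a, b


if __name__ == "__main__":
    print(demo()[0])
```

With an 8-day lease the client computes T1 = 4 days and T2 = 7 days. Server b hears the broadcast REQUEST, sees a server identifier that is not its own and puts 192.0.2.200 back into its pool, which is why the server identifier option matters: without it every server that made an offer would keep that address tied up until the offer timed out.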
DHCP server authorization:
In implementations of DHCP prior to Windows 2000 any user could set up a DHCP server on the network, an action that could lead to IP conflicts. For example, if a client receives an IP address from an incorrectly configured (rogue) DHCP server the user may be prevented from logging on; a deliberately rogue server can also hand out a malicious default gateway or DNS server and intercept the client's traffic.
Active Directory must be present to authorize DHCP servers and block unauthorized ones. Note that authorization only stops Windows 2000 and later DHCP servers that honour the check; it cannot stop a non-Windows rogue server, which needs DHCP snooping or similar controls on the switches.
When the DHCP server service initializes it determines whether it is part of a directory domain. If so, it contacts the directory service to determine whether it is authorized. When the directory service confirms that the server is authorized, the server begins servicing DHCP clients; if it is not authorized it logs an event and does not respond to clients.
If the DHCP server is not part of a domain (a standalone or workgroup server), it broadcasts a DHCPINFORM message to discover other DHCP servers and the directory domains they belong to. If it learns of a directory domain in which it is not authorized, it shuts down its service; it repeats the check with a DHCPINFORM message once every 5 minutes.
DHCP SCOPE:
A scope is the range of IP addresses (with a subnet mask and options) that the server can allocate to clients on one subnet. You can configure many scopes on a DHCP server, one per subnet. DHCP servers do not share scope information with each other, so two servers serving the same subnet must be given non-overlapping address ranges.
EXCLUSION RANGES:
Addresses within a scope that the server must never hand out, for example addresses statically assigned to servers, routers or printers.
DHCP RESERVATION:
A permanent lease of a specific IP address to a specific client, identified by its MAC address, so that the client always receives the same address from DHCP.
The DHCP database stores:
• Scopes
• Reservations
• Leases
• Options
AUTOMATIC BACKUP:
By default the DHCP service automatically backs up the database and the related registry entries to the local drive every 60 minutes. The backup is stored in the %systemroot%\system32\dhcp\backup directory; you can change the backup location.
The automatic backup is used only by the automatic restore, which the DHCP service performs when database corruption is detected.
MANUAL BACKUP:
You can also back up the DHCP database manually to an offline storage location such as a tape drive or disk. A manual backup supports only a manual restore.
Backup
Windows 2000 and 2003 support tapes, floppies, hard disk drives (HDDs), Zip disks and remote storage devices (RSD) as backup media.
Backup utilities:
NTBackup is the default backup utility provided with NT, 2000 and 2003. It comes along with the OS and provides basic functionality; third-party products add features such as central scheduling, media management and application-aware backups:
1. Veritas BackupExec
2. Veritas Foundation Suite (for UNIX flavors)
3. Veritas Volume Manager
4. Tivoli Storage Manager (IBM)
5. Veritas NetBackup
Backing up a folder:
Create a folder on the D drive and a file in that folder.
Start - Run - ntbackup - click Advanced Mode
Click Backup Wizard
Next
Select the 2nd option (Back up selected files, drives, or network data)
Expand My Computer, then the D drive, and select the folder you created
Next, choose the backup destination and file name, then Finish
Verify the backup, then delete the backed-up folder and restore it from the backup to confirm the restore works.
Back up types
Normal
Copy
Incremental
Differential
Daily
1. Normal backup: A full backup that backs up all selected files and folders and clears the archive bit (A) after backing up. Archive bit: a file attribute used by the backup utility to know whether a file has been backed up since it was last changed; it is set whenever a file is created or modified and serves as the backup marker.
2. Copy backup: Backs up all selected files and folders but does not clear the archive bit. A copy backup can be taken between normal and incremental backups without disturbing the backup chain.
3. Incremental backup: Backs up only the selected files and folders that have changed since the last normal or incremental backup (those with the archive bit set) and clears the archive bit. Restoring requires the last normal backup plus every incremental backup taken since.
4. Differential backup: Backs up the selected files and folders that have changed since the last normal (or incremental) backup and does not clear the archive bit, so each differential grows. Restoring requires the last normal backup plus only the latest differ
ential.
5. Daily backup: Backs up the selected files and folders that were created or changed during the day; it does not clear the archive bit.
System State Data (SSD) is the data store that holds Active Directory (the Ntds.dit database and its logs), SYSVOL, the registry, the COM+ class registration database and the boot files. To back up the complete AD, back up the System State data with the backup utility.
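The difference between the five types comes down to which files carry the archive bit and whether the backup clears it, and that in turn decides which backup sets a restore needs. The following is an added example written for this page, not code from the original document or from NTBackup: it simulates the archive bit over a week of backups on an invented two-file folder and computes the restore chain for an incremental schedule and for a differential schedule.

```python
# Constructed simulation of the archive bit under the five backup types
# (file names and days are invented, not from the page).

def new_file(day):
    return {"archive": True, "modified": day}   # a new or changed file sets the bit


def modify(fs, name, day):
    fs[name] = new_file(day)


def run_backup(kind, fs, today=None):
    """Return the sorted list of files the backup type would copy, and update
    the archive bits exactly as ntbackup does for that type."""
    if kind in ("normal", "copy"):
        selected = list(fs)
    elif kind in ("incremental", "differential"):
        selected = [f for f, meta in fs.items() if meta["archive"]]
    elif kind == "daily":
        selected = [f for f, meta in fs.items() if meta["modified"] == today]
    else:
        raise ValueError("unknown backup type %r" % kind)
    if kind in ("normal", "incremental"):       # only these two clear the marker
        for f in selected:
            fs[f]["archive"] = False
    return sorted(selected)


def restore_chain(history):
    """Given [(day, kind, files)] in chronological order, return the (day, kind)
    sets needed to rebuild the latest state: the last normal backup, every
    incremental after it, and only the most recent differential."""
    needed, have_differential = [], False
    for day, kind, files in reversed(history):
        if kind == "normal":
            needed.append((day, kind))
            break
        if kind == "incremental":
            needed.append((day, kind))
        elif kind == "differential" and not have_differential:
            needed.append((day, kind))
            have_differential = True
        # copy and daily backups never take part in the chain
    return needed[::-1]


def incremental_week():
    fs = {"a.txt": new_file(0), "b.txt": new_file(0)}
    history = [(1, "normal", run_backup("normal", fs))]
    modify(fs, "a.txt", 2)
    history.append((2, "incremental", run_backup("incremental", fs)))
    modify(fs, "b.txt", 3)
    history.append((3, "copy", run_backup("copy", fs)))           # bits left untouched
    history.append((4, "incremental", run_backup("incremental", fs)))
    return history, restore_chain(history)


def differential_week():
    fs = {"a.txt": new_file(0), "b.txt": new_file(0)}
    history = [(1, "normal", run_backup("normal", fs))]
    modify(fs, "a.txt", 2)
    history.append((2, "differential", run_backup("differential", fs)))
    modify(fs, "b.txt", 3)
    history.append((3, "differential", run_backup("differential", fs)))
    history.append((3, "daily", run_backup("daily", fs, today=3)))
    return history, restore_chain(history)


if __name__ == "__main__":
    for name, (history, chain) in (("incremental", incremental_week()),
                                   ("differential", differential_week())):
        print(name, "history:", history)
        print(name, "restore needs:", chain)
```

In the incremental week the copy backup on day 3 takes everything but leaves b.txt's bit set, so the day 4 incremental still picks it up and the chain is normal plus both incrementals. In the differential week the second differential contains a.txt again because nothing cleared its bit, so a restore needs only the normal backup and that last differential.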
Restoration
There are two types of restoration
Non-authoritative restore
Authoritative restore
OSI Reference Model
The application, presentation, and session layers are all application-oriented in that they are responsible for presenting the application interface to the user. All three are independent of the layers below them and are totally oblivious to the means by which data gets to the application. These three layers are called the upper layers.
The lower four layers deal with the transmission of data, covering the packaging,
routing, verification, and transmission of each data group. The lower layers don't
worry about the type of data they receive or send to the application, but deal simply
with the task of sending it. They don't differentiate between the different applications
in any way.
The following sections explain each layer to help you understand the architecture of
the OSI-RM
Application layer: The application layer is the end-user interface to the OSI system. It is where the applications, such as electronic mail, USENET news readers, or database display modules, reside. The application layer's task is to display received information and send the user's new data to the lower layers.
Presentation layer: The presentation layer's task is to isolate the lower layers from the application's data format. It converts the data from the application into a common format, often called the canonical representation. The presentation layer processes machine-dependent data from the application layer into a machine-independent format for the lower layers.
The presentation layer is where file formats and even character formats (ASCII and
EBCDIC, for example) are lost. The conversion from the application data format
takes place through a "common network programming language" (as it is called in
the OSI Reference Model documents) that has a structured format.
The presentation layer does the reverse for incoming data. It is converted from the
common format into application-specific formats, based on the type of application
the machine has instructions for. If the data comes in without reformatting
instructions, the information might not be assembled in the correct manner for the
user's application.
Session layer: The session layer organizes and synchronizes the exchange of data between application processes. It works with the application layer to provide simple data sets called synchronization points that let an application know how the transmission and reception of data are progressing. In simplified terms, the session layer can be thought of as a timing and flow control layer.
Transport layer: The transport layer, as its name suggests, is designed to provide the "transparent transfer of data from a source end open system to a destination end open system," according to the OSI Reference Model. The transport layer establishes, maintains, and terminates communications between two machines.
The transport layer is responsible for ensuring that data sent matches the data
received. This verification role is important in ensuring that data is correctly sent,
with a resend if an error was detected. The transport layer manages the sending of
data, determining its order and its priority.
Network layer: The network layer provides the physical routing of the data, determining the path between the machines. The network layer handles all these routing issues, relieving the higher layers from this issue.
The network layer examines the network topology to determine the best route to
send a message, as well as figuring out relay systems. It is the only network layer
that sends a message from source to target machine, managing other chunks of data
that pass through the system on their way to another machine.
Data link layer: The data link layer, according to the OSI reference paper, "provides for the control of the physical layer, and detects and possibly corrects errors that can occur." In practicality, the data link layer is responsible for correcting transmission errors induced during transmission (as opposed to errors in the application data itself, which are handled in the transport layer).
The data link layer is usually concerned with signal interference on the physical
transmission media, whether through copper wire, fiber optic cable, or microwave.
Interference is common, resulting from many sources, including cosmic rays and
stray magnetic interference from other sources.
Physical layer: The physical layer is the lowest layer of the OSI model and deals with the "mechanical, electrical, functional, and procedural means" required for transmission of data, according to the OSI definition. This is really the wiring or other transmission form.
When the OSI model was being developed, a lot of concern dealt with the lower two layers, because they are, in most cases, inseparable. The real world treats the data link layer and the physical layer as one combined layer, but the formal OSI definition stipulates different purposes for each. (TCP/IP includes the data link and physical layers as one layer, recognizing that the division is more academic than practical.)
TCP/IP works across LANs and WANs, and there are several important aspects of LAN
and WAN topologies you should know about. You can start with LANs and look at
their topologies. Although there are many topologies for LANs, three topologies are
dominant: bus, ring, and hub.
To understand the roles of the many components of the TCP/IP protocol family, it is
useful to know what you can do over a TCP/IP network. Then, once the applications
are understood, the protocols that make it possible are a little easier to comprehend.
The following list is not exhaustive but mentions the primary user applications that
TCP/IP provides.
Telnet
The Telnet program provides a remote login capability. This lets a user on one machine log onto another machine and act as though he or she were directly in front of the second machine. The connection can be anywhere on the local network or on another network anywhere in the world, as long as the user has permission to log onto the remote system.
You can use Telnet when you need to perform actions on a machine across the country. This isn't often done except in a LAN or WAN context, but a few systems accessible through the Internet allow Telnet sessions while users play around with a new application or operating system. Telnet sends the user name, password and everything typed in cleartext, so on any network where traffic can be captured it should be replaced by SSH.
File Transfer Protocol
File Transfer Protocol (FTP) enables a file on one system to be copied to another system. The user doesn't actually log in as a full user to the machine he or she wants to access, as with Telnet, but instead uses the FTP program to enable access. Again, the correct permissions are necessary to provide access to the files.
Once the connection to a remote machine has been established, FTP enables you to copy one or more files to your machine. (The term transfer implies that the file is moved from one system to another, but the original is not affected. Files are copied.) FTP is a widely used service on the Internet, as well as on many large LANs and WANs. Like Telnet, FTP sends credentials and file contents in cleartext; SFTP or FTPS should be used where confidentiality matters.
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol (SMTP) is used for transferring electronic mail. SMTP is completely transparent to the user. Behind the scenes, SMTP connects to remote machines and transfers mail messages much like FTP transfers files. Users are almost never aware of SMTP working, and few system administrators have to bother with it. SMTP is a mostly trouble-free protocol and is in very wide use.
Internet Protocol
Internet Protocol (IP) is responsible for moving the packets of data assembled by either TCP or UDP across networks. It uses a set of unique addresses for every device on the network to determine routing and destinations.
Internet Control Message Protocol
Internet Control Message Protocol (ICMP) is responsible for checking and generating messages on the status of devices on a network. It can be used to inform other devices of a failure in one particular machine. ICMP and IP usually work together. Each ICMP message starts with an 8-bit type field, a code, and a checksum; the common types are:
Value Description
0 Echo Reply
3 Destination Not Reachable
4 Source Quench
HCL Confidential 91
PROPOSAL
5 Redirection Required
8 Echo Request
11 Time to Live Exceeded
12 Parameter Problem
13 Timestamp Request
14 Timestamp Reply
15 Information Request (now obsolete)
16 Information Reply (now obsolete)
17 Address Mask Request
18 Address Mask Reply
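As an added example (it is not part of the original document), the following Python decodes the 8-byte ICMP header, names the type using the table above, and verifies the one's-complement checksum before counting what it saw, which is the first thing a monitor does with ICMP traffic from a capture. The three sample messages, their identifiers and payloads, and the summarize helper are constructed for this example; the type values and names are the ones in the table.

```python
import struct

# ICMP message types from the table above (RFC 792); the lookup itself is constructed here
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Not Reachable",
    4: "Source Quench",
    5: "Redirection Required",
    8: "Echo Request",
    11: "Time to Live Exceeded",
    12: "Parameter Problem",
    13: "Timestamp Request",
    14: "Timestamp Reply",
    15: "Information Request (now obsolete)",
    16: "Information Reply (now obsolete)",
    17: "Address Mask Request",
    18: "Address Mask Reply",
}

ICMP_HEADER = struct.Struct("!BBH4s")  # type, code, checksum, rest-of-header


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IP and ICMP; a result of 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used here to construct sample input)."""
    unchecked = ICMP_HEADER.pack(msg_type, code, 0, rest) + payload
    return ICMP_HEADER.pack(msg_type, code, inet_checksum(unchecked), rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header, name the type and verify the checksum."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _csum, rest = ICMP_HEADER.unpack(packet[:ICMP_HEADER.size])
    return {
        "type": msg_type,
        "code": code,
        "name": ICMP_TYPES.get(msg_type, "Unknown"),
        "rest_of_header": rest,
        # Summing the whole message, checksum field included, must give zero.
        "checksum_ok": inet_checksum(packet) == 0,
        "payload": packet[ICMP_HEADER.size:],
    }


# Constructed sample traffic: an echo request, its reply, and a TTL-exceeded notice.
SAMPLE_PACKETS = [
    build_icmp(8, 0, b"\x12\x34\x00\x01", b"ping"),
    build_icmp(0, 0, b"\x12\x34\x00\x01", b"ping"),
    build_icmp(11, 0, b"\x00\x00\x00\x00", b"\x45\x00" + b"\x00" * 26),
]


def summarize(packets) -> tuple:
    """Count messages per type name, and separately count messages whose checksum fails."""
    counts, bad = {}, 0
    for pkt in packets:
        info = parse_icmp(pkt)
        if not info["checksum_ok"]:
            bad += 1
            continue
        counts[info["name"]] = counts.get(info["name"], 0) + 1
    return counts, bad


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

A message whose checksum does not verify is counted separately rather than classified, because its type field cannot be trusted.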
IP Addresses
TCP/IP uses a 32-bit address to identify a machine on a network and the network to
which it is attached. IP addresses identify a machine's connection to the network, not
the machine itself—an important distinction. Whenever a machine's location on the
network changes, the IP address must be changed, too. The IP address is the set of
numbers many people see on their workstations or terminals, such as 127.40.8.72,
which uniquely identifies the device.
IP (or Internet) addresses are assigned only by the Network Information Center
(NIC), although if a network is not connected to the Internet, that network can
determine its own numbering. For all Internet accesses, the IP address must be
registered with the NIC.
LANs are an obvious target for TCP/IP, because TCP/IP helps solve many
interconnection problems between different hardware and software platforms. To run
TCP/IP over a network, the existing network and transport layer software must be
replaced with TCP/IP, or the two must be merged together in some manner so that
the LAN protocol can carry TCP/IP information within its existing protocol
(encapsulation).
Routing
address doesn't match the machine's, the packet is forwarded further around the
network. Forwarding can be to the destination machine itself, or to a gateway or
bridge if the packet is to leave the local network.
Routing is a primary contributor to the complexity of packet-switched networks. It is
necessary to account for an optimal path from source to destination machines, as
well as to handle problems such as a heavy load on an intervening machine or the
loss of a connection. The route details are contained in a routing table, and several
sophisticated algorithms work with the routing table to develop an optimal route for
a packet.
Creating a routing table and maintaining it with valid entries are important aspects of
a protocol. Here are a few common methods of building a routing table:
• A fixed table is created with a map of the network, which must be modified
and reread every time there is a physical change anywhere on the network.
• A dynamic table is used that evaluates traffic load and messages from other
nodes to refine an internal table.
• A fixed central routing table is used that is loaded from the central repository
by the network nodes at regular intervals or when needed.
Each method has advantages and disadvantages. The fixed table approach, whether
located on each network node or downloaded at regular intervals from a centrally
maintained fixed table, is inflexible and can't react to changes in the network
topology quickly. The central table is better than the first option, simply because it is
possible for an administrator to maintain the single table much more easily than a
table on each node.
The dynamic table is the best for reacting to changes, although it does require better
control, more complex software, and more network traffic. However, the advantages
usually outweigh the disadvantages, and a dynamic table is the method most
frequently used on the Internet.
Routing Daemons
To handle the routing tables, most UNIX systems use a daemon called routed. A few
systems run a daemon called gated. Both routed and gated can exchange RIP
messages with other machines, updating their route tables as necessary. The gated
program can also handle EGP and HELLO messages, updating tables for the
internetwork. Both routed and gated can be managed by the system administrator to
select favorable routes, or to tag a route as not reliable.
The configuration information for gated and routed is usually stored as files named
gated.cfg, gated.conf, or gated.cf. Some systems specify gated information files for
each protocol, resulting in the files gated.egp, gated.hello, and gated.rip. A sample
configuration file for EGP used by the gated process is shown here:
# sample EGP config file
autonomoussystem 519 ;
rip no;
egp yes {
    neighbor 128.212.64.1 ;
};
static {
    default gateway 128.212.64.1 pref 100 ;
};
proto direct {
};
proto default {
};
proto rip {
    noannounce all ;
};
There are several IGPs in use, none of which have proven themselves dominant.
Usually, the choice of an IGP is made on the basis of network architecture and
suitability to the network's software requirements. Earlier today, RIP and HELLO
were mentioned. Both are examples of IGPs. Together with a third protocol called
Open Shortest Path First (OSPF), these IGPs are now examined in more detail.
Both RIP and HELLO calculate distances to a destination, and their messages contain
both a machine identifier and the distance to that machine. In general, messages
tend to be long, because they contain many entries for a routing table. Both
protocols are constantly connecting between neighbors to ensure that the machines
are active and communicating, which can cause network traffic to build.
The Routing Information Protocol found wide use as part of the University of
California at Berkeley's LAN software installations. Originally developed from two
routing protocols created at Xerox's Palo Alto Research Center, RIP became part of
UCB's BSD UNIX release, from which it became widely accepted. Since then, many
versions of RIP have been produced, to the point where most UNIX vendors have
their own enhanced RIP products. The basics are now defined by an Internet RFC.
RIP uses a broadcast technology (showing its LAN heritage). This means that the
gateways broadcast their routing tables to other gateways on the network at regular
intervals. This is also one of RIP's downfalls, because the increased network traffic
and inefficient messaging can slow networks down compared to other IGPs. RIP
tends to obtain information about all destinations in the autonomous system to which
the gateways belong. Like GGP, RIP is a vector-distance system, sending a network
address and distance to the address in its messages.
A machine in a RIP-based network can be either active or passive. If it is active, it
sends its routing tables to other machines. Most gateways are active devices. A
passive machine does not send its routing tables but can send and receive messages
that affect its routing table. Most user-oriented machines (such as PCs and
workstations) are passive devices. RIP employs the User Datagram Protocol (UDP)
for messaging, employing port number 520 to identify messages as originating with
RIP.
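The dynamic routing table described earlier and the RIP messages that refine it, as one added example (not code from the original document): a RIPv1 response parser (4-byte header, 20-byte entries, UDP port 520, metric 16 meaning unreachable, all per RFC 1058) feeding a distance-vector table that also makes the forwarding decision by longest matching prefix. The neighbour and network addresses are constructed; because RIPv1 carries no subnet mask, the example assumes classful prefixes, which is the protocol's own rule.

```python
import struct
import ipaddress

RIP_PORT = 520        # UDP port RIP listens on (stated in the text above)
RIP_INFINITY = 16     # metric meaning "unreachable" in RIP (RFC 1058)
RIP_RESPONSE = 2      # command value of a RIP response that carries routes
RIP_ENTRY = struct.Struct("!HH4sIII")   # AFI, pad, address, pad, pad, metric (20 bytes)


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """RIPv1 carries no subnet mask, so the prefix is inferred from the address class."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def build_rip_response(entries) -> bytes:
    """Construct a RIPv1 response message (sample input, not captured traffic)."""
    msg = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for net, metric in entries:
        msg += RIP_ENTRY.pack(2, 0, ipaddress.IPv4Address(net).packed, 0, 0, metric)
    return msg


def parse_rip(msg: bytes):
    """Decode a RIPv1 message; reject bad lengths, address families and metrics."""
    if len(msg) < 4 or (len(msg) - 4) % RIP_ENTRY.size:
        raise ValueError("RIP message length is not 4 + n*20 bytes")
    command, version, _ = struct.unpack("!BBH", msg[:4])
    entries = []
    for off in range(4, len(msg), RIP_ENTRY.size):
        afi, _, addr, _, _, metric = RIP_ENTRY.unpack(msg[off:off + RIP_ENTRY.size])
        if afi != 2 or not 1 <= metric <= RIP_INFINITY:
            raise ValueError("RIP entry has unsupported AFI or out-of-range metric")
        entries.append((str(ipaddress.IPv4Address(addr)), metric))
    return command, version, entries


class RoutingTable:
    """Dynamic table: directly attached networks plus routes learned from neighbours."""

    def __init__(self, local_nets):
        # Directly attached networks have no gateway and metric 1.
        self.routes = {ipaddress.ip_network(n): (None, 1) for n in local_nets}

    def update_from(self, neighbor: str, msg: bytes) -> int:
        """Distance-vector update: cost via the neighbour is its advertised metric + 1."""
        command, _, entries = parse_rip(msg)
        if command != RIP_RESPONSE:
            return 0
        changed = 0
        for net, metric in entries:
            dest = classful_network(net)
            new_metric = min(metric + 1, RIP_INFINITY)
            current = self.routes.get(dest)
            if current is None:
                if new_metric < RIP_INFINITY:       # never install an unreachable route
                    self.routes[dest] = (neighbor, new_metric)
                    changed += 1
            elif new_metric < current[1] or (current[0] == neighbor and new_metric != current[1]):
                # Better path, or the neighbour we already use has changed its cost.
                self.routes[dest] = (neighbor, new_metric)
                changed += 1
        return changed

    def next_hop(self, ip: str):
        """Forwarding decision: longest matching prefix; None means there is no route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (gateway, metric) in self.routes.items():
            if addr in net and metric < RIP_INFINITY:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, gateway)
        if best is None:
            return None
        return "direct" if best[1] is None else best[1]


if __name__ == "__main__":
    table = RoutingTable(["192.168.1.0/24"])
    table.update_from("192.168.1.254", build_rip_response([("10.0.0.0", 1), ("172.16.0.0", 15)]))
    print(table.routes, table.next_hop("10.1.2.3"))
```

The metric-15 entry illustrates the point the text makes about distance counting: one more hop takes it to 16, so it is treated as unreachable and never installed.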
The HELLO protocol is used often, especially where TCP/IP installations are involved.
It is different from RIP in that HELLO uses time instead of distance as a routing
factor. This requires the network of machines to have reasonably accurate timing,
which is synchronized with each machine. For this reason, the HELLO protocol
depends on clock synchronization messages.
The format of a HELLO message is shown in Figure 5.12. The primary header fields
are as follows:
The Open Shortest Path First protocol was developed by the Internet Engineering
Task Force, with the hope that it would become the dominant protocol within the
Internet. In many ways, the name "shortest path" is inaccurate in describing this
protocol's routing process (both RIP and HELLO use a shortest path method—RIP
based on distance and HELLO on time). A better description for the system would be
"optimum path," in which several criteria are evaluated to determine the best route
to a destination. The HELLO protocol is used for passing state information between
gateways and for passing basic messages, whereas the Internet Protocol (IP) is used
for the network layer.
OSPF uses the destination address and type of service (TOS) information in an IP
datagram header to develop a route. From a routing table that contains information
about the topology of the network, an OSPF gateway (more formally called a router
in the RFC, although both terms are interchangeable) determines the shortest path
using cost metrics, which factor in route speed, traffic, reliability, security, and
several other aspects of the connection. Whenever communications must leave an
autonomous network, OSPF calls this external routing. The information required for
an external route can be derived from both OSPF and EGP.
There are two types of external routing with OSPF. A Type 1 route involves the same
calculations for the external route as for the internal. In other words, the OSPF
algorithms are applied to both the external and internal routes. A Type 2 route uses
the OSPF system only to calculate a route to the gateway of the destination system,
ignoring any routes of the remote autonomous system. This has an advantage in
that it can be independent of the protocol used in the destination network, which
eliminates a need to convert metrics.
OSPF enables a large autonomous network to be divided into smaller areas, each
with its own gateway and routing algorithms. Movement between the areas is over a
backbone, or the parts of the network that route messages between areas. Care
must be taken to avoid confusing OSPF's areas and backbone terminology with those
of the Internet, which are similar but do not mean precisely the same thing. OSPF
defines several types of routers or gateways:
• An Internal Router is one for which all connections belong to the same area,
or one in which only backbone connections are made.
• A Border Router is a router that does not satisfy the description of an Internal
Router (it has connections outside an area).
OSPF maintains several tables for determining routes, including the protocol data
table (the high-level protocol in use in the autonomous system), the area data table
or backbone data table (which describes the area), the interface data table
(information on the router-to-network connections), the neighbor data table
(information on the router-to-router connections), and a routing data table (which
contains the route information for messages). Each table has a structure of its own,
the details of which are not needed for this level of discussion. Interested readers are
referred to the RFC for complete specifications.
OSPF Packets
As mentioned earlier, OSPF uses IP for the network layer. The OSPF specifications
provide for two reserved multicast addresses: one for all routers that support OSPF
(224.0.0.5) and one for a designated router and a backup router (224.0.0.6). The IP
protocol number 89 is reserved for OSPF. When IP sends an OSPF message, it uses
the protocol number and a Type of Service (TOS) field value of 0. Usually, the IP
precedence field is set higher than normal IP messages, also.
OSPF uses two header formats. The primary OSPF message header is shown in the
accompanying figure; the fields are not drawn to their scale lengths. The
Version Number field identifies the version of the OSPF protocol in use (currently
version 1).
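As an added example (not code from the original document), the following Python decodes the OSPF common header and checks the things the passage names: that the packet arrived in IP protocol 89, which of the two reserved multicast groups it was sent to, and that the header checksum verifies. The field layout is the 24-byte OSPFv2 header from RFC 2328 (version, type, length, router ID, area ID, checksum, AuType, 8 bytes of authentication), so the constructed sample sets the version field to 2; the router and area IDs are constructed. It also flags AuType 0 and 1, which mean no authentication and a cleartext password respectively, since a defender auditing routing traffic wants to see that.

```python
import struct
import ipaddress

OSPF_PROTOCOL = 89                                   # IP protocol number reserved for OSPF
ALL_SPF_ROUTERS = ipaddress.ip_address("224.0.0.5")  # all routers that support OSPF
ALL_D_ROUTERS = ipaddress.ip_address("224.0.0.6")    # designated router and backup
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")  # 24-byte OSPFv2 common header (RFC 2328)


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum; returns 0 when run over data that already includes it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ospf(pkt_type, router_id, area_id, body, version=2, autype=0) -> bytes:
    """Construct an OSPF packet with a valid header checksum (sample input only)."""
    rid = ipaddress.IPv4Address(router_id).packed
    aid = ipaddress.IPv4Address(area_id).packed
    length = OSPF_HEADER.size + len(body)
    auth = b"\x00" * 8
    unchecked = OSPF_HEADER.pack(version, pkt_type, length, rid, aid, 0, autype, auth)
    # The checksum covers the whole packet except the 8-byte authentication field.
    csum = inet_checksum(unchecked[:16] + body)
    return OSPF_HEADER.pack(version, pkt_type, length, rid, aid, csum, autype, auth) + body


def parse_ospf(packet: bytes, dst_ip: str, ip_protocol: int) -> dict:
    """Decode the common header and list anything a monitor should flag."""
    if len(packet) < OSPF_HEADER.size:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    version, pkt_type, length, rid, aid, _csum, autype, _auth = OSPF_HEADER.unpack(
        packet[:OSPF_HEADER.size])
    findings = []
    if ip_protocol != OSPF_PROTOCOL:
        findings.append(f"carried in IP protocol {ip_protocol}, not {OSPF_PROTOCOL}")
    if length != len(packet):
        findings.append("header length does not match packet length")
    # With cryptographic authentication (AuType 2) the checksum field is unused.
    if autype != 2 and inet_checksum(packet[:16] + packet[OSPF_HEADER.size:]) != 0:
        findings.append("bad checksum")
    if autype in (0, 1):
        findings.append(f"{AUTH_TYPES[autype]} authentication (autype {autype})")
    group = {ALL_SPF_ROUTERS: "AllSPFRouters",
             ALL_D_ROUTERS: "AllDRouters"}.get(ipaddress.ip_address(dst_ip))
    return {
        "version": version,
        "type": OSPF_TYPES.get(pkt_type, f"unknown ({pkt_type})"),
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        "auth_type": AUTH_TYPES.get(autype, f"unknown ({autype})"),
        "multicast_group": group,
        "findings": findings,
    }


if __name__ == "__main__":
    hello = build_ospf(1, "10.0.0.1", "0.0.0.0", b"\x00" * 20)
    print(parse_ospf(hello, "224.0.0.5", OSPF_PROTOCOL))
```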
INTRODUCTION TO CLUSTER
Cluster
The basic idea of a cluster is multiple physical servers acting as a single virtual server.
Clustering is a group of computers that function as a single system. It provides high
availability and fault tolerance for servers, services, or applications. If one member
of the cluster is unavailable, another computer takes over the load so that the service or
Enterprise Edition.
A cluster consists of:
• Nodes
• Network
• Operating system
• Cluster middleware
Cluster classification
Hybrid clusters
WINDOWS CLUSTER
1. Server Cluster
A server cluster supports stateful applications: the nodes share a common database, and
the application keeps its data in that database over a long period. For example, SQL Server, Mail
2. Network Load Balancing
A Network Load Balancing (NLB) cluster supports stateless applications: each of the two
or more cluster members keeps its own individual database. For example, FTP cluster, DHCP
CLUSTER COMPONENTS
[Figure: cluster service components on a node: Node Manager, Event Log Replication
Manager, Checkpoint Manager, Backup/Restore Manager, Global Update Manager, Failover
Manager, Database Manager, Log Manager, Cluster Service, Resource DLLs…]
Checkpoint Manager
To ensure that the cluster service can recover from a resource failure, the Checkpoint
Manager checks registry keys when a resource is brought online and writes checkpoint
data to the quorum resource when the resource goes offline. Cluster-aware applications
use the cluster configuration database to store recovery information. Applications that are
not cluster-aware store information in the local server registry.
The Checkpoint Manager also supports resources having application-specific registry
trees instantiated at the cluster node where the resource comes online (a resource can
have one or more registry trees associated with it). The Checkpoint Manager watches for
changes made to these registry trees if the resource is online. If it detects that changes
have been made, it creates a dump of the registry tree on the owner node of the resource
and then moves the file to the owner node of the quorum resource. The Checkpoint
Manager performs some amount of “batching” so that frequent changes to registry trees
do not place too heavy a load on the cluster service.
Log Manager
The Log Manager, along with the Checkpoint Manager, ensures that the recovery log on
the quorum resource contains the most recent configuration data and change checkpoints.
If one or more cluster nodes are down, configuration changes can still be made to the
surviving nodes. While these nodes are down, the Database Manager uses the Log
Manager to log configuration changes to the quorum resource.
As the failed nodes return to service, they read the location of the quorum resource from
their local cluster hives. Since the hive data could be stale, mechanisms are built in to
detect invalid quorum resources that are read from a stale cluster configuration database.
The Database Manager will then request the Log Manager to update the local copy of the
cluster hive using the checkpoint file in the quorum resource, and then replay the log file
in the quorum disk starting from the checkpoint log sequence number. The result is a
completely updated cluster hive.
Cluster hive snapshots are taken whenever the quorum log is reset and once every four
hours.
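The Checkpoint Manager and Log Manager passages describe one recovery mechanism: batch registry changes into checkpoint dumps, log configuration changes on the quorum resource with a log sequence number, and rebuild a returning node's hive from the latest checkpoint plus a replay of the newer log entries. As an added example (a constructed model, not the cluster service's own code), the following Python implements that mechanism with an in-memory log. The registry keys, group names and batching rule (one dump per changed registry tree per flush) are assumptions made for the example.

```python
class QuorumLog:
    """Constructed model of the recovery log kept on the quorum resource.

    Every configuration change is appended with a log sequence number (LSN).
    A checkpoint is a full snapshot of the cluster hive tagged with the LSN
    current at that moment; taking one resets the log.
    """

    def __init__(self):
        self.lsn = 0
        self.entries = []          # (lsn, key, value); value None records a deletion
        self.checkpoint = (0, {})  # (lsn, snapshot of the hive)

    def record(self, key, value) -> int:
        """Append one configuration change and return its LSN."""
        self.lsn += 1
        self.entries.append((self.lsn, key, value))
        return self.lsn

    def take_checkpoint(self, hive) -> None:
        """Snapshot the hive at the current LSN; earlier log entries are no longer needed."""
        self.checkpoint = (self.lsn, dict(hive))
        self.entries = []


class RegistryCheckpointer:
    """Batches changes to a resource's registry trees so one dump per tree is written."""

    def __init__(self, qlog: QuorumLog):
        self.qlog = qlog
        self.pending = {}          # tree -> {key: latest value}

    def on_change(self, tree, key, value) -> None:
        # Repeated changes to the same key collapse into the latest value.
        self.pending.setdefault(tree, {})[key] = value

    def flush(self) -> int:
        """Write one dump per changed tree to the quorum log; returns dumps written."""
        dumps = 0
        for tree, changes in self.pending.items():
            for key, value in changes.items():
                self.qlog.record(f"{tree}\\{key}", value)
            dumps += 1
        self.pending = {}
        return dumps


def rebuild_hive(qlog: QuorumLog, local_hive: dict):
    """Recover a returning node's hive: start from the checkpoint, replay newer entries.

    Returns (rebuilt_hive, was_stale) so the caller can tell whether the node's
    local copy had missed changes made while it was down.
    """
    base_lsn, snapshot = qlog.checkpoint
    hive = dict(snapshot)
    for lsn, key, value in qlog.entries:
        if lsn <= base_lsn:        # already folded into the checkpoint
            continue
        if value is None:
            hive.pop(key, None)
        else:
            hive[key] = value
    return hive, hive != local_hive


if __name__ == "__main__":
    log = QuorumLog()
    log.take_checkpoint({"ClusterName": "CL1", "Nodes": "A,B"})
    log.record("Nodes", "A,B,C")
    print(rebuild_hive(log, {"ClusterName": "CL1", "Nodes": "A,B"}))
```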
Failover Manager
The Failover Manager is responsible for stopping and starting resources, managing
resource dependencies, and for initiating failover of resource groups. To perform these
Failover
Failover can occur automatically because of an unplanned hardware or application
failure, or can be triggered manually by the person who administers the cluster. The
algorithm for both situations is identical, except that resources are shut down in an
orderly fashion for a manually initiated failover, while their shut down may be sudden
and disruptive in the failure case.
When an entire node in a cluster fails, its resource groups are moved to one or more
available servers in the cluster. Automatic failover is similar to planned administrative
reassignment of resource ownership. It is, however, more complicated, because the
orderly steps of a normal shutdown may have been interrupted or may not have happened
at all. As a result, extra steps are required in order to evaluate the state of the cluster at
the time of failure.
Automatic failover requires determining what groups were running on the failed node and
which nodes should take ownership of the various resource groups. All nodes in the
cluster that are capable of hosting the resource groups negotiate among themselves for
ownership. This negotiation is based on node capabilities, current load, application
feedback, or the node preference list. The node preference list is part of the resource
group properties and is used to assign a resource group to a node. Once negotiation of the
resource group is complete, all nodes in the cluster update their databases and keep track
of which node owns the resource group.
In clusters with more than two nodes, the node preference list for each resource group can
specify a preferred server plus one or more prioritized alternatives. This enables
cascading failover, in which a resource group may survive multiple server failures, each
time cascading or failing over to the next server on its node preference list. Cluster
administrators can set up different node preference lists for each resource group on a
server so that, in the event of a server failure, the groups are distributed amongst the
cluster’s surviving servers.
An alternative to this scheme, commonly called N+I failover, sets the node preference
lists of all cluster groups. The node preference list identifies the standby cluster nodes to
Failback
When a node comes back online, the Failover Manager can decide to move some
resource groups back to the recovered node. This is referred to as failback. The properties
of a resource group must have a preferred owner defined in order to failback to a
recovered or restarted node. Resource groups for which the recovered or restarted node is
the preferred owner will be moved from the current owner to the recovered or restarted
node.
Failback properties of a resource group may include the hours of the day during which
failback is allowed, plus a limit on the number of times failback is attempted. In this way
the cluster service provides protection against failback of resource groups at peak
processing times, or to nodes that have not been correctly recovered or restarted.
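The failover and failback behaviour described above (node preference lists, cascading to the next listed node, failback only to the preferred owner, an allowed failback window and an attempt limit) as one added example; this is a constructed model written for this document, not the Failover Manager's own code. The node names, group names, window hours and the rule that a group with no surviving listed node goes to the lowest-named surviving node are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ResourceGroup:
    name: str
    preferred_owners: List[str]                 # node preference list, most preferred first
    owner: Optional[str] = None
    failback_window: Tuple[int, int] = (0, 24)  # hours of the day in which failback may run
    failback_limit: int = 3                     # maximum number of failback attempts
    failback_attempts: int = 0


class FailoverManager:
    """Constructed model of resource group placement driven by node preference lists."""

    def __init__(self, nodes, groups):
        self.up = set(nodes)
        self.groups = {g.name: g for g in groups}
        for g in groups:
            g.owner = self._choose(g)

    def _choose(self, group) -> Optional[str]:
        # Cascade down the preference list; fall back to any surviving node (assumed: lowest name).
        for node in group.preferred_owners:
            if node in self.up:
                return node
        return min(self.up) if self.up else None

    def node_failed(self, node) -> dict:
        """Move every group owned by the failed node; returns group -> new owner."""
        self.up.discard(node)
        moved = {}
        for g in self.groups.values():
            if g.owner == node:
                g.owner = self._choose(g)
                moved[g.name] = g.owner
        return moved

    def node_recovered(self, node, hour) -> list:
        """Failback: return groups whose preferred owner is this node, within the limits."""
        self.up.add(node)
        returned = []
        for g in self.groups.values():
            if not g.preferred_owners or g.preferred_owners[0] != node or g.owner == node:
                continue
            start, end = g.failback_window
            if not start <= hour < end:
                continue   # outside the allowed hours, e.g. peak processing time
            if g.failback_attempts >= g.failback_limit:
                continue   # too many attempts; the node may not be properly recovered
            g.failback_attempts += 1
            g.owner = node
            returned.append(g.name)
        return returned


if __name__ == "__main__":
    fm = FailoverManager(["A", "B", "C"], [
        ResourceGroup("SQL", ["A", "B", "C"], failback_window=(1, 5)),
        ResourceGroup("Print", ["B", "A"]),
    ])
    print(fm.node_failed("A"), fm.node_failed("B"), fm.node_recovered("A", hour=3))
```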
QUORUM
Quorum:
Each cluster has a special resource known as the quorum resource. A quorum resource
decisions.
A quorum log is simply a configuration database for the server clustering. It holds cluster
configuration information such as which servers are part of the cluster, what resources are
QUORUM TYPES
Standard Quorum
As mentioned above, a quorum is simply a configuration database for Microsoft Cluster
Service, and is stored in the quorum log file. A standard quorum uses a quorum log file
that is located on a disk hosted on a shared storage interconnect that is accessible by all
members of the cluster.
Note: It is possible to configure server clusters to use the local hard disk on a server to
store the quorum, but this is only supported for testing and development purposes, and
should not be used in a production environment.
Network
While the disks that make up the MNS could, in theory, be disks on a shared storage
fabric, the MNS implementation that is provided as part of Windows Server 2003 uses a
directory on each node’s local system disk to store the quorum data. If the configuration
of the cluster changes, that change is reflected across the different disks.
This ensures that a majority of the nodes have an up-to-date copy of the data. The cluster
service itself will only start up, and therefore bring resources online, if a majority of the
nodes configured as part of the cluster are up and running the cluster service. If there are
fewer nodes, the cluster is said not to have quorum and therefore the cluster service waits
(trying to restart) until more nodes try to join. Only when a majority or quorum of nodes
are available, will the cluster service start up, and the resources be brought online. In this
way, since the up-to-date configuration is written to a majority of the nodes regardless of
node failures, the cluster will always guarantee that it starts up with the latest and most
up-to-date configuration.
In the case of a failure or split-brain, all partitions that do not contain a majority of nodes
are terminated. This ensures that if there is a partition running that contains a majority of
the nodes, it can safely start up any resources that are not running on that partition, safe in
the knowledge that it can be the only partition in the cluster that is running resources
(since all other partitions are terminated).
Given the differences in the way the shared disk quorum clusters behave compared to
MNS quorum clusters, care must be taken when deciding which model to choose. For
example, if you only have two nodes in your cluster, the MNS model is not
recommended, as failure of one node will lead to failure of the entire cluster, since a
majority of nodes is impossible.
HEARTBEAT
Heartbeat:
The heartbeat is used to test whether the cluster is available. If the heartbeat fails, the
failover process occurs.
1. Unicast Message
2. Multicast Message
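The heartbeat and Majority Node Set quorum passages above fit together: heartbeats decide which nodes are still present, and the majority rule decides whether the nodes that can see each other are allowed to run resources, so that in a split only one partition survives. The following Python is an added example of both rules as a constructed model, not the cluster service's own code. The threshold of three missed heartbeats and the node names are assumptions; the majority rule (more than half of the configured nodes) and the two-node caveat come from the text.

```python
MISSED_HEARTBEAT_LIMIT = 3   # assumed threshold; the text gives no specific value


class ClusterMembership:
    """Tracks which configured nodes are still answering heartbeats."""

    def __init__(self, nodes):
        self.configured = set(nodes)
        self.alive = set(nodes)
        self.missed = {n: 0 for n in nodes}

    def tick(self, heard_from) -> list:
        """One heartbeat interval; returns the nodes declared failed during this tick."""
        failed = []
        for node in sorted(self.configured):
            if node in heard_from:
                self.missed[node] = 0
            else:
                self.missed[node] += 1
                if self.missed[node] >= MISSED_HEARTBEAT_LIMIT and node in self.alive:
                    self.alive.discard(node)
                    failed.append(node)
        return failed


def has_quorum(configured, visible) -> bool:
    """Majority Node Set rule: more than half of the configured nodes must be present."""
    return len(set(visible)) > len(set(configured)) // 2


def resolve_partitions(configured, partitions) -> dict:
    """During a split, only a partition holding a majority keeps running; the rest terminate."""
    return {frozenset(p): has_quorum(configured, p) for p in partitions}


def after_heartbeat_loss(membership: ClusterMembership, heard_from) -> dict:
    """Run one interval and report whether the survivors may fail over the lost groups."""
    failed = membership.tick(heard_from)
    return {
        "failed_nodes": failed,
        "quorum": has_quorum(membership.configured, membership.alive),
        # Failover is only meaningful if the surviving side still holds quorum.
        "failover": bool(failed) and has_quorum(membership.configured, membership.alive),
    }


if __name__ == "__main__":
    m = ClusterMembership(["A", "B", "C"])
    for _ in range(MISSED_HEARTBEAT_LIMIT):
        print(after_heartbeat_loss(m, {"A", "B"}))
    print(resolve_partitions(["A", "B", "C", "D", "E"], [{"A", "B", "C"}, {"D", "E"}]))
```

The last line of the main block shows the two-node caveat's general form: any partition with at most half the configured nodes terminates, so with two nodes neither side can ever hold a majority after a split.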
INSTALLATION & CONFIGURATION
• Double check to ensure that all the nodes are working properly and are configured
identically (hardware, software, drivers, etc.).
• Verify that none of the nodes has been configured as a Domain Controller.
• Check to verify that all drives are NTFS and are not compressed.
• Verify that you have disabled NetBIOS for all private network cards.
• Verify that there are no network shares on any of the shared drives.
• Check to verify that no antivirus software has been installed on the nodes.
Antivirus software can reduce the availability of clusters and must not be installed
on them. If you want to check for possible viruses on a cluster, you can always
install the software on a non-node and then run scans on the cluster nodes
remotely.
2. From the Action drop-down box, select Create New Cluster and click OK. This brings
up the New Server Cluster Wizard, as shown.
3. Click Next to begin the wizard.
7. This step is very important. What the Cluster Wizard does is to verify that everything
is in place before it begins the actual installation of the cluster service on the node. As
you can see above, the wizard goes through many steps, and if you did all of your
preparation correctly, when the testing is done, you will see a green bar under Tasks
completed, and you will be ready to proceed. But if you have not done all the preliminary
steps properly, you may see yellow or red icons next to one or more of the many tested
steps, and a green or red bar under Tasks completed.
Note:
While the green bar does indicate that you can proceed, it does not mean the cluster will
be completed successfully or will be configured like you want it to be completed. If you
see any yellow warning icons, you can drill down into them and see exactly what the
warning is. Read each warning very carefully. If the warning is something unimportant to
you, it can be ignored. But in most cases, the yellow warnings need to be addressed. This
may mean you will have to abort the cluster service installation at this time to fix the
problem. Then you can try to install it again.
If you get any red warning icons next to any of the test steps, then you will also get a red
bar at the bottom, which means that you have a major problem that needs to be corrected
before you can proceed. Drill down to see the message and act accordingly. Most likely,
you will have to abort the installation, fix the issue, and then try installation again.
9. Then you have to type the user name and password and corresponding domain.
Once you have successfully installed the two nodes of your cluster, it is a good idea to
view the nodes from Cluster Administrator. When you bring up Cluster Administrator for
the first time after creating a cluster, you may have to tell it to Open a Connection to
Cluster, and type in the name of the virtual cluster you just created. Once you have done
this, the next time you open Cluster Administrator it will automatically open this cluster
for you by default.
TROUBLESHOOTING
TROUBLESHOOTING:
When the physical disks are not powering up or spinning, Cluster service cannot initialize
any quorum resources.
The Cluster service fails and the node cannot detect the network.
In this case, you probably have a configuration problem. Check the following:
• Cause: Have you made any configuration changes recently?
Solution: If the node was recently configured, or if you have installed some resource
that required you to restart the computer, make sure that the node is still properly
configured for the network.
• Cause: Is the node properly configured?
Solution: Check that the server is properly configured for TCP/IP. Also check that the
appropriate services are running. If the node recently failed, there is an instance of
failover; but, if the other nodes are misconfigured as well, the failover will be
inadequate and client access will fail.
An IP address added to a group in the cluster fails.
• Cause: The Internet protocol (IP) address is not unique.
Solution: The IP address must be different from every other group IP address and
every other IP address on the network.
• Cause: The IP address is not a static IP address.
Solution: The IP addresses must be statically assigned outside of a DHCP scope, or
they must be reserved by the network administrator.
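The two causes above (the address is not unique, or it is not static) can be checked before the IP address resource is added. As an added example (not from the original document), the following Python validates proposed cluster addresses against an inventory of existing group addresses, hosts already seen on the network, the DHCP scope, and the administrator's reservations. The addresses, scope range and inventory are constructed for the example.

```python
import ipaddress


def check_group_ip(candidate, group_ips, network_ips, dhcp_scopes, reservations=()):
    """Return the problems that would make a cluster IP address resource fail to come online."""
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr in {ipaddress.ip_address(a) for a in group_ips}:
        problems.append("duplicates the IP address of another cluster group")
    if addr in {ipaddress.ip_address(a) for a in network_ips}:
        problems.append("already in use by another host on the network")
    reserved = {ipaddress.ip_address(a) for a in reservations}
    for low, high in dhcp_scopes:
        # An address inside a scope is only acceptable if the administrator reserved it.
        if ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high) and addr not in reserved:
            problems.append(f"inside DHCP scope {low}-{high} without a reservation")
    return problems


# Constructed inventory: existing group addresses, hosts seen on the subnet, the DHCP
# scope, and addresses the network administrator has reserved.
GROUP_IPS = ["192.168.10.51"]
NETWORK_IPS = ["192.168.10.1", "192.168.10.20"]
DHCP_SCOPES = [("192.168.10.100", "192.168.10.200")]
RESERVATIONS = ["192.168.10.150"]


def preflight(candidates) -> dict:
    """Check several proposed addresses at once; returns candidate -> list of problems."""
    return {c: check_group_ip(c, GROUP_IPS, NETWORK_IPS, DHCP_SCOPES, RESERVATIONS)
            for c in candidates}


if __name__ == "__main__":
    for candidate, problems in preflight(["192.168.10.50", "192.168.10.120"]).items():
        print(candidate, "OK" if not problems else "; ".join(problems))
```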
An IP address resource is unresponsive when taken offline, for example you are unable to
query its properties.
• Cause: You may not have waited long enough for the resource to go offline.
All nodes appear to be functioning correctly, but you cannot access all of the drives from
one node.
• Cause: The shared drive may not be functioning.
Solution: Confirm that the shared drive is still functioning.
Try to access the drive from another node. If you can, check the cable from the
device to the node from which you cannot access it. If the cable is not the problem,
restart the computer and then try again to access the device. If you still cannot access
the drive, check your configuration.
• Cause: The drive has completely failed.
Solution: Determine (from another node) whether the drive is functioning at all. You
may have to restart the drive (by restarting the computer) or replace the drive.
The hard disk with the resource or a dependency for the resource may have failed. You
may have to replace a hard disk. You may also have to reinstall the cluster.
FEATURES:
1. High Availability
2. High Scalability
3. Fault Tolerance
4. Load Balancing
References:
1. http://technet.microsoft.com
2. www.petri.co.il
3. www.windowsnetworking.com