branch office to connect in a secure manner to a remote corporate server over the
public Internet. A VPN server (or host) is a computer that accepts VPN connections from
VPN clients; it can be an NT 4.0/Windows 2000 Server or a Windows 2000/XP Professional
machine. A VPN client is a computer that initiates a VPN connection to a VPN server or host;
it can be an individual computer running Windows NT 4.0, Windows 2000 or Windows 9x. VPN
clients can also be any non-Microsoft Point-to-Point Tunneling Protocol (PPTP) client or
Layer Two Tunneling Protocol (L2TP) client using IPSec.
Q: Can I set up my VPN client as a router to direct all local computers' traffic
to the VPN?
If you have a name resolution problem when using the VPN, check the PPTP filtering on the
server. If UDP ports 137 and 138 or TCP port 139 are blocked, NetBIOS name service,
datagram and session packets cannot pass, so NetBIOS name resolution and browsing fail.
These ports also need to be open on all firewalls and routers between the client and the
server for unicast (point-to-point) traffic. NetBIOS broadcasts never cross the tunnel in any
case, which is why a WINS or DNS server must be handed to VPN clients for name resolution.
How to add DNS and WINS to your Cisco VPN server
If your VPN client cannot find servers or cannot ping a computer by name, you may need
to hand DNS and WINS server addresses to clients from the VPN server. For example, on a
Cisco PIX firewall acting as the VPN server, add
vpdn group 1 client configuration dns <dns-server-address>
vpdn group 1 client configuration wins <wins-server-address>
If you have a Windows 2003 server as the VPN server, you can assign a static IP address
on the Dial-in tab of the user's properties. If you use another Windows OS as the VPN
server, create a DHCP reservation instead.
If you are running W2K/XP Pro as a domain member, you will have the option "Log on
using dial-up connection" on the logon screen after creating a VPN or dial-up
connection. In the Log On to Windows dialog box, the user selects the Log on using
dial-up connection check box. After clicking OK, the user is prompted to choose a
network connection, and the domain logon is performed across the tunnel.
When you set up RRAS as a VPN server, a default set of Input and Output filters is
created on the external adapter of the VPN server; they admit only VPN traffic and drop
everything else. If the server is not in a highly secure environment, you can place it
outside the firewall as long as incoming traffic is restricted to PPTP packets only. To
display and modify these filters, go to Routing and Remote Access>IP Routing>General,
where you can add or edit the packet filters of the dedicated Local Area Connection.
On NT 4.0, enable PPTP filtering from Control Panel: select the Network applet, Protocols,
TCP/IP Protocol, the WAN adapter, Advanced, then select the Enable PPTP Filtering check
box, as Screen 1 shows. When PPTP filtering is enabled, the server refuses all non-PPTP
requests. Keep in mind that the filter only limits what the interface accepts; the PPTP
service itself is still exposed, so it must be kept patched and must require MS-CHAP v2
with MPPE encryption rather than PAP, CHAP or MS-CHAP v1.
You need to install your modem from Control Panel if you haven't already,
and set up the Dial-Up Networking server on the remote computer.
(This is included with Win98, NT4 and W2K/XP. On Win95 it is in the Plus! pack,
but you need to update Dial-Up Networking to version 1.3 or later from Microsoft's site. At
the time of writing it can be found here.) You can enable the dial-up server from
the 'Connections' menu of the Dial-Up Networking window. If it isn't there, or if
you've updated Dial-Up Networking as mentioned above, install it from
the Windows Setup tab of 'Add/Remove Programs' in Control Panel.
Windows 2000 Server supports 256 inbound dial-in connections while Windows 2000
Professional supports one. You can configure an incoming connection to accept the
following connection types: dial-up (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct
(serial, infrared, DirectParallel). On a computer running Windows 2000, 2003 or XP Pro,
an incoming connection created with the network connection wizard can accept up to three
incoming calls, at most one of each of these types. Note: on a computer running Windows
2000/2003 Server with RRAS, the number of inbound calls is limited only by the computer
and its hardware configuration.
To choose how VPN clients get addresses, open RRAS, right-click the RRAS server>Properties>IP.
You have two options: DHCP and Static address pool.
You have two options for setting up a VPN server on Windows 2003. 1) Create an
incoming network connection if you have a small network or want to set up a
single PC-to-PC VPN; 2) If you have a large number of incoming connections on a
server that operates as part of a distributed network or as a domain controller, use
RRAS to create a VPN server.
Symptoms: When attempting to create a VPN server on W2K Server with only one NIC, you may
receive "You have chosen the last available connection as the Internet connection.
A VPN server requires that one connection be used as the private network
connection" when you select the NIC. The wizard expects two interfaces, one public and
one private; with a single NIC, either install the Microsoft Loopback Adapter as the
second interface or configure RRAS manually instead of through the VPN server wizard.
To use PPTP through a PIX, you must have a one-to-one (static) NAT mapping from the
external IP to the internal IP of the VPN server, and the inbound access list must permit
both GRE (IP protocol 47) and TCP port 1723 to that external address.
To set up a Windows 2000 server for VPN, open the Routing and Remote Access console
in the Administrative Tools folder, right-click the server and then click Configure
and Enable Routing and Remote Access>Virtual private network [VPN] server. Click
Next if TCP/IP is the only protocol you will use. Select the connection that faces the
Internet as the Internet Connection. You will have two options for assigning IP addresses
to VPN clients. The default is Automatically. It is recommended to configure the server to
assign client addresses from a static address pool rather than from a DHCP server. If you
configure RAS to assign client addresses from a static address pool, clients inherit the
DNS and WINS settings from the RAS server. If your RAS server can browse the network,
clients should also be able to browse the network with the same settings. If you prefer
DHCP, verify that DHCP scope option 44 (WINS/NetBIOS name server) points to the WINS
server and that scope option 6 (DNS server) shows the address of your DNS server. When
these options aren't defined, problems with client browsing are almost guaranteed.
Finally, choose whether or not to use RADIUS for authentication and accounting.
NOTE: If VPN traffic passes through a router or firewall, configure the router or
firewall to pass PPTP (TCP port 1723 and IP protocol 47 [GRE, Generic Routing
Encapsulation]) or L2TP over IPSec (UDP port 500 [IKE] and IP protocol 50
[ESP, Encapsulating Security Payload]) traffic to and from the VPN server. With
L2TP/IPSec the L2TP traffic on UDP port 1701 is carried inside ESP, so the firewall
never sees it in the clear and does not need a separate rule for it.
Prior to Windows 2000/XP Pro, you had to add PPTP to NT 4.0 Server to establish
VPN connections. Since Windows 2000/XP Pro, you can run Windows 2000/XP Pro itself as
a VPN host. However, Windows 2000/XP Pro allows only one VPN connection at a time and
requires Internet Protocol (IP).
Before you start the VPN configuration, you should have equipment (modem, T1,
Frame Relay, ADSL or cable modem) connecting you to the Internet. Also make sure
you have correct TCP/IP settings on the W2K/XP machine.
To set up Windows XP Pro (in our case) as a VPN host, go to the Properties of My
Network Places>Create a New Connection>Set up an Advanced
Connection>Accept Incoming Connections. On the Devices for Incoming
Connections page, do not select any device; just click Next, check
Allow virtual private connections, and then click Next. On the Allowed Users page,
select or add all users for whom you want to enable access. The accounts have
to exist on both computers involved in establishing the VPN connection. On the
Networking Software page of the New Connection Wizard, File and Printer Sharing for
Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks
should be listed as networking components. By default, Allow callers to access my
local area network and Assign TCP/IP addresses automatically using DHCP are
checked. If you would like to keep the default settings, click Next to continue. Now
the Incoming Connections icon should show in the Incoming section under the
Properties of My Network Places and is ready to use.
If the VPN server has two network cards, one for the LAN and one for the WAN,
leave the default gateway on the LAN adapter blank. In the gateway field of the WAN
network interface, enter the address that your ISP defines; the gateway
address usually points to a router at your ISP. It is recommended that you manually enter
the TCP/IP address, DNS and WINS for the LAN NIC instead of using DHCP.
To run a logon script when establishing a VPN connection, you have two options. 1) Create
a batch file that calls rasdial.exe and then maps drives with net use. 2) Use the Microsoft
Connection Manager Administration Kit (CMAK), which can run a post-connect action.
A Windows 2000 VPN server is installed with a default set of Input and Output
filters on the external adapter. These filters support PPTP, L2TP and IPSec
connectivity only and block all other traffic. However, the filters can be modified. To
modify them, go to RRAS>IP Routing>General, right-click the external adapter
and select Properties.
A: PPTP uses TCP port 1723 plus IP protocol 47 (GRE); L2TP uses UDP port 1701;
IPSec uses UDP port 500 (IKE) plus IP protocols 50 (ESP) and 51 (AH). Note: 47 is an IP
protocol number, not a TCP port; the protocol's name is GRE. This makes a big difference
when configuring your firewall or router: a rule that opens "TCP port 47" does nothing
for PPTP, and the tunnel will authenticate on 1723 and then hang.
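The protocol-number-versus-port distinction in the note above and in the firewall NOTE earlier is easy to get wrong in an access list. The following is an added example, not code from the original page: it parses raw IPv4 headers, classifies each packet as PPTP control (TCP 1723), PPTP data (GRE, protocol 47), IKE, ESP or AH, and then checks constructed sample packets against two rule sets, one with the common "TCP port 47" mistake and one with a real GRE rule. Addresses are RFC 5737 documentation addresses and the packets are constructed in the block; the rule model is a deliberately simple stateless permit list, not any vendor's ACL syntax.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers. These live in the IP header's Protocol field and
# are unrelated to TCP/UDP port numbers, which live in the transport header.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int]  # None when the protocol has no ports (GRE, ESP, AH)
    dport: Optional[int]


def build_ipv4(src: str, dst: str, proto: int,
               sport: Optional[int] = None, dport: Optional[int] = None) -> bytes:
    """Construct a minimal IPv4 packet (constructed test data, checksum left zero)."""
    payload = b""
    if proto in (PROTO_TCP, PROTO_UDP):
        # Only the port pair matters for this example; pad the rest of the header.
        payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Parse the IPv4 header; read ports only for TCP/UDP."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)),
                  proto, sport, dport)


def classify_vpn(pkt: Packet) -> str:
    """Name the VPN component a packet belongs to, by protocol number or port."""
    ports = {pkt.sport, pkt.dport}
    if pkt.proto == PROTO_GRE:
        return "PPTP data (GRE, IP protocol 47)"
    if pkt.proto == PROTO_ESP:
        return "IPSec ESP (IP protocol 50)"
    if pkt.proto == PROTO_AH:
        return "IPSec AH (IP protocol 51)"
    if pkt.proto == PROTO_TCP and 1723 in ports:
        return "PPTP control (TCP 1723)"
    if pkt.proto == PROTO_UDP and 500 in ports:
        return "IKE (UDP 500)"
    if pkt.proto == PROTO_UDP and 1701 in ports:
        return "L2TP (UDP 1701) in the clear - with L2TP/IPSec this should be inside ESP"
    return "not VPN traffic"


@dataclass(frozen=True)
class Rule:
    """A permit rule: IP protocol number plus an optional destination port."""
    proto: int
    dport: Optional[int] = None  # None: any port, or the protocol has no ports


def permitted(pkt: Packet, rules: List[Rule]) -> bool:
    return any(r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport)
               for r in rules)


# The common mistake: opening "TCP port 47" instead of IP protocol 47.
WRONG_RULES = [Rule(PROTO_TCP, 1723), Rule(PROTO_TCP, 47)]
# Correct PPTP passthrough: TCP 1723 for control plus GRE for the tunnel data.
RIGHT_RULES = [Rule(PROTO_TCP, 1723), Rule(PROTO_GRE)]

# Constructed sample traffic from a client to a VPN server (RFC 5737 addresses).
CLIENT, SERVER = "203.0.113.5", "198.51.100.7"
SAMPLES = {
    "control": parse_ipv4(build_ipv4(CLIENT, SERVER, PROTO_TCP, 40000, 1723)),
    "gre": parse_ipv4(build_ipv4(CLIENT, SERVER, PROTO_GRE)),
    "esp": parse_ipv4(build_ipv4(CLIENT, SERVER, PROTO_ESP)),
    "ike": parse_ipv4(build_ipv4(CLIENT, SERVER, PROTO_UDP, 500, 500)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8} {classify_vpn(pkt):45} wrong={permitted(pkt, WRONG_RULES)} "
              f"right={permitted(pkt, RIGHT_RULES)}")
```

With the mistaken rule set the PPTP control connection on TCP 1723 is permitted but the GRE packets are dropped, which is exactly the "authenticates, then hangs" symptom; only the rule set that names IP protocol 47 passes both.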
What statements are required to allow a VPN inbound past my Cisco PIX?
Note: 1. x.x.x.x is the outside IP address. 2. If you use PIX 6.3(1), you also need to
enable fixup protocol pptp 1723 so that the PIX inspects the PPTP control channel and
permits the associated GRE stream through the translation.
What is Tunneling?
Tunneling is a mechanism for transferring data securely between two networks across an
untrusted one. The data is split into packets, encapsulated inside the tunneling protocol's
own packets and passed through the tunnel, so that intermediate routers see only the outer
IP header. With PPTP there are three layers of encapsulation: the PPP frame (encrypted with
MPPE) is wrapped in GRE, which is in turn wrapped in an IP packet addressed to the VPN
server. Tunneling can be done with the Point-to-Point Tunneling Protocol (PPTP) or with
L2TP, which relies on IPSec for its encryption.
More Differences
Connectivity
--NAS: Almost any machine that can connect to the LAN (or is interconnected to the LAN
through a WAN) can use the NFS, CIFS or HTTP protocol to connect to a NAS and share files.
--SAN: Only server-class devices with SCSI Fibre Channel can connect to the SAN. The Fibre
Channel of the SAN has a limit of around 10 km at best.
Addressing
--NAS: A NAS identifies data by file name and byte offsets, transfers file data or file
metadata (file owner, permissions, creation date, etc.), and handles security, user
authentication and file locking.
--SAN: A SAN addresses data by disk block number and transfers raw disk blocks.
Sharing
--NAS: A NAS allows greater sharing of information, especially between disparate operating
systems such as Unix and NT.
--SAN: File sharing is operating system dependent and does not exist in many operating
systems.
File System
--NAS: File system managed by the NAS head unit.
--SAN: File system managed by the servers.
Backups
--NAS: Backups and mirrors (using features like NetApp's Snapshots) are done on files, not
blocks, for a saving in bandwidth and time. A Snapshot can be tiny compared to its source
volume.
--SAN: Backups and mirrors require a block-by-block copy, even if blocks are empty. A mirror
machine must be equal to or greater in capacity than the source volume.
The Wires
--NAS uses TCP/IP Networks: Ethernet, FDDI, ATM (perhaps TCP/IP over Fibre Channel
someday)
--SAN uses Fibre Channel
The Protocols
--NAS uses TCP/IP and NFS/CIFS/HTTP
--SAN uses Encapsulated SCSI
The Five FSMO Roles
There are just five operations where the usual multiple-master model breaks down and the
Active Directory task must be carried out on only one domain controller. FSMO roles:
Schema Master and Domain Naming Master (one of each per forest); RID Master, PDC Emulator
and Infrastructure Master (one of each per domain).
• Firewall – the Firewall client is an extension to ISA Server that adds a set of
functions allowing it to compete with similar products on the IT market. With the
Firewall client, ISA Server can use Active Directory on Windows 2000 (or the SAM database
on NT) to apply security rules at the user or group level. This feature is not supported
by the majority of third-party products, which rely on separate user databases or on IP
addressing. Firewall functions are enhanced with so-called stateful packet inspection,
a solution for improved security in which data packets passing through the firewall
are intercepted and analyzed at the protocol or connection level.
• Policy-based administration – ISA Server lets administrators manage using predefined
policy rules. Policies can include a consistent set of rules regarding users, groups of
users, protocols, etc. A specific policy may apply to a single array or globally to the
whole enterprise. For businesses whose networks use Active Directory, multi-tiered
enterprise policies meet the need for a comprehensive IT system and make it easier to
manage the entire enterprise and its infrastructure.
• Virtual Private Network support – ISA Server provides an easy way to create VPN-based
networks. The wizards supplied with ISA Server help configure VPN tunneling and
activate the RRAS service if it is not already running.
• Dynamic IP filtering – depending on the security policy in use, an enterprise can
dynamically open firewall ports for authorized Internet users on a session-by-session
basis. This considerably simplifies the administrator's duties for applications that
frequently change ports while communicating with each other: the port is open only for
the authorized session instead of permanently.
• IDS (Intrusion Detection System) – Microsoft has equipped ISA Server with an intrusion
detection module purchased from Internet Security Systems, a leading developer of such
solutions. ISA therefore offers out-of-the-box detection of several well-known attacks,
including WinNuke, Ping of Death, Land, UDP bombs, POP buffer overflow and port scan
attacks. Once an attack has been detected and identified, ISA can either block the
attack or notify administrators about the event.
• Web cache – ISA Server provides fast Web caching. Administrators can have frequently
requested Web pages refreshed automatically, on a reverse-caching or scheduled-caching
basis.
• Reports – the major point of contrast between ISA and its predecessor, Proxy Server 2.0,
is that ISA offers numerous report-generating options. By scheduling report generation,
for example on users' actions or security-related events, managing ISA Server-based
networks becomes a simple task.
• H.323 Gatekeeper – this component allows ISA Server to manage IP telephony calls and
H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). A DNS SRV record
must be registered for the gatekeeper to be enabled.
• Client deployment – with the SecureNAT (Network Address Translation) feature, ISA Server
gives clients and servers transparent, secured access to the Internet with no need to
configure extra software on client machines. SecureNAT allows all traffic to be monitored
at the ISA Server.
Therefore, instead of being a simple product improvement, Microsoft Internet Security and
Acceleration Server fills a gap in Microsoft's range of products of this type and is an
aggressive entry into the mass-market sector for Web security and fast Web access.
Differential Backup: The backup software looks at which files have changed since
you last did a full backup, then creates copies of all the files that differ from
the ones in the full backup.
If you do a differential backup more than once, it copies all the files, or parts of
files, that have changed since the last full backup, even if you already have identical
copies of those files in a previous differential backup.
To restore all the data, you only need the last full backup and the last
differential backup. Differential backups are faster to create than a full backup and
need less storage than a full backup, but restoration is slower than from a full backup
alone.
Incremental Backup: The backup software creates copies of all the files, or parts
of files, that have changed since the previous backup of any type (full, differential or
incremental).
For example, if you did a full backup on Sunday, an incremental backup made on
Monday would only contain files changed since Sunday, an incremental backup
on Tuesday would only contain files changed since Monday, and so on. This method
is the fastest when creating a backup and needs the least storage space.
Restoring from incremental backups is the slowest because it may require several sets of
data to fully restore all the data. For example, if you had a full backup and six
incremental backups, restoring the data would require you to process the full backup and
all six incremental backups, in order; if any one set in the chain is missing or
unreadable, everything changed after it is lost.
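To make the difference between the two strategies concrete, here is an added example (not from the original page) that simulates a week of backups over a constructed set of four files: it computes what each day's differential or incremental set contains, which sets must be processed to restore, how many file copies each strategy wrote, and verifies that both chains reconstruct the same final state. File names, contents and the change schedule are all made up for the example.

```python
from typing import Dict, List

# Constructed example week: Sunday's full backup captures every file, and CHANGES
# records which files changed (with their new contents) on each later day.
FULL_BACKUP_DAY = "Sun"
FULL_STATE: Dict[str, str] = {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0", "d.txt": "d0"}
CHANGES: Dict[str, Dict[str, str]] = {
    "Mon": {"a.txt": "a1"},
    "Tue": {"b.txt": "b1"},
    "Wed": {"a.txt": "a2", "c.txt": "c1"},
}
DAYS: List[str] = ["Mon", "Tue", "Wed"]


def backup_contents(kind: str, days: List[str],
                    changes: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """What each day's backup set contains.

    differential: everything changed since the last FULL backup (cumulative)
    incremental:  only what changed since the PREVIOUS backup of any kind
    """
    sets: Dict[str, Dict[str, str]] = {}
    since_full: Dict[str, str] = {}
    for day in days:
        since_full.update(changes.get(day, {}))
        if kind == "differential":
            sets[day] = dict(since_full)
        elif kind == "incremental":
            sets[day] = dict(changes.get(day, {}))
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return sets


def restore_chain(kind: str, days: List[str], target_day: str) -> List[str]:
    """Which backup sets must be processed, in order, to restore to target_day."""
    idx = days.index(target_day)
    if kind == "differential":
        return [FULL_BACKUP_DAY, target_day]       # full + the latest differential only
    return [FULL_BACKUP_DAY] + days[:idx + 1]      # full + every incremental so far


def restore(kind: str, days: List[str], changes: Dict[str, Dict[str, str]],
            target_day: str) -> Dict[str, str]:
    """Apply the chain and return the reconstructed file contents."""
    sets = backup_contents(kind, days, changes)
    state = dict(FULL_STATE)
    for day in restore_chain(kind, days, target_day):
        if day != FULL_BACKUP_DAY:
            state.update(sets[day])                # later sets overwrite earlier ones
    return state


def files_stored(kind: str, days: List[str], changes: Dict[str, Dict[str, str]]) -> int:
    """Total file copies written across the week's partial backups (the storage cost)."""
    return sum(len(s) for s in backup_contents(kind, days, changes).values())


def expected_state(days: List[str], changes: Dict[str, Dict[str, str]],
                   target_day: str) -> Dict[str, str]:
    """Ground truth: the live file system as of target_day, for checking the restores."""
    state = dict(FULL_STATE)
    for day in days[: days.index(target_day) + 1]:
        state.update(changes.get(day, {}))
    return state


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, backup_contents(kind, DAYS, CHANGES),
              "restore:", restore_chain(kind, DAYS, "Wed"),
              "copies written:", files_stored(kind, DAYS, CHANGES))
```

The differential chain is always two sets long, at the price of re-copying every changed file each day (six copies here); the incremental chain writes only four copies but grows by one set per day, and `restore` has to replay all of them in order.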
RAM is the computer's working memory, holding the programs, processes and files currently
in use so that they can be accessed quickly. Retrieving data from RAM is far faster than
retrieving it from standard platter-style hard disks. As a computer system boots, it loads
many routines into RAM so that the system performs better. As the user opens programs, even
more RAM is consumed. Firewalls, antivirus programs and other software that runs in the
background also consume RAM.
An Introduction to Groups
A group is a collection of accounts gathered together so that administrators can assign
permissions and rights to the group as a single entity. This removes the need for an
administrator to assign permissions and rights to each account individually. While a user
account is associated with an individual, or one entity, a group account (or group) is
created to simplify the administration of multiple user accounts. When you grant
permissions to a group, all accounts that are members of that group receive those
permissions. Permissions control which actions users can perform on a network resource;
rights, on the other hand, relate to system tasks such as logging on locally or backing up
files.
Windows Server 2003 provides user accounts and group accounts (of which users can be
members). User accounts are designed for individuals. Group accounts are designed to make
the administration of multiple users easier. A group can contain:
• User accounts
• Computer accounts
• Contacts
• Members of other groups
• Other groups
You have to specify a group type and a group scope when you create a new group. Group types
and group scopes are discussed throughout the remainder of this article.
Group Types
You can create two types of groups in Active Directory, each used for a different
purpose. Security groups are created for security purposes, while distribution groups are
created for purposes other than security. Security groups are typically created for
assigning permissions, while distribution groups are usually created for distributing bulk
e-mail to users. The main difference between the two group types is therefore the manner in
which each is used. Active Directory does allow you to convert a security group to a
distribution group, and a distribution group to a security group, if the domain functional
level is Windows 2000 Native or above. Converting a security group to a distribution group
strips its SID from every ACL it appears in, so check what it protects first.
• Security groups: A security group is a collection of users who have the same permissions
to resources and the same rights to perform certain system tasks. These are the groups to
which you assign permissions so that their members can access resources. Security groups
therefore remove the need for an administrator to assign permissions to users
individually. Users that need to perform certain tasks can be placed in a security group,
which is then assigned the permissions needed to perform those tasks. Each member of the
group has the same permissions. In addition, any e-mail sent to a security group is
received by each member of that group. When a security group is created, it receives a SID.
It is this SID that enables permissions to be assigned to security groups: the SID can be
included in the DACL of a resource. An access token is created when a user logs on to the
system. The access token contains the SID of the user and the SIDs of the groups of which
the user is a member. This access token is referenced when the user attempts to access a
resource: the SIDs in the token are compared with the entries in the DACL of the resource
to determine which permissions the user should receive for the resource.
• Distribution groups: Distribution groups are created to share information with a group of
users through e-mail messages. Thus, a distribution group is not created for security
purposes, and it does not obtain a SID when it is created, so it can never appear in a
DACL. Distribution groups enable the same message to be sent to all group members
simultaneously; messages do not need to be sent to each user individually. Applications
such as Microsoft Exchange that work with Active Directory can use distribution groups to
send bulk e-mail to groups of users.
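The token-versus-DACL check described under security groups is worth seeing as an algorithm, because the ordering of deny and allow entries and the absence of a SID on distribution groups both decide the outcome. The following is an added example and not code from the original page: it builds an access token from a user SID plus the SIDs of the user's security groups (distribution groups contribute nothing), then evaluates a constructed DACL the way Windows does, walking the ACEs in order, stopping at the first deny that overlaps a still-unsatisfied right, and accumulating allow entries until the requested rights are covered. The SIDs, group names and share are all made up; owner and privilege shortcuts that the real AccessCheck applies are assumed away.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import FrozenSet, List, Optional


class Access(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Group:
    name: str
    sid: Optional[str]          # distribution groups carry no SID
    security: bool


@dataclass(frozen=True)
class ACE:
    """One entry of a DACL. Windows tools place deny ACEs ahead of allow ACEs."""
    sid: str
    mask: Access
    deny: bool = False


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: FrozenSet[str]


def build_token(user_sid: str, groups: List[Group]) -> Token:
    """Only security groups contribute SIDs; a distribution group can never grant access."""
    return Token(user_sid, frozenset(g.sid for g in groups if g.security and g.sid))


def access_check(token: Token, dacl: Optional[List[ACE]], desired: Access) -> bool:
    """Simplified Windows DACL evaluation (assumption: no owner or privilege shortcuts).

    A missing DACL (None) grants everyone; an empty DACL grants no one. ACEs are
    walked in order: the first deny overlapping a still-unsatisfied right wins, and
    allow ACEs accumulate rights until everything requested has been granted.
    """
    if dacl is None:
        return True
    principals = token.group_sids | {token.user_sid}
    remaining = desired
    for ace in dacl:
        if ace.sid not in principals:
            continue
        if ace.deny:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if not remaining:
                return True
    return not remaining


# Constructed directory: the SIDs are illustrative, not real domain SIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SALES = Group("Sales", f"{DOMAIN}-1105", security=True)
CONTRACTORS = Group("Contractors", f"{DOMAIN}-1106", security=True)
ALL_STAFF = Group("AllStaff", None, security=False)      # distribution group, no SID
ALICE, BOB, CAROL = f"{DOMAIN}-1201", f"{DOMAIN}-1202", f"{DOMAIN}-1203"

# DACL on a hypothetical Sales share: contractors are explicitly denied write,
# Sales is allowed read and write. The deny entry comes first, as Windows orders it.
SALES_SHARE_DACL = [
    ACE(CONTRACTORS.sid, Access.WRITE, deny=True),
    ACE(SALES.sid, Access.READ | Access.WRITE),
]


def demo() -> dict:
    alice = build_token(ALICE, [SALES, ALL_STAFF])
    bob = build_token(BOB, [SALES, CONTRACTORS, ALL_STAFF])
    carol = build_token(CAROL, [ALL_STAFF])                # distribution group only
    return {
        "alice_read_write": access_check(alice, SALES_SHARE_DACL, Access.READ | Access.WRITE),
        "bob_read": access_check(bob, SALES_SHARE_DACL, Access.READ),
        "bob_write": access_check(bob, SALES_SHARE_DACL, Access.WRITE),
        "carol_read": access_check(carol, SALES_SHARE_DACL, Access.READ),
        "carol_empty_dacl": access_check(carol, [], Access.READ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18} {'granted' if result else 'denied'}")
```

Carol is a member of AllStaff, but because it is a distribution group her token carries no SID for it and she is refused; Bob reads through Sales but the deny ACE for Contractors blocks his write even though Sales is allowed it.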
Group Scopes
The different group scopes make it possible to use groups differently when assigning
permissions for accessing resources. The scope of a group defines where in the network
the group can be used, or is valid: the degree to which the group can reach across a
domain, domain tree or forest. The group scope also determines which accounts and groups
can be included as group members.
• Global groups: Global groups collect accounts from the domain in which they are created.
They can be granted permissions to resources in any domain in the forest, and can be
nested into domain local and universal groups anywhere in the forest. The domain
functional level set for the domain determines which members can be included in a global
group.
o Windows 2000 Mixed: Only user accounts and computer accounts from the
domain in which the group was created can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, and other global groups from the domain in which the group was
created can be added as group members.
• Domain local groups: Domain local groups can have user accounts, computer accounts,
global groups, and universal groups from any domain as group members. However, you
can only use domain local groups to assign permissions to local resources, or to
resources that reside in the domain in which the domain local group was created. This
means that you can only include domain local groups in the ACLs of objects that are
located in the local domain.
The domain functional level set for the domain determines which members can be
included in a domain local group.
o Windows 2000 Mixed: User accounts, computer accounts, and global groups from
any domain can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, global groups, and universal groups from any domain can be added as
group members. You can also add other domain local groups from the same
domain as group members.
• Universal groups: Universal groups can have user accounts, computer accounts, global
groups, and other universal groups from any domain in the tree or forest as members.
This means that you can add members from any domain in the forest to a
universal group. You can use universal groups to assign permissions to resources
located in any domain in the forest. Universal groups are only available when the
domain functional level for the domain is Windows 2000 Native or Windows Server
2003; they are not available when the domain is functioning at the Windows
2000 Mixed domain functional level. You can convert a universal group to a global group
or to a domain local group if the particular universal group has no other universal group
as a member. Universal group membership is stored in the global catalog, so every change
to it is replicated forest-wide; when adding members to universal groups, it is therefore
recommended to add global groups as members rather than individual users.
When groups contain other groups as members, group nesting occurs. Group nesting reduces
the number of places where you need to assign permissions and reduces replication traffic.
As mentioned previously, the domain functional level set for the domain determines what
group nesting can be implemented, as described under each scope above.
The scope of a group can be changed as well. You can use the Active Directory Users And
Computers (ADUC) console to view and modify the scope of an existing group. The command
line can also be used: dsget group shows the current scope and dsmod group with the -scope
option changes it. The rules that govern this capability are summarized below:
• You can convert domain local groups and global groups to universal groups.
• You can convert universal groups to domain local groups or to global groups.
• You cannot convert domain local groups to global groups.
• You cannot convert global groups to domain local groups (go through universal instead).
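The membership rules per functional level and the conversion rules above interact: a conversion is refused exactly when it would leave some group containing a member its new scope does not allow. The following is an added example, not code from the original page, that encodes both rule sets as a validator and runs a constructed two-domain scenario through it. The domain names, group names and nesting are made up; the two conversion restrictions not spelled out on the page (a global group nested in another global group cannot become universal, and a domain local group containing another domain local group cannot become universal) follow directly from the membership rules, since neither a global nor a universal group may contain those member kinds.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MIXED, NATIVE = "Windows 2000 Mixed", "Windows 2000 Native / Windows Server 2003"


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                                   # "user", "computer" or "group"
    scope: Optional[str] = None                 # "global", "domain local", "universal"
    members: List["Principal"] = field(default_factory=list)


def can_add_member(level: str, group: Principal, member: Principal) -> bool:
    """Membership rules by group scope and domain functional level."""
    same_domain = member.domain == group.domain
    is_account = member.kind in ("user", "computer")
    mscope = member.scope
    if group.scope == "global":
        if is_account:
            return same_domain                  # accounts from the group's own domain only
        return level == NATIVE and mscope == "global" and same_domain
    if group.scope == "domain local":
        if is_account or mscope == "global":
            return True                         # from any domain, at either level
        if mscope == "universal":
            return level == NATIVE
        return level == NATIVE and mscope == "domain local" and same_domain
    if group.scope == "universal":
        if level != NATIVE:
            return False                        # universal groups need native mode
        return is_account or mscope in ("global", "universal")
    raise ValueError(f"unknown scope {group.scope!r}")


def can_convert(group: Principal, new_scope: str, all_groups: List[Principal]) -> bool:
    """Scope conversion rules; False when the result would violate a membership rule."""
    old = group.scope
    if old == new_scope:
        return True
    containers = [g for g in all_groups if group in g.members]
    if new_scope == "universal":
        if old == "global":
            # A global group may contain only global groups, so this group must not
            # currently sit inside another global group.
            return not any(c.scope == "global" for c in containers)
        if old == "domain local":
            # A universal group cannot contain domain local groups.
            return not any(m.scope == "domain local" for m in group.members)
    if old == "universal":
        if new_scope == "global":
            return not any(m.scope == "universal" for m in group.members)
        if new_scope == "domain local":
            return True
    return False                                # global <-> domain local is never direct


def demo() -> dict:
    corp, europe = "corp.example", "europe.corp.example"     # constructed domains
    alice = Principal("alice", corp, "user")
    sales = Principal("Sales", corp, "group", "global", members=[alice])
    sales_eu = Principal("Sales-EU", europe, "group", "global")
    sales_all = Principal("Sales-All", corp, "group", "universal", members=[sales, sales_eu])
    share_acl = Principal("SalesShare-Modify", corp, "group", "domain local")
    groups = [sales, sales_eu, sales_all, share_acl]
    return {
        "eu_global_into_corp_global": can_add_member(NATIVE, sales, sales_eu),
        "global_into_global_mixed": can_add_member(MIXED, sales, Principal("x", corp, "group", "global")),
        "universal_into_domain_local_native": can_add_member(NATIVE, share_acl, sales_all),
        "universal_into_domain_local_mixed": can_add_member(MIXED, share_acl, sales_all),
        "universal_to_global": can_convert(sales_all, "global", groups),
        "global_to_domain_local": can_convert(sales, "domain local", groups),
        "global_to_universal": can_convert(sales, "universal", groups),
        "domain_local_to_global": can_convert(share_acl, "global", groups),
    }


if __name__ == "__main__":
    for rule, allowed in demo().items():
        print(f"{rule:36} {'allowed' if allowed else 'refused'}")
```

Sales-All can become a global group because both of its members are global groups; Sales can become universal because it is nested only in a universal group; neither global-to-domain-local nor domain-local-to-global is ever a direct conversion.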
If you are using Windows Server 2003 Active Directory, Windows Server 2003 creates a few
default security groups that are used to assign administrative permissions to users. The
default security groups are created in the Users container in Active Directory Users And
Computers (ADUC).
• The default domain local groups that are created are listed below:
o Cert Publishers: Members of this group are able to publish certificates to Active
Directory.
o DnsAdmins: Group members have administrative access to the DNS Server
service.
o HelpServicesGroup: Group for the Help and Support Center; members are granted the
rights that support applications need.
o RAS and IAS Servers: Servers in this group can read users' remote access
properties.
o TelnetClients: Group members are allowed to connect to the Telnet Server service.
• The default global groups that are created are listed below:
o Domain Admins: Members of the Domain Admins group have permissions to
perform administrative functions on computers in the domain; the group is placed in the
local Administrators group of every computer that joins the domain.
o Domain Users: Group members are the user accounts created in the domain.
o Domain Computers: Group members are the computer accounts created in the
domain. This includes all workstations and servers that are part of the domain.
o Domain Controllers: Group members are the domain controllers of the domain.
o Domain Guests: Group members are the guest accounts in the domain.
o Group Policy Creator Owners: Group members are able to create and modify Group
Policy objects in the domain.
o DnsUpdateProxy: Group members are DNS clients that perform dynamic updates on
behalf of other clients, such as DHCP servers.
• The default universal groups that are created are listed below:
o Enterprise Admins: Members of this group are able to perform administrative
functions for the whole forest.
o Schema Admins: Members of this group can perform administrative tasks on the
schema.
When formulating a strategy for setting up domain local groups and global groups, follow
the guidelines listed below (often summarized as AGDLP: Accounts into Global groups, into
Domain Local groups, which get the Permissions):
• Add users that perform the same function in the organization to a global
group.
• Create domain local groups for each resource (or set of resources) that needs to be
shared by multiple users.
• Add any global groups that have to access the resource(s) to the
appropriate domain local group.
• Assign the domain local group the proper permissions on the resource.
In addition to the group scopes mentioned above, another kind of group, a local group, can
be created. A local group is used on the local computer to assign permissions to resources
located on the computer on which the particular local group is created. Local groups are
created in the local security database (the SAM) and are not present in Active Directory.
Since domain controllers have no local SAM accounts database, you cannot create local
groups on domain controllers.
During an interactive domain logon, the domain controller authenticates the user by
validating the user's identity and then enumerates all the groups the user belongs to,
because those group SIDs go into the user's access token. Universal group memberships are
held only in the global catalog, so the authenticating domain controller must contact a
global catalog server to complete the token; without one, the logon cannot be completed
(unless universal group membership caching is enabled, or the user is a domain
administrator). It is therefore best to have at least one global catalog server in every
Active Directory site, so the authenticating domain controller does not need to send these
queries over a WAN connection.
Replication Sequence
Terms:
• Latency - The time required for an update to be completed
throughout all domain controllers in the domain or forest.
• Convergence - The state in which all domain controllers have the
same replica contents of the Active Directory database.
• Loose consistency - The state in which changes to the
database have not yet been replicated to all domain controllers
(not converged).
If no changes have been performed in six hours, replication is performed anyway to make
sure no information has been missed.
Each replicated update carries:
• The updated object and attribute.
• The GUID (invocation ID) and USN of the domain controller that made the originating
update.
• The local USN assigned to the update on the domain controller that stores it.
Replication Path
The path that replicated Active Directory data travels through an enterprise is called
the replication topology. Connection objects define the replication paths between domain
controllers. By default, Active Directory sets up a two-way ring replication path. Data
can travel in both directions around the ring, which provides redundancy and reliability.
Two types of replication occur in the path:
The Knowledge Consistency Checker (KCC), running on every domain controller, generates the
replication topology by specifying which domain controllers replicate to which other
domain controllers in the site. The KCC maintains a list of connections, the replication
topology, to other domain controllers in the site. The KCC ensures that changes to any
object are replicated to all domain controllers in the site and that an update travels
over no more than three connections (hops). An administrator can also configure
connection objects manually.
The KCC uses the information provided by the administrator about sites and subnets to
automatically build the Active Directory replication topology.
Propagation Dampening
Each domain controller keeps a high-water mark for every replication partner: the highest
USN it has received from that partner. A replication request carries this high-water
mark, and the source sends only changes with a higher local USN. If the high-water mark
received from the requesting server already equals the source's current USN, the source
has nothing new and sends no data. The usnChanged attribute on an object is the local USN
the object received when it was last modified on that domain controller, so filtering on
usnChanged is how the source finds "everything since the high-water mark". Because the
same originating change can reach a domain controller by several routes around the ring,
each domain controller also keeps an up-to-dateness vector (the highest originating USN it
has seen from each originating domain controller); a change whose originating USN is
already covered by that vector is not applied again. That suppression is propagation
dampening.
Replication Partitions
Active Directory data is stored in categories called partitions:
• Schema partition - Defines the rules for object creation and modification for all
objects in the forest. Replicated to all domain controllers in the forest, so it is known
as an enterprise partition.
• Configuration partition - Holds information about the forest directory structure,
including trees, domains, domain trust relationships, and sites (groups of TCP/IP
subnets). Replicated to all domain controllers in the forest, so it is also known
as an enterprise partition.
• Domain partition - Holds complete information about all domain objects
(objects that are part of the domain, including OUs, groups, users and others).
Replicated only to domain controllers in the same domain.
o Partial domain directory partition - Held by global catalog servers: a list of all
objects in every domain of the forest with a partial set of attributes for each object.
All of these partitions are replicated between domain controllers by Active Directory;
different partitions may be replicated between different replication partners.
Replication Conflict
A replication conflict occurs when changes are made to the same object and attribute on
two domain controllers before the changes can be replicated to all domain controllers'
copies of the database. To resolve conflicts, additional data (metadata) is stored for
each object attribute, unrelated to the USN: an attribute version number, the timestamp of
the originating write, and the GUID of the domain controller that made the originating
write.
When an Active Directory database update is received on a domain controller, one of the
following happens:
• If the incoming attribute version number is higher than the current version
number on the controller, the new value of the attribute is stored and the
version number is updated.
• If the incoming attribute version number and the stored attribute version number
are the same, the timestamps are used to resolve the conflict: the later write wins.
• If both version numbers and both timestamps are the same, the update
from the controller with the highest GUID is used.
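The three-step tie-break above, together with the high-water mark described under Propagation Dampening, can be exercised in a small simulation. The following is an added example and not code from the original page: two domain controllers each write the same attribute before replicating, pull from each other, and converge on the same value; a later write then wins on version number even though the originating clock is behind. The GUIDs are constructed strings compared lexicographically (real invocation IDs are 128-bit values compared numerically), timestamps are plain integers, and the up-to-dateness vector is left out so that only the high-water mark and the stamp comparison are shown.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Stamp:
    """Attribute metadata carried with every replicated value."""
    version: int          # incremented on each originating write of the attribute
    timestamp: int        # originating time in seconds, used only to break version ties
    originating_dsa: str  # invocation ID (constructed string) of the originating DC

    def beats(self, other: "Stamp") -> bool:
        """Conflict resolution: version, then timestamp, then DSA GUID; higher wins."""
        return (self.version, self.timestamp, self.originating_dsa) > \
               (other.version, other.timestamp, other.originating_dsa)


Key = Tuple[str, str]                           # (object, attribute)
Entry = Tuple[str, Stamp, int]                  # (value, stamp, local USN)


@dataclass
class DomainController:
    guid: str
    usn: int = 0                                # local update sequence number
    attrs: Dict[Key, Entry] = field(default_factory=dict)
    high_water: Dict[str, int] = field(default_factory=dict)  # source GUID -> highest USN pulled

    def originate(self, obj: str, attr: str, value: str, now: int) -> Stamp:
        """An originating write: bump the attribute version and take a new local USN."""
        cur = self.attrs.get((obj, attr))
        stamp = Stamp((cur[1].version + 1) if cur else 1, now, self.guid)
        self.usn += 1
        self.attrs[(obj, attr)] = (value, stamp, self.usn)
        return stamp

    def changes_since(self, usn: int) -> List[Tuple[Key, Entry]]:
        """Everything whose local USN (usnChanged) is above the partner's high-water mark."""
        return sorted(((k, e) for k, e in self.attrs.items() if e[2] > usn),
                      key=lambda ke: ke[1][2])

    def apply_replicated(self, key: Key, value: str, stamp: Stamp) -> bool:
        """Store an inbound value only if its stamp wins; losers and repeats are dropped."""
        cur = self.attrs.get(key)
        if cur is not None and not stamp.beats(cur[1]):
            return False
        self.usn += 1
        self.attrs[key] = (value, stamp, self.usn)
        return True

    def pull_from(self, source: "DomainController") -> int:
        """Pull all changes above the high-water mark kept for this source."""
        hwm = self.high_water.get(source.guid, 0)
        applied = 0
        for key, (value, stamp, src_usn) in source.changes_since(hwm):
            applied += int(self.apply_replicated(key, value, stamp))
            hwm = max(hwm, src_usn)
        self.high_water[source.guid] = hwm
        return applied

    def value(self, obj: str, attr: str) -> str:
        return self.attrs[(obj, attr)][0]


def demo() -> Dict[str, object]:
    dc1 = DomainController("1111-dc1")
    dc2 = DomainController("2222-dc2")
    # Both DCs change the same attribute in the same second before replicating: equal
    # version and timestamp, so the higher originating DSA GUID (dc2) must win everywhere.
    dc1.originate("jdoe", "telephoneNumber", "111", now=100)
    dc2.originate("jdoe", "telephoneNumber", "222", now=100)
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    after_conflict = (dc1.value("jdoe", "telephoneNumber"), dc2.value("jdoe", "telephoneNumber"))
    # A later write on dc1 carries version 2 and wins even though dc1's clock is behind.
    dc1.originate("jdoe", "telephoneNumber", "333", now=50)
    dc2.pull_from(dc1)
    after_v2 = dc2.value("jdoe", "telephoneNumber")
    # Nothing above the high-water mark: a repeated pull applies no changes.
    dampened = dc2.pull_from(dc1)
    return {"after_conflict": after_conflict, "after_v2": after_v2, "dampened": dampened}


if __name__ == "__main__":
    print(demo())
```

Note that the value dc1 accepted from dc2 is re-sent to dc2 on the return pull (it has a new local USN on dc1), but dc2 drops it because the stamp does not beat its own identical one; in a real forest the up-to-dateness vector stops that resend before it is even transmitted.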
In Windows 2000, the SYSVOL share holds the files every domain controller needs to serve
logons: logon scripts and the file-based part of Group Policy (Group Policy templates),
replicated to all domain controllers in the domain. The File Replication Service (FRS)
replicates the SYSVOL share, following the same connection objects and schedule as Active
Directory replication, which are managed in the "Active Directory Sites and Services" tool.
Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside the site
should be connected by high-speed network links. Replication between two sites may need to be
sent over a slower WAN link or leased line. Intrasite replication data is sent uncompressed.
Site replication is done using Remote Procedure Call (RPC). If a change is made, replication
occurs within five minutes, and replication is done every six hours if no changes were made.
Domain controllers that receive updates replicate that information to other domain controllers on
their route list. All changes are therefore completed within a site within 15 minutes since there
can only be three hops.
The topology used here is the ring topology talked about earlier, and this replication is
automatically set up by Active Directory, but may be modified by an administrator.
DNS Replication
The DNS IP address and computer name are stored in Active Directory for Active Directory
integrated DNS zones and replicated to all local domain controllers. DNS information is not
replicated to domain controllers outside the domain.
Intersite Replication
Replication Management
The administrative tool, "Active Directory Sites and Services", is used to manage Active
Directory replication. Replication data is compressed before being sent to minimize bandwidth
use. There are two protocols used to replicate AD:
• Normally Remote Procedure Call (RPC) is used to replicate data and is
always used for intrasite replication since it is required to support the FRS.
RPC depends on IP (internet protocol) for transport.
• Simple Mail Transfer Protocol (SMTP) may be used for replication
between sites.
SMTP can't replicate the domain partition, however. Therefore the remote site would need to be
in another domain to be able to effectively use SMTP for carrying replication data.
Bridgehead server - A domain controller that is used to send replication information to one or
more other sites.
Flexible Single Master Operations (FSMO) (discussed in an earlier section) can be transferred
manually to various domain controllers. Roles and tools used to transfer are:
Any master role can be transferred by using the command line program, ntdsutil.exe. When a
server performing a master role fails and goes offline, you can perform "seizing master
operations" to have another server perform that role. Only the ntdsutil.exe program can perform
this function. Commands include:
Schema Cache
A schema cache, which is a copy of the schema in memory, can be used to speed up schema
queries but should be used sparingly due to the high memory requirements. If the
schemaUpdateNow attribute is added to the RootDSE, a schema cache update is done
immediately. Normally the schema cache is loaded into memory when the system boots and
updated every five minutes.
Replication provides access to users and services at any time from any computer in the
domain and in the forest. Replication of information occurs by category, and these categories are
called directory partitions. There are four types of directory partitions:
1. Schema Partition
2. Configuration Partition
3. Domain Partition
4. Application Directory partition
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain
controllers in a forest. The schema partition contains descriptions of all objects and attributes that
you can create in the directory, and the rules for creating and manipulating them. Schema
information, including the attribute definitions, is replicated to all domain controllers.
Configuration Partition
There is only one configuration partition per forest. This partition contains information about the
AD structure/topology, the names and number of domain controllers in each forest, and the domain and
site structure. Configuration information is replicated to all domain controllers in a forest.
Application Partition
Application partitions store application-specific information in Active Directory. Unlike a domain
partition, an application partition cannot store security principal objects, such as user accounts.
In addition, the data in an application partition is not stored in the global catalog.
As an example of application partition, if you use a Domain Name System (DNS) that is
integrated with Active Directory you have two application partitions for DNS zones --
ForestDNSZones and DomainDNSZones:
Share permissions are the permissions you set for a folder when you share that folder. The share
permissions determine the type of access others have to the shared folder across the network.
There are three types of share permissions: Full Control, Change, and Read.
NTFS permissions determine the actions users can take on a folder or file, both across the network
and locally. Unlike share permissions, NTFS permissions offer several other permissions besides
Full Control, Change, and Read that can be set for groups or individually. The most restrictive
permission applies when share and NTFS permissions conflict.
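The "most restrictive applies" rule is easy to misread, because within each layer the permissions a user gets from several groups are cumulative; only the result of the share layer and the result of the NTFS layer are then combined by taking what both allow. The Python below is an added example (not code from the original page and not how Windows evaluates an ACL) that models that evaluation: share levels are mapped to a small constructed set of rights, a user's group memberships are collected across both ACLs, NTFS deny entries are subtracted from NTFS allows, and network access is the intersection of the two layers while local access uses NTFS alone. Group names, the right names and the sample ACLs are all constructed for the example.

```python
# Constructed, simplified right names; real NTFS has more granular rights than these.
SHARE_LEVELS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": frozenset({"read", "write", "delete", "change_permissions", "take_ownership"}),
}


def share_rights(user_groups: frozenset, share_acl: dict) -> set:
    """Share permissions are cumulative: the union of the levels granted to any of the user's groups."""
    rights = set()
    for principal, level in share_acl.items():
        if principal in user_groups:
            rights |= SHARE_LEVELS[level]
    return rights


def ntfs_rights(user_groups: frozenset, ntfs_acl: list) -> set:
    """NTFS allows are cumulative too, but any matching Deny entry removes the denied rights.

    Simplification: explicit Deny always beats Allow here; real evaluation also depends on
    inheritance and ACE ordering.
    """
    allow, deny = set(), set()
    for principal, kind, rights in ntfs_acl:
        if principal not in user_groups:
            continue
        (allow if kind == "Allow" else deny).update(rights)
    return allow - deny


def effective_rights(user_groups: frozenset, share_acl: dict, ntfs_acl: list,
                     via_network: bool = True) -> frozenset:
    """Rights the user ends up with on the folder.

    Over the network both layers apply, so the result is what BOTH allow (the most restrictive).
    Logged on locally, share permissions do not apply and NTFS alone decides.
    """
    local = ntfs_rights(user_groups, ntfs_acl)
    if not via_network:
        return frozenset(local)
    return frozenset(share_rights(user_groups, share_acl) & local)


# Constructed sample ACLs for a shared folder.
SHARE_ACL = {"Everyone": "Read", "Finance": "Change"}
NTFS_ACL = [
    ("Domain Users", "Allow", {"read"}),
    ("Finance", "Allow", {"read", "write", "delete", "change_permissions"}),
    ("Contractors", "Deny", {"write", "delete"}),
    ("Everyone", "Deny", {"take_ownership"}),
]

# Constructed sample users, expressed as their group memberships.
PLAIN_USER = frozenset({"Everyone", "Domain Users"})
FINANCE_USER = frozenset({"Everyone", "Domain Users", "Finance"})
FINANCE_CONTRACTOR = frozenset({"Everyone", "Domain Users", "Finance", "Contractors"})

if __name__ == "__main__":
    for name, groups in [("plain", PLAIN_USER), ("finance", FINANCE_USER),
                         ("contractor", FINANCE_CONTRACTOR)]:
        print(name, "network:", sorted(effective_rights(groups, SHARE_ACL, NTFS_ACL)),
              "local:", sorted(effective_rights(groups, SHARE_ACL, NTFS_ACL, via_network=False)))
```

The finance user has change_permissions in NTFS but loses it over the network because the share only grants Change; this is the conflict the paragraph describes, and it is why an audit of who can modify a shared folder has to read both ACLs rather than either one alone.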
Subnetting is the process of breaking a network into smaller units. These units are called
subnets. Here a subnet could be several machines in a single LAN. Networks using IP can create
sub-networks of logical addresses. Within every IP address, some of the bits of the machine
(host) portion can be used to identify a specific subnet. The IP address then contains three parts: the network
number, the subnet number, and the machine number.
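To make the three-part split concrete, the following Python is an added example (not code from the original page) that takes an address and a subnet mask length, determines the classful network number, and separates the borrowed subnet bits from the remaining host bits, using only the standard library ipaddress module. It generalises the paragraph slightly by also listing every subnet the classful network is divided into. The sample addresses are constructed for the example.

```python
import ipaddress

# Default (classful) network prefix length for each address class.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: ipaddress.IPv4Address) -> str:
    """Return the classful class (A, B or C) of a unicast IPv4 address."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{addr} is a class D/E address and is not subnetted")


def split_address(ip: str, prefix_len: int) -> dict:
    """Split an address into network number, subnet number and host (machine) number.

    prefix_len is the subnet mask length in bits (e.g. 20 for 255.255.240.0).
    """
    addr = ipaddress.IPv4Address(ip)
    cls = address_class(addr)
    net_bits = CLASSFUL_PREFIX[cls]
    if not net_bits <= prefix_len <= 30:
        raise ValueError(f"/{prefix_len} is not a usable subnet mask for a class {cls} network")
    subnet_bits = prefix_len - net_bits   # bits borrowed from the host field
    host_bits = 32 - prefix_len           # bits left to number machines
    value = int(addr)
    network_number = value >> (32 - net_bits)
    subnet_number = (value >> host_bits) & ((1 << subnet_bits) - 1)
    host_number = value & ((1 << host_bits) - 1)
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return {
        "class": cls,
        "network": str(ipaddress.IPv4Address(network_number << (32 - net_bits))),
        "mask": str(ipaddress.IPv4Address(mask)),
        "subnet_bits": subnet_bits,
        "subnet_number": subnet_number,
        "subnet_address": str(ipaddress.IPv4Address((value >> host_bits) << host_bits)),
        "host_bits": host_bits,
        "host_number": host_number,
        "subnets_available": 1 << subnet_bits,
        "usable_hosts_per_subnet": (1 << host_bits) - 2,  # network and broadcast excluded
    }


def list_subnets(ip: str, prefix_len: int) -> list:
    """Enumerate every subnet the classful network containing `ip` is divided into."""
    info = split_address(ip, prefix_len)
    classful = ipaddress.IPv4Network(f"{info['network']}/{CLASSFUL_PREFIX[info['class']]}")
    return [str(net) for net in classful.subnets(new_prefix=prefix_len)]


if __name__ == "__main__":
    # Constructed sample: a class B address with four subnet bits borrowed.
    for key, val in split_address("172.16.5.130", 20).items():
        print(f"{key:>24}: {val}")
    print(list_subnets("192.168.1.77", 26))
```

For 172.16.5.130/20 the network number is the class B network 172.16.0.0, the four borrowed bits give subnet number 0 (subnet address 172.16.0.0), and the remaining twelve bits give machine number 1410, with 4094 usable host addresses per subnet.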