25. DECUS Symposium, 16.04.2002

Windows.NET Beta 3
Active Directory New Features

Wolfgang Werner, Compaq
Decus Bonn 2002
http://www.decus.de

Agenda
• Install Replica from Media
• Domain Controller Rename
• Domain Rename
• Universal Group Membership Caching
• Linked Value Replication
• Forest Trusts
• Application Directory Partitions
• Defunct Schema Objects
• InetOrgPerson
Install Replica from Media
• Problem: installing a Domain Controller at a site with a slow network connection
• Windows 2000 replicates a complete copy of the Active Directory database, and possibly the Global Catalog, over the network

Install Replica from Media
• Windows.NET Server allows loading the Active Directory database from a backup of an existing Domain Controller or Global Catalog server
  – Back up the system state of an existing DC
  – Restore the system state to an alternate location on the target server
Install Replica from Media
• Run DCPROMO in Advanced Mode
  – DCPROMO /ADV

Install Replica from Media
• Network connectivity is still required for up-to-date information
  – Changes made to the AD database since the backup, and SYSVOL folder updates, are still replicated over the network
• Restrictions
  – The backup cannot be older than the tombstone lifetime (default 60 days); an older copy would reintroduce objects that have already been deleted everywhere else (lingering objects)
  – Application directory partitions will not be restored
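The tombstone-lifetime restriction is the one that silently breaks a restore-from-media promotion, so it is worth checking before DCPROMO /ADV is started. The following PowerShell script is an added example and not part of the original slides: it reads the forest's tombstoneLifetime from the Directory Service object (unset means the 60-day default) and refuses to continue when the backup is too old. The backup timestamp is an assumed parameter value; in practice it comes from the backup catalog.

```powershell
# Added example, not part of the original slides. Before promoting from restored
# media, compare the age of the system-state backup with the forest's tombstone
# lifetime; a backup older than that must not be used. The backup time is passed
# in (assumed value below); the tombstoneLifetime attribute is read from the forest.
param(
    [datetime]$BackupTime = (Get-Date).AddDays(-45)   # assumption: when the system state was taken
)

# tombstoneLifetime lives on the Directory Service object in the configuration partition.
# It is unset in a default Windows 2000 / Windows.NET forest, which means 60 days.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl = $dsObject.Properties['tombstoneLifetime'].Value
if ($null -eq $tsl) { $tsl = 60 }

$ageDays = [int]((Get-Date) - $BackupTime).TotalDays
if ($ageDays -ge $tsl) {
    throw "Backup is $ageDays days old but the tombstone lifetime is $tsl days; take a fresh system-state backup instead."
}
Write-Host "Backup is $ageDays days old, tombstone lifetime is $tsl days: safe to restore it and run DCPROMO /ADV"
```

Run it on the target server, joined to the domain, as the account that will perform the promotion. Keep in mind that the restored system state contains the complete NTDS.DIT, including every password hash in the domain, so the backup media needs the same protection as the DC itself, and the alternate restore location should be wiped once the promotion has completed.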
Domain Controller Rename
• In Windows 2000 a domain controller (DC) can't be renamed
• In Windows.NET DCs can be renamed without being demoted first
• The new name is automatically updated in DNS and Active Directory
Domain Controller Rename
• No Explorer-like GUI; the rename is a command-line procedure
• Procedure:
  – Add a new name
  – Wait for the new name to propagate through the network
  – Remove the old name

Domain Controller Rename
• Add the new name
  – NETDOM COMPUTERNAME oldname /ADD:newname
• Wait for replication of
  – the DNS host (A) records
  – the servicePrincipalName attribute to all DCs in the domain and all Global Catalog servers in the forest
Domain Controller Rename
• Update the computer account in AD
  – NETDOM COMPUTERNAME oldname /MAKEPRIMARY:newname
• Reboot
• Wait for replication of the DNS Locator resource records
  – Defined in system32\config\netlogon.dns

Domain Controller Rename
• Remove the old name
  – NETDOM COMPUTERNAME newname /REMOVE:oldname
  – Removes the old DNS host (A) records
  – Removes the old name in Active Directory
• Change "Computer Name" in the System Control Panel
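The "wait for replication" steps are where this procedure goes wrong in practice: if /MAKEPRIMARY or /REMOVE runs before every DC has the new A record and SPN, Kerberos authentication to the renamed DC fails from whichever clients still resolve the old data. The following PowerShell script is an added example, not code from the original slides. It wraps the three NETDOM steps as phases and, before each, asks every DC of the domain directly (LDAP against that DC, DNS against that DC) whether the previous step has replicated. Names (dc01.corp.example, dc01-new.corp.example, corp.example) are hypothetical, and it assumes every DC is also a DNS server for the domain zone.

```powershell
# Added example (not from the original slides): run the three NETDOM phases of a
# DC rename, and before each step verify that the previous one has replicated.
# Assumed (hypothetical) names: old name dc01.corp.example, new name dc01-new.corp.example.
# Run it on the DC being renamed, as a Domain Admin; reboot between MakePrimary and Remove.
param(
    [Parameter(Mandatory)][ValidateSet('Add','MakePrimary','Remove')][string]$Phase,
    [string]$OldName = 'dc01.corp.example',      # assumption
    [string]$NewName = 'dc01-new.corp.example',  # assumption
    [string]$Domain  = 'corp.example'            # assumption
)

# Every DC of the domain: computer objects with the SERVER_TRUST_ACCOUNT bit (0x2000) set.
function Get-DomainDCs {
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$s.PropertiesToLoad.Add('dNSHostName')
    $s.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }
}

# Ask one DC directly (LDAP://<dc>/...) whether HOST/<new name> has reached its replica;
# a query against "any DC" would not tell us which replicas are still stale.
function Test-SpnOnDC([string]$dc, [string]$name) {
    $root = [ADSI]"LDAP://$dc/RootDSE"
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/$($root.defaultNamingContext)")
    $s.Filter = "(servicePrincipalName=HOST/$name)"
    $null -ne $s.FindOne()
}

# Assumes every DC is also a DNS server for the domain zone (common, not guaranteed).
function Test-RecordOnDC([string]$dc, [string]$name, [string]$type) {
    $r = Resolve-DnsName -Name $name -Type $type -Server $dc -DnsOnly -ErrorAction SilentlyContinue
    $null -ne $r
}

# Poll all DCs until the check passes on every one of them, or give up.
function Wait-Replicated([scriptblock]$check, [string]$what, [int]$timeoutMin = 60) {
    $deadline = (Get-Date).AddMinutes($timeoutMin)
    do {
        $stale = Get-DomainDCs | Where-Object { -not (& $check $_) }
        if (-not $stale) { Write-Host "$what replicated to all DCs"; return }
        Write-Host "$what not yet on: $($stale -join ', '); waiting"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "$what did not replicate everywhere within $timeoutMin minutes; do not continue"
}

switch ($Phase) {
    'Add' {
        netdom computername $OldName /add:$NewName
        if ($LASTEXITCODE) { throw "netdom /add failed ($LASTEXITCODE)" }
    }
    'MakePrimary' {
        # Gate: new A record and HOST/<newname> SPN must be present on every DC first.
        Wait-Replicated { param($dc) Test-RecordOnDC $dc $NewName 'A' } "A record for $NewName"
        Wait-Replicated { param($dc) Test-SpnOnDC $dc $NewName } "SPN HOST/$NewName"
        netdom computername $OldName /makeprimary:$NewName
        if ($LASTEXITCODE) { throw "netdom /makeprimary failed ($LASTEXITCODE)" }
        Write-Host "Reboot now, then run -Phase Remove once the locator records have replicated"
    }
    'Remove' {
        # Gate: the domain's DC locator SRV record must point at the new name on every DC.
        Wait-Replicated {
            param($dc)
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dc -DnsOnly -ErrorAction SilentlyContinue
            $srv | Where-Object { $_.NameTarget -eq $NewName }
        } "locator SRV record for $NewName"
        netdom computername $NewName /remove:$OldName
        if ($LASTEXITCODE) { throw "netdom /remove failed ($LASTEXITCODE)" }
    }
}
```

The script only checks the DCs of the renamed DC's own domain. The slide also requires the SPN to reach every Global Catalog in the forest; GCs in other domains hold the computer object only in their GC partition, so they should be queried the same way on port 3268 (LDAP://gc-name:3268/...) before the MakePrimary phase.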
Domain Controller Rename
• Moving DCs between domains was planned but will not be implemented
• Certification Authorities cannot be renamed
• DNS and Active Directory replication latency may cause temporary unavailability of the DC while clients still hold the old name
Renaming Domains
• Change the DNS and NetBIOS names
  – of the forest-root domain
  – of any tree-root domains
  – of any parent and child domains
• Restructure a domain's position within a forest

Renaming Domains
• No pruning and grafting capabilities (subtrees cannot be moved from one domain to another)
• Windows.NET Help and Support: "A domain rename will affect every domain controller in your forest and is a thorough multi-step process that requires a detailed understanding of the operation"
• Resources from http://www.microsoft.com/windows2000/downloads/tools/domainrename/default.asp
  – Understanding How Domain Rename Works (28 pages)
  – Step-by-Step Guide to Implementing Domain Rename (69 pages)
  – rendom.exe utility
Renaming Domains
• The identity of the forest root domain cannot be changed: it can be renamed, but no other domain can be made the forest root
• If Exchange 2000 is deployed in the same forest, domain rename is blocked
• Each domain controller in the forest will be out of service briefly
• All domain controllers in the forest that were unreachable during the operation or finished in the Error state must be demoted
• Any external trust relationships must be re-established
• ...
Universal Group Membership Caching
• In Windows 2000 a Global Catalog server is required for logging on to a domain
  – To determine the user's membership in universal groups
  – If no local GC is available, a GC in a remote site is used
• Recommendation: at least one GC per site
  – Adds replication traffic

Universal Group Membership Caching
• If no Global Catalog is available:
  – If the user is an administrator (member of Domain Admins), logon succeeds
  – If only a Domain Controller is available, the user fails to log on to the workstation
  – If no Domain Controller is available, the user is logged on with cached credentials
Universal Group Membership Caching
• Workaround in Windows 2000: registry value
  HKLM\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures = 1
• Q241789 "How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons"
• Potential security vulnerability if universal groups are also used: with IgnoreGCFailures the logon token is built without the universal group SIDs, so a Deny ACE that applies through a universal group is not enforced (and access granted through one is lost)

Universal Group Membership Caching
• Windows.NET adds the ability to cache the universal group memberships of users on the DC
• Caching is enabled on a site-by-site basis
• To enable GC-less logon, modify the site's NTDS Site Settings object in AD Sites and Services
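The two slides above describe the weak setting and its replacement. The following PowerShell script is an added example, not code from the original slides: it turns on universal group membership caching for one site by setting the group-caching bit on the site's NTDS Site Settings object, then removes the IgnoreGCFailures workaround from the DC it runs on, so that logons are never again validated with a token that lacks universal group SIDs. The site name Branch01 is hypothetical; the bit value 0x20 for options is the one MS-ADTS documents as NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED.

```powershell
# Added example (not from the original slides): replace the Windows 2000
# IgnoreGCFailures workaround with universal group membership caching on one site.
# Assumed site name: Branch01 (hypothetical). Run on a DC as an Enterprise Admin.
param([string]$SiteName = 'Branch01')

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"

# Bit 0x20 of the options attribute: NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED (MS-ADTS).
# This is what the "Enable Universal Group Membership Caching" checkbox sets.
$GroupCachingBit = 0x20
$options = [int]$settings.Properties['options'].Value   # [int]$null is 0 when the attribute is unset
if (($options -band $GroupCachingBit) -eq 0) {
    $settings.Properties['options'].Value = $options -bor $GroupCachingBit
    $settings.CommitChanges()
    Write-Host "Enabled universal group membership caching on site $SiteName"
} else {
    Write-Host "Universal group membership caching already enabled on site $SiteName"
}

# The registry workaround has to go: with IgnoreGCFailures=1 this DC builds logon
# tokens without universal group SIDs, so Deny ACEs via universal groups are not enforced.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsa -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
if ($current -eq 1) {
    Remove-ItemProperty -Path $lsa -Name IgnoreGCFailures
    Write-Warning "Removed IgnoreGCFailures=1 from $lsa; this DC now requires a GC or a populated membership cache"
} else {
    Write-Host "IgnoreGCFailures not set on this DC"
}
```

The site setting replicates to all DCs of the forest, but the registry value is per DC, so the second half has to run on every DC in the site that ever had the workaround applied. The cache itself is only useful once a GC has been reachable at least once for each user, so keep a GC reachable over the WAN when caching is first enabled.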
Universal Group Membership Caching
• The DC uses the cached information even if a GC is available
• The cache is refreshed in eight-hour intervals (default)
  – A universal group membership change can therefore take up to eight hours to show up in a user's token on that DC (stale data)
• Cached data expires from lack of use
  – No logon in 180 days (default)

Universal Group Membership Caching
• To adjust the default refresh interval:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Refresh Interval (DWORD, minutes)
• To adjust the default expiration period:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Site Stickiness (DWORD, minutes)
Universal Group Membership Caching
• msDS-Cached-Membership: single-valued attribute added to the user object
  – Stores the SIDs of the universal groups to which the user belongs
  – To populate the attribute the DC must contact a GC when the user first logs on
  – Not replicated between Domain Controllers; every DC keeps its own cache

Universal Group Membership Caching
• No GUI to force an update of the cached msDS-Cached-Membership attributes
• Use ADSI (VBScript), run on the DC whose cache should be refreshed:
    ' Bind to the RootDSE of the local DC and write the operational
    ' attribute that makes the DC refresh all cached memberships from a GC
    Set objRoot = GetObject("LDAP://RootDSE")
    objRoot.Put "UpdateCachedMemberships", 1
    objRoot.SetInfo
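The refresh-interval and stickiness registry values from the previous slide, the forced refresh shown in the VBScript above, and the per-DC nature of msDS-Cached-Membership fit together in one operational check. The following PowerShell script is an added example and not code from the original slides: it sets the two timers, forces a refresh through the same RootDSE operational attribute, and then reads back what this particular DC has cached for a user, binding to the local DC by name because the attribute is never replicated. The user name jdoe and the chosen timer values are assumptions; 480 minutes and 180 days are the defaults.

```powershell
# Added example (not from the original slides): tune the cache timers, force a
# refresh from a GC, and read back what this DC has cached for one user.
# Assumptions: run on the DC whose cache matters, user sAMAccountName 'jdoe'
# (hypothetical), 4 hours refresh and 90 days stickiness (chosen here, not the defaults).
param(
    [string]$User = 'jdoe',
    [int]$RefreshMinutes = 240,            # default is 480 (8 hours)
    [int]$StickinessMinutes = 90 * 24 * 60 # default is 180 days
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'Cached Membership Refresh Interval' -Value $RefreshMinutes -Type DWord
Set-ItemProperty -Path $ntds -Name 'Cached Membership Site Stickiness' -Value $StickinessMinutes -Type DWord

# Force an immediate refresh of every cached membership on this DC: the same
# operational attribute the slide's VBScript writes, against this DC's RootDSE.
$rootDse = [ADSI]"LDAP://$env:COMPUTERNAME/RootDSE"
$rootDse.Put('UpdateCachedMemberships', 1)
$rootDse.SetInfo()

# The cache is per DC and not replicated, so the query must target this DC explicitly.
$domainNc = $rootDse.Properties['defaultNamingContext'].Value
$s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$env:COMPUTERNAME/$domainNc")
$s.Filter = "(&(objectCategory=person)(sAMAccountName=$User))"
[void]$s.PropertiesToLoad.AddRange([string[]]@('msDS-Cached-Membership', 'msDS-Cached-Membership-Time-Stamp'))
$r = $s.FindOne()
if ($null -eq $r) { throw "user $User not found in $domainNc" }

$blob  = $r.Properties['msds-cached-membership']
$stamp = $r.Properties['msds-cached-membership-time-stamp']
if ($blob.Count -eq 0) {
    # Nothing cached: the user has not logged on at this DC while a GC was reachable.
    Write-Host "$User has no cached universal group membership on $env:COMPUTERNAME"
} else {
    $when = if ($stamp.Count -gt 0) { $stamp[0] } else { 'unknown' }
    if ($when -is [long]) { $when = [DateTime]::FromFileTimeUtc($when) }  # large-integer (FILETIME) value
    Write-Host "$User : $($blob[0].Length) bytes of cached membership on $env:COMPUTERNAME, last refreshed $when"
}
```

A shorter refresh interval narrows the window in which a user removed from a universal group keeps its SID in tokens issued by this DC, at the cost of more GC traffic over the slow link; a user who shows "no cached membership" here will still fail GC-less logon until a GC is reached once.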