Showing posts with label active directory.

Tuesday, February 22, 2011

Active Directory Certificate Services - Command Reference

Applies To: Windows Server 2008
   Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing the public key certificates used by systems that rely on public key technology (smart-card logon, TLS, EFS, code signing and the like). The two command-line tools below cover the request side (Certreq) and the CA side (Certutil).

Certreq
Certreq can be used to:
  1. Request certificates from a certification authority (CA).
  2. Retrieve a response to a previous request from a CA.
  3. Create a new request from an .inf file.
  4. Accept and install a response to a request.
  5. Construct a cross-certification or qualified subordination request from an existing CA certificate or request.
  6. Sign a cross-certification or qualified subordination request.
Certutil
Displays certification configuration information, and configures Certificate Services.
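The request/submit/accept cycle above, written out as an added example (not code from the original post or from Microsoft's documentation). The CA configuration string, the template name, the host names and the file names are assumptions for illustration; everything else is standard certreq/certutil syntax.

```powershell
# Added example, not part of the original post: request, submit, install and
# verify a machine certificate with certreq/certutil. The CA config string,
# template name, host names and file names are assumptions for illustration.
$CaConfig = "ca01.example.com\Example-Issuing-CA"   # "<CA host>\<CA common name>"

# 1. Request definition. Exportable=FALSE keeps the private key non-exportable
#    in the machine key store; MachineKeySet=TRUE puts it under the computer
#    account rather than the user who ran certreq. Single-quoted here-string
#    so PowerShell leaves "$Windows NT$" alone.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=web01.example.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}dns=web01.example.com&dns=www.example.com"

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path .\web01.inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request from the .inf file.
certreq -new .\web01.inf .\web01.req

# 3. Check the CA answers, then submit. If the template requires CA manager
#    approval the CA returns a request ID instead of a certificate; fetch it
#    later with:  certreq -retrieve -config $CaConfig <RequestId> .\web01.cer
certutil -config $CaConfig -ping
certreq -submit -config $CaConfig .\web01.req .\web01.cer

# 4. Accept the response: binds the issued certificate to the pending
#    request and installs it in the machine store next to its private key.
certreq -accept .\web01.cer

# 5. Verify the chain and that the AIA/CDP URLs in the certificate actually
#    resolve (clients will need them for chain building and revocation).
certutil -verify -urlfetch .\web01.cer

# 6. Confirm it landed in LocalMachine\My with a private key attached.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=web01.example.com" } |
    Select-Object Thumbprint, NotAfter, HasPrivateKey

# Template hygiene check on the CA side: which templates are published and
# who may enroll in them. A template that lets the enrollee supply the
# subject, or that is enrollable by wide groups, deserves a second look.
certutil -catemplates
certutil -v -template WebServer
```

The check in step 5 is the one most often skipped: a certificate that installs fine but whose CRL distribution point is unreachable from clients fails at the worst moment, when a relying party tries to validate it.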

Ref: http://technet.microsoft.com/en-us/library/cc772497%28WS.10%29.aspx

Active Directory Domain Services - Command Reference

Applies To: Windows Server 2008
   Active Directory Domain Services (AD DS) command-line tools are built into Windows Server 2008. They are available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
  • Adprep - Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.
  • Csvde - Imports and exports data from Active Directory using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
  • Dcdiag - Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
  • Dcpromo - Installs and removes Active Directory Domain Services (AD DS).
  • Dsacls - Displays and changes permissions (access control entries) in the access control list (ACL) of objects in AD DS.
  • Dsadd - Adds specific types of objects to the directory.
  • Dsamain - Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.
  • Dsdbutil - Provides database utilities for Active Directory Lightweight Directory Services (AD LDS).
  • Dsget - Displays the selected properties of a specific object in the directory.
  • Dsmgmt - Provides management facilities for Active Directory Lightweight Directory Services (AD LDS).
  • Dsmod - Modifies an existing object of a specific type in the directory.
  • Dsmove - Moves a single object in a domain from its current location in the directory to a new location or renames a single object without moving it in the directory tree.
  • Dsquery - Queries AD DS according to specified criteria.
  • Dsrm - Deletes an object of a specific type or any general object from the directory.
  • Ldifde - Imports and exports directory objects in LDIF format, and creates, modifies, and deletes directory objects from an LDIF file.
  • Ldp - Makes it possible for users to perform operations against an LDAP-compatible directory, such as AD DS. These operations include connect, bind, search, modify, add, and delete.
  • Netdom - Makes it possible for administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from a command prompt.
  • Net computer - Adds or deletes a computer from a domain database.
  • Net group - Adds, displays, or modifies global groups in domains.
  • Net user - Adds or modifies user accounts, or displays user account information.
  • Nltest - Tests and resets the secure channel between a computer and its domain, locates domain controllers (nltest /dsgetdc), and lists trusts and domain controllers.
  • Ntdsutil - Provides management facilities for AD DS.
  • Redircmp - Redirects the default container for newly created computers to a specified target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.
  • Redirusr - Redirects the default container for newly created users to a specified target OU so that newly created user objects are created in the specific target OU instead of in CN=Users.
  • Repadmin - Makes it possible for administrators to diagnose Active Directory replication problems between domain controllers running Windows operating systems.
  • Setspn - Makes it possible for administrators to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account.
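A few of the tools in the list above combined into a quick directory hygiene check, as an added example that is not part of the original post. The domain DN, domain name and OU are assumptions; the switches are the tools' own.

```powershell
# Added example, not part of the original post: a directory hygiene pass
# built from setspn, dsquery, dsacls, nltest, repadmin and dcdiag.
# Domain and OU names below are assumptions.
$Domain = "DC=example,DC=com"

# 1. Duplicate SPNs break Kerberos (silent fallback to NTLM, logon failures).
#    setspn -X scans the forest and reports every duplicate.
setspn -X

# 2. User accounts that carry an SPN are the ones whose service tickets any
#    domain user can request and crack offline, so they need long, managed
#    passwords. List them with the age of the current password.
dsquery * $Domain -filter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" `
    -attr sAMAccountName servicePrincipalName pwdLastSet -limit 0

# 3. Accounts flagged "password never expires": userAccountControl bit
#    0x10000 (65536), tested with the LDAP bitwise-AND rule OID
#    1.2.840.113556.1.4.803.
dsquery * $Domain -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" `
    -attr sAMAccountName -limit 0

# 4. Users and computers with no logon for 8 weeks: candidates to disable
#    with dsmod before someone else reuses them.
dsquery user -inactive 8 -limit 0
dsquery computer -inactive 8 -limit 0

# 5. Who can write to a sensitive container? Dump its ACL. GenericAll,
#    WriteDacl or WriteOwner here amounts to control of every object
#    underneath it (for this OU: every domain controller).
dsacls "OU=Domain Controllers,$Domain"

# 6. Secure-channel and DC-locator sanity from the machine you are on.
nltest /sc_verify:example.com
nltest /dsgetdc:example.com /force

# 7. Replication and DC health, before and after any change you make.
repadmin /replsummary
dcdiag /q
```

Steps 2 and 3 are plain LDAP filters, so the same queries work unchanged in Ldp or any LDAP client; dsquery is just the scriptable front end.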
Ref: http://technet.microsoft.com/en-us/library/cc771131%28WS.10%29.aspx

Wednesday, February 2, 2011

AD Restoration - Authoritative & Non-Authoritative

Non-Authoritative Restoration
   Used most commonly when a DC has to be rebuilt after a hardware or software failure; this is the default Directory Services Restore Mode (DSRM) selection. The operating system restores the domain controller's contents from the backup, and the domain controller then receives, through normal replication from the other domain controllers, every directory change made since the backup was taken.

Authoritative Restoration
   An authoritative restore is most commonly used when a change made in the directory must be reversed, such as an organizational unit deleted by mistake. The DC is first restored from backup (a non-authoritative restore) and selected objects are then marked authoritative: their version numbers are raised so that, when the DC replicates, its copy of those objects wins over the deletions on every other DC. The especially valuable thing about this is that you can mark only certain objects or subtrees authoritative. If you delete an OU by mistake you mark just that OU authoritative; it replicates back out to all of the other DCs, while everything else on the restored server is brought up to date from the other DCs as in a normal restore. The backup must be younger than the tombstone lifetime, or the restored objects will not be accepted by the other DCs.
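Both restore types as they are typed at a Windows Server 2008 DC, added here as an example and not taken from the original post. The backup location and version, the server names and the OU distinguished name are assumptions; the wbadmin, ntdsutil and bcdedit syntax is the real one.

```powershell
# Added example, not part of the original post: non-authoritative and
# authoritative restore on a Windows Server 2008 DC. Backup target/version,
# DC names and the OU DN are assumptions.

# --- Boot into Directory Services Restore Mode (F8 at boot, or persistently):
bcdedit /set safeboot dsrepair
shutdown /r /t 0
# ...log on as .\Administrator with the DSRM password chosen at dcpromo time.
# That password is a local admin credential on the DC: keep it managed and
# rotate it with  ntdsutil "set dsrm password"  like any other admin secret.

# --- Non-authoritative restore: put the system state back and let normal
#     replication bring the DC current. This is all a dead DC needs.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:02/01/2011-20:00 -backupTarget:E: -quiet

# --- Authoritative restore: stay in DSRM, do not reboot yet. Mark only the
#     objects that must win. ntdsutil raises their version numbers (by
#     100000 per day since the backup, by default) so every other DC accepts
#     them over its own tombstones. "restore subtree" covers a container
#     and everything under it; "restore object" marks a single object.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=example,DC=com" quit quit

# Never mark the whole directory (or the Schema partition) authoritative;
# that is how one stale backup overwrites every change in the domain.

# --- Back to a normal boot.
bcdedit /deletevalue safeboot
shutdown /r /t 0

# --- After the reboot: confirm the restored subtree carries a higher
#     version than the deletion on another DC, and check replication.
repadmin /showobjmeta dc02.example.com "OU=Sales,DC=example,DC=com"
repadmin /replsummary
# Group memberships of restored users that live in other domains, or that
# were not link-value-replicated, come back from the .ldf file ntdsutil
# writes in the current directory; import it with:
#   ldifde -i -k -f <the links .ldf file named in ntdsutil's output>
```

The order matters: the system-state recovery is always the first step, and the ntdsutil marking happens afterwards but before the DC is rebooted into normal mode, otherwise the deletions replicate back in before the objects are marked.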

Tuesday, February 1, 2011

SRV Records of Domain Controller in DNS Zone


   The following notes help you determine the problem when the SRV records of a domain controller are not registered in the DNS zone of its domain.
   The following may happen when the SRV records of a domain controller are not registered in the DNS zone of that domain:
  • Client computers may take a long time to log on to the domain.
  • Client computers get stuck at "Applying Computer Settings".
  • Group Policy settings may not apply.
  • Folder Redirection policy does not work.
  • Software Installation does not work.
  • Replication between domain controllers does not happen.
  • An application reports an error about SRV records. Applications locate domain controllers by sending SRV queries to DNS.
  • Nslookup returns an error when querying for the SRV records.
  • Queries for the SRV records (_ldap, _kerberos, etc.) fail.
  • Group Policy Objects are not syncing.
   Missing SRV records can be the cause of all of the above. The SRV records of a domain controller play an important role in Active Directory: Active Directory cannot work without DNS, because clients and other DCs use DNS to locate domain controllers in the forest or domain with the help of these records. Service (SRV) records are registered for a domain controller when you promote a member server to a domain controller, and the Netlogon service on the domain controller is responsible for registering and refreshing them. Because whoever can write these records decides which host clients treat as a DC and KDC, the zone should accept only secure dynamic updates from authenticated computers.
   You can use the following methods to re-register SRV records of a domain controller in the domain DNS zone:
    1. Restart the Netlogon service on domain controller.
    2. Run DcDiag /fix
    3. Run NetDiag /fix (NetDiag ships with the Windows Server 2003 Support Tools; it is not part of Windows Server 2008, where Nltest /dsregdns does the same job).
    4. Re-register from Netlogon.dns file in \Windows or Winnt\System32\Config directory.
   The Netlogon.dns file is created when you promote a member server to domain controller.
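Checking the DC locator records and re-registering them, as an added example that is not part of the original post. The domain, site and DC names are assumptions; the record names are the ones Netlogon registers for every DC.

```powershell
# Added example, not part of the original post: verify and re-register the
# DC locator SRV records. Domain, site and DC names are assumptions.
$Domain = "example.com"
$Site   = "Default-First-Site-Name"

# 1. The records a client queries when it looks for a DC, a KDC, a GC or the
#    PDC. Each should answer with the DC's host name and port (389/88/3268).
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)
foreach ($name in $SrvNames) {
    "== $name"
    nslookup -type=SRV $name 2>&1 |
        Select-String -Pattern "svr hostname|port|Non-existent|can't find"
}

# 2. What should this DC have registered? Netlogon.dns is the list it
#    writes at promotion and refresh time; compare it with step 1.
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" |
    Select-String "_tcp.dc._msdcs"

# 3. Re-register. The targeted command is preferable; restarting Netlogon
#    also re-registers but briefly interrupts secure-channel service.
nltest /dsregdns
# net stop netlogon; net start netlogon    (alternative)
# dcdiag /fix                              (alternative, also re-registers)

# 4. Verify from the locator's point of view and with the DNS test suite.
nltest /dsgetdc:$Domain /force
dcdiag /test:dns /dnsrecordregistration /v

# 5. The zone must accept dynamic updates for step 3 to work at all, and for
#    an AD-integrated zone they should be "secure only" so that only the
#    authenticated DC, not any host on the network, can rewrite them.
dnscmd . /ZoneInfo $Domain | Select-String "update"
```

If step 1 fails only for the site-specific names, check the DC's site assignment (nltest /dsgetsite) before touching DNS; Netlogon registers the _sites records for the site the DC believes it is in.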

http://msmvps.com/blogs/systmprog/archive/tags/Active+Directory/default.aspx

Monday, January 31, 2011

Zones and Records

Zones are an important concept in DNS. A zone is a container that represents a domain on DNS server. The zone contains the records to that domain. There are three types of zones primary, secondary and stub zones.

Every domain, immediately below a TLD, has a zone, such as blogspot.com, but sub-domains, such as scorpits.blogspot.com can be contained within the parent zone or in their own zones. A zone represents a domain in a DNS server, and it contains all of the records of the domain. Sometimes a zone will also contain sub-domains. All zones begin with a SOA record and contain NS records. Zones are typically contained in a zone file, a specially formatted text file that contains all of the records for the zone.
  • A Primary zone is the master copy of the zone information; typically you'll only have one primary zone for a domain, but it is possible to have more than one in a multiple master configuration.
  • A Secondary zone contains a copy of all of the records in the primary zone; secondary zones are used for redundancy, in case the DNS server containing the primary zone goes down. The secondary zone still contains a copy of the data and can be used for DNS resolution.
  • Stub zones contain only the SOA record, the NS records, and the glue A records of the servers that are authoritative for another zone, and they are refreshed from those servers. A stub zone is not authoritative; when a DNS server holds the parent zone and has delegated a child zone to other servers, a stub zone for the child lets it find the child's current name servers directly instead of relying on the delegation records alone.
Those other servers then hold the primary and secondary zones for the child domain. Only the primary zone can be edited; secondary zones pick up the change through the zone transfer process, either when the primary sends a NOTIFY or when the refresh interval in the zone's SOA record expires and the secondary sees a higher serial number on the primary.
Zone transfers copy the primary zone to every server holding a corresponding secondary zone. Incremental zone transfers (IXFR) are used where both servers support them, as Microsoft DNS servers do; an incremental transfer sends only the records that changed since the last transfer, so it is faster and uses less bandwidth. When an incremental transfer is not possible or not supported, a full zone transfer (AXFR) copies the entire zone each time a change is made to the primary.

A sub-domain is set below parent domains; an example of a sub-domain is scorpits.blogspot.com, which resides below the parent domain blogspot.com. Sub-domains can be contained within the parent zone; they can also be contained in their own zone. In addition, through the use of stub zones, sub-domains can reside on other DNS servers. Stub zone indicates that the authority for the zone is delegated to another system.
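The three zone types created with dnscmd, plus the setting that decides who may pull a copy of the zone, as an added example that is not part of the original post. Server names and addresses are assumptions.

```powershell
# Added example, not part of the original post: primary, secondary and stub
# zones with dnscmd, and restricting zone transfers. Names/IPs are assumptions.
$Primary   = "ns1.example.com"   # holds the primary zone
$Secondary = "ns2.example.com"   # holds the secondary copy, 10.0.0.2
$SecIP     = "10.0.0.2"

# Primary (standard, file-backed) zone on ns1.
dnscmd $Primary /ZoneAdd example.com /Primary /file example.com.dns

# Secondary on ns2 that pulls from ns1 (10.0.0.1).
dnscmd $Secondary /ZoneAdd example.com /Secondary 10.0.0.1

# Stub zone for a delegated child: ns1 keeps only the child's SOA/NS/glue,
# refreshed from the child's own server. The parent zone still needs the
# NS delegation record and the glue A record for the child's server.
dnscmd $Primary /ZoneAdd child.example.com /Stub 10.0.0.10
dnscmd $Primary /RecordAdd example.com child NS ns1.child.example.com.
dnscmd $Primary /RecordAdd example.com ns1.child A 10.0.0.10

# A primary that answers AXFR for anyone hands its whole host inventory to a
# single "ls -d" in nslookup. Allow transfers only to the known secondaries
# (or to the servers in the NS records with /SecureNs, or to nobody with
# /NoXfr), and send NOTIFY so they refresh before the SOA timer expires.
dnscmd $Primary /ZoneResetSecondaries example.com /SecureList $SecIP /NotifyList $SecIP

# Check the result: SecureSecondaries and Notify fields in the zone info.
dnscmd $Primary /ZoneInfo example.com

# Force a transfer from the secondary side, then compare SOA serials on
# both servers; they match once the transfer has completed.
dnscmd $Secondary /ZoneRefresh example.com
nslookup -type=SOA example.com $Primary
nslookup -type=SOA example.com $Secondary
```

Zone transfer restriction is the one setting here that shows up in nearly every external assessment: the default for a new standard primary on older Windows DNS allowed transfers to any server, and a zone dump is the cheapest host discovery an attacker can get.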

Friday, January 28, 2011

FSMO Roles

FSMO Roles Explained:
   Within Active Directory not all domain controllers are equal: some have certain roles assigned to them, and each of these roles must be performed by a single domain controller at a time. These are the FSMO roles (Flexible Single Master Operations). There are 5 roles, 2 of which are forest wide and 3 of which are domain wide.

The 5 roles are as follows:

Schema master (forest wide):
   The Schema Master controls all updates to the Schema within the forest.

Domain Naming Master (forest wide):
   The Domain Naming Master role is responsible for the creation and deletion of domains in the forest.

PDC Emulator (domain wide):
   The PDC emulator provides backward compatibility for Windows NT backup domain controllers (BDCs) by advertising itself as the primary domain controller for the domain. It also acts as the domain master browser, receives password changes from the other DCs immediately and is consulted when a logon fails elsewhere with a possibly stale password, and the PDC emulator of the forest root domain is the authoritative time source for the forest.

Infrastructure Master (domain wide):
   The Infrastructure Master role is responsible for updating references from objects within its domain to objects in other domains (for example, group members from another domain). It must not be placed on a global catalog server unless every DC in the domain is a global catalog.

RID Master (domain wide):
   The RID Master hands out pools of relative identifiers (RIDs) to the other domain controllers in the domain; each DC combines a RID from its pool with the domain SID to build the Security Identifier (SID) of every user, group and computer it creates.
Identify FSMO Roles: You can easily identify the servers that hold the FSMO roles with this free tool. Dovestones' "FSMO Roles" application is freeware. You can download it here: http://www.dovestones.com/downloads/FSMORoles.msi
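The same information from the tools already on a DC, as an added example that is not part of the original post and does not need the download above. The domain controller name in the commented transfer line is an assumption.

```powershell
# Added example, not part of the original post: locate the FSMO role holders
# with built-in tools and check that every DC agrees on them.

# All five roles, one per line.
netdom query fsmo

# Same data through the AD module (Windows Server 2008 R2 / RSAT and later).
Import-Module ActiveDirectory
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# A role still pointing at a decommissioned DC shows up in these tests,
# which ask each DC what it believes and whether the holder responds.
dcdiag /test:knowsofroleholders /v
dcdiag /test:fsmocheck /v

# Role-specific health: RID pool left on this DC, and where this DC gets
# its time from (on the PDC emulator of the forest root this should be an
# external source, not another DC).
dcdiag /test:ridmanager /v
w32tm /query /source

# Moving a role while the current holder is still online is a transfer
# (both DCs agree). Example, assumed target dc02.example.com:
#   ntdsutil roles connections "connect to server dc02.example.com" quit "transfer pdc" quit quit
# "seize pdc" instead of "transfer pdc" is only for a holder that is gone
# for good; a seized-from DC must never be brought back onto the network.
```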

More Info on FSMO Roles: http://techgurulive.com/2008/09/27/the-5-fsmo-server-roles-of-windows-domain-environment/

Tuesday, December 21, 2010

Migrating AD from W2K3 to W2K8

The safest and simplest way to migrate is to start by adding a Windows Server 2008 domain controller to your existing domain.
First you need to prepare your 2003 forest and domain by running
adprep /forestprep (on the schema master, as a member of Schema Admins, Enterprise Admins and Domain Admins) and
adprep /domainprep /gpprep (on the infrastructure master of each domain, as a Domain Admin; the /gpprep switch runs together with /domainprep)
Do this by placing the Windows Server 2008 DVD in the Windows 2003 DC - ADPREP is in the SOURCES\ADPREP folder on the DVD. Let the schema change replicate to all DCs before you promote the new server.
Once done you can run the setup program from the 2008 DVD and do an upgrade, or you can do a clean install on a new box and join the 2008 machine to the domain – the latter is my preferred option.
If you take the latter route you need to assign the 2008 new computer an IP address and subnet mask on the existing network. Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)
Join the new 2008 machine to the existing domain as a member server
From the command line, promote the new machine to a domain controller with the DCPROMO command and select "Existing forest" and then "Add a domain controller to an existing domain".
Once Active Directory is installed, make the new machine a global catalog server if you did not tick that option in DCPROMO: go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default-First-Site-Name and Servers, expand the new server, right-click NTDS Settings, select Properties and tick the "Global Catalog" checkbox. (A global catalog is essential for logon, as it must be queried to establish universal group membership.)
If necessary install DNS on the new server. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will automatically replicate to the new domain controller along with Active Directory.
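The whole procedure above as commands, added here as an example and not taken from the original post. The DVD drive letter, interface name, addresses, account, site and path values are assumptions; the adprep, netsh, netdom and dcpromo syntax (including the [DCInstall] answer-file keys) is Windows Server 2008's own.

```powershell
# Added example, not part of the original post: the migration steps above
# as commands. Drive letter, interface name, addresses, account, site and
# paths are assumptions. Section 1 runs on the existing 2003 DCs, the rest
# on the new 2008 server.

# --- 1. Prepare the 2003 forest and domain from the 2008 DVD (here D:).
#     /forestprep on the schema master as Schema Admin + Enterprise Admin;
#     /domainprep /gpprep on the infrastructure master as Domain Admin.
#     Replication must be healthy first so the schema change reaches every DC.
repadmin /replsummary
D:\sources\adprep\adprep.exe /forestprep
D:\sources\adprep\adprep.exe /domainprep /gpprep
repadmin /showrepl          # confirm the schema change has replicated

# --- 2. New 2008 server: static IP, DNS pointing at the existing DC, join.
netsh interface ipv4 set address "Local Area Connection" static 10.0.0.20 255.255.255.0 10.0.0.1
netsh interface ipv4 set dnsserver "Local Area Connection" static 10.0.0.10 primary
netdom join $env:COMPUTERNAME /domain:example.com /userd:EXAMPLE\admin /passwordd:* /reboot:10

# --- 3. After that reboot: unattended promotion as an additional DC that is
#     also a global catalog and a DNS server (the wizard's choices, scripted).
#     The DSRM password is a local admin credential on the DC: prompt for
#     it, and delete the answer file as soon as dcpromo has read it.
$dsrm = Read-Host "DSRM (Directory Services Restore Mode) password"
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=example.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=example.com
UserName=EXAMPLE\admin
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path C:\dcpromo.txt -Encoding ASCII
dcpromo /unattend:C:\dcpromo.txt        # Password=* prompts for the admin credential
Remove-Item C:\dcpromo.txt -Force
shutdown /r /t 0

# --- 4. After the final reboot: health, GC advertisement, DNS replication.
dcdiag /c /q                            # comprehensive test set, errors only
repadmin /replsummary
nltest /dsgetdc:example.com /gc         # the new DC should be returned as a GC
dnscmd . /EnumZones                     # AD-integrated zones now listed locally
netdom query fsmo                       # roles still sit on the 2003 DC
```

The last line is the reminder for what comes after this post: the roles stay on the old server until they are transferred, and the 2003 DC must not be demoted or switched off while it still holds them.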