
Aging and Scavenging Parameters for Zones

The following list gives the zone parameters that affect when records are scavenged. You configure these properties on the zone.

Zone parameter: No-refresh interval
Description: Time during which the server does not accept refreshes for the record. (The server still accepts updates.) This value is the interval between the last time a record was refreshed and the earliest moment it can be refreshed again.
Configuration tool: DNS console and Dnscmd.exe
Notes: When an Active Directory-integrated zone is created, this parameter is set from the DNS server parameter Default no-refresh interval. It replicates through Active Directory replication.

Zone parameter: Refresh interval
Description: Begins when the no-refresh interval ends. At the start of the refresh interval the server begins accepting refreshes; after the refresh interval expires, the DNS server can scavenge records that have not been refreshed during or after the refresh interval.
Configuration tool: DNS console and Dnscmd.exe
Notes: When an Active Directory-integrated zone is created, this parameter is set from the DNS server parameter Default refresh interval. It replicates through Active Directory replication.

Zone parameter: Enable Scavenging (zone aging)
Description: Flag indicating whether aging and scavenging is enabled for the records in the zone.
Configuration tool: DNS console and Dnscmd.exe
Notes: When an Active Directory-integrated zone is created, this parameter is set from the DNS server parameter Default enable scavenging. It replicates through Active Directory replication.

Zone parameter: ScavengingServers
Description: Determines which servers may scavenge records in this zone. If the list is empty, any server hosting the zone that has scavenging enabled may scavenge it.
Configuration tool: Dnscmd.exe only
Notes: Replicates through Active Directory replication.

Zone parameter: Start scavenging
Description: Determines when this server may start scavenging the zone. It is computed by the server (current time plus the refresh interval) when aging is enabled on the zone and again when the zone's aging settings change, so changing the intervals restarts the wait.
Configuration tool: Not configurable
Notes: Not replicated through Active Directory; each server keeps its own value.

A record can therefore be removed no earlier than no-refresh interval + refresh interval after its timestamp, and only once some server that is allowed to scavenge the zone actually runs a scavenging pass.

The following list gives the server parameters that affect when records are scavenged. You set these parameters on the server.

Aging and Scavenging Parameters for Servers

Server parameter: Default no-refresh interval
Description: The no-refresh interval used by default for new Active Directory-integrated zones.
Configuration tool: DNS console (shown as No-refresh interval) and Dnscmd.exe
Notes: By default, 7 days.

Server parameter: Default refresh interval
Description: The refresh interval used by default for new Active Directory-integrated zones.
Configuration tool: DNS console (shown as Refresh interval) and Dnscmd.exe
Notes: By default, 7 days.

Server parameter: Default Enable Scavenging
Description: The Enable Scavenging (aging) value used by default for new Active Directory-integrated zones.
Configuration tool: DNS console (shown as Enable scavenging) and Dnscmd.exe
Notes: By default, scavenging is disabled.

Server parameter: Enable scavenging
Description: Flag specifying whether this DNS server performs scavenging of stale records. If enabled, the server repeats scavenging as often as the Scavenging Period parameter specifies.
Configuration tool: DNS console, Advanced View (shown as Enable automatic scavenging of stale records) and Dnscmd.exe
Notes: By default, scavenging is disabled.

Server parameter: Scavenging Period
Description: How often a DNS server that has scavenging enabled removes stale records.
Configuration tool: DNS console, Advanced View (shown as Scavenging Period) and Dnscmd.exe
Notes: By default, 7 days.
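The zone and server parameters above decide together whether a stale record is ever removed, and stale dynamic records are what lets a re-joined or attacker-controlled host inherit an old name. The following is an added example, not code from the original page: it reads both parameter sets with the DnsServer module (Windows Server 2012 or later, RSAT) and lists the A records that are already past no-refresh + refresh. The server and zone names are assumptions.

```powershell
# Added example (not from the original post): audit aging/scavenging on one DNS server
# and list records already past their scavenge-eligibility point.
# Assumes the DnsServer module; $DnsServer and $ZoneName are assumed names.
Import-Module DnsServer
$DnsServer = 'dc1.contoso.com'
$ZoneName  = 'contoso.com'

# Server-level parameters: the "Default ..." values new AD-integrated zones inherit,
# plus this server's own "Enable scavenging" switch and "Scavenging period".
$srv = Get-DnsServerScavenging -ComputerName $DnsServer
'Server scavenging enabled : {0}' -f $srv.ScavengingState
'Scavenging period         : {0}' -f $srv.ScavengingInterval
'Default no-refresh        : {0}' -f $srv.NoRefreshInterval
'Default refresh           : {0}' -f $srv.RefreshInterval
'Last scavenge run         : {0}' -f $srv.LastScavengeTime

# Zone-level parameters: the intervals that actually govern records in this zone.
$zone = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
'Zone aging enabled        : {0}' -f $zone.AgingEnabled
'Zone no-refresh / refresh : {0} / {1}' -f $zone.NoRefreshInterval, $zone.RefreshInterval
'Scavenging servers        : {0}' -f ($zone.ScavengeServers -join ', ')
'Start scavenging (this DC): {0}' -f $zone.AvailForScavengeTime

# Aging on the zone removes nothing by itself; some server must also scavenge it.
if ($zone.AgingEnabled -and -not $srv.ScavengingState) {
    Write-Warning "$DnsServer ages records in $ZoneName but does not scavenge them; confirm another server hosting the zone does, or nothing is ever removed."
}

# A record is eligible only after no-refresh + refresh has elapsed since its timestamp.
# Static records have no timestamp and are never scavenged. Actual removal waits for the
# next scavenging-period run, so "eligible since" is the earliest possible deletion time.
$window = $zone.NoRefreshInterval + $zone.RefreshInterval
$cutoff = (Get-Date) - $window

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName,
        @{ n = 'Address';       e = { $_.RecordData.IPv4Address } },
        Timestamp,
        @{ n = 'EligibleSince'; e = { $_.Timestamp + $window } } |
    Sort-Object Timestamp
```

Records that show up here with an EligibleSince well in the past, while LastScavengeTime is recent, mean either this zone is not in the server's scavenging scope or the ScavengingServers list points at a server that is not scavenging.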
Hello All, hope you guys are doing great. Today, I wanted to write about Change Notification on site links.

What is Change Notification?

Change Notification is the mechanism by which a domain controller tells its replication partners that it has changes to send, instead of waiting for the next scheduled replication. A configurable interval runs between an originating update on a domain controller and the notification of that change to its partners. When this interval elapses, the domain controller notifies each intra-site replication partner that it has changes that need to be propagated. A second configurable parameter sets the number of seconds to pause between notifications to the remaining partners; this pause prevents all partners from pulling the change at the same moment.

There are two values for the interval – one for the first partner, and other for the subsequent partners. When a change is made on a Domain Controller’s Active Directory database, before the change is replicated, the DC waits for a specific period of time before sending the Change Notification to its first partner, and then waits for another period of time before sending the Change Notification to another partner, this process continues until all partners are notified.

For intra-site replication partners, a DC waits 15 seconds (300 in W2K) before notifying its first replication partner and then another 3 seconds (30 in W2K) before sending this change notification to subsequent partners. These intervals can be modified by the below DWORD values in the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Replicator notify pause after modify (secs)

&

Replicator notify pause between DSAs (secs)

These DWORD values control how long a domain controller waits after a modify operation before sending the Change Notification to its first partner, and then to each subsequent partner, in the same site. But what about domain controllers in other sites? Inter-site replication honors the replication interval set on the site link between the two sites, and the minimum interval the AD Sites and Services snap-in allows is 15 minutes. If your environment has enough bandwidth between all sites, or between specific sites, to replicate changes as they happen, you can enable Change Notification on those site links as well.

To do this:

  • Open ADSIEdit.msc.
  • In ADSI Edit, connect to and expand the Configuration container.
  • Expand Sites, then Inter-Site Transports, and select CN=IP. Note: change notification cannot be enabled on SMTP site links.
  • Right-click the site link object for the sites where you want to enable change notification (for example CN=DEFAULTIPSITELINK) and click Properties.
  • On the Attribute Editor tab, double-click options.
      a. If the Value(s) box shows <not set>, type 1.
      b. If the Value(s) box already contains a value, derive the new value with a bitwise OR of the old value and 1 so that any bits already set are kept: old_value BITWISE-OR 1. For example, if the value is 2, calculate 0010 OR 0001 = 0011 and type the integer result, 3, in the Edit Attribute box.
  • Click OK.

A VBScript that does the same is at http://gallery.technet.microsoft.com/scriptcenter/390b54d2-cd49-4f46-92e0-c22ff6f25f1c and a PowerShell script at http://gallery.technet.microsoft.com/scriptcenter/61cb88bb-8c61-477f-834e-79ed0c153669.

The options attribute is a bit field. Bit 1 (value 1) turns on change notification, bit 2 (value 2) is two-way sync, and bit 4 (value 4) turns off compression. So a value of 1 means Change Notification enabled with compression, and a value of 5 means Change Notification enabled without compression. This is why you OR the bits in rather than overwriting the value: overwriting 2 with 1 would silently remove the two-way sync setting.

What about compression? Replication within a site is not compressed, while replication between sites is compressed by default to make the most of slow links and long intervals. Compression costs CPU on both domain controllers, so if you have enabled Change Notification between sites because bandwidth is plentiful and would rather spend bandwidth than DC CPU, set bit 4 as well to replicate uncompressed.

What about disadvantages? Is there one? Yes: a possible replication storm, because every domain controller across the linked sites now replicates on the intra-site notification intervals rather than on the site link schedule.

With Change Notification enabled between sites, changes propagate to the remote site as quickly as they propagate within a site. The advantage is little to no replication conflicts; as a matter of fact, I have yet to see a conflict object (a topic for another time) between DCs in different sites once Change Notification is enabled between those sites. And if many changes are being made, they are not queued up until the next schedule window but replicated at the same cadence as within the DC's own site.
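The ADSI Edit procedure above boils down to one bitwise OR on the options attribute. The following is an added example, not the VBScript or PowerShell script linked above: it reads the current bits on a site link, decodes them, and turns on change notification (optionally also disabling compression) while preserving whatever else was set. It assumes the ActiveDirectory module and rights to write the Configuration partition; the site link name is an assumption, DEFAULTIPSITELINK being the one Windows creates by default.

```powershell
# Added example (not from the original post): enable inter-site change notification on a
# site link by OR-ing bits into "options", keeping any bits already set.
# Assumes the ActiveDirectory module; the link name below is an assumption.
Import-Module ActiveDirectory

# Bit values of the nTDSSiteLink "options" attribute (NTDSSITELINK_OPT_*).
$USE_NOTIFY          = 0x1   # replicate on change notification, not only on schedule
$TWOWAY_SYNC         = 0x2
$DISABLE_COMPRESSION = 0x4   # send inter-site replication data uncompressed

function Get-SiteLinkNotificationState {
    param([Parameter(Mandatory)][string]$LinkName)
    $link = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
    $opt  = [int]$link.options          # <not set> comes back as $null, which casts to 0
    [pscustomobject]@{
        Name            = $link.Name
        Options         = $opt
        Notify          = [bool]($opt -band $USE_NOTIFY)
        TwoWaySync      = [bool]($opt -band $TWOWAY_SYNC)
        CompressionOff  = [bool]($opt -band $DISABLE_COMPRESSION)
        ScheduleMinutes = $link.ReplicationFrequencyInMinutes   # still honoured for the initial schedule
    }
}

function Enable-SiteLinkNotification {
    param(
        [Parameter(Mandatory)][string]$LinkName,
        [switch]$DisableCompression
    )
    $link = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
    $old  = [int]$link.options
    $new  = $old -bor $USE_NOTIFY                      # the "old_value BITWISE-OR 1" step
    if ($DisableCompression) { $new = $new -bor $DISABLE_COMPRESSION }
    if ($new -ne $old) {
        # -Replace writes the whole integer; the OR above is what keeps the other bits.
        Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = $new }
    }
    '{0}: options {1} -> {2}' -f $LinkName, $old, $new
}

Get-SiteLinkNotificationState -LinkName 'DEFAULTIPSITELINK'
Enable-SiteLinkNotification  -LinkName 'DEFAULTIPSITELINK'          # 2 -> 3, <not set> -> 1
Get-SiteLinkNotificationState -LinkName 'DEFAULTIPSITELINK'
```

Run Get-SiteLinkNotificationState first on every link (Get-ADReplicationSiteLink -Filter * piped into it) before enabling anything; a link that already has bit 4 set will go uncompressed the moment notification starts, which is the replication-storm case described above.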

To find out who deleted a user or computer account, "Account Management" auditing must already be enabled on the domain controllers; the deletion event is written only at the moment of deletion.

Enable it as follows:

  • Edit the Default Domain Controllers Policy (linked to the Domain Controllers OU):

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Enable Success for "Audit account management". (On Windows Server 2008 R2 and later the equivalent advanced audit subcategories are Account Management > Audit User Account Management and Audit Computer Account Management.)

  • Confirm the GPO has applied on every DC, for example with auditpol /get /category:"Account Management" on each one.

After a user or computer account has been deleted, the steps below show how to find when it happened, on which DC, and by whom.

Note: carry out these steps before you restore the deleted object. Restoring it (reanimation or an authoritative restore) is itself an originating change to isDeleted, which overwrites the replication metadata you need.

  1. Dump the Deleted Objects container (the -x switch includes tombstones in the export):

Ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf

  2. Search Deletedobj.ldf for the deleted object. Its RDN is the old name followed by \0ADEL: and its objectGUID. Copy the distinguishedName attribute value.

=========================================================

Extract from the LDF file above showing the deleted user object (TestUser):

dn: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local

changetype: add

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

distinguishedName: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local

instanceType: 4

whenCreated: 20100526065020.0Z

whenChanged: 20100526065039.0Z

uSNCreated: 448479

isDeleted: TRUE – This attribute is set to true when an object is deleted.

uSNChanged: 448492

name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==

userAccountControl: 512

objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==

sAMAccountName: TestUser

lastKnownParent: CN=Users,DC=2008dom,DC=local

 

If lastKnownParent is missing from the result above, Quest Recovery Manager for Active Directory can identify the object's original container.

=========================================================

  3. On any DC, dump the object's replication metadata:

Repadmin /Showmeta "DN of the deleted object" > Delshowmeta.txt

Eg:         Repadmin /Showmeta "CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt

(/showmeta is the older name of /showobjmeta; on current repadmin builds the equivalent is repadmin /showobjmeta . "DN".)

  4. In Delshowmeta.txt, find the isDeleted row and note its "Org. Time/Date" and "Originating DSA". They are, respectively, the time of the deletion and the DC on which it was performed. Repadmin prints times in the local time zone of the machine you run it on, whereas whenChanged in the LDIF is UTC (06:50:39Z above against 12:20:39 below, a +05:30 offset); use the local value when searching the event log, allowing for any time-zone difference between that DC and your workstation.

=========================================================

Output of Showmeta:

Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute

======= =============== ========= ============= === =========

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectClass

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 cn

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 givenName

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 instanceType

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 whenCreated

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 displayName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 isDeleted

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 nTSecurityDescriptor

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 name

448488 SiteA\2008-DC2 448488 2010-05-26 12:20:20 4 userAccountControl

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 codePage

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 countryCode

448481 SiteA\2008-DC2 448481 2010-05-26 12:20:20 2 dBCSPwd

448480 SiteA\2008-DC2 448480 2010-05-26 12:20:20 1 logonHours

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 unicodePwd

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 ntPwdHistory

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 4 pwdLastSet

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 primaryGroupID

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 supplementalCredentials

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectSid

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 accountExpires

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 lmPwdHistory

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 sAMAccountName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 sAMAccountType

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 userPrincipalName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 lastKnownParent

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 objectCategory

=========================================================

  5. With that information, search the Security event log on the "Originating DSA" around "Org. Time/Date". With "Account Management" auditing enabled on the DCs, you should find the following events.

For computer account deletion:

  • Windows Server 2003: Event ID 647
  • Windows Server 2008 and later: Event ID 4743

For user account deletion:

  • Windows Server 2003: Event ID 630
  • Windows Server 2008 and later: Event ID 4726

The Subject fields of the event identify the account that performed the deletion (and its logon session), the Target fields the account that was removed.

=========================================================

Below is an example of an event confirming deletion and providing info about who deleted it.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 5/26/2010 12:20:39 PM

Event ID: 4726

Task Category: User Account Management

Level: Information

Keywords: Audit Success

User: N/A

Computer: 2008-dc2.2008dom.local

Description: A user account was deleted.

Subject:

Security ID: 2008DOM\Administrator

Account Name: Administrator

Account Domain: 2008DOM

Logon ID: 0x5fe2d

Target Account:

Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111

Account Name: TestUser

Account Domain: 2008DOM
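The five steps above, from the tombstone through the replication metadata to the 4726/4743 event, can be run end to end from one console. The following is an added example, not from the original post: it uses the ActiveDirectory module (Windows Server 2012 or later) in place of ldifde and repadmin, and Get-WinEvent in place of Event Viewer. It assumes Account Management auditing is already on, that you can read the Security log of the originating DC remotely, and that the deleted account's sAMAccountName is known ($SamName is an assumed input; TestUser is the page's example).

```powershell
# Added example (not from the original post): trace a deleted account to the originating
# DC, the deletion time and the deleting principal. Assumes the ActiveDirectory module,
# Account Management auditing on the DCs, and remote Security-log read access.
Import-Module ActiveDirectory
$SamName = 'TestUser'        # assumed input; use 'HOST$' for a computer account

# Step 1-2: find the tombstone (what the ldifde dump + search above does).
$deleted = Get-ADObject -Filter { sAMAccountName -eq $SamName -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
if (-not $deleted) { throw "No deleted object named $SamName found" }
'Deleted object : {0}' -f $deleted.DistinguishedName
'Last parent    : {0}' -f $deleted.lastKnownParent
'whenChanged    : {0:u}' -f $deleted.whenChanged.ToUniversalTime()   # UTC, like the LDIF

# Step 3-4: replication metadata of isDeleted (same data as repadmin /showobjmeta).
# Originating metadata is identical on every DC, so any DC can answer.
$anyDc = (Get-ADDomain).PDCEmulator
$meta  = Get-ADReplicationAttributeMetadata -Object $deleted.DistinguishedName `
             -Server $anyDc -IncludeDeletedObjects |
         Where-Object AttributeName -eq 'isDeleted'
$when  = $meta.LastOriginatingChangeTime                         # local time of this console
$dsa   = $meta.LastOriginatingChangeDirectoryServerIdentity      # NTDS Settings DN of the DC
$dc    = Get-ADDomainController -Filter * | Where-Object NTDSSettingsObjectDN -eq $dsa
if (-not $dc) { throw "Originating DSA $dsa is no longer a DC; check its last backup or a partner's log" }
'Deleted at     : {0} on {1}' -f $when, $dc.HostName

# Step 5: the Account Management event on that DC. 4726 = user deleted, 4743 = computer
# deleted (630 / 647 on Windows Server 2003). A small window absorbs clock skew.
$eventId = if ($deleted.ObjectClass -eq 'computer') { 4743 } else { 4726 }
$events  = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventId
    StartTime = $when.AddMinutes(-2)
    EndTime   = $when.AddMinutes(2)
}

foreach ($e in $events) {
    # EventData is easier to read from the XML than from the rendered message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $SamName) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Target    = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            TargetSid = $d.TargetSid
            DeletedBy = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            LogonId   = $d.SubjectLogonId
        }
    }
}
```

Keep the SubjectLogonId: searching the same log for 4624/4648 events with that logon ID tells you where the deleting session came from, which matters when the subject is a shared or service account.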

What’s New

Flexible Authentication Secure Tunneling (FAST) is part of the framework for Kerberos Pre-authentication. FAST provides a protected channel between the client and the Key Distribution Center (KDC), and it can optionally deliver key material used to strengthen the reply key within the protected channel. With FAST in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

With FAST enabled and required, brute forcing the reply key is no longer possible and the highest possible cryptographic protocols and cipher strengths are guaranteed to be used by Windows 8 clients in their pre-authentication traffic with Windows Server 2012 Domain Controllers.

When FAST is required, this enables the Compound Authentication functionality in Dynamic Access Control (DAC), allowing authorization based on the combination of both user claims and device claims.

Enabling FAST

Enabling Flexible Authentication Secure Tunneling (FAST) is done through Group Policy once you meet the requirements listed under Requirements below.

The Group Policy you need for this is located in Computer Configuration, Administrative Templates, System, KDC and is named KDC support for claims, compound authentication and Kerberos armoring:


This Group Policy supports four possible settings after you enable it:

  • Supported
  • Not supported
  • Always provide claims
  • Fail unarmored authentication requests

When you choose the ‘Supported’ setting and link the Group Policy to the Domain Controllers Organizational Unit (OU), it’s time to enable Flexible Authentication Secure Tunneling (FAST) on the Windows 8 clients.

In the Group Policy Management Console (GPMC), assign a Group Policy object to the Organizational Unit(s) containing your domain-joined Windows 8 computers. Open the Group Policy object and navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Kerberos client support for claims, compound authentication and Kerberos armoring policy:


You will have Flexible Authentication Secure Tunneling (FAST) on your network between domain-joined Windows 8 clients and Windows Server 2012-based Domain Controllers after the next Group Policy refresh cycle.

Requiring FAST

Requiring Flexible Authentication Secure Tunneling is the next step. You will still use the Group Policy Management Console (GPMC) as your tool of choice, because a couple more Group Policies need to be configured.

Assign a Group Policy object to the Domain Controllers Organizational Unit (OU) and, within it, again navigate to Computer Configuration, Administrative Templates, System, Kerberos. Here, enable the Fail authentication requests when Kerberos armoring is not available policy. This is a client-side Kerberos setting (a domain controller is a Kerberos client too), so it must also reach the Windows 8 clients that are to refuse unarmored exchanges.


Lastly, the above mentioned Group Policy KDC support for claims, compound authentication and Kerberos armoring, located in Computer Configuration, Administrative Templates, System, KDC needs to be configured with the Fail unarmored authentication requests setting.

Requirements

Flexible Authentication Secure Tunneling can be enabled in an Active Directory environment when:

  • Sufficient Domain Controllers are running Windows Server 2012, with sufficient processing power (to additionally encrypt Kerberos messages and sign Kerberos errors on top of the baseline processing power needs) and networking connectivity (to handle the additional message exchange and increased Kerberos services tickets on top of the baseline networking connectivity needs).

Note:
When FAST is enabled Windows 8 clients will only communicate with Windows Server 2012 Domain Controllers. This might create a pile-on effect. Therefore, ensure you have sufficient Domain Controllers to prevent authentication traffic passing Active Directory site links.

  • The environment no longer contains domain controllers running Windows Server 2003. Supported Domain Controller Operating Systems include Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
  • Clients need to be running Windows 8

Flexible Authentication Secure Tunneling can be required in an Active Directory environment when:

  • All Domain Controllers in domains the client uses are running Windows Server 2012
    (including transited referral domains)
  • All domains the client uses are running the Windows Server 2012 Domain Functional Level (DFL).
  • Clients need to be running Windows 8
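Once the policies above have applied, what actually changes on a DC or client is a handful of registry values under the Policies hive. The following is an added example, not from the original post: it reads those values back on the local machine and reports whether armoring is merely supported or required. The value names (EnableCbacAndArmor, CbacAndArmorLevel, ClientRequireFast) are the ones the KDC.admx and Kerberos.admx templates write for the policies named in this post; they are an assumption here, so check them against the ADMX files in your central store before relying on the output.

```powershell
# Added example (not from the original post): read back the effective FAST/armoring
# policy values on the local DC or client. The registry value names are assumed from
# the KDC.admx / Kerberos.admx templates; verify them against your ADMX files.
$kdcKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$krbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null when the policy has never been applied here (key or value absent).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# KDC side: "KDC support for claims, compound authentication and Kerberos armoring".
# Assumed mapping of the drop-down to CbacAndArmorLevel.
$levels = @{
    0 = 'Not supported'
    1 = 'Supported'
    2 = 'Always provide claims'
    3 = 'Fail unarmored authentication requests'
}
$kdcEnabled = Get-PolicyValue $kdcKey 'EnableCbacAndArmor'
$kdcLevel   = Get-PolicyValue $kdcKey 'CbacAndArmorLevel'
$levelText  = if ($null -ne $kdcLevel -and $levels.ContainsKey([int]$kdcLevel)) {
                  $levels[[int]$kdcLevel]
              } else { 'not configured' }

# Client side: "Kerberos client support for claims, compound authentication and Kerberos
# armoring" and "Fail authentication requests when Kerberos armoring is not available".
$cliEnabled = Get-PolicyValue $krbKey 'EnableCbacAndArmor'
$cliRequire = Get-PolicyValue $krbKey 'ClientRequireFast'

$state = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    KdcArmorEnabled   = ($kdcEnabled -eq 1)
    KdcArmorLevel     = $levelText
    KdcRequiresArmor  = ($kdcEnabled -eq 1 -and $kdcLevel -eq 3)
    ClientArmor       = ($cliEnabled -eq 1)
    ClientRequireFast = ($cliRequire -eq 1)
}
$state

# The "required" state only holds when both halves agree; flag the half-configured cases
# that leave unarmored AS exchanges possible.
if ($state.IsDomainController -and $state.KdcArmorEnabled -and -not $state.KdcRequiresArmor) {
    Write-Warning 'KDC supports armoring but still accepts unarmored requests.'
}
if (-not $state.IsDomainController -and $state.ClientArmor -and -not $state.ClientRequireFast) {
    Write-Warning 'Client uses armoring when offered but will fall back to unarmored pre-authentication.'
}
```

Run it on one DC per site and on a sample client after a gpupdate; a client that reports ClientRequireFast while some DC in a site it uses still reports KdcArmorLevel "Not supported" will fail to log on there, which is the reason for the requirement that every DC be Windows Server 2012 before requiring FAST.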
  1. Move all FSMO roles to one domain controller and make all DCs global catalogs.
  2. Move the domain controller from step 1 to a dedicated VLAN, isolated from the regular network.
  3. Back up the domain controller from step 1 with both a tape backup and an image utility.
  4. After running ADPREP /forestprep, check that the Windows 2003 schema upgrade added the new 2003 forest attributes.
  5. After running ADPREP /domainprep, check that the new 2003 domain attributes are present.
  6. Disable any antivirus software on the server before the upgrade.
  7. Log on to the domain controller from step 1 with an account that is a member of Enterprise Admins, Domain Admins and Schema Admins. If Exchange is present, the account also needs Full Exchange Administrator permission on the Exchange organization, the administrative groups (sites in an Exchange 5.5 environment) and the Exchange servers (and, for Exchange 5.5, full control on the "Configuration" container).
  8. Test the upgrade in a lab before applying it to production.
  9. Copy the I386 directory from the Windows 2003 CD-ROM to the local server disk.
  10. Verify that all servers in the domain have the correct time zone and synchronize time from the same source (usually the PDC emulator).
  11. Activate the new Windows 2003 Server before making any changes to the system.
  12. If you add a new Windows 2003 server to the domain, make sure the domain name and DNS suffix are configured correctly.
  13. Do not use forbidden characters in domain or server names (for example * or _).
  14. Before deploying Windows 2003 CA, Windows 2003 Cluster or Exchange 2003, configure at least one DC as a Windows 2003 DC and GC and point those products at it as their default logon server.
  15. In a multi-domain forest, upgrade the forest root domain first, and the rest of the forest only after that upgrade is complete.
  16. In a multi-site forest, let the ADPREP changes replicate to all sites and verify that each DC shows the new schema version before you install Windows 2003 Server.
  17. After running ADPREP, open %systemroot%\system32\debug\adprep\logs\ADPrep.log and resolve any error messages.
  18. Read "How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" before beginning the migration: http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
  19. If Exchange 2000/2003 is installed, run the Policytest.exe utility before the upgrade: http://support.microsoft.com/default.aspx?scid=kb;en-us;281537&FR=1&PA=1&SD=HSCH
  20. Read:
     HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller http://support.microsoft.com/default.aspx?scid=kb;en-us;326209
     HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration http://support.microsoft.com/default.aspx?scid=kb;en-us;325851
     How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
     Active Directory Migration Tool v3.0 http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
     How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
     Upgrading to Windows Small Business Server 2003 http://www.microsoft.com/WindowsServer2003/sbs/upgrade/default.mspx
     Domain Migration Cookbook http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp1.mspx
     Windows Server 2003 PKI Operations Guide http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
  21. If the upgrade will take more than a few hours, consider changing the domain configuration to avoid overloading the first domain controller: How to Prevent Overloading on the First Domain Controller During Domain Upgrade http://support.microsoft.com/?kbid=298713

replication changes in sysvol 2008

Group Policy replication change

Before describing the SYSVOL replication changes in Windows Server 2008, a short recap of how a GPO was replicated in Windows Server 2003 and earlier.

Understanding SYSVOL/GPO replication

A GPO is stored in two parts, the Group Policy template (GPT) and the Group Policy container (GPC). They live in different places and are replicated by different mechanisms, yet both must be up to date on a domain controller for the policy to work.

The GPT is stored in SYSVOL. Creating a GPO creates a folder in the SYSVOL share, named after the GPO's globally unique identifier (GUID), that holds the settings of that policy. All GPT folders are under the default path

C:\Windows\SYSVOL\sysvol\<DomainName>\Policies

On Windows Server 2003 and earlier the GPT is replicated, with the rest of SYSVOL, by the File Replication Service (FRS). FRS uses state-based replication: as soon as any file under the SYSVOL tree changes, replication is triggered and the entire file is replicated.

The GPC is stored in Active Directory. Nearly all settings are in the GPT; the GPC holds only reference information about the GPO: the GPT path, the GPO GUID, version information, the WMI filter, and the list of client-side components that have settings in the GPO. You can see the GPCs in Active Directory Users and Computers (with Advanced Features enabled) under

System\Policies

The GPC is replicated by Active Directory replication. The version number in the GPC and the Version value in the GPT's GPT.ini must match on each DC; GPMC compares them on the GPO's Details tab, and a mismatch means one of the two replication paths has not caught up.

Note: By default the Group Policy Management Editor (GPME) targets the PDC emulator so that all administrators edit the same copy; you can select a different domain controller from the Group Policy Management Console (GPMC).

File Replication Service (FRS)

Step by step, suppose you modify Policy A on Server001, and Server002 is a downstream replication partner of Server001:

  • You modify Policy A on Server001: the corresponding GPT folder in SYSVOL is updated on Server001 (and so is the GPC in Active Directory on Server001).
  • NTFS records the file and folder changes in the volume's USN journal.
  • FRS, which monitors the USN journal for changes under the SYSVOL tree, picks up the change.
  • FRS writes a change order to its inbound log on Server001. The inbound log holds both local changes and the change orders received from every upstream (inbound) partner.
  • FRS uses the backup APIs to create a staging file for the changed file on Server001.
  • FRS records the change in the outbound log on Server001 and sends a change notification to every downstream (outbound) partner.
  • Server002 receives the notification, stores the change order in its inbound log, and copies the staging file from Server001 into its own staging folder. Server002 then updates its outbound log so that its own outbound partners can pick up the change.
  • Using the restore APIs, Server002 reconstructs the file or folder in its preinstall folder, and FRS then renames it into the replica tree.

In FRS the entire changed file or folder is replicated from source to destination, however small the change.

What is the NTFS USN journal?

It logs all changes on an NTFS volume, including file creations, deletions and modifications. Each NTFS volume has its own journal with a size limit (128 MB by default on Windows Server 2003 SP2 and Windows Server 2008). The size can be raised to a maximum of 2 TB; Microsoft recommends adding 128 MB for every 100,000 files and folders.

What happens when the USN change journal fills up?

When the journal reaches its size limit, NTFS overwrites the oldest entries. If that happens before FRS has read them, FRS loses track of those changes; the condition is called a journal wrap.

USN journal wrap error

The error that occurs when so many files change so quickly that the USN journal has to discard its oldest records, to stay within its size limit, before FRS has processed them. FRS can no longer know what changed, and the fix is a non-authoritative restore of the member (BurFlags = D2), which re-synchronises it from a partner.

Morphed folders

A replication conflict occurs when identically named folders are created on different members before either copy has replicated. FRS resolves it by keeping the original copy on the receiving member and renaming (morphing) the later inbound copy. The renamed folder carries the suffix "_NTFRS_xxxxxxxx", where xxxxxxxx is eight random hexadecimal digits.

Version vector join (vvjoin)

So far we have looked at replication between existing members. A newly added member holds nothing and has to build the whole folder structure from scratch; that initial synchronisation, in which a downstream partner joins an upstream partner for the first time, is called a vvjoin.

A vvjoin is a CPU-intensive operation that can affect server performance and increases replication traffic.

Distributed File System Replication (DFSR)

Now to the point: how SYSVOL is replicated with DFS Replication and why it performs better. Using it requires the Windows Server 2008 domain functional level, which means every domain controller must run Windows Server 2008 or later. Domains created at that functional level use DFSR for SYSVOL from the start; domains upgraded from Windows Server 2003 keep FRS until you migrate SYSVOL with dfsrmig.exe.

SYSVOL replicated by DFS Replication is called DFSR-replicated SYSVOL.

DFSR is a multi-master replication engine: a change made on any member of the replication group is replicated to all the other members.

Like FRS, DFSR watches the NTFS update sequence number (USN) journal to detect changes on the volume, but it replicates a file only after the file has been closed.

Before sending or receiving a file, DFSR stages it in a staging folder.

Where FRS replicates the whole file whenever anything in SYSVOL changes, DFSR replicates only the changed blocks, much as Active Directory replicates individual attributes rather than whole objects: it compares source and destination with remote differential compression (RDC), which cuts SYSVOL replication traffic.

Other improvements (differences between DFSR and FRS):

  • Journal wraps: DFSR also monitors the NTFS change journal, but it recovers on its own, so there is no journal wrap error to repair by hand.
  • Morphed files and folders are handled automatically.
  • FRS silently stops replicating when the volume holding SYSVOL has less than 1 GB of free space; DFSR does not fail silently.
  • Only the changed portions of files are replicated, not entire files and folders.
  • Version vector tables are used to confirm changes and to resolve conflicts.
  • Read-only replication is supported on selected members, on which users cannot add or change files.
  • SYSVOL on a read-only domain controller (RODC) is replicated by DFSR as well; from Windows Server 2008 R2 it is a read-only replicated folder.
  • DFSR does not need the version vector join (vvjoin) operation.
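Whichever engine replicates SYSVOL, the check that matters is the one the recap above implies: on every DC the GPC version in Active Directory must equal the GPT version in SYSVOL, and every GPT folder in SYSVOL must belong to a GPC. The following is an added example, not from the original post: it reports the SYSVOL replication state with dfsrmig, compares both version numbers per GPO per DC with the GroupPolicy module, and lists orphaned policy folders. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later) and read access to SYSVOL; no names are assumed, everything is discovered from the domain.

```powershell
# Added example (not from the original post): verify GPC/GPT consistency on every DC and
# find policy folders in SYSVOL that no GPC references.
# Assumes the GroupPolicy and ActiveDirectory modules and read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName

# Which engine replicates SYSVOL? dfsrmig reports the migration global state on a DC
# (the command is only present on Windows Server 2008 and later DCs).
dfsrmig /getglobalstate

# Get-GPO reads the GPC version from AD and the GPT version from SYSVOL on the DC it is
# pointed at, so querying each DC in turn exposes replication lag of either path.
$results = foreach ($dc in $dcs) {
    foreach ($gpo in Get-GPO -All -Domain $domain -Server $dc) {
        foreach ($side in 'User', 'Computer') {
            $ad     = $gpo.$side.DSVersion          # versionNumber on the GPC (AD)
            $sysvol = $gpo.$side.SysvolVersion      # Version= in GPT.ini (SYSVOL)
            [pscustomobject]@{
                DC     = $dc
                GPO    = $gpo.DisplayName
                Id     = $gpo.Id
                Side   = $side
                AD     = $ad
                Sysvol = $sysvol
                InSync = ($ad -eq $sysvol)
            }
        }
    }
}

'Out-of-sync GPO halves:'
$results | Where-Object { -not $_.InSync } | Format-Table -AutoSize

# GPT folders with no GPC behind them: left over by a failed FRS/DFSR replication, or
# planted by someone with write access to SYSVOL. Folder names are {GUID} in upper case.
$gpcIds = (Get-GPO -All -Domain $domain).Id | ForEach-Object { ('{' + $_.ToString() + '}').ToUpper() }
'Policy folders in SYSVOL without a matching GPC:'
Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" -Directory |
    Where-Object { $_.Name -like '{*}' -and $gpcIds -notcontains $_.Name.ToUpper() } |
    Select-Object FullName, LastWriteTime
```

A persistent mismatch on one DC only, with the other DCs in sync, points at that DC's SYSVOL replication (journal wrap under FRS, a stopped DFSR service, or a backlog); a mismatch on the PDC emulator right after an edit is just the two paths replicating at different speeds and clears on its own.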

commands to manage DHCP

Use Netsh to find authorised DHCP Servers

 

netsh dhcp show server

Use DSQuery to find authorised DHCP Servers

 

Dsquery * “cn=NetServices,cn=Services,cn=Configuration, DC=forestRootDomain” -attr dhcpServers

 DHCP server information

 

netsh dhcp server \\DHCP_SERVER show all

 DHCP server dump

 netsh dhcp server \\DHCP_SERVER dump >>FilePath

Adding Single scope through command prompt

 Syntax: 

netsh dhcp server \\servername add scope subnetID subnetmask “ScopeName”

 netsh dhcp Server \\servername Scope subnetID Add iprange IPRangevalue

 netsh dhcp Server \\servername Scope subnetID set optionvalue Optionnumber Datatype “Value”

 Example:

 netsh dhcp server \\indiaw1234 add scope 10.15.254.0 255.255.254.0 “INDIA” “INDIA Site”

 netsh dhcp Server \\indiaw1234 Scope 10.15.254.0 Add iprange 10.200.3.1 10.200.3.99

 netsh dhcp Server \\indiaw1234 Scope 10.15.254.0 set optionvalue 3 IPADDRESS “10.200.3.154”

 netsh dhcp Server \\indiaw1234 Scope 10.15.254.0 set optionvalue 6 IPADDRESS “159.12.83.60”

 netsh dhcp Server \\indiaw1234 Scope 10.15.254.0 set optionvalue 15 STRING “contoso.com”

 DHCP Reservation through Command

 Syntax:

 netsh dhcp Server \\servername Scope subnetID add reservedip <ipaddress> <MAC> <hostname> <description>

 Example:

 Dhcp Server \\indiaw1234 Scope 10.15.254.0 Add reservedip 10.15.254.120 0001e6ac351e “printer1.contoso.com” “printer1”

Command to delete a scope:

Syntax:

netsh dhcp server \\servername delete scope subnetID DHCPFULLFORCE

Example:

netsh dhcp server \\indiaw1234 delete scope 10.15.254.0 DHCPFULLFORCE

Command to set a server option:

Syntax:

netsh dhcp server \\servername set optionvalue optionnumber datatype value

Example:

netsh dhcp server \\indiaw1234 set optionvalue 066 STRING 10.156.100.250

netsh dhcp server \\indiaw1235 set optionvalue 067 STRING \boot\x86

Bulk scope creation:

Syntax (batch-file form; when typing directly at the command prompt use %a instead of %%a):

for /f "tokens=<number of input fields> delims=," %%a in (<file path>) do netsh dhcp server \\<DHCP server name> add scope <attributes>

Example:

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 add scope %%a %%b %%c

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a add iprange %%d

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 3 IPADDRESS %%e

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 6 IPADDRESS "160.200.134.150" "160.200.134.252"

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 15 STRING "contoso.com"

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 43 BINARY "616C636174656C2E61343430302E30"

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 66 STRING "105.41.11.225"

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 67 STRING "a44N6"

for /f "tokens=1,2,3,4,5 delims=," %%a in (C:\temp\dhcpscope.txt) do netsh dhcp server \\INDIA123 scope %%a set optionvalue 46 BYTE "2"

Sample input (one scope per line: subnet, mask, "name", range start and end, router):

103.142.32.0,255.255.255.0,"Scope 1",103.142.32.1 103.142.32.254,103.142.32.254

103.142.33.0,255.255.255.0,"Scope 2",103.142.33.1 103.142.33.254,103.142.33.254

103.142.34.0,255.255.255.0,"Scope 3",103.142.34.1 103.142.34.254,103.142.34.254

103.142.35.0,255.255.255.0,"Scope 4",103.142.35.1 103.142.35.254,103.142.35.254
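As an added example (not part of the original notes), a Python script that validates a bulk-scope CSV in the layout above before any netsh line runs, then renders the same per-row netsh commands the loop produces. The server name INDIA123, the DNS value and the rows are constructed; the third row is deliberately broken to show what gets rejected.

```python
"""Validate a DHCP bulk-scope CSV and render the netsh commands it implies.
Added example, not part of the original notes; the CSV layout
(subnet,mask,"name",start end,router) is the notes' own, the rows and
server name are constructed."""
import csv
import io
import ipaddress

# Constructed sample in the notes' layout; the last row is deliberately wrong.
SAMPLE_CSV = '''103.142.32.0,255.255.255.0,"Scope 1",103.142.32.1 103.142.32.254,103.142.32.254
103.142.33.0,255.255.255.0,"Scope 2",103.142.33.1 103.142.33.254,103.142.33.254
10.15.254.0,255.255.254.0,"Bad scope",10.200.3.1 10.200.3.99,10.200.3.154
'''

def parse_scope_rows(text):
    """Return (subnet, mask, name, range_start, range_end, router) per CSV row."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue                       # skip blank lines
        if len(rec) != 5:
            raise ValueError(f"expected 5 comma-separated fields, got {rec!r}")
        subnet, mask, name, iprange, router = (f.strip() for f in rec)
        start, end = iprange.split()       # the range field holds "start end"
        rows.append((subnet, mask, name, start, end, router))
    return rows

def check_scope(subnet, mask, start, end, router):
    """Return (errors, warnings). Errors mean the row must not be created
    (a range or router outside the scope's subnet); warnings still work."""
    errors, warnings = [], []
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    if str(net.network_address) != subnet:
        errors.append(f"{subnet} is not the network address of {net}")
    lo, hi, gw = (ipaddress.ip_address(x) for x in (start, end, router))
    if lo > hi:
        errors.append(f"range start {lo} is after range end {hi}")
    if lo not in net or hi not in net:
        errors.append(f"range {lo}-{hi} is not inside {net}")
    if gw not in net:
        errors.append(f"router {gw} is not inside {net}")
    elif lo <= gw <= hi:
        warnings.append(f"router {gw} lies inside the lease range; add an exclusion")
    return errors, warnings

def render_netsh(server, subnet, mask, name, start, end, router,
                 dns="160.200.134.150", domain="contoso.com"):
    """The netsh lines the bulk loop runs for one CSV row."""
    scope = f"netsh dhcp server \\\\{server} scope {subnet}"
    return [
        f'netsh dhcp server \\\\{server} add scope {subnet} {mask} "{name}"',
        f"{scope} add iprange {start} {end}",
        f"{scope} set optionvalue 3 IPADDRESS {router}",
        f"{scope} set optionvalue 6 IPADDRESS {dns}",
        f'{scope} set optionvalue 15 STRING "{domain}"',
    ]

def plan(text, server="INDIA123"):
    """Check every row; return (command list, {scope name: errors} for bad rows)."""
    commands, rejected = [], {}
    for subnet, mask, name, start, end, router in parse_scope_rows(text):
        errors, warnings = check_scope(subnet, mask, start, end, router)
        for w in warnings:
            print(f"warning {name}: {w}")
        if errors:
            rejected[name] = errors        # never emit commands for a bad row
            continue
        commands += render_netsh(server, subnet, mask, name, start, end, router)
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = plan(SAMPLE_CSV)
    print("\n".join(cmds))
    print("rejected:", bad)
```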

Message: A DHCP Server Error has occurred. The first event logged is detailed below; however, examine the System Event Logs for more detail. Event number of the first event recorded: 1014. The following problem occurred with the Jet database -1032: Jet database read or write operations failed. If the computer or database has just been upgraded, then this message can be safely ignored. If this message appears frequently, either there is not enough disk space to complete the operation or the database or backup database may be corrupt. To correct this problem, either free additional space on your hard disk or restore the database. After you restore the database, ensure that conflict detection is enabled in DHCP server properties. For information about restoring the database, see Help and Support Center. Additional Debug Information: JetBackup. (EventID = 1014) (IAM Ref=000-000-002-000-043-000-001)

Cause: The following problem occurred with the Jet database %1: Jet database read or write operations failed. If the computer or database has just been upgraded, then this message can be safely ignored. If this message appears frequently, either there is not enough disk space to complete the operation, or the database or backup database may be corrupt. To correct this problem, either free additional space on your hard disk, or restore the database. After you restore the database, ensure that conflict detection is enabled in DHCP server properties. For information about restoring the database, see Help and Support Center. Additional Debug Information: %2.

Event ID 1014: DHCP Database Integrity

Event ID 1016 

Explanation: The DHCP service could not access the database to perform the backup.

Possible causes include:

  • Another program is accessing the database.
  • The database and its backup directories were moved from the default location

 Resolution:

User Action: To resolve this problem, do one of the following:

  • Verify that other programs, such as an antivirus program, are not accessing the database. If such a program is accessing the database, make sure that the program does not scan the directory where the database is stored.
  • Verify that the database and its backup directories are located in the default folder.

Repair database and restore from a known good backup

If the DHCP server database becomes corrupted or is lost, recovery is possible by replacing the server database file (Dhcp.mdb), located in the %SystemRoot%\System32\Dhcp folder, with a backup copy of the same file.

If DHCP Manager was used previously to perform a backup, you can obtain the backup copy of the server database file located in the %SystemRoot%\System32\Dhcp\Backup folder. You can also restore the Dhcp.mdb file from a tape backup or other backup media.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To restore a backup copy of the DHCP database:

  1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
  2. Type net stop dhcpserver, and then press ENTER.
  3. Type md c:\olddhcp, and then press ENTER.
  4. Type move %SystemRoot%\system32\DHCP\*.* c:\olddhcp, and then press ENTER.
  5. Type del %SystemRoot%\system32\DHCP\Dhcp.mdb, and then press ENTER.
  6. Type copy %SystemRoot%\system32\dhcp\backup\jet\new\dhcp.mdb %SystemRoot%\system32\dhcp\dhcp.mdb, and then press ENTER.
  7. Type net start dhcpserver, and then press ENTER.

Verify

Confirm that the server starts successfully and without errors.

Possible causes are listed here; use any of the below as a reference while handling the IM.

 1. Jet database read or write operations failed because another program (Symantec AntiVirus) is accessing the database.

 2. Jet database read or write operations failed due to: tcpsvcs (4160) An attempt to move the file "C:\WINNT\System32\dhcp\backup\new" to "C:\WINNT\System32\dhcp\backup\old" failed with system error 5 (0x00000005): "Access is denied.". The move file operation will fail with error -1032 (0xfffffbf8).

 3. Jet database read or write operations failed due to: tcpsvcs (4160) The backup has been stopped because it was halted by the client or the connection with the client failed.

 4. Jet database read or write operations failed because another program (Backup Exec) is accessing the database.

 Website for reference:

 http://technet.microsoft.com/en-us/library/cc726907(WS.10).aspx

 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1016&EvtSrc=DHCPServer&LCID=1033

Had you asked me what Active Directory was before I went to the Masters class, I probably would have just answered, “An LDAP-enabled database with many dependent LDAP-enabled applications and services sitting on top of it including Kerberos, Authentication, DNS, etc.” Now, having gone through the Master class, my answer would change to “A distributed Jet/ESE database that’s exposed through LDAP by the Directory System Agent (DSA) with many dependent LDAP-enabled applications and services sitting on top of it including Kerberos, Authentication, DNS, etc.”

Now that I've explained what AD is at its lowest level, a Jet database, why in the world would Microsoft choose Jet over, say, a SQL database? SQL is so well known and easy to access and manipulate; it almost sounds like a match made in heaven. Jet was chosen because it's a ridiculously simple and fast database. If Active Directory was going to be the center of many enterprises, it had to be fast, and Jet delivers on that promise in spades.


 I like to describe the Directory System Agent (DSA) as the man behind the curtain, the bouncer, and the translator. It’s the component that talks to the database but also enables LDAP. Sorry to break it to you, but at the database level, distinguished names like ‘CN=users,DC=Contoso,DC=local’ don’t exist. It’s the DSA that creates this LDAP path based on the data in the underlying Jet database; this will make more sense in the next section. It also enforces data integrity, which data types are allowed for certain attributes. It really is the magic that creates this awesome LDAP database we call Active Directory. Jet makes it fast, the DSA makes it LDAP.

Now, within the ntds.dit file there are actually many tables of data. The tables of most interest to us are the data table, which contains all the users, groups and OUs; the link table, which contains any linked attributes, for example the members of a group; and lastly the SD table, which contains the security descriptors (permissions) that are assigned throughout Active Directory.


Structure of NTDS.dit

 Let’s first take a look at data table. One easy way to do this without some fancy third party tools is to run LDP.exe and leverage an operational attribute called ‘DumpDatabase’. Do note that this forest is called contoso.local with a child domain named child.contoso.local.

Start Ldp.exe on the domain controller.

  1. Connect locally, and then bind as a Domain Admin.
  2. Click Modify on the Browse menu.
  3. Edit for Attribute: dumpdatabase.
  4. Edit for Values: name ncname objectclass objectguid instancetype. You must leave one space between the attributes.
  5. Click Enter. The Entry List box contains the following entry: [Add]dumpdatabase:name ncname objectclass objectguid instancetype
  6. Click the Extended and Run options.
  7. The %systemroot%\NTDS\Ntds.dmp file is created, or you receive an error message in Ldp.exe that you must investigate.

Source: http://support.microsoft.com/kb/315098

 Data Table

The file created, ntds.dmp, is a text file that can be opened in notepad although the file size will depend on how big your Active Directory database is and we all know that notepad doesn’t like huge files. 🙂 Nonetheless, once you open it in notepad, what you’re looking at is the data table from Active Directory and it should look something like this:

Disclaimer: I excluded some columns from this picture that wouldn't fit and weren't relevant to this blog.

[Figure: the ntds.dmp data table, some columns omitted]

Here is a key for some of the above terms:

DNT: Distinguished Name Tag. Essentially is a primary key to identify each row within the database.

PDNT: Parent Distinguished Name Tag. Indicates which object in the database is the parent object of this object. References another object's DNT.

NCDNT: Naming Context Distinguished Name Tag. Indicates which “partition” this object belongs to. References the root of a partition’s DNT.

The first thing you'll notice is that all the partitions in Active Directory are represented in this one data table. This is why we call them logical partitions. So, how does Active Directory keep track of the different partitions and which objects belong to which partitions? This is where the DNT, PDNT and NCDNT values you see above come into play. The PDNT value tells each object what its parent object is, and the NCDNT value tells the object which partition it belongs to.

[Figure: DNT, PDNT and NCDNT values for the contoso.local partition root, the Users container and the Dave user account]

In the above diagram, you'll notice that the DNT is just like a unique identifier where each row has a different value. The PDNT on each object tells us which object within the data table is its parent object. Additionally, you'll notice the NCDNT on the Dave user account tells us that he belongs in the contoso.local domain partition. You'll notice that the Users container also has an NCDNT of 1788. This just indicates that the Users container also belongs to the contoso.local domain partition. NCDNT tells us which partition each object belongs to.

The DSA then uses this information to map out the hierarchy of all objects and their partitions and delivers them in LDAP syntax. When I realized that almost all data and partitions in Active Directory are in this one data table and just organized by these hierarchal numbers, it forever changed my understanding of Active Directory. You’ll fully understand what I mean in a little bit.

Now, let’s also take a look at a GC at this low level. The official definition of a GC is that it contains a partial attribute set of every object in the Active Directory forest. While that is true, once again, all of this is stored in the one data table in Active Directory and organized by DNT’s, PDNT’s and NCDNT’s:

[Figure: data table dump from a forest-root GC, including objects from the child domain]

The diagram above is a dump from a forest-root GC. Once again, you’ll notice the PDNT references the parent object. The NCDNT references what partition this object belongs to. And the PDNT on the child object, which is the root of the child domain, points to the DNT of contoso.local. We know this is a GC because these objects here at the bottom are from the child domain, which only a GC would have.

Key Takeaway: Active Directory does not have different tables to store the different partitions, including the GC partition. Everything is stored in the one data table, which is logically and hierarchically organized.

Now that I knew and understood Active Directory in this way, my mind started to open up and understand things that I couldn’t fully comprehend before.

 Link Table & Linked Values

Linked values are a way of telling Active Directory that two attributes are related to one another. For example, on groups, we have an attribute called member that contains all the users that belong to that group. On each user account, we have an attribute called memberof that will show you all the groups that that user belongs to. Consequently, the member and memberof attributes are linked values that tell Active Directory they are related. Earlier, I mentioned the link table in the Active Directory database. It contains all the information about these linked values and in this case, who’s a member of these groups. Do remember that the link table may also contain information about other linked values as well, like the attributes ‘DirectReports’ and ‘ManagedBy’. Here is an example of the Dave user account belonging to the administrators group in contoso.local:

[Figure: link table row for the Dave user account (DNT 3830) in the Administrators group (DNT 3566)]

So when you go to the properties of the administrators group to see who is a member, the database would take the administrators DNT of 3566, search the link table for all matching link_DNT values, and then return backlink_DNT values, which would correspond to a user or group within the DB that are members of that group.

In the reverse, when I go to the properties of the Dave account to see what groups he belongs to, the database takes Dave's DNT of 3830 and searches the link table for all matching backlink_DNT values, and then returns the link_DNT values, which correspond to the groups within the DB that he belongs to.

Key Takeaway: Anything that is linked, like member and memberof attributes, must reference a physical object in the database. This is for purposes of referential integrity and it must have a corresponding DNT value, which means it will have its own row in the database. Contrast this with any generic multi-valued attribute within AD. If it isn’t linked, you can go ahead and add any value you want to it.

With that being said, let’s say that I log onto the child domain (child.contoso.local) and want to make the user account Dave, from the forest root, an administrator in the child domain. Now remember that this child DC is NOT a GC so he wouldn’t have a copy of the Dave user account in his data table. Also, remember that when you add someone to a group, they MUST physically exist in the local data table in Active Directory.

Does that mean that I have to make this child DC a GC so that Dave exists in the data table and we can then add him to the administrators group?

 Phantom Objects

No, what actually happens under the hood is the DC creates what’s called a phantom object in the data table that references the Dave account in the forest root. This phantom object is now a real object with its own DNT and exists in the data table in the child domain on all non-GC’s. Now, he can properly be added to the administrators group. Let’s take a look at this under the hood from the child DC that is not a GC:

[Figure: the Dave phantom object on the child non-GC, with OBJ=False]

The first clue that this is a phantom object is that OBJ=False. If we compare this phantom object to the actual user account in the forest-root domain, it looks like this:

[Figure: the real Dave user object in the forest-root domain]

Since this child DC isn’t a GC and didn’t have a copy of forest-root Dave account but had to still add Dave to the administrators group, it has to create a representation of Dave in its local database because the rules of linking state that the object must exist in the local data table and have a valid DNT.

Key Takeaway: Remember that GCs don't have or need phantom objects because they have a row in their data table for every object in the forest. Non-GCs only have the objects from their local domain, so they have to create phantom objects to represent accounts from other domains.

 Now, let’s take a look at the link table on this DC in the child domain from adding the Dave account in the forest root to the administrators group in the child domain:

[Figure: link table on the child non-GC after adding the forest-root Dave account to the child domain's Administrators group]

Tying It all Together

Now, why does any of this matter? Well, do you remember that recommendation that Microsoft made a long time ago about not putting the Infrastructure Master on a Global Catalog server? Everything I explained above is why. Let’s step through it one more time to make it clear. Before we do, let’s summarize some absolutes about Active Directory:

    1. Every domain controller is personally responsible for maintaining their own data table and how that data is internally linked. Internally, the DB on each DC may not be identical but the outcome will be the same.
    2. On each DC, to add a user to a group, that user must physically be present in the local data table either as a user account or a phantom object.
    3. A Global Catalog Server has a partial copy of every object in the forest in its data table. Objects from other domains don’t have all their attributes populated but nonetheless are present. Because of this, it doesn’t need phantom objects because it has the real objects locally.
    4. A Domain Controller that isn’t a GC doesn’t have a copy of every object in the forest in its data table. It only contains objects from its own domain. Because of this, it has to create phantom objects to reference the real objects from other domains.
    5. The infrastructure master is responsible for updating or deleting phantom objects if/when they change. For example, does the actual Dave account in the forest root still exist? Has he been moved or renamed? This process runs every 2 days and asks this question and then either updates or deletes the phantom objects accordingly.

 One day, the forest-root Dave account gets deleted. The infrastructure Master role is running in the child domain on a global catalog server. Let’s go through it step-by-step:

Disclaimer: AD replication occurs at a much higher level than this and does not occur based on DNT values. I am just doing it this way to put it into the context of this blog. Plus, DNT’s are local to each DC.

 1.) The Dave account in the forest-root domain contoso.local gets deleted.


 2.) The DC in contoso.local replicates that deletion to the child domain GC by telling it to delete DNT 3830.


 3.) The non-GC’s in the child domain don’t have the Dave account with a DNT of 3830. Instead, they have a phantom object that represents Dave with a DNT of 5585. Consequently, the Dave phantom object does not get deleted.


  4.) This is where the Infrastructure Master comes in. There is one IM per domain. The IM process in this child domain runs every two days and says, "Let me review my phantom objects to make sure that the actual user accounts still exist". Under normal conditions, it would determine that the actual Dave account got deleted and would then delete the Dave phantom object from itself and then replicate that to the other DCs in the child domain that aren't GCs. The problem here, though, is that the Infrastructure Master is running on a GC, and we all know by now that GCs don't have any phantom objects. Consequently, the IM determines, "since I don't have any phantom objects, there's really nothing for me to do". Therefore, the phantom object for the Dave account remains on all non-GCs in the child domain. If you were to look at the administrators group on any of these non-GCs in the child domain, Dave would still show as present even though the actual user account was deleted from the forest root and that deletion replicated to all global catalog servers in the child.

Technically, the best practice should have been “Only put the Infrastructure Master on DC’s that have phantom objects” but this would have caused more confusion so Microsoft simplified it and just made it “Don’t put the Infrastructure Master on a GC”.

 Why, Oh Why?

I know you’re probably thinking all of this is a convoluted way of adding users from one domain to groups in another domain, right? Well, what are all of the possible options? Let’s think about this:

  1. Allow a DC to add a user to a group even though the user account doesn’t exist in the local data table. This would break the database and referential integrity. Definitely not a good option.
  2. Don’t allow our customers to add users from one domain into groups from another domain. Once again, not a good option.
  3. Recommend that all domain controllers be global catalog servers, which negates the entire phantom object scenario. Wait a minute, we already recommend that!
  4. Create phantom objects on non-GCs in other domains and then allow the Infrastructure Master to keep those phantom objects up to date, which is exactly what we're doing today.
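To tie the data table, the link table, phantom objects and the Infrastructure Master walkthrough together, here is an added Python model (not code from the original post): rows carry DNT/PDNT/NCDNT/OBJ, the link table holds (link_DNT, backlink_DNT) pairs, a non-GC mints phantoms for foreign members, and the IM check either cleans stale phantoms or, when it runs on a GC, finds nothing to do. DNTs 1788, 3830 and 5585 follow the post; the other DNTs, the group names and the simplification that a phantom stores the remote object's full DN are constructed assumptions.

```python
"""Toy model of the NTDS.dit data table (DNT/PDNT/NCDNT/OBJ) and link table; added
example, not the post's code: DNTs 1788, 3830, 5585 follow the post, the rest is constructed."""
from dataclasses import dataclass, field

@dataclass
class Row:
    dnt: int          # Distinguished Name Tag, the row's primary key
    pdnt: int         # parent's DNT (0 for a partition root in this model)
    ncdnt: int        # DNT of the partition root this object belongs to
    rdn: str          # e.g. "CN=Dave"; a phantom stores the remote object's full DN
    obj: bool = True  # OBJ=False marks a phantom object

@dataclass
class DC:
    is_gc: bool
    data: dict = field(default_factory=dict)   # data table: dnt -> Row
    links: list = field(default_factory=list)  # link table: (link_DNT, backlink_DNT)
    next_dnt: int = 5585                       # next locally minted phantom DNT

    def dn(self, dnt):
        """What the DSA exposes over LDAP: follow PDNT up to the root."""
        parts, cur = [], dnt
        while cur:
            parts.append(self.data[cur].rdn)
            cur = self.data[cur].pdnt
        return ",".join(parts)

    def members(self, group_dnt):  # the group's "member" attribute
        return [self.dn(b) for l, b in self.links if l == group_dnt]
    def member_of(self, dnt):      # the user's "memberOf" attribute
        return [self.dn(l) for l, b in self.links if b == dnt]

    def add_member(self, group_dnt, user_dnt):
        if user_dnt not in self.data:  # referential integrity: the member needs a row
            raise KeyError(f"DNT {user_dnt} is not in the local data table")
        self.links.append((group_dnt, user_dnt))

    def add_foreign_member(self, group_dnt, remote_dc, remote_dnt):
        """A GC already holds the row; a non-GC must mint a phantom (OBJ=False)."""
        if self.is_gc:
            return self.add_member(group_dnt, remote_dnt)
        self.data[self.next_dnt] = Row(self.next_dnt, 0, remote_dc.data[remote_dnt].ncdnt,
                                       remote_dc.dn(remote_dnt), obj=False)
        self.add_member(group_dnt, self.next_dnt)
        self.next_dnt += 1

    def delete(self, dnt):  # drop the row and every link-table entry that names it
        self.data.pop(dnt, None)
        self.links = [(l, b) for l, b in self.links if dnt not in (l, b)]

def infrastructure_master(im, forest_root, domain_dcs):
    """The IM checks its own phantoms against real objects; a GC holds none, so it does nothing."""
    real = {forest_root.dn(d) for d in forest_root.data}
    stale = [r.rdn for r in im.data.values() if not r.obj and r.rdn not in real]
    for dc in domain_dcs:
        for r in list(dc.data.values()):
            if not dc.is_gc and not r.obj and r.rdn in stale:
                dc.delete(r.dnt)
    return stale

def build_forest():
    """Constructed forest: contoso.local and child.contoso.local (one GC, one non-GC)."""
    root = DC(is_gc=True)
    root.data = {1788: Row(1788, 0, 1788, "DC=contoso,DC=local"),
                 1790: Row(1790, 1788, 1788, "CN=Users"),
                 3830: Row(3830, 1790, 1788, "CN=Dave")}
    child_gc, child_dc = DC(is_gc=True), DC(is_gc=False)
    for dc in (child_gc, child_dc):
        dc.data = {4000: Row(4000, 0, 4000, "DC=child,DC=contoso,DC=local"),
                   4010: Row(4010, 4000, 4000, "CN=Builtin"),
                   4020: Row(4020, 4010, 4000, "CN=Administrators")}
        if dc.is_gc:
            dc.data.update(root.data)  # a GC has a row for every object in the forest
        dc.add_foreign_member(4020, root, 3830)  # root user Dave joins child Administrators
    return root, child_gc, child_dc

def dave_still_admin_on_non_gc(im_on_gc):
    """The post's walkthrough: does the child non-GC still list Dave afterwards?"""
    root, child_gc, child_dc = build_forest()
    root.delete(3830)      # 1) Dave is deleted in contoso.local
    child_gc.delete(3830)  # 2) the child GC holds real row 3830, so it goes too
    # 3) child_dc holds only phantom 5585, so replication deletes nothing there
    infrastructure_master(child_gc if im_on_gc else child_dc, root, [child_gc, child_dc])
    return any(m.startswith("CN=Dave,") for m in child_dc.members(4020))
```

With the IM on the child GC the function returns True (the stale phantom keeps Dave in the group); with the IM on the non-GC it returns False.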

The Windows 7 Boot Process (sbsl):

http://social.technet.microsoft.com/wiki/contents/articles/11341.the-windows-7-boot-process-sbsl.aspx

Active Directory Domain Services (AD DS) Overview: http://social.technet.microsoft.com/wiki/contents/articles/699.active-directory-domain-services-ad-ds-overview.aspx

Troubleshooting: Multiple members are referencing the same computer object, DFS-R Console: http://social.technet.microsoft.com/wiki/contents/articles/13092.troubleshooting-multiple-members-are-referencing-the-same-computer-object-dfs-r-console.aspx

Active Directory Domain Services (AD DS) Troubleshooting Survival Guide and Content Map: http://social.technet.microsoft.com/wiki/contents/articles/2285.active-directory-domain-services-ad-ds-troubleshooting-survival-guide-and-content-map.aspx

How AD RMS Works: http://social.technet.microsoft.com/wiki/contents/articles/435.how-ad-rms-works.aspx

Active Directory Services Overview: http://social.technet.microsoft.com/wiki/contents/articles/1026.active-directory-services-overview.aspx

Kerberos Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/4209.kerberos-survival-guide.aspx

Wiki: Active Directory Domain Services (AD DS) Portal: http://social.technet.microsoft.com/wiki/contents/articles/13752.wiki-active-directory-domain-services-ad-ds-portal.aspx

How Active Directory Replication Works (en-US): http://social.technet.microsoft.com/wiki/contents/articles/4592.how-active-directory-replication-works-en-us.aspx

My TechNet WIKI : Biswajit Biswas: http://social.technet.microsoft.com/wiki/contents/articles/14580.my-technet-wiki.aspx

Windows Trust, Migration, AGUDLP & ADMT

http://social.technet.microsoft.com/wiki/contents/articles/15079.windows-trust-migration-agudlp-admt.aspx

Active Directory: SYSVOL Replication Migration Guide: FRS to DFS Replication http://blogs.technet.com/b/schadinio/archive/2010/08/10/active-directory-sysvol-replication-migration-guide-frs-to-dfs-replication.aspx

Active Directory Quotas:

http://blogs.technet.com/b/activedirectoryua/archive/2009/03/18/active-directory-quotas.aspx

A Guide to Active Directory Replication: Must Read 

http://technet.microsoft.com/en-us/magazine/2007.10.replication.aspx

Domain controller demotion & Metadata cleanup   http://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-metadata-cleanup.aspx

Troubleshooting AD Replication error 1818 The remote procedure call was cancelled: http://social.technet.microsoft.com/wiki/contents/articles/11795.troubleshooting-ad-replication-error-1818-the-remote-procedure-call-was-cancelled.aspx

http://blogs.technet.com/b/ashleymcglone/archive/2012/01/03/everything-you-need-to-get-started-with-active-directory.aspx

http://blogs.technet.com/b/ad/archive/2009/01/02/fooling-the-dc-locator.aspx