Friday, 9 December 2011

Automate user creation

Basics of Powershell
====================
A few PowerShell commands are listed below. Most of the time you will have to run PowerShell as an administrator for all of the commands to succeed.

get-service : Lists all the services.
start-service -name spooler : Starts the Spooler service.
get-help get-service : Gives help for the get-service command.
$x=get-service : Shortens the command to $x; the next time you run $x, it acts as a shortcut for get-service.
new-alias np notepad : Creates an alias, np, that opens Notepad.

To run a VBScript file from the command prompt:
cscript <scriptname.vbs>


Monday, 24 October 2011

DNS delegation and DNS tools

DNS delegation is used when you want to point to a DNS subdomain zone that is administered by someone else. Make sure that the name server (NS) record of that server exists on the server where the subdomain's DNS zone resides. Then right-click the zone, choose New Delegation, click Next, type the delegated domain, click Next, click Add and type the FQDN of the server where the subdomain resides, then click OK and OK again.

Now, when anyone wants to resolve a name in the subdomain, the query is pointed to the NS record in the zone on the primary server. The query then goes to the server that record names, which looks up the record in the subdomain zone it holds and answers from it.

DNS TIP: If you are not able to resolve Internet queries but intranet queries work fine, the cause can be that someone has created a . (root) zone on the DNS server.

dnscmd /zoneexport infoit.com.au infoit
This command exports all the zone information for the zone infoit.com.au to the file C:\Windows\System32\dns\infoit

dnscmd /createdirectorypartition app1.infoit.com.au

To check, use
dnscmd /enumdirectorypartitions

Now, to replicate this newly created partition to server2 only and not to the whole AD, use
dnscmd server2 /enlistdirectorypartition app1.infoit.com.au

To delete this newly created directory partition,
dnscmd /deletedirectorypartition app1.infoit.com.au
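As an added example (not code from the original post), the script below does from the command line what the post describes: it checks for the stray "." zone from the DNS TIP, creates the subdomain delegation with dnscmd instead of the wizard, and verifies the NS record. It assumes dnscmd.exe and nslookup.exe are available and that the zone, host and address values (infoit.com.au, app1, ns1.app1.infoit.com.au, 10.0.0.5) are constructed for the example.

```powershell
# Added example (not from the original post). Assumes dnscmd.exe and nslookup.exe
# are available and the script runs as an administrator on the parent DNS server.
# All zone, host and address values below are constructed for the example.
$ParentZone = 'infoit.com.au'
$ChildLabel = 'app1'                    # delegated subdomain app1.infoit.com.au
$ChildNs    = 'ns1.app1.infoit.com.au'  # name server run by the other team
$ChildNsIp  = '10.0.0.5'                # constructed address of that name server

# 1. Detect a stray "." (root) zone: with one present the server believes it is the
#    root of the Internet and never consults the root hints (the DNS TIP above).
function Test-RootZone {
    # dnscmd /enumzones prints one zone per line; the zone name is the first column
    $zones = dnscmd /enumzones | ForEach-Object { ($_.Trim() -split '\s+')[0] }
    if ($zones -contains '.') {
        Write-Warning 'A "." (root) zone exists; Internet names will not resolve until it is removed.'
        return $true
    }
    return $false
}

# 2. Create the delegation from the command line instead of the New Delegation wizard:
#    an NS record at the child's node in the parent zone, plus a glue A record so the
#    parent can reach the child's name server by address.
function Add-Delegation {
    dnscmd /recordadd $ParentZone $ChildLabel NS $ChildNs
    dnscmd /recordadd $ParentZone "ns1.$ChildLabel" A $ChildNsIp
}

# 3. Verify: clear the server cache, then ask this server for the child's NS record.
function Test-Delegation {
    dnscmd /clearcache | Out-Null
    $answer = nslookup -type=NS "$ChildLabel.$ParentZone" 127.0.0.1 2>$null
    return (@($answer) -match [regex]::Escape($ChildNs)).Count -gt 0
}

Test-RootZone
Add-Delegation
Test-Delegation
```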

Sunday, 23 October 2011

DNS Zones

In the Microsoft world, DNS zones are the heart of the DNS server. Let's talk about DNS zones now.

Forward zones
1. Primary zone: This is the read/write copy of the zone. If the DNS server resolves a query from this zone, the answer is authoritative.
2. Secondary zone: This is a read-only copy of the primary zone on another server.
3. Stub zone: When users access a lot of resources in another domain, we can create a stub zone in our domain so that it gives enough information for the user to query resources in the other domain. It is not authoritative, which means it says: I will not answer the question, but I will point you to another server that can.

Reverse zone:
A reverse zone is the opposite of a forward zone: it is used to resolve an IP address into a name. That situation might arise while someone is troubleshooting a network connectivity problem, a network sniffer has flagged a computer and we only know the IP address of that computer. Some applications also make use of reverse zones.

Conditional forwarders:
Conditional forwarders are used if the server needs to forward queries for another domain to that domain's server. Right-click Conditional Forwarders and choose New Conditional Forwarder. Enter the domain name where it says DNS Domain, and enter the IP address of the server where it says IP addresses of the master servers.

Before testing name resolution again, do not forget to clear the resolved queries from the client cache using the following command:

ipconfig /flushdns

On the DNS server, the cache can be cleared using the following command:

dnscmd /clearcache

Stub zones
Conditional forwarders are a bit of a problem when the IT admin of the other domain adds another DNS server in their server room: the new server is not updated automatically under the conditional forwarder. With stub zones, the list of DNS servers is updated automatically.

Friday, 21 October 2011

DNS Basics

DNS is used to translate between names and IP addresses. To explain how DNS works, please look at the diagram on the left. There is a DNS client, also known as the resolver. If the DNS client needs to resolve admin.server2.com, it first checks its client cache, for which it uses the HOSTS file. That file is usually in
C:\Windows\System32\Drivers\etc\
If the record is not found in that file, it looks for a DNS server. You enter that under the IPv4 properties of the network adapter.
When it finds the DNS server, the server looks for the record in the server cache. The Cache.dns (root hints) file is located on the server at the following location
C:\Windows\System32\DNS\
If it does not find the entry in the root hints file, it goes out to the Internet and looks for the "." server. Once that is resolved, the "." server refers it on to the ".com" server. In the same way the ".com" server refers it on for "server2.com", and in turn the "student.server2.com" address gets resolved. This all happens on UDP port 53. If there is another DNS server and the zones have to be transferred, TCP port 53 is used for the transfer.

There are two types of queries:

1. Recursive: When the server HAS to resolve the query
2. Iterative: When the server can look for other servers if it cannot resolve the query

Monday, 17 October 2011

Active Directory Trusts

* Manual Trust
* External Trust
* Realm Trust
* Forest Trust
* Shortcut Trust

In a school environment, for example, the Student domain should trust the Admin domain (outgoing trust).

Sunday, 16 October 2011

Replication

If a domain controller has to replicate changes to the other domain controllers in the topology, it replicates the data to the next DC within 15 seconds, and if there is another DC to which the change has to go from there, it takes 15+3 seconds to replicate the same change to that DC. Intrasite replication can only go up to 3 hops; beyond that, optimising connections have to be created. The KCC (Knowledge Consistency Checker) lets replication occur when there are more than 3 hops by creating optimising connections (intrasite). The KCC also uses the ISTG (Intersite Topology Generator) to choose a bridgehead server in each site (a single entry and exit point), which is used to transfer the data across sites. If a server is selected manually as the bridgehead server, the ISTG will not select another server as bridgehead if that server goes down for some reason.
If the replication is happening inter-site, divide the servers into different SITES and join the sites with a site link. The replication in that case will be STORE AND FORWARD replication, which by default runs every 3 hours instead of every 15 seconds. A site is usually an area of high-speed connectivity.

The next thing that can be done is to create different subnets. When you create subnets, they can be associated with different sites. Then, when a computer logs on in one of the sites and gets an IP address in one of those subnets, it will only use a domain controller associated with that site to log on.

The way one DC replicates with a DC in a different site is by POLLING. If DC2 in Site B somehow finds that it does not have up-to-date information, it will POLL DC1 in Site A, and DC1 will replicate the changes only to DC2 in Site B.

The site link with the lower cost takes precedence when replicating data across sites.

Now I will show some commands:

1. repadmin /bridgeheads /v : Used to identify the bridgehead servers. /v is for verbose and shows the time at which the last replication was done.

2. repadmin /syncall : This can be used to push all pending replication changes to all the servers, across sites as well.

The way the data is replicated across sites is by POLLING. Every 3 hours the bridgehead server will POLL the other bridgehead server, and only the changes in the directory are replicated.

If you use SMTP for site replication, remember that it cannot replicate the domain naming context, so basically it cannot replicate between domain controllers of the same domain.

What is a GLOBAL CATALOGUE?
* A server which has all forest objects
* But it does not store all attributes
* A server from which Universal group membership can be queried
* Exchange applications need a global catalogue server to function properly
* It is queried on port 3268
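As an added example (not code from the original post), the script below turns the replication notes above into two checks: which replication partners are failing (from repadmin /showrepl in CSV form) and what the site links' cost and polling interval are (180 minutes being the 3-hour default). It assumes repadmin.exe and the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) are available.

```powershell
# Added example (not from the original post). Assumes repadmin.exe and the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) are available.
Import-Module ActiveDirectory

# 1. Which partners have failed to replicate? /showrepl * /csv prints one row per
#    (destination DC, source DC, naming context) with a failure counter.
function Get-FailedReplication {
    repadmin /showrepl * /csv |
        ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# 2. Site links: the lowest cost wins, and replInterval (minutes) is the inter-site
#    polling interval described above; 180 is the 3-hour default.
function Get-SiteLinkSummary {
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Inter-Site Transports,CN=Sites,$config" `
                 -LDAPFilter '(objectClass=siteLink)' `
                 -Properties cost, replInterval, siteList |
        ForEach-Object {
            [pscustomobject]@{
                Link        = $_.Name
                Cost        = $_.cost
                IntervalMin = $_.replInterval
                # siteList holds site DNs; keep only the CN (the site name)
                Sites       = ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
            }
        } | Sort-Object Cost
}

Get-FailedReplication | Format-Table -AutoSize
Get-SiteLinkSummary   | Format-Table -AutoSize
```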

Thursday, 13 October 2011

Functional Levels

There are two types of functional levels:

1. Domain functional level
2. Forest functional level

DFL: Windows 2000 Native
------------------------
* No mixed or native
* DC: W2k, W2k3, W2k8
* Basic AD services


DFL: Windows Server 2003
------------------------
* DC: W2k3, W2k8
* DC rename possible : To change the computer name from the command line, use the netdom command as follows:

netdom computername %computername% /add:newcompname.domain.com

netdom computername %computername% /makeprimary:newcompname.domain.com

To restart the computer,

shutdown /r /t 0
/r - restart
/t - time in seconds after which to restart

To remove the old computer name,

netdom computername %computername% /remove:oldcompname.domain.com


* Attributes :
- Last logon timestamp - Check the Saved Queries folder in Active Directory Users and Computers to find last logon information.
- User password

* redirusr, redircmp
* Selective Authentication
* Constrained Delegation
* Authorization Manager


DFL: Windows Server 2008
------------------------

- Everything in DFL Windows Server 2003, plus:
- DC : W2k8
- DFS-R SYSVOL replication
- Last Logon
- Fine-Grained Passwords

To raise the functional level,
1. Go to dsa.msc, right-click on the domain and click Raise Domain Functional Level


FFL: Windows 2000
-----------------

Supported DFLs: W2k Native, Win2k3, Win2k8

FFL: Windows 2003
-----------------

Forest Trust
Domain rename
Linked Value Replication: Replicates just the changed values instead of the entire group
RODC
Improved KCC algorithms
With FFL Windows 2008, you get the same features as in FFL Windows 2003.

To raise the FFL: Go to Active Directory Domains and Trusts, right-click on the forest and choose Raise Forest Functional Level.
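As an added example (not code from the original post), the script below does the functional-level work from PowerShell instead of dsa.msc and Domains and Trusts: it reports the current DFL and FFL together with every DC's operating system, and raises both levels to Windows Server 2008 only when no older DC remains. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), Domain and Enterprise Admin rights, and a single-domain forest.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT, Windows Server 2008 R2 or later), Domain/Enterprise Admin rights and a
# single-domain forest (the forest level needs every domain at the target DFL).
Import-Module ActiveDirectory

# Report the current levels and the OS of every DC: a level cannot be raised while a
# DC runs an OS older than the target level allows (e.g. a W2k3 DC blocks DFL 2008).
function Get-FunctionalLevelReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        Domain     = $domain.DNSRoot
        DomainMode = $domain.DomainMode    # e.g. Windows2003Domain
        ForestMode = $forest.ForestMode    # e.g. Windows2003Forest
        DCs        = Get-ADDomainController -Filter * |
                         Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly
    }
}

# Raise both levels to Windows Server 2008. Raising is a one-way change, so refuse
# when any Windows 2000 or Windows Server 2003 DC is still in the domain.
function Set-FunctionalLevel2008 {
    $report = Get-FunctionalLevelReport
    $old = @($report.DCs | Where-Object { $_.OperatingSystem -match '2000|2003' })
    if ($old.Count -gt 0) {
        Write-Warning "Not raising: older DCs present: $($old.HostName -join ', ')"
        return $false
    }
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -Confirm:$false
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -Confirm:$false
    return $true
}

Get-FunctionalLevelReport | Format-List
```

Run Set-FunctionalLevel2008 only after reviewing the report; the DomainMode and ForestMode values it prints are the same ones the GUI dialogs show.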