Alexander’s Blog

September 20, 2010

Video: Installing Active Directory Domain Services on Windows Server 2008 R2

by @ 8:47 pm. Filed under Active Directory, Videos, Windows 2008

The following video shows you how to install Microsoft Active Directory Domain Services (AD DS), formerly known as Active Directory, on a Windows Server 2008 R2 computer.

Topic: Active Directory Installation

Length: 9 minutes, 26 seconds

Format: Flash

Resolution: 800 x 600

September 5, 2010

DNS Glossary

by @ 7:56 am. Filed under Active Directory, Win2K Pro, Windows 2000, Windows 2003, Windows 2008, Windows 7, Windows Home Server, Windows NT, Windows Vista, Windows XP

Microsoft’s Active Directory relies on Domain Name System (DNS) so it’s important to have a good understanding of DNS concepts and terms. Here’s a glossary of DNS terminology in alphabetical order.

You can also download a PDF version of this glossary here.

Alias (CNAME)

An alias resource record is also called a CNAME (canonical name) resource record. With these records you can use more than one name to point to a single host, which makes it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. The most common use of an alias (CNAME) resource record is to provide a permanent aliased DNS domain name for generic name resolution of a service-based name, such as www.tailspintoys.com, to more than one computer or IP address on a Web server.

Authoritative DNS Server

A DNS server is considered authoritative for a name if it loads the zone authoritative for that name.

Authoritative DNS Zone

A DNS zone is considered authoritative for a name if the name belongs to the DNS sub-tree delegated to that zone.

AXFR

Type of zone file replication. AXFR replicates the entire zone. (See also IXFR.)

DNS Dynamic Update

An update to the DNS standard that permits DNS clients to dynamically register and update their resource records in the zones of the primary server.

DNS Server

A server that maintains a database of mappings of FQDNs to various types of data, such as IP addresses.

Domain

Any branch of the DNS namespace.

Domain Name System (DNS)

A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names and the discovery of other information stored in the database.

Forward Lookup

A DNS query that maps an FQDN to an IP address.

Forwarder

A DNS server designated by other internal DNS servers to be used to forward queries for resolving external or offsite DNS domain names, such as those used on the Internet.

FQDN (Fully Qualified Domain Name)

A DNS name that has been stated to indicate its absolute location in the domain namespace tree. An FQDN has a trailing period (.) to qualify its position relative to the root of the namespace. An example is host.example.microsoft.com.

Host (A) Record

A host (also known as "A") resource record in a zone is used to associate the DNS domain names of computers (or hosts) with their IP addresses.

Host Name

The DNS name of a host or interface on a network. For one computer to find another, the name of the computer to locate must either appear in the Hosts file on the computer that is looking, or the name must be known by a DNS server. For most Windows-based computers, the host name and the computer name are the same.

Host Name Resolution

The process of resolving a host name to a destination IP address.

Hosts File

A local text file in the same format as the 4.3 BSD release of the UNIX /etc/hosts file. This file maps host names to IP addresses, and it is stored in the systemroot\System32\Drivers\Etc folder.

Iterative Query

A query made to a DNS server for the best answer the server can provide.

IXFR

Type of zone file replication. IXFR (incremental zone transfer) replicates only the changed records of the zone file. (See also AXFR.)

MX (Mail Exchanger) Record

E-mail applications use the mail exchanger (MX) resource record to locate a mail server based on the DNS domain name in the destination address of the e-mail recipient of a message. The mail exchanger (MX) resource record shows the DNS domain name of the computer or computers that process mail for a domain.

Master and Slave DNS Servers

Two DNS servers are called Master and Slave if they hold copies of the same zone, one of which is replicated directly from the other. The source of the replication is called the Master server and the destination is called the Slave server. Every Master may have one or more Slaves and, conversely, every Slave may have one or more Masters. The same DNS server may be a Master and a Slave at the same time.

Master Server

A DNS server that is authoritative for a zone and that is also a source of zone information for other secondary servers. A master server can be either a primary or a secondary master server, depending on how the server obtains its zone data.

Pointer (PTR) Record

A pointer (PTR) resource record supports the reverse lookup process, based on zones that are created and rooted in the in-addr.arpa domain. These records locate a computer by its IP address and resolve this information to the DNS domain name for that computer.

Primary and Secondary Zones

The same zone may be represented by primary and secondary copies. The primary is the zone copy that allows direct updates of its resource records. The secondary is the copy that receives all of its updates from primary or secondary zones through the zone transfer mechanism only. Only DS (directory service) integrated zones may have multiple primaries. Multiple secondaries are allowed in either scenario.

Primary Server

A DNS server that is authoritative for a zone and that can be used as a point of update for the zone. Only primary servers can be updated directly to process zone updates, which include adding, removing, or modifying resource records that are stored as zone data.

Recursive Query

A query made to a DNS server in which the requester asks the server to assume the full workload and responsibility for providing a complete answer to the query. The DNS server then uses separate iterative queries to other DNS servers on behalf of the requester to complete the answer to the recursive query.

Resource Record

The atomic unit of the DNS database. All resource records share the same format: NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA, where the content of RDATA depends on the TYPE and CLASS of the record. A set of resource records makes up a DNS zone.

Reverse Lookup

A DNS query that maps an IP address to an FQDN.

Root Domain

The beginning of the DNS namespace.

Root Server

A DNS server that hosts the root zone is called a root server.

Root Zone

A zone that contains the DNS root domain is called the root zone.

Secondary Server

A DNS server that is authoritative for a zone and that obtains its zone information from a master server.

Second-level Domain

A DNS domain name that is rooted hierarchically at the second tier of the domain namespace, directly beneath the top-level domain names. Top-level domain names include .com and .org. When DNS is used on the Internet, second-level domains are names that are registered and delegated to individual organizations and businesses.

Service Location (SRV) Record

Service location (SRV) resource records are required for locating Active Directory domain controllers. Typically, you can avoid manual administration of service location (SRV) resource records when you install Active Directory Domain Services (AD DS). In the future, the service location (SRV) resource record may also be used to register and look up other well-known TCP/IP services on your network if applications implement and support DNS name queries that specify this record type.

Start of Authority (SOA) Record

A start of authority (SOA) record specifies the following values for a zone: the primary server, the zone administrator's e-mail address, secondary zone expiration values, and the minimum default TTL value for the zone's resource records.

Subdomain

A DNS domain located directly beneath another domain (the parent domain) in the namespace tree. For example, example.microsoft.com would be a subdomain of the domain microsoft.com.

Top-Level Domains

Domain names that are rooted hierarchically at the first tier of the domain namespace, directly beneath the root (.) of the DNS namespace. On the Internet, top-level domain names such as .com and .org are used to classify and assign second-level domain names (such as microsoft.com) to individual organizations and businesses according to their organizational purpose.

TTL (Time-To-Live)

The TTL is the length of time for which a specific resource record may be cached.

UCS-2

UCS-2, also known as Unicode, is a character encoding.

UTF-8

A character encoding specified in RFC 2044.

WINS (Windows Internet Name System)

WINS is the pre-DNS name system. It is still supported in Windows 2000 and later servers in order to maintain interoperability between the different generations of Windows computers.

Zone

A manageable unit of the DNS database that is administered by a DNS server. A zone stores the domain names and data of the domain with the corresponding name, except for domain names stored in delegated subdomains.

Zone Transfer

The synchronization of authoritative DNS data between DNS servers. A DNS server configured with a secondary zone periodically queries its master server to synchronize its zone data.

July 10, 2010

Event ID 5153: The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.

by @ 8:52 am. Filed under Active Directory, Articles, IIS, Scripting, Tips & Tricks, Windows 2008

Today I was installing Exchange Server 2010 Enterprise on a Windows Server 2008 R2 Domain Controller. Although Microsoft recommends that you install Exchange 2010 on a member server if possible, the environment I was working in was very small, so Exchange Server 2010 was installed on a Domain Controller. There was already an Exchange Server 2007 in the same forest.

After I installed Exchange Server 2007 SP3 (at least SP2 was required in my scenario) to meet the prerequisites, I was unable to install Exchange Server 2010. During the installation I received the following error, indicating that IIS was not installed on the Windows Server 2008 R2 server.

I installed IIS but still received the same error. The Event Viewer displayed the following warning:

Log Name:      System
Source:        Microsoft-Windows-WAS
Date:          7/10/2010 8:54:01 AM
Event ID:      5153
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer: Exchange.SeattlePro.com

Description: The Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.  There may be problems in viewing and setting security permissions with the IIS_IUSRS group.  This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain.  Please see the online help for more information and solutions to this problem.  The data field contains the error number.

Upon further investigation, I discovered that according to Microsoft KB article 946139, this is by design. Translation: This is a FEATURE, not a BUG.

Symptoms

You have a Windows Server 2008-based server that is running Internet Information Services (IIS) 7.0. You set the Windows Server 2008-based server as a domain controller of a Windows 2000-based domain or of a Windows Server 2003-based domain. In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group or the IUSR guest user account. You can see only the raw security identifier (SID) of the built-in IIS accounts.

Note: This problem does not occur if you set the Windows Server 2008-based server as a domain controller of a Windows Server 2008-based domain.

Reason

This problem occurs because the IIS 7.0 built-in accounts specification for Windows Server 2008 does not exist in earlier domains, such as Windows 2000-based domains and Windows Server 2003-based domains. When the IIS 7.0 server is set as a Windows 2000-based domain controller or a Windows Server 2003-based domain controller, the Windows Server 2008 accounts cannot be resolved.

Detailed Explanation

This TechNet article explains Event ID 5153 in more detail. Essentially, you have to remap the built-in IIS accounts. IIS 7.0 uses several built-in Windows Server 2008 accounts, including the IIS_IUSRS group and the IUSR guest user account. These replace the <MACHINE_NAME>_USR account that was created by IIS 6.0.

A problem occurs when a Windows Server 2008 computer that hosts IIS 7.0 becomes a domain controller (DC) of a non-Windows Server 2008 domain (that is, a DC of a Windows 2000 or Windows Server 2003 domain). When the DC promotion occurs, the new Windows Server 2008 built-in accounts are no longer available to IIS 7.0. Any Access Control List (ACL) that uses the built-in accounts will not be able to resolve to a friendly name, but will instead show their raw SID (Security Identifier) values.

To resolve this issue, run a script that will restore the mapping of SIDs to friendly names for the built-in accounts. The script must be run on the DC while it is connected to its Primary Domain Controller (PDC). This will reestablish access to the built-in accounts that IIS 7.0 requires.

Solution

To resolve this problem, use this sample script. Save it as SamUpgradeTask.js.

Note: You must restart the server after you run this script.

Troubleshooting Tips

After you have taken all these steps you may still get the same error, at least I did, and I know others have been in the same boat. Try these additional steps.

1. Go to Server Manager/Web Server (IIS)/Add role services and check the box for IIS 6 Management Compatibility. If that doesn’t help then go to step 2.

2. Start PowerShell with elevated privileges (Start, All Programs, Accessories, Windows PowerShell) and run the following commands one by one. You must start PowerShell with elevated privileges, i.e. Run as Administrator.

  1. Import-Module ServerManager
  2. Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
  3. Set-Service NetTcpPortSharing -StartupType Automatic

Notice that after the second command your server will reboot (the -Restart switch takes care of that). You may run the third command manually or use the GUI: open the Services console (services.msc) and set the Net.TCP Port Sharing Service to start automatically. Then restart the Exchange Server 2010 setup; Exchange should install successfully this time.
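To confirm that the fix has actually taken effect, the following PowerShell script (an added example, not part of the original post and not Microsoft's SamUpgradeTask.js) tries to resolve the two built-in IIS identities from their SIDs to friendly names, which is exactly what fails in the scenario above, and then lists any Event ID 5153 warnings from the System log. It assumes the standard well-known SIDs S-1-5-32-568 (BUILTIN\IIS_IUSRS) and S-1-5-17 (NT AUTHORITY\IUSR) and is meant to be run in an elevated PowerShell on the domain controller.

```powershell
# Added example: verify the built-in IIS identities resolve and look for Event ID 5153.
# Assumes the standard well-known SIDs for BUILTIN\IIS_IUSRS and NT AUTHORITY\IUSR.
function Test-IisBuiltinAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [Parameter(Mandatory = $true)][string]$ExpectedName
    )
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        # Translate() throws IdentityNotMappedException when only the raw SID
        # is known, which is the symptom described in KB 946139.
        $account = $identity.Translate([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{
            Sid      = $Sid
            Expected = $ExpectedName
            Resolved = $account
            Ok       = ($account -like "*\$ExpectedName")
        }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        New-Object PSObject -Property @{
            Sid      = $Sid
            Expected = $ExpectedName
            Resolved = '<unresolved: raw SID only>'
            Ok       = $false
        }
    }
}

$results = @(
    (Test-IisBuiltinAccount -Sid 'S-1-5-32-568' -ExpectedName 'IIS_IUSRS'),
    (Test-IisBuiltinAccount -Sid 'S-1-5-17'     -ExpectedName 'IUSR')
)
$results | Format-Table Sid, Expected, Resolved, Ok -AutoSize

# Any WAS warnings with Event ID 5153 written to the System log in the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS'
    Id           = 5153
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    "Event ID 5153 still logged: {0} occurrence(s) since {1}" -f @($events).Count, $since
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    "No Event ID 5153 warnings since $since."
}

if ($results | Where-Object { -not $_.Ok }) {
    "At least one built-in IIS identity does not resolve: run SamUpgradeTask.js on this DC, reboot, and re-run this check."
}
```

If both identities resolve but the warning is still being logged, the remaining cause is usually the missing role services covered in the troubleshooting steps above.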


Copyright ©2010 Zubair Alexander. All rights reserved.

July 7, 2010

Error: MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC.

by @ 4:35 pm. Filed under Active Directory, Tips & Tricks, Windows 2003, Windows 2008

When you add a Windows Server 2008 server to your Windows Server 2003 domain, you have to update the schema. You may notice that when you use Active Directory Users and Computers on your Windows Server 2003 Domain Controller, you get the following error:

MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC.

According to Microsoft, "This problem occurs because the Adsiedit.dll module uses an uninitialized pointer. When the system frees this pointer, some random data is freed. Therefore, an access violation may occur."

You can download the hotfix from Microsoft to fix the problem. Check out the KB article 946549 for more details.

July 2, 2010

Difference Between Immediate and Urgent Replication

by @ 7:58 am. Filed under Active Directory, Security/Firewalls, Tips & Tricks, Windows 2000, Windows 2003

In Windows Server 2003 Active Directory domains there is a concept of immediate and urgent replication. Certain types of information are replicated immediately, rather than waiting for the standard Active Directory replication cycle. One such example is a user account lockout: if an administrator locks a user account, the information is replicated to the PDC emulator immediately. Microsoft recommends that you define account lockout and password policies in only one Group Policy object (GPO) per domain (in the Default Domain Policy settings).

Microsoft explains the concepts of immediate and urgent replications in this TechNet article:

Account lockout relies on the replication of lockout information between domain controllers to ensure that all domain controllers are notified of an account's status. In addition, password changes must be communicated to all domain controllers to ensure that a user's new password is not considered incorrect. This data replication is accomplished by the various replication features of Active Directory and is also discussed in this section.

Immediate Replication

When you change a password, it is sent over Netlogon’s secure channel to the PDC operations master. Specifically, the domain controller makes a remote procedure call (RPC) to the PDC operations master that includes the user name and new password information. The PDC operations master then locally stores this value.

Immediate replication between Windows 2000 domain controllers is caused by the following events:
- Lockout of an account
- Modification of a Local Security Authority (LSA) secret
- State changes of the Relative ID (RID) Manager

Urgent Replication
Active Directory replication occurs between domain controllers when directory data is updated on one domain controller and that update is replicated to all other domain controllers. When a change in directory data occurs, the source domain controller sends out a notice that its directory store now contains updated data. The domain controller’s replication partners then send a request to the source domain controller to receive those updates. Typically, the source domain controller sends out a change notification after a delay. This delay is governed by a notification delay. (The Windows 2000 default notification delay is 5 minutes; the Windows Server 2003 default notification delay is 15 minutes.) However, any delay in replication can result in a security risk for certain types of changes. Urgent replication ensures that critical directory changes are immediately replicated, including account lockouts, changes in the account lockout policy, changes in the domain password policy, and changes to the password on a domain controller account. With urgent replication, an update notification is sent out immediately, regardless of the notification delay. This design allows other domain controllers to immediately request and receive the critical updates. Note, however, that the only difference between urgent replication and typical replication is the lack of a delay before the transmission of the change notification. If this does not occur, urgent replication is identical to standard replication. When replication partners request and subsequently receive the urgent changes, they receive, in addition, all pending directory updates from the source domain controller, and not only the urgent updates.

When either an administrator or a delegated user unlocks an account, manually sets password expiration on a user account by clicking User Must Change Password At Next Logon, or resets the password on an account, the modified attributes are immediately replicated to the PDC emulator operations master, and then they are urgently replicated to other domain controllers that are in the same site as the PDC emulator. By default, urgent replication does not occur across site boundaries. Because of this, administrators should make manual password changes and account resets on a domain controller that is in that user’s site.

The following events are not urgent replications in Windows 2000 domains:
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a computer account
- Domain trust passwords

Note: There is an error in TechNet’s article quoted above. The default notification delay for Windows Server 2003 listed under Urgent Replication should be 15 seconds, not 15 minutes, as pointed out by Rickard Nobel. The KB article 214678 confirms that the default notification period is 15 seconds in Windows Server 2003.
