Active Directory Cookbook for windows server 2003- P35 pptx


Table 11-4. Attributes of siteLink objects

Attribute                 Description
siteList                  Multivalued list of distinguished names of each site that is associated with the site link. See Recipe 11.8 for more information.

Table 11-5. Attributes of server objects

Attribute                 Description
bridgeheadTransportList   Multivalued attribute that contains the list of transports (e.g., IP or SMTP) for which the server is a preferred bridgehead server.
cn                        RDN of the object. This is set to the hostname of the associated server.
dNSHostName               Fully qualified domain name of the server. This attribute is automatically maintained for domain controllers.
serverReference           Distinguished name of the corresponding computer object contained within one of the domain-naming contexts.

Table 11-6. Attributes of nTDSDSA (NTDS Settings) objects

Attribute                 Description
cn                        RDN of the object, which is always equal to NTDS Settings.
invocationID              GUID that represents the DIT (ntds.dit) on the domain controller.
hasMasterNCs              Multivalued attribute containing the list of writeable naming contexts (does not include application partitions) stored on the domain controller.
hasPartialReplicaNCs      Multivalued attribute containing the list of read-only naming contexts stored on the domain controller. This will be populated only if the domain controller is a global catalog server.
msDS-Behavior-Version     Number that represents the functional level (i.e., operating system) of the domain controller. This attribute is new to Windows Server 2003.
msDS-HasDomainNCs         Contains the distinguished name of the writeable Domain naming context stored on the domain controller. This attribute is new to Windows Server 2003.
msDs-HasInstantiatedNCs   A combination of all available read-only and writeable naming contexts stored on the domain controller. This attribute is new to Windows Server 2003.
msDS-hasMasterNCs         Multivalued attribute that contains distinguished names of each writeable naming context and application partition stored on the domain controller. This attribute is new to Windows Server 2003.
options                   Bit flag that determines if domain controller is a global catalog server.
queryPolicyObject         If set, the distinguished name of LDAP query policy object to be used by the domain controller.

Table 11-7. Attributes of nTDSConnection objects

Attribute                 Description
cn                        RDN of the object. For Knowledge Consistency Checker (KCC) generated connections, this is a GUID.
enabledConnection         Boolean that indicates if the connection is available to be used.
fromServer                Distinguished name of the NTDS Settings object of the domain controller this connection replicates with.
ms-DS-ReplicatesNCReason  Multivalued attribute that stores reason codes for why the connection exists. There will be one entry per naming context the connection is used for.
options                   Bit flag where a value of 1 indicates the connection was created by the KCC and a value of 0 means the connection was manually created. See Recipe 11.22 for more information.
schedule                  Octet string that represents the replication schedule for the site link.
transportType             Distinguished name of the transport type (e.g., IP or SMTP) that is used for the connection.

Recipe 11.1 Creating a Site

11.1.1 Problem

You want to create a site.

11.1.2 Solution

11.1.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Sites container and select New Site.
3. Beside Name, enter the name of the new site.
4. Under Link Name, select a site link for the site.
5. Click OK twice.

11.1.2.2 Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:

dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer

then run the following command:

> ldifde -v -i -f create_site.ldf

11.1.2.3 Using VBScript

' This code creates the objects that make up a site
' - SCRIPT CONFIGURATION -
strSiteName = "<SiteName>"  ' e.g. Dallas
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
                             objRootDSE.Get("configurationNamingContext") )

' Create the site
set objSite = objSitesCont.Create("site", "cn=" & strSiteName)
objSite.SetInfo

' Create the Licensing Site Settings object
set objLicensing = objSite.Create("licensingSiteSettings", _
                                  "cn=Licensing Site Settings")
objLicensing.SetInfo

' Create the NTDS Site Settings object (the same object the LDIF solution
' creates; it holds the site's replication settings)
set objNTDSSettings = objSite.Create("nTDSSiteSettings", "cn=NTDS Site Settings")
objNTDSSettings.SetInfo

' Create the Servers container
set objServersCont = objSite.Create("serversContainer", "cn=Servers")
objServersCont.SetInfo

WScript.Echo "Successfully created site " & strSiteName

11.1.3 Discussion

To create a site in Active Directory, you have to create a number of objects. The first is a site object, which is the root of all the other objects. The site object contains the following:

licensingSiteSettings
    This object isn't mandatory, but is created automatically when creating a site with AD Sites and Services. It is intended to point clients to a license server for the site.

nTDSSiteSettings
    This object stores replication-related properties about a site, such as the replication schedule, current ISTG role holder, and whether universal group caching is enabled.

serversContainer
    This container is the parent of the server objects that are part of the site. All the domain controllers that are members of the site will be represented in this container.

After these objects are created, you've essentially created an empty site. If you didn't do anything else, the site would not be of much value. To make it usable, you need to assign subnet objects to it (see Recipe 11.4), and add the site to a siteLink object to link the site to other sites (see Recipe 11.7). At that point, you can promote or move domain controllers into the site, and it should be fully functional.

11.1.4 See Also

MS KB 318480 (HOW TO: Create and Configure an Active Directory Site in Windows 2000)

Recipe 11.2 Listing the Sites

11.2.1 Problem

You want to obtain the list of sites.

11.2.2 Solution

11.2.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the Sites container.
3. The list of sites will be displayed in the right pane.
4. Double-click on a site to view its properties.

11.2.2.2 Using a command-line interface

Run the following command to list the sites:

> dsquery site

Run the following command to view the properties for a particular site:

> dsget site "<SiteName>"

11.2.2.3 Using VBScript

' This code lists all of the site objects
set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
                             objRootDSE.Get("configurationNamingContext") )
' Only enumerate site objects; the Sites container also holds the
' Subnets and Inter-Site Transports containers
objSitesCont.Filter = Array("site")
for each objSite in objSitesCont
    Wscript.Echo " " & objSite.Get("cn")
next

11.2.3 Discussion

Site objects are stored in the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com) in the Configuration Naming Context (CNC).

For more information on creating sites, see Recipe 11.1.

Recipe 11.3 Deleting a Site

11.3.1 Problem

You want to delete a site

11.3.2 Solution

11.3.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

11.3.2.3 Using VBScript

' This code deletes a site and all child containers
' - SCRIPT CONFIGURATION -
strSiteName = "<SiteName>"  ' e.g. Dallas
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objSite = GetObject("LDAP://cn=" & strSiteName & ",cn=sites," & _
                        objRootDSE.Get("configurationNamingContext") )
' IADsDeleteOps.DeleteObject removes the site object and everything beneath it
objSite.DeleteObject(0)
WScript.Echo "Successfully deleted site " & strSiteName

11.3.3 Discussion

When deleting a site, be very careful to ensure that no active server objects exist within it. If you delete a site that contains domain controllers, it will disrupt replication for all domain controllers in that site. A more robust VBScript solution would be to first perform an ADO query for all server objects using the distinguished name of the site as the base DN. If no servers were returned, then you could safely delete the site. If server objects were found, you should move them before deleting the site.

It is also worth noting that deleting a site does not delete any of the subnets or site links that were associated with the site. This would be another good thing to add to the VBScript solution. That is, before you delete the site, delete any subnets and site links that are associated with the site.
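The pre-deletion check described in this discussion, as an added example that is not part of the book's own solutions: the same logic (servers beneath the site's DN, subnets whose siteObject points at it, site links that list it) run over a constructed in-memory snapshot of Configuration NC entries in the dn/attribute shape an ADO or LDAP search would return, so it runs offline. The rallencorp.com forest, the Dallas and Austin sites, DC1, the two subnets and DEFAULTIPSITELINK are constructed sample data, and the function names are this example's own; a live implementation would replace DIRECTORY with the search results.

```python
# Constructed snapshot of the Configuration naming context (sample data,
# not taken from any real forest). Each entry mirrors what an ADO/LDAP
# search returns: a DN plus the attributes the check needs.
CNC = "cn=configuration,dc=rallencorp,dc=com"
SITES = f"cn=sites,{CNC}"

DIRECTORY = [
    {"dn": f"cn=Dallas,{SITES}", "objectClass": "site"},
    {"dn": f"cn=Servers,cn=Dallas,{SITES}", "objectClass": "serversContainer"},
    {"dn": f"cn=DC1,cn=Servers,cn=Dallas,{SITES}", "objectClass": "server"},
    {"dn": f"cn=Austin,{SITES}", "objectClass": "site"},
    {"dn": f"cn=Servers,cn=Austin,{SITES}", "objectClass": "serversContainer"},
    {"dn": f"cn=10.5.3.0/24,cn=subnets,{SITES}", "objectClass": "subnet",
     "siteObject": f"cn=Dallas,{SITES}"},
    {"dn": f"cn=10.5.9.0/24,cn=subnets,{SITES}", "objectClass": "subnet",
     "siteObject": f"CN=Austin,{SITES}"},          # mixed case, as AD may return it
    {"dn": f"cn=DEFAULTIPSITELINK,cn=IP,cn=Inter-Site Transports,{SITES}",
     "objectClass": "siteLink",
     "siteList": [f"cn=Dallas,{SITES}", f"cn=Austin,{SITES}"]},
]


def normalize_dn(dn):
    """Make DNs comparable: case-insensitive, no spaces around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base_dn):
    """True when dn lies beneath base_dn, i.e. what a subtree-scoped search from base_dn would return."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn != base_dn and dn.endswith("," + base_dn)


def site_dependencies(site_dn, entries=DIRECTORY):
    """Collect what deleting site_dn would disrupt (servers) or leave dangling (subnets, site links)."""
    target = normalize_dn(site_dn)
    deps = {"servers": [], "subnets": [], "siteLinks": []}
    for entry in entries:
        object_class = entry["objectClass"].lower()
        if object_class == "server" and is_under(entry["dn"], site_dn):
            deps["servers"].append(entry["dn"])
        elif object_class == "subnet" and normalize_dn(entry.get("siteObject", "")) == target:
            deps["subnets"].append(entry["dn"])
        elif object_class == "sitelink" and any(
                normalize_dn(s) == target for s in entry.get("siteList", [])):
            deps["siteLinks"].append(entry["dn"])
    return deps


def safe_to_delete(site_dn, entries=DIRECTORY):
    """A site may be deleted without disrupting replication only when no server object remains beneath it."""
    return not site_dependencies(site_dn, entries)["servers"]


if __name__ == "__main__":
    for site in ("Dallas", "Austin"):
        dn = f"cn={site},{SITES}"
        print(site, "safe to delete:", safe_to_delete(dn), site_dependencies(dn))
```

Textual DN comparison is adequate for the cn-based names used here but not for DNs containing escaped commas; against a live directory, search with the site's DN as the base and subtree scope instead. For site links that still connect other sites, removing the site from the link's siteList is the less disruptive choice; delete the link only when the site being removed was its last remaining member.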

Recipe 11.4 Creating a Subnet

11.4.1 Problem

You want to create a subnet

11.4.2 Solution

11.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Subnets container and select New Subnet.
3. Enter the Address and Mask and then select which site the subnet is part of.
4. Click OK.

11.4.2.2 Using a command-line interface


Create an LDIF file called create_subnet.ldf with the following contents:

dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>

changetype: add

objectclass: subnet

siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

then run the following command:

> ldifde -v -i -f create_subnet.ldf

11.4.2.3 Using VBScript

' This code creates a subnet object and associates it with a site
' - SCRIPT CONFIGURATION -
strSubnet = "<Subnet>"    ' e.g. 10.5.3.0/24
strSite = "<SiteName>"    ' e.g. Dallas
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                               objRootDSE.Get("configurationNamingContext") )
set objSubnet = objSubnetsCont.Create("subnet", "cn=" & strSubnet)
' siteObject holds the DN of the site this subnet belongs to
objSubnet.Put "siteObject", "cn=" & strSite & ",cn=sites," & _
                            objRootDSE.Get("configurationNamingContext")
objSubnet.SetInfo
WScript.Echo "Successfully created subnet " & strSubnet

11.4.3 Discussion

Subnet objects reside in the Subnets container (e.g., cn=subnets,cn=sites,cn=configuration,dc=rallencorp,dc=com) in the CNC. The relative distinguished name (RDN) of the subnet should be the subnet address and bit-mask combination (e.g., 10.5.3.0/24). The other important attribute to set is siteObject, which should contain the DN of the site that the subnet is associated with.
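As an added example (not the book's code), here is the pre-flight check a practitioner would want before feeding create_subnet.ldf to ldifde: the Python below turns the Address and Mask from the GUI step, or the address/bit-mask string used for the RDN, into the RDN value, rejects an address with host bits set, and emits the LDIF records of the command-line solution. The rallencorp.com forest root DN and the Dallas site are the book's sample values; the function names and the duplicate check are this example's own.

```python
import ipaddress
from typing import Optional

# The book's sample forest; replace with your own <ForestRootDN>.
FOREST_ROOT_DN = "dc=rallencorp,dc=com"


def subnet_rdn(address: str, mask: Optional[str] = None) -> str:
    """Turn the Address/Mask that describes a subnet into the RDN value AD uses.

    Accepts '10.5.3.0/24', '10.5.3.0/255.255.255.0', or address and mask as two
    arguments. strict=True makes ipaddress reject a prefix with host bits set
    ('10.5.3.5/24'), so a mistyped address fails here instead of producing a
    subnet object whose name does not describe the range it is meant to cover.
    """
    text = address if mask is None else f"{address}/{mask}"
    net = ipaddress.ip_network(text, strict=True)
    return f"{net.network_address}/{net.prefixlen}"


def site_dn(site_name: str, forest_root_dn: str = FOREST_ROOT_DN) -> str:
    """DN of a site object under the Configuration naming context."""
    return f"cn={site_name},cn=sites,cn=configuration,{forest_root_dn}"


def subnet_ldif(address: str, site_name: str, mask: Optional[str] = None,
                forest_root_dn: str = FOREST_ROOT_DN) -> str:
    """One LDIF add record in the shape of create_subnet.ldf from Recipe 11.4."""
    rdn = subnet_rdn(address, mask)
    return "\n".join([
        f"dn: cn={rdn},cn=subnets,cn=sites,cn=configuration,{forest_root_dn}",
        "changetype: add",
        "objectclass: subnet",
        f"siteObject: {site_dn(site_name, forest_root_dn)}",
        "",  # blank line terminates the record
    ])


def subnets_ldif(entries, forest_root_dn: str = FOREST_ROOT_DN) -> str:
    """Build a complete ldifde input file from (address/mask, site name) pairs.

    A subnet listed twice is rejected before anything is written: ldifde -i
    stops at the first failing record unless -k is given, which would leave
    the import half done.
    """
    seen = set()
    records = []
    for cidr, site in entries:
        rdn = subnet_rdn(cidr)
        if rdn in seen:
            raise ValueError(f"subnet {rdn} listed twice")
        seen.add(rdn)
        records.append(subnet_ldif(cidr, site, forest_root_dn=forest_root_dn))
    return "\n".join(records)


if __name__ == "__main__":
    print(subnets_ldif([("10.5.3.0/24", "Dallas"),
                        ("10.5.4.0/255.255.255.0", "Dallas")]))
```

Write the returned text to create_subnet.ldf and import it with the ldifde command shown in the solution; every record carries siteObject, so no subnet is created without a site.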

11.4.4 See Also

MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)

Recipe 11.5 Listing the Subnets

11.5.1 Problem

You want to list the subnet objects in Active Directory

11.5.2 Solution

11.5.2.1 Using a graphical user interface


11.5.2.2 Using a command-line interface

The following command will list all subnets:

> dsquery subnet

The following command will display the properties for a particular subnet. Replace <Subnet> with the subnet address and mask (e.g., 10.5.3.0/24):

> dsget subnet "<Subnet>"

11.5.2.3 Using VBScript

' This code lists all the subnets stored in Active Directory
set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                               objRootDSE.Get("configurationNamingContext") )
' Only enumerate subnet objects in the container
objSubnetsCont.Filter = Array("subnet")
for each objSubnet in objSubnetsCont
    Wscript.Echo " " & objSubnet.Get("cn")
next

11.5.3 Discussion

To display the site that subnets are associated with, include the siteObject attribute as one of the attributes to return from the query. For example, the second to last line of the VBScript solution could be modified to return the site by using this code:

Wscript.Echo " " & objSubnet.Get("cn") & " : " & objSubnet.Get("siteObject")

11.5.4 See Also

MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)

Recipe 11.6 Finding Missing Subnets

11.6.1 Problem

You want to find the subnets that are missing from your site topology. Missing subnets can result in clients not authenticating against the most optimal domain controller, which can degrade performance.

11.6.2 Solution

Having all of your subnets in Active Directory is important because a client that attempts to logon from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete.

Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information was the System event 5778. Here is an example:

Event Type: Information

Event Source: NETLOGON

Event Category: None

Event ID: 5778

Date: 1/27/2003

Time: 12:07:04 AM

User: N/A

Computer: DC2

Description:

'JSMITH-W2K' tried to determine its site by looking up its IP address ('10.21.85.34') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.

The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003 things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they could easily fill up your System event log if you had many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology. Here is an example:

Event Type: Warning

Event Source: NETLOGON

Event Category: None

Event ID: 5807

Date: 1/10/2003

Time: 10:59:53 AM

User: N/A

Computer: DC1

Description:

During the past 4.18 hours there have been 21 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the

The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.

Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:

01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142

01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

01/16 16:20:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

01/16 16:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19

01/16 17:20:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

01/16 17:50:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

If you wanted to get creative and automate a solution to do this, you could write a script that goes out to each domain controller, opens the netlogon.log file and retrieves NO_CLIENT_SITE entries. You can then examine all of the IP addresses and create subnets in Active Directory that would contain them. You could associate all of those subnets with a default site or even use the Default-First-Site-Name site. Then once a week (or whenever), you could look at the sites
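The parsing step of the automation sketched above, as an added example that is not part of the book: Python that reads NO_CLIENT_SITE lines in the netlogon.log layout shown above, skips unrelated lines (the event text warns the log contains other debugging output), counts how often each client turned up without a site, and groups the unmapped addresses into candidate subnets while dropping any address already covered by an existing subnet object, since the log keeps entries written before that subnet was created. The sample log is constructed from the lines shown above plus one unrelated line; the regular expression fits that layout and is an assumption about the file format, as are the function names and the /24 grouping default.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the NO_CLIENT_SITE lines shown above, as one domain
# controller's %SystemRoot%\debug\netlogon.log would hold them, plus one
# unrelated debugging line of the kind the 5807 event text mentions.
SAMPLE_LOG = """\
01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:20:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
01/16 17:20:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 17:50:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 17:50:09 RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith from JSMITH-W2K1 Entered
"""

# Assumed layout, taken from the lines above:
# "<MM/DD> <hh:mm:ss> <DOMAIN>: NO_CLIENT_SITE: <client name> <client IP>"
NO_CLIENT_SITE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<domain>[^:]+): "
    r"NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)\s*$"
)


def parse_no_client_site(text):
    """Yield (client_name, ip_address) for each NO_CLIENT_SITE line; other lines are ignored."""
    for line in text.splitlines():
        match = NO_CLIENT_SITE_RE.match(line)
        if not match:
            continue
        try:
            yield match["client"], ipaddress.ip_address(match["ip"])
        except ValueError:
            continue  # mangled address field: skip rather than abort the sweep


def client_hits(text):
    """How many times each client was logged without a site (repeat offenders first)."""
    return Counter(client for client, _ in parse_no_client_site(text))


def missing_subnets(text, existing_subnets, prefixlen=24):
    """Group unmapped client addresses into candidate subnet objects.

    Returns a dict mapping each candidate network to the set of client names
    seen in it. existing_subnets holds the RDNs of subnet objects already in
    AD (e.g. '10.5.3.0/24'); addresses they cover are dropped because the log
    still contains entries written before that subnet object existed.
    """
    existing = [ipaddress.ip_network(s) for s in existing_subnets]
    candidates = {}
    for client, ip in parse_no_client_site(text):
        if any(ip in net for net in existing):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        candidates.setdefault(net, set()).add(client)
    return candidates


if __name__ == "__main__":
    print(client_hits(SAMPLE_LOG).most_common())
    for net, clients in sorted(missing_subnets(SAMPLE_LOG, ["10.61.80.0/24"]).items()):
        print(f"{net}  {', '.join(sorted(clients))}")
```

The /24 grouping is only a starting point for review: a candidate network is a hint about where a subnet object is missing, not a statement of the real network boundary, which the network team has to confirm before the subnet is created and mapped to a site. Feed the same file from every domain controller through missing_subnets and merge the results, since each DC logs only the clients that reached it.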

Posted: 05/07/2014, 08:20