What is Active Directory replication?

Intrasite replication or Replication within site

The KCC creates separate replication topologies to transfer Active Directory updates within a site and between all configured sites in the forest. The connections that are used for replication within sites are created automatically with no additional configuration. Intrasite replication takes advantage of LAN network speeds by providing replication as soon as changes occur, without the overhead of data compression, thus maximizing CPU efficiency. Intrasite replication connections form a ring topology with extra shortcut connections where needed to decrease latency. The fast replication of updates within sites facilitates timely updates of domain data. In deployments where large datacenters constitute hub sites for the centralization of mission-critical operations, directory consistency is critical.

Intersite Replication or Replication between sites

Replication between sites is made possible by user-defined site and site link objects that are created in Active Directory to represent the physical LAN and WAN network infrastructure. When Active Directory sites and site links are configured, the KCC creates an intersite topology so that replication flows between domain controllers across WAN links. Intersite replication occurs according to a site link schedule so that WAN usage can be controlled, and is compressed to reduce network bandwidth requirements. Site link settings can be managed to optimize replication routing over WAN links. The connections that are created between sites form a spanning tree for each directory partition in the forest, merging where common directory partitions can be replicated over the same connection.

What is FRS?

File Replication service (FRS) is related to Active Directory replication because it requires the Active Directory replication topology. FRS is a multimaster replication service that is used to replicate files and folders in the system volume (SYSVOL) shared folder on domain controllers and in Distributed File System (DFS) shared folders. FRS works by detecting changes to files and folders and then replicating the updated files and folders to other replica members, which are connected in a replication topology.

FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all domain controllers in the domain. SYSVOL files are required by all domain controllers for Active Directory to function.

What are the two protocols that are used in replication?

Simple Mail Transfer Protocol (SMTP) is a packaging protocol that can be used as an alternative to the remote procedure call (RPC) replication transport. SMTP can be used to transport nondomain replication over IP networks in mail-message format. Where networks are not fully routed, e-mail is sometimes the only transport method available

Replication transports provide the wire protocols that are required for data transfer. There are three levels of connectivity for replication of Active Directory information:

• Uniform high-speed, synchronous RPC over IP within a site.

• Point-to-point, synchronous, low-speed RPC over IP between sites.

• Low-speed, asynchronous SMTP between sites.

The following rules apply to the replication transports:

• Replication within a site always uses RPC over IP.

• Replication between sites can use either RPC over IP or SMTP over IP.

• Replication between sites over SMTP is supported for only domain controllers of different domains. Domain controllers of the same domain must replicate by using the RPC over IP transport. Therefore, replication between sites over SMTP is supported for only schema, configuration, and global catalog replication, which means that domains can span sites only when point-to-point, synchronous RPC is available between sites.

Synchronous and Asynchronous Communication

The RPC intersite and intrasite transport (RCP over IP within sites and between sites) and the SMTP intersite transport (SMTP over IP between sites only) correspond to synchronous and asynchronous communication methods, respectively. Synchronous communication favors fast, available connections, while asynchronous communication is better suited for slow or intermittent connections.

It creates the replication topology within the site.

It creates the topology for the replication between the sites of the same domain.
These servers are responsible to receive the receiving the replication data from another site and then replicate to the servers within the site. Any replication originating from its site will be sent to other sites by this <a id=”KonaLink2″ href=”http://activedirectoryfaq.blogspot.com/2007/10/what-is-active-directory-replication.html&quot; only.

The File Replication service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL (LanMan Replication) service in the 3.x/4.0 versions of Microsoft Windows NT. Windows 2000 domain controllers and servers use FRS to replicate system policy and logon scripts for Windows 2000 and earlier clients that are located in the System Volume (Sysvol).

FRS can also replicate content between Windows 2000 servers hosting the same fault-tolerant Distributed File System (DFS) roots or child node replicas.

What is Journal Wrap?

Journal wrap errors occur if a sufficient number of changes take place while FRS is turned off such that the last USN change that FRS recorded during shutdown no longer exists in the USN journal during startup. The risk is that changes to files and folders for FRS replicated trees may have taken place while the service was turned off, and no record of the change exists in the USN journal. To guard against data inconsistency, FRS asserts into a journal wrap state.

Troubleshooting journal_wrap errors on Sysvol and DFS replica sets.



10 things to secure DNS

1. Use DNS forwarders

A DNS forwarder is a DNS server that performs DNS queries on behalf of another DNS server. The primary reasons to use a DNS forwarder are to offload processing duties from the DNS server forwarding the query to the forwarder and to benefit from the potentially larger DNS cache on the DNS forwarder.

Another benefit of using a DNS forwarder is that it prevents the DNS server forwarding the requests from interacting with Internet DNS servers. This is especially important when your DNS server is hosting your internal domain DNS resource records. Instead of allowing your internal DNS servers to perform recursion and contacting DNS servers itself, configure the internal DNS server to use a forwarder for all domains for which it is not authoritative.
2. Use caching-only DNS servers

A caching-only DNS server is one that is not authoritative for any DNS domains. It’s configured to perform recursion or use a forwarder. When the caching-only DNS server receives a response, it caches the result and returns the answer to the system issuing the DNS query to the caching-only DNS server. Over time, the caching-only DNS server can amass a large cache of DNS responses, which can significantly improve DNS response times for DNS clients of that caching-only DNS server.

Caching-only DNS servers can improve security for your organization when used as forwarders that are under your administrative control. Internal DNS servers can be configured to use the caching-only DNS server as their forwarders and the caching-only DNS server performs recursion on behalf of your internal DNS servers. Using your own caching-only DNS servers as forwarders improves security because you don’t have to depend on your ISP’s DNS servers as forwarders when you’re unsure of the security configuration of your ISP’s DNS servers.
3. Use DNS advertisers

A DNS advertiser is a DNS server that resolves queries for domains for which the DNS advertiser is authoritative. For example, if you host publicly available resources for domain.com and corp.com, your public DNS server would be configured with DNS zone files for the domain.com and corp.com domains.

What sets the DNS advertiser apart from any other DNS server hosting DNS zone files is that the DNS advertiser answers queries only for domains for which it is authoritative. The DNS server will not perform recursion for queries to other DNS servers. This prevents users from using your public DNS server to resolve names in other domains. This increases security by lessening the risks associated with running a public DNS resolver, which include cache poisoning.
4. Use DNS resolvers

A DNS resolver is a DNS server that can perform recursion to resolve names for domains for which that DNS server is not authoritative. For example, you might have a DNS server on your internal network that’s authoritative for your internal network domain, internalcorp.com. When a client on your network uses that DNS server to resolve the name techrepublic.com, that DNS server performs recursion by querying other DNS servers to get the answer.

The difference between this DNS server and a DNS resolver is that a DNS resolver is a DNS server that is dedicated to resolving Internet host names. A resolver could be a caching-only DNS server that isn’t authoritative for any DNS domains. You can make the DNS resolver available to only your internal users, you can make it available only to your external users to provide a secure alternative to using a DNS server outside of your administrative control, or you can allow both internal and external users access to the DNS resolver.
5. Protect DNS from cache pollution

DNS cache pollution is an increasingly common problem. Most DNS servers are able to cache the results of DNS queries before forwarding the response to the host issuing the query. The DNS cache can significantly improve DNS query performance throughout your organization. The problem is that if the DNS server cache is “polluted” with bogus DNS entries, users can subsequently be forwarded to malicious Web sites instead of the sites they intended to visit.

Most DNS servers can be configured to prevent cache pollution. The Windows Server 2003 DNS server is configured to prevent cache pollution by default. If you’re using a Windows 2000 DNS server, you can configure it to prevent cache pollution by opening the Properties dialog box for the DNS server and clicking the Advanced tab. Select the Prevent Cache Pollution check box and restart the DNS server.
6. Enable DDNS for secure connections only

Many DNS servers accept dynamic updates. The dynamic update feature enables these DNS servers to register DNS host names and IP addresses for hosts that use DHCP for host IP addressing. DDNS can be a great boon in reducing the administrative overhead for DNS administrators who otherwise would need to manually configure DNS resource records for these hosts.

However, there can be a major security issue with DDNS updates if they are allowed unchecked. A malicious user can configure a host to dynamically update DNS host records of a file server, Web server, or database server and have connections that should be destined to those servers diverted to his machine instead of the intended target.

You can reduce the risk of malicious DNS updates by requiring secure connections to the DNS server in order to perform the dynamic update. This is easily achieved by configuring your DNS server to use Active Directory integrated zones and requiring secure dynamic updates. All domain members will be able to dynamically update their DNS information in a secure context after you make this change.
7. Disable zone transfers

Zone transfers take place between primary and secondary DNS servers. Primary DNS servers that are authoritative for specific domains contain writable DNS zone files that are updated as needed. Secondary DNS servers received a read-only copy of these zone files from primary DNS servers. Secondary DNS servers are used to improved DNS query performance throughout an organization or over the Internet.

However, zone transfers are not limited to only secondary DNS servers. Anyone can issue a DNS query that will cause a DNS server configured to allow zone transfers to dump the entirety of its zone database files. Malicious users can use this information to reconnoiter the naming schema in your organization and attack key infrastructure services. You can prevent this by configuring your DNS servers to deny zone transfer requests or by configuring the DNS servers to allow zone transfers only to specific servers in the organization.
8. Use firewalls to control DNS access

Firewalls can be used to gain access control over who can connect to your DNS servers. For DNS servers that are used only for internal client queries, configure firewalls to block connections from external hosts to those DNS servers. For DNS servers used as caching-only forwarders, configure firewalls to allow DNS queries only from those DNS servers that use the caching-only forwarders. An especially important firewall policy setting is to block internal users from using the DNS protocol to connect to external DNS servers.
9. Set access controls on DNS registry entries

On Windows-based DNS servers, you should configure access controls on the DNS server-related Registry settings so that only the accounts that require access to them are allowed to read or change those Registry settings.

The HKLMCurrentControlSetServicesDNS key should be configured to allow only the Administrator and System account access, and these accounts should have Full Control permissions.

10. Set access control on DNS file system entries

On Windows-based DNS servers, you should configure access controls on the DNS server-related file system entries so that only the accounts that require access to them are allowed to read or change those files.

The %system_directory%DNS folder and subfolders should be configured to allow only the system account to access the files, and the system account should be given Full Control permissions.

All about DHCP

DHCP Advantage

1) Adding DHCP to the network does not cost anything extra beacause the dhcp capability is placed on windows server 2003.

2) Once the IP configuration information is entered in the server , it is automatically passed to the clients . Thus a user cannot misconfigure any parameter.

3) Problems that occur ,during configuration are minimized.

4) DHCP assign the IP addresses only when the client makes a request. This leads to the conservation of ip addresses


DHCP Disadvantage

1) Only some of the DHCP client implementations work properly with the DHCP Server in windows server 2003.

2) The information in dhcp server is automatically deliverd to all the dhcp clients .Thus , it become important to put correct information into dhcp server.

3) If there is a single dhcp server and it is not available, lease will not be requested or renewed .this way it will be single point of failure for the network.

4)In oreder to use dhcp on a multisegment network , DHCP server or relay agent should be placed on each segment .you can also ensure that the router is forwarding Bootstrap protocol Broadcasts.


Managing DHCP

Managing DHCP Involves prforming Various functions to ensure smooth running of the DHCP service.

To use the DHCp Console To modify the dhcp Status

1) Select Start> All programs > Admin tools >DHCp.

2) Select the DHCP Server .

3) Select action > all tasks .A drop menu appears .

4) Select the required option.

Alternatively you can use the services console to modify the DHCP Status

1) Select start > All programs > Admin Tools > Services.

2) Double Click Dhcp Server.

3) To modify the Dhcp server status Clickany of the buttons from the service status group .


1) DHCP Automates the allocation of ip addresses to clients.

2) A DHCP server must be authorizes in active directory before they can assign ip address.

3) A set of one or more ip addresses is called an exclusion range .

4) Multinet is a configuration where more than one logical ip network is used on each physical network or subnet.

5) DHCP clients can be configured to receive ip addresses automatically or manually

6) You can soecify alternative settings for dhcpclients using the altern configuration tab.

7)Atleast period is the length of time for which the DHCp server allocates an ip address to the client.

8) The process to obtain an ip address is called the initial lease process.

9) There are four messages sent during the initial lease process

# DHCP Server

# DHCP Offer

# DHCP Request

# DHCp Ack

10) The deafault lease period for an ip address is 8 days.

interview question

How to Add a Windows 8 Start Menu

How to Install Classic Shell

To get Windows 8 working the way you want it to work, download the free open-source tool Classic Shell. Click Download Now, and your download will start automatically. Save the file and run it when it has finished downloading.

Classic Shell’s setup is fairly simple. You click Next, agree to the EULA, verify that you want to install all components (you do), and click Next again. Click Install to bring up a User Account Control prompt; this is Windows asking for your permission to install something you downloaded from the Internet. Since you’ve downloaded from a known good source, click Yes.  After that, you’re good!

A start button will appear using the Classic Shell logo (a Windows-themed shell.) This is a “classic”-style start menu, harkening back to Windows 2000, rather than Windows XP or Windows 7. The classic start menu also puts the Windows 8 shutdown functionality in a more familiar place, allowing us to restart, sleep, hibernate, or shut down our PCs without having to use the charms bar.

Start Classic Shell

In the above photo, Classic Shell adds the start button back where it should be. 

Start Menu Open

The Classic Shell start menu…

Classic Shell Shut down

…and the Classic Shell shut-down option.

How to Customize Classic Shell Install

To begin customizing your Classic Shell install, click Start, then go to settings and choose classic start menu. Here you have the straightforward option of choosing between a truly classic start menu, a Windows XP-style start menu, or a Windows 7-style start menu. Pick your favorite and then select Advanced Settings. This will reveal a wealth of options that allow you to customize the behavior of Windows 8 to suit your needs.

Classic Shell Start Settings

Classic Shell start settings options.

Basic Settings

Classic Shell start menu styles. Advanced Settings

Advanced settings for Classic Shell. 

The most critical choices to make regarding the new Windows 8 experience are found under the Windows 8 tab. Here you can choose to bypass TIFKAM at startup and also choose whether or not you wish to disable hot corners.

Skip Metro Screen Disable Active Corners

The most important setting: Telling Classic Shell to bypass the Metro start screen and disable active corners. 

If you disable all hot corners, you functionally turn Windows 8 back into Windows 7: The charms bar doesn’t appear on the right-hand corners, you don’t have the Start Screen pop-up when you move to the bottom left corner, and you don’t have the task-switching pop-up in the top left corner. TIFKAM is sealed away, only to return if you specifically go looking for it.

Choosing the Skip Metro Screen option will try to prevent you form having to deal too much with TIFKAM when you log in. You’ll still have to swipe the stylized space needle away with your mouse, and you’ll still have to log in. The change this option provides is that instead of dumping you into the Start Screen at login, the system will behave as though you had clicked the “desktop” tile immediately after login. The Start Screen will appear for a fraction of a second and then fold out of the way, dropping you on the desktop.

The niggle with this option is that on a brand-new system, Windows 8 loads to the login screen so fast that you may log in before Classic Shell has had a chance to load in the background. If you are quick on the draw, you still end up at the Start Screen immediately after login, despite choosing Skip Metro Screen in Classic Shell’s settings. Yes, the developers are aware of the issue and they are working on it.

Investigating the controls tab in Classic Shell reveals the means to access TIFKAM even after the hot corners have been disabled. By default, holding down the shift key while clicking on the start menu will cause the Start Screen to appear instead. I prefer to set my mouse’s middle button up for this purpose; there are other combinations available here as well.

By default Shift + Win opens Windows Start, use Middle Click

More Classic Shell options.

Shift Click Windows Start Menu

Setting Shift-Click behavior options in Classic Shell.

There are many other options that Classic Shell presents for customizing your Windows 8 experience, so take the time to fully explore the various tabs. With any luck, the settings we’ve discussed here should take care of the most jarring differences and help you become more comfortable with your new operating system.

Creating a Virtual Hard Disk Image from a Running OS with Disk2vhd

There are other physical-to-virtual tools that are available to create images out of installed operating systems running on physical hardware; the main advantage of the Disk2vhd tool is that you can run it on a system that is up and loaded as it uses the Windows’ Volume Snapshot capability to create a point-in-time snapshot of the volumes you want to include in a conversion.

The Disk2vhd tool also allows for the ability to create the VHDs on other local volumes including the active one being converted.

 [NOTES FROM THE FIELD]  While the tool does allow you to create the file in this manner there is a performance hit; it is always better to create the VHD is on a different physical disk.


Running Disk2vhd

Once you download the tool from the Microsoft Website (which still shows as a Sysinternals download point at http://download.sysinternals.com/Files/Disk2vhd.zip) you would open the ZIP file to expand the files to a location to run them.

Disk2vhd 0001

Once that is done you would run disk2vhd.exe and accept the Sysinternals Software License Terms which would then bring you to the application’s main view.


Disk2vhd 0002

The default view of my physical system is shown below. You’ll notice that the tool automatically selects all of the available drives and sets a default location and name where to drop the VHD file if you were to accept the defaults and select CREATE.

Disk2vhd 0003

Since a couple of these partitions are just data and others are alternate operating systems rather than my base image that I am currently running (Windows 7 Ultimate Edition x64) I am going to clear all the defaults with the exception of the C:\ which is where my Windows 7 install resides.

I would like to avoid the performance hit so I will change the default file location to my DATA drive.

Disk2vhd 0005

Once I have made the changes and hit the CREATE button you’ll notice the progress bar will begin and it will create an empty file holder at the destination directory as it builds as shown in the second image below just above the active application window.

Disk2vhd 0006

Once the image is created you’ll see that its actual size is shown and it is ready to be mounted within the Virtual PC environment.

 I am running the Virtual PC environment of Windows 7. When I attempt to walk through the steps to mount the virtual machine under Virtual PC in the sequence of steps show below you’ll notice I have a critical failure and cannot continue.

Disk2vhd 0008

Disk2vhd 0009

Disk2vhd 0010

Disk2vhd 0011

Disk2vhd 0012

This is because Virtual PC doesn’t support the Multiprocessor Specification and it will not be able to boot VHDs captured from multiprocessor systems.

In order to boot this successfully I would need boot my Server 2008 system running Hyper-V in order to mount the VHD (after configuring everything necessary in the Hyper-V Manager as shown below).

Disk2vhd 0013

Disk2vhd 0014

Disk2vhd 0015

Disk2vhd 0016

Disk2vhd 0017

Disk2vhd 0018


Disk2vhd Best Practices and other Support Notes

Briefly, it is important to note what is supported under the tool and what are the recommended operational boundaries.

  • Disk2vhd can run on the following operating systems: Windows XP SP2, Windows Vista and Windows 7, including x64 systems.
  • On the server platform side it supports Windows Server 2003 SP1 and Windows Server 2008, including x64 systems.
  • With respect to Virtual PC, it can support a maximum virtual disk size of 127GB. If a VHD is created from a larger disk, it will not be accessible from a Virtual PC VM.
  • Virtual PC doesn’t support the Multiprocessor Specification and it will not be able to boot VHD’s captured from multiprocessor systems.
  • You cannot run VHDs on the same system from which they were created in an effort to boot from them. By default, Windows assigns the VHD a new disk signature to avoid a collision with the signature of the VHD’s original source disk. Because of the way that the operating system references disks in the boot configuration database (BCD) by disk signature, this forced change causes the VM to fail because after the change it cannot locate the boot disk.
  • You can use Disk Management or Diskpart utilities under Windows Server 2008 or Windows 7 to mount the VHDs directly and view their contents through Windows Explorer or via the command line as if they were any other available volume.
  • Disk2vhd includes command-line options that enable you to script the creation of VHDs (as outlined below, provided from the tool’s help notes).

 Usage: disk2vhd <[drive: [drive:]…]|[*]>

Example: disk2vhd * c:\vhd\snapshot.vhd

In this tutorial we took an overview look of the Disk2vhd tool and also reviewed some of the best practices.

%d bloggers like this: