Archive for December 2011

25 Easy Steps to Recover a Downed Domain Controller (Don’t Panic)



If you are one of the many businesses running Windows Server 2008, then you may have had the unexpected pleasure of having a Domain Controller fail on you. Now if you do not know what a domain controller is, you are in for a treat. The domain controller is only the most important computer in your Windows Server 2008 domain: it holds the directory database (accounts, groups, policies) and answers every logon. You may well have had a technician install this beast, and I put that lightly; a domain controller runs a powerful service, but it does not have to sit on a very powerful box. What it does have to be is redundant. So, what should we do if a domain controller goes down and we have another one? Well, first, I want to tip my hat to you. Not many companies know the importance of having more than one domain controller in their environment. Let’s digress a little. Why do you want multiple domain controllers? See, besides holding a copy of the directory, a domain controller can hold special jobs that only one server at a time is allowed to do. These are the five FSMO (Flexible Single Master Operations) roles: Schema Master, Domain Naming Master, RID Master, Infrastructure Master and PDC Emulator. They control the overall environment, and if the server holding them dies, those jobs die with it until somebody moves them. Let’s go over some definitions. Don’t go to sleep on me. We will be getting to the good stuff soon enough.

Schema Master

Now you are asking, what is a schema? Think of a database. If you have used Excel or Access in the past then you have been exposed to one: tables made of fields. The Active Directory schema is the blueprint for that database. It is composed of Classes, which play the part of the tables (user, computer, group), and Attributes, which are the fields (sAMAccountName, description, memberOf). Every object you create in Active Directory Users and Computers (ADUC) has to follow the schema. The Schema Master is the one domain controller allowed to write changes to the schema, so you can say this is a relatively important server. When you update the schema, which is known as extending the schema (Exchange and other products do this during setup), the change has to be made against this domain controller by a member of the Schema Admins group, and it then replicates to every other domain controller in the Forest. This role is located on the first domain controller added to the Forest by default. There is only one Schema Master per Forest.

Domain Naming Master

So, what is the definition of a domain? A domain is a logical grouping of computers and users where the domain controllers are the central repository for accounts, security and policies. The Domain Naming Master is in charge of adding and removing domains (and application partitions) within the Forest; without it you cannot create a new child domain or a new tree. This role is located on the first domain controller added to the Forest by default. There is only one Domain Naming Master per Forest.

PDC Emulator

Remember the old operating system known as Windows NT 4.0? It is the ancestor of Windows Server 2008 (Windows 2000 and 2003 came in between). In those days, which was really only a little over ten years ago, one domain controller held the writable copy of the accounts database and was known as the Primary Domain Controller (PDC); the others were Backup Domain Controllers. That is where this role comes from: it stands in for the old Primary Domain Controller for anything that still expects one. It also does several things the whole domain leans on: it is the authoritative time source for the domain (Kerberos refuses tickets when clocks drift more than five minutes apart by default), password changes and account lockouts are forwarded to it immediately so it always knows the newest password, and the Group Policy editor connects to it by default. If this puppy is not functioning right, your whole environment will suffer. This role is located on the first domain controller added to each domain by default. Unlike the two Forest roles above, there is a PDC Emulator in every domain in the Forest, but only one per domain. This is one of the most important servers in the Domain.

RID Master

The unique identifier in a database is known as the primary key. The primary key that provides uniqueness within Active Directory Domain Services is the SID, the Security Identifier. A SID is the domain’s own SID with a RID, a Relative Identifier, tacked on the end. Every domain controller hands out SIDs when you create accounts, so each one is given a block of RIDs (a RID pool, 500 at a time by default) to spend; the RID Master owns the master pool and issues those blocks. When a domain controller runs through its block and the RID Master is gone, it can no longer create security principals such as user, computer or group accounts. Here is the tip that matters: once you have seized this role, never bring the old RID Master back online. Two RID Masters handing out overlapping RID blocks means two different accounts with the same SID, and that is a majorly messed up domain. This role is located in every domain in the Forest, but only one per domain.

Infrastructure Master

This is an odd animal. The main purpose of the Infrastructure Master is keeping track of objects that live in other domains. This needs some clarification. We are not talking about Big Brother. Well, maybe. When a group in your domain contains a user from another domain, your domain only holds a reference (a phantom) to that user, and the Infrastructure Master is the one that notices when the user is renamed or moved in its home domain and fixes up the reference. Now the reason I call this an odd animal is that it should not be on the same server as a Global Catalog. Ok, I know we are about to go over the threshold limit of the human mind. But the Global Catalog holds a partial copy of every object in the Forest, so a server that is a GC already has the real answer and never notices that its phantoms are stale; an Infrastructure Master sitting on a GC simply never updates anything. The exception: if every domain controller in the domain is a GC, or you only have one domain in the Forest, there are no phantoms to fix and it does not matter where the role sits. The Global Catalog will be covered in another article. Back to the Infrastructure Master: this role is also located in every domain and there is only one per domain.

Whew, I know that is a lot to remember. But this is important. See, remember our problem…. The domain controller is down. If you only have one domain controller, it holds all of these roles and the only copy of the directory. HELLO, can you see where we are going with this? Make sure you have more than one domain controller per domain. Ok, here is another topic. Replication. No, this is not cloning, but it is similar. The domain controllers in the Forest replicate their information to each other, and every one of them accepts writes; this is called multi-master replication. It just means that each domain controller ends up holding the same data as the other guys, and that a change you make on any of them shows up on the rest. The FSMO roles are the exception: those five jobs are single-master, which is exactly why we have to move them by hand when the holder dies. Anyway, we come into work and find that the #1 domain controller has bit the dust. Don’t panic, we can fix this. Take a coffee break and realign your thought process.
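Before any of this goes wrong, it is worth knowing where the five roles actually sit. The script below is an added example, not part of the original post: it maps every FSMO role to its holder and warns about the three single points of failure described above (all roles on one box, a domain with only one domain controller, and an Infrastructure Master sitting on a Global Catalog in a multi-domain forest). It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and the RSAT tools, and an account that can read the forest.

```powershell
# Added example: locate the FSMO role holders and flag single points of failure.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)      # every DC in the current domain

# Forest-wide roles: one holder per forest
$roles = @{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
# Domain roles: one holder per domain, so walk every domain in the forest
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    $roles["PDC Emulator ($domainName)"]          = $d.PDCEmulator
    $roles["RID Master ($domainName)"]            = $d.RIDMaster
    $roles["Infrastructure Master ($domainName)"] = $d.InfrastructureMaster
}
$roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Warning 1: every role on one server means one hardware failure takes them all.
$holders = @($roles.Values | Sort-Object -Unique)
if ($holders.Count -eq 1) {
    Write-Warning "All FSMO roles sit on $($holders[0]) - add a second DC and spread them out."
}

# Warning 2: fewer than two DCs in this domain means there is nothing to seize from.
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller in $($forest.RootDomain); recovery needs a second one."
}

# Warning 3: an Infrastructure Master on a Global Catalog never updates cross-domain
# references, unless the forest has one domain or every DC in the domain is a GC.
if ($forest.Domains.Count -gt 1) {
    foreach ($domainName in $forest.Domains) {
        $d         = Get-ADDomain -Identity $domainName
        $im        = Get-ADDomainController -Identity $d.InfrastructureMaster
        $domainDCs = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGC     = @($domainDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($im.IsGlobalCatalog -and -not $allGC) {
            Write-Warning "Infrastructure Master $($im.HostName) is a GC, but not every DC in $domainName is; move the role or make all DCs GCs."
        }
    }
}
```

Run it from any domain-joined admin workstation; the first table is the one you want printed and pinned above your desk before the day a domain controller dies.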

To the Rescue

So, we have a pretty bad situation. Users are having trouble logging on; the email server (which depends on a Global Catalog) is down; password changes are failing; yada yada yada. So, here is the good stuff. How do we get our domain back up and functioning? Call me of course. Just kidding. This article is here to instruct you on how to recover from this disaster. Before we can do this we need one of two tools: the GUI snap-ins (ADUC and friends) or ntdsutil. Of the two, ntdsutil will let us do everything we need from one prompt: seize the roles and clean up the dead server’s metadata afterwards. One rule before you start: transferring a role (the polite way, with the old holder still online) is always preferable to seizing it. Seize only when the old domain controller is gone for good, because once you seize, the old machine must never come back on the network with its old identity. Ok, are you ready…..

Recovering From Disaster

Step 1. Go to the second domain controller (we will call this Jupiter). Log on with administrative credentials: Domain Admins is enough for the three domain roles, but seizing the Schema Master and Domain Naming Master needs Schema Admins and Enterprise Admins membership as well.

Step 2. Bring up the command prompt. Type cmd in the Run box, or open Command Prompt from the Accessories folder under All Programs on the Start menu.

Step 3. Type ntdsutil at the command prompt and press Enter

Step 4. Type roles at the ntdsutil prompt and press Enter

Step 5. Type connections at the roles prompt and press Enter

Step 6. Type connect to server Jupiter at the connections prompt and press Enter. You will be presented with a message saying you are connected and using current credentials

Step 7. Type quit at the connections prompt and press Enter. This will return you to the roles section

Step 8. Type seize schema master at the roles prompt and press Enter. ntdsutil asks you to confirm, then first tries a clean transfer from the old holder and only seizes when it gets no answer. Jupiter now owns the Schema Master role.

Step 9. Type seize naming master at the roles prompt and press Enter. Confirm the dialog. This takes over the Domain Naming Master role and gives it to Jupiter.

Step 10. Type seize pdc at the roles prompt and press Enter. Confirm the dialog. This takes over the PDC Emulator and gives it to Jupiter. Time and password changes now flow to Jupiter.

Step 11. Type seize rid master at the roles prompt and press Enter. Confirm the dialog. This takes over the RID Master and gives it to Jupiter. This is the role that can never be given back: from this point on the old server must be rebuilt, not repaired.

Step 12. Type seize infrastructure master at the roles prompt and press Enter. Confirm the dialog. This takes over the Infrastructure Master and gives it to Jupiter. Remember the odd-animal rule: if Jupiter is a Global Catalog and your Forest has more than one domain, plan to move this role to a non-GC domain controller later.
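The twelve steps above, scripted. This is an added example and not code from the original post: it runs on the surviving domain controller, proves the old holder is really unreachable before doing anything irreversible, seizes only the roles the dead server actually held, and verifies the result from the survivor. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and uses two hypothetical names, Jupiter for the survivor and Saturn for the dead domain controller; the equivalent ntdsutil one-liner is shown in a comment for plain Windows Server 2008, where the module is not available.

```powershell
# Added example: seize the FSMO roles a dead DC held, with pre-checks.
# Assumes the ActiveDirectory module; 'Jupiter' and 'Saturn' are hypothetical names.
Import-Module ActiveDirectory

$deadDc     = 'Saturn'     # the domain controller that bit the dust
$survivorDc = 'Jupiter'    # the domain controller we are logged on to
$allRoles   = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# 1. Prove the holder is really gone. Seizing from a DC that is merely slow is
#    how you end up with two RID Masters handing out the same SIDs.
function Test-DcReachable([string]$Name) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Name, 389); return $true }   # LDAP answering = still alive
    catch   { return $false }
    finally { $client.Close() }
}
if (Test-DcReachable $deadDc) {
    throw "$deadDc still answers LDAP on 389. Transfer the roles instead of seizing them."
}

# 2. Which roles did the dead DC hold? Seize only those and leave the rest alone.
$forest = Get-ADForest
$domain = Get-ADDomain
$held = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toSeize = @($allRoles | Where-Object { $held[$_] -like "$deadDc*" })
if ($toSeize.Count -eq 0) { throw "$deadDc held no FSMO roles; nothing to seize." }
Write-Host "Seizing from $deadDc to $survivorDc : $($toSeize -join ', ')"

# 3. Seize. -Force is the PowerShell equivalent of ntdsutil's 'seize ...': it
#    attempts a clean transfer first and forces the role only if the holder
#    cannot be reached.
Move-ADDirectoryServerOperationMasterRole -Identity $survivorDc -OperationMasterRole $toSeize -Force -Confirm:$false

# Same thing with the tool the steps above use, fed its commands as arguments
# (ntdsutil still pops a Yes/No dialog for every seize):
#   ntdsutil roles connections "connect to server Jupiter" quit `
#       "seize schema master" "seize naming master" "seize pdc" `
#       "seize rid master" "seize infrastructure master" quit quit

# 4. Verify against the survivor itself, not against whatever was cached.
Get-ADForest -Server $survivorDc | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Server $survivorDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

The reachability check is deliberately a raw TCP connect to the LDAP port rather than a ping: a domain controller with its directory service stopped still answers ICMP, and a firewall that drops ICMP does not mean the server is dead.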

Right now you are probably saying that is a lot of steps. We are done with the first part. WHAT, there is more? Hold on, don’t get antsy; this will only take about 5 hours. Just kidding. The whole process takes about 10-20 minutes. You will be the savior of the network. All righty then, on to the next part. By the way, the seize steps can be done in any order, you only need to seize the roles the dead server actually held, and the commands are not case sensitive.

Cleanup Time

Now, at the beginning of the article I pointed out each of the roles and their purpose. Well, we forcibly took over the roles. The other domain controller is still offline, but the directory still has its server object, its NTDS Settings object and its computer account, and as far as replication is concerned it is still a partner. If we were to bring that domain controller up again there would be major confusion (and the duplicate-SID problem from the RID Master section). Meanwhile Active Directory Domain Services keeps trying to replicate to a partner that no longer exists: the KCC (Knowledge Consistency Checker) keeps building replication links to it, and replication errors pile up in the Directory Service event log. We need to clean up this mess, and quickly.

Step 13. Type quit at the roles prompt and press Enter. This will take us back to the beginning.

Step 14. Type metadata cleanup at the ntdsutil prompt and press Enter. This routine removes the dead domain controller’s objects from the directory: its NTDS Settings object, the server object under Sites, its computer account and its FRS/DFSR member objects. It does not touch DNS; the stale SRV, A and CNAME records that still point at the old server have to be deleted by hand in the DNS console afterwards.

Step 15. Type select operation target at the metadata cleanup prompt and press Enter. We need to identify the downed domain controller.

Step 16. Type list sites at the select operation target prompt and press Enter. This will list the sites within the Forest

Step 17. Type select site # at the select operation target prompt, where # is the number shown next to the Site the downed domain controller belongs to, and press Enter. This selects the site that holds the records for the downed domain controller.

Step 18. Type list servers in site at the select operation target prompt and press Enter. This will list the domain controllers that are in the Site.

Step 19. Type select server # at the select operation target prompt, where # is the number shown next to the downed domain controller, and press Enter. This selects the server whose metadata we are about to remove; double-check the name, because the next command has no undo.

Step 20. Type quit at the select operation target and press Enter. This will take you back to the Metadata Cleanup section

Step 21. Type remove selected server at the metadata cleanup prompt and press Enter. A dialog asks you to confirm; click Yes. This removes the records within Active Directory Domain Services.

Step 22. Type quit at the metadata cleanup prompt and press Enter. Takes you back to the beginning of ntdsutils

Step 23. Type quit at the ntdsutil prompt and press Enter. Quits the ntdsutil utility

Step 24. Check ADUC, DNS and Sites and Services. Ensure that you can open ADUC; if a console still points at the dead server, right-click the domain node and change the domain controller to Jupiter. Delete any A, CNAME and SRV records for the old server that remain in DNS, including under _msdcs. Then run repadmin /replsummary and dcdiag /test:knowsofroleholders from Jupiter: the dead server should no longer appear as a replication partner, and every role should show Jupiter as its holder.

Step 25. Keep the old domain controller off the network. Wipe it, reinstall Windows Server 2008 and dcpromo it back in as a brand-new domain controller. Do not restore its old system state and do not plug it in with its old identity before its metadata is gone from the directory; its copy of the database still believes it owns the roles you just seized.
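Steps 13 to 25, scripted. This is an added example rather than code from the original post: it builds the distinguished name that steps 16-19 select interactively, runs the same ntdsutil metadata cleanup non-interactively, then does the two checks the steps leave to you, finding DNS records that still point at the dead server and confirming the survivor no longer sees it as a partner. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and the hypothetical names Saturn (dead domain controller), Default-First-Site-Name (its site) and whatever domain the script runs in.

```powershell
# Added example: metadata cleanup of a dead DC plus the DNS and replication checks.
# Assumes the ActiveDirectory module; 'Saturn' and 'Default-First-Site-Name' are hypothetical.
Import-Module ActiveDirectory

$deadDc   = 'Saturn'
$site     = 'Default-First-Site-Name'
$domain   = (Get-ADDomain).DNSRoot
$configNC = (Get-ADRootDSE).configurationNamingContext
$serverDN = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNC"

# 1. Confirm the leftover server object exists (this is what 'select site' and
#    'select server' pick out in the interactive steps).
try   { $null = Get-ADObject -Identity $serverDN }
catch { throw "No server object at $serverDN - check the site name with 'list sites'." }

# 2. Metadata cleanup: the same routine as steps 14-21, fed the DN directly.
#    ntdsutil accepts its commands as arguments; a confirmation dialog still appears.
#    It removes the NTDS Settings object, the server object, the computer account
#    and the FRS/DFSR member objects. It does NOT touch DNS.
& ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# 3. DNS: find SRV records that still advertise the dead DC so the locator stops
#    sending clients to it. nslookup is used because it exists on plain 2008.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_gc._tcp.$domain"
)
foreach ($name in $srvNames) {
    $stale = @(& nslookup -type=SRV $name 2>$null | Select-String -Pattern $deadDc)
    if ($stale.Count -gt 0) {
        $lines = ($stale | ForEach-Object { $_.Line.Trim() }) -join '; '
        Write-Warning "Stale record under $name -> $lines  (delete it in the DNS console)"
    }
}

# 4. Verify: the survivor should no longer list the dead DC and should know who
#    holds every role.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
& repadmin /replsummary
& dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck

# 5. The old box: wipe, reinstall, dcpromo. Never reconnect it with its old identity;
#    its copy of the directory still believes it owns the roles you seized.
```

If step 1 throws, do not guess at the site name: run ntdsutil interactively, use list sites and list servers in site exactly as in steps 16-19, and read the distinguished name off the output.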

Wow, what an ordeal. Just think if you did not have another domain controller within your Forest. Do yourself a favor and make sure you have more than one domain controller in your environment. There is a lot more that we can teach you. But, we will leave that for another article. Right now, go get that cup of coffee, high five your staff and relax. Your domain is back up and running. Now go change some passwords and play Halo at your desk. Oops, did I say that. See you later.

Create and Sell Cookbooks and Recipes From Public Domain Information



Cookbooks and individual recipes are always hot sellers but sadly a great many lack perceived value especially those being sold for pennies on eBay and piled in huge quantities into cheap resell rights packages.

You must differentiate yourself from elements like this that despoil the publishing business. You need to find quality products from great writers, you need unique products, and the public domain is an excellent place to start looking for recipes and even complete cookbooks and recipe compilations that only you know about.

The most important thing of all to succeed in the publishing business is to seek recipes not currently offered for sale, especially from cheap suppliers, and when you find those products you must work hard to lift yours way above what anyone else is selling. These tips will show you how:

* Add perceived value to your public domain derived cookbooks and recipes by creating a mouth-watering sales letter and rather than offering digital download only, offer a choice of representations, on CD for example, or in printed fashion, or print / CD combined with digital download.

* Take public domain recipes that anyone can access and make yours really different by repackaging them into unique compilations, such as ’20 Great Chocolate Cake Recipes’, ‘Long Forgotten Victorian Christmas Fayre Recipes’, and so on. This works well because you will find most publishers, especially those heavily dependent on the public domain, are very lazy. They will offer their products exactly as they obtained them from the public domain, without changes, without even creating a new title. The end result is many people selling exactly the same products, both sharing whatever market exists for their inferior products and making very little money to speak of.

* Be really different with your public domain derived products and offer compilations as well as individual recipes. Offer a variety of product types, such as single recipes in pdf format or as laminated printouts to safeguard against splashes from water and ingredients during the preparation and cooking process.

* Increase the perceived value of your single recipe products or multiple recipe cookbooks by charging a realistic price for your products. People actually do associate high price with quality, even if that isn’t always the case in practice. People charging in pennies are usually selling inferior products or growing a mailing list for selling higher priced products later. It’s still a good idea to sell inexpensively to create buyer trust and grow a list of potential buyers for later, more expensive products, but only if those inexpensive products are also high quality. Sell low quality items, whatever the price, and few people will have confidence to buy from you again later.

* Add your own copyright notice (e.g. Copyright Avril Harper 2007) to cookbooks and individual recipes you have created from public domain information. Be clear about what that notice covers: the public domain text itself stays free for anyone to use, so what you can claim is the original work you add on top, such as your selection and arrangement of recipes, a new introduction, your own notes and photographs, or a rewritten and updated method. Purely mechanical changes, such as italicising a few words or repaginating the text, do not create new copyright and will not help you prove that someone has copied your book rather than the original. So make real changes: add a contents list where none existed, group the recipes into your own themed chapters, write headnotes for each recipe, test and modernise the quantities. These additions make your book genuinely unique, and they are what gives you something to enforce against anyone reselling your work.

* Be different and, instead of creating everyday recipes or packing all kinds of recipes for all kinds of foods into one cookbook, go for themed cookbooks, such as ‘Native American Soups’, ‘Sexy Soups and Smoothies (Aphrodisiacs to Make in Minutes and Enjoy All Night Long)’, ‘Healthy Foods for Aging Pets’, ’100 Meals to Make in Minutes’, and so on.

Note that, although bare lists of ingredients cannot be copyrighted, as for all basic lists, the words used to describe how the finished meal or dish is made, namely the recipe text, can be. Also copyright protected are pictures and other illustrations used by the originator in cookbooks and single recipe items which are not in the public domain, or which have been newly created from public domain material and so have their own copyright protection.

* The cookbooks and recipes you republish from the public domain do not have to benefit just human beings. Recipes for cats and dogs are immensely popular, especially designed to benefit animals with special needs and specific health problems, such as aged and infirm pets and others suffering epilepsy, rheumatism, allergies, and so on. The more unusual the animal your recipes target, the tighter your niche market becomes, and the less competition you face, so the more likely potential customers are to buy your public domain derived information products. Great ideas for really tight niche markets include recipes for aging horses, post-operative cats and dogs, pregnant and nursing cats and dogs, and so on.

Active Directory



Let’s analyze a basic part of Active Directory: domains. A domain is a logical collection of objects and a security and administrative boundary at the same time. Every domain has a name like “Microsoft.com”, and that name is also the root of its DNS namespace. A “tree” is one or more domains that share a contiguous namespace, so “support.microsoft.com” and “train.support.microsoft.com” would be children in the same tree. Now, what happens within a tree is that there is an automatic two-way transitive trust between the domains, and the same goes for the “forest”, which is a collection of trees that share a common configuration and schema (all the object classes and attributes you can use inside your network; remember, only one schema per forest!). A trust lets a user from one domain be authenticated for resources in another, but it only opens the door: the other domain still has to grant that user permission to whatever they are trying to reach.

Active Directory is built on servers called domain controllers. These are servers that hold a local domain database (Active Directory), where all the user and computer accounts reside. This directory service also authenticates users and responds to queries every time members in the domain perform a search. So when someone searches for a printer or another user, or when one asks to connect to another server in the network, they are actually “talking” to the domain controller and perform searches in the active directory database.

Some domain controllers have an additional role called Global Catalog (GC), which makes the server the forest’s index. A GC holds a full copy of its own domain plus a partial, read-only copy of every object in every other domain in the forest (only the attributes most often searched for, such as names and universal group membership). When someone searches for something that lives in another domain, the GC can answer from its own copy instead of chasing a referral to that domain, so it is found a lot faster. Logon also needs a GC to work out universal group membership, which is why a domain with no reachable Global Catalog is a sick domain.

No Active Directory can exist without DNS (Domain Name System). All network services depend on it. Most people think it only performs name resolution (“pinging” a name and getting the IP address back), but DNS does a lot more. Domain controllers register SRV records under _msdcs.<domain> and under the _sites subtree, and clients use those records to find domain controllers, Global Catalog servers and Kerberos KDCs. DNS itself does not know which server is nearest; what makes the answer local is the site-specific records. The client’s DC locator first asks for the SRV records of its own Active Directory site (_ldap._tcp.<site>._sites.dc._msdcs.<domain>), so the domain controllers it is offered are the ones in its own site. Only if that query returns nothing does it fall back to the domain-wide list, and that list is ordered by the records’ priority and weight, not by distance.

In order to have an effective domain, more than one domain controller must be used. This is done for redundancy and load balancing. If one goes down, you need to make sure that someone is still authenticating the clients, and when all of them are working you want them all sharing the load. What is replicated is all the domain information we have created inside Active Directory: user accounts, computer accounts, group objects, policies (the policy objects themselves; the policy files travel through SYSVOL replication) and the structure of the directory. When you want to make a change, you can connect to any domain controller you like. Every domain controller accepts writes, which is a big improvement from the NT days when only the PDC did; the one exception is the handful of single-master (FSMO) operations, such as schema changes and adding domains, which must be done on the domain controller holding that role. Replication runs regularly, so changes made on one domain controller are automatically replicated to the others.

Another important thing you should be familiar with is that the Active Directory database is divided into what Microsoft calls partitions (also called naming contexts). A partition is a logical boundary around a specific type of information, and each one has its own replication scope. Partitions are categorized into “domain partitions”, “configuration partitions”, “schema partitions” and “application partitions”. A domain partition contains all the objects in the directory for one domain and replicates only to that domain’s controllers. The configuration partition contains the site, replication and service configuration for the whole forest and is replicated to every domain controller in it. The schema partition has all the object classes and their attributes and is likewise forest-wide. An application partition holds data for a specific application (DNS zones stored in Active Directory are the common example) and replicates only to the domain controllers you choose.
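Two of the points above are easy to see for yourself from any domain-joined machine. The script below is an added example and not code from the original article: the first part reads the partitions a domain controller holds straight out of RootDSE, which needs no extra module; the second part performs the site-aware lookup the DC locator does, asking DNS for the SRV records of this machine’s own site first and only then for the domain-wide list. It assumes a domain-joined Windows 8 or Server 2012 (or later) machine for the Resolve-DnsName cmdlet; the domain and site names are taken from the machine rather than hard-coded.

```powershell
# Added example: list the partitions a DC holds, then locate DCs the way the
# DC locator does (own site first). Assumes a domain-joined machine with the
# DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName.
$rootDse = [ADSI]'LDAP://RootDSE'      # no module needed; works on PowerShell 2.0

# Part 1: the partitions (naming contexts) as the directory itself reports them
$defaultNC = [string]$rootDse.defaultNamingContext
$configNC  = [string]$rootDse.configurationNamingContext
$schemaNC  = [string]$rootDse.schemaNamingContext
Write-Host "Domain partition        : $defaultNC"
Write-Host "Configuration partition : $configNC"
Write-Host "Schema partition        : $schemaNC"
Write-Host "Application partitions  :"
# Anything in namingContexts that is not one of the three above is an application
# partition (DomainDnsZones / ForestDnsZones on a DNS-integrated DC, for example).
$rootDse.namingContexts |
    Where-Object { $_ -notin @($defaultNC, $configNC, $schemaNC) } |
    ForEach-Object { Write-Host "    $_" }

# Part 2: site-aware domain controller location
$domain = $defaultNC -replace 'DC=', '' -replace ',', '.'          # DC=contoso,DC=com -> contoso.com
$site   = (& nltest /dsgetsite | Select-Object -First 1).Trim()   # this machine's AD site

function Get-DcCandidates([string]$SrvName) {
    # SRV records carry a priority (lower wins) and a weight (higher wins within a
    # priority). The locator honours both, so sort the same way. Note: nothing here
    # is "distance"; the site name in the query is what keeps the answer local.
    Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

Write-Host "`nDomain controllers registered for my site ($site):"
$local = @(Get-DcCandidates "_ldap._tcp.$site._sites.dc._msdcs.$domain")
$local | Format-Table -AutoSize

# Only when the site-specific query is empty does the locator fall back to the
# domain-wide record set, which is in no particular geographic order.
if ($local.Count -eq 0) {
    Write-Host "No DC registered for site $site; domain-wide list (priority/weight order):"
    Get-DcCandidates "_ldap._tcp.dc._msdcs.$domain" | Format-Table -AutoSize
}
```

If the site-specific list comes back empty on a machine that clearly has a domain controller nearby, the usual cause is a subnet that was never added to Sites and Services, so the client is not mapped to any site and every lookup falls through to the domain-wide records.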

These are the basic functions of Microsoft Active Directory.