Finding FSMO Roles in Active Directory using NTDSUtil

Category : Active Directory

First things first: FSMO means Flexible Single Master Operation and it is used within Active Directory to control, monitor and manage configuration updates. Without going into more detail about how FSMO works, let’s move on to understanding the five (5) FSMO roles:

Schema Master: It controls all the updates and modifications that relate to the schema of the Active Directory. It is the duty of the Schema Master to ensure that the latest schema has been replicated across all Domain Controllers in the directory. The role is forest-wide and there can be only one Schema Master in a forest.

Domain Naming Master: It controls the addition and deletion of domains in the forest. The role is once again forest-wide and there can be only one Domain Naming Master in a forest.

RID Master: RID stands for Relative ID, and the RID Master is responsible for processing RID pool requests from all Domain Controllers in a particular domain. For example, when we create a user in Active Directory, a unique Security Identifier (SID) is created which identifies it in the domain. Along with this SID, a Relative ID (RID) that is unique to the SID is also generated from a pool that has been allocated to the DC. The main job of the RID Master is to ensure that each DC has a sufficient RID pool and, if not, to process the request for a new pool from the unallocated RID pool. The role is domain-specific and there can be only one Domain Controller handling this role.

Infrastructure Master: When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. The role is domain-specific and there can be only one Domain Controller handling this role.

PDC Emulator: It is a backward-compatible role that has been handed down as a legacy from Windows NT 4.0 and is mainly used for syncing time in the enterprise. The W32Time service that we see in the Services MMC has a very important role to play: synchronizing time across the enterprise so that Kerberos authentication works smoothly. After all, password changes, authentication, account lockout, etc. all depend on this. The role is domain-specific and there can be only one Domain Controller handling this role.

So why does an administrator need to know which Domain Controller is holding which role? Well, normally a single machine carries all five FSMO roles, but there are scenarios where an administrator would have moved one or more FSMO roles. To know why, read this KB article from Microsoft. With a better understanding of which server holds which role, the administrator can plan better for disaster recovery or scheduled maintenance. There are many ways to find out which DC holds which role, but here is one that uses NTDSUtil, a command-line tool.

A word of caution before we proceed: If you do not know what you are doing and have no idea about how Active Directory works or even worse – what Active Directory is – please refrain from doing this practically. Doing this incorrectly or messing with this command can cause your Active Directory to crash and lose functionality.

Step #1: On any Domain Controller, click Start. In the Run box type CMD and hit Enter. You will be taken to the good old command prompt window (DOS were the days). Type ntdsutil and hit Enter.

Step #2: You shall see the screen with ntdsutil: prompt. Since we want to find out the roles, type roles and hit Enter. Notice that the prompt now changes to show fsmo maintenance:. Now is a good time to get more HELP on the list of available commands.

Step #3: At the fsmo maintenance: prompt, type ? and hit Enter. Right-click in the window, mark the listed commands and copy them. Paste the clipboard into Notepad for easy reference.

Step #4: Type connection and press Enter. This will show a prompt with server connections:. Type connect to server <servername> (replace <servername> with the actual name) and press Enter.

Step #5: Once we are connected to the Domain Controller, type q to return to the fsmo maintenance prompt. Now type select operation target and press Enter. Notice that the prompt changes to select operation target:.

Step #6: At the select operation target prompt, type list roles for connected server and press Enter. This lists all the FSMO roles for that Domain Controller. To get out of ntdsutil, type q until you are back at the good old DOS prompt.
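The same lookup scripted in PowerShell, as an added example that is not part of the original post: it reads the five role holders from the forest and domain objects (forest-wide roles from Get-ADForest, domain roles from Get-ADDomain) and flags the case the post mentions, where the roles have been moved off a single machine. It assumes the ActiveDirectory module (RSAT) is installed; $Server is a placeholder DC name.

```powershell
# Added example: list the FSMO role holders and check whether one DC holds all five.
# Assumes the ActiveDirectory module is available and the caller can read the forest.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Server = $null)   # optional: which DC to ask; default is the nearest one

    $args = @{}
    if ($Server) { $args.Server = $Server }

    # Forest-wide roles live on the forest object, domain-specific roles on the
    # domain object (of the domain the queried DC belongs to).
    $forest = Get-ADForest @args
    $domain = Get-ADDomain @args

    [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'PDC Emulator'          = $domain.PDCEmulator
    }
}

function Test-FsmoRolesOnSingleDc {
    param([System.Collections.IDictionary]$Roles)
    # $true when a single DC holds all five roles (the usual layout the post describes);
    # $false means an administrator has moved at least one role, which matters for
    # disaster recovery and maintenance planning.
    @($Roles.Values | Sort-Object -Unique).Count -eq 1
}

$roles = Get-FsmoRoleHolder
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if (-not (Test-FsmoRolesOnSingleDc $roles)) {
    Write-Warning 'FSMO roles are split across more than one Domain Controller.'
}

# The interactive steps above can also be passed to ntdsutil as one command line
# (replace DC01 with the real server name):
# ntdsutil "roles" "connections" "connect to server DC01" "q" "select operation target" "list roles for connected server" "q" "q" "q"
```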

For those looking for a ready-made solution rather than going through this process, check out DUMPFSMOS.CMD in the Resource Kit (Windows 2000/2003). This tool is a one-click utility that does the same trick.

Remove index.php from URL for WordPress

Category : Websites & Web Marketing

Many WordPress users prefer to host their web sites on a Linux server so that they can get rid of the index.php that gets into the URL, by using the mod_rewrite module on Linux. This is not supported on Windows Server’s IIS.

The main idea is to make the URL simpler and SEO friendly. Normally, when you set up PermaLinks in IIS, we get something like this:

http://www.yourwordpresssite.com/index.php/2009/08/02/your-blog-post/

This means that each link to the post carries index.php in the URL, which is not good. Outlined below are steps that can help to achieve the same result for a WordPress site on a Windows Server running IIS.

STEP: 1

Get the URL rewriting component on the Windows Server hosting your WordPress site. If you are not in control of the server or are not the server administrator, you can request the setup of the component from them. Click here to download the component from the vendor’s site. The component is absolutely free and distributed under GNU General Public License.

STEP: 2

Once the component is downloaded, copy the wp-url-rewriting.dll file to the Windows Server’s SYSTEM32 directory. Register the component so that it is available to IIS by running REGSVR32 WP-URL-REWRITING.DLL from the command prompt.

Note: You may get an error that the DLL entry point was not found, but do not let that bother you.

STEP: 3

Once the DLL is registered, log in to your WordPress admin area, navigate to PermaLinks and change the common setting to Custom Structure. Enter /%category%/%postname%/ as the structure and click Save Changes.

That’s it! We are done. WordPress should now show the URLs without index.php in them.
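Steps 2 and 3 as a script, added here and not part of the original post: the first function checks the downloaded DLL's Authenticode signature or its SHA256 against the value the vendor publishes before copying it into System32 and registering it with regsvr32 (run from an elevated prompt), and the second fetches the site's front page to confirm no links still carry /index.php/. $DllPath, $SiteUrl and the expected hash are placeholders for your own values.

```powershell
# Added example: verify the component before registering it, then confirm the result.
function Install-WpUrlRewriteDll {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [string]$ExpectedSha256 = '<PASTE-SHA256-FROM-VENDOR-PAGE>'   # placeholder
    )
    # Only register the file if it carries a valid signature or matches the hash
    # published for this release; a GPL component may well be unsigned, so the
    # hash is the fallback check.
    $sig  = Get-AuthenticodeSignature -FilePath $DllPath
    $hash = (Get-FileHash -Path $DllPath -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid' -and $hash -ne $ExpectedSha256) {
        throw "Refusing to register $DllPath : signature status '$($sig.Status)', SHA256 $hash"
    }

    # Step 2: copy into SYSTEM32 and register (requires an elevated session).
    $target = Join-Path $env:SystemRoot 'System32\wp-url-rewriting.dll'
    Copy-Item -Path $DllPath -Destination $target -Force

    # /s suppresses the dialog. The post notes that an 'entry point not found'
    # message can appear and is harmless, so the exit code is returned for the
    # caller to record instead of being treated as fatal.
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList '/s', "`"$target`"" -Wait -PassThru
    return $proc.ExitCode
}

function Get-IndexPhpLinks {
    param([Parameter(Mandatory)][string]$SiteUrl)
    # After step 3: every href on the front page that still contains /index.php/.
    # An empty result means the new permalink structure is in effect.
    $page = Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing
    $page.Links | Where-Object { $_.href -match '/index\.php/' } |
        Select-Object -ExpandProperty href
}

# Usage with placeholder values:
# Install-WpUrlRewriteDll -DllPath 'C:\Downloads\wp-url-rewriting.dll'
# Get-IndexPhpLinks -SiteUrl 'http://www.yourwordpresssite.com/'
```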

I invite everyone to share their experience or any other methods that they might have used.

Automate Patch Management with WSUS

Category : Microsoft Windows Server

Patching the Windows Operating System in an organization with multiple desktops and many flavors of operating systems is a mammoth task. It is vital for any Systems Administrator to ensure all systems are properly patched and updated to safeguard against viruses, worms, and Trojans. The biggest challenge in running Windows Update on individual machines is the inconvenience of visiting each desktop and approving the updates manually. Moreover, the bandwidth used by each desktop to download the updates is huge, not to mention the lack of centralized reporting.

So why do we need a centralized patch management policy? Well, the answer is simple – the systems are prone to risks and threats when exposed to the Internet or to media like USB pen drives, wireless networks and devices, etc. We all, at some point, might have experienced or read about the havoc caused by the Blaster or Sasser worms. Today software vendors have stepped up the release of emergency and critical updates in a formalized manner to counter these threats. Microsoft’s Patch Tuesday is a good example of this. To learn more about this program, click here.

WSUS from Microsoft is a boon to Network and System Administrators in this scenario. WSUS (Windows Server Update Services) is basically designed to run on a company’s network and automate the process of patching. This free product from Microsoft does a fair job of streamlining the overall patch management process of an organization with centralized reporting. For a Network or System Administrator it is just a simple task of installing the WSUS server on a system and then configuring all desktops to use the WSUS server for software updates. This can be easily achieved by creating a group policy and linking the policy to the correct OU using Group Policy Editor. The desktops would automatically announce their current status to the WSUS server with details like which patches need to be installed, which patches have failed to install, which patches have been successfully installed, etc.
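The group policy step described above, scripted as an added example (not from the original post): the first function creates a GPO that sets the Windows Update policy keys (intranet update server, status server for reporting, and the switch to use them) and links it to the desktop OU; the second runs on a client after gpupdate to confirm the policy actually landed. It assumes the GroupPolicy module (RSAT) on the admin workstation; the GPO name, WSUS URL and OU distinguished name are placeholders.

```powershell
# Added example: point desktops at the WSUS server through a GPO, then audit a client.
Import-Module GroupPolicy

function New-WsusClientGpo {
    param(
        [string]$GpoName  = 'WSUS Clients',                    # placeholder
        [string]$WsusUrl  = 'http://wsus.example.local:8530',  # placeholder
        [string]$TargetOu = 'OU=Desktops,DC=example,DC=local'  # placeholder
    )
    $gpo = New-GPO -Name $GpoName
    $wu  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    # WUServer is where clients download from; WUStatusServer is where they report
    # their status (installed / failed / needed patches) for the central reports.
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    # UseWUServer=1 makes Automatic Updates talk to the intranet server instead of Microsoft Update;
    # AUOptions=4 downloads automatically and installs on the schedule.
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'AUOptions'   -Type DWord -Value 4 | Out-Null

    New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
    return $gpo
}

function Test-WsusClientConfig {
    param([Parameter(Mandatory)][string]$ExpectedWsusUrl)
    # Run on a desktop after 'gpupdate /force': reads the policy keys and reports
    # whether the machine is set to download from and report to the expected server.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu        -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU"   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Configured     = ($p.WUServer -eq $ExpectedWsusUrl -and
                          $p.WUStatusServer -eq $ExpectedWsusUrl -and
                          $au.UseWUServer -eq 1)
    }
}

# Usage with placeholder values:
# New-WsusClientGpo -GpoName 'WSUS Clients' -WsusUrl 'http://wsus.example.local:8530' -TargetOu 'OU=Desktops,DC=example,DC=local'
# Test-WsusClientConfig -ExpectedWsusUrl 'http://wsus.example.local:8530'
```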

In a nutshell, WSUS seems to be a good product especially when there is no price tag attached to it and starting with WSUS 3.0 the reports have also improved over its predecessor.