Monthly Archives: July 2009

Working with FSMO Roles

Seizing of FSMO roles

The five FSMO roles are:

  • Schema master – Forest-wide and one per forest.
  • Domain naming master – Forest-wide and one per forest.
  • RID master – Domain-specific and one for each domain.
  • PDC – PDC Emulator is domain-specific and one for each domain.
  • Infrastructure master – Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try to get the server online again. None of the FSMO roles is immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem for them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:

FSMO Role         Restrictions
Schema            Original must be reinstalled
Domain Naming     Original must be reinstalled
RID               Original must be reinstalled
PDC Emulator      Can transfer back to original
Infrastructure    Can transfer back to original

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role         Administrator must be a member of
Schema            Schema Admins
Domain Naming     Enterprise Admins
RID               Domain Admins
PDC Emulator      Domain Admins
Infrastructure    Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

     Microsoft Windows [Version 5.2.3790]
     (C) Copyright 1985-2003 Microsoft Corp.

     C:\WINDOWS>ntdsutil
     ntdsutil:

  2. Type roles, and then press ENTER.

     ntdsutil: roles
     fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

     fsmo maintenance: connections
     server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

     server connections: connect to server server100
     Binding to server100 …
     Connected to server100 using credentials of locally logged on user.
     server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

     server connections: q
     fsmo maintenance:

  6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:

     Seize domain naming master
     Seize infrastructure master
     Seize PDC
     Seize RID master
     Seize schema master

  7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

     fsmo maintenance: Seize infrastructure master
     Attempting safe transfer of infrastructure FSMO before seizure.
     ldap_modify_sW error 0x34(52 (Unavailable).
     Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
     Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
     )
     Depending on the error code this may indicate a connection, ldap, or role transfer error.
     Transfer of infrastructure FSMO failed, proceeding with seizure …
     Server "server100" knows about 5 roles
     Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
     Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
     PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
     RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
     Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
     fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

  8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
  9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
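A pre-seizure report that applies the two tables and the two notes above to a live domain. This is an added example, not part of the original article, which uses Ntdsutil only. It assumes the ActiveDirectory PowerShell module is installed, a single-domain forest like the dpetri.net example, and that ICMP ping is an acceptable reachability test.

```powershell
# Added example: report FSMO holders before deciding between transfer and seizure.
Import-Module ActiveDirectory

# Rules copied from the article's two tables (restriction and required group).
$rules = @{
    SchemaMaster         = @{ Group = 'Schema Admins';     IfSeized = 'Original must be reinstalled' }
    DomainNamingMaster   = @{ Group = 'Enterprise Admins'; IfSeized = 'Original must be reinstalled' }
    RIDMaster            = @{ Group = 'Domain Admins';     IfSeized = 'Original must be reinstalled' }
    PDCEmulator          = @{ Group = 'Domain Admins';     IfSeized = 'Can transfer back to original' }
    InfrastructureMaster = @{ Group = 'Domain Admins';     IfSeized = 'Can transfer back to original' }
}

# Enumerates the DCs of the current domain from the directory, including offline ones.
$dcs = Get-ADDomainController -Filter *

$report = foreach ($dc in $dcs) {
    # ICMP only: a DC behind a firewall that drops ping will show as unreachable.
    $online = Test-Connection -ComputerName $dc.HostName -Count 2 -Quiet
    foreach ($role in $dc.OperationMasterRoles) {
        $name = $role.ToString()
        [pscustomobject]@{
            Role            = $name
            Holder          = $dc.HostName
            HolderReachable = $online
            HolderIsGC      = $dc.IsGlobalCatalog
            RequiredGroup   = $rules[$name].Group
            IfSeized        = $rules[$name].IfSeized
            Action          = if ($online) { 'Transfer (holder is online)' }
                              else { 'Seize only if the holder will not return' }
        }
    }
}
$report | Sort-Object Role | Format-Table -AutoSize

# Note from the article: do not keep the Infrastructure Master on a Global Catalog server.
$im = $report | Where-Object { $_.Role -eq 'InfrastructureMaster' }
if ($im -and $im.HolderIsGC) {
    Write-Warning "Infrastructure Master $($im.Holder) is also a Global Catalog server."
}

# Note from the article: do not leave all five roles on only one server.
$holders = @($report | Select-Object -ExpandProperty Holder -Unique)
if ($holders.Count -eq 1 -and @($dcs).Count -gt 1) {
    Write-Warning "All FSMO roles are held by $($holders[0])."
}
```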

With Regards

Prashant Deshpande


Filed under Active Directory

Working with FSMO Roles

How to make DC with same Domain name in existing Network

1)      Install ADC first and then seize the FSMO roles as

 

 

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

 


 

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role         Loss implications
Schema            The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming     Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID               Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer objects per week.
PDC Emulator      Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure    Group memberships may be incomplete. If you only have one domain, then there will be no impact.

 


Filed under Virtualization

Cloud Computing with Microsoft Azure SDS

Dear All

This article will introduce the Microsoft Azure service and explore the SQL Data Services (SDS).

In general terms, Cloud Computing means interacting with a service or operating system whose physical location is somewhere in the internet cloud. This is one of the main benefits of Cloud Computing, that your application can leverage someone else's infrastructure. In the case of Azure, it means running on a very vast array of machines hosted by Microsoft. As a DBA or developer, this translates into the opportunity to use a very stable and a performance oriented infrastructure without the management issues and problems of maintaining it.

The Azure cloud consists of many computers linked together to form a networking fabric. Microsoft manages the entire machine cloud fabric and these management tasks are hidden from our consuming application. Our applications will sit on top of this fabric, but not be aware of them. This is similar to how a traditional ASPX web application sits on top of IIS but doesn't concern itself with the details of how the web server interacts with the operating system.

In Cloud computing, we're either utilizing a virtual server system hosted in the cloud, or interacting with a service hosted in the cloud. Azure is a cloud hosted service. We interact with it by writing applications with SOAP or REST along with HTML and XML.

Azure is the foundation of Microsoft's cloud solution. We can think of it as the base operating system or service that we interact with. The Azure provides a platform for hosting applications or services and storing any user or system data required by it. We usually create Azure applications with Visual Studio, but Ruby and Python can also be used.

There are additional add-ons available to develop with that sit on top of Azure, such as Live Services, Dot Net Services, CRM Services, Share Point, and SQL Data Services. Live Services exposes applications such as Live ID and Live Messenger. The Dot Net Services layer provides an interface for access control and workflow. Share Point and CRM Services are used to create collaborative applications. SQL Data Services (SDS) exposes SQL Server like data organization in the cloud. Pricing is not yet available for either Azure or the add-on products mentioned.

SQL Data Services (SDS)

SQL Data Services sit on top of Azure and provide database features. SDS is very much a work in progress. According to Microsoft, the final product will be released sometime in the second half of 2009. With that said, TSQL is not currently supported; instead, a version of LINQ is used to create queries. However, TSQL should be available soon.

SQL Data Services supports several common data types, including String, Date Time, Boolean, Numeric, and Binary. There is also a timestamp applied to each data change. These data types hold our data called "Entities". The Entities reside in a table structure called a "Container". Containers are created inside a database system called an "Authority". A single Authority (database) can hold a maximum of 1000 Containers (tables). Each Container can hold a maximum of 100 MB of non BLOB entities, or 1 GB of BLOB data. Maximum data Entity size is 2 MB for non BLOB and 100 MB for a BLOB. Keep in mind that SDS is under construction at the time of this writing, and these values are subject to change. These objects are created and managed by writing code to call either SOAP or REST web services.

With Regards,

Prashant Deshpande

 


Filed under Database Server

Working With Boot Manager

Dear All

An interesting technical note for those who want to remove a dual-boot OS without formatting the system: how to remove a dual-boot configuration from Windows XP, Vista and 7. When we install multiple operating systems, a boot manager gets installed in the system.

The bootsect.exe command can be used to remove it.

Steps:

1)      Start the OS which you want to keep

2)      Insert the DVD of the OS

3)      Start


Filed under Operating System

Remove Virus ( REGSVR.EXE )

Dear All

I found a virus on most of the systems in the office. I tried to remove it using Trend Micro but did not succeed, then tried many other antivirus products but failed to remove it, so at last I removed it manually with the following steps.

Symptoms (virus infection):

This virus affects your system by:

  • Disabling Task Manager
  • Disabling Registry Editor
  • Creating a startup entry to start upon system start, and disabling Folder Options
  • Using 50% or more of your processor

In Task Manager, a process "regsvr.exe" is running and using approximately 50% CPU.

A "newfolder.exe" folder is created when you browse through any folder.

Steps to remove it

1.    If Task Manager and Registry Editor are disabled, then we need to enable them first.

Download Zip

Extract the zip, then first execute regtools.vbs and then remove_task.vbs.

2.    Delete the Autorun.inf file created by the virus.

3.    Now type msconfig in the Run dialog and click on the Startup tab.

4.    Look for regsvr and uncheck any options, then click OK.

5.    Now go to Control Panel -> Scheduled Tasks, and delete the At1 task that might be listed there.

6.    Type regedit in the Run dialog to open the Registry Editor.

7.    Click on Edit -> Find and search for regsvr.exe.

8.    Delete all the occurrences of the regsvr.exe virus (do not confuse it with regsvr32.exe, which is not a virus).

9.    Navigate to the entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the entry Shell = "Explorer.exe regsvr.exe" to delete regsvr.exe from it.

10.    Now, to actually delete the virus from the system, go to the system32 folder and delete the regsvr.exe virus file from there (you will need to uncheck the option "Hide Protected System Files and Folders" in Folder Options to view the virus file). Reboot the system for the changes to take effect.
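A read-only PowerShell check for the indicators this post lists, useful for confirming which machines are affected and that a cleanup held after reboot. This is an added example, not part of the original post; the policy value names, the drive-root location of Autorun.inf and the At1.job path are assumptions about how the symptoms described above are implemented.

```powershell
# Added example: read-only check for the indicators listed in this post.
$findings = New-Object System.Collections.Generic.List[string]
$pattern  = '\bregsvr\.exe\b'   # cannot match the legitimate regsvr32.exe

# Symptom: a regsvr.exe process using the CPU
if (Get-Process -Name regsvr -ErrorAction SilentlyContinue) {
    $findings.Add('Process regsvr.exe is running')
}

# Step 9: the Winlogon Shell value should be exactly "Explorer.exe"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {      # -ne ignores case
    $findings.Add("Winlogon Shell is '$shell'")
}

# Steps 3-4: startup entries in the Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $pattern) { $findings.Add("Run entry '$name' in $key = $value") }
    }
}

# Symptoms: Task Manager, Registry Editor and Folder Options disabled.
# Assumption: the standard per-user policy values are what the virus sets.
$polRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = @(
    @{ Path = "$polRoot\System";   Name = 'DisableTaskMgr' },
    @{ Path = "$polRoot\System";   Name = 'DisableRegistryTools' },
    @{ Path = "$polRoot\Explorer"; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $props = Get-ItemProperty -Path $p.Path -ErrorAction SilentlyContinue
    if ($props -and $props.($p.Name) -eq 1) {
        $findings.Add("$($p.Name) = 1 under $($p.Path)")
    }
}

# Steps 5 and 10: files on disk. At1.job is where a legacy "At1" task is stored (assumption).
$paths = "$env:SystemRoot\System32\regsvr.exe", "$env:SystemRoot\Tasks\At1.job"
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# Step 2: Autorun.inf in drive roots (assumed location). Legitimate media can carry one too.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("Review $inf") }
}

if ($findings.Count) { $findings } else { 'No indicators from this post were found.' }
```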

Thanks

Prashant Deshpande

Filed under Antivirus

Importance of Indexes in Databases to avoid blocking of process

Dear all

Please check the document which shows the importance of using indexes in databases

Download the document

Thanks

Prashant Deshpande


Filed under SQL Server

Session break from ASP.Net State Server

Dear All

Today I came across one fact: when we implement a web farm and configure the ASP.NET State Server to handle sessions, if a web server is using close to 100% CPU, or the state server is close to 100% CPU usage, then the session can break in two ways:
1) The web server that is using close to 100% CPU will reject the session coming from the state server.
2) The state server will reject the session if it is near 100% CPU usage.
This is because, by default, 10 seconds is the time period for session management between the web server and the ASP.NET State Server.
We can overcome this with the following settings:
1) On the state server:
                  a)  Stop the ASP.NET state server service.
                  b)  Click Start, click Run, type Regedt32.exe, and then click OK to start Registry Editor.
                  c)  Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\aspnet_state\Parameters
         Add a DWORD value named SocketTimeout and set it to 30 (meaning 30 seconds).

2) In the web.config of all web servers, add:
 <!-- 30 is equal to the state server SocketTimeout value -->
 <sessionState
           stateNetworkTimeout="30"
       />

This will increase the session management time from 10 seconds to 30 seconds, which will overcome the session breaking.

Thanks

Prashant Deshpande

 


Filed under Web Farm