Remote Installation Services
Technical Data
The Schema partition, Configuration partition, and Global Catalog can be
replicated using either RPC or SMTP. The Domain partition can only be
replicated using RPC.
If the promotion of a domain controller fails, look in the folder:
%SYSTEMROOT%\debug\
for the following files: dcpromo.log and dcpromoui.log
Unattended setup requires the use of the dcpromo command with the
/answer: switch.
c:\>net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
Active Directory database: %SYSTEMROOT%\NTDS\NTDS.DIT
dcpromo errors/log files: %SYSTEMROOT%\debug\dcpromo.log,dcpromoui.log
Show failed domain controllers: repadmin.exe /unreplicated
All domain controllers replicate with each other in intrasite replication;
only bridgehead servers participate in intersite replication.
For a small network, 512kb is the lowest speed for combining subnets or
sites.
The "site link schedule" is the adjustment area for replication interval or
"triggering".
On domain controller installation, the "Windows 2000-only permission" is not
the default. The default allows anonymous access for NT4 and 9x computers.
To prevent anonymous access and optimize security:
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
or check "Windows 2000-only permission" during dcpromo.
Microsoft Recommends:
Don't link existing GPOs to sites. Control site GPOs from site/props/
GP tab. Sites can contain more than one domain (security/owner?).
LDAP://CN=Admins,CN=ITDept,dc=spcsys,dc=com
PXE Boot:
Adapter/RIS disk initialize
DHCP
F12 - Initiates a network service boot
Roaming profiles:
redirect "Application data" and "My Documents"
no offline folders. Roaming profiles and offline folders both sync!
The KCC creates only inbound connections.
If you manually create a preferred bridgehead server and it fails, the KCC
CANNOT select an alternate.
You can use AD zones with BIND if you delegate zones:
_tcp.spcsys.com
_udp.spcsys.com
_msdcs.spcsys.com
_sites.spcsys.com
to a Windows 2000 DNS server and manually create the zones.
If you want to have secure DDNS updates and also use non-Windows 2000 client
computers, you must have the DHCP server update the DDNS server on behalf of
the client. The DHCP server will be a member of the "DNS Update Proxy" group,
which strips the security from the records it registers; therefore, for
security purposes, do not run the DHCP server on a domain controller.
For a domain based message queuing network, AD Sites and SERVICES / services
/ MsmqServices /
The search feature in Windows 2000 does not include shared folders.
Make a shortcut to published folders on users desktop?
"My Network Places/Entire Network/Entire Contents/Directory/domain/"
The Global Catalog begins: "My Network Places/Entire Network/"
implicit deny = not given access
explicit deny = denying specifically
No SMTP replication between domain controllers in separate sites if they are
in the same domain, because the entire domain content is replicated (not just
the Global Catalog section). This is probably because of the type of data that
must be transferred (binary?).
A site link can connect more than two sites for replication.
A Distinguished Name or DN is:
dn="cn=jill jones,cn=Users,dc=spcsys,dc=com"
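As an added example (not part of the original notes), a small Python parser for the DN format shown above: it splits a DN or LDAP:// path into its RDNs, handles backslash-escaped commas, derives the DNS domain name from the dc= components, and rejects an unknown attribute type such as the constructed typo dn=com. The set of accepted attribute types is an assumption for this example.

```python
# Attribute types accepted in an RDN (assumed set for this example; extend as needed).
KNOWN_TYPES = {"cn", "ou", "dc", "o", "c", "l", "st", "uid"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN (or an LDAP://... path) into (type, value) pairs, leftmost RDN first.

    Backslash-escaped commas inside a value (e.g. cn=Jones\\, Jill) are kept as
    part of the value. Raises ValueError on a malformed RDN or unknown type.
    """
    if dn.upper().startswith("LDAP://"):
        dn = dn[len("LDAP://"):]
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends the current RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, _, val = rdn.partition("=")
        typ, val = typ.strip().lower(), val.strip()
        if typ not in KNOWN_TYPES:
            raise ValueError(f"unknown attribute type {typ!r} in {rdn!r}")
        if not val:
            raise ValueError(f"empty value in {rdn!r}")
        rdns.append((typ, val))
    return rdns


def dns_domain(dn: str) -> str:
    """DNS name of the domain holding the object, built from its dc= components."""
    return ".".join(v for t, v in parse_dn(dn) if t == "dc")


def parent_dn(dn: str) -> str:
    """DN of the container holding the object: everything after the first RDN."""
    rdns = parse_dn(dn)[1:]
    return ",".join(f"{t}={v.replace(',', chr(92) + ',')}" for t, v in rdns)


if __name__ == "__main__":
    sample = "cn=jill jones,cn=Users,dc=spcsys,dc=com"   # constructed sample DN
    print(parse_dn(sample), dns_domain(sample), parent_dn(sample))
```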
Write permissions on OU = change attributes
Create all child objects in OU = Create all...
If you move a domain controller to a new site, you must make changes to the
"NTDS Settings" object. The KCC does not detect physical location changes.
It would replicate over site links (WAN) as intrasite replication.