domain controller critical services
TRANSCRIPT
Domain Controller Critical ServicesPresented by: Jani Sabtriadi
AgendaIntroduction Domain Controller Critical Services Symptom Domain Controller Services issue
Domain Controller Critical Services• DHCP Client• File Replication Services (FRS)• Distributed File System Replication (DFRS)• DNS Client• DNS Server• Kerberos Key Distribution Center (KDC)• Netlogon• Windows Time• AD DS (Active Directory Domain Services)• AD WS (Active Directory Web Services)
DHCP Client Services• In Server 2003 and before the DHCP Client service registers A,
AAAA, and PTR records for the DC with DNS• In Server 2008 and above this is done by the DNS Client• Note that only the A and PTR records are registered. Other records
are by the Netlogon service
File Replication Services• Replicated content stored in SYSVOL on DC and in Distributed File
System (DFS) Shared Folder.• FRS is in maintenance mode starting with Windows Server 2008 , DFRS
replaces it.• Stopping FRS for extended periods can result in journal wrap errors,
failures in Group Policy Distribution, error as SYSVOL isn't replicated. Event id 13568 in FRS log.
Distributed File System Replication Services (DFSR)
• In windows server 2008 or windows server 2012, DFSR can be used to replicate SYSVOL content between DC.
• DFSRmig.exe tool used to migrate FRS to DFSR.• Group Policy and other replication issues occur if services is
interrupted
• For Server 2008 and above registers the A, AAAA, and PTR records for the DC with DNS.
• Caching resolved queries and other functions are affected if services is interrupted
DNS Client Service
DNS Server Service
• Provides name resolution for DNS client computer.• Common problem include.
- Failure to register DNS records.- Unable to locate DCs or other key services.
Kerberos Key Distribution Center (KDC) Service
• Required for Kerberos 5.0 authentication. AD domains use Kerberos for authentication.
• Services interruptions result in many different authentication issues (logon,trust, and so on)
Netlogon Service
• Maintains the secure channel between DCs and domain members (including other DCs). This secure channel is used for authentication (NTLS and Kerberos) and DC replication.
• Writes the SRV and other records to DNS. These records are what domain members use to find DCs
- The records are also written to a file %systemroot%\system32\config\Netlogon.DNS
• Service Interruptions result with authentication, Kerberos PAC verification, password changes, dynamic DNS record registration.
The records are also written to a file %systemroot%\system32\config\Netlogon.DNS The records are also written to a file %systemroot%\system32\config\Netlogon.DNS
The records are also written to a file %systemroot%\system32\config\Netlogon.DNS
Windows Time Services• Act as Network Time Protocol (NTP) client and NTP time server.• Critical for time-reliant transaction.
• W32time.exe comand line tool for troubleshooting issues. Such as when computer is unable to sync time with autoritative source.
Active Directory Domain Services (AD DS)
• Before Windows Server 2008, the service could not be stopped while the OS was online.
• Starting Windows Server 2008, service can be stopped and started while OS is online.
• Provides the DC services. If this service is stopped the DC stops acting as a DC.
Active Directory Web Services (AD WS)• Required for Active Directory Powershell module to work (v2 and
v3)• Required for Active Directory Administrative Center to work ( win
2008 R2 and win 2012).• By Default, running on windows server 2008 R2, 2012, and 2012 R2
DC.
Thank you...