Domain Controller Critical Services Presented by: Jani Sabtriadi

Upload: sabtriady

Post on 17-Dec-2015


DESCRIPTION

Talk about Critical services in domain controller

TRANSCRIPT

Agenda
- Introduction
- Domain Controller Critical Services
- Symptoms of Domain Controller service issues

Domain Controller Critical Services
- DHCP Client
- File Replication Service (FRS)
- Distributed File System Replication (DFSR)
- DNS Client
- DNS Server
- Kerberos Key Distribution Center (KDC)
- Netlogon
- Windows Time
- AD DS (Active Directory Domain Services)
- AD WS (Active Directory Web Services)

DHCP Client Service
- In Windows Server 2003 and earlier, the DHCP Client service registers the A, AAAA, and PTR records for the DC in DNS.
- In Windows Server 2008 and later this is done by the DNS Client service.
- Note that only the A and PTR records are registered this way; the other records are registered by the Netlogon service.

Purpose
The Dynamic Host Configuration Protocol (DHCP) Client service on Windows 2000 Server and Windows Server 2003 based DCs is responsible for dynamically registering the host A and PTR records. This behavior changed starting with Windows Server 2008, where the Domain Name System (DNS) Client service registers the host A and PTR records.

Symptoms
In Windows Server 2003 based DCs, disabling the DHCP Client service or setting it to start manually prevents dynamic DNS updates from occurring. Even if a static IP address is in use, the DHCP Client service must be running for dynamic DNS updates to occur. If the DHCP Client service itself is not working as expected, this could be related to issues with a dependency, such as permissions on files or registry keys.

For more information, read "Understanding Dynamic Updates" at the following link: http://technet.microsoft.com/en-us/library/cc771255.aspx

Microsoft support engineers see scenarios where customers have attempted to harden DCs by disabling unnecessary services (for example, through security policies) and have disabled the DHCP Client service. Other known instances include in-place upgrades of Windows 2000 Server based DCs to Windows Server 2003.

For more information, see: http://support.microsoft.com/kb/895149

File Replication Service (FRS)
- Replicates content stored in SYSVOL on DCs and in Distributed File System (DFS) shared folders.
- FRS is in maintenance mode starting with Windows Server 2008; DFSR replaces it.
- Stopping FRS for extended periods can result in journal wrap errors and failures in Group Policy distribution, because SYSVOL is not replicated. Look for event ID 13568 in the FRS log.

Purpose
File Replication Service (FRS) is a service for replicating content stored in the SYSVOL shared folder on DCs and in Distributed File System (DFS) shared folders. It is also known as NTFRS, after the name of the executable file that runs the service. The FRS component in Windows is now in maintenance mode and is present merely to help migrations to new operating system (OS) platforms such as Windows Server 2008 and above. Its functionality is now replaced by Distributed File System Replication (DFSR).

Symptoms
Any interruption of this service will cause the contents of SYSVOL to stop replicating. This affects the replication and distribution of any changes to Group Policies and scripts across the domain. For example, a common cause of journal wrap errors is this service being stopped for an extended period on a DC. This is often exhibited by a 13568 error in the FRS event log.

Note: While not covered extensively in this workshop, symptoms and troubleshooting are discussed in more detail in Module 6: Troubleshooting FRS and DFSR.

For more information, see: http://technet.microsoft.com/en-us/library/bb727056.aspx

Distributed File System Replication (DFSR)
- In Windows Server 2008 or Windows Server 2012, DFSR can be used to replicate SYSVOL content between DCs.
- The DFSRmig.exe tool is used to migrate SYSVOL from FRS to DFSR.
- Group Policy and other replication issues occur if the service is interrupted.

Purpose
The DFS Replication service is used to keep folders synchronized on multiple servers. In Windows Server 2008 and above domain mode environments, this service can be used to replicate the contents of the SYSVOL share between DCs. The replica set can be converted from FRS to DFSR using the dfsrmig.exe tool.

Symptoms
Interruption of this service can directly affect the replication of Group Policies and other related scripts around your domain environment. There are also mechanisms to provide content freshness protection (their settings should be kept in sync with the tombstone lifetime, TSL): http://blogs.technet.com/b/askds/archive/2009/11/18/implementing-content-freshness-protectionin-dfsr.aspx
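The FRS and DFSR slides above both come down to one operational question: which engine is replicating SYSVOL on this DC, is it running, and has a journal wrap (event 13568) already broken replication? The following PowerShell check is an added example written for this page; it is not part of the presentation. It assumes it runs elevated on a DC, that dfsrmig.exe is present (it is installed with AD DS), and it uses the standard Windows service names NtFrs and DFSR and the FRS event log name "File Replication Service".

```powershell
# Added example (not from the presentation): SYSVOL replication health on a DC.
# Assumes: elevated session on a DC; dfsrmig.exe present; standard service and log names.

function Get-SysvolReplicationHealth {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 7
    )

    $result = [ordered]@{}

    # dfsrmig reports the SYSVOL migration global state
    # (Start = FRS, Prepared, Redirected, Eliminated = DFSR only).
    $result.DfsrMigState = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '

    # Which replication engines are installed and running?
    foreach ($name in 'NtFrs', 'DFSR') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $cim = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $result[$name] = if ($svc) { "$($svc.Status) (StartMode: $($cim.StartMode))" } else { 'not installed' }
    }

    # Event 13568 in the FRS log is the journal wrap error the talk warns about.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $journalWrap = Get-WinEvent -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = 13568
        StartTime = $since
    } -ErrorAction SilentlyContinue
    $result.JournalWrapEvents = @($journalWrap).Count

    # Group Policy cannot be distributed at all if SYSVOL is not shared.
    $result.SysvolShared = [bool](Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$health = Get-SysvolReplicationHealth
$health | Format-List
if ($health.JournalWrapEvents -gt 0) {
    Write-Warning "FRS journal wrap (event 13568) seen in the last 7 days - SYSVOL is not replicating from this DC."
}
if (-not $health.SysvolShared) {
    Write-Warning "SYSVOL share is missing - Group Policy will not be distributed by this DC."
}
```

If DfsrMigState reports Eliminated, the NtFrs line is expected to read "not installed" or stopped and the 13568 check is moot; on an FRS domain, a non-zero JournalWrapEvents count is the signal to look at before touching Group Policy, since the DC is serving stale SYSVOL content.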

For more information about using DFSR for SYSVOL replication, see:
http://technet.microsoft.com/en-us/library/cc794837.aspx
http://msdn.microsoft.com/en-us/library/bb540025(VS.85).aspx
http://blogs.technet.com/filecab/archive/2007/12/26/what-s-new-in-windowsserver-2008.aspx

DNS Client Service
- For Windows Server 2008 and above, registers the A, AAAA, and PTR records for the DC in DNS.
- Caching of resolved queries and other functions are affected if the service is interrupted.

Purpose
In Windows Server 2008 and above based DCs, the DNS Client service is required to perform the dynamic DNS registrations of the host A and PTR records. This functionality was previously performed by the DHCP Client service on Windows 2000 Server and Windows Server 2003 based DCs.

Symptoms
Problems with the DNS Client service will affect the ability to perform dynamic DNS updates. Other functionality, such as the ability to cache resolved queries, will also be affected. However, the dynamic DNS functionality is the more important concern here.

For more information about DNS client behavior, see: http://technet.microsoft.com/en-us/library/bb727035.aspx

DNS Server Service
- Provides name resolution for DNS client computers.
- Common problems include:
  - Failure to register DNS records.
  - Inability to locate DCs or other key services.

Purpose
When Windows DNS is used to support an Active Directory environment, DNS is used by all domain members and DCs to locate each other. The primary use of Windows DNS in these environments is to resolve "easy to remember" text names to IP addresses.

Symptoms
Problems with the DNS Server service can cause network performance to degrade or even prevent domain members from locating services in the forest.

Kerberos Key Distribution Center (KDC) Service
- Required for Kerberos version 5 authentication. AD domains use Kerberos for authentication.
- Service interruptions result in many different authentication issues (logon, trust, and so on).

Purpose
The Kerberos Key Distribution Center (KDC) service is the service that supports Kerberos version 5 authentication. Kerberos is the primary authentication protocol used within Active Directory domains. The availability of Kerberos to process an authentication request depends on the trust path followed. External trusts are not supported for Kerberos.

Symptoms
If the KDC is stopped on a DC, this can affect transactions that rely on Kerberos. This is especially so if no other replica DC (KDC) is available.

Netlogon Service
- Maintains the secure channel between DCs and domain members (including other DCs). This secure channel is used for authentication (NTLM and Kerberos) and DC replication.
- Writes the SRV and other records to DNS. These records are what domain members use to find DCs.
  - The records are also written to the file %systemroot%\system32\config\Netlogon.DNS.
- Service interruptions cause problems with authentication, Kerberos PAC verification, password changes, and dynamic DNS record registration.

Purpose
This service is responsible for the following:
- Maintains a secure channel between domain members and DCs (and also directly between DCs where a trust is present) for authenticating users and services.
- Registers the Service Locator (SRV) records in DNS to help domain members (and DCs) locate DCs. These records are also written to Netlogon.DNS, a file stored in the %systemroot%\system32\config directory.
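The DHCP Client, DNS Client, DNS Server and Netlogon slides describe the same dependency chain from different ends: the host A/PTR records come from the DHCP Client (2003) or DNS Client (2008+), the SRV records come from Netlogon, and the DNS Server has to accept and serve all of them or domain members cannot find the DC. The script below is an added example for this page, not part of the presentation; it resolves the records a DC must publish and summarises the Netlogon.DNS file mentioned above so the two can be compared. It assumes a domain-joined Windows Server 2012 or later machine (for Resolve-DnsName), that $env:USERDNSDOMAIN is the DC's domain, and that the DC's FQDN is computer name plus domain.

```powershell
# Added example (not from the presentation): verify the DNS records a DC depends on.
# Assumes: Server 2012+ (DnsClient module), domain-joined, FQDN = COMPUTERNAME.USERDNSDOMAIN.

function Test-DcDnsRecords {
    param(
        [string]$DomainName = $env:USERDNSDOMAIN,
        [string]$DcHostName = "$($env:COMPUTERNAME).$($env:USERDNSDOMAIN)"
    )

    $checks = @(
        # Host A record: registered by the DNS Client (2008+) or DHCP Client (2003 and earlier).
        @{ Name = 'Host A record';        Query = $DcHostName;                            Type = 'A'   }
        # SRV records: registered by Netlogon; this is what clients use to locate DCs.
        @{ Name = 'LDAP SRV (DC)';        Query = "_ldap._tcp.dc._msdcs.$DomainName";     Type = 'SRV' }
        @{ Name = 'Kerberos SRV (DC)';    Query = "_kerberos._tcp.dc._msdcs.$DomainName"; Type = 'SRV' }
        @{ Name = 'Global catalog SRV';   Query = "_gc._tcp.$DomainName";                 Type = 'SRV' }
    )

    foreach ($c in $checks) {
        # -DnsOnly skips the local cache and hosts file, so a stale cache cannot hide a failure.
        $answers = Resolve-DnsName -Name $c.Query -Type $c.Type -DnsOnly -ErrorAction SilentlyContinue
        $targets = if ($c.Type -eq 'SRV') {
            @($answers | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget)
        } else {
            @($answers | Where-Object Type -eq 'A'   | ForEach-Object IPAddress)
        }
        [pscustomobject]@{
            Check   = $c.Name
            Query   = $c.Query
            Found   = $targets.Count -gt 0
            Answers = $targets -join ', '
        }
    }
}

function Get-NetlogonDnsFileSummary {
    # Netlogon writes every record it attempts to register to this file, so it shows what
    # the DC tried to publish even when the DNS server rejected the update.
    $path = Join-Path $env:SystemRoot 'system32\config\Netlogon.DNS'
    if (-not (Test-Path $path)) { return $null }
    $lines = @(Get-Content $path | Where-Object { $_ -match '\sIN\s(SRV|A|CNAME)\s' })
    [pscustomobject]@{
        Path         = $path
        TotalRecords = $lines.Count
        SrvRecords   = @($lines | Where-Object { $_ -match '\sIN\sSRV\s' }).Count
        Targets      = @($lines | ForEach-Object { ($_ -split '\s+')[-1] } | Sort-Object -Unique) -join ', '
    }
}

$results = Test-DcDnsRecords
$results | Format-Table -AutoSize
Get-NetlogonDnsFileSummary | Format-List

if ($results | Where-Object { -not $_.Found }) {
    # Re-registration uses the same two services the slides name: Netlogon for SRV records,
    # the DNS Client (or DHCP Client on 2003) for the host A/PTR records.
    Write-Warning 'Missing records. Re-register with "nltest /dsregdns" (SRV) and "ipconfig /registerdns" (A/PTR), check that the DNS Server, Netlogon and DNS Client services are running, then re-run.'
}
```

A record that appears in Netlogon.DNS but does not resolve points at the DNS Server side (zone permissions, secure-update settings, or the service itself); a record absent from the file points at Netlogon on the DC. A missing host A record with all SRV records present is the DHCP Client / DNS Client symptom described on the earlier slides.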

Symptoms
If this service is disabled, any services that explicitly depend on it will fail to start. Transactions that rely on the secure channel, such as NT LAN Manager (NTLM) authentication, Kerberos Privilege Attribute Certificate (PAC) verification, and computer/trust password changes, will be affected. This will also prevent the DC from dynamically registering DNS records.

Windows Time Service
- Acts as a Network Time Protocol (NTP) client and as an NTP time server.
- Critical for time-reliant transactions.
- The w32tm.exe command-line tool is used for troubleshooting issues, such as when a computer is unable to synchronize time with an authoritative source.

Purpose
The Windows Time Service (W32Time) is designed to act as a Network Time Protocol (NTP) client and also as an NTP time server. In default mode, the W32Time service uses the domain hierarchy and hard-coded source selection algorithms to choose the most appropriate source for obtaining time, updates its local clock, and then publishes itself as a time server. Domain members using a default configuration also use the selection algorithm to choose the most appropriate source (DC) for synchronizing time. This is a critically important role within the domain, as time-sensitive transactions such as Kerberos are completely reliant on closely synchronized time.

Virtualization and Time
For virtual machines (VMs) that are configured as DCs, it is recommended that you disable time synchronization between the host system and the guest OS acting as a DC. This enables your guest DC to synchronize time from the domain hierarchy. To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization check box under Integration Services.

Symptoms
If the W32Time service is faulty, time skew will occur and will affect time-sensitive transactions, especially Kerberos-reliant transactions.
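The Windows Time slides give the two things an operator actually does: read what w32tm reports (source, offset) to decide whether skew is about to break Kerberos, and, for a virtual DC, switch off host-to-guest time synchronization so the guest follows the domain hierarchy instead. The following is an added example for this page, not from the presentation. It assumes w32tm.exe (built into Windows), the 5-minute default Kerberos skew tolerance, and for the VM part the Hyper-V PowerShell module on the host; $VmName is a placeholder for the guest DC's VM name.

```powershell
# Added example (not from the presentation): W32Time health on a DC, and disabling the
# Hyper-V Time Synchronization integration service for a virtual DC.
# Assumes: w32tm.exe present; Hyper-V module on the host for Disable-GuestDcHostTimeSync.

function Get-W32TimeStatus {
    $status = & w32tm.exe /query /status 2>&1
    $source = (& w32tm.exe /query /source 2>&1) -join ''

    # "Phase Offset: 0.0012345s" is the local clock's offset from its source, in seconds.
    $offsetLine = ($status | Where-Object { $_ -match 'Phase Offset' }) -join ''
    $offset = if ($offsetLine -match '(-?\d+\.\d+)s') { [double]$matches[1] } else { $null }

    [pscustomobject]@{
        Service      = (Get-Service -Name W32Time).Status
        Source       = $source
        PhaseOffset  = $offset
        # Kerberos rejects tickets when skew exceeds 5 minutes by default (assumption: default policy).
        SkewTooLarge = ($null -ne $offset) -and ([math]::Abs($offset) -gt 300)
        # "Local CMOS Clock" as the source means this DC is not getting time from the hierarchy.
        FreeRunning  = $source -match 'Local CMOS Clock'
    }
}

function Test-TimeAgainstSource {
    param([Parameter(Mandatory)][string]$SourceComputer, [int]$Samples = 3)
    # stripchart shows the raw offset to a chosen source; useful when the DC says it cannot sync.
    & w32tm.exe /stripchart /computer:$SourceComputer /samples:$Samples /dataonly 2>&1
}

function Disable-GuestDcHostTimeSync {
    param([Parameter(Mandatory)][string]$VmName)   # placeholder: the guest DC's VM name
    # Run on the Hyper-V host. The slide says to shut the VM down before changing the provider.
    Stop-VM -Name $VmName
    Disable-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
    Get-VMIntegrationService -VMName $VmName -Name 'Time Synchronization' |
        Select-Object VMName, Name, Enabled
    Start-VM -Name $VmName
}

$time = Get-W32TimeStatus
$time | Format-List
if ($time.FreeRunning)  { Write-Warning 'W32Time is using the local CMOS clock; the DC is not synchronizing from the domain hierarchy.' }
if ($time.SkewTooLarge) { Write-Warning "Clock offset of $($time.PhaseOffset)s exceeds the Kerberos tolerance; expect authentication failures." }
```

On a guest DC, a Source of "VM IC Time Synchronization Provider" rather than a DC or the PDC emulator's external source is the symptom the virtualization slide addresses, and Disable-GuestDcHostTimeSync is the scripted form of clearing the Time synchronization check box.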

Time Correction
Windows operating systems include the Windows Time service (W32Time). This service ensures that all the computers in an organization that are running Microsoft Windows operating systems (excluding operating systems earlier than Windows 2000) use a common time. By default, the DC that holds the Primary Domain Controller (PDC) emulator operations master (also known as Flexible Single Master Operations or FSMO) role at the root of the forest is the authoritative time server for the organization.

A review of time rollbacks has shown that computers can adopt a time that is days, months, years, or even decades in the future or in the past. These time rollbacks can be caused, for example, by hardware failures on a DC or on the network's PDC, an incorrect external time source, a failed CMOS battery, or other problems.

Active Directory Domain Services (AD DS)
- Before Windows Server 2008, the service could not be stopped while the OS was online.
- Starting with Windows Server 2008, the service can be stopped and started while the OS is online.
- Provides the DC services. If this service is stopped, the DC stops acting as a DC.

Purpose
Starting with Windows Server 2008, this service can be stopped and started while the operating system remains online. Because of this feature, the Active Directory Domain Services (AD DS) service must be monitored.

Symptoms
If this service is not operational, all services provided by the DC will stop.

Active Directory Web Services (AD WS)
- Required for the Active Directory PowerShell module to work (v2 and v3).
- Required for the Active Directory Administrative Center to work (Windows Server 2008 R2 and Windows Server 2012).
- By default, runs on Windows Server 2008 R2, 2012, and 2012 R2 DCs.

Active Directory Web Services (ADWS) in Windows Server 2008 R2 is a new Windows service that provides a web service interface to Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances that are running on the same Windows Server 2008 R2 server as ADWS. If the ADWS service on a Windows Server 2008 R2 server is stopped or disabled, client applications such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center will not be able to access or manage any directory service instances running on that server. ADWS is installed automatically when you add the AD DS or AD LDS server role to your Windows Server 2008 R2 server. ADWS is configured to run if you make this Windows Server 2008 R2 server a DC by running Dcpromo.exe or if you create an AD LDS instance on it.
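The deck's list of critical services, together with the AD DS slide's point that NTDS can now be stopped while the OS stays online (and so must be monitored) and the AD WS slide's point that the PowerShell module fails when ADWS is down, reduces to one inventory an administrator should run on every DC. The script below is an added example for this page, not from the presentation. It assumes Windows Server 2008 R2 or later (so ADWS exists and listens on its default TCP port 9389), PowerShell 3 or later, and the standard Windows service names given in the table; which of NtFrs and DFSR is installed depends on the SYSVOL migration state.

```powershell
# Added example (not from the presentation): inventory the critical DC services named in the talk.
# Assumes: Server 2008 R2+, PowerShell 3+, standard service names, ADWS on TCP 9389 (default).

$criticalServices = [ordered]@{
    Dhcp     = 'DHCP Client (registers A/PTR on Server 2003 and earlier)'
    NtFrs    = 'File Replication Service (SYSVOL, legacy)'
    DFSR     = 'DFS Replication (SYSVOL on Server 2008+)'
    Dnscache = 'DNS Client (registers A/PTR on Server 2008+)'
    DNS      = 'DNS Server'
    Kdc      = 'Kerberos Key Distribution Center'
    Netlogon = 'Netlogon (secure channel, SRV records)'
    W32Time  = 'Windows Time'
    NTDS     = 'Active Directory Domain Services'
    ADWS     = 'Active Directory Web Services'
}

function Get-DcCriticalServiceState {
    foreach ($entry in $criticalServices.GetEnumerator()) {
        $svc = Get-Service -Name $entry.Key -ErrorAction SilentlyContinue
        # Win32_Service carries the start mode on PowerShell versions older than 5.
        $cim = Get-CimInstance Win32_Service -Filter "Name='$($entry.Key)'" -ErrorAction SilentlyContinue

        # Hardening policies that disable "unnecessary" services are the failure mode the
        # DHCP Client slide describes; flag Disabled separately from merely stopped.
        $concern = ''
        if ($cim -and $cim.StartMode -eq 'Disabled')   { $concern = 'DISABLED (policy?)' }
        elseif ($svc -and $svc.Status -ne 'Running')   { $concern = 'not running' }

        [pscustomobject]@{
            Service    = $entry.Key
            Role       = $entry.Value
            Installed  = [bool]$svc
            Status     = if ($svc) { [string]$svc.Status } else { 'n/a' }
            StartMode  = if ($cim) { $cim.StartMode } else { 'n/a' }
            # Services that fail to start if this one is disabled (the Netlogon slide's point).
            Dependents = if ($svc) { @($svc.DependentServices | ForEach-Object Name) -join ', ' } else { '' }
            Concern    = $concern
        }
    }
}

function Test-AdwsReachable {
    # ADWS must answer on 9389 before the AD PowerShell module or ADAC can work against this DC.
    $port = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 9389 -WarningAction SilentlyContinue
    $moduleOk = $false
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try { Import-Module ActiveDirectory -ErrorAction Stop; $null = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop; $moduleOk = $true } catch { }
    }
    [pscustomobject]@{ PortOpen = $port.TcpTestSucceeded; AdModuleWorks = $moduleOk }
}

$state = Get-DcCriticalServiceState
$state | Format-Table Service, Status, StartMode, Concern, Dependents -AutoSize
Test-AdwsReachable | Format-List

# NTDS stopping is silent from the OS's point of view on 2008+, so treat it as an alert, not a log line.
if (($state | Where-Object Service -eq 'NTDS').Status -ne 'Running') {
    Write-Warning 'NTDS is not running: this machine is currently not acting as a DC.'
}
```

The Dependents column is worth reading once per DC: it shows concretely which services will refuse to start if Netlogon or a similar service is disabled by a hardening baseline, which is the situation the Symptoms paragraphs in this deck keep returning to.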

For more information, see: http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx

Thank you...