Setting Up Two Servers Running in Parallel – Part III: Master Operation

PART III: Operation Master

Introduction: Although W2k/W2k3 support Multi Master operation (the DCs run in parallel with no primary/secondary distinction), a number of functions still run in Single Master mode, namely:
1. Schema Master: manages the schema; one per forest
2. Domain Naming: manages the list of domains; one per forest
3. PDC: emulates an NT server to authenticate legacy workstations (Win9x); one per domain
4. RID: issues ID numbers to users; one per domain
5. Infrastructure: manages the list of users from other domains that are members of groups in the current domain; one per domain

By default, DC1 holds all of these functions. When DC1 dies, any operation that depends on these 5 functions can no longer be performed.

When DC1 “dies unexpectedly”, we have to “force” DC2 to take over these 5 functions. This article walks through the steps of that “forcing” (seizure) in detail.

This article consists of 3 steps:
1. Assume the master DC has died (DC1 “dies” unexpectedly)
2. From the additional DC (DC2), open CMD and enter the commands that seize DC1's 5 single-master functions for DC2
3. Once that succeeds, create a user on DC2 and have a client join the domain with the newly created user.

Steps
1./ Assume DC1 has died (shut down DC1)
2./ From DC2, open cmd and enter the commands that seize DC1's 5 single-master functions for DC2
The command sequence is as follows (copied from the DOS window):
——————————————————–
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>ntdsutil ‘Command 1 of the Operation Master procedure
ntdsutil: ?
‘Commands available in ‘ntdsutil’
? – Show this help information
Authoritative restore – Authoritatively restore the DIT database
Configurable Settings – Manage configurable settings
Domain management – Prepare for new domain creation
Files – Manage NTDS database files
Group Membership Evaluation – Evaluate SIDs in token for a given user or group
Help – Show this help information
LDAP policies – Manage LDAP protocol policies
Metadata cleanup – Clean up objects of decommissioned servers
Popups %s – (en/dis)able popups with “on” or “off”
Quit – Quit the utility
Roles – Manage NTDS role owner tokens
Security account management – Manage Security Account Database – Duplicate SID Cleanup
Semantic database analysis – Semantic Checker
Set DSRM Password – Reset directory service restore mode administrator account password

ntdsutil: Roles ‘Command 2 of the Operation Master procedure
fsmo maintenance: ?
‘Commands available in ‘Roles’
? – Show this help information
Connections – Connect to a specific domain controller
Help – Show this help information
Quit – Return to the prior menu
Seize domain naming master – Overwrite domain role on connected server
Seize infrastructure master – Overwrite infrastructure role on connected server
Seize PDC – Overwrite PDC role on connected server
Seize RID master – Overwrite RID role on connected server
Seize schema master – Overwrite schema role on connected server
Select operation target – Select sites, servers, domains, roles and naming contexts
Transfer domain naming master – Make connected server the domain naming master
Transfer infrastructure master – Make connected server the infrastructure master
Transfer PDC – Make connected server the PDC
Transfer RID master – Make connected server the RID master
Transfer schema master – Make connected server the schema master

fsmo maintenance: connections ‘Command 3 of the Operation Master procedure
server connections: ?
‘Commands available in ‘connections’
? – Show this help information
Clear creds – Clear prior connection credentials
Connect to domain %s – Connect to DNS domain name
Connect to server %s – Connect to server, DNS name or IP address
Help – Show this help information
Info – Show connection information
Quit – Return to the prior menu
Set creds %s %s %s – Set connection creds as domain, user, pwd.
Use “NULL” for null password,
* to enter password from the console.

server connections: connect to server ser.anthaifood.com ‘Command 4 of the Operation Master procedure
Binding to ser.anthaifood.com …
Connected to ser.anthaifood.com using credentials of locally logged on user.
server connections: quit ‘Command 5 of the Operation Master procedure

fsmo maintenance: seize schema master ‘Command 6 of the Operation Master procedure
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A confirmation dialog appears; choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize domain naming master ‘Command 7 of the Operation Master procedure
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A confirmation dialog appears; choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize RID master ‘Command 8 of the Operation Master procedure (RID in uppercase)
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210922, problem 5002 (UNAVAILABLE), data 1722
(A confirmation dialog appears; choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure …
Searching for highest rid pool in domain
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize PDC ‘Command 9 of the Operation Master procedure (PDC in uppercase)
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210511, problem 5002 (UNAVAILABLE), data 1722
(A confirmation dialog appears; choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com

fsmo maintenance: seize infrastructure master ‘Command 10 of the Operation Master procedure
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321032A, problem 5002 (UNAVAILABLE), data 1722
(A confirmation dialog appears; choose “YES”)

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.))
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure …
Server “ser.anthaifood.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Domain – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
PDC – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
RID – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
Infrastructure – CN=NTDS Settings,CN=SER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=anthaifood,DC=com
fsmo maintenance: quit ‘Command 11 of the Operation Master procedure
ntdsutil: quit ‘Command 12 of the Operation Master procedure
Disconnecting from ser.anthaifood.com…

C:\>
——————————————————–

3./ Now we test it: on DC2 (which has just become the master) create a user, and from a client machine join the domain using that newly created user.
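Before creating users, it is worth confirming from outside ntdsutil that all five roles really ended up on DC2 and that nothing still points at the dead DC1. The PowerShell script below is an added example, not code from the original post: it reads the fSMORoleOwner attribute of the five objects that record the roles (the schema partition, CN=Partitions, the domain head, CN=RID Manager$ and CN=Infrastructure) over plain LDAP with System.DirectoryServices, so it needs no ActiveDirectory module and works against a Windows Server 2003 DC. The default values SER and SERVER are the two DC names that appear in the transcript above; the parameter names, the function name and the "tombstone" check are my own assumptions.

```powershell
# Added example: verify FSMO role holders after a seizure (not from the original post).
# Reads fSMORoleOwner of the five role objects via [ADSI] / System.DirectoryServices,
# so it runs against a Windows Server 2003 DC without the ActiveDirectory module.
# Hypothetical defaults taken from the transcript above; adjust for your forest:
#   $ExpectedHolder : NetBIOS name of the DC that seized the roles (SER)
#   $RetiredDc      : the DC that died and must not come back online (SERVER)
param(
    [string]$ExpectedHolder = 'SER',
    [string]$RetiredDc      = 'SERVER'
)

# RootDSE supplies the naming contexts, so no domain DN is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

# Each FSMO role is stored as the fSMORoleOwner attribute of exactly one object.
$roleObjects = @(
    @{ Role = 'Schema';         Dn = $schemaDn },
    @{ Role = 'Domain naming';  Dn = "CN=Partitions,$configDn" },
    @{ Role = 'PDC';            Dn = $domainDn },
    @{ Role = 'RID';            Dn = "CN=RID Manager`$,$domainDn" },
    @{ Role = 'Infrastructure'; Dn = "CN=Infrastructure,$domainDn" }
)

function Get-ServerFromNtdsDn {
    # fSMORoleOwner holds the NTDS Settings DN, e.g.
    # "CN=NTDS Settings,CN=SER,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=..."
    # The second RDN is the server object, i.e. the DC's name.
    param([string]$NtdsDn)
    $rdns = $NtdsDn -split '(?<!\\),'      # split on commas that are not escaped
    if ($rdns.Count -lt 2) { return $null }
    return ($rdns[1] -replace '^CN=', '')
}

$problems = 0
foreach ($entry in $roleObjects) {
    $obj    = [ADSI]"LDAP://$($entry.Dn)"
    $owner  = [string]$obj.fSMORoleOwner
    $holder = Get-ServerFromNtdsDn -NtdsDn $owner

    # An owner DN containing "0ADEL:" refers to a deleted (tombstoned) NTDS Settings
    # object: the role points at nothing and has to be seized again.
    $deleted = $owner -match '0ADEL:'
    $status  = if ($deleted) { 'TOMBSTONE' }
               elseif ($holder -ieq $ExpectedHolder) { 'OK' }
               else { 'UNEXPECTED' }
    if ($status -ne 'OK') { $problems++ }

    New-Object PSObject -Property @{
        Role = $entry.Role; Holder = $holder; Status = $status; Owner = $owner
    } | Select-Object Role, Holder, Status, Owner
}

# Until "metadata cleanup" has been run, the dead DC's server object still exists
# under CN=Sites and the surviving DC keeps trying to replicate with it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$searcher.Filter     = "(&(objectClass=server)(cn=$RetiredDc))"
if ($searcher.FindOne() -ne $null) {
    Write-Warning "Server object for $RetiredDc still exists: run ntdsutil 'metadata cleanup' and keep that machine off the network."
    $problems++
}

if ($problems -eq 0) {
    Write-Host "All five roles are held by $ExpectedHolder and no stale server object remains."
}
exit $problems
```

Run it on DC2 (or any domain member with LDAP access to it) as a domain administrator; a non-zero exit code means at least one role or the stale server object needs attention. On Windows Server 2003 the Support Tools command `netdom query fsmo` gives the same five holders in one line and is a quick cross-check. The important operational caveat after a seizure is that the former holder (SERVER here) must not be reconnected to the network as a domain controller: once the roles have been seized it would believe it still owns them, so it should be rebuilt, and its remaining directory objects removed with the "Metadata cleanup" menu of ntdsutil listed in the help output above.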
