Linux: All the Basics You Need to Know

After giving notice at my last job I found myself whipping together a lot of documentation for the person who would be taking over for me.

He really enjoyed the “Linux Basics” one I put together and said it would be a useful thing to stick on my blog… so here it is. 🙂

Note: Please forgive any odd formatting, it is taken from a wiki.

File System

/ : root of the file system; contains all devices and directories

/root : the root user's home directory

/home : all other users' home dirs reside in here

/boot : All the kernels and boot specific info

/tmp : temporary files are stored here; it is commonly world writable, so keep an eye on it

/dev : on Linux even hardware devices are part of the file system; they are stored here

/bin : executables that should be safe for normal users to run

/var : the system writes data here during its operation, commonly contains /var/lib/mysql and /var/www

/opt : optional software, 3rd parties stick stuff here

/sbin : system executables that only root should need

/proc : the OS uses this to keep track of everything on the system in real time. No need to muck around in here

/mnt or /media : this is where new file systems get mounted (CDs, floppies, flash drives)

/etc : all config files

FS NOTE: when tweaking configs do ‘cp something.conf something.conf.bk’ and tweak away. If you flub something up just ‘rm -f something.conf; mv something.conf.bk something.conf; service something restart’ and you're back up and running with your original config.
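As an added example (not code from the original post), here is the cp/mv backup routine from the note written as POSIX shell functions. The one thing it adds is an md5sum of the backup copy, recorded at backup time, so that a .bk file that was itself edited (or swapped) by someone else is not silently put back over the live config. The file name something.conf and its contents are constructed for the demo; restarting the service afterwards is left to the caller.

```shell
#!/bin/sh
# Added example, not from the original post: the cp/mv backup routine from the
# FS NOTE as reusable functions. backup_conf records an md5sum of the copy so
# restore_conf refuses to put back a backup that was itself modified.
# File names and contents below are constructed for the demo.

# backup_conf FILE : copies FILE to FILE.bk (keeping mode and timestamps) and
# records the copy's md5sum in FILE.bk.md5
backup_conf() {
    conf="$1"
    cp -p "$conf" "$conf.bk" || return 1
    md5sum "$conf.bk" | awk '{ print $1 }' > "$conf.bk.md5"
}

# backup_intact FILE : succeeds only if FILE.bk still matches the recorded md5sum
backup_intact() {
    conf="$1"
    [ -f "$conf.bk" ] && [ -f "$conf.bk.md5" ] || return 1
    recorded=$(cat "$conf.bk.md5")
    current=$(md5sum "$conf.bk" | awk '{ print $1 }')
    [ "$recorded" = "$current" ]
}

# restore_conf FILE : moves FILE.bk back over FILE (mv overwrites, so no rm -f is
# needed) and removes the checksum file; restarting the service is left to the caller
restore_conf() {
    conf="$1"
    if ! backup_intact "$conf"; then
        echo "backup for $conf is missing or was modified; not restoring" >&2
        return 1
    fi
    mv "$conf.bk" "$conf" && rm -f "$conf.bk.md5"
}

# Demo on a throwaway file in a temp directory (constructed content)
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/something.conf"
printf 'Listen 80\nServerName example.local\n' > "$demo_conf"
backup_conf "$demo_conf"
printf 'Listen 8080\n' > "$demo_conf"     # the "flubbed" edit
restore_conf "$demo_conf"
cat "$demo_conf"                          # back to the original two lines
rm -rf "$demo_dir"
```

`cp -p` keeps the original mode and ownership on the copy, which matters for files such as private keys or sudoers fragments where a restored copy with looser permissions would be its own problem.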

Basic commands

  • whoami : displays current user
  • top : displays the top CPU/memory eaters and system load, like Task Manager on Windows
  • ps : displays all processes running; ps aux is the most useful way to run it
  • wall “some text” : sends a broadcast message to all logged on users
  • man program : displays the ‘man page’ or manual for a given program. Uber useful. Use the space bar to page down and q to exit
  • program -h : displays the help for a given program, briefer than man
  • du -sh dirName : Displays the total size of a directory recursively
  • df -kh : displays total and available storage on all partitions for the system
  • locate filename : finds where a program or file is located on the system
  • w : displays who is ssh’ed in or logged in.
  • watch -n seconds command : runs a command every n seconds. Useful to watch who is online: watch -n 3 w
  • wget : gets a file via ftp, rsync, http, etc from a remote host.
  • netstat : displays all listening ports and active connections
  • ifconfig : used for listing network interface info and setting it
  • clear : clears the terminal
  • md5sum filename : displays the md5 checksum of the given file

additional command operators

| : the pipe is used to send the output of one command through another.
ps | more -- pauses ps
ps | grep ssh -- only display lines that contain ssh

; : used to "stack commands" or issue multiple commands on one line.
cd ..; ls

& : puts a command in the background. The shell will let you know when the command is finished.

> : writes what a given command would display on the screen to a text file
ls -alh /root > /root/myRoot.txt

>> : appends screen output to an existing file

File Permissions


Listing Permissions

ls -al will display all files in a list with their owners and permissions

-rw-r--r--   1 irq13 irq13 1006 Jan 24 10:16 .bashrc

Now to break down the above example…

-rw-r--r-- is the permissions area. The first character would be d if the item is a directory, otherwise it will be -. The next three characters indicate read/write/execute for the owner, the next three are r/w/x for the group and the last three are r/w/x for everyone else.

The next number is the inodes associated with the file. This isn’t important for the basics.

Next, irq13 irq13 indicates the file's owner and group.

Changing ownership of a file

chown username:groupname file

Changing permissions of a file

chmod XXX filename

chmod uses a numeric system for assigning permissions. XXX represents 3 digits. The first is the permissions applied to the owning user, the 2nd is the group, the 3rd is everyone else.
1: execute
2: write
3: write & execute
4: read
5: read & execute
6: read & write
7: read, write & execute

Remember that 777 is only to be used as a troubleshooting step to rule fs permissions out. NEVER leave a dir as 777. It's useful to do ‘ls -alh * > perm_capture.txt’ before messing with a file. That way you can restore its original permissions.
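As an added example (not code from the original post), the breakdown above implemented in POSIX shell: perm_to_octal turns the rwx column of an ls -l line into the three digits chmod takes, and world_writable walks a capture of the kind ‘ls -alh * > perm_capture.txt’ produces and reports every entry whose "everyone else" class can write, which is the quickest way to spot a directory someone left at 777. The listing it scans is constructed for the demo, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: convert the permission column of an
# `ls -l` line into the 3-digit octal form chmod takes, then scan a captured
# listing (the kind `ls -alh * > perm_capture.txt` produces) for entries that are
# writable by everyone. The listing below is constructed for the demo.

# perm_to_octal '-rw-r--r--' -> 644. The leading type character (d or -) is skipped;
# s/t in an execute slot count as execute (the setuid/setgid/sticky bits are not
# folded into a fourth digit here, matching the 3-digit form in the post).
perm_to_octal() {
    p="$1"
    [ "${#p}" -eq 10 ] || return 1
    result=""
    i=2
    while [ "$i" -le 8 ]; do
        r=$(printf '%s\n' "$p" | cut -c"$i")
        w=$(printf '%s\n' "$p" | cut -c"$((i + 1))")
        x=$(printf '%s\n' "$p" | cut -c"$((i + 2))")
        n=0
        if [ "$r" = "r" ]; then n=$((n + 4)); fi
        if [ "$w" = "w" ]; then n=$((n + 2)); fi
        case "$x" in x|s|t) n=$((n + 1)) ;; esac
        result="$result$n"
        i=$((i + 3))
    done
    printf '%s\n' "$result"
}

# Constructed sample capture (not a real system's listing)
SAMPLE_LISTING='-rw-r--r--   1 irq13 irq13 1006 Jan 24 10:16 .bashrc
drwxrwxrwt   5 root  root  4096 Jan 24 10:20 tmp
-rwxrwxrwx   1 www   www    512 Jan 24 10:18 upload.cgi
-rwsr-xr-x   1 root  root   52K Jan 24 10:19 passwd_helper
drwxr-x---   2 irq13 irq13 4096 Jan 24 10:17 private'

# world_writable LISTING -> one line "name octal" per entry whose "everyone else"
# class has the w bit (position 9 of the mode string); sticky dirs like /tmp are
# tagged so the reviewer knows deletion there is limited to the file owner.
world_writable() {
    printf '%s\n' "$1" | while read -r mode links owner group size mon day time name; do
        case "$mode" in
            ????????w?)
                tag=""
                case "$mode" in *t|*T) tag=" (sticky)" ;; esac
                printf '%s %s%s\n' "$name" "$(perm_to_octal "$mode")" "$tag"
                ;;
        esac
    done
}

# Demo: the .bashrc line from the post, then the world-writable entries in the sample
perm_to_octal '-rw-r--r--'
world_writable "$SAMPLE_LISTING"
```

Run it against a real capture with `world_writable "$(cat perm_capture.txt)"`; anything it prints that is not a sticky temp directory is worth a second look, and the octal it prints beside the name is exactly what you hand back to chmod when restoring.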


Files also have attributes, similar to the ones found in the Windows world.

lsattr filename : Lists the attributes of a file or directory

chattr +-=[ASacDdIijsTtu] filename

to add an attribute use +, to remove use -

File Attributes

append only (a)
compressed (c)
no dump (d)
immutable (i)
data journaling (j)
secure deletion (s)
no tail-merging (t)
undeletable (u)
no atime updates (A)
synchronous directory updates (D)
synchronous updates (S)
top of directory hierarchy (T)

Use man chattr for an explanation of each attribute

launching scripts and bins

  • If an executable file is in your path you may simply type its name from anywhere on the system and it will execute.
  • To see what your path is type ‘echo $PATH’
  • To execute a file in the current directory type “./filename”
  • To execute a file it must have execute permissions for either your username or a group you belong to.

User Management


useradd userName

then run “passwd userName” to set the new user's pw


passwd username

will ask for the new pw twice

Service/Daemon Management

restarting/stopping/starting a service

On any init.d based linux distro you can restart a service with the following…

/etc/init.d/serviceName restart

You may replace ‘restart’ with ‘stop’ or ‘start’ (and in some cases ‘status’).

Forcefully stopping a service

killall processName

Killing one instance of a service

kill pid

The pid can be gathered by either top or ps

Disabling/adding/listing services

chkconfig --list

displays all the services and whether they are set to run in the different runlevels.
Use --del daemonName to remove a service or --add daemonName to add one

setting a program to run at startup

Add a line executing the command at the end of /etc/rc.local

File Manipulation

Editing Text Files

vi is by far the best text editor but has a learning curve to it. If you want simplicity use nano

display a text file from the command line

cat filename


more filename

Display the last few lines of a text file

tail filename

or you can display the last 50 lines of a file with…

tail -50 filename

or you can display lines as they are written to a file (or follow) with the following: (UBER useful for log files)

tail -f filename

copy a file

cp filename destination

move a file

mv filename destination


delete a file

rm -f filename : removes the file. -f makes it so it doesn’t ask you if you are sure

Displaying the differences between two files

diff file1 file2

Installing crap

On redhat derived systems (RedHat, Fedora, CentOS, Rocks, Mandrake, etc) yum is your package manager.

yum install appname : installs the application from the remote yum repository

yum search appname : does a search on the repository for a given program

yum remove appname : uninstalls an app

use ‘man yum’ for a complete list


tar.gz or .tgz is the most common compression found in the Linux world; that is tarred (Tape ARchive) and gzipped. Sometimes called “tar balls”.

tar -xzf file.tgz : will X’trackt a tar/gzip file.

tar -czf myfile.tgz someDir : will create a tarred and gzipped archive of the given directory

gunzip : un-gzips a file

unzip : unzips a .zip file

Linux Security

Read this SANS checklist (www) (pdf) and install Bastille Linux.

TippingPoint UnityOne Super User (root) Password Reset

Last night after doing about 20 google searches for every possible combination of words I was unable to locate the procedure on how to reset the root password on a tipping point IPS.

I was also unable to locate any sort of online manual.

I am making this post in hopes that google indexes it and it helps others that are attempting to do the same thing I was trying.

1. Attach a serial cable to the management port on the front of the unit. (set it to 153,000 bps)

2. Reboot the IPS. Obviously this will kill all traffic that would normally flow through the unit, so schedule it!

3. After it displays the “Tipping Point” ascii logo it will say “Loading”. Within 3 seconds of that type “mkey” and hit enter.

4. You will be prompted for a default security level, username and new password.


Microsoft’s .ANI Fix Timeline

Microsoft announced today that it will issue an urgent, out of cycle patch for the ‘recent’ animated cursor vulnerability (CVE-2007-0038)… a whole week ahead of its precious and ill-conceived patch tuesday.

Some would claim that this an example of Microsoft doing the right thing, getting urgent issues resolved quickly and cutting through their own patching release cycle. Upon closer examination you will find this to be false.

This vulnerability affects all versions of MS Internet Explorer and Windows. All an attacker would have to do is embed a malicious animated cursor into a web page and anyone who visits the page is ‘auto-attacked’. It's important to keep in mind that sites like myspace allow anyone to modify their own pages and embed anything they like. It's also important to remember that hackers take over legitimate, commercial sites and embed their nasties. They get more bang for their buck that way.

To support my belief that MS is still only talking big and not following through, I present to you the time-line.

December 2006 – Determina discovers .ANI 0-day vulnerability and reports its findings to Microsoft
March 23 2007 – Microsoft releases MSIE patch MS05-020 to fix vulnerabilities related to this. This patch was shoddy and still allowed exploitation of this specific vulnerability
March 26 2007 – Security researchers start to see exploits for this vulnerability in the wild
March 27 2007 – Determina releases their own ‘3rd party’ patch to mitigate this vulnerability
March 30 2007 – eEye follows suit and releases their own patch
April 3 2007 – Microsoft releases MS07-017 ‘out of cycle’ to patch this bug

Exposure Times
System exposure since discovery: 93 days*
System exposure since active exploits discovered: 8 days

*This is a conservative estimate. The article states “In December 2006”. For fairness' sake this figure assumes 12/31/06, but the figure could in fact be as large as 123 days if it was discovered 12/01/06


Technician Error Costs TaxPayers $200,000 and Illustrates Lack of Procedures

I just read an article that illustrates how basic planning and proper implementation of procedures could have saved us tax payers $200,000.

Source: CNN

A computer technician reformatting a disk drive at the Alaska Department of Revenue. While doing routine maintenance work, the technician accidentally deleted applicant information for an oil-funded account — one of Alaska residents’ biggest perks — and mistakenly reformatted the backup drive, as well.

There was still hope, until the department discovered its third line of defense had failed: backup tapes were unreadable.

“Nobody panicked, but we instantly went into planning for the worst-case scenario,” said Permanent Fund Dividend Division Director Amy Skow. The computer foul-up last July would end up costing the department more than $200,000.

Now, you may ask: “How could this have been avoided?”

The answers are simple, “separation of privileges” and “regular backup validation”.

In this article it was mentioned that the data contained on the drive was for “an account worth $38 billion”.  So for data that is that important and that valuable, why do they only have one backup tape?  If they do only have one backup tape why wasn’t it validated?

The “separation of privileges” is a security concept that you often see demonstrated in movies when a government is about to launch a rocket into space or a nuke. Either two people have two separate keys to launch, or one person has a key and another a secret code. This is a valuable security concept because it ensures that no single person is responsible for the launch of a nuke.

In this case the technician (most likely ex-technician by now) should have only had file system permissions to either the data drive or the backup drive, but not both.

I thought the U.S. government invented these concepts?  Why is it that they don’t follow them?

ColdFusion MX 7 2007 DST Update Instructions on Linux

What I have dubbed Y2k7DST went off (almost) without a hitch. All the hundreds of patched machines seemed to roll over properly… for the most part.

The one thing that completely slipped my mind was ColdFusion. Maybe because I haven’t coded in it in so long or maybe it was because I assumed it got its time hooks from the OS.

In any case, ColdFusion MX 7 needs to have the JVM updated to accommodate the new (<sarcasm> and infinitely wise </sarcasm>) daylight savings time change.

The ‘details’ of this update can be found in Adobe TechNote: d2ab4470

The install instructions are a bit scattered so, because I’m such a nice guy, I have summarized them here for the lazy or uninitiated. These instructions are only what you need to get CFMX7 updated. Because of this you should read the accompanying instructions so you know what you are doing. And as always I take no responsibility if anything mucks up during this process.

ColdFusion MX 7 2007 DST Update Instructions for Linux:

1. SSH to your web server and pull up a root shell or sudo all of the following.
2. Download the TZupdater from
3. Create an account, login or use to get the file.
4. Because the sunsite uses a special download application, you need to download the patch to your local workstation and scp/ftp the file to your server.
5. Change to the directory you downloaded the to.
6. unzip; cd tzupdater-1.1.0-2007c
7. /opt/coldfusionmx7/bin/coldfusion stop
8. /opt/coldfusionmx7/runtime/jre/bin/java -jar tzupdater.jar -u
9. /opt/coldfusionmx7/bin/coldfusion start

That should be it. Test it to be sure it worked.

The 10 Most Hilarious Terms in Information Security

1. Salami attack

What’s it mean?
A salami attack is a series of minor data-security attacks that together results in a larger attack. For example, a fraud activity in a bank where an employee steals a small amount of funds from several accounts, can be considered a salami attack. (source: wikipedia)
Why is it so hilarious?
Think SuperMan or Office Space. Now say “Salami attack” aloud and try not to snicker. See, I told you it was funny.

2. Cyberwoozle

What’s it mean?
This refers to the practice of siphoning data from users’ PCs as they surf the ‘net. (source:
Why is it so hilarious?
As best as I can remember a woozle is a weasel-like creature that was friends with the heffalumps and arch enemy to Winnie the Pooh in the 80’s cartoon series. But this one would be upgraded with mechanized parts. Hence the ‘cyber’ prefix.

3. Smurf Attack

What’s it mean?
The Smurf attack works by spoofing the target address and sending a ping to the broadcast address for a remote network, which results in a large amount of ping replies being sent to the target. (source:
Why is it so hilarious?
Call me a child of the 80’s but this is one attack that I have a hard time taking seriously simply because of its name. It always conjures up images of Gargamel and Smurfet.

4. Sheep Dip

What’s it mean?
A computer that is isolated from a business core network used to screen incoming digital devices. They will often contain multiple malware scanners and egress packet detection. (source: wikipedia)
Why is it so hilarious?
Just picture it in literal terms and try not to laugh. In my head I always see a sheep being lowered into a vat of… something… by a crane with a leather strap holding the sheep up. That’s funny stuff.

5. OikMaster

What’s it mean?
A script that will help you update and manage your Snort rules. (source: oikmaster site)
Why is it so hilarious?
For starters it has the word oink in it. Call me juvenile, but that’s funny. If you compound oink (the sound a pig makes) with a mastery of it, that’s just downright hilarious.

6. chaffing and winnowing

What’s it mean?
Chaffing and winnowing are dual components of a privacy-enhancement scheme that does not require encryption. The technique consists of adding false packets to a message at the source (sender end of the circuit), and then removing the false packets at the destination (receiver end). The false packets obscure the intended message and render the transmission unintelligible to anyone except authorized recipients. (source:
Why is it so hilarious?
Not a single term, but rather a strange situation in which two terms are tied to a single concept, and both of them are downright hilarious. Chaffing on its own means “To make fun of in a good-natured way; tease.” Good-natured teasing is humor based and… I’m grasping at straws here… besides, it sounds funny.

7. Port Swigger/Burp Suite

What’s it mean?
Burp suite is an integrated platform for attacking web applications (source:
Why is it so hilarious?
Now this is a project that doesn’t take it too seriously. It was previously known as Port Swigger, which, I guess, means to rapidly drink a port (or data from a port) and I’m sure Burp needs no explanation.

8. Diffie-Hellman

What’s it mean?
A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography. (source:
Why is it so hilarious?
I’d like to immediately apologize to Whitfield and Martin for making light of their last names, but when you combine them it just sounds silly. This is another one that has to be said aloud to be appreciated. Hearing it conjures images of rotten mayonnaise. Maybe I’m just warped.

9. Fuzzing

What’s it mean?
The use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities. Also see “regression testing”. (source:
Why is it so hilarious?
Think puppies and kittens with their tickley softness.

10. Honeymonkey

What’s it mean?
Automated system simulating a user browsing websites. The system is typically configured to detect web sites which exploit vulnerabilities in the browser. Also known as Honey Client. (source:
Why is it so hilarious?
Monkeys are, by default, funny. They do human things, make funny faces and fling poo. Cover them in honey and you have a sure-fire recipe for hilarity. Try it, you won’t be disappointed.

MacBook Pro Networking Issue

Today while working feverishly I have had my MBP shut down 3 times for no apparent reason. The power adapter is plugged in and I am using the wired ethernet.

The shutdowns occurred when I had wandered away from the machine for a few minutes and was not actively using it. I have no sleep mode set to kick in when the power is plugged in, and the last time it happened was during a 3 minute phone call (I checked my phone to be certain).

About an hour later I lost network connectivity altogether. I checked ipconfig and it was reporting I had a 169.* ethernet address. This is the default when it can’t contact a DHCP server. After renewing my DHCP lease a few times I gave up and rebooted. This did the trick.

On digging through the logs I see this…

kernel[0]: ar5212GetPendingInterrupts: fatal error, ISR_RAC=0x8402c ISR_S2_S=0x10000
kernel[0]: AppleYukon: error – Uncorrectable PCI Express error

Has anyone else experienced this?

I found a couple hits on google but nothing with a definitive resolution.

Security Basic Training: The CIA Triad

Information Security is a game of tradeoffs. The most common way these tradeoffs are represented is the CIA Triad. It is often visually represented as a triangle with the three tenets (concepts, principles, whatever) written across each side. Then as the security of your project is being evaluated a dot will be drawn on each side of the triangle relative to the (evaluator's perceived) level of each tenet.

In most cases the goal is to find an absolute balance so that the evaluation of your proposed security solution has dots in the exact center of each of the three sides. The idea is as security (confidentiality and integrity) is increased the availability (usability) will go down. In cases that require high security, this is absolutely acceptable.

The triad is broad and flexible enough that it can generally be used to gauge any product, project, problem or system. Because of this, the three tenets can often mean different things in different situations. I will explain them in the most general terms that will apply to most situations, but be aware that this is in no way exhaustive.

Confidentiality: Confidentiality is all about keeping things that are supposed to be secret… well… secret. Safeguards that would fall into this category include cryptography and anti-spyware. Attacks against confidentiality include sniffing, key logging and cryptanalysis.

Integrity: In the world of information security this is most generally likened to authentication. Non-repudiation is essentially what this one is all about. This can mean either proving you are who you say you are or the file has been unaltered. Other examples of how integrity comes into play in information security include code signing, file checksums, logins and biometrics or using PGP to digitally sign emails.

Availability: When most IT administrators think of the word ‘availability’ the first term that pops into their head is ‘up-time’. To be available is to be accessible by users. While that is still true in this case, it is also only a very small part of the availability definition. This is the one that often gets pushed lower as integrity and confidentiality get pushed higher. Availability can also be thought of as usability. How easy or hard is it for the end user to utilize your system.

Examples of situations that you could benefit from using the CIA triad could range from a user requesting to use their personal laptop at work to individual pieces of a new password policy.

A good example that was recently presented to me was the ballad of Bob (obviously not his real name). Bob works for Company A and Company B (obviously not the real companies, either) and splits his time between both with his laptop. Bob physically works from both offices and needs to access resources on the Active Directory domain of each company. Unfortunately, no trust relationship exists between these two domains.

The IT staff came to me with this dilemma and had three possible solutions; they wanted my input on which is the most ‘secure’.

Solution 1. Set Bob up with a network account under each Active Directory domain: have him log in to whichever one he needs access to at the time. Although he may be physically working from Company A, he will likely still need to access resources from Company B and vice versa. Although this will allow both companies to stay in line with their security policy regarding expiring passwords and maximum password age, it introduces problems with file synchronization and having to log in and out multiple times per day. Bob would likely perceive this to be a pain in the butt.

Solution 2. Create a local profile on Bob’s laptop and have him manually map to the resources he needs access to, and set his passwords to never expire on both domains. Bob would likely really like this solution as it involves less work and inconvenience for him. As you can see from the associated figure it would bring accessibility up on the triad while increasing the risk due to no password expiration.

Solution 3. Because Company A and Company B are both bound by internal and industry regulations regarding maximum password age, a third (hybrid) solution was developed. This involves Bob working from a local profile (as seen in solution 2) but having to log into each domain once per password cycle to change his passwords before expiration. As you can see by the figure, this provides an acceptable level of risk and accessibility.

From the above example you can see that, even if you aren’t an information security professional, knowing and applying the CIA Triad is a good way to evaluate technology choices and serves as a visual way to back up your decisions to management. Without much explanation management grasps why you would want the balance in the picture and will be more willing to follow your advice.

I Give Up.

‘I give up’ is not a phrase you will hear from me all that often. But I just can’t take any more. Novell has me at my wits' end. I can’t believe people use this with any sort of reliability.

Throughout my months of toying with it I have had issues and stopping blocks with each and every component. Some servers require many, many components to effectively work.

Here’s a brief run down of just a couple of the annoyances:

Updates and patches come rapid fire (about two per day) and often leave the system broken. I have had them cause dependency issues each time I have applied them. This will do crazy stuff from switching the physical network card that eth0-2 are assigned to, to outright breaking NSS. In fact, every update I have run broke NSS. You just can’t have that in a production environment. Technically you could script an auto-updater, however, per Novell support “Automating the updates might have its own risks […] because of that, rug doesn’t have a --force option the way RPM does.”

Things that should be done by installers must be done manually. A great example of this is having to manually enable remote administration of a GroupWise server. For example, you need to share out /usr/local/gw using samba. But first you have to install and configure samba. That’s essentially all the docs say on the subject: ‘install samba’. Not ‘Download package X, install it using command Y, tweak this directive in X.conf, and so on’. So I installed Samba from source. After struggling to get it integrated into the eDirectory I discovered Novell-Samba. Who knew, they just said ‘Install samba’.
The install process for the OS and packages drives me insane! The OES cd set consists of 10 CDs. During the initial install you are asked to supply almost all 10 CDs in varying order and you have to re-insert a number of them multiple times. It also asks for the Suse Core 2 CD2 and 3. Which end up being the Suse Linux Enterprise Server disk 3 and 4. I figured that out just out of desperation and feeding it random CDs.

The documentation is lacking. It assumes that all Novell customers are intimately familiar with Novell terminology and technology (see previously mentioned GroupWise/samba example).

GroupWise acts as an open relay by default and no settings changes will help that. Users hate the GroupWise client, the outlook plug-in makes Outlook buggy and slow. The cross platform GroupWise client (Linux and Mac) is really bad. The only way to remedy this is to purchase an expensive third party app

I purchased the only (at the time) official Novell Press book for Open Enterprise entitled “Open Enterprise Server, Administrators Handbook, Suse Linux Edition”. Being the only official book I assumed it would be comprehensive and cover anything and everything relating to OES. What I found was that it is entirely based on a pre-release version of OES and a large number of important things have changed since it was published. In fact, a couple of things the book tells you to do regarding updates will break an otherwise happy server.

Overall I would just like Novell to hammer all these things out, test thoroughly and make the docs useful. Don’t assume everyone using the product is a 15 year Novell-Netware veteran.

A Crash Course in Active Directory



Uses DNS for name resolution

WINS and NetBios aren’t needed unless a legacy app requires it

AD’s Tree is called the ‘Directory Information Tree’ (DIT)

It is based on the ‘Extensible Storage Engine’ (ESE)

AD Consists of two types of objects. Containers and non-containers (or leaf nodes)

All objects have a ‘Globally Unique Identifier’ (GUID)

Hierarchical paths in AD are known as ‘ADsPaths’

ADsPaths are normally referred to using LDAP standards

An ADsPath starts with a 'programmatic identifier' (progID) followed by ://. Each part is separated with a comma and prefixed with dc= (dc stands for domain name component).
prl.pbb.local becomes LDAP://dc=pbb,dc=pbb,dc=local

A distinguished name (DN) is used to reference an object in a DIT

A relative distinguished name (RDN) is used to reference an object within its parent container

To reference Alice's object in the prl_biz OU within the prl OU it would look like this:
LDAP://cn=albin,ou=prl_biz,ou=prl,dc=pbb,dc=pbb,dc=local

The available RDN attribute types are as follows

CN = Common Name
L = Locality
ST = State or Province Name
O = Organization Name
OU = Organization Unit
C = Country
STREET = Street address
DC = Domain Component
UID = User ID
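As an added example (not from the original notes), the ADsPath rules above as small POSIX shell functions: dns_to_dn applies the rule literally (each DNS label prefixed with dc=, parts joined by commas), adspath puts the progID and :// in front, object_dn builds a DN from a CN and its chain of OUs, and rdn_of/parent_of split a DN into the relative distinguished name and the container it lives in. The domain corp.example.local, the user alice and the OUs sales and emea are constructed names, not taken from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: build and take apart LDAP DNs /
# ADsPaths following the rules in the notes. Names below are constructed.

# dns_to_dn corp.example.local -> dc=corp,dc=example,dc=local
dns_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# adspath PROGID DN -> PROGID://DN   (LDAP for a domain controller; the notes
# use GC as the progID for the Global Catalog)
adspath() {
    printf '%s://%s\n' "$1" "$2"
}

# object_dn DOMAIN_DN CN [OU ...] -> DN for CN, OUs given innermost first
# object_dn "dc=corp,dc=example,dc=local" alice sales emea
#   -> cn=alice,ou=sales,ou=emea,dc=corp,dc=example,dc=local
object_dn() {
    domain_dn="$1"
    dn="cn=$2"
    shift 2
    for ou in "$@"; do
        dn="$dn,ou=$ou"
    done
    printf '%s,%s\n' "$dn" "$domain_dn"
}

# rdn_of DN -> the relative distinguished name (first component)
rdn_of() { printf '%s\n' "${1%%,*}"; }

# parent_of DN -> DN of the parent container (everything after the first comma)
parent_of() { printf '%s\n' "${1#*,}"; }

# explain_dn DN -> one line per component with the attribute type spelled out,
# using the table from the notes
explain_dn() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS='=' read -r type value; do
        case "$(printf '%s' "$type" | tr 'a-z' 'A-Z')" in
            CN)     label="Common Name" ;;
            L)      label="Locality" ;;
            ST)     label="State or Province Name" ;;
            O)      label="Organization Name" ;;
            OU)     label="Organization Unit" ;;
            C)      label="Country" ;;
            STREET) label="Street address" ;;
            DC)     label="Domain Component" ;;
            UID)    label="User ID" ;;
            *)      label="unknown" ;;
        esac
        printf '%-6s %-24s %s\n' "$type" "$label" "$value"
    done
}

# Demo with constructed names
domain_dn=$(dns_to_dn corp.example.local)
adspath LDAP "$domain_dn"
alice_dn=$(object_dn "$domain_dn" alice sales emea)
printf 'object: %s\nrdn:    %s\nparent: %s\n' "$alice_dn" "$(rdn_of "$alice_dn")" "$(parent_of "$alice_dn")"
explain_dn "$alice_dn"
```

The splitting here is on bare commas, which is enough for the simple DNs in the notes; a real DN can carry an escaped comma inside a value (for example a CN such as "Smith\, Alice"), so a parser meant for arbitrary directory data has to honour that escaping before splitting.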

domains and domain trees

A domain controller (DC) can be authoritative for one and only one domain.

Containers (the object type) may contain other container objects as well as leaf nodes.

An OU is the other type of container and can have group policies applied to it, and a container (the object) can not.

Each forest has a child container called ‘Configuration’ which has a child container called ‘Schema’

Global Catalog (GC)

Used to perform forest wide searches

Accessed via LDAP on port 3268

Uses progID of GC://

The GC is read-only and can not be directly updated

Objects available in the GC are members of the PAS (Partial Attributes Set)

To add/remove attributes use the AD Schema snap-in for mmc

Flexible Single Master of Operations (FSMO – pronounced fizmo)

Certain actions in the forest/domain will only be done by the FSMO regardless of how many other DC’s you have.

Schema Master (forest-wide) : only machine allowed to make schema changes. Changes made on other DCs will be referred to the FSMO
Domain Naming Master (forest-wide)
PDC Emulator (domain-wide) : PW synching and PDC legacy compatibility. Browser Master
RID Master (domain-wide) : Relative ID Master. All security principals have a Security Identifier (SID).
Infrastructure Master (domain-wide) : maintains cross-domain object references (phantom references). User is in domain A but a member of a group in domain B

NTDSUTIL : how to: [1], download: support pack [2]. Allows transfer of FSMO roles to other DCs. If the FSMO server dies you can ungracefully force the role to another DC -- known as 'seizing' the role. [3]


Groups have 3 scopes…

 Domain Local: membership available only within domain.  May contain other groups (admin group)

 Domain Global: membership available only within domain. Used to define roles (enterprise admin, backup admin, exchange admins, sql admins, etc.)

 Universal: Forest Wide

2 types…

 distribution: generally used as messaging lists for email and im (exchange distro lists)

 security: the SID is passed as an auth token

The type of a group may be converted at any time.

Naming Contexts (NC) and Application Partitions

Breaks up replication between DCs. Can be based on political, geographic or bandwidth-related things.

Consists of 3 predefined naming contexts, each represents a different aspect of AD data.

 Configuration NC: (forest) holds data pertaining to LDAP, Exchange, subnets

 Schema NC: (forest) defines types of data AD can store

 Domain NC: (domain) domain specific: users, groups, computers, etc.

 Application Partitions: User defined NCs.  Can not contain security principals

To retrieve a list of NCs you query the RootDSE entry.

LDAP util : how to: [4], download: support tools [5]. LDAP util can be used to view the RootDSE entry. Connection -> Connection -> enter name of DC

… incomplete


The schema is located under the configuration container. It is the blueprint for data storage in AD. Each object has a corresponding class, e.g. the user class and the user object type.

 Active Directory Service Interfaces (ADSIEdit) : how to: [6], download: support tools [7]. The schema can be viewed using an AD viewer such as ADSIEdit (MMC snap-in) or LDP

Schema is made of two types of ad objects…


… Very Incomplete


Note: details regarding cross-domain replication omitted.

Connection Objects define what DCs replicate with each other and how often. Generally managed by the DC

Knowledge Consistency Checker (KCC) is what generates the connection objects.

 RepAdmin : how to: [8]. Command line tool for administering replication
 ReplMon : how to: [9]. Graphical util for managing and monitoring replication

Each DC maintains its own separate ‘Update Sequence Number’ (USN). It is a 64-bit value assigned to each update transaction. Each update increments the USN value, like the serial number in DNS.

Each DC maintains its highest combined USN for all NCs in the highestCommittedUSN value of the RootDSE. The values are always different from DC to DC for a given replication.

If the time on a DC is off by 5 minutes or more it will not be able to replicate.

 Originating Update (write) : The point of origin for an update (on which DC was this update made)
 Replicated Update (write) : A change that did not originate on the DC in question.

Each DC has a GUID called the DSA GUID. It is used to uniquely identify a DC and is the objectGUID of the NTDS settings object for the DC in the configuration container.

The High-Watermark Vector (HWMV) is a table maintained independently by each DC. It keeps info on where a DC last left off when replicating the NC with a specific partner.

The up-to-dateness vector (UTDV) is a table maintained independently by each DC. It is used for replication dampening to reduce traffic and endless replication.

An example of how an object is modified during replication…

1. A user is created on serverA.
2. The object (user) is replicated to serverB.
3. The object is subsequently modified on serverB.
4. The new changes are replicated back to serverA.

1. Creation of the object on serverA
  1. values are set to the defaults defined for user creation
  2. the user's USN is set to 1000 (the USN of this transaction)
  3. version number is set to 1
  4. timestamp is set to the time of creation
  5. originating-server GUID is set to the GUID of serverA
  6. originating-server USN is set to 1000 (USN of this transaction)
2. Replication of the object to serverB
  serverB adds a copy of the object as a replicated write. USN 2500 is assigned to the object. This value is written to the USNCreated and USNChanged attributes of the object.
3. Password changed for the user on serverB
  1. password value is set
  2. the password's USN is set to 3777 (USN of this transaction)
  3. the user's version number is set to 2
  4. timestamp is updated
  5. originating-server GUID is set to the GUID of serverB
  6. originating-server USN is set to 3777 (USN of this transaction)
4. Password change replicated to serverA
  serverA generates a transaction USN of 1333. USNChanged is set to 1333. Originating-server GUID is set to that of serverB.
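As an added illustration (not from the original notes), a small Python model of the replication metadata walked through above: per-attribute version, originating DSA GUID, originating USN and local USN, plus a simplified up-to-dateness vector used for dampening. The DN, attribute values and the "unrelated transactions" gaps are constructed so the USNs land on 1000, 2500, 3777 and 1333 as in the notes.

```python
import uuid
from dataclasses import dataclass

@dataclass
class AttrMeta:                     # per-attribute replication metadata
    version: int
    originating_dsa: uuid.UUID      # DSA GUID of the DC where the write originated
    originating_usn: int            # USN of that transaction on the originating DC
    local_usn: int                  # USN of the transaction on this DC

class DC:
    def __init__(self, next_usn):
        self.dsa_guid, self.usn = uuid.uuid4(), next_usn - 1   # usn == highestCommittedUSN
        self.objects = {}           # dn -> {"attrs", "meta", "usnCreated", "usnChanged"}
        self.utdv = {}              # up-to-dateness vector: DSA GUID -> highest originating USN seen
    def _apply(self, dn, attrs, metas):  # one local transaction, one USN
        self.usn += 1
        obj = self.objects.setdefault(dn, {"attrs": {}, "meta": {}, "usnCreated": self.usn})
        obj["attrs"].update(attrs)
        obj["meta"].update(metas)
        obj["usnChanged"] = self.usn
        return self.usn
    def originating_write(self, dn, changes):
        usn, old = self.usn + 1, self.objects.get(dn, {"meta": {}})["meta"]
        metas = {a: AttrMeta(old[a].version + 1 if a in old else 1, self.dsa_guid, usn, usn)
                 for a in changes}
        self.utdv[self.dsa_guid] = usn
        return self._apply(dn, changes, metas)
    def replicate_from(self, partner, dn):
        # Pull dn from partner as a replicated write; returns the attributes applied.
        src = partner.objects[dn]
        new = {a: m for a, m in src["meta"].items()                        # dampening via UTDV:
               if self.utdv.get(m.originating_dsa, 0) < m.originating_usn}  # skip updates already seen
        if not new:
            return []
        usn = self.usn + 1
        metas = {a: AttrMeta(m.version, m.originating_dsa, m.originating_usn, usn) for a, m in new.items()}
        self._apply(dn, {a: src["attrs"][a] for a in new}, metas)
        for m in new.values():
            self.utdv[m.originating_dsa] = max(self.utdv.get(m.originating_dsa, 0), m.originating_usn)
        return sorted(new)

def walkthrough():   # the four steps above; DN and attribute values are constructed
    dn = "CN=jdoe,CN=Users,DC=example,DC=test"
    a, b = DC(1000), DC(2500)
    a.originating_write(dn, {"sAMAccountName": "jdoe", "unicodePwd": "initial"})  # 1. USN 1000 on A
    b.replicate_from(a, dn)                                                       # 2. USN 2500 on B
    b.usn = 3776                         # unrelated transactions on B in between
    b.originating_write(dn, {"unicodePwd": "changed"})                            # 3. USN 3777 on B
    a.usn = 1332; applied = a.replicate_from(b, dn)                               # 4. USN 1333 on A
    return a, b, applied
```

After step 4 a second pull in either direction applies nothing, because each DC's up-to-dateness vector already records the other's highest originating USN.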

… Incomplete (missing conflict resolution section)

AD and DNS

DC Locator

Resource Records used to AD

Delegation Options

… incomplete (duh)


A profile is created on each computer a user logs into. It is %systemDrive%\Documents and Settings\%userName%

It creates various data files including NTUSER.DAT. This file contains the user portion of the registry. This includes the screen saver, wallpaper, myDocuments location, etc.

Settings specific to the computer in question are also applied to the user via the AllUsers\NTUSER.DAT on the given machine.

You use the ADUC (Active Directory Users and Computers) tool to set the roaming profile info for a given user.

To have the profile deleted from the local machine upon logout set the following key on the computer (computer and teaching labs!)…


With a server based default user profile you can add icons to the desktop, bookmarks, etc. It should exist under the NETLOGON share.

Group Policy

Group Policies are referred to as GPOs or group policy objects. They contain a large amount of configuration info that is applied to all users automatically.

 Group Policy Management Console (GPMC) : howto: [10]. Allows for editing, viewing resultant set of policies (RSOP) and running reports.

The three states a policy item can exist in are enabled, disabled or not configured. Not configured is the default for everything.

The structure of the templates in the editor looks like…

 User Configuration
  Software Settings
  Windows Settings
  Administrative Templates
 Computer Configuration
  Software Settings
  Windows Settings
  Administrative Templates

These are generated from the Administrative Template (ADM) files in the system volume.

By default workstations and member servers refresh GPOs every 90 minutes and DCs every 5 minutes.

On non-DCs 1 to 30 minutes (randomly generated) will be added to the refresh time to avoid everyone checking in at once.

GPOs allow admins to remotely deploy applications to users OR computers. MSI packages are the only way this works.

MSIs can be modified for the environment. This process is known as creating a ‘transform’.

You can set an MSI to auto-install when someone attempts to open a file with an extension that an MSI app can read.

If an install is assigned to the user portion of the GPO it will install when the user logs into a machine and uninstall upon log off. If it's installed to the computer it is available to any user who logs into it.

 MS Windows Installer : howto: [11]. Used to generate MSI files
 Install Shield : site: [12]. The best of the installer maker tools. 3rd party
 Installer Design Studio (scriptlogic) : site: [13]. The one scriptlogic makes. Looks very easy to use and is fairly inexpensive.
 Group Policy Settings Reference (document) : [14]
 Group Policy Homepage : [15]
 MSN docs for Group Policy : [16]

Backup, Recovery and Maintenance

Backing up AD

Restoring a DC

Restoring AD

FSMO recovery

DIT Maintenance

… Incomplete (duh)

Exchange Integration

… incomplete (duh)


Common admin tasks: [17]

Remote Administration: [18]

All information gleaned from…

Active Directory, 3rd Edition, O’Reilly Publishing. By: Joe Richards, Robbie Allen & Alistair G. Lowe-Norris