What Is Active Directory?
Active Directory is the directory service in
windows 2000 and 2003, consists of two parts—a centralized hierarchical database
and Service.
The
database contains all information about all objects and other resources on a
network.
And a service manages the database and enables
users of computers on the network to access the database.
The Active
Directory data store contains information about various types of network
objects, including printers, shared folders, user accounts, groups, and
computers.
The computers
that have a copy of the Active Directory data store, and that run Active
Directory are called domain
controllers.
A domain is a logical
grouping of networked computers in which one or more of the computers has
shared resources, such as a shared folder or printer, and in which all of the
computers share a common Active Directory data store.
The
three primary purposes of Active Directory are:
- To provide user
logon and authentication services
- To enable or
organize and manage user accounts, groups, and network resources
- To enable
authorized users to easily locate network resources, regardless of where
they are located on the network.
Features of Active Directory:
·
It provides fully integrated
security.
- It provides ease
of administration by using group policies.
- It makes
resources easier to locate.
- It is scalable
to any size network.
- It is flexible
and extensible.
ACTIVE DIRECTORY-2003
Easier Deployment and ManagementDomain Rename--- supports changing Domain Name System and/or NetBios name
ADMT Active directory migration tool version 2.0 migrates password from NT4 to 2000 to 20003
Schema Redefine--- Allows deactivation of attributes and class definitions in the Active directory schema
AD/AM--- Active directory in application mode is a new capability of AD that addresses certain deployment scenarios related to directory enabled applications
Group Policy Improvements----introduced GPMC tool to manage group policy
UI—Enhanced User Interface
Grater Security
Cross-forest Authentication
Cross-forest Authorization
Cross-certification Enhancements
IAS and Cross-forest authentication
Credential Manager
Software Restriction Policies
Improved Performance and Dependability
Easier logon for remote offices
Group Membership replication enhancements
Application Directory Partitions
Install Replica from media
Enhanced replication capabilities
Another significant change, particularly for larger environments, is a replication enhancement called linked-value replication for objects such as Active Directory group objects. In Windows 2000, a group's membership list was replicated as one single block of information. This led to a number of potential problems, such as the following:
Inconsistent replication. Consider this:
you have a group called DOMAIN\Finance. From Domain Controller A, you add the
jsmith user to the Finance group. What happens if, at precisely the same
nanosecond, your junior admin removed the bthomas user from the Finance group
while connected to Domain Controller B? Without linked-value replication, this
would create a replication conflict, which would either lead to jsmith being
added to the group and bthomas not being removed, or vice versa.
Replication delays. In Windows 2000,
Microsoft published a size limitation where you could not place more than 5,000
members in a single group object; more than this created significant
replication delays since the membership list was replicated as a single block.
Built-in command-line tools those were not available in Windows 2000.
·
dsadd -- allows you to create objects from the command
line
·
dsmove -- moves an object from one OU or container to
another within the same domain
·
dsrm -- will delete an object from Active Directory
·
dsquery -- will return an object or list of objects that
matches criteria that you specify
·
dsget -- will return one or more attributes of a particular
Active Directory object
Volume shadow copy service
NTFS journaling file system
EFS
Improved CHDSK Performance
Enhanced DFS and FRS
Shadow copy of shared folders
Enhanced folder redirection
Remote document sharing (WEBDAV)
DNS:
Possible to configure stub zones in windows 2003 DNS
Windows 2003 gives an option to replicate DNS data b/w all DNS servers in forest or All DNS servers in the domain.
Others:
Application Server mode is introduced in windows 2003
Volume shadow copy services is introduced
Active Directory can be backed up easily with System state data
Difference between FAT,NTFS &
NTFSVersion5
NTFS Version 5 features
Encryption is possible
We can enable Disk Quotas
File compression is possible
Sparse files
Indexing Service
NTFS change journal
In FAT file system we can apply only share level
security. File level protection is not possible. In NTFS we can apply both
share level as well as file level security
NTFS supports large partition sizes than FAT file
systems
NTFS supports long file names than FAT file
systems
IIS
Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant
process architecture isolates Web sites and applications into self-contained
units called application poolsHealth Monitoring---- IIS 6.0 periodically checks the status of an application pool with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time
Automatic Process Recycling--- IIS 6.0
automatically stops and restarts faulty Web sites and applications based on a
flexible set of criteria, including CPU utilization and memory consumption,
while queuing requests
Rapid-fail Protection---- If an application fails too often within a
short amount of time, IIS 6.0 will automatically disable it and return a
"503 Service Unavailable" error message to any new or queued requests
to the application
Edit-While-Running
- Difference
between NT & 2000
NT SAM database is a flat database. Where as in
windows 2000 active directory database is a hierarchical database.
In windows NT only PDC is having writable copy of
SAM database but the BDC is only read only database. In case of Windows 2000
both DC and ADC is having write copy of the database
Windows NT will not support FAT32 file system.
Windows 2000 supports FAT32
Default authentication protocol in NT is NTLM (NT
LAN manager). In windows 2000 default authentication protocol is Kerberos
V5.
Windows 2000 depends and Integrated with DNS. NT
user Netbios names
- Difference
between PDC & BDC
PDC contains a write copy of SAM database where as
BDC contains read only copy of SAM database. It is not possible to reset a
password or create objects with out PDC in Windows NT.
- Difference
between DC & ADC
There is no difference between in DC and ADC both
contains write copy of AD. Both can also handles FSMO roles (If transfers from
DC to ADC). It is just for identification. Functionality wise there is no
difference.
- What is
DNS & WINS
DNS is a Domain Naming System, which resolves Host
names to IP addresses. It uses fully qualified domain names. DNS is a Internet
standard used to resolve host names
WINS is a Windows Internet Name Service, which
resolves Netbios names to IP Address. This is proprietary for Windows
- Types of
DNS Servers
Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching only DNS
- If DHCP is not available what happens to the client
Client will not get IP and it cannot be
participated in network . If client already got the IP and having lease
duration it use the IP till the lease duration expires.
- what are the different types of trust relationships
Implicit Trusts
Explicit Trusts—NT to Win2k or Forest to Forest
- what is the process of DHCP for getting the IP address to the
client
There is a four way negotiation process b/w client
and server
DHCP Discover (Initiated by client)
DHCP Offer (Initiated by server)
DHCP Select (Initiated by client)
DHCP Acknowledgement (Initiated by Server)
DHCP Negative Acknowledgement (Initiated by server
if any issues after DHCP offer)
- What are the port numbers for FTP, Telnet, HTTP, DNS
FTP-21,
Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389
- what are the different types of profiles in 2000
Local Profiles
Roaming profiles
Mandatory Profiles
- what is the database files used for Active Directory
The key AD database files—edb.log, ntds.dit,
res1.log, res2.log, and edb.chk—all of which reside in \%systemroot%\ntds on a
domain controller (DC) by default. During AD installation, Dcpromo lets you
specify alternative locations for these log files and database files
NTDS.DIT
- What is the location of AD Database
%System root%/NTDS/NTDS>DIT
- What is the authentication protocol used in NT
NTLM (NT LAN Manager)
- What is
subnetting and supernetting
Subnetting is the process of borrowing bits from
the host portion of an address to provide bits for identifying additional
sub-networks
Supernetting merges several smaller blocks of IP
addresses (networks) that are continuous into one larger block of addresses.
Borrowing network bits to combine several smaller networks into one larger
network does supernetting
- what is the use of terminal services
Terminal services can be used as Remote
Administration mode to administer remotely as well as Application Server Mode
to run the application in one server and users can login to that server to user
that application.
- what is the protocol used for terminal services
RDP
- what is the port number for RDP
3389
Medium Level - what is the difference between Authorized DHCP and Non Authorized
DHCP
To avoid problems in the network causing by
mis-configured DHCP servers, server in windows 2000 must be validate by AD
before starting service to clients. If an authorized DHCP finds any DHCP server
in the network it stop serving the clients
- Difference between inter-site and intra-site replication. Protocols using for replication.
Intra-site replication can be done between the
domain controllers in the same site. Inter-site replication can be done between
two different sites over WAN links
BHS (Bridge Head Servers) is responsible for
initiating replication between the sites. Inter-site replication can be done
B/w BHS in one site and BHS in another site.
We can use RPC over IP or SMTP as a replication
protocols where as Domain partition is not possible to replicate using
SMTP
- How to
monitor replication
We can user Replmon tool from support tools
- Brief
explanation of RAID Levels
Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft
Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me),
Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows
XP. A disk initialized for basic storage is called a basic disk. A basic disk
contains basic volumes, such as primary partitions, extended partitions, and
logical drives. Additionally, basic volumes include multidisk volumes that are
created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets,
mirror sets, and stripe sets with parity. Windows XP does not support these
multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe
sets with parity must be backed up and deleted or converted to dynamic disks
before you install Windows XP Professional.
Dynamic Disk Storage
Dynamic storage is supported in Windows XP Professional, Windows 2000 and
Windows Server 2003. A disk initialized for dynamic storage is called a dynamic
disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned
volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic
storage, you can perform disk and volume management without the need to restart
Windows. Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers.
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard,
Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes.
A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic
disk to a dynamic disk. To do this, follow these steps: - Log on as Administrator or as a member of the Administrators group.
- Click Start, and then click Control Panel.
- Click Performance and Maintenance, click Administrative Tools, and
then double-click Computer Management. You can also right-click My
Computer and choose Manage if you have My Computer displayed on your desktop.
- In the left pane, click Disk Management.
- In the lower-right pane, right-click the basic disk that you want
to convert, and then click Convert to Dynamic Disk. You must right-click
the gray area that contains the disk title on the left side of the Details
pane.
- Select the check box that is next to the
disk that you want to convert (if it is not already selected), and then
click OK.
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more
disks. It can be formatted with a file system and assigned a drive letter.
Volumes on dynamic disks can have any of the following layouts: simple,
spanned, mirrored, striped, or RAID-5. A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.
RAID 0 – Striping
RAID 1- Mirroring (minimum 2 HDD required)
RAID 5 – Striping With Parity (Minimum 3 HDD
required)
RAID levels 1 and 5 only gives redundancy
- What are the different backup strategies are available
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
- What is a
global catalog
Global catalog is a role, which maintains Indexes
about objects. It contains full information of the objects in its own domain
and partial information of the objects in other domains. Universal Group
membership information will be stored in global catalog servers and replicate
to all GC’s in the forest.
- What is Active Directory and what is the use of it
Active directory is a directory service, which
maintains the relation ship between resources and enabling them to work
together. Because of AD hierarchal structure windows 2000 is more scalable,
reliable. Active directory is derived from X.500 standards where information is
stored is hierarchal tree like structure. Active directory depends on two
Internet standards one is DNS and other is LDAP. Information in Active
directory can be queried by using LDAP protocol
- what is the physical and logical structure of AD
Active directory physical structure is a hierarchal
structure which fallows Forests—Trees—Domains—Child Domains—Grand
Child—etc
Active directory is logically divided into 3
partitions
1.Configuration partition 2. Schema Partition 3.
Domain partition 4. Application Partition (only in windows 2003 not available
in windows 2000)
Out of these Configuration, Schema partitions can
be replicated between the domain controllers in the in the entire forest. Where
as Domain partition can be replicated between the domain controllers in the
same domain
- What is the process of user authentication (Kerberos V5) in windows
2000
After giving logon credentials an encryption key
will be generated which is used to encrypt the time stamp of the client
machine. User name and encrypted timestamp information will be provided to
domain controller for authentication. Then Domain controller based on the
password information stored in AD for that user it decrypts the encrypted time
stamp information. If produces time stamp matches to its time stamp. It will
provide logon session key and Ticket granting ticket to client in an encryption
format. Again client decrypts and if produced time stamp information is
matching then it will use logon session key to logon to the domain. Ticket
granting ticket will be used to generate service granting ticket when accessing
network resources
- what are the port numbers for Kerberos, LDAP and Global catalog
Kerberos – 88, LDAP – 389, Global Catalog – 3268
- what is the use of LDAP (X.500 standard?)
LDAP is a directory access protocol, which is used
to exchange directory information from server to clients or from server to
servers
- what are the problems that are generally come across DHCP
Scope is full with IP addresses no IP’s available
for new machines
If scope options are not configured properly eg
default gateway
Incorrect creation of scopes etc
- what is the role responsible for time synchronization
PDC Emulator is responsible for time
synchronization. Time synchronization is important because Kerberos
authentication depends on time stamp information
- what is TTL & how to set TTL time in DNS
TTL is Time to Live setting used for the amount of
time that the record should remain in cache when name resolution happened.
We can set TTL in SOA (start of authority record)
of DNS
- How to take DNS and WINS,DHCP backup
%System root%/system32/dns
%System root%/system32/WINS
%System root%/system32/DHCP
- What is
recovery console
Recovery console is a utility used to recover the
system when it is not booting properly or not at all booting. We can perform
fallowing operations from recovery console
We can copy, rename, or replace operating system
files and folders
Enable or disable service or device startup the
next time that start computer
Repair the file system boot sector or the Master
Boot Record
Create and format partitions on drives
- what is DFS
& its usage
DFS is a distributed file system used to provide
common environment for users to access files and folders even when they are
shared in different servers physically.
There are two types of DFS domain DFS and Stand
alone DFS. We cannot provide redundancy for stand alone DFS in case of failure.
Domain DFS is used in a domain environment which can be accessed by /domain
name/root1 (root 1 is DFS root name). Stand alone DFS can be used in workgroup
environment which can be accessed through /server name/root1 (root 1 is DFS
root name). Both the cases we need to create DFS root ( Which appears like a
shared folder for end users) and DFS links ( A logical link which is pointing
to the server where the folder is physically shared)
The maximum number of Dfs roots per server
is 1.
The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is
unlimited.
The maximum number of Dfs links or shared folders
in a Dfs root is 1,000
- what is RIS and what are its requirements
RIS is a remote installation service, which is used
to install operation system remotely.
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC,
or a network adapter that is supported by the RIS boot disk.
Should meet minimum operating system requirements
Software
Requirements
Below network services must be active on RIS server
or any server in the network
Domain Name System (DNS Service)
Dynamic Host Configuration Protocol (DHCP)
Active directory “Directory” service
- How many root replicas can be created in DFS
- What is the difference between Domain DFS and Standalone DFS
Refer question 17.
High Level
- Can we establish trust relationship between two forests
In Windows 2000 it is not possible. In Windows 2003
it is possible
- What is
FSMO Roles
Flexible single master operation (FSMO) roles are
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master
- Brief all
the FSMO Roles
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active
Directory, provides the flexibility of allowing changes to occur at any DC in
the enterprise, but it also introduces the possibility of conflicts that can
potentially lead to problems once the data is replicated to the rest of the
enterprise. One way Windows 2000/2003 deals with conflicting updates is by
having a conflict resolution algorithm handle discrepancies in values by
resolving to the DC to which changes were written last (that is, "the last
writer wins"), while discarding the changes in all other DCs. Although
this resolution method may be acceptable in some cases, there are times when
conflicts are just too difficult to resolve using the "last writer wins"
approach. In such cases, it is best to prevent the conflict from occurring
rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003
incorporates methods to prevent conflicting Active Directory updates from
occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows
2000/2003, the Active Directory performs updates to certain objects in a
single-master fashion.
In a single-master model, only one DC in the entire
directory is allowed to process updates. This is similar to the role given to a
primary domain controller (PDC) in earlier versions of Windows (such as
Microsoft Windows NT 4.0), in which the PDC is responsible for processing all
updates in a given domain.
In a forest, there are five FSMO roles that are
assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all
updates and modifications to the schema. Once the Schema update is complete, it
is replicated from the schema master to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls
the addition or removal of domains in the forest. This DC is the only one that
can add or remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the
SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller acting as
the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be
held by a domain controller that is not a Global Catalog server (GC). If the
Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that
it does not hold. This is because a Global Catalog server holds a partial
replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will
be logged on that DC's event log. If all the domain controllers in a domain
also host the global catalog, all the domain controllers have the current data,
and it is not important which domain controller holds the infrastructure master
role.
Relative ID (RID) Master:
The RID master is responsible for processing RID
pool requests from all domain controllers in a particular domain. When a DC
creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique
for each security principal SID created in a domain. Each DC in a domain
is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold,
that DC issues a request for additional RIDs to the domain's RID master. The
domain RID master responds to the request by retrieving RIDs from the domain's
unallocated RID pool and assigns them to the pool of the requesting DC. At any
one time, there can be only one domain controller acting as the RID master in
the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time
in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time
service that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The purpose
of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops to
ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for
the domain. The PDC emulator at the root of the forest becomes authoritative
for the enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of domains in
the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator
role holder retains the following functions:
Password changes performed by other DCs in the
domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in
a domain because of an incorrect password are forwarded to the PDC emulator
before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO)
is always done from the GPO copy found in the PDC Emulator's SYSVOL share,
unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality
that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for
Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes
unnecessary when all workstations, member servers, and domain controllers that
are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
At any one time, there can be only one domain
controller acting as the PDC emulator master in each domain in the forest.
- How to manually configure FSMO Roles to separate DC’s
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.
In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have the exact knowledge of which one of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and better prepare him or herself in case of a non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. This article will list a few of the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process.
The following table summarizes the FSMO default locations:
|
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins.
Use this table to see which tool can be used for what FSMO role:
|
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
- Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
- Right-click the Active Directory Users and Computers icon again and
press Operation Masters.
To find out who currently holds the Domain Naming Master Role:
- Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
- Right-click the Active Directory Domains and Trusts icon again and
press Operation Masters.
To find out who currently holds the Schema Master Role:
- Register the Schmmgmt.dll library by pressing Start > RUN
and typing:
- Press OK. You should receive a success confirmation.
- From the Run command open an MMC Console by typing MMC.
- On the Console menu, press Add/Remove Snap-in.
- Press Add. Select Active Directory Schema.
- Press Add and press Close. Press OK.
- Click the Active Directory Schema icon. After it loads right-click
it and press Operation Masters.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil
in the Open box, and then click OK.
- Type roles, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server <servername>, where <servername>
is the name of the server you want to use, and then press ENTER.
- At the server connections: prompt, type q, and then press
ENTER again.
- At the FSMO maintenance: prompt, type Select operation target,
and then press ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=dpetri,DC=net
select operation target:
- Type q 3 times to exit the Ntdsutil prompt.
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000 Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools). This tool is basically a one-click Ntdsutil script that performs the same operation described above.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (from here Download Free Windows 2000 Resource Kit Tools) or by obtaining the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).
- On any domain controller, click Start, click Run, type CMD in the
Open box, and then click OK.
- In the Command Prompt window, type netdom query
/domain:<domain> fsmo (where <domain> is the name
of YOUR domain).
Note: You can download THIS nice batch file that will do all this for you (1kb).
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Netdom command. Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide verity of tasks, mostly with those that are related with AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
- On any domain controller, click Start, click Run, type REPLMON in
the Open box, and then click OK.
- Right-click Monitored servers and select Add Monitored Server.
- In the Add Server to Monitor window,
select the Search the Directory for the server to add. Make sure your AD
domain name is listed in the drop-down list.
- In the site list select your site, expand
it, and click to select the server you want to query. Click Finish.
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
|
The following table summarizes the FSMO seizing restrictions:
|
|
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil
in the Open box, and then click OK.
- Type roles, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server <servername>, where <servername>
is the name of the server you want to use, and then press ENTER.
- At the server connections: prompt, type q, and then press
ENTER again.
- Type seize <role>, where <role> is the
role you want to seize. For example, to seize the RID Master role, you
would type seize rid master:
- You will receive a warning window asking if you want to perform the
seize. Click on Yes.
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE)
, data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde
r could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
- Repeat steps 6 and 7 until you've seized all the required FSMO
roles.
- After you seize or transfer the roles, type q, and then press ENTER
until you quit the Ntdsutil tool.
- What is the difference between authoritative and non-authoritative
restore
In authoritative restore, Objects that are restored
will be replicated to all domain controllers in the domain. This can be used
specifically when the entire OU is disturbed in all domain controllers or
specifically restore a single object, which is disturbed in all DC’s
In non-authoritative restore, Restored directory
information will be updated by other domain controllers based on the latest
modification time.
- what is Active Directory De-fragmentation
De-fragmentation of AD means separating used space
and empty space created by deleted objects and reduces directory size (only in
offline De-fragmentation)
- Difference between online and offline de-fragmentation
The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the database self-tunes and automatically tombstoning the records then sweeping them away when the tombstone lifetime has passed to make that space available for additional records.
Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.
So why defrag it in the first place?
One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Enter again to start the OS.
W2K will start in safe mode, with no DS running.
Use the local SAM’s administrator account and password to log on.
You’ll see a dialog box that says you’re in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe
In the command window, you’ll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)
C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Restart the computer, and boot as normal.
- What is
tombstone period
Tombstones are nothing but objects marked for
deletion. After deleting an object in AD the objects will not be deleted
permanently. It will be remain 60 days by default (which can be configurable)
it adds an entry as marked for deletion on the object and replicates to all
DC’s. After 60 days object will be deleted permanently from all Dc’s.
- what is white space and Garbage collection
refer question 7
- what are the monitoring tools used for Server and Network Heath. How to define alert mechanism
Spot Light , SNMP Need to enable .
- How to deploy the patches and what are the softwares used for this
process
Using SUS (Software update services) server we can
deploy patches to all clients in the network. We need to configure an option
called “Synchronize with Microsoft software update server” option and schedule
time to synchronize in server. We need to approve new update based on the
requirement. Then approved update will be deployed to clients
We can configure clients by changing the registry
manually or through Group policy by adding WUAU administrative template in
group policy
- What is Clustering. Briefly define & explain it
Clustering is a technology, which is used to
provide High Availability for mission critical applications. We can configure
cluster by installing MCS (Microsoft cluster service) component from Add remove
programs, which can only available in Enterprise Edition and Data center
edition.
In Windows we can configure two types of
clusters
NLB (network load balancing) cluster for
balancing load between servers. This cluster will not provide any high
availability. Usually preferable at edge servers like web or proxy.
Server Cluster: This provides High
availability by configuring active-active or active-passive cluster. In 2 node
active-passive cluster one node will be active and one node will be stand by.
When active server fails the application will FAILOVER to stand by server
automatically. When the original server backs we need to FAILBACK the
application
Quorum: A shared storage need to provide for
all servers which keeps information about clustered application and session
state and is useful in FAILOVER situation. This is very important if Quorum
disk fails entire cluster will fails
Heartbeat: Heartbeat is a private
connectivity between the servers in the cluster, which is used to identify the
status of other servers in cluster.
- How to
configure SNMP
SNMP can be configured by installing SNMP from
Monitoring and Management tools from Add and Remove programs.
For SNMP programs to communicate we need to
configure common community name for those machines where SNMP programs (eg DELL
OPEN MANAGER) running. This can be configured from services.msc--- SNMP service
-- Security
- Is it possible to rename the Domain name & how?
In Windows 2000 it is not possible. In windows 2003
it is possible. On Domain controller by going to MYCOMPUTER properties we can
change.
- What is
SOA Record
SOA is a Start Of Authority record, which is a
first record in DNS, which controls the startup behavior of DNS. We can
configure TTL, refresh, and retry intervals in this record.
- What is a Stub zone and what is the use of it.
Stub zones are a new feature of DNS in Windows
Server 2003 that can be used to streamline name resolution, especially in a
split namespace scenario. They also help reduce the amount of DNS traffic on
your network, making DNS more efficient especially over slow WAN links.
- What are the different types of partitions present in AD
Active directory is divided into three partitions
Configuration Partition—replicates entire forest
Schema Partition—replicates entire forest
Domain Partition—replicate only in domain
Application Partition (Only in Windows 2003)
- What are the (two) services required for replication
File Replication Service (FRS)
Knowledge
Consistency Checker (KCC)
- Can we use a Linux DNS Sever in 2000 Domain
We can use, But the BIND version should be 8 or
greater
- What is the difference between IIS Version 5 and IIS Version 6
Refer Question 1
- What is ASR (Automated System Recovery) and how to implement it
ASR is a two-part system; it includes ASR backup
and ASR restore. The ASR Wizard, located in Backup, does the backup portion.
The wizard backs up the system state, system services, and all the disks that
are associated with the operating system components. ASR also creates a file
that contains information about the backup, the disk configurations (including
basic and dynamic volumes), and how to perform a restore.
You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
- What are the different levels that we can apply Group Policy
We can apply group policy at SITE level---Domain
Level---OU level
- What is Domain Policy, Domain controller policy, Local policy and
Group policy
Domain Policy will apply to all computers in the
domain, because by default it will be associated with domain GPO, Where as Domain
controller policy will be applied only on domain controller. By default domain
controller security policy will be associated with domain controller GPO. Local
policy will be applied to that particular machine only and effects to that
computer only.
- What is the use of SYSVOL folder
Policies and scripts saved in SYSVOL folder will be
replicated to all domain controllers in the domain. FRS (File replication
service) is responsible for replicating all policies and scripts
- What is
folder redirection?
Folder Redirection is a User group policy. Once you
create the group policy and link it to the appropriate folder object, an
administrator can designate which folders to redirect and where To do this, the
administrator needs to navigate to the following location in the Group Policy
Object:
User Configuration\Windows Settings\Folder
Redirection
In the Properties of the folder, you can choose
Basic or Advanced folder redirection, and you can designate the server file
system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
- What different modes in windows 2003 (Mixed,
native & intrim….etc)
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this requirement is met, the administrator can raise the domain functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.
|
|
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and
that domain only. The four domain functional levels, their corresponding
features, and supported domain controllers are as follows:
Windows 2000 mixed (Default)
- Supported domain controllers: Microsoft Windows NT 4.0, Windows
2000, Windows Server 2003
- Activated features: local and global groups, global catalog support
Windows 2000 native
- Supported domain controllers: Windows 2000, Windows Server 2003
- Activated features: group nesting, universal groups, SidHistory,
converting groups between security groups and distribution groups, you can
raise domain levels by increasing the forest level settings
Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003
- Supported features: There are no domain-wide features activated at
this level. All domains in a forest are automatically raised to this level
when the forest level increases to interim. This mode is only used when
you upgrade domain controllers in Windows NT 4.0 domains to Windows Server
2003 domain controllers.
Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Supported features: domain controller rename, logon timestamp
attribute updated and replicated. User password support on the
InetOrgPerson objectClass. Constrained delegation, you can redirect the
Users and Computers containers.
After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.
The following describes the domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.
Forest Functional Level
Windows 2000 (default)
- Supported domain controllers: Windows NT 4.0, Windows 2000, Windows
Server 2003
- New features: Partial list includes universal group caching,
application partitions, install from media, quotas, rapid global catalog
demotion, Single Instance Store (SIS) for System Access Control Lists
(SACL) in the Jet Database Engine, Improved topology generation event
logging. No global catalog full sync when attributes are added to the PAS
Windows Server 2003 domain controller assumes the Intersite Topology Generator
(ISTG) role.
Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003.
See the "Upgrade from a Windows NT 4.0 Domain" section of this
article.
- Activated features: Windows 2000 features plus Efficient Group
Member Replication using Linked Value Replication, Improved Replication
Topology Generation. ISTG Aliveness no longer replicated. Attributes added
to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction,
Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier,
ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message
Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit
Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Activated features: all features in Interim Level, Defunct schema
objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes,
InetOrgPerson objectClass change, Application Groups, 15-second intrasite
replication frequency for Windows Server 2003 domain controllers upgraded
from Windows 2000
Different Active Directory features are available
at different functional levels. Raising domain and forest functional levels is
required to enable certain new features as domain controllers are upgraded from
Windows NT 4.0 and Windows 2000 to Windows Server 2003
Domain Functional Levels: Windows 2000 Mixed
mode, Windows 2000 Native mode, Windows server 2003 and Windows server 2003
interim ( Only available when upgrades directly from Windows NT 4.0 to
Windows 2003)
- Ipsec usage and difference window 2000
& 2003.
Microsoft doesn’t recommend Internet Protocol
security (IPSec) network address translation (NAT) traversal (NAT-T) for
Windows deployments that include VPN servers and that are located behind
network address translators. When a server is behind a network address
translator, and the server uses IPSec NAT-T, unintended side effects may occur
because of the way that network address translators translate network traffic
If you put a server behind a network address
translator, you may experience connection problems because clients that connect
to the server over the Internet require a public IP address. To reach servers
that are located behind network address translators from the Internet, static
mappings must be configured on the network address translator. For example, to
reach a Windows Server 2003-based computer that is behind a network address
translator from the Internet, configure the network address translator with the
following static network address translator mappings:
|
Public IP
address/UDP port 500 to the server's private IP address/UDP port 500.
|
|
|
•
|
Public IP
address/UDP port 4500 to the server's private IP address/UDP port 4500.
|
These mappings are required so that all Internet
Key Exchange (IKE) and IPSec NAT-T traffic that is sent to the public address
of the network address translator is automatically translated and forwarded to
the Windows Server 2003-based computer
- How to create application partition
windows 2003 and its usage?
An application directory partition is a directory
partition that is replicated only to specific domain controllers. A domain
controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only domain controllers
running Windows Server 2003 can host a replica of an application directory
partition.
Applications and services can use application
directory partitions to store application-specific data. Application directory
partitions can contain any type of object, except security principals. TAPI is
an example of a service that stores its application-specific data in an
application directory partition.
Application directory partitions are usually
created by the applications that will use them to store and replicate data. For
testing and troubleshooting purposes, members of the Enterprise Admins group
can manually create or manage application directory partitions using the
Ntdsutil command-line tool.
- Is it possible to do implicit transitive
forest to forest trust relation ship in windows 2003?
Implicit Transitive trust will not be possible in
windows 2003. Between forests we can create explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
- What is universal group membership cache
in windows 2003.
Information is stored locally once this option is
enabled and a user attempts to log on for the first time. The domain controller
obtains the universal group membership for that user from a global catalog.
Once the universal group membership information is obtained, it is cached on
the domain controller for that site indefinitely and is periodically refreshed.
The next time that user attempts to log on, the authenticating domain
controller running Windows Server 2003 will obtain the universal group
membership information from its local cache without the need to contact a
global catalog.
By default, the universal group membership
information contained in the cache of each domain controller will be refreshed
every 8 hours.
- GPMC
& RSOP in windows 2003?
GPMC is tool which will be used for managing group
policies and will display information like how many policies applied, on which
OU’s the policies applied, What are the settings enabled in each policy, Who
are the users effecting by these polices, who is managing these policies. GPMC
will display all the above information.
RSoP provides details about all policy settings
that are configured by an Administrator, including Administrative Templates,
Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts,
and Group Policy Software Installation.
When policies are applied on multiple levels (for
example, site, domain, domain controller, and organizational unit), the results
can conflict. RSoP can help you determine a set of applied policies and their
precedence (the order in which policies are applied).
- Assign & Publish the applications in GP & how?
Through Group policy you can Assign and Publish the
applications by creating .msi package for that application
With Assign option you can apply policy for both
user and computer. If it is applied to computer then the policy will apply to
user who logs on to that computer. If it is applied on user it will apply where
ever he logs on to the domain. It will be appear in Start menu—Programs. Once
user click the shortcut or open any document having that extension then the
application install into the local machine. If any application program files
missing it will automatically repair.
With Publish option you can apply only on users. It
will not install automatically when any application program files are corrupted
or deleted.
- DFS in
windows 2003?
Refer Question 17 on level 2
- How to use recovery console?
The Windows 2000 Recovery Console is a
command-line console that you can start from the Windows 2000 Setup
program. Using the Recovery Console, you can start and stop services, format
drives, read and write data on a local drive (including drives formatted to use
NTFS), and perform many other administrative tasks. The Recovery Console is
particularly useful if you need to repair your system by copying a file from a
floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a
service that is preventing your computer from starting properly. Because the
Recovery Console is quite powerful, it should only be used by advanced users
who have a thorough knowledge of Windows 2000. In addition, you must be an
administrator to use the Recovery Console.
There are two ways to start the Recovery Console:
If you are unable to start your computer, you can
run the Recovery Console from your Windows 2000 Setup disks or from the
Windows 2000 Professional CD (if you can start your computer from your
CD-ROM drive).
As an alternative, you can install the Recovery
Console on your computer to make it available in case you are unable to restart
Windows 2000. You can then select the Recovery Console option from the
list of available operating systems
- PPTP protocol for VPN in windows 2003?
Point-to-Point-Tunneling Protocol (PPTP) is a
networking technology that supports multiprotocol virtual private networks
(VPN), enableing remote users to access corporate networks securely across the
Microsoft Windows NT® Workstation, Windows® 95, and Windows 98 operating
systems and other point-to-point protocol (PPP)-enabled systems to dial into a
local Internet service provider to connect securely to their corporate network
through the Internet
Netdom.exe is domain management tool to rename domain controllerSID history
- What is Bridge Head Server?
- Crisis
Management?
- Mail flow in Exchange Server.
- DMZ
concept in Firewalls.
- Is NAT uses Port Number if so what is the Port number?
- Difference between Schema Master and
Global Catlog?
- Difference Between Incremental and Differential Backup? Which is
best backup Microsoft has recommended? (depends on
the volume of data)
- How DNS and DHCP are integrated?
- If RID master fails what happens?
- tool used
for FSMO?
- Difference between Assigning and Publishing through Group Policy?
Second level
- What are the services installed when RIS is installed. Read about RIS.
- How to trouble shoot if a DHCP client won’t get IP from DHCP
Server?
- What is online and offline fragmentations?
- Garbage collections and white spaces?
- Tell me one example when Infracture master
and Global catalog will be on one DC, what is the issue if both resides on
same system?
- When you require a Infrastructure Master.
- What are
Windows 2003 modes?
- What are FSMO roles and explain then?
- Stress on
PDC emulator?
- 2003
advantages?
- About migration?(W2k to W2k3 and NT to W2k3).
How to Set Up ADMT for a Windows NT 4.0-to-Windows
Server 2003 Migration:
Before you upgrade a Windows NT 4.0 domain to a
Windows Server 2003-based domain, the following domain and security
configurations are required.
Note: This article assumes that the source domain
is running Windows NT 4.0 Service Pack 4 (SP4) or later with 128-Bit
encryption, and that the target domain is a Windows Server 2003-based domain in
native mode. Also, the Windows Server 2003 must have 128-Bit encryption (which
comes as a default setting in Windows 2003).
Trusts
Configure the source domain to trust the target
domain.
Configure the target domain to trust the source
domain.
Groups
Add the Domain Admins global group from the source
domain to the Administrators local group in the target domain.
Add the Domain Admins global group from the target
domain to the Administrators local group in the source domain.
Create a new local group in the source domain
called Source Domain$$$.
Note: There must be no members in this group.
Auditing
Enable auditing for the success and failure of user
and group management on the source domain.
Enable auditing for the success and failure of
Audit account management on the target domain in the Default Domain Controllers
policy.
Registry
On the PDC in the source domain, add the
TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
Administrative Shares
Administrative shares must exist on the domain
controller in the target domain on which you run ADMT, and on any computers on
which an agent must be dispatched.
User Rights
You must log on to the computer on which you run
ADMT with an account that has the following permissions:
Domain Administrator rights in the target domain.
A member of the Administrators group in the source
domain.
Administrator rights on each computer that you
migrate.
Administrator rights on each computer on which you
translate security.
You will have the appropriate rights when you log
on to the PDC that is the FSMO role holder in the target domain with the Source
Domain\Administrator account, assuming that the Source Domain\Domain
Administrators group is a member of the Administrators group on each computer.
How to set up ADMT for a Windows 2000 to Windows
Server 2003 migration
How to Set Up ADMT for a Windows 2000 to Windows Server 2003 MigrationYou can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is running Windows 2000 or later, including:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional
Microsoft Windows Server 2003
The computer on which you install ADMTv2 must be a member of either the source or the target domain.
Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain.
Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.
Interforest Migration
ADMT requires the following permissions to run properly:
Administrator rights in the source domain.
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.
Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configurations. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares, C$ and ADMIN$.
The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.
User and Group Migration
You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.
Requirements for Optional Migration Tasks
You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.
Create a new local group in the source domain that is named %sourcedomain%$$$. There must be no members in this group.
Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' may be delegated. For more information, see Windows Server 2003 Help & Support.
You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMTv2, and must be installed by an administrator.
To install the password migration DLL:
Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.
At a command prompt, run the ADMT KEY sourcedomainpath [* | password] command to create the password export key file (.pes). In this example, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a password, and the system will not echo it as it is typed.
Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or the folder to which you downloaded ADMTv2 from the Internet.
When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
After the installation completes, you must restart the server.
If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD.
The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to Windows 2000 Active Directory service. As a system administrator, you can use this tool to diagnose any possible problems before starting migration operations to Windows 2000 Server Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.
In many cases, if there is a problem, you can use the rollback features to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: To successfully run the AD Migration Tool the source domain must be running Windows NT 4.0 Service Pack 4 or later, and the target domain will be a Windows 2000-based domain in Native mode.
Version 2.0 of ADMT is from Windows Server 2003 and has many new features:
Scripting and Command line interface
Password Migration
Sid Mapping Files for Security
Translation
Windows 2000 Attribute Exclusion
Agent Credentials
Migration Log
Skip Membership Restoration
- Question
on System State data Backup?
- Diff
types of DNS roles and Zones?
- What are
the steps you follow when you are promoting a server as ADC in windows
2003?
- What are
the two parameters you run before upgrading the server to an
ADC(/forestprep, /domainprep).
- What is
the authentication process?
- What is
the role of GC in authentication process?
- What
happens if DNS server fails. Can a user is able to login if the DNS server
fails(if you have only one DNS Server).
- How do
you promote a server to a domain controller(in windows 2003) over a slow
wan links.
- Take the
backup of systemstate from the DC and restore it in the server where you
are promoting using “dcpromo /adv” and select restore from backup.
This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal in the GPO itself and the settings inside it (these settings and configurations will be discussed in different articles).
Group Policy is a one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:
- Configure
user's desktops
- Configure
local security on computers
- Install
applications
- Run
start-up/shut-down or logon/logoff scripts
- Configure
Internet Explorer settings
- Redirect
special folders
Here are some basic terms you need to be familiar with before drilling down into Group Policy:
Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add "Group Policy Object Editor" snap-in to MMC. Local Policies also exist in the Active Directory environment, but have many fewer configuration options that the full-fledged Group Policy in AD.
GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO – Group Policy Object - at the site level, domain level or OU level.
GPC – Group Policy Container - The GPC is the store of the GPOs; The GPC is where the GPO stores all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or a Site. The GPOs are replicated among the Domain Controllers of the Domain through replication of the Active Directory.
GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.
Netlogon share - A share located only on Domain Controllers and contains GPOs, scripts and .POL files for policy of Windows NT/98. The Netlogon share replicates among all DCs in the Domain, and is accessible for read only for the Everyone group, and Full Control for the Domain Admins group. The Netlogon's real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.
GPO
behavior
Group
Policy is processed in the following order:Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is being overridden by Domain policy, and Domain policy is being overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger the previous one.
The rule is simple, as more you get closer to the object that is being configured, the GPO is stronger.
What does it mean "stronger"? If you configure a GPO and linke it to "Organization" OU, and in it you configure Printer installation – allowed and then at the "
The example above is true when you have different GPOs that have similar configuration, configured with opposite settings. When you apply couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.
Group
Policy sections
Each GPO
is built from 2 sections:- Computer
configuration contains the settings that configure the computer
prior to the user logon combo-box.
- User
configuration contains the settings that configure the user
after the logon. You cannot choose to apply the setting on a single user,
all users, including administrator, are affected by the settings.
- Software settings and Windows settings both of computer and user are settings that configure local DLL
files on the machine.
- Administrative templates are settings
that configure the local registry of the machine. You can add more options
to administrative templates by right clicking it and choose .ADM files.
Many programs that are installed on the computer add their .ADM files to %systemroot%\inf
folder so you can add them to the Administrative Templates.
Tools
used to configure GPO
You can
configure GPOs with these set of tools from Microsoft (other 3rd-party tools
exist but we will discuss these in a different article):- Group
Policy Object Editor snap-in in MMC - or - use gpedit.msc from the
Run command.
- Active
Directory Users and Computers snap in - or dsa.msc – to invoke the
Group Policy tab on every OU or on the Domain.
- Active
Directory Sites and Services - or dssite.msc – to invoke the Group
Policy tab on a site.
- Group
Policy Management Console - or gpmc.msc - this utility is NOT
included in Windows 2003 server and needs to be separately installed. You
can download it from HERE
GPMC
utility - Creating a GPO
When you
create a GPO it is stored in the GPO container. After creation you should link
the GPO to an OU that you choose.
Linking a
GPO
To link a
GPO simply right click an OU and choose Link an existing GPO or you can
create and link a GPO in the same time. You can also drag and drop a GPO from
the Group Policy Objects folder to the appropriate Site, Domain or OU.When you right-click a link you can:
Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.
Enabling/disabling
computer or user settings
GPO has
computer and user settings but if you create a GPO that contains only computer
settings, you might want to disable the user settings in that GPO, this will
reduce the amount of settings replicated and can also be used for testing.To disable one of the configurations simply choose the GPO link and go to Details tab:
How do I
know what are the settings in a GPO?
Prior to
the use of GPMC, an administrator who wanted to find out which one of the
hundreds of settings of a GPO were actually configured - had to open each GPO
and manually comb through each and every node of the GPO sections. Now, with
GPMC, you can simply see what the configurations of any GPO are if you point on
that GPO and go to the Settings tab. There you can use the drop-down menus to
see computer or user settings.
Block/Enforce
inheritance
You can
block policy inheritance to an OU if you don’t want the settings from upper
GPOs to configure your OU.To block GPO inheritance, simply right click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three different GPOs are inherited to it.
In this example you can see that choosing "Block inheritance" will reject all upper GPOs.
Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.
Link
order
When
linking more than one GPO to an OU, there could be a problem when two or more
GPOs have the same settings but with opposite configuration, like, GPO1 have
Allow printer installation among other settings but GPO2 is configured to
prevent printer installation among other settings. Because the two GPOs are at
the same level, there is a link order which can be changed.The GPO with the lowest link order is processed last, and therefore has the highest precedence.
Security
Filtering
Filtering
let you choose the user, group or computer that the GPO will apply onto. If you
configured "Computers" OU with a GPO but you only want to configure
Win XP stations with that GPO and exclude Win 2000 stations, you can easily
create a group of Win XP computers and apply the GPO only to that group.This option save you from creating complicated OU tree with each type of computer in it.
A user or a group that you configure in the filtering field have by default the "Read" and "Apply" permission. By default when you create a GPO link, you can see that "Authenticated users" are listed.
In the above example, Office 2K3 will be installed on all computers that are part of the two listed groups.
If we still were using Authenticated users, the installation of the Office suite could have followed the user to any computer that he logs onto, like servers or other machines. Using filtering narrows the installation options.
If you want to configure these permissions with higher resolution, you can go to Delegation tab and see the permissions. Going to the Advanced Tab will let you configure the ACL permission with the highest resolution.
How the
GPO is updated on the computers
GPO
inherited from AD is refreshed on the computers by several ways:- Logon to
computer (If the settings are of "user settings" in GPO)
- Restart of the
computer (If the settings are of "computer settings" in GPO)
- Every 60 to 90
minutes, the computers query their DC for updates.
- Manually by
using gpupdate command. You can add the /force switch to force all
settings and not only the delta.
for computer settings.
for user settings.
In both commands you can use the /enforce that is similar to the /force in gpupdate.
If any configuration change requires a logoff or a restart message will appear:
You can force logoff or reboot using gpupdate switches.
How to
check that the GPO was deployed
To be sure
that GPO was deployed correctly, you can use several ways. The term for the
results is called RSoP – Resultant Sets of Policies.- Use gpresult
command in the command prompt.
You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.
- Resultant Set
of Policy snap-in in MMC.
Logging mode which tells you what are the real settings that were deployed on the machine
Planning mode which tells you what will be the results if you choose some options.
This option is not so compatible because you need to browse in the RSoP data to find the settings.
This is the most comfortable option that let you check the RSoP data on every computer or user from a central location. This option also displays the summary of the RSoP and Detailed RSoP data in HTML format.
In the example above example you can see the summary of applied or non applied GPOs both of computer and user settings.
1. When
looking at the Settings tab we can see what settings did applied on the
computer and see which is the "Winning GPO" that actually configured
the computer with the particular setting.
Booting process in Windows 2000 server.
Booting process in Windows 2000 server.
2. What are the difference between 2000 and 2003 server?
3. Which role will takes care the login process?
4. If you got Blue screen error what you will do. This server having similar
problem frequently.
5. What are the dumps available in windows server OS – 3
6. Explain least security settings with one scenario.
7. What is the OU delegation?
- Difference between Global and universal
group.
Domain local groups assign access permissions
to global domain groups for local domain resources. Global groups provide
access to resources in other trusted domains. Universal groups grant access to
resources in all trusted domains.
9. What is the authentication process/protocol of Windows 2003 and its
version?
Kerberos ver.5
10. Difference between NTFS and FAT.
11. What is LDAP and its port number.
12. What are the default folders will be created along with AD creation and
participating with replication.
13. What is SYSVOL and what it contains?
14. Where you will place the logon scripts.
15. How to transfer the roles with GUI interface.
16. Which one is the most important in FSMO roles?
17. What is Forest , Domain, Child domain,
OU?
18. Group levels and its property.
19. How deep you can nest your OUS – 12
20. What is global catalog (Port number)
21. What are the objects in AD?
22. What is directory partition?
Configuration
Schema
Domain
Application
23. What is the name of the AD database and its location?
24. How to enable schema management console. What is the tool to modify
schema attributes?
25. What are the replication partitions in the active directory?
Configuration
Schema
Domain
Application
26. What is Ntdsutil and its function, Seizing, transferring roles.
27. What is authoritative and non-authoritative restore and procedures?
28. How do a client will locate DNS server and get resolved for its login.
29. Which file helps client to login in DNS.
30. Different records in DNS.
31. What is AD integrated DNS. Will it participate in AD replication?
32. DNS server roles.
33. What is zone in DNS?
34. What is root zone?
35. What is conditional forwarding and how to configure it.
36. What is zone transfer and conditions?
37. What is forwarders role.
38. What is root hint in DNS?
39. How do we know DNS configured correctly.
40. What is NSLOOKUP does.
41. What is the protocol that client uses to broadcast its request for DHCP.
42. What is scopes and available scopes in windows 2003 DHCP.
43. What is class in DHCP
44. Default IP address if DHCP is absent.
45. How to backup / restore DHCP database.
46. What is DHCP relay agent how to configure it?
47. Necessity of authorizing DHCP server.
48. What is leasing period and its default value?
49. What is IP exclusion and reservation?
50. What are the uses of IPCONFIG command in DHCP, DNS?
51. Can be hosted global catalog with Infrastructure master.
52. What is WINS?
53. What is NetBIOS?
54. What is group policy and why we need group policy.
55. What is the effective hierarchy of GP?
56. Scope of GP.
57. Commands used in GP
58. What are .adm files?
59. Will you be able to customize group policy refreshing intervals? If yes
how.
60. Will you be able to keep different password policies for a single domain?
61. How you will configure logon scripts.
62. Explain Folder redirection using GP.
63. What is delegation of GP and how to do that?
64. How to audit GP using RSOP.
65. Why do we use logging and planning of RSOP.
66. Scope of RSOP.
67. Where the default policies will be stored.
68. Procedure to rename administrator and guest accounts.
69. Software restriction policies.
70. How to setup SUS client setting in GP.
71. Differentiate policy over write and Block policy inheritance.
72. What are Site and Its boundary?
73. Why do we need sites for an organization??
74. Define Site, Site link, Connection Object
75. What is Global Catalog Server n what it does?
76. What’s a Bridgehead Server and What it does?
77. What’s Bridge link?
78. How do a client point (locate) their nearest Server / particular server?
79. How do you change your replication timings?
80. How do you force replication using command prompt with in domain and
cross domain?
81. Which service take care about bridge head server auto designation, incase
if you don’t set bridgehead for your infrastructure?
82. Which component takes care about the replication?? (KCC)
83. Does normally one KCC talk to each other?
84. Why do we use subnets and attach it to the server??
85. What is a subnet & Supernet?
86. How does a Windows NT server environment talk to Windows Server 2003
Server Environment?
87. How many types of replication you have??
88. List advantages of SMTP replication?
89. Why do you use replmon.exe utility?
90. What is one-way trust?? 2way trust??
91. Where do you find non replicated items in AD?
92. What is “sysprep.exe” tool??
93. What helps to enable access in cross forest?
94. Click this link for RIS full material & FA.
95. What is DFS and DFSR technology?
96. How many sites you can create in IIS on XP platform?
97. What is a virtual site?
98. What are the decencies of IIS?
99. Ports of HTTP,NNTP,SMTP & POP3
100.
What are the different tech we can
create multiple sites in one server and how?
101.
What is an application pool and how
it is used?
102.
Can u customize the error messages?
103.
Prerequisites of IIS?
104.
What are the different functional
modes of IIS?
105.
Why do we use IPSEC.EDIT
106.
What is SSL? MS-DES?
107.
What are the diff authentication
methods that windows use and its version
108.
Explain about VSS.
109.
Explain RAID 0, 1 & 5.
110.
What are the backup methods available
in Windows NT backup & about achieve bit setting.
111.
Explain VPN protocols.
112.
What is the specialty of Backup
Administrator Group?
113.
List different types of backups?
114.
List System
State
BY PRASAD PVVSV
115.
Explain hidden shares
116.
How do the permissions work in Windows
2000? What permissions does folder inherit from the parent?
117.
Why can’t I encrypt a compressed file on
Windows 2000?
118.
If I rename an account, what must I do to
make sure the renamed account has the same permissions as the original one?
119.
What’s the most powerful group on a
Windows system?
120.
What are the accessibility features in
Windows 2000?
121.
Why can’t I get to the Fax Service
Management console?
122.
What do I need to ensure before deploying
an application via a Group Policy?
123.
How do you configure mandatory profiles?
124.
I can’t get multiple displays to work in
Windows 2000.
- What’s a maximum number of
processors Win2k supports? 2
126.
I had some NTFS volumes under my Windows
NT installation. What happened to NTFS after Win 2k installation?
127.
How do you convert a drive from FAT/FAT32
to NTFS from the command line?
128.
Explain APIPA.
129.
How does Internet Connection Sharing work
on Windows 2000?
130.
Is a
DC database the same thing as a AD database. Or are they 2 seperate databases
on the same machine?
131.
How
do you restart a MTA when it has stopped, and what do you look for and where
when it has stopped.
132.
SID stands for? Significance of SID?
133.
Types of protocols (like HTTP, FTP, ICMP, TCP, IP, IPX, SPX, ) and on which
layer do they work?
134.
What does PING stand for? What are the error messages in PING
command? What does TTL stand for? On which layer does PING work? Which is the
protocol that PING uses?
135.
What is the format of TELNET? On which layer does it work?
136.
What is kerberos5.0?
137.
What is DMZ?
138.
What is SCHEMA in active directory database?
FOR
EXCHANGE
Exchange 5.5
1. Name at least 5
services on an Exchange 5.5 server.
2. What is the latest Service Pack for Exchange 5.5 server?
3. What files are usually located in the MDBDATA directory on an Exchange 5.5 server
4. What is the difference between Priv.edb and Pub.edb?
5. Where is the directory information stored in Exchange 2000?
6. How many times do you need to run forest prep in a single Active Directory forest that contains 4 domains?
7. What is the Active Directory Connector (ADC)?
8. What is the Recipient Update Service (RUS)?
9. What are the features of Exchange 2000 and Exchange 5.5?
10. What are the differences between exchange 5.5 and Exchange 2k.?
11. What do you understand by an Exchange Server?
12. Describe Mail Flow in an exchange Server.
13. Describe Exchange Structure.
14. What are the core services? Explain the order of starting the services.
15. Explain the hierarchy of exchange Admin program
16. What are the two versions of exchange 5.5 and compare them.
17. What is the component of exchange called where mails and public data is stored
18. What is latest SP for Exchange 5.5?
19. What is information store and directory database files and locations
20. What is custom recipient mailbox
21. What is the size of transaction log file
22. Difference between Sequential and circular logging. Where do you enable it?
23. Which service is responsible for server-to-server communication?
24. What is MTA used for?
25. What is GAL
26. What are different ways of connecting sites? Highlight differences between X.400 and Site Connector.
27. What are different mails clients supported by Exchange 5.5?
28. What is IMC used for?
29. What is X.400 and X.500 standards
30. What is IPM message format
Exchange 2000
1) What are the core services for Exchange 200
2) Explain the hierarchy of exchange management console program
3) Different versions of Exchange 2000
4) Latest SP for exchange 2000
4) How many storage groups and stores are supported in exchange 2000
5) What is RUS? Which service is responsible for the RUS?
6) What is recipient polices, email policy and Mailbox manager policy
7) what are DN, RDN UPN and SMTP naming formats?
8) What is System policy?
9) What are the different ways to apply mailbox restriction on certain mailboxes?
10) What is mapi and non-mapi tree?
11) What is edb.chk file used for?
12) What is eseutil /d, eseutil /p eseutil /g used for?
13) What is restore.env file?
14) What is dsacess and boostrap?
15) What is mailbox enabled and mail enabled user
2. What is the latest Service Pack for Exchange 5.5 server?
3. What files are usually located in the MDBDATA directory on an Exchange 5.5 server
4. What is the difference between Priv.edb and Pub.edb?
5. Where is the directory information stored in Exchange 2000?
6. How many times do you need to run forest prep in a single Active Directory forest that contains 4 domains?
7. What is the Active Directory Connector (ADC)?
8. What is the Recipient Update Service (RUS)?
9. What are the features of Exchange 2000 and Exchange 5.5?
10. What are the differences between exchange 5.5 and Exchange 2k.?
11. What do you understand by an Exchange Server?
12. Describe Mail Flow in an exchange Server.
13. Describe Exchange Structure.
14. What are the core services? Explain the order of starting the services.
15. Explain the hierarchy of exchange Admin program
16. What are the two versions of exchange 5.5 and compare them.
17. What is the component of exchange called where mails and public data is stored
18. What is latest SP for Exchange 5.5?
19. What is information store and directory database files and locations
20. What is custom recipient mailbox
21. What is the size of transaction log file
22. Difference between Sequential and circular logging. Where do you enable it?
23. Which service is responsible for server-to-server communication?
24. What is MTA used for?
25. What is GAL
26. What are different ways of connecting sites? Highlight differences between X.400 and Site Connector.
27. What are different mails clients supported by Exchange 5.5?
28. What is IMC used for?
29. What is X.400 and X.500 standards
30. What is IPM message format
Exchange 2000
1) What are the core services for Exchange 200
2) Explain the hierarchy of exchange management console program
3) Different versions of Exchange 2000
4) Latest SP for exchange 2000
4) How many storage groups and stores are supported in exchange 2000
5) What is RUS? Which service is responsible for the RUS?
6) What is recipient polices, email policy and Mailbox manager policy
7) what are DN, RDN UPN and SMTP naming formats?
8) What is System policy?
9) What are the different ways to apply mailbox restriction on certain mailboxes?
10) What is mapi and non-mapi tree?
11) What is edb.chk file used for?
12) What is eseutil /d, eseutil /p eseutil /g used for?
13) What is restore.env file?
14) What is dsacess and boostrap?
15) What is mailbox enabled and mail enabled user
What Is Active Directory?
Active Directory is the directory service in
windows 2000 and 2003, consists of two parts—a centralized hierarchical database
and Service.
The
database contains all information about all objects and other resources on a
network.
And a service manages the database and enables
users of computers on the network to access the database.
The Active
Directory data store contains information about various types of network
objects, including printers, shared folders, user accounts, groups, and
computers.
The computers
that have a copy of the Active Directory data store, and that run Active
Directory are called domain
controllers.
A domain is a logical
grouping of networked computers in which one or more of the computers has
shared resources, such as a shared folder or printer, and in which all of the
computers share a common Active Directory data store.
The
three primary purposes of Active Directory are:
- To provide user
logon and authentication services
- To enable or
organize and manage user accounts, groups, and network resources
- To enable
authorized users to easily locate network resources, regardless of where
they are located on the network.
Features of Active Directory:
·
It provides fully integrated
security.
- It provides ease
of administration by using group policies.
- It makes
resources easier to locate.
- It is scalable
to any size network.
- It is flexible
and extensible.
ACTIVE DIRECTORY-2003
Easier Deployment and ManagementDomain Rename--- supports changing Domain Name System and/or NetBios name
ADMT Active directory migration tool version 2.0 migrates password from NT4 to 2000 to 20003
Schema Redefine--- Allows deactivation of attributes and class definitions in the Active directory schema
AD/AM--- Active directory in application mode is a new capability of AD that addresses certain deployment scenarios related to directory enabled applications
Group Policy Improvements----introduced GPMC tool to manage group policy
UI—Enhanced User Interface
Grater Security
Cross-forest Authentication
Cross-forest Authorization
Cross-certification Enhancements
IAS and Cross-forest authentication
Credential Manager
Software Restriction Policies
Improved Performance and Dependability
Easier logon for remote offices
Group Membership replication enhancements
Application Directory Partitions
Install Replica from media
Enhanced replication capabilities
Another significant change, particularly for larger environments, is a replication enhancement called linked-value replication for objects such as Active Directory group objects. In Windows 2000, a group's membership list was replicated as one single block of information. This led to a number of potential problems, such as the following:
Inconsistent replication. Consider this:
you have a group called DOMAIN\Finance. From Domain Controller A, you add the
jsmith user to the Finance group. What happens if, at precisely the same
nanosecond, your junior admin removed the bthomas user from the Finance group
while connected to Domain Controller B? Without linked-value replication, this
would create a replication conflict, which would either lead to jsmith being
added to the group and bthomas not being removed, or vice versa.
Replication delays. In Windows 2000,
Microsoft published a size limitation where you could not place more than 5,000
members in a single group object; more than this created significant
replication delays since the membership list was replicated as a single block.
Built-in command-line tools those were not available in Windows 2000.
·
dsadd -- allows you to create objects from the command
line
·
dsmove -- moves an object from one OU or container to
another within the same domain
·
dsrm -- will delete an object from Active Directory
·
dsquery -- will return an object or list of objects that
matches criteria that you specify
·
dsget -- will return one or more attributes of a particular
Active Directory object
Volume shadow copy service
NTFS journaling file system
EFS
Improved CHDSK Performance
Enhanced DFS and FRS
Shadow copy of shared folders
Enhanced folder redirection
Remote document sharing (WEBDAV)
DNS:
Possible to configure stub zones in windows 2003 DNS
Windows 2003 gives an option to replicate DNS data b/w all DNS servers in forest or All DNS servers in the domain.
Others:
Application Server mode is introduced in windows 2003
Volume shadow copy services is introduced
Active Directory can be backed up easily with System state data
Difference between FAT,NTFS &
NTFSVersion5
NTFS Version 5 features
Encryption is possible
We can enable Disk Quotas
File compression is possible
Sparse files
Indexing Service
NTFS change journal
In FAT file system we can apply only share level
security. File level protection is not possible. In NTFS we can apply both
share level as well as file level security
NTFS supports large partition sizes than FAT file
systems
NTFS supports long file names than FAT file
systems
IIS
Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant
process architecture isolates Web sites and applications into self-contained
units called application poolsHealth Monitoring---- IIS 6.0 periodically checks the status of an application pool with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time
Automatic Process Recycling--- IIS 6.0
automatically stops and restarts faulty Web sites and applications based on a
flexible set of criteria, including CPU utilization and memory consumption,
while queuing requests
Rapid-fail Protection---- If an application fails too often within a
short amount of time, IIS 6.0 will automatically disable it and return a
"503 Service Unavailable" error message to any new or queued requests
to the application
Edit-While-Running
- Difference
between NT & 2000
NT SAM database is a flat database. Where as in
windows 2000 active directory database is a hierarchical database.
In windows NT only PDC is having writable copy of
SAM database but the BDC is only read only database. In case of Windows 2000
both DC and ADC is having write copy of the database
Windows NT will not support FAT32 file system.
Windows 2000 supports FAT32
Default authentication protocol in NT is NTLM (NT
LAN manager). In windows 2000 default authentication protocol is Kerberos
V5.
Windows 2000 depends and Integrated with DNS. NT
user Netbios names
- Difference
between PDC & BDC
PDC contains a write copy of SAM database where as
BDC contains read only copy of SAM database. It is not possible to reset a
password or create objects with out PDC in Windows NT.
- Difference
between DC & ADC
There is no difference between in DC and ADC both
contains write copy of AD. Both can also handles FSMO roles (If transfers from
DC to ADC). It is just for identification. Functionality wise there is no
difference.
- What is
DNS & WINS
DNS is a Domain Naming System, which resolves Host
names to IP addresses. It uses fully qualified domain names. DNS is a Internet
standard used to resolve host names
WINS is a Windows Internet Name Service, which
resolves Netbios names to IP Address. This is proprietary for Windows
- Types of
DNS Servers
Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching only DNS
- If DHCP is not available what happens to the client
Client will not get IP and it cannot be
participated in network . If client already got the IP and having lease
duration it use the IP till the lease duration expires.
- what are the different types of trust relationships
Implicit Trusts
Explicit Trusts—NT to Win2k or Forest to Forest
- what is the process of DHCP for getting the IP address to the
client
There is a four way negotiation process b/w client
and server
DHCP Discover (Initiated by client)
DHCP Offer (Initiated by server)
DHCP Select (Initiated by client)
DHCP Acknowledgement (Initiated by Server)
DHCP Negative Acknowledgement (Initiated by server
if any issues after DHCP offer)
- What are the port numbers for FTP, Telnet, HTTP, DNS
FTP-21,
Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389
- what are the different types of profiles in 2000
Local Profiles
Roaming profiles
Mandatory Profiles
- what is the database files used for Active Directory
The key AD database files—edb.log, ntds.dit,
res1.log, res2.log, and edb.chk—all of which reside in \%systemroot%\ntds on a
domain controller (DC) by default. During AD installation, Dcpromo lets you
specify alternative locations for these log files and database files
NTDS.DIT
- What is the location of AD Database
%System root%/NTDS/NTDS>DIT
- What is the authentication protocol used in NT
NTLM (NT LAN Manager)
- What is
subnetting and supernetting
Subnetting is the process of borrowing bits from
the host portion of an address to provide bits for identifying additional
sub-networks
Supernetting merges several smaller blocks of IP
addresses (networks) that are continuous into one larger block of addresses.
Borrowing network bits to combine several smaller networks into one larger
network does supernetting
- what is the use of terminal services
Terminal services can be used as Remote
Administration mode to administer remotely as well as Application Server Mode
to run the application in one server and users can login to that server to user
that application.
- what is the protocol used for terminal services
RDP
- what is the port number for RDP
3389
Medium Level - what is the difference between Authorized DHCP and Non Authorized
DHCP
To avoid problems in the network causing by
mis-configured DHCP servers, server in windows 2000 must be validate by AD
before starting service to clients. If an authorized DHCP finds any DHCP server
in the network it stop serving the clients
- Difference between inter-site and intra-site replication. Protocols using for replication.
Intra-site replication can be done between the
domain controllers in the same site. Inter-site replication can be done between
two different sites over WAN links
BHS (Bridge Head Servers) is responsible for
initiating replication between the sites. Inter-site replication can be done
B/w BHS in one site and BHS in another site.
We can use RPC over IP or SMTP as a replication
protocols where as Domain partition is not possible to replicate using
SMTP
- How to
monitor replication
We can user Replmon tool from support tools
- Brief
explanation of RAID Levels
Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft
Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me),
Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows
XP. A disk initialized for basic storage is called a basic disk. A basic disk
contains basic volumes, such as primary partitions, extended partitions, and
logical drives. Additionally, basic volumes include multidisk volumes that are
created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets,
mirror sets, and stripe sets with parity. Windows XP does not support these
multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe
sets with parity must be backed up and deleted or converted to dynamic disks
before you install Windows XP Professional.
Dynamic Disk Storage
Dynamic storage is supported in Windows XP Professional, Windows 2000 and
Windows Server 2003. A disk initialized for dynamic storage is called a dynamic
disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned
volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic
storage, you can perform disk and volume management without the need to restart
Windows. Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers.
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard,
Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes.
A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic
disk to a dynamic disk. To do this, follow these steps: - Log on as Administrator or as a member of the Administrators group.
- Click Start, and then click Control Panel.
- Click Performance and Maintenance, click Administrative Tools, and
then double-click Computer Management. You can also right-click My
Computer and choose Manage if you have My Computer displayed on your desktop.
- In the left pane, click Disk Management.
- In the lower-right pane, right-click the basic disk that you want
to convert, and then click Convert to Dynamic Disk. You must right-click
the gray area that contains the disk title on the left side of the Details
pane.
- Select the check box that is next to the
disk that you want to convert (if it is not already selected), and then
click OK.
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more
disks. It can be formatted with a file system and assigned a drive letter.
Volumes on dynamic disks can have any of the following layouts: simple,
spanned, mirrored, striped, or RAID-5. A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.
RAID 0 – Striping
RAID 1- Mirroring (minimum 2 HDD required)
RAID 5 – Striping With Parity (Minimum 3 HDD
required)
RAID levels 1 and 5 only gives redundancy
- What are the different backup strategies are available
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
- What is a
global catalog
Global catalog is a role, which maintains Indexes
about objects. It contains full information of the objects in its own domain
and partial information of the objects in other domains. Universal Group
membership information will be stored in global catalog servers and replicate
to all GC’s in the forest.
- What is Active Directory and what is the use of it
Active directory is a directory service, which
maintains the relation ship between resources and enabling them to work
together. Because of AD hierarchal structure windows 2000 is more scalable,
reliable. Active directory is derived from X.500 standards where information is
stored is hierarchal tree like structure. Active directory depends on two
Internet standards one is DNS and other is LDAP. Information in Active
directory can be queried by using LDAP protocol
- what is the physical and logical structure of AD
Active directory physical structure is a hierarchal
structure which fallows Forests—Trees—Domains—Child Domains—Grand
Child—etc
Active directory is logically divided into 3
partitions
1.Configuration partition 2. Schema Partition 3.
Domain partition 4. Application Partition (only in windows 2003 not available
in windows 2000)
Out of these Configuration, Schema partitions can
be replicated between the domain controllers in the in the entire forest. Where
as Domain partition can be replicated between the domain controllers in the
same domain
- What is the process of user authentication (Kerberos V5) in windows
2000
After giving logon credentials an encryption key
will be generated which is used to encrypt the time stamp of the client
machine. User name and encrypted timestamp information will be provided to
domain controller for authentication. Then Domain controller based on the
password information stored in AD for that user it decrypts the encrypted time
stamp information. If produces time stamp matches to its time stamp. It will
provide logon session key and Ticket granting ticket to client in an encryption
format. Again client decrypts and if produced time stamp information is
matching then it will use logon session key to logon to the domain. Ticket
granting ticket will be used to generate service granting ticket when accessing
network resources
- what are the port numbers for Kerberos, LDAP and Global catalog
Kerberos – 88, LDAP – 389, Global Catalog – 3268
- what is the use of LDAP (X.500 standard?)
LDAP is a directory access protocol, which is used
to exchange directory information from server to clients or from server to
servers
- what are the problems that are generally come across DHCP
Scope is full with IP addresses no IP’s available
for new machines
If scope options are not configured properly eg
default gateway
Incorrect creation of scopes etc
- what is the role responsible for time synchronization
PDC Emulator is responsible for time
synchronization. Time synchronization is important because Kerberos
authentication depends on time stamp information
- what is TTL & how to set TTL time in DNS
TTL is Time to Live setting used for the amount of
time that the record should remain in cache when name resolution happened.
We can set TTL in SOA (start of authority record)
of DNS
- How to take DNS and WINS,DHCP backup
%System root%/system32/dns
%System root%/system32/WINS
%System root%/system32/DHCP
- What is
recovery console
Recovery console is a utility used to recover the
system when it is not booting properly or not at all booting. We can perform
fallowing operations from recovery console
We can copy, rename, or replace operating system
files and folders
Enable or disable service or device startup the
next time that start computer
Repair the file system boot sector or the Master
Boot Record
Create and format partitions on drives
- what is DFS
& its usage
DFS is a distributed file system used to provide
common environment for users to access files and folders even when they are
shared in different servers physically.
There are two types of DFS domain DFS and Stand
alone DFS. We cannot provide redundancy for stand alone DFS in case of failure.
Domain DFS is used in a domain environment which can be accessed by /domain
name/root1 (root 1 is DFS root name). Stand alone DFS can be used in workgroup
environment which can be accessed through /server name/root1 (root 1 is DFS
root name). Both the cases we need to create DFS root ( Which appears like a
shared folder for end users) and DFS links ( A logical link which is pointing
to the server where the folder is physically shared)
The maximum number of Dfs roots per server
is 1.
The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is
unlimited.
The maximum number of Dfs links or shared folders
in a Dfs root is 1,000
- what is RIS and what are its requirements
RIS is a remote installation service, which is used
to install operation system remotely.
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC,
or a network adapter that is supported by the RIS boot disk.
Should meet minimum operating system requirements
Software
Requirements
Below network services must be active on RIS server
or any server in the network
Domain Name System (DNS Service)
Dynamic Host Configuration Protocol (DHCP)
Active directory “Directory” service
- How many root replicas can be created in DFS
- What is the difference between Domain DFS and Standalone DFS
Refer question 17.
High Level
- Can we establish trust relationship between two forests
In Windows 2000 it is not possible. In Windows 2003
it is possible
- What is
FSMO Roles
Flexible single master operation (FSMO) roles are
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master
- Brief all
the FSMO Roles
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active
Directory, provides the flexibility of allowing changes to occur at any DC in
the enterprise, but it also introduces the possibility of conflicts that can
potentially lead to problems once the data is replicated to the rest of the
enterprise. One way Windows 2000/2003 deals with conflicting updates is by
having a conflict resolution algorithm handle discrepancies in values by
resolving to the DC to which changes were written last (that is, "the last
writer wins"), while discarding the changes in all other DCs. Although
this resolution method may be acceptable in some cases, there are times when
conflicts are just too difficult to resolve using the "last writer wins"
approach. In such cases, it is best to prevent the conflict from occurring
rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003
incorporates methods to prevent conflicting Active Directory updates from
occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows
2000/2003, the Active Directory performs updates to certain objects in a
single-master fashion.
In a single-master model, only one DC in the entire
directory is allowed to process updates. This is similar to the role given to a
primary domain controller (PDC) in earlier versions of Windows (such as
Microsoft Windows NT 4.0), in which the PDC is responsible for processing all
updates in a given domain.
In a forest, there are five FSMO roles that are
assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all
updates and modifications to the schema. Once the Schema update is complete, it
is replicated from the schema master to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls
the addition or removal of domains in the forest. This DC is the only one that
can add or remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the
SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller acting as
the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be
held by a domain controller that is not a Global Catalog server (GC). If the
Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that
it does not hold. This is because a Global Catalog server holds a partial
replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will
be logged on that DC's event log. If all the domain controllers in a domain
also host the global catalog, all the domain controllers have the current data,
and it is not important which domain controller holds the infrastructure master
role.
Relative ID (RID) Master:
The RID master is responsible for processing RID
pool requests from all domain controllers in a particular domain. When a DC
creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique
for each security principal SID created in a domain. Each DC in a domain
is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold,
that DC issues a request for additional RIDs to the domain's RID master. The
domain RID master responds to the request by retrieving RIDs from the domain's
unallocated RID pool and assigns them to the pool of the requesting DC. At any
one time, there can be only one domain controller acting as the RID master in
the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time
in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time
service that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The purpose
of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops to
ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for
the domain. The PDC emulator at the root of the forest becomes authoritative
for the enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of domains in
the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator
role holder retains the following functions:
Password changes performed by other DCs in the
domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in
a domain because of an incorrect password are forwarded to the PDC emulator
before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO)
is always done from the GPO copy found in the PDC Emulator's SYSVOL share,
unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality
that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for
Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes
unnecessary when all workstations, member servers, and domain controllers that
are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
At any one time, there can be only one domain
controller acting as the PDC emulator master in each domain in the forest.
- How to manually configure FSMO Roles to separate DC’s
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.
In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have the exact knowledge of which one of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and better prepare him or herself in case of a non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. This article will list a few of the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process.
The following table summarizes the FSMO default locations:
|
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins.
Use this table to see which tool can be used for what FSMO role:
|
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
- Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
- Right-click the Active Directory Users and Computers icon again and
press Operation Masters.
To find out who currently holds the Domain Naming Master Role:
- Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
- Right-click the Active Directory Domains and Trusts icon again and
press Operation Masters.
To find out who currently holds the Schema Master Role:
- Register the Schmmgmt.dll library by pressing Start > RUN
and typing:
- Press OK. You should receive a success confirmation.
- From the Run command open an MMC Console by typing MMC.
- On the Console menu, press Add/Remove Snap-in.
- Press Add. Select Active Directory Schema.
- Press Add and press Close. Press OK.
- Click the Active Directory Schema icon. After it loads right-click
it and press Operation Masters.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil
in the Open box, and then click OK.
- Type roles, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server <servername>, where <servername>
is the name of the server you want to use, and then press ENTER.
- At the server connections: prompt, type q, and then press
ENTER again.
- At the FSMO maintenance: prompt, type Select operation target,
and then press ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=dpetri,DC=net
select operation target:
- Type q 3 times to exit the Ntdsutil prompt.
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000 Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools). This tool is basically a one-click Ntdsutil script that performs the same operation described above.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (from here Download Free Windows 2000 Resource Kit Tools) or by obtaining the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).
- On any domain controller, click Start, click Run, type CMD in the
Open box, and then click OK.
- In the Command Prompt window, type netdom query
/domain:<domain> fsmo (where <domain> is the name
of YOUR domain).
Note: You can download THIS nice batch file that will do all this for you (1kb).
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Netdom command. Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide verity of tasks, mostly with those that are related with AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
- On any domain controller, click Start, click Run, type REPLMON in
the Open box, and then click OK.
- Right-click Monitored servers and select Add Monitored Server.
- In the Add Server to Monitor window,
select the Search the Directory for the server to add. Make sure your AD
domain name is listed in the drop-down list.
- In the site list select your site, expand
it, and click to select the server you want to query. Click Finish.
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
|
The following table summarizes the FSMO seizing restrictions:
|
|
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil
in the Open box, and then click OK.
- Type roles, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server <servername>, where <servername>
is the name of the server you want to use, and then press ENTER.
- At the server connections: prompt, type q, and then press
ENTER again.
- Type seize <role>, where <role> is the
role you want to seize. For example, to seize the RID Master role, you
would type seize rid master:
- You will receive a warning window asking if you want to perform the
seize. Click on Yes.
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE)
, data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde
r could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
- Repeat steps 6 and 7 until you've seized all the required FSMO
roles.
- After you seize or transfer the roles, type q, and then press ENTER
until you quit the Ntdsutil tool.
- What is the difference between authoritative and non-authoritative
restore
In authoritative restore, Objects that are restored
will be replicated to all domain controllers in the domain. This can be used
specifically when the entire OU is disturbed in all domain controllers or
specifically restore a single object, which is disturbed in all DC’s
In non-authoritative restore, Restored directory
information will be updated by other domain controllers based on the latest
modification time.
- what is Active Directory De-fragmentation
De-fragmentation of AD means separating used space
and empty space created by deleted objects and reduces directory size (only in
offline De-fragmentation)
- Difference between online and offline de-fragmentation
The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the database self-tunes and automatically tombstoning the records then sweeping them away when the tombstone lifetime has passed to make that space available for additional records.
Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.
So why defrag it in the first place?
One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Enter again to start the OS.
W2K will start in safe mode, with no DS running.
Use the local SAM’s administrator account and password to log on.
You’ll see a dialog box that says you’re in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe
In the command window, you’ll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)
C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Restart the computer, and boot as normal.
- What is
tombstone period
Tombstones are nothing but objects marked for
deletion. After deleting an object in AD the objects will not be deleted
permanently. It will be remain 60 days by default (which can be configurable)
it adds an entry as marked for deletion on the object and replicates to all
DC’s. After 60 days object will be deleted permanently from all Dc’s.
- what is white space and Garbage collection
refer question 7
- what are the monitoring tools used for Server and Network Heath. How to define alert mechanism
Spot Light , SNMP Need to enable .
- How to deploy the patches and what are the softwares used for this
process
Using SUS (Software update services) server we can
deploy patches to all clients in the network. We need to configure an option
called “Synchronize with Microsoft software update server” option and schedule
time to synchronize in server. We need to approve new update based on the
requirement. Then approved update will be deployed to clients
We can configure clients by changing the registry
manually or through Group policy by adding WUAU administrative template in
group policy
- What is Clustering. Briefly define & explain it
Clustering is a technology, which is used to
provide High Availability for mission critical applications. We can configure
cluster by installing MCS (Microsoft cluster service) component from Add remove
programs, which can only available in Enterprise Edition and Data center
edition.
In Windows we can configure two types of
clusters
NLB (network load balancing) cluster for
balancing load between servers. This cluster will not provide any high
availability. Usually preferable at edge servers like web or proxy.
Server Cluster: This provides High
availability by configuring active-active or active-passive cluster. In 2 node
active-passive cluster one node will be active and one node will be stand by.
When active server fails the application will FAILOVER to stand by server
automatically. When the original server backs we need to FAILBACK the
application
Quorum: A shared storage need to provide for
all servers which keeps information about clustered application and session
state and is useful in FAILOVER situation. This is very important if Quorum
disk fails entire cluster will fails
Heartbeat: Heartbeat is a private
connectivity between the servers in the cluster, which is used to identify the
status of other servers in cluster.
- How to
configure SNMP
SNMP can be configured by installing SNMP from
Monitoring and Management tools from Add and Remove programs.
For SNMP programs to communicate we need to
configure common community name for those machines where SNMP programs (eg DELL
OPEN MANAGER) running. This can be configured from services.msc--- SNMP service
-- Security
- Is it possible to rename the Domain name & how?
In Windows 2000 it is not possible. In windows 2003
it is possible. On Domain controller by going to MYCOMPUTER properties we can
change.
- What is
SOA Record
SOA is a Start Of Authority record, which is a
first record in DNS, which controls the startup behavior of DNS. We can
configure TTL, refresh, and retry intervals in this record.
- What is a Stub zone and what is the use of it.
Stub zones are a new feature of DNS in Windows
Server 2003 that can be used to streamline name resolution, especially in a
split namespace scenario. They also help reduce the amount of DNS traffic on
your network, making DNS more efficient especially over slow WAN links.
- What are the different types of partitions present in AD
Active directory is divided into three partitions
Configuration Partition—replicates entire forest
Schema Partition—replicates entire forest
Domain Partition—replicate only in domain
Application Partition (Only in Windows 2003)
- What are the (two) services required for replication
File Replication Service (FRS)
Knowledge
Consistency Checker (KCC)
- Can we use a Linux DNS Sever in 2000 Domain
We can use, But the BIND version should be 8 or
greater
- What is the difference between IIS Version 5 and IIS Version 6
Refer Question 1
- What is ASR (Automated System Recovery) and how to implement it
ASR is a two-part system; it includes ASR backup
and ASR restore. The ASR Wizard, located in Backup, does the backup portion.
The wizard backs up the system state, system services, and all the disks that
are associated with the operating system components. ASR also creates a file
that contains information about the backup, the disk configurations (including
basic and dynamic volumes), and how to perform a restore.
You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
- What are the different levels that we can apply Group Policy
We can apply group policy at SITE level---Domain
Level---OU level
- What is Domain Policy, Domain controller policy, Local policy and
Group policy
Domain Policy will apply to all computers in the
domain, because by default it will be associated with domain GPO, Where as Domain
controller policy will be applied only on domain controller. By default domain
controller security policy will be associated with domain controller GPO. Local
policy will be applied to that particular machine only and effects to that
computer only.
- What is the use of SYSVOL folder
Policies and scripts saved in SYSVOL folder will be
replicated to all domain controllers in the domain. FRS (File replication
service) is responsible for replicating all policies and scripts
- What is
folder redirection?
Folder Redirection is a User group policy. Once you
create the group policy and link it to the appropriate folder object, an
administrator can designate which folders to redirect and where To do this, the
administrator needs to navigate to the following location in the Group Policy
Object:
User Configuration\Windows Settings\Folder
Redirection
In the Properties of the folder, you can choose
Basic or Advanced folder redirection, and you can designate the server file
system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
- What different modes in windows 2003 (Mixed,
native & intrim….etc)
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this requirement is met, the administrator can raise the domain functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.
|
|
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and
that domain only. The four domain functional levels, their corresponding
features, and supported domain controllers are as follows:
Windows 2000 mixed (Default)
- Supported domain controllers: Microsoft Windows NT 4.0, Windows
2000, Windows Server 2003
- Activated features: local and global groups, global catalog support
Windows 2000 native
- Supported domain controllers: Windows 2000, Windows Server 2003
- Activated features: group nesting, universal groups, SidHistory,
converting groups between security groups and distribution groups, you can
raise domain levels by increasing the forest level settings
Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003
- Supported features: There are no domain-wide features activated at
this level. All domains in a forest are automatically raised to this level
when the forest level increases to interim. This mode is only used when
you upgrade domain controllers in Windows NT 4.0 domains to Windows Server
2003 domain controllers.
Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Supported features: domain controller rename, logon timestamp
attribute updated and replicated. User password support on the
InetOrgPerson objectClass. Constrained delegation, you can redirect the
Users and Computers containers.
After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.
The following describes the domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.
Forest Functional Level
Windows 2000 (default)
- Supported domain controllers: Windows NT 4.0, Windows 2000, Windows
Server 2003
- New features: Partial list includes universal group caching,
application partitions, install from media, quotas, rapid global catalog
demotion, Single Instance Store (SIS) for System Access Control Lists
(SACL) in the Jet Database Engine, Improved topology generation event
logging. No global catalog full sync when attributes are added to the PAS
Windows Server 2003 domain controller assumes the Intersite Topology Generator
(ISTG) role.
Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003.
See the "Upgrade from a Windows NT 4.0 Domain" section of this
article.
- Activated features: Windows 2000 features plus Efficient Group
Member Replication using Linked Value Replication, Improved Replication
Topology Generation. ISTG Aliveness no longer replicated. Attributes added
to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction,
Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier,
ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message
Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit
Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Activated features: all features in Interim Level, Defunct schema
objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes,
InetOrgPerson objectClass change, Application Groups, 15-second intrasite
replication frequency for Windows Server 2003 domain controllers upgraded
from Windows 2000
Different Active Directory features are available
at different functional levels. Raising domain and forest functional levels is
required to enable certain new features as domain controllers are upgraded from
Windows NT 4.0 and Windows 2000 to Windows Server 2003
Domain Functional Levels: Windows 2000 Mixed
mode, Windows 2000 Native mode, Windows server 2003 and Windows server 2003
interim ( Only available when upgrades directly from Windows NT 4.0 to
Windows 2003)
- Ipsec usage and difference window 2000
& 2003.
Microsoft doesn’t recommend Internet Protocol
security (IPSec) network address translation (NAT) traversal (NAT-T) for
Windows deployments that include VPN servers and that are located behind
network address translators. When a server is behind a network address
translator, and the server uses IPSec NAT-T, unintended side effects may occur
because of the way that network address translators translate network traffic
If you put a server behind a network address
translator, you may experience connection problems because clients that connect
to the server over the Internet require a public IP address. To reach servers
that are located behind network address translators from the Internet, static
mappings must be configured on the network address translator. For example, to
reach a Windows Server 2003-based computer that is behind a network address
translator from the Internet, configure the network address translator with the
following static network address translator mappings:
|
Public IP
address/UDP port 500 to the server's private IP address/UDP port 500.
|
|
|
•
|
Public IP
address/UDP port 4500 to the server's private IP address/UDP port 4500.
|
These mappings are required so that all Internet
Key Exchange (IKE) and IPSec NAT-T traffic that is sent to the public address
of the network address translator is automatically translated and forwarded to
the Windows Server 2003-based computer
- How to create application partition
windows 2003 and its usage?
An application directory partition is a directory
partition that is replicated only to specific domain controllers. A domain
controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only domain controllers
running Windows Server 2003 can host a replica of an application directory
partition.
Applications and services can use application
directory partitions to store application-specific data. Application directory
partitions can contain any type of object, except security principals. TAPI is
an example of a service that stores its application-specific data in an
application directory partition.
Application directory partitions are usually
created by the applications that will use them to store and replicate data. For
testing and troubleshooting purposes, members of the Enterprise Admins group
can manually create or manage application directory partitions using the
Ntdsutil command-line tool.
- Is it possible to do implicit transitive
forest to forest trust relation ship in windows 2003?
Implicit Transitive trust will not be possible in
windows 2003. Between forests we can create explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
- What is universal group membership cache
in windows 2003.
Information is stored locally once this option is
enabled and a user attempts to log on for the first time. The domain controller
obtains the universal group membership for that user from a global catalog.
Once the universal group membership information is obtained, it is cached on
the domain controller for that site indefinitely and is periodically refreshed.
The next time that user attempts to log on, the authenticating domain
controller running Windows Server 2003 will obtain the universal group
membership information from its local cache without the need to contact a
global catalog.
By default, the universal group membership
information contained in the cache of each domain controller will be refreshed
every 8 hours.
- GPMC
& RSOP in windows 2003?
GPMC is tool which will be used for managing group
policies and will display information like how many policies applied, on which
OU’s the policies applied, What are the settings enabled in each policy, Who
are the users effecting by these polices, who is managing these policies. GPMC
will display all the above information.
RSoP provides details about all policy settings
that are configured by an Administrator, including Administrative Templates,
Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts,
and Group Policy Software Installation.
When policies are applied on multiple levels (for
example, site, domain, domain controller, and organizational unit), the results
can conflict. RSoP can help you determine a set of applied policies and their
precedence (the order in which policies are applied).
- Assign & Publish the applications in GP & how?
Through Group policy you can Assign and Publish the
applications by creating .msi package for that application
With Assign option you can apply policy for both
user and computer. If it is applied to computer then the policy will apply to
user who logs on to that computer. If it is applied on user it will apply where
ever he logs on to the domain. It will be appear in Start menu—Programs. Once
user click the shortcut or open any document having that extension then the
application install into the local machine. If any application program files
missing it will automatically repair.
With Publish option you can apply only on users. It
will not install automatically when any application program files are corrupted
or deleted.
- DFS in
windows 2003?
Refer Question 17 on level 2
- How to use recovery console?
The Windows 2000 Recovery Console is a
command-line console that you can start from the Windows 2000 Setup
program. Using the Recovery Console, you can start and stop services, format
drives, read and write data on a local drive (including drives formatted to use
NTFS), and perform many other administrative tasks. The Recovery Console is
particularly useful if you need to repair your system by copying a file from a
floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a
service that is preventing your computer from starting properly. Because the
Recovery Console is quite powerful, it should only be used by advanced users
who have a thorough knowledge of Windows 2000. In addition, you must be an
administrator to use the Recovery Console.
There are two ways to start the Recovery Console:
If you are unable to start your computer, you can
run the Recovery Console from your Windows 2000 Setup disks or from the
Windows 2000 Professional CD (if you can start your computer from your
CD-ROM drive).
As an alternative, you can install the Recovery
Console on your computer to make it available in case you are unable to restart
Windows 2000. You can then select the Recovery Console option from the
list of available operating systems
- PPTP protocol for VPN in windows 2003?
Point-to-Point-Tunneling Protocol (PPTP) is a
networking technology that supports multiprotocol virtual private networks
(VPN), enableing remote users to access corporate networks securely across the
Microsoft Windows NT® Workstation, Windows® 95, and Windows 98 operating
systems and other point-to-point protocol (PPP)-enabled systems to dial into a
local Internet service provider to connect securely to their corporate network
through the Internet
Netdom.exe is domain management tool to rename domain controllerSID history
- What is Bridge Head Server?
- Crisis
Management?
- Mail flow in Exchange Server.
- DMZ
concept in Firewalls.
- Is NAT uses Port Number if so what is the Port number?
- Difference between Schema Master and
Global Catlog?
- Difference Between Incremental and Differential Backup? Which is
best backup Microsoft has recommended? (depends on
the volume of data)
- How DNS and DHCP are integrated?
- If RID master fails what happens?
- tool used
for FSMO?
- Difference between Assigning and Publishing through Group Policy?
Second level
- What are the services installed when RIS is installed. Read about RIS.
- How to trouble shoot if a DHCP client won’t get IP from DHCP
Server?
- What is online and offline fragmentations?
- Garbage collections and white spaces?
- Tell me one example when Infracture master
and Global catalog will be on one DC, what is the issue if both resides on
same system?
- When you require a Infrastructure Master.
- What are
Windows 2003 modes?
- What are FSMO roles and explain then?
- Stress on
PDC emulator?
- 2003
advantages?
- About migration?(W2k to W2k3 and NT to W2k3).
How to Set Up ADMT for a Windows NT 4.0-to-Windows
Server 2003 Migration:
Before you upgrade a Windows NT 4.0 domain to a
Windows Server 2003-based domain, the following domain and security
configurations are required.
Note: This article assumes that the source domain
is running Windows NT 4.0 Service Pack 4 (SP4) or later with 128-Bit
encryption, and that the target domain is a Windows Server 2003-based domain in
native mode. Also, the Windows Server 2003 must have 128-Bit encryption (which
comes as a default setting in Windows 2003).
Trusts
Configure the source domain to trust the target
domain.
Configure the target domain to trust the source
domain.
Groups
Add the Domain Admins global group from the source
domain to the Administrators local group in the target domain.
Add the Domain Admins global group from the target
domain to the Administrators local group in the source domain.
Create a new local group in the source domain
called Source Domain$$$.
Note: There must be no members in this group.
Auditing
Enable auditing for the success and failure of user
and group management on the source domain.
Enable auditing for the success and failure of
Audit account management on the target domain in the Default Domain Controllers
policy.
Registry
On the PDC in the source domain, add the
TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
Administrative Shares
Administrative shares must exist on the domain
controller in the target domain on which you run ADMT, and on any computers on
which an agent must be dispatched.
User Rights
You must log on to the computer on which you run
ADMT with an account that has the following permissions:
Domain Administrator rights in the target domain.
A member of the Administrators group in the source
domain.
Administrator rights on each computer that you
migrate.
Administrator rights on each computer on which you
translate security.
You will have the appropriate rights when you log
on to the PDC that is the FSMO role holder in the target domain with the Source
Domain\Administrator account, assuming that the Source Domain\Domain
Administrators group is a member of the Administrators group on each computer.
How to set up ADMT for a Windows 2000 to Windows
Server 2003 migration
How to Set Up ADMT for a Windows 2000 to Windows Server 2003 MigrationYou can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is running Windows 2000 or later, including:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional
Microsoft Windows Server 2003
The computer on which you install ADMTv2 must be a member of either the source or the target domain.
Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain.
Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.
Interforest Migration
ADMT requires the following permissions to run properly:
Administrator rights in the source domain.
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.
Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configurations. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares, C$ and ADMIN$.
The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.
User and Group Migration
You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.
Requirements for Optional Migration Tasks
You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.
Create a new local group in the source domain that is named %sourcedomain%$$$. There must be no members in this group.
Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' may be delegated. For more information, see Windows Server 2003 Help & Support.
You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMTv2, and must be installed by an administrator.
To install the password migration DLL:
Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.
At a command prompt, run the ADMT KEY sourcedomainpath [* | password] command to create the password export key file (.pes). In this example, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a password, and the system will not echo it as it is typed.
Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or the folder to which you downloaded ADMTv2 from the Internet.
When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
After the installation completes, you must restart the server.
If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD.
The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to Windows 2000 Active Directory service. As a system administrator, you can use this tool to diagnose any possible problems before starting migration operations to Windows 2000 Server Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.
In many cases, if there is a problem, you can use the rollback features to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: To successfully run the AD Migration Tool the source domain must be running Windows NT 4.0 Service Pack 4 or later, and the target domain will be a Windows 2000-based domain in Native mode.
Version 2.0 of ADMT is from Windows Server 2003 and has many new features:
Scripting and Command line interface
Password Migration
Sid Mapping Files for Security
Translation
Windows 2000 Attribute Exclusion
Agent Credentials
Migration Log
Skip Membership Restoration
- Question
on System State data Backup?
- Diff
types of DNS roles and Zones?
- What are
the steps you follow when you are promoting a server as ADC in windows
2003?
- What are
the two parameters you run before upgrading the server to an
ADC(/forestprep, /domainprep).
- What is
the authentication process?
- What is
the role of GC in authentication process?
- What
happens if DNS server fails. Can a user is able to login if the DNS server
fails(if you have only one DNS Server).
- How do
you promote a server to a domain controller(in windows 2003) over a slow
wan links.
- Take the
backup of systemstate from the DC and restore it in the server where you
are promoting using “dcpromo /adv” and select restore from backup.
This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal in the GPO itself and the settings inside it (these settings and configurations will be discussed in different articles).
Group Policy is a one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:
- Configure
user's desktops
- Configure
local security on computers
- Install
applications
- Run
start-up/shut-down or logon/logoff scripts
- Configure
Internet Explorer settings
- Redirect
special folders
Here are some basic terms you need to be familiar with before drilling down into Group Policy:
Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add "Group Policy Object Editor" snap-in to MMC. Local Policies also exist in the Active Directory environment, but have many fewer configuration options that the full-fledged Group Policy in AD.
GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO – Group Policy Object - at the site level, domain level or OU level.
GPC – Group Policy Container - The GPC is the store of the GPOs; The GPC is where the GPO stores all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or a Site. The GPOs are replicated among the Domain Controllers of the Domain through replication of the Active Directory.
GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.
Netlogon share - A share located only on Domain Controllers and contains GPOs, scripts and .POL files for policy of Windows NT/98. The Netlogon share replicates among all DCs in the Domain, and is accessible for read only for the Everyone group, and Full Control for the Domain Admins group. The Netlogon's real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.
GPO
behavior
Group
Policy is processed in the following order:Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is being overridden by Domain policy, and Domain policy is being overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger the previous one.
The rule is simple, as more you get closer to the object that is being configured, the GPO is stronger.
What does it mean "stronger"? If you configure a GPO and linke it to "Organization" OU, and in it you configure Printer installation – allowed and then at the "
The example above is true when you have different GPOs that have similar configuration, configured with opposite settings. When you apply couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.
Group
Policy sections
Each GPO
is built from 2 sections:- Computer
configuration contains the settings that configure the computer
prior to the user logon combo-box.
- User
configuration contains the settings that configure the user
after the logon. You cannot choose to apply the setting on a single user,
all users, including administrator, are affected by the settings.
- Software settings and Windows settings both of computer and user are settings that configure local DLL
files on the machine.
- Administrative templates are settings
that configure the local registry of the machine. You can add more options
to administrative templates by right clicking it and choose .ADM files.
Many programs that are installed on the computer add their .ADM files to %systemroot%\inf
folder so you can add them to the Administrative Templates.
Tools
used to configure GPO
You can
configure GPOs with these set of tools from Microsoft (other 3rd-party tools
exist but we will discuss these in a different article):- Group
Policy Object Editor snap-in in MMC - or - use gpedit.msc from the
Run command.
- Active
Directory Users and Computers snap in - or dsa.msc – to invoke the
Group Policy tab on every OU or on the Domain.
- Active
Directory Sites and Services - or dssite.msc – to invoke the Group
Policy tab on a site.
- Group
Policy Management Console - or gpmc.msc - this utility is NOT
included in Windows 2003 server and needs to be separately installed. You
can download it from HERE
GPMC
utility - Creating a GPO
When you
create a GPO it is stored in the GPO container. After creation you should link
the GPO to an OU that you choose.
Linking a
GPO
To link a
GPO simply right click an OU and choose Link an existing GPO or you can
create and link a GPO in the same time. You can also drag and drop a GPO from
the Group Policy Objects folder to the appropriate Site, Domain or OU.When you right-click a link you can:
Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.
Enabling/disabling
computer or user settings
GPO has
computer and user settings but if you create a GPO that contains only computer
settings, you might want to disable the user settings in that GPO, this will
reduce the amount of settings replicated and can also be used for testing.To disable one of the configurations simply choose the GPO link and go to Details tab:
How do I
know what are the settings in a GPO?
Prior to
the use of GPMC, an administrator who wanted to find out which one of the
hundreds of settings of a GPO were actually configured - had to open each GPO
and manually comb through each and every node of the GPO sections. Now, with
GPMC, you can simply see what the configurations of any GPO are if you point on
that GPO and go to the Settings tab. There you can use the drop-down menus to
see computer or user settings.
Block/Enforce
inheritance
You can
block policy inheritance to an OU if you don’t want the settings from upper
GPOs to configure your OU.To block GPO inheritance, simply right click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three different GPOs are inherited to it.
In this example you can see that choosing "Block inheritance" will reject all upper GPOs.
Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.
Link
order
When
linking more than one GPO to an OU, there could be a problem when two or more
GPOs have the same settings but with opposite configuration, like, GPO1 have
Allow printer installation among other settings but GPO2 is configured to
prevent printer installation among other settings. Because the two GPOs are at
the same level, there is a link order which can be changed.The GPO with the lowest link order is processed last, and therefore has the highest precedence.
Security
Filtering
Filtering
let you choose the user, group or computer that the GPO will apply onto. If you
configured "Computers" OU with a GPO but you only want to configure
Win XP stations with that GPO and exclude Win 2000 stations, you can easily
create a group of Win XP computers and apply the GPO only to that group.This option save you from creating complicated OU tree with each type of computer in it.
A user or a group that you configure in the filtering field have by default the "Read" and "Apply" permission. By default when you create a GPO link, you can see that "Authenticated users" are listed.
In the above example, Office 2K3 will be installed on all computers that are part of the two listed groups.
If we still were using Authenticated users, the installation of the Office suite could have followed the user to any computer that he logs onto, like servers or other machines. Using filtering narrows the installation options.
If you want to configure these permissions with higher resolution, you can go to Delegation tab and see the permissions. Going to the Advanced Tab will let you configure the ACL permission with the highest resolution.
How the
GPO is updated on the computers
GPO
inherited from AD is refreshed on the computers by several ways:- Logon to
computer (If the settings are of "user settings" in GPO)
- Restart of the
computer (If the settings are of "computer settings" in GPO)
- Every 60 to 90
minutes, the computers query their DC for updates.
- Manually by
using gpupdate command. You can add the /force switch to force all
settings and not only the delta.
for computer settings.
for user settings.
In both commands you can use the /enforce that is similar to the /force in gpupdate.
If any configuration change requires a logoff or a restart message will appear:
You can force logoff or reboot using gpupdate switches.
How to
check that the GPO was deployed
To be sure
that GPO was deployed correctly, you can use several ways. The term for the
results is called RSoP – Resultant Sets of Policies.- Use gpresult
command in the command prompt.
You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.
- Resultant Set
of Policy snap-in in MMC.
Logging mode which tells you what are the real settings that were deployed on the machine
Planning mode which tells you what will be the results if you choose some options.
This option is not so compatible because you need to browse in the RSoP data to find the settings.
This is the most comfortable option that let you check the RSoP data on every computer or user from a central location. This option also displays the summary of the RSoP and Detailed RSoP data in HTML format.
In the example above example you can see the summary of applied or non applied GPOs both of computer and user settings.
Excellent blog post.
ReplyDeleteMCITP Training in Chennai
MCITP Training Institute in Chennai
MCITP Training Center in Chennai
MCITP Training Course in Chennai
MCITP Training