Windows Server 2008 now provides a desktop
environment similar to Microsoft Windows Vista and includes tools also found in
Vista, such as the new backup snap-in and the BitLocker drive encryption
feature. Windows Server 2008 also provides the new IIS7 web server and the
Windows Deployment Service.
The entry-level version of Windows Server 2008 is
the Standard Edition. The Enterprise Edition provides a platform for large
enterprisewide networks. The Datacenter Edition provides support for unlimited
Hyper-V virtualization and advanced clustering services. The Web Edition is a
scaled-down version of Windows Server 2008 intended for use as a dedicated web
server. The Standard, Enterprise, and Datacenter Editions can be purchased with
or without the Hyper-V virtualization technology.
Any server on which you will install Windows
Server 2008 should have at least the minimum hardware requirement for running
the network operating system. Server hardware should also be on the Windows
Server 2008 Hardware Compatibility List to avoid the possibility of hardware
and network operating system incompatibility.
You can select to have activation happen
automatically when the Windows Server 2008 installation is complete. Make sure
that the Automatically Activate Windows When I’m Online check box is selected
on the Product Key page.
You can install Windows Server 2008 on a server
not currently configured with a network operating system (NOS), or you can upgrade existing servers running
Windows 2000 Server and Windows Server 2003.
This stripped-down version of Windows Server 2008
is managed from the command line.
The Task Scheduler enables you to schedule the
launching of tools such as Windows Backup and Disk Defragmenter.
You can access virtual memory settings and the
Device Manager via the System Properties dialog box.
The Server Manager provides both the interface
and access to a large number of the utilities and tools that you will use as
you manage your Windows server.
Local user accounts and groups are managed in the
Local Users and Groups node in the Server Manager. Local user accounts and
groups are used to provide local access to a server.
Child domains and the root domain of a tree are
assigned transitive trusts. This means that the root domain and child domain
trust each other and allow resources in any domain in the tree to be accessed
by users in any domain in the tree.
The primary function of domain controllers is to
validate users to the network. However, domain controllers also provide the
catalog of Active Directory objects to users on the network.
A server running Windows Server 2008 can be
configured as a domain controller, a file server, a print server, a web server,
or an application server. Windows servers can also have roles and features that
provide services such as DNS, DHCP, and Routing and Remote Access.
The Server Manager window enables you to view the
roles and features installed on a server and also to quickly access the tools
used to manage these various roles and features. The Server Manager can be used
to add and remove roles and features as needed.
Windows Deployment Services (WDS) enables you to
install client and server operating systems over the network to any computer
with a PXE-enabled network interface.
Windows Deployment Services requires that a DHCP
server and a DNS server be installed in the domain.
The Windows Deployment Services snap-in enables
you to configure the WDS server and add boot and install images to the server.
The Disk Manager provides all the tools for
formatting, creating, and managing drive volumes and partitions.
A basic disk embraces the MS-DOS disk structure;
a basic disk can be divided into partitions (simple volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
RAID, or Redundant Array of Independent Disks, is
a strategy for building fault tolerance into your file servers. RAID enables
you to combine one or more volumes on separate drives so that they are accessed
by a single drive letter. Windows Server 2008 enables you to configure RAID 0
(a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).
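The parity idea behind RAID 5 is easy to misjudge until you have watched a disk be rebuilt. The following Python block is an added example (not part of these notes and not Windows' dynamic-disk code): it stripes constructed data across a set of disks with one rotating parity chunk per stripe, drops one disk, and reconstructs it by XOR of the survivors.

```python
"""RAID 5 striping with rotating parity, and rebuilding a failed disk from
the survivors. Added example illustrating the notes above; it is a toy
model, not Windows' dynamic-disk implementation."""

def xor_bytes(*chunks: bytes) -> bytes:
    """Bytewise XOR of equally sized chunks (the parity function of RAID 5)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)

def raid5_write(data: bytes, n_disks: int, chunk: int) -> list:
    """Split data into stripes of (n_disks - 1) data chunks plus one parity
    chunk. The parity chunk moves to a different disk on every stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (n_disks - 1)
    disks = [[] for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        stripe = data[off:off + per_stripe].ljust(per_stripe, b"\0")
        pieces = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        pieces.insert(s % n_disks, xor_bytes(*pieces))   # rotating parity position
        for d, piece in enumerate(pieces):
            disks[d].append(piece)
    return disks

def raid5_rebuild(disks: list, failed: int) -> list:
    """Reconstruct every chunk of the failed disk as the XOR of the surviving
    chunks in the same stripe (works for data and parity chunks alike)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes(*(d[s] for d in survivors)) for s in range(len(survivors[0]))]

def raid5_read(disks: list, length: int) -> bytes:
    """Reassemble the original data by skipping each stripe's parity chunk."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_at = s % n_disks
        for d in range(n_disks):
            if d != parity_at:
                out += disks[d][s]
    return bytes(out[:length])

if __name__ == "__main__":
    data = b"constructed sample data for the RAID 5 parity demonstration"  # constructed input
    disks = raid5_write(data, n_disks=4, chunk=8)
    lost = disks[2]
    disks[2] = None                       # simulate disk 2 failing
    disks[2] = raid5_rebuild(disks, failed=2)
    assert disks[2] == lost and raid5_read(disks, len(data)) == data
    print("rebuilt disk 2 from parity; data intact")
```

The model shows why RAID 5 survives exactly one failed disk: with two disks missing from a stripe, the XOR no longer has enough terms to recover either one, and while a rebuild is running the set has no redundancy at all, which is why the backups described next are still necessary.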
Regular backups of
network data provide the best method of protecting you from data loss.
The OSI model, consisting
of the application, presentation, session, transport, network, data link, and
physical layers, helps describe how data is sent and received on the network by
protocol stacks.
TCP/IP (v4 and v6) is the
default protocol for Windows Server 2008. It is required for Active Directory
implementations and provides for connectivity on heterogeneous networks.
You must provide at least
the IP address and the subnet mask to configure a TCP/IP client for an IPv4
client, unless that client obtains this information from a DHCP server. For
IPv6 clients, the interface ID is generated automatically from the MAC hardware
address on the network adapter. IPv6 can also use DHCP as a method to configure
IP clients on the network.
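The sentence about the IPv6 interface ID being generated from the MAC address describes the modified EUI-64 derivation. The Python block below is an added example, not part of the original notes: it derives the 64-bit interface identifier from a constructed MAC address, builds the link-local address from it, and combines it with an advertised /64 prefix the way stateless autoconfiguration does.

```python
"""Derive an IPv6 modified EUI-64 interface ID from a 48-bit MAC and build
addresses from it. Added example; the MAC and prefix are constructed."""
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the vendor (OUI) half and the device half...
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # ...and invert the universal/local bit (bit 1 of the first octet).
    return bytes([eui[0] ^ 0x02]) + eui[1:]

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the EUI-64 interface ID."""
    prefix = b"\xfe\x80" + b"\x00" * 6
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))

def global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a router-advertised /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

if __name__ == "__main__":
    mac = "00-1B-21-3C-4D-5E"            # constructed sample MAC
    print(eui64_interface_id(mac).hex())  # 021b21fffe3c4d5e
    print(link_local_from_mac(mac))       # fe80::21b:21ff:fe3c:4d5e
    print(global_from_mac("2001:db8:1:2::/64", mac))
```

Because an EUI-64 identifier carries the adapter's MAC address in every packet it sends, Windows Vista and Windows Server 2008 generate random interface identifiers by default; the derivation above is what you see only when identifier randomization has been turned off on the host.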
The ipconfig command can
be used to check a computer’s IP configuration and also renew the client’s IP
address if it is provided by a DHCP server. ping can be used to check the
connection between the local computer and any computer on the network, using
the destination computer’s IP address.
The first domain created in a tree is referred to
as the root domain. Child domains created in the tree share the same namespace
as the root domain.
Installing the Active Directory on a server
running Windows Server 2008 provides you with the option of creating a root
domain for a domain tree or of creating child domains in an existing tree.
Installing Active Directory on the server makes the server a domain controller.
When the Active Directory is installed on a
server (making it a domain controller), a set of Active Directory snap-ins is
provided. The Active Directory Users and Computers snap-in is used to manage
Active Directory objects such as user accounts, computers, and groups. The
Active Directory Domains and Trusts snap-in enables you to manage the trusts
that are defined between domains. The Active Directory Sites and Services
snap-in provides for the management of domain sites and subnets.
The Active Directory Users and Computers snap-in
provides the tools necessary for creating user accounts and managing account
properties. Properties for user accounts include settings related to logon
hours, the computers to which a user can log on, and the settings related to
the user’s password.
A group can contain users, computers, contacts,
and other nested groups.
Universal groups are not available in a
mixed-mode domain. The functional level must be raised to Windows 2003 or
Windows 2008 to make these groups available.
Organizational Units can hold users, groups,
computers, contacts, and other OUs. The Organizational Unit provides you with a
container directly below the domain level that enables you to refine the
logical hierarchy of how your users and other resources are arranged in the
Active Directory.
Active Directory sites are physical locations on
the network’s physical topology. Each regional domain that you create is
assigned to a site. Sites typically represent one or more IP subnets that are
connected by IP routers. Because sites are separated from each other by a
router, the domain controllers on each site periodically replicate the Active
Directory to update the Global Catalog on each site segment.
Client computer accounts can be added through the
Active Directory Users and Computers snap-in. You can also create client
computer accounts via the client computer by joining it to the domain via the
System Properties dialog box. This requires a user account that has
administrative privileges, such as members of the Domain Administrator or
Enterprise Administrator groups.
The Windows Firewall must allow remote
administration for a computer to be managed remotely.
Servers running Windows Server 2008 can be
configured to participate in a workgroup. The server can provide some services
to the workgroup peers but does not provide the security and management tools
provided to domain controllers.
Group Policy provides a method of controlling
user and computer configuration settings for Active Directory containers such
as sites, domains, and OUs. GPOs are linked to a particular container, and then
individual policies and administrative templates are enabled to control the
environment for the users or computers within that particular container.
GPOs and their settings, links, and other
information such as permissions can be viewed in the Group Policy Management
snap-in.
GPOs are inherited down through the Active
Directory tree by default. You can block the inheritance of settings from
upline GPOs (for a particular container such as an OU or a local computer) by
selecting Block Inheritance for that particular object. If you want to enforce
a higher-level GPO so that it overrides directly linked GPOs, you can use the
Enforce command on the inherited (or upline) GPO.
You can configure a Network Policy Server (a
service available in the Network Policy and Access Services role). The Network
Policy Server can be configured to compare desktop client settings with health
validators to determine the level of network access afforded to the client.
A domain DNS server
provides for the local mapping of fully qualified domain names to IP addresses.
Because the DNS is a distributed database, the local DNS servers can provide
record information to remote DNS servers to help resolve remote requests
related to fully qualified domain names on your network.
You would create both a
forward lookup zone and a reverse lookup zone on your Windows Server 2008 DNS
server.
The DNS snap-in enables
you to add or remove zones and to view the records in your DNS zones. You can
also use the snap-in to create records such as a DNS resource record.
A caching-only DNS server
supplies information related to queries based on the data it contains in its
DNS cache. Caching-only servers are often used as DNS forwarders. Because they
are not configured with any zones, they do not generate network traffic related
to zone transfers.
The IP addresses supplied
by the DHCP server are held in a scope. A scope that contains more than one
subnet of IP addresses is called a superscope. IP addresses in a scope that you
do not want to lease can be included in an exclusion range.
The DHCP server can supply a DHCP client an IP
address and subnet mask. It also can optionally include the default gateway
address, the DNS server address, and the WINS server address to the client.
You can create a reservation for the device (or
create reservations for a number of devices). To create a reservation, you need
to know the MAC hardware address of the device. You can use the ipconfig or
nbtstat command-line utilities to determine the MAC address for a network device
such as a computer or printer.
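To make the scope, exclusion range and reservation concepts concrete, here is an added Python model (not part of the notes and not the Windows DHCP Server service): a scope hands out addresses from its range, skips the exclusion range, pins a reserved address to a MAC, and can be grouped into a superscope spanning more than one subnet. All addresses and MACs are constructed.

```python
"""Toy DHCPv4 scope with an exclusion range, MAC-based reservations and
client options, plus a superscope grouping several scopes. Added example for
the notes above; it models the concepts, not the Windows DHCP Server service."""
import ipaddress

def norm_mac(mac: str) -> str:
    """'00-1B-21-AA-BB-CC' and '00:1b:21:aa:bb:cc' identify the same device."""
    return mac.lower().replace("-", "").replace(":", "")

class Scope:
    def __init__(self, start, end, mask, exclusions=(), reservations=None, options=None):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.mask = mask
        self.exclusions = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                           for a, b in exclusions]
        self.reservations = {norm_mac(m): ipaddress.IPv4Address(ip)
                             for m, ip in (reservations or {}).items()}
        self.options = dict(options or {})      # router, DNS servers, WINS server, ...
        self.leases = {}                        # normalized MAC -> address

    def excluded(self, ip) -> bool:
        return any(a <= ip <= b for a, b in self.exclusions)

    def lease(self, mac: str):
        """Return the client's address, or None when the scope is exhausted."""
        mac = norm_mac(mac)
        if mac in self.leases:
            return self.leases[mac]                     # renewal keeps the address
        if mac in self.reservations:
            ip = self.reservations[mac]                 # fixed address for this MAC
        else:
            taken = set(self.leases.values()) | set(self.reservations.values())
            ip, found = self.start, None
            while ip <= self.end:
                if not self.excluded(ip) and ip not in taken:
                    found = ip
                    break
                ip += 1
            if found is None:
                return None
            ip = found
        self.leases[mac] = ip
        return ip

    def release(self, mac: str) -> None:
        self.leases.pop(norm_mac(mac), None)

    def offer(self, mac: str):
        """What the client actually receives: address, mask and the options."""
        ip = self.lease(mac)
        return None if ip is None else {"address": str(ip), "mask": self.mask, **self.options}

class Superscope:
    """Several scopes (several subnets) served as one pool."""
    def __init__(self, *scopes: Scope):
        self.scopes = list(scopes)

    def lease(self, mac: str):
        key = norm_mac(mac)
        for s in self.scopes:                  # an existing lease or reservation wins
            if key in s.leases or key in s.reservations:
                return s.lease(mac)
        for s in self.scopes:                  # otherwise the first scope with room
            ip = s.lease(mac)
            if ip is not None:
                return ip
        return None
```

The exclusion range keeps addresses that are statically assigned (the router, the DNS server) out of the pool; a reservation is the opposite case, a pool address that always goes to one MAC, which is why you need the MAC before creating it.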
The DHCP server must be authorized in the Active Directory
before it can function in the domain.
ACTIVE DIRECTORY QUESTIONS AND ANSWERS
• What is Active Directory?
Active Directory is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
• What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients. LDAP servers store "directories" which are accessed by LDAP clients.
LDAP is called lightweight because it is a smaller and simpler protocol which was derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.
LDAP servers store a hierarchical directory of information. In LDAP parlance, a fully qualified name for a directory entry is called a Distinguished Name. Unlike DNS (Domain Name Service) FQDNs (Fully Qualified Domain Names), LDAP DNs store the most significant data to the right.
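The ordering point is easier to see with both name forms side by side. The Python block below is an added example (not from the original notes; the names in it are constructed): it maps a DNS domain name to the matching DC= naming context, splits a distinguished name into its RDNs while honouring backslash-escaped commas, and shows that the rightmost RDN is the root.

```python
"""Distinguished names versus DNS names: both read from most specific (left)
to most significant (right). Added example, not part of the original notes;
the names used are constructed."""

def fqdn_to_base_dn(fqdn: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (the domain's naming context)."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    return ",".join(f"DC={label}" for label in labels)

def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) RDNs. A backslash escapes the next
    character, so 'CN=Doe\\, John' stays a single RDN."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs

def root_rdn(dn: str) -> str:
    """The rightmost RDN is the most significant component (the directory root)."""
    attr, value = split_dn(dn)[-1]
    return f"{attr}={value}"

def leaf_rdn(dn: str) -> str:
    """The leftmost RDN names the object itself."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"

def dn_domain(dn: str) -> str:
    """Recover the DNS domain an object lives in from its DC= components."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")

if __name__ == "__main__":
    dn = "CN=Doe\\, John,OU=Sales,DC=corp,DC=example,DC=com"   # constructed
    print(fqdn_to_base_dn("corp.example.com"))  # DC=corp,DC=example,DC=com
    print(leaf_rdn(dn), "->", root_rdn(dn))     # CN=Doe\, John -> DC=com
    print(dn_domain(dn))                        # corp.example.com
```

Splitting on every comma is the classic mistake here: a CN such as "Doe, John" contains an escaped comma, and a naive split turns one user into two bogus RDNs.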
What do you do if earlier application doesn’t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting the previously supported operating system.
If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and Windows 98 to Windows 2003.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
How does Active Directory replication work in a domain setup?
Only the changes are replicated, once a domain controller has been established.
The controller the change was made on (after five minutes of stability) notifies its replication partners that a change was made. It sends a change notification to these partners, but only notifies one partner every 30 seconds so it is not overwhelmed with update requests. Each controller, in turn, when it is updated, sends a change notice to its respective replication partners.
The replication partners each send an update request with a USN to the domain controller that the change was made on. The USN identifies the current state of the domain controller making the change. Each change has a unique USN. This way the domain controller that has the change knows the state of the domain controller requesting the changes and only the changes are required to be sent. The time on each controller, therefore, does not need to be synchronized exactly, although timestamps are used to break ties regarding changes.
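The USN mechanism described above can be modelled in a few dozen lines. The following Python block is an added example, not part of the notes and not Microsoft's replication code: each domain controller keeps a local USN counter, an update request carries the highest USN the requester has already seen from that partner, only newer entries come back, already-seen changes are not re-applied, and a timestamp breaks ties when two controllers changed the same attribute. Everything else in the real protocol is omitted.

```python
"""Toy model of USN-based Active Directory replication. Added example for the
notes above; it keeps the ideas (local USNs, update requests carrying the
last USN seen, timestamps as tie-breakers) and omits the rest of the protocol."""
from dataclasses import dataclass, field

@dataclass
class Change:
    local_usn: int      # USN on the DC whose log holds this entry
    origin: str         # DC where the write originated
    origin_usn: int     # USN the originating DC assigned to the write
    attr: str
    value: str
    stamp: int          # timestamp/version, used only to break ties

@dataclass
class DomainController:
    name: str
    usn: int = 0
    data: dict = field(default_factory=dict)        # attr -> (value, stamp)
    log: list = field(default_factory=list)         # Change entries in local USN order
    watermark: dict = field(default_factory=dict)   # partner -> highest USN of theirs pulled
    seen: set = field(default_factory=set)          # (origin, origin_usn) already applied

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def write(self, attr: str, value: str, stamp: int) -> int:
        """Originating write on this DC: bump the USN and record the change."""
        usn = self._next_usn()
        self.data[attr] = (value, stamp)
        self.log.append(Change(usn, self.name, usn, attr, value, stamp))
        self.seen.add((self.name, usn))
        return usn

    def changes_since(self, usn: int) -> list:
        """Answer an update request: only entries newer than the given USN."""
        return [c for c in self.log if c.local_usn > usn]

    def pull_from(self, partner: "DomainController") -> int:
        """Send an update request carrying the last USN we saw from partner and
        apply what comes back. Returns how many changes were applied."""
        applied = 0
        for c in partner.changes_since(self.watermark.get(partner.name, 0)):
            self.watermark[partner.name] = c.local_usn
            if (c.origin, c.origin_usn) in self.seen:
                continue                        # already received via another path
            self.seen.add((c.origin, c.origin_usn))
            current = self.data.get(c.attr)
            if current is None or c.stamp >= current[1]:
                self.data[c.attr] = (c.value, c.stamp)   # later stamp wins a conflict
            # Record it locally so our own partners can pull it from us in turn.
            self.log.append(Change(self._next_usn(), c.origin, c.origin_usn,
                                   c.attr, c.value, c.stamp))
            applied += 1
        return applied

if __name__ == "__main__":
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("description", "v1", stamp=1)
    print(dc2.pull_from(dc1), dc2.pull_from(dc1))   # 1 0
```

Note what the watermark buys: a partner that is weeks behind still sends one request, and only the entries it is missing come back, which is what "only the changes are replicated" means in practice.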
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.
What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts Manager, Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Master (optional, available from adminpak), DHCP, DNS, Group Policy Management Console (optional).
What types of classes exist in Windows Server 2003 Active Directory?
1. Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
2. Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.
3. Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
4. 88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.
How do you delete a lingering object?
Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.
What is the Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
o Provides group membership information during logon and authentication
o Helps users locate resources in Active Directory
How is user account security established in Windows Server 2003?
When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.
If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users?
The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
What’s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
· I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
· What is LSDOU?
It’s the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
· Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
· Where are group policies stored?
%SystemRoot%\System32\GroupPolicy
· What is GPT and GPC?
Group policy template and group policy container.
· Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
· You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
The computer settings take priority.
· You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do?
gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice Options is your friend.
· What’s contained in administrative template conf.adm?
Microsoft NetMeeting policies
· How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.
· You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
· What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
· What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
· How frequently is the client policy refreshed? 90 minutes give or take.
· Where is secedit? It’s now gpupdate.
· You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
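The LSDOU order, Block Inheritance and Enforce interact in ways that are hard to reason about from prose alone (this applies to the Windows Server 2008 notes on inheritance above as much as to the two questions here). The Python block below is an added example, not part of the notes and not the Group Policy engine: it walks the Site, Domain and OU chain, drops non-enforced inherited links at a container with Block Inheritance, applies enforced links last with the highest-linked one winning, and reports which GPO supplied each resulting setting. The local GPO (the "L") is applied before all of these and is left out of the model; GPO names and settings are constructed.

```python
"""Toy model of Group Policy precedence: Site -> Domain -> OU processing,
Block Inheritance and Enforce. Added example for the notes above; it models
the precedence rules only, not the Group Policy engine."""
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict               # policy name -> value

@dataclass
class Container:                 # Site, Domain or OU
    name: str
    links: list = field(default_factory=list)   # (gpo, enforced), lowest precedence first
    block_inheritance: bool = False

def processing_order(chain: list) -> list:
    """chain runs from the Site down to the OU that holds the target object.
    Returns GPOs in the order they are applied; the last applied wins."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []          # drop non-enforced GPOs linked above this container
        for gpo, is_enforced in container.links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links are applied after everything else; among them, the one
    # linked highest in the tree is applied last and therefore wins.
    return normal + enforced[::-1]

def resultant_settings(chain: list):
    """Merge settings in processing order; also record the winning GPO per setting."""
    result, winner = {}, {}
    for gpo in processing_order(chain):
        for key, value in gpo.settings.items():
            result[key] = value
            winner[key] = gpo.name
    return result, winner

if __name__ == "__main__":
    site = Container("Default-First-Site",
                     [(Gpo("SiteWallpaper", {"wallpaper": "blue"}), False)])
    domain = Container("corp.example.com",
                       [(Gpo("DomainLockout", {"lockout_threshold": 5,
                                               "screen_saver_min": 10}), True)])
    kiosks = Container("OU=Kiosks",
                       [(Gpo("KioskScreen", {"screen_saver_min": 60}), False)],
                       block_inheritance=True)
    print(resultant_settings([site, domain, kiosks]))
    # ({'screen_saver_min': 10, 'lockout_threshold': 5},
    #  {'screen_saver_min': 'DomainLockout', 'lockout_threshold': 'DomainLockout'})
```

The interesting case is the enforced domain GPO meeting a blocking OU: the block removes the site wallpaper but not the enforced lockout policy, and the OU's own screen-saver value loses to the enforced one, which is exactly how a domain-wide security baseline is meant to survive a delegated OU administrator's Block Inheritance.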
· What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
· How do you fight tattooing in NT/2000 installations? You can’t.
· How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
· What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
· What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
· How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.
· Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
· I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.
· For a user in several groups, are Allow permissions restrictive or permissive?
Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission.
· For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.
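The SID, token and ACL description earlier and the two Allow/Deny questions just above are the same mechanism seen from two sides. The Python block below is an added example (not part of the notes and not the Windows security reference monitor; the SIDs and access-mask bits are constructed simplifications): a toy domain issues SIDs with never-reused RIDs, builds a token from the user SID plus group SIDs, and evaluates an ACL where one matching Deny overrides any number of Allows while Allows accumulate.

```python
"""Toy model of SIDs, the security token and ACL evaluation. Added example
illustrating the notes on SIDs and on Allow/Deny permissions; a simplification,
not the Windows security reference monitor."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4       # simplified access-mask bits (constructed)

class Domain:
    """Issues SIDs of the form S-1-5-21-<domain part>-<RID>; RIDs are never reused."""
    def __init__(self, domain_part: str):
        self.prefix = f"S-1-5-21-{domain_part}"
        self.next_rid = 1000                    # accounts created here start at RID 1000
        self.accounts = {}                      # name -> SID
        self.members = {}                       # SID -> set of group SIDs

    def create(self, name: str) -> str:
        sid = f"{self.prefix}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = sid
        self.members[sid] = set()
        return sid

    def delete(self, name: str) -> None:
        sid = self.accounts.pop(name)
        self.members.pop(sid, None)
        # The RID counter is not rewound: recreating the name yields a new SID,
        # and ACLs still holding the old SID no longer match anyone.

    def add_to_group(self, user: str, group: str) -> None:
        self.members[self.accounts[user]].add(self.accounts[group])

    def token(self, user: str) -> set:
        """User SID plus every group SID: what is compared against an ACL."""
        sid = self.accounts[user]
        return {sid} | self.members[sid]

@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool
    mask: int

def access_check(token: set, acl: list, requested: int) -> bool:
    """A matching Deny ACE that overlaps the request wins outright; otherwise the
    matching Allow ACEs must together cover every requested bit. This equals the
    Windows result for a canonically ordered ACL (explicit Deny ACEs first)."""
    granted = 0
    for ace in acl:
        if ace.sid not in token:
            continue
        if not ace.allow and ace.mask & requested:
            return False
        if ace.allow:
            granted |= ace.mask
    return requested & ~granted == 0

if __name__ == "__main__":
    d = Domain("111111111-222222222-333333333")   # constructed domain identifier
    old = d.create("jdoe")
    d.delete("jdoe")
    new = d.create("jdoe")
    print(old, new, old != new)                   # ...-1000 ...-1001 True
```

The recreate-the-user question falls out of the same model: the ACL entries that named the deleted account's SID are now orphaned, which is why a recreated account has to be re-added to every resource.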
· What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
· What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
· We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path rather than the DFS client; only Windows 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
· Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.
· Can you use Start->Search with DFS shares? Yes.
· What problems can you have with DFS installed?
Two users open the redundant copies of a file at the same time (DFS does no file locking), both change the contents and then save. Only one of the files will be propagated through DFS.
· I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.
· Is Kerberos encryption symmetric or asymmetric? Symmetric.
· How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?
A time stamp is attached to the initial client request, encrypted with the shared key.
· What hashing algorithms are used in Windows 2003 Server?
RSA Data Security’s Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
· What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
· What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.
· If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used as a password and then comparing the hashes.
· What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
· How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
· I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
· What is LSDOU?
It’s the group policy inheritance model, where policies are applied in the order Local machine, Sites, Domains and Organizational Units.
· Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
· Where are group policies stored?
%SystemRoot%\System32\GroupPolicy
· What are GPT and GPC?
Group policy template and group policy container.
· Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
· You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
The computer settings take priority.
· You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do?
gponame -> User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options is your friend.
· What’s contained in administrative template conf.adm?
Microsoft NetMeeting policies
· How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.
· You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
· What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
· What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user’s right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
· How frequently is the client policy refreshed? 90 minutes give or take.
· Where is secedit? It’s now gpupdate.
· You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
· What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
· How do you fight tattooing in NT/2000 installations? You can’t.
· How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
· What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
What is Active Directory Schema?
The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object.
What is Global Catalog Server?
· A global catalog server is a domain controller that hosts a master searchable database containing information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
o Provides group membership information during logon and authentication
o Helps users locate resources in Active Directory
What is NTDS.dit default size?
40 MB
What are the standard ports for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP – 25, POP3 – 110, IMAP4 – 143, RPC – 135, LDAP – 389, Global Catalog – 3268
What is a default gateway?
The exit-point from one network and entry-way into another network, often the router of the network.
Describe the lease process of DHCP?
· DHCP Server leases the IP addresses to the clients as follows (DORA):
o D (Discover): the DHCP client sends a broadcast packet to identify the DHCP server; this packet contains the client’s source MAC.
o O (Offer): once the packet is received by the DHCP server, the server sends a packet containing its source IP and source MAC.
o R (Request): the client now contacts the DHCP server directly and requests the IP address.
o A (Acknowledge): the DHCP server sends an acknowledge packet which contains the IP address.
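An added simulation of the DORA exchange above (example code, not from the original page): client and server exchange in-process Message records, the MAC and IP values are constructed, and only the fields the description mentions are modelled.

```python
"""DHCP DORA lease exchange, simulated end to end.

Constructed example: client and server are plain Python objects exchanging
Message records in-process. Only the fields the description above mentions
(client MAC, server IP/MAC, offered address) are modelled.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Message:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK or NAK
    src_mac: str
    dst_mac: str
    src_ip: str          # "0.0.0.0" while the client has no address yet
    payload: Dict[str, str] = field(default_factory=dict)


class DhcpServer:
    def __init__(self, ip: str, mac: str, pool_start: str, pool_size: int):
        self.ip, self.mac = ip, mac
        self.free = [str(IPv4Address(pool_start) + i) for i in range(pool_size)]
        self.offers: Dict[str, str] = {}   # client MAC -> address held for it
        self.leases: Dict[str, str] = {}   # client MAC -> address in use

    def handle(self, msg: Message) -> Optional[Message]:
        """Answer one client message; None means the server stays silent."""
        if msg.kind == "DISCOVER":
            # O: the reply carries the server's own IP and MAC so the client can address it.
            addr = self.leases.get(msg.src_mac) or self.offers.get(msg.src_mac)
            if addr is None:
                if not self.free:
                    return None                       # pool exhausted
                addr = self.free.pop(0)
                self.offers[msg.src_mac] = addr
            return Message("OFFER", self.mac, msg.src_mac, self.ip,
                           {"your_ip": addr, "server_ip": self.ip})
        if msg.kind == "REQUEST":
            if msg.payload.get("server_ip") != self.ip:
                return None                           # client chose another server
            wanted = msg.payload.get("requested_ip")
            held = self.offers.get(msg.src_mac) or self.leases.get(msg.src_mac)
            if wanted != held:
                return Message("NAK", self.mac, msg.src_mac, self.ip)
            self.offers.pop(msg.src_mac, None)
            self.leases[msg.src_mac] = wanted         # A: the lease is now committed
            return Message("ACK", self.mac, msg.src_mac, self.ip, {"your_ip": wanted})
        return None


class DhcpClient:
    def __init__(self, mac: str):
        self.mac, self.ip = mac, None

    def discover(self) -> Message:
        # D: broadcast, since the client has no address and knows no server.
        return Message("DISCOVER", self.mac, BROADCAST_MAC, "0.0.0.0")

    def request(self, offer: Message) -> Message:
        # R: sent to the offering server, asking for exactly the offered address.
        return Message("REQUEST", self.mac, offer.src_mac, "0.0.0.0",
                       {"requested_ip": offer.payload["your_ip"],
                        "server_ip": offer.payload["server_ip"]})

    def accept(self, reply: Message) -> None:
        # The address is usable only after the ACK; a NAK means start over.
        if reply.kind == "ACK":
            self.ip = reply.payload["your_ip"]


def run_dora(client: DhcpClient, server: DhcpServer) -> List[Optional[Message]]:
    """Drive one Discover/Offer/Request/Acknowledge cycle; return the transcript."""
    transcript: List[Optional[Message]] = []
    discover = client.discover()
    transcript.append(discover)
    offer = server.handle(discover)
    transcript.append(offer)
    if offer is None:
        return transcript                             # nobody answered the broadcast
    request = client.request(offer)
    transcript.append(request)
    reply = server.handle(request)
    transcript.append(reply)
    if reply is not None:
        client.accept(reply)
    return transcript


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.1", "00:11:22:33:44:55", "192.168.1.100", 2)
    cli = DhcpClient("aa:bb:cc:00:00:01")
    for m in run_dora(cli, srv):
        print(m.kind, m.src_mac, "->", m.dst_mac, m.payload)
    print("client configured with", cli.ip)
```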
What is a NIC?
Ans: A network interface card, more commonly referred to as a NIC, is a device that allows computers to be joined together in a LAN, or local area network. Networked computers communicate with each other using a given protocol or agreed-upon language for transmitting data packets between the different machines, known as nodes. The network interface card acts as the liaison for the machine to both send and receive data on the LAN.
The most common language or protocol for LANs is Ethernet, sometimes referred to as IEEE 802.3.
Note: Ethernet is a standard communications protocol embedded in software and hardware devices, intended for building a local area network.
What is a MAC Address?
MAC address ( Media Access Control) is a unique value associated with a Network Interface Card. MAC address is also known as Hardware address or Physical Address. MAC address uniquely identifies a Network adaptor in the LAN.
MAC addresses are 48 bits in length.
When would you use a crosslink cable?
Cross-link cables are used to connect a PC directly to another PC; the cable is special because a few wires are swapped, which allows the two network cards to send and receive data packets from each other.
What is the difference between a Hub and a Switch?
A hub is typically less expensive, less intelligent, and less complicated than a switch. Its job is very simple: anything that comes in one port is sent out to all the others. Every computer connected to the hub "sees" everything that every other computer on the hub sees. The hub itself is blissfully ignorant of the data being transmitted.
A switch does essentially what a hub does but more efficiently. By paying attention to the traffic that comes across it, it can "learn" where particular addresses are. For example, if it sees traffic from machine A coming in on port 2, it now knows that machine A is connected to that port and that traffic to machine A needs to only be sent to that port and not any of the others. The net result of using a switch over a hub is that most of the network traffic only goes where it needs to rather than to every port. On busy networks this can make the network significantly faster.
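An added example (not from the original page) that runs a hub and a learning switch over the same constructed trace, so the learning step described above and its effect on what a third, listening port can observe are both visible.

```python
"""Hub versus learning switch, as compared above.

Constructed example: a frame is (ingress port, source MAC, destination MAC)
and each device returns the set of ports it sends the frame out of, so the
two behaviours can be compared on identical traffic.
"""
from typing import Dict, Iterable, List, Set, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]          # (ingress_port, src_mac, dst_mac)


class Hub:
    """Repeats every frame to every other port; learns nothing."""
    def __init__(self, ports: Iterable[int]):
        self.ports = set(ports)

    def forward(self, ingress: int, src: str, dst: str) -> Set[int]:
        if ingress not in self.ports:
            raise ValueError(f"no such port {ingress}")
        return self.ports - {ingress}


class LearningSwitch:
    """Learns which port each source MAC lives on and forwards only there."""
    def __init__(self, ports: Iterable[int]):
        self.ports = set(ports)
        self.table: Dict[str, int] = {}   # MAC -> port it was last seen on

    def forward(self, ingress: int, src: str, dst: str) -> Set[int]:
        if ingress not in self.ports:
            raise ValueError(f"no such port {ingress}")
        self.table[src] = ingress          # learn from the source address
        if dst == BROADCAST_MAC or dst not in self.table:
            return self.ports - {ingress}  # unknown or broadcast: flood like a hub
        out = self.table[dst]
        return set() if out == ingress else {out}   # same port: already delivered


def frames_seen_on(port: int, device, frames: List[Frame]) -> int:
    """Count the frames a station on `port` observes when the trace is replayed in order."""
    return sum(1 for ingress, src, dst in frames if port in device.forward(ingress, src, dst))


# Constructed trace: A (port 2) and B (port 4) talk; a station on port 3 only listens.
TRACE: List[Frame] = [
    (2, "A", "B"),            # B's port unknown: flooded by both devices
    (4, "B", "A"),            # switch has learned A is on port 2, sends only there
    (2, "A", "B"),            # switch has learned B is on port 4
    (4, "B", "A"),
    (2, "A", BROADCAST_MAC),  # broadcast: flooded by both devices
]

if __name__ == "__main__":
    print("hub: port 3 sees", frames_seen_on(3, Hub([1, 2, 3, 4]), TRACE), "of", len(TRACE))
    print("switch: port 3 sees", frames_seen_on(3, LearningSwitch([1, 2, 3, 4]), TRACE), "of", len(TRACE))
```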
On which OSI layer can a router be found?
A router works at OSI layers 2 and 3, providing additional intelligence to networks by implementing the data link and network layers of the OSI model. The data link layer describes the logical organization of data bits transmitted on a particular medium; for example, this layer defines the framing, addressing, and cyclic redundancy checks of Ethernet packets. The network layer describes how a series of exchanges over various data links delivers data between any two nodes in a network and defines the addressing and routing structure of the Internet.
What is CSMA/CD?
CSMA/CD (Carrier Sense Multiple Access / Collision Detection) is the protocol used in Ethernet Network to ensure that only one network node is transmitting on the network wire at any one time.
What is multicast?
Multicasting may be used for streaming multimedia, video conferencing, shared white boards and more as the internet grows. Multicasting is still new to the internet and not widely supported by routers. New routing protocols are being developed to enable multicast traffic to be routed. Some of these routing protocols are:
Hierarchical Distance Vector Multicast Routing Protocol (HDVMRP)
Multicast Border Gateway
Protocol Independent Multicast
An IP multicast address is in the range 224.0.0.0 through 239.255.255.255.
What is Broadcast?
Broadcast - A transmission to all interface cards on the network.
RFC 919 and 922 describe IP broadcast datagrams as,
Limited Broadcast - Sent to all NICs on the same network segment as the source NIC. It is represented by the 255.255.255.255 TCP/IP address. This broadcast is not forwarded by routers, so it will only appear on one network segment.
Direct broadcast - Sent to all hosts on a network. Routers may be configured to forward directed broadcasts on large networks. For network 192.168.0.0, the broadcast is 192.168.255.255.
Examples of broadcast traffic:
ARP on IP
DHCP on IP
Routing table updates. Broadcasts sent by routers with routing table updates to other routers.
The Ethernet broadcast address in hexadecimal is FF:FF:FF:FF:FF:FF.
There are several types of IP broadcasting:
The IP limited broadcast address is 255.255.255.255. This broadcast is not forwarded by a router.
A broadcast directed to a network has the form x.255.255.255 where x is the address of a Class A network. This broadcast may be forwarded depending on the router configuration.
A broadcast sent to all subnetworks. If the broadcast is 10.1.255.255 on network 10.1.0.0 and the network is subnetted with multiple networks 10.1.x.0, then the broadcast is a broadcast to all subnetworks.
A broadcast sent to a subnet in the form 10.1.1.255 is a subnet broadcast if the subnet mask is 255.255.255.0.
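An added classifier (example code, not from the original page) that sorts an IPv4 destination into the broadcast types listed above; it also recognises the multicast range from the previous question, and the subnet, parent network and addresses used in the demo are constructed.

```python
"""Classify an IPv4 destination using the broadcast types listed above.

Constructed example: the caller supplies the local subnet (address/mask)
and, where one larger network has been carved into subnets, that parent
network. All addresses and networks in the demo are made up.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def classful_network(addr: IPv4Address) -> Optional[IPv4Network]:
    """Class A/B/C network an address falls in by its first octet; None for D/E."""
    first = int(addr) >> 24
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        return None
    return IPv4Network((addr, prefix), strict=False)


def classify(dest: str, subnet: str, parent: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (kind, scope): kind is limited, subnet, all-subnets, directed,
    multicast or unicast; scope is the network a broadcast covers."""
    d = IPv4Address(dest)
    local = IPv4Network(subnet, strict=False)
    if d == LIMITED_BROADCAST:
        return "limited", None                       # never forwarded by routers
    if d == local.broadcast_address:
        return "subnet", str(local)                  # e.g. 10.1.1.255 on 10.1.1.0/24
    if parent is not None:
        big = IPv4Network(parent, strict=False)
        if local.subnet_of(big) and local.prefixlen > big.prefixlen and d == big.broadcast_address:
            return "all-subnets", str(big)           # e.g. 10.1.255.255 on 10.1.0.0/16
    net = classful_network(d)
    if net is not None and d == net.broadcast_address:
        return "directed", str(net)                  # e.g. x.255.255.255 for a Class A
    if d.is_multicast:
        return "multicast", None                     # 224.0.0.0 through 239.255.255.255
    return "unicast", None


def router_may_forward(kind: str) -> bool:
    """Limited broadcasts stop at the router; the directed forms depend on configuration."""
    return kind in {"subnet", "all-subnets", "directed"}


if __name__ == "__main__":
    for dest in ("255.255.255.255", "10.1.1.255", "10.1.255.255", "10.255.255.255", "224.0.0.5", "10.1.1.7"):
        kind, scope = classify(dest, "10.1.1.0/24", "10.1.0.0/16")
        print(f"{dest:16} {kind:12} scope={scope} forwardable={router_may_forward(kind)}")
```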
What is the difference between TCP and UDP?
Describe some of the settings that are added by TCP and by UDP to the packet's header.
What are TCP Ports? Name a few.
What is a TCP Session?
What three elements make up a socket?
What will happen if you leave the default gateway information empty while manually configuring TCP/IP?
What will happen if you execute the following command: "arp –d *"?
What is ICMP?
When would you use the ping command with the "-t" switch?
Windows Active directory Interview Questions – User Submitted Part 10
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> Add snap-in -> Active Directory Schema
Name it schema.msc
Open Administrative Tools -> schema.msc
What is the port no of Kerberos?
88
What is the port no of Global Catalog?
3268
What is the port no of LDAP?
389
Explain Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called “Schema”. The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as “Classes”. The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With Dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server afterwards. After you use the dcpromo /forceremoval command, the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What are forests?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
How to select the appropriate restore method?
You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. From an Active Directory perspective, the two major categories of failure are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for its external namespace uses the name corp.internal for its internal namespace.
The advantage of this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users, because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
Windows Active Directory Interview Questions – User Submitted Part 8
Here is a list of Active Directory interview questions submitted by user Noel.
What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.
Where is the AD database held, and what other files are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files in this folder as well. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10 MB. These files are used to ensure that changes can still be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records the transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in %systemroot%\NTDS, along with the other files we’ve discussed.
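The write-ahead logging and checkpoint recovery just described, as an added example that is not code from the page: a toy store that reuses the file names ntds.dit, edb.log and edb.chk but with an invented on-disk format (one JSON record per log line). A change goes to edb.log first and only reaches the database on flush; on start-up the store replays whatever the checkpoint does not vouch for, and a missing edb.chk or missing shutdown marker forces a replay from the log, which is the behaviour the answer above describes. Sample DNs are constructed.

```python
import json
import os
import tempfile

SHUTDOWN_MARKER = "shutdown"   # the page: a "shutdown" statement is written to edb.chk


class ToyDirectoryStore:
    """Hypothetical store: edb.log = transaction log, ntds.dit = database,
    edb.chk = checkpoint (how many log records are committed, and whether
    the last shutdown was clean).  Not the real ESE format."""

    def __init__(self, root):
        self.db_path = os.path.join(root, "ntds.dit")
        self.log_path = os.path.join(root, "edb.log")
        self.chk_path = os.path.join(root, "edb.chk")
        self.db = {}
        self.committed = 0      # log records already applied to ntds.dit
        self.replayed = 0       # log records replayed at this start-up
        self._recover()

    def _read_log(self):
        if not os.path.exists(self.log_path):
            return []
        with open(self.log_path) as f:
            return [json.loads(line) for line in f if line.strip()]

    def _read_chk(self):
        """Return (committed_count, clean_shutdown); a missing file gives (0, False)."""
        if not os.path.exists(self.chk_path):
            return 0, False
        with open(self.chk_path) as f:
            chk = json.load(f)
        return chk["committed"], chk["state"] == SHUTDOWN_MARKER

    def _write_chk(self, state):
        with open(self.chk_path, "w") as f:
            json.dump({"committed": self.committed, "state": state}, f)

    def write(self, dn, attrs):
        """A change is recorded in edb.log first, then applied to the database."""
        with open(self.log_path, "a") as f:
            f.write(json.dumps({"dn": dn, "attrs": attrs}) + "\n")
        self.db[dn] = attrs        # in memory; ntds.dit on disk lags until flush()

    def flush(self):
        """Write the database to ntds.dit and move the checkpoint forward."""
        with open(self.db_path, "w") as f:
            json.dump(self.db, f)
        self.committed = len(self._read_log())
        self._write_chk("running")

    def shutdown(self):
        """Clean shutdown: all transactions saved, shutdown marker in edb.chk."""
        self.flush()
        self._write_chk(SHUTDOWN_MARKER)

    def _recover(self):
        if os.path.exists(self.db_path):
            with open(self.db_path) as f:
                self.db = json.load(f)
        self.committed, clean = self._read_chk()
        log = self._read_log()
        if clean and self.committed == len(log):
            return                  # clean shutdown: nothing to replay
        # edb.chk missing, or no shutdown marker: re-apply every log record
        # that the checkpoint does not vouch for.
        pending = log[self.committed:]
        for rec in pending:
            self.db[rec["dn"]] = rec["attrs"]
        self.replayed = len(pending)
        self.flush()


ALICE = "CN=alice,OU=Users,DC=corp,DC=internal"   # constructed sample DNs
BOB = "CN=bob,OU=Users,DC=corp,DC=internal"


def _populate(root, clean_shutdown):
    store = ToyDirectoryStore(root)
    store.write(ALICE, {"sAMAccountName": "alice"})
    store.flush()                                  # alice reaches ntds.dit
    store.write(BOB, {"sAMAccountName": "bob"})    # bob is only in edb.log
    if clean_shutdown:
        store.shutdown()
    return store


def simulate_crash_and_recover():
    """No shutdown(): bob must be replayed from edb.log. Returns (replayed, db)."""
    root = tempfile.mkdtemp()
    _populate(root, clean_shutdown=False)
    reopened = ToyDirectoryStore(root)
    return reopened.replayed, reopened.db


def simulate_clean_shutdown():
    """Clean shutdown: the checkpoint vouches for the whole log, nothing is replayed."""
    root = tempfile.mkdtemp()
    _populate(root, clean_shutdown=True)
    return ToyDirectoryStore(root).replayed


def simulate_missing_checkpoint():
    """Clean shutdown but edb.chk deleted: recovery falls back to the full log."""
    root = tempfile.mkdtemp()
    _populate(root, clean_shutdown=True)
    os.remove(os.path.join(root, "edb.chk"))
    return ToyDirectoryStore(root).replayed
```

The three simulate functions cover the three cases the answer distinguishes: a crash after an uncommitted write (one record replayed), a clean shutdown (nothing replayed), and a lost checkpoint file (the whole log replayed, which is harmless because re-applying a record is idempotent here).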
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine).
To update the schema, run the Adprep utility, which you’ll find in the Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here’s a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to “SAVDALDC01”
Logging in as current user using SSPI
Importing directory from file “C:\WINDOWS\system32\sch31.ldf”
Loading entries… 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the “Continue Windows Server 2003 R2 Setup” link, as the figure shows.
2. At the “Welcome to the Windows Server 2003 R2 Setup Wizard” screen, click Next.
3. You’ll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn’t installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means that if you installed Windows 2003 using a volume-license version key, then you can’t use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You’ll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you’ll see a confirmation dialog box. Click Finish.
What is an OU?
An Organizational Unit (OU) is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users; organizational units can also be used to model departmental boundaries.
Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy.
The following OU design recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don’t go more than 3 OU levels deep.
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor (go to Start > Run and type replmon) or the repadmin command-line tool.
Why can’t you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case you need to stop inbound replication first, before performing the authoritative restore.
How do you configure a stand-by operations master for any of the roles?
# Open Active Directory Sites and Services.
# Expand the site name in which the standby operations master is located to display the Servers folder.
# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
# Right-click NTDS Settings, click New, and then click Connection.
# In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
# In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
What’s the difference between transferring a FSMO role and seizing it?
Seizing an FSMO role can be a destructive process and should only be attempted if the existing server holding the FSMO role is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you’ll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware that it is no longer the role holder.
I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)
What is a bridgehead server in AD?
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as a bridgehead server. In case that server is down, the KCC designates another domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you’ll probably want to move them to a specific OU for administration and policy application, since they’ll be in the default “Computers” container immediately following the upgrade.
How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net . ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.
How do you add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren’t going to discuss that here.
Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have Service Pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admins and Enterprise Admins groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server.
Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, we need to run the following command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click “Start”, then “Run”, type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new server.
If not, go to the Control Panel, click on “Add or Remove Programs”, and click the “Add/Remove Windows Components” button. In the Windows Components screen, click on “Networking Services” and click the Details button.
In the new window check “Domain Name System (DNS)” and then click the OK button. Click “Next” in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one.
First, let’s create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click “Start”, point to “Programs”, point to “Administrative Tools”, and then click “Active Directory Sites and Services”.
2. In the console tree, double-click “Sites”, and then double-click “sitename”.
3. Double-click “Servers”, click your domain controller, right-click “NTDS Settings”, and then click “Properties”.
4. On the General tab, click to select the Global Catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them.
Once this is complete, copy over any files you need to your new server, and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.
How do you change the DS Restore admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility’s scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument “set dsrm password” at the ntdsutil prompt: ntdsutil: set dsrm password.
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You’ll be prompted twice to enter the new password. You’ll see the following messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing “quit” at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit
Explain about trusts in AD.
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.
The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust – Two domains allow access to users on both domains.
Trusting domain – The domain that allows access to users from a trusted domain.
Trusted domain – The domain that is trusted; whose users have access to the trusting domain.
Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust – A one-way trust that does not extend beyond two domains.
Explicit trust – A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type – the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the two forests that trust each other; they are not, however, transitive to a third forest.
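The trust definitions above (trusting versus trusted domain, one- versus two-way, transitive versus intransitive, and the forest-trust caveat) as an added example, not code from the page: a small directed-graph model in which `can_access` decides whether users from one domain can authenticate to another. The rules encoded are the ones the answer states: a direct trust always counts, a chain of trusts may only pass through transitive trusts, and a chain may contain at most one forest trust because forest trusts do not extend to a third forest. Domain names and the topology are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str    # domain that allows access (the resource side)
    trusted: str     # domain whose users are allowed in (the account side)
    transitive: bool
    kind: str        # parent_child, tree_root, shortcut, forest, external, realm


def two_way(a, b, transitive, kind):
    """A two-way trust is just a pair of one-way trusts."""
    return [Trust(a, b, transitive, kind), Trust(b, a, transitive, kind)]


def can_access(trusts, user_domain, resource_domain):
    """True if users of user_domain can authenticate to resource_domain.

    Walks trusting -> trusted edges starting at the resource domain (the
    domain that must trust the user's domain, directly or via a chain)."""
    if user_domain == resource_domain:
        return True
    # (domain, hops so far, forest trusts crossed so far)
    stack = [(resource_domain, 0, 0)]
    seen = {(resource_domain, 0)}
    while stack:
        here, hops, forest_hops = stack.pop()
        for t in trusts:
            if t.trusting != here:
                continue
            if hops > 0 and not t.transitive:
                continue      # an intransitive trust never extends beyond two domains
            if t.kind == "forest" and forest_hops >= 1:
                continue      # forest trusts are not transitive to a third forest
            if t.trusted == user_domain:
                return True
            next_forest_hops = forest_hops + (1 if t.kind == "forest" else 0)
            if t.transitive and (t.trusted, next_forest_hops) not in seen:
                seen.add((t.trusted, next_forest_hops))
                stack.append((t.trusted, hops + 1, next_forest_hops))
    return False


# Constructed topology: forest corp.example with child eu.corp.example; a forest
# trust to partner.example, which in turn has a forest trust to other.example;
# and a one-way external trust in which corp.example trusts the NT4 domain LEGACY.
TRUSTS = (two_way("corp.example", "eu.corp.example", True, "parent_child")
          + two_way("corp.example", "partner.example", True, "forest")
          + two_way("partner.example", "other.example", True, "forest")
          + [Trust("corp.example", "LEGACY", False, "external")])
```

With this topology, LEGACY users reach corp.example (direct trust) but not eu.corp.example (the external trust is intransitive), eu.corp.example users reach partner.example (the forest trust is transitive within the two forests), and other.example users do not reach corp.example because that would chain two forest trusts.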
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
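The format difference just described, as an added example that is not code from the page: the same constructed user records written as a CSVDE-style CSV (a header row naming the attributes, one object per row, add only) and as LDIF, where each record carries a changetype so the file can also modify and delete existing objects. It also applies the LDIF rule that values which are not safe ASCII are base64-encoded behind a double colon, which matters for directory data with accented names. The DNs and user names are invented.

```python
import base64
import csv
import io

# Constructed sample input: two users to provision (one with a non-ASCII name).
USERS = [
    {"dn": "CN=Alice Example,OU=Users,DC=corp,DC=internal",
     "sAMAccountName": "alice", "displayName": "Alice Example"},
    {"dn": "CN=Bob Ünsal,OU=Users,DC=corp,DC=internal",
     "sAMAccountName": "bob", "displayName": "Bob Ünsal"},
]
CSV_COLUMNS = ["DN", "objectClass", "sAMAccountName", "displayName"]


def users_to_csvde(users):
    """CSV in the shape csvde -i consumes: first row names the attributes,
    then one row per object.  CSV can only describe objects to add."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(CSV_COLUMNS)
    for u in users:
        w.writerow([u["dn"], "user", u["sAMAccountName"], u["displayName"]])
    return buf.getvalue()


def ldif_attr(name, value):
    """LDIF rule: a value that is not safe ASCII (non-ASCII characters, a
    leading space, ':' or '<', or embedded line breaks) is base64-encoded and
    written with a double colon, e.g. 'displayName:: Qm9i...'."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and "\n" not in value and "\r" not in value)
    if safe:
        return f"{name}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {b64}"


def users_to_ldif_add(users):
    """One 'changetype: add' record per user, records separated by a blank line."""
    records = []
    for u in users:
        lines = [ldif_attr("dn", u["dn"]), "changetype: add",
                 "objectClass: user",
                 ldif_attr("sAMAccountName", u["sAMAccountName"]),
                 ldif_attr("displayName", u["displayName"])]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def ldif_modify(dn, attr, value):
    """Replace one attribute on an existing object; CSVDE has no equivalent."""
    return "\n".join([ldif_attr("dn", dn), "changetype: modify",
                      f"replace: {attr}", ldif_attr(attr, value), "-"]) + "\n"


def ldif_delete(dn):
    """Delete an existing object; again something only LDIFDE can express."""
    return "\n".join([ldif_attr("dn", dn), "changetype: delete"]) + "\n"


def count_changetypes(ldif_text):
    """Summarise which operations an LDIF file performs, e.g. {'add': 2, 'delete': 1}."""
    counts = {}
    for line in ldif_text.splitlines():
        if line.startswith("changetype: "):
            ct = line.split(": ", 1)[1]
            counts[ct] = counts.get(ct, 0) + 1
    return counts
```

Counting changetypes before importing a file is a cheap sanity check: an LDIF that was supposed to provision accounts but contains delete records is worth a second look before it is fed to ldifde -i.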
What is tombstone lifetime attribute ?
The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC.
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.
How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller, where domain_controller is the DC you want to query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories.
For Novell you can use eDirectory.
What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec policy can be deployed via Group Policy to Windows domain controllers and servers.
What are the different types of Terminal Services?
User Mode & Application Mode.
What is RSoP?
RSoP (Resultant Set of Policy) is the resultant set of Group Policy settings applied to an object.
What is the system startup process?
Windows 2K boot process on an Intel architecture.
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
What are the group types available in Active Directory?
Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
Explain the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited: you can add user accounts, universal groups and global groups from any domain as members. Note that nesting cannot be done with domain local groups: a domain local group will not be a member of another Domain Local group or any other group in the same domain.
Global Group: Users with a similar function can be grouped under the global scope and given permission to access a resource (like a printer or shared folder and files) available in the local domain or in another domain in the same forest. In simple words, global groups can be used to grant permissions to gain access to resources located in any domain within a single forest, but their memberships are limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible for global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are mainly used for e-mail distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
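As an added example (not from the original page), the PowerShell function below wraps the repadmin /showreps call shown earlier for checking the GC flag and turns it into the routine check a defender actually runs across domain controllers: for each DC it reports whether the output contains DSA Options: IS_GC and how many inbound replication links reported a failed last attempt. It assumes repadmin.exe is available (Support Tools on Windows Server 2003, built in from 2008) and that the DC names 'DC1' and 'DC2' are placeholders.

```powershell
# Added example (not from the original page): summarise "repadmin /showreps"
# output per DC. Assumptions: repadmin.exe on PATH; DC names are placeholders.

function Get-ReplicationSummary {
    param([string[]]$DomainController)
    foreach ($dc in $DomainController) {
        # Capture stdout and stderr as plain strings so the regexes below work.
        $lines = @(& repadmin /showreps $dc 2>&1 | ForEach-Object { "$_" })

        # The page's own check: a GC prints "DSA Options: IS_GC".
        $isGc = [bool]($lines -match 'DSA Options:.*IS_GC')

        # Each inbound link ends with "Last attempt @ <time> was successful."
        # or "Last attempt @ <time> failed, result <code> (<hex>):".
        $failed = @($lines -match 'Last attempt @ .* failed, result')

        [pscustomobject]@{
            DomainController   = $dc
            Reachable          = -not ($lines -match 'DsBindWithCred.*failed')
            IsGlobalCatalog    = $isGc
            FailedInboundLinks = $failed.Count
            Detail             = ($failed -join '; ')
        }
    }
}

Get-ReplicationSummary -DomainController 'DC1', 'DC2' | Format-Table -AutoSize
```

A DC that is not reachable shows up as Reachable = False rather than silently reporting zero failures, which is the case that matters most when this runs on a schedule.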
How do you take a backup of AD?
To back up Active Directory, go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run dialog and type ntbackup. When the Backup window appears, select System State. A System State backup captures all of the necessary information about the system, including Active Directory, DNS, etc.
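The script below is an added example, not from the original page, tying the backup procedure above to the tombstone lifetime question answered earlier: it takes a System State backup from the ntbackup command line and then reads tombstoneLifetime from the Directory Service object in the configuration NC to confirm that the newest backup is still younger than that value, because a System State backup older than the tombstone lifetime cannot be used to restore a domain controller. The backup directory is a placeholder; ntbackup is assumed present (Windows 2000/2003; Windows Server 2008 replaced it with wbadmin), and the caller is assumed to have read access to the configuration NC.

```powershell
# Added example (not from the original page): System State backup plus a
# tombstone-lifetime freshness check. Assumptions: D:\Backups\SystemState is a
# placeholder path; ntbackup.exe exists on this OS version.

$backupDir = 'D:\Backups\SystemState'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$file = Join-Path $backupDir ('SystemState-{0:yyyyMMdd-HHmm}.bkf' -f (Get-Date))

# "backup systemstate" selects the System State components; /J names the job,
# /F writes to a file instead of a tape device.
ntbackup backup systemstate /J "AD System State" /F $file

# tombstoneLifetime lives on CN=Directory Service in the configuration NC.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$lifetime = $dsObj.tombstoneLifetime
# When the attribute is absent the forest uses the default: 60 days for forests
# created on Windows 2000 / 2003 RTM, 180 days for forests created on 2003 SP1+.
if (-not $lifetime) { $lifetime = 60 }

$newest = Get-ChildItem $backupDir -Filter *.bkf |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ageDays = ((Get-Date) - $newest.LastWriteTime).Days
if ($ageDays -ge $lifetime) {
    Write-Warning "Newest backup is $ageDays days old; tombstone lifetime is $lifetime days, so it cannot be used to restore a DC."
} else {
    "Newest backup $($newest.Name) is $ageDays days old (limit $lifetime days)."
}
```

Keeping the freshness check next to the backup job means the age of the last usable backup is checked every time, not only when a restore is already needed.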
What are the DS* commands?
The DS family of built-in command-line utilities:
DSmod – modify Active Directory attributes.
DSrm – to delete Active Directory objects.
DSmove – to relocate objects
DSadd – create new accounts
DSquery – to find objects that match your query attributes.
DSget – list the properties of an object
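The DS* tools are designed to be chained: dsquery emits distinguished names, and dsget and dsmod consume them. The following added example (not from the original page) uses that pipeline for a routine hygiene task, finding user accounts with no logon for a number of weeks, reviewing them with dsget, and only then disabling them with dsmod while recording the reason in the description attribute. It assumes a domain-joined machine with rights to modify users, a Windows Server 2003 domain functional level (dsquery -inactive relies on lastLogonTimestamp), and a placeholder OU DN.

```powershell
# Added example (not from the original page): dsquery -> dsget -> dsmod pipeline.
# Assumptions: OU=Staff,DC=example,DC=com is a placeholder; 2003 domain level.

function Find-StaleUsers {
    param(
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
        [int]$Weeks = 8                      # -inactive is measured in weeks
    )
    # dsquery prints one quoted DN per line; -limit 0 removes the 100-object cap.
    $dns = & dsquery user $SearchBase -inactive $Weeks -limit 0
    $dns | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }
}

$stale = Find-StaleUsers
if (-not $stale) { 'No stale accounts found'; return }

# Review step: show the logon name and current disabled state before acting.
foreach ($dn in $stale) {
    & dsget user $dn -samid -disabled
}

# Act: disable and stamp the description; -c continues past individual errors.
$stamp = 'Disabled as inactive on {0:yyyy-MM-dd}' -f (Get-Date)
foreach ($dn in $stale) {
    & dsmod user $dn -disabled yes -desc $stamp -c
}

# The same chain as a single cmd.exe pipeline, in the page's own register:
#   dsquery user OU=Staff,DC=example,DC=com -inactive 8 | dsmod user -disabled yes
```

Disabling rather than deleting keeps the SID and group memberships intact for the review period, and the description stamp makes it obvious later why an account was turned off.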
What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org', can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users that should belong.
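The script below is an added example (not from the original page) of the approach the answer describes: it runs net localgroup administrators, appends the members with the computer name and a timestamp to a central CSV on a share, and then, on the reviewer's side, lists every member that is not on an expected list. It assumes English-language net output, PowerShell 3.0 or later (for Export-Csv -Append), and placeholder values for the share path, the domain name EXAMPLE and the expected member list.

```powershell
# Added example (not from the original page): collect local Administrators
# membership centrally and flag unexpected members. Assumptions: English "net"
# output; \\fileserver\adminaudit$ and the EXAMPLE domain are placeholders.

function Get-LocalAdministrators {
    $inList = $false
    foreach ($line in (& net localgroup administrators)) {
        # Members are printed between a row of dashes and the final status line.
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())             { $line.Trim() }
    }
}

# Collector side (runs on each workstation, e.g. from a startup script).
$central = '\\fileserver\adminaudit$\localadmins.csv'
$now     = Get-Date -Format 'yyyy-MM-dd HH:mm'
$rows    = foreach ($m in Get-LocalAdministrators) {
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $m; Collected = $now }
}
$rows | Export-Csv -Path $central -Append -NoTypeInformation

# Reviewer side: anything outside the expected list is a finding.
$expected = @('Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')
Import-Csv $central |
    Where-Object { $expected -notcontains $_.Member } |
    Sort-Object Computer, Member -Unique |
    Format-Table Computer, Member, Collected -AutoSize
```

The collector only needs append rights on the share, and the review runs wherever the CSV can be read, which keeps the inventory separate from the workstations being inventoried.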
Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’ wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.
What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several ‘virtual’ servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell – Microsoft’s command line shell and scripting language has proved popular with some server administrators.
9. IIS 7 .
10. BitLocker – System drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main differences between 2003 and 2008 are virtualization and management. 2008 has more built-in components and updated third-party drivers.
What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. The storage location of the database and log file.
4. The location of the shared system volume folder.
5. The DNS configuration method.
6. The DNS configuration.
What is LDP?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password History Remembered"?
User’s last 6 passwords.
Can the GC server and the Infrastructure Master be placed on a single server? If not, explain why.
No, as the Infrastructure Master does the same job as the GC; they do not work together.
Which Windows service is responsible for replication from one domain controller to another?
The KCC generates the replication topology.
SMTP / RPC is used to replicate changes.
What are intrasite and intersite replication?
Intrasite is replication within the same site, and intersite is replication between sites.
What is the Lost & Found folder in ADS?
It's the folder where you can find the objects orphaned due to a conflict.
Ex: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the OU, so it put the user in the Lost & Found folder.
What is garbage collection?
Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours.
What does System State data contain?
Startup files
Registry
COM+ Class Registration database
Memory Page file
System files
AD information
Cluster Service information
SYSVOL Folder
What is Active Directory?
Active Directory is metadata: a database that stores information such as user information, computer information and other network object information. It has the capability to manage and administer the complete network connected to AD.
What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.
What is a domain controller?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
What is the KCC?
The KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.
Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
What is the SYSVOL folder?
The sysVOL folder stores the server’s copy of the domain’s public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain.
What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
What is LSDOU?
It's the Group Policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units, in that order.
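To make the LSDOU order concrete, and to show what the RSoP answered earlier actually is, here is an added example (not from the original page): a small PowerShell resolver that takes policy layers in Local, Site, Domain, OU order and computes the resultant value of each setting, with the later layer winning and unconfigured settings left alone. The GPO names and settings are constructed; the model deliberately omits Block Inheritance and Enforced, which the page does not discuss. On a real machine the same answer comes from gpresult.

```powershell
# Added example (not from the original page): LSDOU precedence resolver.
# Assumptions: layer names and settings are constructed sample data.

function Resolve-RSoP {
    param([hashtable[]]$Layers)      # ordered Local, Site, Domain, OU, child OU...
    $result = @{}
    $source = @{}
    foreach ($layer in $Layers) {
        # A layer that does not configure a setting leaves the earlier value in place;
        # a layer that does configure it overrides whatever came before.
        foreach ($name in $layer.Settings.Keys) {
            $result[$name] = $layer.Settings[$name]
            $source[$name] = $layer.Name
        }
    }
    foreach ($name in ($result.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $name; Value = $result[$name]; WinningGPO = $source[$name] }
    }
}

$layers = @(
    @{ Name = 'Local';      Settings = @{ MinimumPasswordLength = 6;  AuditLogonEvents = 'Success' } },
    @{ Name = 'Site HQ';    Settings = @{ ScreenSaverTimeout = 900 } },
    @{ Name = 'Domain';     Settings = @{ MinimumPasswordLength = 12; AuditLogonEvents = 'Success, Failure' } },
    @{ Name = 'OU Finance'; Settings = @{ ScreenSaverTimeout = 300 } }
)
Resolve-RSoP -Layers $layers | Format-Table -AutoSize
# Resultant set: AuditLogonEvents = 'Success, Failure' (Domain),
# MinimumPasswordLength = 12 (Domain), ScreenSaverTimeout = 300 (OU Finance)
```

Reading the WinningGPO column is the same exercise an administrator does with gpresult when a workstation does not show the setting they expected: the question is never "is the setting defined" but "which layer defined it last".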
What is Active Directory?
An active directory is a directory structure/service used on Microsoft Windows based computers and servers to store information and data about networks and domains. A directory is similar to a dictionary; it enables the look up of a name and information associated with that name.
There is support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability.
Distribution: Distribution groups are intended to be used solely as email distribution lists.
Security: Security groups allow you to manage user and computer access to shared resources.
In order to synchronize the time on your Windows computer with main Active Directory domain controllers, use the following command at a command prompt: net time \\ads.iu.edu /set /y
§ What is LDAP?
LDAP is an Internet-standard protocol used by applications to access information in a directory. It runs directly over TCP, and can be used to access a standalone LDAP directory service or a directory service that is back-ended by X.500.
The LDAP directory service model is based on entries. An entry is a collection of attributes that describe it. Each attribute has a name, a type and one or more values.
LDAP-based implementations are:
eDirectory, Red Hat Directory Server, Apple Open Directory, Apache Directory Server, Oracle Internet Directory, CA Directory, Sun Java System Directory Server, IBM Tivoli Directory Server, Windows NT Directory Services (NTDS)
§ Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can connect other vendors' Directory Services with Microsoft's version.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services (including directories used by SAP, Domino, etc.).
§ Where is the Active Directory database held? What other folders are related to AD?
The AD database is saved in %systemroot%/ntds. You can see other files in this folder as well.
These are the main files controlling the AD structure:
• ntds.dit
• edb.log
• res1.log
• res2.log
• edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
§ What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication Service (FRS) can distribute them to other domain controllers within that domain.
You can open the SYSVOL folder by typing %systemroot%/sysvol.
Name the AD NCs (naming contexts) and the replication issues for each NC.
Schema NC, Configuration NC, Domain NC.
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
§ What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest.
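An added example (not from these notes) that lists every naming context a DC holds, classifies each by the replication scope described in the two sections above, and then shows which DCs hold a replica of each application partition. It also illustrates the LDAP entry model from the earlier section: RootDSE and the crossRef objects are ordinary entries whose attributes are read by name. It assumes the ActiveDirectory module and read access to the configuration partition:

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory
# module (RSAT) and a session that can read the configuration partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE     # the RootDSE entry: named attributes, some multi-valued
$forest  = Get-ADForest

$schemaNc  = $rootDse.schemaNamingContext
$configNc  = $rootDse.configurationNamingContext
$domainNcs = $forest.Domains | ForEach-Object { (Get-ADDomain -Identity $_).DistinguishedName }
$appNcs    = @($forest.ApplicationPartitions)

# Classify each NC the DC holds by where it replicates.
function Get-NcScope([string]$Nc) {
    switch ($Nc) {
        { $_ -eq $schemaNc }        { return 'Schema NC: every DC in the forest' }
        { $_ -eq $configNc }        { return 'Configuration NC: every DC in the forest' }
        { $domainNcs -contains $_ } { return 'Domain NC: every DC in that domain' }
        { $appNcs -contains $_ }    { return 'Application NC: only the DCs on its crossRef' }
        default                     { return 'Unclassified' }
    }
}
foreach ($nc in $rootDse.namingContexts) {
    "{0,-55} {1}" -f $nc, (Get-NcScope $nc)
}

# For application partitions, the crossRef object under CN=Partitions lists the
# NTDS Settings objects of the DCs holding a replica (msDS-NC-Replica-Locations).
foreach ($nc in $appNcs) {
    $crossRef = Get-ADObject -SearchBase $forest.PartitionsContainer `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$nc))" `
        -Properties 'msDS-NC-Replica-Locations'
    "Replicas of ${nc}:"
    foreach ($ntds in $crossRef.'msDS-NC-Replica-Locations') {
        # DN looks like CN=NTDS Settings,CN=DC01,CN=Servers,...; keep the DC name
        '    ' + (($ntds -split ',')[1] -replace '^CN=')
    }
}
```

On a default forest the application partitions you will see are the DNS ones (DomainDnsZones and ForestDnsZones), which is the DNS case the notes mention in Q16 below.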
1. How do you check that AD is configured properly?
Ans: Check for the NTDS and SYSVOL shared folders at %systemroot%windows\.
2. How do you transfer the global catalog to another server?
Ans: We cannot transfer the global catalog; we can only remove the global catalog from one server and enable another server as a global catalog.
3. How do you configure a global catalog server?
Ans: Go to Active Directory Sites and Services, expand down to the desired server's NTDS Settings, right-click, choose Properties and check the Global Catalog check box.
4. What are the FSMO roles, and what is the impact if one of them goes down?
Ans: Flexible Single Master Operation. There are five roles:
Domain Naming Master (Forest wide role)
Schema Master (Forest wide role)
PDC Emulator (Domain wide role)
RID Master (Domain wide role)
Infrastructure Master (Domain wide role)
5. What is the RID pool?
Ans: The RID Master provides the RID (Relative Identifier) pool to the domain controllers of the domain. When an object is created in a domain, a unique SID (Security ID) is assigned to it, consisting of a RID (unique ID) and a domain SID (common ID for all objects). A RID pool contains 500 RIDs.
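An added example (not from these notes) that splits a SID into its domain part and RID, then reads the RID pools the answer above describes: the domain-wide pool on the RID Master's RID Manager$ object and the per-DC blocks on each RID Set object. It assumes the ActiveDirectory module and read access to the domain partition; the 64-bit pool layout (low half = first RID, high half = last RID) is the documented one for the rID* attributes:

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module
# and read access to the domain partition. Pool decoding follows the documented
# 64-bit layout of the rID* attributes.
Import-Module ActiveDirectory

# A SID is <domain SID>-<RID>; .NET splits the two halves for us.
$admin = Get-ADUser -Identity 'Administrator'
"Domain SID : {0}" -f $admin.SID.AccountDomainSid
"RID        : {0}" -f ($admin.SID.Value -split '-')[-1]    # built-in Administrator is RID 500

# rIDAllocationPool / rIDPreviousAllocationPool / rIDAvailablePool are 64-bit:
# low 32 bits = first RID of the block, high 32 bits = last RID of the block.
function ConvertFrom-RidPool([long]$Pool) {
    [pscustomobject]@{ Start = $Pool -band [uint32]::MaxValue; End = $Pool -shr 32 }
}

$domainDn = (Get-ADDomain).DistinguishedName

# Domain-wide view, on the RID Master's RID Manager$ object: next block to hand out.
$mgr   = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDn" -Properties rIDAvailablePool
$avail = ConvertFrom-RidPool $mgr.rIDAvailablePool
"Next RID block the RID Master will issue starts at {0}; ceiling {1}" -f $avail.Start, $avail.End

# Per-DC view: each DC's RID Set holds the block in use and a standby block.
foreach ($dc in Get-ADDomainController -Filter *) {
    $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $inUse   = ConvertFrom-RidPool $set.rIDPreviousAllocationPool
    $standby = ConvertFrom-RidPool $set.rIDAllocationPool
    "{0}: in use {1}-{2} (rIDNextRID {3}), standby {4}-{5}, block size {6}" -f $dc.HostName,
        $inUse.Start, $inUse.End, $set.rIDNextRID, $standby.Start, $standby.End,
        ($inUse.End - $inUse.Start + 1)
}
```

The block size printed for each DC is the 500 RIDs the answer mentions unless an administrator has changed the RID block size. A DC whose standby block is exhausted and cannot reach the RID Master stops creating security principals, so the RID Master line above is the one to watch after a role transfer or seizure.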
6. How do you check which server each FSMO role is running on?
Ans: i) By using the "dcdiag /test:KnowsOfRoleHolders /v" command.
ii) Type "netdom query fsmo".
7. How do you transfer a FSMO role from one domain controller to another, at the command prompt and in the GUI?
Ans: Go to Start → Run → dsa.msc → open the properties of Active Directory Users and Computers and transfer the RID, PDC and Infrastructure roles.
Go to Start → Run → open the properties of Active Directory Domains and Trusts and transfer the Domain Naming Master role.
To transfer the Schema Master role, first register the schema snap-in with the "regsvr32 schmgmt.dll" command in Run. Then go to Start → Run → MMC → add the Active Directory Schema snap-in and transfer the Schema Master role.
8. What are the AD database file and log files, where are they stored, and what is the log file used for?
Ans: The AD database is NTDS.DIT and its location is %system root%\windows\NTDS\ntds.dit. The AD log files are EDB.log, EDB.chk and REG.log, and the location of these files is %system root%\windows\NTDS\ntds.dit.
9. How do you recover a corrupted AD database file?
10. Is it possible to rename a domain in Windows 2003?
Ans: Yes, we can rename the domain in Windows 2003.
11. What are the two types of replication?
Ans: Inter-site replication and intra-site replication.
12. What protocols are used in replication?
13. What is the default replication interval?
Ans: The KCC (Knowledge Consistency Checker) is the algorithm, and the two protocols used are RPC over IP and SMTP over IP. They replicate every 15 minutes.
14. What is the difference between the two types of replication, i.e. intra-site and inter-site?
Inter-site replication is replication within the site, and intra-site replication is replication between the sites.
15. What are the replication partitions? Describe each partition.
Ans: FSMO role and the partition that holds it:
Schema Master: CN=Schema,CN=Configuration,DC=
Domain Naming Master: CN=Configuration,DC=
PDC Emulator: DC=
RID Master: DC=
Infrastructure Master: DC=
The replication partitions are:
Schema partition
Configuration partition
Domain partition
Application partition
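An added example (not from these notes) covering Q11 to Q15 together: it reads the site links that drive inter-site replication (transport, cost, interval in minutes) and then the inbound replication status of one DC, one row per partner and partition, so the schema, configuration, domain and application partitions appear as separate rows. It assumes the ActiveDirectory module from Windows Server 2012 or later (the replication cmdlets) and rights to read replication metadata:

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module
# from Server 2012 or later (the replication cmdlets) and rights to read
# replication metadata on the DC.
Import-Module ActiveDirectory

# Inter-site topology: each site link records the transport (IP = RPC over IP,
# or SMTP), its cost and the replication interval in minutes.
Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# Inbound replication status of one DC, one row per partner and partition
# (schema, configuration, domain and application partitions appear separately).
function Get-InboundReplicationStatus([string]$DcName) {
    Get-ADReplicationPartnerMetadata -Target $DcName -PartnerType Inbound |
        Select-Object @{ n = 'Partition'; e = { ($_.Partition -split ',')[0] } },
                      @{ n = 'Partner';   e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

$dc = [string](Get-ADDomainController -Discover).HostName
Get-InboundReplicationStatus $dc | Format-Table -AutoSize

# Any partner with consecutive failures is worth an alert: a DC that stops
# receiving the domain partition keeps serving stale accounts and group memberships.
$failing = Get-InboundReplicationStatus $dc | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 }
if ($failing) { "Replication failures on ${dc}:"; $failing | Format-Table -AutoSize } else { "All inbound partners of $dc healthy" }
```

The same inbound view is what repadmin /showrepl prints; the cmdlet form is easier to feed into a scheduled check.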
16. Is the application partition available in Windows 2003?
Ans: Yes, Windows 2003 supports application partitions; an application partition mainly contains application data, for example DNS.
17. What is DNS?
Ans: Domain Name System.
It is used to resolve host names (FQDNs) to IP addresses and vice versa.
18. What are the types of DNS zones?
(i) Primary DNS zone
(ii) Secondary DNS zone
(iii) Active Directory-integrated zone
(iv) Stub zone
19. What is the start-of-authority record and what is its use?
20. What records are available in DNS?
Ans: Address records, host records, MX records and CNAME records.
21. Explain SRV, MX and CNAME records.
22. Where are the DNS files and the DNS database stored?
Ans: %SYSTEMROOT%\Windows\System32\DNS
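An added example (not from these notes) for Q17 to Q22: it lists the zones by type and storage, reads the SOA record, and then pulls the SRV records AD clients rely on alongside MX and CNAME records for comparison. It assumes the DnsServer module (RSAT, Windows Server 2012 or later) and a DNS server that hosts the AD zone; the server and zone names are hypothetical:

```powershell
# Added example, not from the original notes. Assumes the DnsServer module
# (RSAT, Server 2012 or later) and a DNS server hosting the AD zone; the server
# and zone names below are hypothetical.
Import-Module DnsServer
$server = 'dc01.corp.example'
$zone   = 'corp.example'

# Zone inventory: ZoneType gives Primary/Secondary/Stub, IsDsIntegrated marks
# AD-integrated zones (stored in the directory rather than in System32\dns files).
Get-DnsServerZone -ComputerName $server |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate |
    Format-Table -AutoSize

# SOA (start of authority): the zone's primary server, responsible mailbox and
# serial number; secondaries compare the serial to decide whether to transfer.
$soa = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType Soa
$soa.RecordData | Select-Object PrimaryServer, ResponsiblePerson, SerialNumber, RefreshInterval

# SRV records: how clients find DCs (_ldap._tcp, _kerberos._tcp, _gc._tcp, ...).
# A missing or stale one is a common cause of "cannot locate a domain controller".
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType Srv |
    Where-Object { $_.HostName -like '_*._tcp*' } |
    Select-Object HostName,
                  @{ n = 'Target'; e = { $_.RecordData.DomainName } },
                  @{ n = 'Port';   e = { $_.RecordData.Port } },
                  @{ n = 'Prio';   e = { $_.RecordData.Priority } } |
    Format-Table -AutoSize

# MX (mail exchanger, with preference) and CNAME (alias) for comparison.
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType Mx |
    Select-Object HostName, @{ n = 'MailExchange'; e = { $_.RecordData.MailExchange } }, @{ n = 'Preference'; e = { $_.RecordData.Preference } }
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType CName |
    Select-Object HostName, @{ n = 'Alias'; e = { $_.RecordData.HostNameAlias } }
```

The DynamicUpdate column is the one to check on an AD-integrated zone: only secure updates should be allowed, otherwise any host on the network can overwrite the records that clients use to find a DC.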
23. How do you configure a DHCP server, and what are the steps?
24. How do you reserve an IP address?
Ans: We can assign a particular IP address to the MAC address of a machine using an IP reservation in DHCP.
25. Why do we need two subnets?
To segment or restrict one type of traffic to one segment.
26. How do you configure two different subnets on a single DHCP server?
Two different scopes are created, one for each subnet.
27. What is the use of a relay agent?
A router drops DHCP packets because they are broadcasts. The relay agent forwards them to the destination subnet.
28. What is Group Policy?
Ans: It is a way to provide a desired, predefined environment to all users, and it is centrally manageable.
29. My requirement is to disable the USB ports; how will you do it?
Through Group Policy.
30. How do you back up Group Policy?
Ans: We can use the GPMC (Group Policy Management Console): right-click the GPO, select Back Up and save the backup to a destination folder.
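An added example (not from these notes) that shows the LSDOU inheritance order from the earlier section for one OU and then performs the GPO backup of Q30 from the command line instead of the GPMC GUI. It assumes the GroupPolicy module (RSAT / GPMC) and permission to read and back up GPOs; the OU and the backup share are hypothetical:

```powershell
# Added example, not from the original notes. Assumes the GroupPolicy module
# (RSAT / GPMC) and permission to read and back up GPOs; the OU and share are hypothetical.
Import-Module GroupPolicy
$ou = 'OU=Workstations,DC=corp,DC=example'

# LSDOU: what a computer in this OU receives from Site, Domain and each OU on the
# path (Local policy is processed before all of these and is not listed here).
# Order is the precedence GPMC displays, so Enforced and blocked links stand out.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked at {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enabled, Enforced |
    Format-Table -AutoSize

# Back up every GPO into a dated folder. Backup-GPO writes one GUID-named folder
# per GPO with a manifest that Restore-GPO / Import-GPO can read later; the XML
# report beside it lets a change be diffed without a restore.
function Backup-AllGpos([string]$Root) {
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $backups = Backup-GPO -All -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)"
    foreach ($b in $backups) {
        $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -ReportType Xml -Path (Join-Path $dest "$safeName.xml")
    }
    return $backups | Select-Object DisplayName, GpoId, Id, CreationTime
}
Backup-AllGpos -Root '\\fileserver\gpo-backups'
```

Keep the backup share writable only by the backup account: a GPO backup restored by someone else is a way to push settings to every machine the GPO links to.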
31. You are the administrator; my requirement is to configure Active Directory for four different locations. How will you plan it?
Ans: Depending on the requirement, I'll configure one parent domain and three child domains, or one domain with four sites, or four different domains (least preferred).
32. What are the two types of terminal server?
User mode and application mode.
33. What are the default security groups? Explain them.
Ans:
34. You are maintaining remote servers; you can open a remote session to them but you cannot ping them. How do you troubleshoot?
35. What is the use of the Kerberos protocol?
Ans: Kerberos is an authentication protocol.
36. Which version of the Kerberos protocol is used?
Ans: We are using Kerberos v5.
37. What is the authentication protocol in Windows NT?
Ans: Windows NT supported two kinds of challenge/response authentication:
LanManager (LM) challenge/response
Windows NT challenge/response (also known as NTLM challenge/response)
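An added example (not from these notes) for Q35 to Q37: it reads the LSA settings that decide whether the LM and NTLM challenge/response methods listed above are still accepted, and checks that the current logon session holds a Kerberos v5 ticket-granting ticket. Run it on the machine being checked; the registry path and value names are the standard LSA ones:

```powershell
# Added example, not from the original notes. Run on the machine being checked
# (elevated to read LSA settings); paths and value names are the standard LSA ones.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# LmCompatibilityLevel: 0-1 still send LM responses, 2 sends NTLM only,
# 3 sends NTLMv2 only; on a DC, 4 refuses LM and 5 refuses LM and NTLM.
$level = if ($null -ne $props.LmCompatibilityLevel) { $props.LmCompatibilityLevel } else { 'not set (OS default applies)' }
"LmCompatibilityLevel : $level"
# NoLMHash = 1 stops the LM hash being stored at the next password change.
$noLm = if ($null -ne $props.NoLMHash) { $props.NoLMHash } else { 'not set' }
"NoLMHash             : $noLm"

# Domain logons should be Kerberos v5. klist lists the tickets of this logon
# session; a TGT (krbtgt/REALM) means Kerberos worked, none suggests NTLM fallback.
function Get-KerberosTgt {
    $lines = klist 2>&1 | ForEach-Object { $_.ToString() }
    return ($lines | Where-Object { $_ -match 'krbtgt/' } | Select-Object -First 1)
}
$tgt = Get-KerberosTgt
if ($tgt) { "Kerberos TGT present: $($tgt.Trim())" } else { 'No Kerberos TGT in this logon session' }
```

Both registry values are normally set domain-wide through Group Policy (the "Network security: LAN Manager authentication level" and "Do not store LAN Manager hash value" settings), so a machine that differs from the rest is usually one where a local override or a missing GPO link needs attention.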
38. What are the RAID levels?
Ans: The main RAID levels are RAID-0, RAID-1, RAID-5 and RAID-10.
39. Which RAID would you recommend and why?
Ans: RAID-1 for the OS (mirroring).
RAID-5 for the data partition (stripe set with parity).
40. What are the differences between RAID-1 and RAID-5?
RAID-1: In RAID-1 there are two hard disks and the data on one is mirrored to the other, so even if one fails the other one has the same data, for service continuity.
RAID-5: We can use a minimum of three hard disks (the maximum depends on the RAID controller card); data is written to the disks in stripes with a distributed parity set.
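An added example (not from these notes) that models the two layouts from Q40 on byte arrays: a mirrored block for RAID-1 and a stripe of two data blocks plus an XOR parity block for RAID-5, with the lost block rebuilt from the survivors. All data is constructed:

```powershell
# Added example, not from the original notes: a byte-array model of RAID-1 and
# RAID-5 showing why each layout survives one failed disk. Data is constructed.
function Get-XorBlock([object[]]$Blocks) {
    $out = New-Object byte[] ($Blocks[0].Length)
    foreach ($b in $Blocks) {
        for ($i = 0; $i -lt $out.Length; $i++) { $out[$i] = $out[$i] -bxor $b[$i] }
    }
    return ,$out
}

$d0 = [byte[]](1..8)          # first data block of a stripe
$d1 = [byte[]](101..108)      # second data block of the same stripe

# RAID-1: identical block on both disks; losing either leaves an exact copy.
$mirror = @{ disk0 = $d0; disk1 = $d0.Clone() }
'RAID-1 survivor matches: ' + (($mirror.disk1 -join ',') -eq ($d0 -join ','))

# RAID-5 on three disks: two data blocks plus parity = d0 XOR d1 per stripe
# (real arrays rotate the parity position from stripe to stripe).
$raid5 = @{ disk0 = $d0; disk1 = $d1; disk2 = (Get-XorBlock @($d0, $d1)) }

# Lose disk1 and rebuild it from the survivors: d1 = d0 XOR parity.
$rebuilt = Get-XorBlock @($raid5.disk0, $raid5.disk2)
'RAID-5 rebuild of disk1 correct: ' + (($rebuilt -join ',') -eq ($d1 -join ','))

# Capacity cost: RAID-1 keeps half the raw space, RAID-5 keeps (n-1)/n.
function Get-UsableFraction([string]$Level, [int]$Disks) {
    switch ($Level) {
        'RAID-1' { return 0.5 }
        'RAID-5' { return ($Disks - 1) / $Disks }
    }
}
'RAID-5 with 3 disks leaves {0:P0} usable' -f (Get-UsableFraction 'RAID-5' 3)
```

The rebuild step is also why a RAID-5 array runs degraded with a second failure being fatal: with disk1 gone there is no longer any redundancy until the rebuild completes.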
41. What is the difference between disk mirroring and disk duplexing?
42. What is a dynamic disk?
43. What is disk striping?
44. What are the backup types?
Ans: (i) Normal or full backup
(ii) Differential backup
(iii) Incremental backup
(iv) Copy backup
(v) Daily backup
45. Which backup types reset the archive bit?
Ans: The archive bit is the flag set on a folder (or file); it is reset on folders that have been backed up by a normal backup.
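An added example (not from these notes) that makes the archive-bit behaviour of Q44 and Q45 concrete: it builds a small constructed file tree under %TEMP%, then models what each backup type selects and which types clear the bit afterwards:

```powershell
# Added example, not from the original notes: how the archive attribute drives
# normal, incremental, differential, copy and daily backups. Builds a small
# constructed file tree under %TEMP% and models each backup type's selection.
$root = Join-Path $env:TEMP 'archive-bit-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($n in 'a.txt', 'b.txt', 'c.txt') { Set-Content -Path (Join-Path $root $n) -Value "data for $n" }

function Test-ArchiveBit([System.IO.FileInfo]$File) {
    return (($File.Attributes -band [System.IO.FileAttributes]::Archive) -ne 0)
}
function Clear-ArchiveBit([System.IO.FileInfo]$File) {
    $File.Attributes = [System.IO.FileAttributes](([int]$File.Attributes) -band (-bnot [int][System.IO.FileAttributes]::Archive))
}

# Return the names a backup of the given type would copy, then reset the bits
# exactly as that backup type does.
function Invoke-Backup([string]$Type, [string]$Path) {
    $files = Get-ChildItem -Path $Path -File
    $selected = switch ($Type) {
        'Normal'       { $files }                                                                # everything
        'Copy'         { $files }                                                                # everything, bits untouched
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }   # today's changes, bits untouched
        'Incremental'  { $files | Where-Object { Test-ArchiveBit $_ } }                          # changed since last Normal or Incremental
        'Differential' { $files | Where-Object { Test-ArchiveBit $_ } }                          # changed since last Normal, bits untouched
    }
    if ($Type -in 'Normal', 'Incremental') { foreach ($f in $selected) { Clear-ArchiveBit $f } }
    return @($selected | ForEach-Object { $_.Name })
}

'Normal       : ' + ((Invoke-Backup 'Normal' $root) -join ', ')        # selects all three and clears their bits
Set-Content -Path (Join-Path $root 'b.txt') -Value 'changed'            # NTFS sets b.txt's bit again on write
'Differential : ' + ((Invoke-Backup 'Differential' $root) -join ', ')  # selects b.txt, leaves its bit set
'Differential : ' + ((Invoke-Backup 'Differential' $root) -join ', ')  # selects b.txt again for the same reason
'Incremental  : ' + ((Invoke-Backup 'Incremental' $root) -join ', ')   # selects b.txt and clears its bit
'Incremental  : ' + ((Invoke-Backup 'Incremental' $root) -join ', ')   # nothing left to select
```

The two differential runs returning the same file is the trade-off the answer points at: a differential set needs only the last normal backup to restore, an incremental chain needs every set since the last normal backup.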
46. What is the use of DFS?
Ans: Distributed File System. It is used for fault tolerance because it makes a duplicate copy of every DFS root. In addition, the domain logon process uses DFS to find the nearest DC to log on to.
47. Do you know about FRS?
Ans: File Replication Service.
Example: replication of the SYSVOL folder.
48. What is the difference between the TCP and UDP protocols?
Ans: TCP is a connection-oriented protocol, while UDP is not a connection-oriented protocol.
49. What is the difference between a hub and a switch?
Ans: A hub broadcasts the data packet, but a switch multicasts the data packet into the network, which reduces collisions of data packets.
50. At which layer does a router work?
Ans: Layer three (the Network layer).
51. You are going to migrate the domain; how do you plan it?
52. For a project requirement you are going to share 20 folders; what steps will you take?
53. Why is a VLAN required?
Ans: To divide/restrict the traffic to one segment of the network.
54. What rights are required to transfer FSMO roles?
Ans: The logged-on user should be a member of the Enterprise Admins group to transfer the Schema Master or Domain Naming Master roles, or a member of the Domain Admins group of the domain where the PDC Emulator, RID Master and Infrastructure Master roles are being transferred.
55. Write down the command line to transfer all the FSMO roles to another server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type transfer role, where role is the role that you want to transfer. For example:
To transfer the Schema Master role, type transfer schema master
To transfer the Domain Naming Master role, type transfer domain naming master
To transfer the RID Master role, type transfer rid master
To transfer the PDC Emulator role, type transfer pdc
To transfer the Infrastructure Master role, type transfer infrastructure master
7. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.
56. Write down the command line to seize all the FSMO roles to a server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type seize role, where role is the role that you want to seize. For example:
To seize the Schema Master role, type seize schema master
To seize the Domain Naming Master role, type seize domain naming master
To seize the RID Master role, type seize rid master
To seize the PDC Emulator role, type seize pdc
To seize the Infrastructure Master role, type seize infrastructure master
7. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.
57. What is the command for removing Active Directory?
Ans: dcpromo /forceremoval
58. How do you test whether a domain controller is also a global catalog server?
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller's folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.
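An added example (not from these notes) that does Q3, Q6, Q55, Q56 and Q58 from PowerShell: one inventory of every DC with its GC flag and FSMO roles, a function that toggles the GC flag on the NTDS Settings object the GUI steps above edit, and a function that transfers (or, with a switch, seizes) all five roles. It assumes the ActiveDirectory module (RSAT) and, for the role moves, membership in the groups named in Q54; the target DC name is hypothetical:

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module
# (RSAT) and, for the role moves, membership in the groups named in Q54.
Import-Module ActiveDirectory

# Q6 and Q58 together: every DC with its site, GC flag and any FSMO roles it holds.
function Get-DcRoleInventory {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        $roles = @()
        if ($dc.HostName -eq $forest.SchemaMaster)         { $roles += 'SchemaMaster' }
        if ($dc.HostName -eq $forest.DomainNamingMaster)   { $roles += 'DomainNamingMaster' }
        if ($dc.HostName -eq $domain.PDCEmulator)          { $roles += 'PDCEmulator' }
        if ($dc.HostName -eq $domain.RIDMaster)            { $roles += 'RIDMaster' }
        if ($dc.HostName -eq $domain.InfrastructureMaster) { $roles += 'InfrastructureMaster' }
        [pscustomobject]@{
            HostName        = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            FsmoRoles       = ($roles -join ', ')
        }
    }
}
Get-DcRoleInventory | Format-Table -AutoSize

# Q3 without the GUI: the GC flag is bit 1 of the options attribute on the DC's
# NTDS Settings object. Read-modify-write so the other option bits are kept.
function Set-GlobalCatalog([string]$DcName, [bool]$Enabled) {
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $cur  = [int]$ntds.options
    $new  = if ($Enabled) { $cur -bor 1 } else { $cur -band (-bnot 1) }
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $new }
}

# Q55/Q56 without ntdsutil. Without -Seize this is a transfer, which needs the
# current holder online; -Seize adds -Force, for a holder that is gone for good.
# A DC whose roles were seized must not come back online without being rebuilt,
# or two DCs will believe they own the same role.
function Move-AllFsmoRoles([string]$TargetDc, [switch]$Seize) {
    $all = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $all -Force:$Seize -Confirm:$false
    Get-DcRoleInventory | Where-Object { $_.FsmoRoles }      # confirm the new holder
}
# Move-AllFsmoRoles -TargetDc 'dc02.corp.example'            # hypothetical target DC
```

After a move, netdom query fsmo from Q6 should agree with the inventory on every DC once replication has completed; a DC that still reports the old holder is one whose inbound replication needs checking.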
>What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.
>What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
>What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.
>Types of scopes in Windows DHCP?
Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options.
Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options.
Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
>What is Authorizing DHCP Servers in Active Directory ?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized.
This can be achieved either as part of the DHCP Server role installation, or subsequently using either DHCP console or at the command prompt using the netsh tool.
If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP),
right click on the DHCP to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of system on which the DHCP server is installed.
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized.
This can be achieved either as part of the DHCP Server role installation, or subsequently using either DHCP console or at the command prompt using the netsh tool.
If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP),
right click on the DHCP to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of system on which the DHCP server is installed.
>What ports are used by DHCP and the DHCP clients ?
Requests are on UDP port 68, Server replies on UDP 67 .
Requests are on UDP port 68, Server replies on UDP 67 .
>Benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration.DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management.
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration.DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management.
Using DHCP servers can greatly decrease time spent to
configuring and reconfiguring computers on your network. Servers can be configured
to supply a full range of additional configuration values when assigning
address leases. These values are assigned using DHCP options. Also, the DHCP
lease renewal process helps assure that where client configurations need to be
updated often (such as users with mobile or portable computers who change
locations frequently), these changes can be made efficiently and automatically
by clients communicating directly with DHCP servers.
The following section covers issues that affect the use of the
DHCP Server service with other services or network configurations. Using DNS
servers with DHCP Using Routing and Remote Access servers with DHCP Multihomed
DHCP servers.
>Describe the process of installing a
DHCP server in an AD infrastructure ?
Open Windows Components Wizard. Under Components , scroll to and click Networking Services. Click Details . Under Subcomponents of Networking Services , click Dynamic Host Configuration Protocol (DHCP) and then click OK .
Click Next . If prompted, type the full
path to the Windows Server 2003 distribution files, and then click Next.
Required files are copied to your hard disk.Open Windows Components Wizard. Under Components , scroll to and click Networking Services. Click Details . Under Subcomponents of Networking Services , click Dynamic Host Configuration Protocol (DHCP) and then click OK .
Windows Server DHCP Interview Questions
Below is the list of basic Windows Server DHCP interview questions asked in interviews for the post of Windows System Administrator / L1/L2/L3 Windows Support Engineer.
>What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.
>What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
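The DISCOVER/OFFER/REQUEST/ACK exchange above, as an added example that is not part of the original page: a minimal RFC 2131 message builder and parser in Python that runs the four messages and then checks the server replies against a list of authorized DHCP servers (the MAC address, IP addresses and lease time are constructed sample values).

```python
"""Minimal RFC 2131 DHCPv4 message builder/parser illustrating the
DISCOVER/OFFER/REQUEST/ACK exchange plus a rogue-server check."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"           # RFC 2131 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2         # op field: client -> server / server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
OPT_REQ_IP, OPT_DNS, OPT_LEASE = 50, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte header


def packed(ip):
    """Four network-order bytes for a dotted IPv4 string."""
    return IPv4Address(ip).packed


def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """Serialise a DHCP message: header, magic cookie, TLV options, END."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,  # htype=Ethernet, hlen=6, broadcast flag
                      packed("0.0.0.0"),      # ciaddr: client has no address yet
                      packed(yiaddr),         # yiaddr: address offered/assigned by the server
                      packed("0.0.0.0"),      # siaddr
                      packed("0.0.0.0"),      # giaddr: relay agent, if any
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Return header fields and options as a dict; reject packets without the cookie."""
    fields = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:            # option 0 is a single pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(IPv4Address(fields[8])),
            "chaddr": fields[11][:fields[2]], "options": opts}


def dora(client_mac, server_ip, offered_ip, xid=0x3903F326):
    """Simulate the four-message exchange; returns [(name, packet), ...]."""
    lease = struct.pack("!I", 86400)  # one day, in seconds
    disc = build(BOOTREQUEST, xid, client_mac,
                 options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = build(BOOTREPLY, xid, client_mac, offered_ip, [
        (OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, packed(server_ip)),
        (OPT_LEASE, lease), (OPT_DNS, packed(server_ip))])
    req = build(BOOTREQUEST, xid, client_mac, options=[
        (OPT_MSG_TYPE, bytes([REQUEST])), (OPT_SERVER_ID, packed(server_ip)),
        (OPT_REQ_IP, packed(offered_ip))])   # client names the offer it accepts
    ack = build(BOOTREPLY, xid, client_mac, offered_ip, [
        (OPT_MSG_TYPE, bytes([ACK])), (OPT_SERVER_ID, packed(server_ip)),
        (OPT_LEASE, lease)])
    return [("DISCOVER", disc), ("OFFER", offer), ("REQUEST", req), ("ACK", ack)]


def rogue_replies(packets, authorized):
    """Defender check: OFFER/ACK replies whose server identifier (option 54)
    is not in the authorized set. AD authorization only stops Windows DHCP
    servers from answering; any other rogue server is found by inspecting
    UDP 67/68 traffic like this. Returns [(msg_type, server_id, yiaddr)]."""
    bad = []
    for pkt in packets:
        m = parse(pkt)
        mtype = m["options"].get(OPT_MSG_TYPE, b"\0")[0]
        if m["op"] == BOOTREPLY and mtype in (OFFER, ACK):
            raw = m["options"].get(OPT_SERVER_ID)
            sid = str(IPv4Address(raw)) if raw else "missing"
            if sid not in authorized:
                bad.append((mtype, sid, m["yiaddr"]))
    return bad


if __name__ == "__main__":
    exchange = dora(b"\x00\x11\x22\x33\x44\x55", "192.0.2.10", "192.0.2.50")
    for name, pkt in exchange:
        print(name, parse(pkt)["yiaddr"])
    print("rogue:", rogue_replies([p for _, p in exchange], {"192.0.2.1"}))
```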
>What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.
>Types of scopes in Windows DHCP?
Normal Scope – Allows Class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope – Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope – Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
>What is authorizing DHCP servers in Active Directory?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or the netsh tool at the command prompt.
If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right-click the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.
>What ports are used by DHCP and the DHCP clients?
DHCP clients use UDP port 68 and DHCP servers use UDP port 67: client requests are sent from port 68 to port 67, and server replies come back from port 67 to port 68.
>List some benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.
The following section covers issues that affect the use of the DHCP Server service with other services or network configurations: using DNS servers with DHCP, using Routing and Remote Access servers with DHCP, and multihomed DHCP servers.
>Describe the process of installing a DHCP server in an AD infrastructure?
Open Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK.
Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.
>How to authorize a DHCP server in Active Directory?
1. Open DHCP.
2. In the console tree, click DHCP.
3. On the Action menu, click Manage authorized servers.
4. The Manage Authorized Servers dialog box appears. Click Authorize.
5. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.
>What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name.
The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.
>Describe the integration between DHCP and DNS?
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes.
DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership.
Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.
>What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
>What is the port number of DNS?
53.
>What is a Forward Lookup?
Resolving host names to IP addresses.
>What is a Reverse Lookup?
It's a file that contains host name to IP mapping information.
>What is a Resource Record?
It is a record that provides information about the resources available in the network infrastructure.
>What are the different DNS roles?
Standard Primary, Standard Secondary, and AD Integrated.
>What is a Zone?
A zone is a subtree of the DNS database.
>Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR Records
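Added example, not from the original page: building the PTR owner names for a reverse lookup zone from forward A records, and then checking that every PTR is confirmed by a matching A record, which is the consistency a service that relies on reverse resolution effectively depends on. The zone names, host names and addresses are constructed sample values.

```python
"""Reverse lookup zone helpers: PTR owner names under in-addr.arpa and a
forward-confirmed reverse DNS consistency check over constructed zone data."""
from ipaddress import IPv4Address, IPv4Network

SUFFIX = ".in-addr.arpa"


def ptr_owner(ip):
    """Owner name of the PTR record for an IPv4 address: the octets in
    reverse order under in-addr.arpa, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + SUFFIX


def reverse_zone(network):
    """Name of the octet-aligned reverse lookup zone (/8, /16 or /24) for a network."""
    net = IPv4Network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("a classful in-addr.arpa zone needs a /8, /16 or /24 network")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + SUFFIX


def ptr_records(a_records, network):
    """Build the PTR records for the reverse zone of `network` from forward
    A records ({owner: ip}); hosts outside the network are skipped.
    Returns (zone_name, {ptr_owner: target_host})."""
    net = IPv4Network(network)
    ptrs = {}
    for host, ip in a_records.items():
        if IPv4Address(ip) in net:
            ptrs[ptr_owner(ip)] = host
    return reverse_zone(network), ptrs


def owner_to_ip(owner):
    """Inverse of ptr_owner: recover the dotted address from a PTR owner name."""
    if not owner.endswith(SUFFIX):
        raise ValueError("not an in-addr.arpa name: " + owner)
    return ".".join(reversed(owner[: -len(SUFFIX)].split(".")))


def unconfirmed_ptrs(a_records, ptrs):
    """Forward-confirmed reverse DNS: return PTR owner names whose target host
    does not have an A record pointing back at the same address. Stale PTRs
    like these are what a service doing reverse resolution would reject."""
    return [owner for owner, host in ptrs.items()
            if a_records.get(host) != owner_to_ip(owner)]


if __name__ == "__main__":
    # Constructed forward zone data for example.com.
    A = {"web.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25",
         "remote.example.com.": "198.51.100.5"}
    zone, ptrs = ptr_records(A, "192.0.2.0/24")
    print(zone, ptrs)
    ptrs["7.2.0.192.in-addr.arpa"] = "mail.example.com."  # stale entry for a moved host
    print("unconfirmed:", unconfirmed_ptrs(A, ptrs))
```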
>SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
>By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface configuration.
> What is primary, Secondary, stub & AD Integrated Zone?
Primary Zone: a zone which is saved as a normal text file (filename .dns) in the DNS folder. Maintains a read/write copy of the zone database.
Secondary Zone: maintains a read-only copy of the zone database on another DNS server. Provides fault tolerance and load balancing by acting as a backup server to the primary server.
Stub zone: contains a copy of the name server and SOA records used for reducing the DNS search orders. Provides fault tolerance and load balancing.
> How do you manually create SRV records in DNS?
On Windows Server, go to Run ---> dnsmgmt.msc, right-click on the zone you want to add the SRV record to, choose "Other New Record" and choose Service Location (SRV).
> What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
> Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
> Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
> At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
> Name 3 benefits of using AD-integrated zones.
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory.
When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer.
These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.
> Your company uses ten domain controllers, three of which
are also used as DNS servers. You have one companywide AD-integrated zone,
which contains several thousand resource records. This zone also allows dynamic
updates, and it is critical to keep this zone up-to-date. Replication between
domain controllers takes up a significant amount of bandwidth. You are looking
to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.
>You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
>What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
If your DNS topology includes Active Directory, use Active Directory integrated zones. Active Directory integrated zones enable you to store zone data in the Active Directory database. Zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication.
Updates that are made to any domain controller are replicated to all domain controllers, and the zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Active Directory integrated zones:
- Enable you to secure zones by using secure dynamic update.
- Provide increased fault tolerance. Every Active Directory integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.
- Enable replication that propagates changed data only, compresses replicated data, and reduces network traffic.
If you have an Active Directory infrastructure, you can only use Active Directory integrated zones on Active Directory domain controllers. If you are using Active Directory integrated zones, you must decide whether or not to store Active Directory integrated zones in the application directory partition.
You can combine Active Directory integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.
>You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The machine is not configured as a DNS client pointing to its own DNS server.
The DNS service is not running.
>What are the benefits and scenarios of using Stub zones?
Understanding stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed anytime.
>What are the benefits and scenarios of using Conditional Forwarding?
Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process.
A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address. When a DNS client or server performs a query operation against a Windows Server 2003-based DNS server that is configured for forwarding, the DNS server looks to see if the query can be resolved by using its own zone data or the zone data that is stored in its cache, and then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of a DNS server that is associated with the domain name. If the DNS server has no domain name listed for the name that is designated in the query, it attempts to resolve the query by using standard recursion.
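The decision order just described, modelled in Python as an added example (this is illustrative code, not the Windows DNS Server implementation). It assumes that when several conditional forwarder domains match a query, the closest (longest) match wins; the zone names, forwarder table and addresses are constructed.

```python
"""Model of a forwarding DNS server's decision path: own zone data, then
cache, then a conditional forwarder whose domain matches the query name,
and finally standard recursion. Constructed data, not server code."""


def normalise(name):
    """Canonical form for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def under_domain(qname, domain):
    """True when qname equals domain or is a subdomain of it."""
    q, d = normalise(qname), normalise(domain)
    return q == d or q.endswith("." + d)


def closest_forwarder(qname, forwarders):
    """Pick the matching forwarder domain with the most labels (closest match);
    returns None when no configured domain covers the query name."""
    matches = [d for d in forwarders if under_domain(qname, d)]
    if not matches:
        return None
    return max(matches, key=lambda d: normalise(d).count(".") + 1)


def resolve_path(qname, local_zones, cache, forwarders):
    """Return (step, servers): how this server would handle `qname`.
    local_zones: zone names it is authoritative for; cache: cached names;
    forwarders: {domain: [server IPs]} conditional forwarder settings."""
    if any(under_domain(qname, z) for z in local_zones):
        return ("authoritative", None)        # answered from own zone data
    if normalise(qname) in {normalise(c) for c in cache}:
        return ("cache", None)                # answered from cached zone data
    domain = closest_forwarder(qname, forwarders)
    if domain is not None:
        return ("conditional-forward", forwarders[domain])
    return ("recursion", None)                # no matching domain: standard recursion


if __name__ == "__main__":
    # Constructed configuration for a server authoritative for internal.example.
    fw = {"corp.example": ["192.0.2.53"], "eng.corp.example": ["192.0.2.54"]}
    for name in ("host.internal.example", "www.eng.corp.example",
                 "db.corp.example.", "www.example.net"):
        print(name, "->", resolve_path(name, ["internal.example"], set(), fw))
```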
>What is the 224.0.1.24 address used for?
WINS server group address. Used to support auto discovery and dynamic configuration of replication for WINS servers. For more information, see the WINS replication overview.
> Describe the importance of DNS to AD?
When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet.
While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher.
> What is the "in-addr.arpa" zone used for?
In a Domain Name System (DNS) environment, it is common for a user or an application to request a reverse lookup of a host name, given the IP address. This article explains this process. The following is quoted from RFC 1035:
"The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet.
"The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet addressing structure.
"Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero).
"Host addresses are represented by domain names that have all four labels specified."
Reverse lookup files use the structure specified in RFC 1035. For example, if you have a network which is 150.10.0.0, then the reverse lookup file for this network would be 10.150.IN-ADDR.ARPA. Any hosts with IP addresses in the 150.10.0.0 network will have a PTR (or 'Pointer') entry in 10.150.IN-ADDR.ARPA referencing the host name for that IP address. A single IN-ADDR.ARPA file may contain entries for hosts in many domains.
Consider the following scenario. There is a reverse lookup file 10.150.IN-ADDR.ARPA with the following contents. Example: 1.20 IN PTR WS1.ACME.COM.
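The octet-reversal rule from RFC 1035 and the 10.150.IN-ADDR.ARPA scenario above are easy to get backwards by hand, so here is an added example (not part of the original document) that builds reverse names and zone names and reads a PTR entry back into the address it describes. The 150.10.0.0 network and WS1.ACME.COM come from the text; the other addresses are constructed. It goes slightly beyond the text by rejecting prefix lengths that are not whole octets, since RFC 1035 reverse zones only carry whole octets.

```python
"""Building and reading IN-ADDR.ARPA names as RFC 1035 describes.

Added example, not from the original document. The 150.10.0.0 network and
WS1.ACME.COM come from the text; the remaining sample values are constructed.
"""
import ipaddress


def reverse_name(ip):
    """Return the full in-addr.arpa name for an IPv4 address: the four
    octets in reverse order, followed by the in-addr.arpa suffix."""
    addr = ipaddress.IPv4Address(ip)          # validates the address text
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(network):
    """Return the reverse zone name for a /8, /16 or /24 network, for example
    150.10.0.0/16 -> 10.150.in-addr.arpa.

    RFC 1035 names carry whole octets only, so other prefix lengths are
    rejected (they need RFC 2317 style delegation instead).
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones need RFC 2317 delegation")
    keep = net.prefixlen // 8
    octets = str(net.network_address).split(".")[:keep]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_ptr(line, origin):
    """Parse one PTR entry from a reverse zone file whose zone name is
    `origin` and return (ip_address, host_name).

    Text example: '1.20 IN PTR WS1.ACME.COM.' in zone 10.150.IN-ADDR.ARPA
    describes 150.10.20.1. Owner names ending in '.' are taken as absolute;
    others are relative to the zone origin, as in a zone file.
    """
    fields = line.split()
    if len(fields) == 5:                      # optional TTL between owner and class
        owner, _ttl, rclass, rtype, target = fields
    elif len(fields) == 4:
        owner, rclass, rtype, target = fields
    else:
        raise ValueError(f"unrecognised PTR line: {line!r}")
    if rclass.upper() != "IN" or rtype.upper() != "PTR":
        raise ValueError(f"not an IN PTR record: {line!r}")
    if owner.endswith("."):
        fqdn = owner.lower()
    else:
        fqdn = f"{owner}.{origin.rstrip('.')}.".lower()
    labels = fqdn.rstrip(".").split(".")
    # A host entry must have all four octet labels plus the two suffix labels.
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"owner is not a full IN-ADDR.ARPA host name: {fqdn}")
    ip = ".".join(reversed(labels[:4]))
    return str(ipaddress.IPv4Address(ip)), target.rstrip(".").lower()


if __name__ == "__main__":
    print(reverse_zone("150.10.0.0/16"))                              # 10.150.in-addr.arpa
    print(reverse_name("150.10.20.1"))                                # 1.20.10.150.in-addr.arpa
    print(parse_ptr("1.20 IN PTR WS1.ACME.COM.", "10.150.IN-ADDR.ARPA"))
```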
> What are the requirements from DNS to support AD? When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records.
When adding a domain controller to a forest, you are updating a
DNS zone hosted on a DNS server with the Locator DNS resource records and
identifying the domain controller. For this reason, the DNS zone must allow
dynamic updates (RFC 2136) and the DNS server hosting that zone must support
the SRV resource records (RFC 2782) to advertise the Active Directory directory
service. For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a
server running Windows 2000 or Windows Server 2003, contact your DNS
administrator to determine if the DNS server supports the required standards.
If the server does not support the required standards, or the authoritative DNS
zone cannot be configured to allow dynamic updates, then modification is
required to your existing DNS infrastructure.
For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard.
Important
The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. After installing Active Directory, these records can be found on the domain controller in the following location: systemroot\System32\Config\Netlogon.dns.
> What does a zone consist of & why do we require a zone?
A zone consists of resource records, and we require a zone for representing sites.
> What is Caching Only Server?
When we install a Windows 2000 or 2003 server, it is configured as a caching-only server: it maintains information about frequently accessed sites, and when we access the same site the next time, the answer is obtained from the cached information instead of going to the actual site.
> What is forwarder?
When one DNS server can't receive the query, it can be forwarded to another DNS server once that server is configured as a forwarder.
> What is a secondary DNS Server?
It is a backup for the primary DNS server; it maintains a read-only copy of the DNS database.
> How to enable Dynamic updates in DNS?
Start > Programs > Admin tools > DNS > Zone properties.
> What are the properties of DNS server?
INTERFACES, FORWARDERS, ADVANCED, ROUTINGS, SECURITY, MONITORING, LOGGING, DEBUG LOGGING.
> Properties of a Zone?
General, SOA, NAMESERVER, WINS, Security, and ZONE Transfer.
> What is scavenging?
Finding and deleting unwanted records.
> What are SRV records?
SRV are the service records; there are 6 service records. They are useful for locating the services.
> What are the types of SRV records?
MSDCS: Contains DCs information.
TCP: Contains Global Catalog, Kerberos & LDAP information.
UDP: Contains Sites information.
Sites: Contains Sites information.
Domain DNS Zone: Contains the domain's DNS-specific information.
Forest DNS zone: Contains forest-specific information.
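The Locator records discussed under "What are the requirements from DNS to support AD?" (the SRV and A records that Netlogon registers and also writes to Netlogon.dns) and the _msdcs / _tcp / _udp / _sites naming just listed come together in one added example below. It is not the Netlogon service's own code: it parses a constructed sample of Netlogon.dns content in the zone-file format that file uses, builds the owner name a client asks for, and picks a domain controller the way an RFC 2782 client does (lowest priority first, then weighted choice). The domain name, hosts, ports and weights are sample values.

```python
"""Reading Locator (SRV) records of the kind a domain controller registers,
and selecting a DC the way an RFC 2782 client does.

Added example, not Netlogon's own code. NETLOGON_DNS below is a constructed
sample in the format of %systemroot%\\System32\\Config\\Netlogon.dns.
"""
import random
from collections import namedtuple

Srv = namedtuple("Srv", "owner ttl priority weight port target")

# Constructed sample: three LDAP servers (one lower-priority branch DC),
# plus the _msdcs, _sites and _gc names and one A record.
NETLOGON_DNS = """\
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.corp.example. 600 IN SRV 0 50 389 dc2.corp.example.
_ldap._tcp.corp.example. 600 IN SRV 10 100 389 dc3-branch.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
dc1.corp.example. 600 IN A 10.0.0.10
"""


def parse_srv_records(text):
    """Return the SRV records in zone-file style text, skipping other types
    (Netlogon.dns also carries A and CNAME records)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[2] == "IN" and f[3] == "SRV":
            records.append(Srv(f[0].lower().rstrip("."), int(f[1]), int(f[4]),
                               int(f[5]), int(f[6]), f[7].lower().rstrip(".")))
    return records


def locator_name(service, domain, proto="tcp", site=None):
    """Build the owner name a client queries, e.g. _ldap._tcp.corp.example or,
    for a site-specific lookup, _ldap._tcp.<site>._sites.corp.example."""
    name = f"_{service}._{proto}"
    if site:
        name += f".{site}._sites"
    return f"{name}.{domain}".lower()


def choose_target(records, rng=random):
    """RFC 2782 selection: only the lowest priority is considered; within it,
    a target is chosen with probability proportional to its weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:                        # all weights zero: any candidate is fine
        return rng.choice(candidates).target
    pick = rng.uniform(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if pick <= running:
            return r.target
    return candidates[-1].target


def find_dc(text, service, domain, proto="tcp", site=None, rng=random):
    """Locate a DC offering `service` in `domain` (optionally within `site`)."""
    owner = locator_name(service, domain, proto, site)
    matching = [r for r in parse_srv_records(text) if r.owner == owner]
    return choose_target(matching, rng)


if __name__ == "__main__":
    print(find_dc(NETLOGON_DNS, "ldap", "corp.example"))
    print(find_dc(NETLOGON_DNS, "ldap", "corp.example", site="Default-First-Site-Name"))
    print(find_dc(NETLOGON_DNS, "gc", "corp.example"))
```

A useful check when SRV records "do not appear in the zone" is to run this parser over the real Netlogon.dns on the domain controller and compare the owner names it reports with what the zone actually holds; the branch DC with priority 10 is never chosen while a priority-0 DC exists, which is the behaviour to expect from clients as well.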
> Where does a Host File Reside?
c:\windows\system32\drivers\etc.
> What is SOA?
Start of Authority: useful when a zone starts. Provides the zone startup information.
> What is a query?
A request made by the DNS client to provide the name server information.
> What are the diff. types of Queries?
Recursion, iteration.
> Tools for troubleshooting DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, Logs.
> What is WINS server? where we use WINS server? difference
between DNS and WINS?
WINS is Windows Internet Name Service, used to resolve the NetBIOS (computer) name to an IP address. This is proprietary to Windows. You can use it in a LAN. DNS is a Domain Naming System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
> What is new in Windows Server 2003 regarding the DNS management?
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory.
If the wizard fails to locate a DC, it performs debugging and
reports what caused the failure and how to fix the problem. In order to be
located on a network, every DC must register in DNS DC locator DNS records. The
Active Directory Installation Wizard verifies a proper configuration of the DNS
infrastructure. All DNS configuration debugging and reporting activity is done
with the Active Directory Installation Wizard.
> SOA records must be included in every zone. What are they
used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
> By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface configuration.
> How do I clear the DNS cache on the DNS server?
Go to cmd prompt and type ipconfig /flushdns .
> What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
> Before installing your first domain controller in the
network, you installed a DNS server and created a zone, naming it as you would
name your AD domain. However, after the installation of the domain controller,
you are unable to locate infrastructure SRV records anywhere in the zone. What
is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
> What is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
> Do I need to configure forwarders in DNS?
No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems.
The root hint server can provide a level of redundancy in
exchange for slightly increased DNS traffic on your Internet connection.
Windows Server 2003 DNS will query root hints servers if it cannot query the
forwarders.
> Should I point the other Windows 2000-based and Windows
Server 2003-based computers on my LAN to my ISP's DNS servers?
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS.
If you are using DHCP, make sure that you view scope option #15
for the correct DNS server settings for your LAN.
> Do I need to point computers that are running Windows NT
4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98
Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.
> What if my Windows 2000 or Windows Server 2003 DNS server
is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall.
> What should I do if the domain controller points to itself for
DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix.
You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.
> How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Note: Windows Server 2003 has additional types of zones, such as
Stub Zones and forest-level integrated Active Directory zones, that may be a
better fit for your environment. Set the child domain controller to point to
itself first. As soon as an additional domain controller is available, set the
child domain controller to point to this domain controller in the child domain
as its secondary.
> What is group policy in Active Directory? What are Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that
stores GPO properties, including information on version, GPO status, and a list
of components that have settings in the GPO.
The Group Policy template is a folder structure within the file
system that stores Administrative Template-based policies, security settings,
script files, and information regarding applications that are available for
Group Policy Software Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.
> What is the order in which GPOs are applied?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory
hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to
an organizational unit, their processing is in the order that is specified by
the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC.
The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
> How to backup/restore Group Policy objects?
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
When you do, the details pane should display all of the group
policy objects that are associated with the domain. In Figure A there are only
two group policy objects, but in a production environment you may have many
more. The Group Policy Objects container stores all of the group policy objects
for the domain.
Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to
provide the path to which you want to store the backup files. You can either
store the backups in a dedicated folder on a local drive, or you can place them
in a folder on a mapped network drive. The dialog box also contains a
Description field that you can use to provide a description of the backup that
you are creating.
You must provide the path to which you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you're all done.
When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore.
Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.
> You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
Right-click on the domain -> click on Properties.
In the new window, click on Group Policy.
Select Default Policy -> click on Edit.
In the Group Policy console, go to User Configuration -> Administrative Templates -> Start Menu and Taskbar.
Select each property you want to modify and do the same.
> What's the difference between software publishing and assigning?
Assign Users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Assign Computers :The software application is advertised and
installed when it is safe to do so, such as when the computer is next restarted.
Publish to users : The software application does not appear on
the start menu or desktop. This means the user may not know that the software
is available. The software application is made available via the Add/Remove
Programs option in control panel, or by clicking on a file that has been
associated with the application. Published applications do not reinstall
themselves in the event of accidental deletion, and it is not possible to
publish to computers.
> What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which
describes both the interface and the registry values which will be changed if
the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
> Can I deploy non-MSI software with GPO?
Create the file with a .zap extension.
> Name some GPO settings in the computer and user parts?
Group Policy Object (GPO): computer = Computer Configuration, user = User Configuration.
> A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Make sure the user is not subject to a loopback policy, as under loopback policy the user settings are not affected; only the computer policy is applicable. Also check whether he is a member of the GPO filter group.
You may also want to check the computer's event logs. If you find event ID 1085, then you may want to download the patch to fix this and reboot the computer.
> How can I override blocking of inheritance?
> What can I do to prevent inheritance from above?
> Name a few benefits of using GPMC.
> How frequently is the client policy refreshed?
90 minutes, give or take.
> Where is secedit?
It's now gpupdate.
> What can be restricted on Windows Server 2003 that wasn't there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
> You want to create a new group policy but do not wish to inherit.
Make sure you check Block Inheritance among the options when creating the policy.
> How does the Group Policy 'No Override' and 'Block Inheritance' work?
Group Policies can be applied at multiple levels (sites, domains, organizational units), with multiple GPOs at each level. Obviously some policy settings may conflict, hence the application order of Site - Domain - Organizational Unit, and within each layer you set the order for all defined policies. But you may want to force some policies to never be overridden (No Override), and you may want some containers to not inherit settings from a parent container (Block Inheritance).
A good definition of each is as follows:
No Override - This prevents child containers from overriding policies set at higher levels.
Block Inheritance - Stops containers inheriting policies from parent containers.
No Override takes precedence over Block Inheritance, so if a child container has Block Inheritance set but on the parent a group policy has No Override set, then it will get applied.
Also, the highest No Override takes precedence over lower No Overrides.
To block inheritance perform the following:
- Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
- Right click the container you wish to stop inheriting settings from its parent and select Properties
- Select the 'Group Policy' tab
- Check the 'Block Policy inheritance' option
- Click Apply then OK
To set a policy to never be overridden perform the following:
- Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
- Right click the container on which the Group Policy is linked and select Properties
- Select the 'Group Policy' tab
- Select the policy and click Options
- Check the 'No Override' option
- Click OK
- Click Apply then OK
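The same two settings scripted with PowerShell, as an added example that is not part of the original page: it assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later, and the domain, OU and GPO names are made up for illustration.

```powershell
# Added example (not from the original page): Block Inheritance on an OU plus a
# No Override (Enforced) link at the domain, done with the GroupPolicy module.
# The domain DN, OU and GPO name below are assumptions for illustration.
Import-Module GroupPolicy

$domainDn  = 'DC=corp,DC=example'          # assumed domain
$financeOu = "OU=Finance,$domainDn"        # assumed OU that should not inherit
$baseline  = 'Corp Security Baseline'      # assumed GPO linked at the domain level

# 1. Block inheritance on the OU. The setting lives on the container, not on a GPO.
Set-GPInheritance -Target $financeOu -IsBlocked Yes | Out-Null

# 2. Enforce the domain-level baseline link (No Override) so the block cannot
#    strip security settings such as password, lockout or audit policy.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null

# 3. Verify: the OU must report GpoInheritanceBlocked = True, and the enforced
#    baseline must still appear among the links that are actually inherited.
$inh = Get-GPInheritance -Target $financeOu
"Inheritance blocked on $($inh.Path): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize

$reaching = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $baseline -and $_.Enforced }
if (-not $reaching) {
    Write-Warning "Enforced baseline '$baseline' is not reaching $financeOu; check the link."
}

# 4. Apply on a test client without waiting for the 90-minute refresh, then
#    confirm which GPOs won with gpresult (Windows XP / Server 2003 and later).
gpupdate /target:computer /force
gpresult /r /scope:computer
```

Run step 3 again after any change to the OU structure: an enforced link only protects settings on the path from the link target down, so a GPO enforced at a child OU does nothing for its siblings.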
L2 Interview Questions for Windows
1) What is the difference between Win NT and Win 2000?
Ans:
Win NT: no concept of Active Directory | Win 2000: Active Directory
Win NT: PDC and BDCs (each BDC holds a read-only copy of the account database) | Win 2000: DC and ADC (every DC holds a writable copy; multi-master replication)
Win NT: database stored in the SAM (practical limit about 40 MB) | Win 2000: database stored in NTDS.DIT (no fixed size)
Win NT: RIS not supported | Win 2000: RIS supported
2) What is the difference between Win 2000 and Win 2003?
Ans:
Win 2000: can't rename a domain or a domain controller | Win 2003: can rename the domain (rendom) and rename domain controllers (netdom computername) at the Windows Server 2003 functional levels
Win 2000: DHCP servers are authorized in Active Directory (authorization was introduced in Windows 2000, not 2003) | Win 2003: the same authorization model
Win 2000: no application directory partitions | Win 2003: application directory partitions such as DomainDnsZones and ForestDnsZones (creating a new domain tree in an existing forest is possible in both versions)
3) What are the versions of Win 2000?
Ans: Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
4) What are the versions of Win 2003?
Ans: Standard Edition, Enterprise Edition, Web Edition and Datacenter Edition.
5) How much RAM and how many processors are supported by the Win 2000 versions?
Ans: 2000 Server: 4 GB RAM, 4 processors; 2000 Advanced Server: 8 GB RAM, 8 processors; 2000 Datacenter Server: 64 GB RAM, 32 processors.
6) How much RAM and how many processors are supported by the Win 2003 versions?
Ans: Standard: 4 GB, 4 processors; Web: 2 GB, 2 processors; Enterprise: 32 GB, 8 processors; Datacenter: 64 GB, 32 processors (32-bit editions at release).
7) What is the difference between Win 2000 Server and Advanced Server?
Ans: Advanced Server adds Network Load Balancing and clustering (and supports more RAM and processors).
8) Can I rename a Win 2003 DC?
Ans: Yes. When the domain is at the Windows Server 2003 functional level you can use the Netdom tool (netdom computername) to rename a domain controller in a supported way. Renaming a whole domain is done with the separate Rendom tool. Both tools are on the Windows Server 2003 CD-ROM (Netdom in the Support Tools).
9) What is Privilege mode?
Ans: A protected memory space (kernel mode) allocated to the Windows 2000 kernel that cannot be accessed directly by user-mode applications.
9) In Win 2000, what are the partition size and file size limits for FAT16?
Ans: 4 GB partition size (using 64 KB clusters; 2 GB for compatibility with other systems) and 2 GB file size.
10) In Win 2000, what are the partition size and file size limits for FAT32?
Ans: Windows 2000 can mount FAT32 volumes up to 2 TB but will only format FAT32 volumes up to 32 GB; the maximum file size is 4 GB (minus one byte).
11) In Win 2000, what are the partition size and file size limits for NTFS?
Ans: 2 TB partition size in practice (MBR disks); the file size limit is theoretically 16 exabytes.
12) What is the difference between FAT and NTFS?
Ans: FAT does not support file and folder permissions (ACLs), auditing, disk quotas, data compression or encryption (EFS); NTFS supports all of these, and it is the file system required for the Active Directory database.
13) What is the difference between Win98 and Windows XP?
Win 98: supports FAT16 and FAT32 | Windows XP: supports FAT16, FAT32 and NTFS
Win 98: no disk quotas | Windows XP: disk quotas
Win 98: disk compression only | Windows XP: data compression and encryption (EFS)
Win 98: no Remote Assistance or Remote Desktop | Windows XP: Remote Assistance and Remote Desktop
14) What is System Restore?
15) What is the difference between a basic disk and a dynamic disk?
16) Can you convert dynamic to basic?
17) What is the difference between System Restore and Last Known Good Configuration?
18) What is the difference between Remote Assistance and Remote Desktop?
19) What is the difference between IPv4 and IPv6?
20) What is the difference between a router and a switch?
21) What is the difference between a switch and a hub?
22) Hub works in which layer?
Ans: Layer 1 (physical); it repeats every frame to every port.
23) Switch works in which layer?
Ans: Layer 2 (data link); it forwards frames by MAC address (layer 3 switches also route).
24) Router works in which layer?
Ans: Layer 3 (network); it forwards packets by IP address.
25) Describe all layers?
26) What are the port numbers of FTP, SMTP, Telnet, DNS, DHCP, POP3, TFTP and SNTP?
Ans: FTP 21 (control) and 20 (data), SMTP 25, Telnet 23, DNS 53 (UDP and TCP), DHCP 67 (server) and 68 (client), POP3 110, TFTP 69 (UDP), SNTP 123 (UDP).
PROFILES
1) What is a profile?
Ans: Windows maintains a group of settings for each individual user that logs on to the system. This group of settings is known as a user 'profile'.
2) Where are the documents and settings for a roaming profile stored?
Ans: All the documents and environment settings for a roaming user are stored locally on the system and, when the user logs off, all changes to the locally stored profile are copied back to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon may take some time, depending on how large the profile folder is.
3) What are roaming and mandatory profiles?
Ans: Roaming user profile: a user profile that is stored on a network server so that it can be downloaded to each workstation where the user logs on.
Mandatory profile: a user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes the user makes to the profile are not saved, because the profile's registry hive NTUSER.DAT has been renamed NTUSER.MAN.
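Setting this up on a file server, as an added example that is not part of the original page: it assumes Windows Server 2012 or later (for New-SmbShare), the ActiveDirectory module, and made-up values for the local path, share name and user account. The security point is the NTFS permissions on the profile root, which must not let one user read another user's profile folder.

```powershell
# Added example (not from the original page): create a roaming-profile share
# whose NTFS permissions let each user reach only their own profile folder,
# point an account at it, and turn an existing profile into a mandatory one.
# Local path, share name and user name are assumptions.
Import-Module ActiveDirectory

$root      = 'D:\Profiles'     # assumed local path on the file server
$shareName = 'Profiles$'       # assumed hidden share
$user      = 'jdoe'            # assumed account

# Root folder ACL: Administrators and SYSTEM get full control; Authenticated
# Users may only list the root and create a folder in it (the first logon
# creates the user's folder); CREATOR OWNER gets full control of what they
# created, so every user owns only their own profile folder.
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl $root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissive ACEs from D:\
$rules = @(
    New-Object Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    New-Object Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    New-Object Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', 'ListDirectory,CreateDirectories,ReadAttributes', 'None', 'None', 'Allow')
    New-Object Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $root -AclObject $acl

# Share it. Share permissions stay open; the NTFS ACL above does the restricting.
New-SmbShare -Name $shareName -Path $root -FullAccess 'Authenticated Users' | Out-Null

# Point the account at the share. %username% is expanded by Windows at logon.
Set-ADUser -Identity $user -ProfilePath "\\$env:COMPUTERNAME\$shareName\%username%"

# Make the profile mandatory once it exists and has been tuned: renaming the
# registry hive to NTUSER.MAN makes Windows discard the user's changes at logoff.
# Vista and later store the folder as <user>.V2; older clients use the plain name.
$profileDir = Get-ChildItem $root -Directory |
    Where-Object { $_.Name -eq $user -or $_.Name -like "$user.V*" } |
    Select-Object -First 1
if ($profileDir) {
    $hive = Join-Path $profileDir.FullName 'NTUSER.DAT'
    if (Test-Path $hive) { Rename-Item -Path $hive -NewName 'NTUSER.MAN' }
}
```

Because the profile folder is created by the user at first logon, CREATOR OWNER is what gives them rights to it; if an administrator pre-creates the folders instead, the administrator must also grant each user full control of their own folder explicitly.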
Active directory:
1) What is an organizational unit?
Ans: OUs are container objects within a domain that can hold users, computers, groups and other OUs; they are the smallest scope to which Group Policy can be linked and administrative control delegated.
2) What is the use of an organizational unit?
Ans: To group objects for delegation of administration and for applying Group Policy. (Controlling replication traffic, making authentication faster and locating the nearest server providing directory services are the uses of sites, not OUs.)
3) What is Active Directory?
Ans: Active Directory is a centralized, hierarchical directory database and directory service that contains information about all user accounts and shared resources on a network.
4) What are the main roles in Active Directory?
Ans: FSMO stands for Flexible Single Master Operations. The five roles are:
1) Domain naming master (one per forest)
2) Schema master (one per forest)
3) PDC emulator (one per domain)
4) RID master (one per domain)
5) Infrastructure master (one per domain)
5) What is the location and file system type where the Active Directory information is installed?
Ans: On an NTFS partition; by default %SystemRoot%\NTDS\ntds.dit (the database) and %SystemRoot%\SYSVOL (policies and logon scripts).
6) For replication between DC and ADC some files are used; what is the location of that directory?
Ans: %SystemRoot%\SYSVOL, replicated between domain controllers by the File Replication Service (FRS).
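The role holders and file locations above can be read from a live domain controller, as an added example that is not part of the original page: it assumes the ActiveDirectory module (RSAT-AD-PowerShell) and that it runs on a DC; no names are assumed, everything is read from the system.

```powershell
# Added example (not from the original page): query the FSMO role holders and
# confirm where this domain controller keeps ntds.dit and SYSVOL, and that the
# database volume is NTFS. Runs on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # per domain
        RIDMaster            = $domain.RIDMaster             # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    }
}

function Get-DsFileLocation {
    # dcpromo records the database and SYSVOL paths under the NTDS and Netlogon services.
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $dit   = $ntds.'DSA Database file'                 # e.g. C:\Windows\NTDS\ntds.dit
    $drive = Split-Path -Qualifier $dit                # e.g. C:
    [pscustomobject]@{
        Database   = $dit
        LogFiles   = $ntds.'Database log files path'
        SysVol     = $nl.SysVol                        # e.g. C:\Windows\SYSVOL\sysvol
        FileSystem = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
    }
}

Get-FsmoRoleHolder | Format-List
$loc = Get-DsFileLocation
$loc | Format-List
if ($loc.FileSystem -ne 'NTFS') {
    Write-Warning "ntds.dit is on a $($loc.FileSystem) volume; Active Directory requires NTFS."
}
# The same role information from the command line: netdom query fsmo
```

Keep the output of Get-FsmoRoleHolder with the disaster-recovery notes: an authoritative restore or a seized role is only safe when you know which DC held the role before the failure.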
7) What is Kerberos?
Ans: Kerberos is an Internet-standard authentication protocol (RFC 1510) that uses tickets issued by a Key Distribution Center, provides mutual authentication and delegation, and is more secure and more efficient than Windows NT LAN Manager (NTLM): a server does not have to contact a domain controller for every authentication.
8) What is Windows NT LAN Manager (NTLM)?
Ans: NTLM is the challenge/response protocol used by Windows 95, Windows 98 and Windows NT clients, and by Windows 2000 and later whenever Kerberos cannot be used (for example when a server is addressed by IP address rather than name, or in a workgroup). It remains available in both mixed-mode and native-mode domains; the weaker LM and NTLMv1 responses should be disabled with the LAN Manager authentication level policy.
9) Which protocol plays the security role for authentication in 2000 and 2003?
Ans: Kerberos.
10) What version of Kerberos is used in the 2003 OS?
Ans: Kerberos version 5 (there is no version 5.5).
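Whether Kerberos or NTLM was actually used is recorded in each logon event, so the difference in questions 7 and 8 can be measured. The following is an added example, not part of the original page: the classification function is exercised on constructed sample events, and the Get-WinEvent call that feeds it real Security log entries (event 4624) is shown at the end; the user and workstation names are made up.

```powershell
# Added example (not from the original page): find who is still authenticating
# with NTLM instead of Kerberos by classifying logon events (Security event 4624).
function Get-AuthPackageSummary {
    # $Events: objects with TargetUserName, WorkstationName, LogonType,
    # AuthenticationPackageName and LmPackageName (the 4624 EventData field names).
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Logon type 3 (network) is where NTLM relay and pass-the-hash live;
        # LmPackageName tells "NTLM V1" / "LM" apart from "NTLM V2".
        $risk = switch -Regex ($e.AuthenticationPackageName) {
            '^Kerberos$' { 'ok' }
            '^NTLM$'     { if ($e.LmPackageName -in 'NTLM V1', 'LM') { 'high (LM/NTLMv1)' } else { 'review (NTLMv2)' } }
            default      { 'unknown' }
        }
        [pscustomobject]@{
            User      = $e.TargetUserName
            From      = $e.WorkstationName
            LogonType = $e.LogonType
            Package   = $e.AuthenticationPackageName
            Risk      = $risk
        }
    }
}

function ConvertFrom-LogonEvent {
    # Flatten a real 4624 record into the shape Get-AuthPackageSummary expects,
    # reading EventData by field name rather than by positional index.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]$data
}

# Constructed sample events (not real log data) so the function can run offline.
$sample = @(
    [pscustomobject]@{ TargetUserName = 'alice';      WorkstationName = 'WS01';   LogonType = '2'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-' }
    [pscustomobject]@{ TargetUserName = 'svc_backup'; WorkstationName = 'OLDNAS'; LogonType = '3'; AuthenticationPackageName = 'NTLM';     LmPackageName = 'NTLM V1' }
    [pscustomobject]@{ TargetUserName = 'bob';        WorkstationName = 'WS02';   LogonType = '3'; AuthenticationPackageName = 'NTLM';     LmPackageName = 'NTLM V2' }
)
Get-AuthPackageSummary -Events $sample | Format-Table -AutoSize

# Real data from a domain controller (audit logon events must be enabled):
#   $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) }
#   Get-AuthPackageSummary -Events ($recent | ForEach-Object { ConvertFrom-LogonEvent $_ }) |
#       Where-Object Risk -ne 'ok' | Group-Object User, Risk | Sort-Object Count -Descending
```

Accounts that show up as NTLM from a handful of hosts are usually services addressed by IP or legacy devices; those are the ones to fix (or to exempt explicitly) before raising the LAN Manager authentication level or enabling NTLM auditing and blocking.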
11) What is the protocol used by Active Directory to perform its function?
Ans: LDAP (Lightweight Directory Access Protocol), running over TCP/IP (port 389; 636 for LDAP over SSL).
12) What command displays whether a machine is a DC, ADC or member server?
Ans: net accounts (look at the "Computer role" line).
13) What is the command to make a server into a domain controller in Win 2000 and 2003?
Ans: DCPROMO
14) What type of backup is used to back up Active Directory?
Ans: System state data backup.
15) What command-line utility is run on Windows 2000 domain controllers before they are upgraded to Windows 2003 domain controllers?
Ans:
1) adprep /forestprep
(This command must be run on the Windows 2000 server holding the schema master role in the forest root domain, to extend the existing schema to support Windows 2003 AD.)
2) adprep /domainprep
(Run on the infrastructure master of each domain before the first Windows Server 2003 DC is introduced into it.)
Note: the adprep tool is in the i386 directory of the Windows 2003 CD-ROM.
POLICIES:
1) What is group policy?
Ans: A collection of user and computer configuration settings, stored in a Group Policy Object (GPO) in Active Directory and SYSVOL, that is linked to a site, domain or OU and applied automatically to the users and computers in that container.
2) Does Win NT support Group Policy?
Ans: No, it supports only System Policy.
3) What is system policy?
Ans: Registry settings created with the System Policy Editor (poledit) and stored in a .POL file on the NETLOGON share; they are written directly into the registry at logon.
4) What is the difference between system policy and group policy?
Ans: System policy settings "tattoo" the registry (they remain after the policy is removed) and cover only registry settings; Group Policy settings are removed when the GPO no longer applies, are refreshed periodically, and also cover security settings, software installation, scripts and folder redirection.
5) What is the policy order?
Ans: Local Group Policy - Site-level policy - Domain-level policy - Organizational unit policy (the last one applied wins when settings conflict)
6) Is group policy applicable to Win 98, Win 95 and Win NT workstations?
Ans: No, only system policy applies to them.
7) In Win NT, where are policies stored?
Ans: NTCONFIG.POL (on the NETLOGON share)
8) Suppose your server is Win 2000 and the clients are Win 98 and Win 95; which policy applies, and where is it stored?
Ans: System policy, stored in CONFIG.POL
9) In Win 2000, after assigning policies, which command updates them?
Ans: secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
10) In Win 2003, after assigning policies, which command updates them?
Ans: gpupdate (gpupdate /force reapplies all settings, not only the changed ones)
11) What is the order in which group policy is applied?
Ans: Local - Site - Domain - Organizational Unit (LSDOU)
BACKUP:
1) What is user data?
2) What is system state data?
Ans: The registry, the COM+ class registration database, boot and system files and, on a domain controller, the Active Directory database and SYSVOL (plus the Certificate Services database and cluster database where those are installed).
3) What are the three primary tasks you can perform using Backup?
Ans: Back up files (including system state), restore files, and create an Emergency Repair Disk.
4) What is an emergency repair disk?
Ans: A floppy created by Backup on Windows 2000 that holds setup and configuration information used by Setup's repair process to fix boot and system files; it is not bootable and is not a substitute for a backup.
5) Who can take backups?
Ans: Members of Administrators and Backup Operators, or anyone granted the "Back up files and directories" user right. That right lets the holder read every file regardless of NTFS permissions, so keep the group small.
6) What are the two types of restore you can perform on Active Directory?
Ans: Authoritative and non-authoritative.
7) List three Win2k tools used to recover from a system failure.
Ans: Safe Mode / Last Known Good Configuration, the Recovery Console, and the Emergency Repair Disk with Backup.
8) What tool is used to create an ERD?
Ans: The Backup program.
9) Which type of backup reduces the time needed to take a backup daily?
Ans: Incremental backup takes the least amount of time.
10) Which Win2k tool is used to restore user data on a DC?
Ans: Backup.
11) What command is used to add the Recovery Console to the boot loader menu?
Ans: winnt32 /cmdcons
12) What commands are used to perform an authoritative restore (after restoring system state in Directory Services Restore Mode, before rebooting normally)?
Ans: ntdsutil
authoritative restore
restore database (the whole directory), or
restore subtree OU=Sales,DC=corp,DC=example (one subtree)
13) In which mode do you restore system state data or the Active Directory database?
Ans: Directory Services Restore Mode (press F8 at boot; the DSRM administrator password set during dcpromo is required).
14) What is the extension used for a backup file?
Ans: .bkf
15) Name the five standard types of backup.
Ans: Normal, daily, incremental, differential, copy.
16) Is it possible to back up and restore data on a network drive?
Ans: Yes, it is possible.
17) Is it possible to restore system state data onto a networked PC?
Ans: No, it is not possible; system state can only be restored on the local computer.
18) What is a non-authoritative restore?
Ans: The default restore of a DC from a system state backup: after the restart, normal replication overwrites any restored objects that are older than the copies held by other DCs. It repairs a broken DC; it cannot bring back objects that were deliberately deleted, which requires an authoritative restore.
19) What is a normal backup?
Ans: A full and complete backup of all selected files and folders. It clears the archive bit on the files and folders it backs up.
20) What is a copy backup?
Ans: A copy backup backs up all selected files and folders but does not clear or otherwise affect the archive bit, so it does not disturb a normal/incremental schedule.
21) What is an incremental backup?
Ans: It backs up all selected files and folders that have changed since the last normal or incremental backup and clears the archive bit on them.
It is not cumulative. It takes less time to back up, but multiple backup sets are required at restore time.
22) What is a differential backup?
Ans: It backs up all selected files and folders that have changed since the last normal backup.
It does not clear the archive bit, so it is cumulative. It takes more time to back up, but only the last normal backup and the last differential set are needed to restore.
23) What is a daily backup?
Ans: A daily backup backs up all selected files and folders that have changed during the day the backup is made; it does not clear the archive bit.
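The archive-bit behaviour that distinguishes the five backup types (questions 19 to 23) can be watched directly. The following is an added example, not part of the original page: it writes nothing to backup media; the "backup" is simply the list of files each type would select, run against a throw-away directory created in the temp folder.

```powershell
# Added example (not from the original page): the archive-bit logic behind the
# five backup types, run against a throw-away directory so that the selection
# and bit-clearing behaviour of each type can be observed.
function Test-ArchiveBit  { param([IO.FileInfo]$File) [bool]($File.Attributes -band [IO.FileAttributes]::Archive) }
function Clear-ArchiveBit { param([IO.FileInfo]$File) $File.Attributes = $File.Attributes -band (-bnot [IO.FileAttributes]::Archive) }

function Invoke-BackupSelection {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Normal', 'Copy', 'Incremental', 'Differential', 'Daily')][string]$Type
    )
    $files = Get-ChildItem -Path $Path -File -Recurse
    $selected = switch ($Type) {
        'Normal'       { $files }                                          # everything
        'Copy'         { $files }                                          # everything, bit untouched
        'Incremental'  { $files | Where-Object { Test-ArchiveBit $_ } }    # changed since last Normal/Incremental
        'Differential' { $files | Where-Object { Test-ArchiveBit $_ } }    # changed since last Normal
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }
    }
    # Only Normal and Incremental clear the bit; Copy, Differential and Daily leave it set,
    # which is why Differential is cumulative and Incremental is not.
    if ($Type -in 'Normal', 'Incremental') { $selected | ForEach-Object { Clear-ArchiveBit $_ } }
    $selected | Select-Object -ExpandProperty Name
}

# Throw-away data set: Windows sets the Archive attribute on every new or modified file.
$work = Join-Path ([IO.Path]::GetTempPath()) ('bkdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
'a', 'b', 'c' | ForEach-Object { Set-Content -Path (Join-Path $work "$_.txt") -Value "file $_" }

"Normal       : $(Invoke-BackupSelection -Path $work -Type Normal)"        # full set, bits cleared
Add-Content -Path (Join-Path $work 'b.txt') -Value 'change 1'              # b is modified
"Differential : $(Invoke-BackupSelection -Path $work -Type Differential)"  # changes since Normal
Add-Content -Path (Join-Path $work 'c.txt') -Value 'change 2'              # c is modified
"Differential : $(Invoke-BackupSelection -Path $work -Type Differential)"  # still cumulative since Normal
"Incremental  : $(Invoke-BackupSelection -Path $work -Type Incremental)"   # same set, but now bits cleared
"Incremental  : $(Invoke-BackupSelection -Path $work -Type Incremental)"   # nothing pending any more
"Copy         : $(Invoke-BackupSelection -Path $work -Type Copy)"          # full set, bits untouched

Remove-Item -Path $work -Recurse -Force
```

Run it twice with the two Differential lines swapped for Incremental ones to see why a restore from incrementals needs every set since the last normal backup while a restore from differentials needs only the latest one.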
24) Backup utility advanced mode features?
Ans: 1) Backup wizard
2) Restore wizard
3) ERD (Emergency Repair Disk)
25) Backup Wizard options
Back up everything.
Back up selected files and drives.
Only back up system state data.
Tape drives & Models
HP DDS3 DAT tape drive, model C1537: SCSI internal, 50-pin, capacity 12/24 GB (native/compressed)
HP DDS3 DAT tape drive, model C1537E: SCSI external, 50-pin, capacity 12/24 GB (native/compressed)
Print Management & Administration
1) What is a printer in Win2k terminology?
Ans: It is the software interface between the Win 2k OS and the print device that produces the printed output.
2) Which Win2k printing term is defined as a printer that has multiple ports and multiple print devices assigned to it?
Ans: Printer pool
3) Name the three printer permissions.
Ans: Print, Manage Documents, Manage Printers
4) What is EMF?
Ans: Enhanced Metafile, the device-independent spool format produced by the GDI so that the application is released quickly and the rendering for the device is finished later by the spooler.
5) Print process:
Ans:
1. The user starts printing from an application (e.g. MS Word); the print job consists of the data and commands needed to print the document.
2. The application calls the GDI (graphical device interface), which calls the printer driver.
3. The driver renders the job into EMF or RAW format and hands it back to the GDI.
4. The GDI passes the job to the Win 2k spooler, which determines whether the printer is local or on the network.
5. Local printer: the local print provider writes the job to the spool folder on the hard disk, the print processor completes the rendering, and the print monitor communicates directly with the print device.
6. Network printer: the network print provider sends the job to the print server, where the server's spooler, print processor and print monitor deliver it to the print device.
6) What is the print spooler?
Ans: The print spooler is the service, and the temporary storage area, for print jobs waiting to be sent to a print device: %SystemRoot%\system32\spool\PRINTERS
7) Who can add and manage printers?
Ans: Administrators or Power Users (built-in groups)
8) Adding a printer on a remote computer
Ans: Start Windows Explorer > click My Network Places > Entire Network > domain or workgroup > select the computer > open the Printers folder > double-click the printer.
9) Adding printers to a printer pool
Ans: In the printer's properties, Ports tab, check Enable printer pooling and select all the ports (e.g. LPT1, LPT2, LPT3) whose devices should serve the pool; the pool sends each job to the first free device.
10) Printer priorities
Ans: In the printer's properties, Advanced tab, set Priority from 1 (lowest) to 99 (highest).
Note: if managers and employees send print jobs to the same print device, create two logical printers for it, give the managers' printer priority 99 and the employees' printer priority 1, and restrict who may use each with printer permissions.
11) Print permissions are
Print: send print jobs to the printer (and manage your own jobs) only.
Manage Documents: pause, resume, restart and delete any user's print jobs.
Manage Printers: perform all tasks, including sharing the printer, changing spooler settings and assigning printer permissions.
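The priority setup from question 10 and a check of the permissions from question 11, as an added example that is not part of the original page: it assumes the PrintManagement module (Windows Server 2012 / Windows 8 and later) and made-up driver, port and queue names, and it reads the permissions from the printer's SDDL string rather than from the GUI.

```powershell
# Added example (not from the original page): two logical printers on one print
# device with different priorities, then an audit of which printers grant
# Everyone more than the Print permission. Driver, port and names are assumptions.
Import-Module PrintManagement

$driver = 'Microsoft Print To PDF'   # assumed driver already installed
$port   = 'PORTPROMPT:'              # assumed port; a real device would use e.g. 'IP_10.0.0.50'

# Both queues spool to the same port; when both have jobs waiting the spooler
# serves the queue with the higher priority first.
Add-Printer -Name 'Managers-Q'  -DriverName $driver -PortName $port -Priority 99 -Shared -ShareName 'Managers'
Add-Printer -Name 'Employees-Q' -DriverName $driver -PortName $port -Priority 1  -Shared -ShareName 'Employees'

function Get-PrinterEveryoneAce {
    # Returns the Allow ACEs granted to Everyone (SDDL alias WD) in each printer's
    # security descriptor. Each SDDL ACE is (type;flags;rights;obj;inh_obj;sid).
    # Print is only the use right plus read-control; an ACE for Everyone that also
    # carries WD (write DACL) or WO (write owner) is Manage Printers territory,
    # i.e. any user could change the driver or re-permission the queue.
    param([Parameter(Mandatory)][object[]]$Printers)   # objects with Name and PermissionSDDL
    foreach ($p in $Printers) {
        $aces = [regex]::Matches($p.PermissionSDDL, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
        foreach ($ace in $aces) {
            $f = $ace -split ';'
            if ($f[0] -eq 'A' -and $f[5] -eq 'WD') {
                [pscustomobject]@{
                    Printer = $p.Name
                    Flags   = $f[1]     # OIIO = inherit-only ACE that applies to documents, not the printer
                    Rights  = $f[2]
                    Manage  = ($f[2] -match 'WD|WO')
                }
            }
        }
    }
}

Get-PrinterEveryoneAce -Printers (Get-Printer -Full) | Format-Table -AutoSize
```

For the managers' queue, replace the Everyone ACE with one for the managers' group (Set-Printer -PermissionSDDL); priority alone does not stop an employee from printing to the high-priority queue.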
12) What is a printer?
Ans: A printer is software which acts as an interface between the print device and the operating system.
13) What is a print device?
Ans: A print device is the hardware component attached to the system that prints the documents.
14) What is a local print device?
Ans: A print device attached to the local system.
15) What is a network print device?
Ans: A print device that is reached over the network.
16) What is a print server?
Ans: The computer responsible for managing the print queues for a group of printers.
17) What is a print queue?
Ans: The collection of print jobs waiting to be printed by a specific printer.
DHCP (Dynamic Host Configuration Protocol), UDP ports 67 (server) and 68 (client)
1) What is DHCP?
Ans: DHCP is a TCP/IP protocol that provides a way to dynamically allocate IP addresses (and options such as subnet mask, default gateway and DNS servers) to computers on the network.
2) Advantages of DHCP?
Ans: Centrally manages IP address allocation
Helps prevent address conflicts
Reduces administrative effort
Helps conserve IP addresses (leases expire and are reused)
3) What is a scope?
Ans: A range of IP addresses, with its options, from which the server assigns addresses to computers requesting a dynamic IP address.
4) What is authorization?
Ans: A security precaution that ensures only authorized DHCP servers run in the network: a Windows DHCP server that is a domain member checks Active Directory at startup and stops serving leases unless its address is listed there. It is meant to stop rogue DHCP servers, which can hand clients a malicious default gateway or DNS server. It controls only Windows DHCP servers, so a rogue non-Windows server must still be found on the wire.
5) We've installed a new Windows-based DHCP server, but the users do not seem to be getting DHCP leases from it.
Ans: The server must first be authorized in Active Directory (by a member of Enterprise Admins).
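Since authorization only governs Windows servers, a rogue server has to be spotted by comparing where clients actually got their lease with the authorized list. The following is an added example, not part of the original page: the comparison is a plain function run first on constructed data, and the DhcpServer module (RSAT) and CIM calls that collect real input are shown at the end; all addresses and names are made up.

```powershell
# Added example (not from the original page): compare the DHCP servers clients
# are actually leasing from with the list authorized in Active Directory, to
# spot a rogue server. Requires the DhcpServer module only for the real-data
# commands at the bottom.
function Find-RogueDhcpServer {
    param(
        [Parameter(Mandatory)][string[]]$Authorized,     # server IPs from Get-DhcpServerInDC
        [Parameter(Mandatory)][object[]]$ClientConfigs   # objects with Description, DHCPServer, IPAddress
    )
    $authSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$Authorized)
    foreach ($c in $ClientConfigs) {
        if (-not $c.DHCPServer) { continue }             # static address or no lease
        [pscustomobject]@{
            Adapter    = $c.Description
            Leased     = $c.IPAddress
            DhcpServer = $c.DHCPServer
            Rogue      = -not $authSet.Contains($c.DHCPServer)
        }
    }
}

# Constructed sample data (not from a real network).
$authorized = @('10.0.0.10', '10.0.0.11')
$configs = @(
    [pscustomobject]@{ Description = 'Intel NIC';     DHCPServer = '10.0.0.10';   IPAddress = '10.0.1.57' }
    [pscustomobject]@{ Description = 'Wi-Fi';         DHCPServer = '192.168.4.1'; IPAddress = '192.168.4.20' }
    [pscustomobject]@{ Description = 'Mgmt (static)'; DHCPServer = $null;         IPAddress = '10.0.9.5' }
)
Find-RogueDhcpServer -Authorized $authorized -ClientConfigs $configs | Format-Table -AutoSize

# Real input. On a domain member with the DhcpServer module:
#   $authorized = (Get-DhcpServerInDC).IPAddress.IPAddressToString
# On any Windows client, the server that granted each adapter's lease:
#   $configs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled = TRUE' |
#       Select-Object Description, DHCPServer, @{ n = 'IPAddress'; e = { $_.IPAddress | Select-Object -First 1 } }
# To authorize a new Windows DHCP server (Enterprise Admins):
#   Add-DhcpServerInDC -DnsName dhcp02.corp.example -IPAddress 10.0.0.12
```

Run the client-side collection from a machine on each subnet, because a rogue server only answers the broadcasts it can hear; DHCP snooping on the switches is the durable fix once the rogue is located.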
6) How can you force the client to give up its DHCP lease if you have access to the client PC?
Ans: ipconfig /release (then ipconfig /renew to obtain a new one)
7) Cannot find DHCP server
Ans: Cause: the DHCP service is stopped or disabled, the server is not authorized, or there is no DHCP relay agent on the client's subnet.
8) How to restore or move a DHCP database to another computer
Ans: The DHCP database is contained in the Dhcp.mdb file located in %SystemRoot%\System32\Dhcp. The DHCP server uses this file to record and store information about active leases and reservations. After installing DHCP on the new server, stop the DHCP Server service, copy Dhcp.mdb (and the log files from the same folder) into that location, then start the service. On Windows Server 2003 the supported method is netsh dhcp server export / import, which carries the configuration as well.
9) Describe how a DHCP lease is obtained. It's a four-step process (DORA) consisting of
Ans: (a) DHCPDISCOVER (client broadcast), (b) DHCPOFFER (server offer), (c) DHCPREQUEST (the client selects one offer) and (d) DHCPACK (server acknowledgement).
10) What is a superscope?
Ans: A superscope groups several scopes so that addresses can be assigned to DHCP clients that reside on multiple logical subnets on the same physical network segment.
11) What is a multicast scope?
Ans: A multicast scope contains a range of class D multicast IP addresses and is used to assign these addresses (via MADCAP) to client computers that request them.
12) What is the difference between a scope and a superscope?
Ans: A scope is assigned a range of IP addresses for DHCP clients on a single subnet, whereas a superscope is a container for several scopes and serves clients on multiple subnets (multinets).
13) What is BOOTP?
Ans: The Bootstrap Protocol, the predecessor of DHCP. DHCP extends BOOTP and uses the same UDP ports 67 and 68, so a Windows DHCP server can also answer BOOTP clients.
14) What is the range of a multicast scope?
Ans: Only IP addresses in the class D range 224.0.0.0 to 239.255.255.255.
DNS (Domain Name System), port 53 (UDP for queries; TCP for zone transfers and large responses)
What is the difference between WINS and DNS?
Ans: WINS resolves NetBIOS names to IP addresses, whereas DNS resolves host names to IP addresses.
1) List the types of DNS servers/zones.
Ans: Standard primary, standard secondary, Active Directory-integrated, stub (Windows 2003), caching-only (hosts no zones) and root.
4) What is the primary purpose of DNS?
Ans: Host name resolution.
5) What is the start of authority (SOA) record?
Ans: It identifies the primary server and the responsible person for the zone and carries the serial number, which increases with every modification to the zone and tells secondaries when a zone transfer is needed, plus the refresh, retry, expire and minimum TTL values.
6) What is Dynamic DNS?
Ans: Clients (and the DHCP server on their behalf) register and update their own host (A), PTR and service (SRV) records automatically using the dynamic update protocol. Zones should allow secure dynamic updates only (available for Active Directory-integrated zones); otherwise any host on the network can overwrite another host's record.
7) What is the maximum character size of a DNS name?
Ans: 63 characters per label, 255 characters for the full FQDN.
What is the maximum character size of a WINS (NetBIOS) name?
Ans: 15 characters (the 16th byte identifies the service type).
9) What is a zone or zone file?
Ans: A zone is a database for either a DNS domain or for a DNS domain and one or more of its subdomains. This database is stored in a special text file called the zone file (or in Active Directory for AD-integrated zones).
11) Why are multiple DNS servers created for the same zone?
Ans: Load balancing and fault tolerance.
12) What is a caching-only server?
Ans: A caching-only server does not host any zones. It resolves host names to IP addresses for client computers and stores the resulting mappings in its cache, so it can answer repeated queries without contacting other DNS servers. The cache is temporary storage of resolved information, not a zone.
13) What is zone transfer?
Ans: The process of copying a zone from a master server to a secondary DNS server. Transfers should be restricted to the servers listed in the zone's NS records; an open zone transfer hands an attacker a complete map of the network.
14) What is a master DNS server?
Ans: The DNS server from which a secondary obtains its copy of the zone; it holds a master copy of the zone and may itself be the primary or another secondary.
15) What are forwarders?
Ans: A forwarder is a DNS server to which other servers send the queries they cannot resolve from their own zones, typically so that only one server talks to the Internet while internal name resolution stays internal.
17) Which protocol is supported by the DNS server for record updates?
Ans: The DNS dynamic update protocol (RFC 2136).
18) What are the four subdomains under which Active Directory registers its service (SRV) records?
Ans: _msdcs, _sites, _tcp, _udp
19) What are the six Active Directory DNS subfolders in Win 2003?
Ans: _msdcs (Microsoft domain controller services): SRV records identifying which domain controllers host the domain, the global catalog and the PDC emulator, plus each DC's GUID-based CNAME record.
_sites: SRV records grouped by Active Directory site, so that clients find the nearest DC.
_tcp and _udp: SRV records for the services (LDAP, Kerberos, GC, kpasswd) that clients use to reach Active Directory over those protocols.
DomainDnsZones and ForestDnsZones: application directory partitions holding AD-integrated zone data replicated to the DNS servers of the domain or of the whole forest.
19) What is a resource record?
Ans: The entries in a zone are called resource records. An entry may be, for example, a host name to IP address mapping (A record).
20) What is the primary thing you have to do on a DNS server before it starts resolving host names?
21) When would you configure a root DNS server?
Ans: A root server should be used only when a network is not connected to the Internet, or when it is connected to the Internet only through a proxy server (so clients never need Internet name resolution from DNS).
22) What is a forward lookup zone?
Ans: Resolves host names to IP addresses.
23) What is a reverse lookup zone?
Ans: Resolves IP addresses to host names (PTR records in in-addr.arpa).
24) What is a standard primary zone?
Ans: A standard primary DNS server stores DNS entries (host to IP address mappings and other DNS resource records) in a zone file maintained on the server. The primary server maintains the master copy of the zone file; when changes need to be made to the zone they must be made on the standard primary server.
25) What is a standard secondary zone?
Ans: A standard secondary DNS server stores a read-only copy of the zone obtained from the master server by zone transfer.
26) What is a root server?
Ans: A root server contains a copy of the zone for the root domain, either the root domain of the Internet or the root domain of a company's private, internal network. The purpose of a root server is to enable the other DNS servers on the network to find the second-level domains.
Note: A root server should be used only when a network is not connected to the Internet, or when it is connected to the Internet only through a proxy server.
27) What is round robin?
Ans: Round robin is used when multiple servers (such as web servers) have identical configurations and the same host name but different IP addresses; the server rotates the order of the addresses in successive answers.
28) Can you configure a root server to use a forwarder?
Ans: No. A server that hosts the root zone considers itself authoritative for everything, so the forwarder option is not available.
29) What are root hints?
Ans: Root hints are server name and IP address pairs that point to the root servers, located either on the Internet or on your organization's private network.
The Root Hints tab lists the DNS servers this server can contact to resolve client queries it cannot answer itself.
By default it holds the information for the 13 Internet root servers.
32) What is an Active Directory-integrated zone?
Ans: An Active Directory-integrated DNS server is just like a standard primary except that the DNS entries are stored in the Active Directory data store rather than in a zone file. Active Directory supports multi-master replication, so changes to the zone can be made on any Active Directory-integrated DNS server that contains the zone, and secure dynamic updates become available.
33) What is a simple query?
Ans: A simple query is a query that the DNS server can resolve without contacting any other DNS servers.
34) What is a recursive query?
Ans: A recursive query asks the DNS server for a complete answer; if the server cannot resolve it from its own zones or cache, it must contact one or more additional DNS servers (iteratively, starting from the root hints or a forwarder) on the client's behalf. Recursion should be disabled on servers that face the Internet and only need to answer for their own zones; otherwise they can be abused as open resolvers.
35) What is scavenging?
Ans: Scavenging is the process of searching for and deleting stale resource records in a zone (records that were registered dynamically and not refreshed within the aging period).
PTR: pointer resource record
SRV: service locator resource record
36) What is SRV?
Ans: Used to map a specific service (over TCP/IP) to the list of servers that provide that service.
37) What is CNAME?
Ans: Alias resource record, used to map an additional host name to the actual (canonical) name of the host.
38) What is a stub zone in 2003?
Ans: A stub zone contains only the SOA record, the name server (NS) records and the glue A records of the authoritative servers for a zone. It lets a DNS server know which servers are authoritative for a delegated or foreign zone and keep that list current, without holding a full copy of the zone.
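The settings that matter most from the questions above (zone transfer restriction in 13, secure dynamic updates in 6 and 32, recursion in 34, scavenging in 35) can be audited in one pass. The following is an added example, not part of the original page: the checks are a plain function run first on constructed zone objects shaped like Get-DnsServerZone output, and the DnsServer module calls (Windows Server 2012 and later) that feed it real data and remediate are shown at the end; the zone names are made up.

```powershell
# Added example (not from the original page): audit the zones on a Windows DNS
# server for open zone transfers, non-secure dynamic updates, missing aging, and
# recursion left on for a server that should only be authoritative.
function Test-DnsZoneHardening {
    param(
        [Parameter(Mandatory)][object[]]$Zones,     # objects shaped like Get-DnsServerZone output
        [bool]$RecursionEnabled = $true,            # from (Get-DnsServerRecursion).Enable
        [bool]$ServerIsResolverForClients = $true   # $false for an Internet-facing authoritative server
    )
    $findings = @(foreach ($z in $Zones) {
        if ($z.ZoneType -eq 'Primary' -and $z.SecureSecondaries -eq 'TransferAnyServer') {
            [pscustomobject]@{ Zone = $z.ZoneName; Finding = 'zone transfer allowed to any server'
                               Fix  = "Set-DnsServerPrimaryZone -Name $($z.ZoneName) -SecureSecondaries TransferToZoneNameServer" }
        }
        if ($z.ZoneType -eq 'Primary' -and $z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $fix = if ($z.IsDsIntegrated) { "Set-DnsServerPrimaryZone -Name $($z.ZoneName) -DynamicUpdate Secure" }
                   else { "ConvertTo-DnsServerPrimaryZone -Name $($z.ZoneName) -ReplicationScope Domain, then -DynamicUpdate Secure" }
            [pscustomobject]@{ Zone = $z.ZoneName; Finding = 'non-secure dynamic updates accepted'; Fix = $fix }
        }
        if ($z.ZoneType -eq 'Primary' -and $z.DynamicUpdate -ne 'None' -and -not $z.Aging) {
            [pscustomobject]@{ Zone = $z.ZoneName; Finding = 'dynamic zone without aging; stale records are never scavenged'
                               Fix  = "Set-DnsServerZoneAging -Name $($z.ZoneName) -Aging `$true" }
        }
    })
    if ($RecursionEnabled -and -not $ServerIsResolverForClients) {
        $findings += [pscustomobject]@{ Zone = '(server)'; Finding = 'recursion enabled on an authoritative-only server (open resolver)'
                                        Fix  = 'Set-DnsServerRecursion -Enable $false' }
    }
    $findings
}

# Constructed sample zones (not from a real server); property names match Get-DnsServerZone.
$sampleZones = @(
    [pscustomobject]@{ ZoneName = 'corp.example';    ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'Secure';             SecureSecondaries = 'TransferToZoneNameServer'; Aging = $true  }
    [pscustomobject]@{ ZoneName = 'lab.example';     ZoneType = 'Primary'; IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure'; SecureSecondaries = 'TransferAnyServer';        Aging = $false }
    [pscustomobject]@{ ZoneName = '10.in-addr.arpa'; ZoneType = 'Primary'; IsDsIntegrated = $true;  DynamicUpdate = 'Secure';             SecureSecondaries = 'NoTransfer';               Aging = $false }
    [pscustomobject]@{ ZoneName = 'partner.example'; ZoneType = 'Stub';    IsDsIntegrated = $true;  DynamicUpdate = 'None';               SecureSecondaries = 'NoTransfer';               Aging = $false }
)
Test-DnsZoneHardening -Zones $sampleZones -RecursionEnabled $true -ServerIsResolverForClients $false | Format-List

# Against a real server (run on it, or add -ComputerName to the DnsServer cmdlets):
#   $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
#   Test-DnsZoneHardening -Zones $zones -RecursionEnabled (Get-DnsServerRecursion).Enable
# Zone aging does nothing until scavenging is also enabled at the server level:
#   Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
```

Leave recursion on for the internal servers that clients actually use as resolvers; the open-resolver finding is only meaningful for a server whose job is to answer for its own zones from outside.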
The properties of the DNS server, Advanced tab:
Disable recursion (also disables forwarders):
By default this option is unchecked, meaning the server will recurse on behalf of clients; checking it makes the server answer only from its own zones and cache.
BIND secondaries:
Controls the zone transfer format used when a secondary is a BIND server. Checked, the server sends transfers in the slower uncompressed format that BIND versions earlier than 4.9.4 understand; unchecked, it uses the fast compressed transfer format.
Fail on load if bad zone data:
Unchecked, a zone is loaded even if it contains errors; checked, a zone with bad data will not be loaded.
Enable round robin:
When a name has several A records, successive answers rotate the order of the addresses so that load is spread across all of them.
Enable netmask ordering:
When a name has several A records, the address on the same subnet as the querying client is returned first; useful for a multihomed server (one with multiple NICs) answering clients on different subnets.
Ans:
Win NT
Win 2000
No concept of Active directory
Concept of Active directory
PDC,BDC--(read only copy)
DC,ADC--(read ,write copy)
Database stored in SAM(fixed size-40 MB)
Database stored in NTDS.DIT(Not fixed)
Not supported RIS
Supported RIS
2) What is the Difference between Win 2000 and Win 2003?
Ans:
Win 2000
Win 2003
Can’t rename the Domain
Can rename the Domain
No authorization with DHCP
Authorization with DHCP
Can’t create new domain tree in existing forest
Can create new domain tree in existing forest
3) What are the versions in Win 2000?
Ans: win 2000 server and win adv 2000 server and win 2000 Data center server.
4) What are the versions in Win 2003?
Ans: standard version and enterprise version and web version and data center server
5) How much RAM, Processor supported by Win 2000 versions?
Ans: 2000Server: 4GBRAM, 4 Processors, 2000Advanced server: 8GB RAM, 8 Processors, data center server: 64 GB RAM, 32 Processors
6) How much RAM, Processors supported by Win 2003 versions?
Ans: standard – 4Gb , Web- 2 Gb,2 Proce, Enterprise-32 Gb,8 Processors, Data Center – 64 Gb, 32 processors
7) What is the diff between win 2000server and Advanced server?
Ans: Network load balancing and clustering
8) Can I rename the win 2003 DC?
Ans: If you have a Windows 2003 DC, you can use the Netdom tool to rename the DC. The Netdom provides a secure and supported methodology to rename one or more domains. You can find the tool from the Windows 2003 installation CD-ROM
9) What is Privilege mode?
Ans: A protected Memory Space Allocated for the win 2000 kernel that cannot be directly accessed by software applications.
9) In win2000, what is the partition Size, File Size in FAT 16?
Ans: 4 GB partition size and 2 GB File Size.
10) In win2000, what is the partition Size, File Size in FAT 32?
Ans: 2 GB to 2 TB partition size and 4GB file Size
11) In win2000, what is the Partition Size, File Size in NTFS?
Ans: 2 TB Partition size, File size is theoretically 16 Exabytes.
12)what is the difference between FAT and NTFS?
Ans:FAT does not support Data compression and encryption
13) what is the difference between win98 and Windows XP?
Supports Fat16 and Fat32
Supports Fat16 and Fat32,NTFS
No disk quotas
Disk quotas
Only Disk compression
Supports Data compression and encryption
No remote assistance and remote desktop
remote assistance and remote desktop
14)What is System restore?
15)What is the difference between Basic Disk and dynamic Disk?
16)Can you convert dynamic to basic?
17)What is the difference between system restore and last known configuration?
18)What is the difference between remote assistance and remote desktop?
19)What is the difference between IP4.0 and IP 6.0?
20)what is the difference between router and switch?
21)what is the difference between switch and hub?
22) Hub works in which layer?
23) switch works in which Layer?
24) router works in which Layer?
25) Describe all layers?
26)what is the port numbers of FTP,SMTP,Telnet,SMTP,DNS,DHCP,POP3,TFTP,SNTP?
PROFILES
1) What is profile?
Ans: Windows maintains a group of settings for each individual user that logs into he system. This group setting is known as a user ‘profile’.
2) Where are the documents and settings for the roaming profile stored?
Ans: All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
3) What is Roaming and Mandatory profile?
Ans: Roaming user profile: A user profile that is copied to a network server so that it can be downloaded each workstation where the user logon
Mandatory profile: A user profile set up by the server administrator that is loaded from the server to the client each times the user logon. Changes that user makes to the profile are not saved
Active directory:
1) What is the organizational unit?
Ans: OU are additional container objects that can store users, computers, groups&other OU’s.
2) What is the use of organizational unit?
Ans: Uses:
1) To control replication traffic
2) To make authentication faster and more efficient.
3) To locate the nearest server providing directory enabled services
3) What is the active directory?
Ans: Active directory is a centralized hierarchical directory database and it’s a directory service which contains information of all user accounts and shared resources on a network.
4) What are the main roles in active directory?
Ans: FSOM stands for flexible Single operation Master
:1)Domain naming master
2)Schema master
3)PDC Emulator
4) RID master
5)Infrastructure master
5) What is the location & file system type where the active directory
Information is installed?
Ans: On NTFS partition, c:\windows\ntds.dit&c:\windows\sysvolv.
6) For the replication between DC&ADC some file are used, what is the location of that Directory?
Ans: c:\windows\sysvolv.
7) What is Kerberos?
Ans: This protocol is an Internet-standard authentication protocol that provides a higher level of security and is more efficient than Windows NT LAN Manager.
8) What is Windows NT LAN Manager (NTLM)?
Ans: This protocol enables users of Windows 95, Windows 98 and Windows NT client computers to be authenticated to Windows 2000 domains. This protocol is only available when Windows 2000 Active Directory is configured to operate in mixed mode.
9) Which protocol plays the security role for authentication in 2000 and 2003?
Ans: Kerberos
10) What is the version of Kerberos in the 2003 OS?
Ans: Kerberos v 5.5
11) What is the protocol used by Active Directory to perform its functions?
Ans: LDAP (Lightweight Directory Access Protocol), based on TCP/IP.
12) What is the command that displays the DC, ADC and member servers?
Ans: Net accounts.
13) What is the command to make a server a domain controller in Windows 2000 and 2003?
Ans: DCPROMO
14) What type of backup is used to back up Active Directory?
Ans: System State data backup.
15) What command-line utility is used on Windows 2000 domain controllers before they are upgraded to Windows 2003 domain controllers?
Ans:
1) adprep /forestprep
(This command must be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 AD.)
2) adprep /domainprep
(Issued on the infrastructure master of the domain to be deployed on Windows 2003 server.)
Note: the adprep tool is in the i386 directory of the Windows 2003 CD-ROM.
POLICIES:
1) What is Group Policy?
Ans:
2) Does Windows NT support Group Policy?
Ans: No, it supports only System Policy.
3) What is System Policy?
4) What is the difference between System Policy and Group Policy?
5) What is the policy order?
Ans: Local Group Policy - Site level policy - Domain level policy - Organizational unit level policy
6) Is Group Policy applicable to Windows 98, Windows 95 and Windows NT workstations?
Ans: No, only System Policy applies to them.
7) In Windows NT, where are policies stored?
Ans: NTCONFIG.POL
8) Suppose your server is Windows 2000 and the clients are Windows 98 and Windows 95; which policy applies, and where is it stored?
Ans: System Policy; the policies are stored in CONFIG.POL
9) In Windows 2000, after assigning policies, which command updates them?
Ans: secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
10) In Windows 2003, after assigning policies, which command updates them?
Ans: gpupdate
11) What is the order in which Group Policy is applied?
Ans: Local - Site level - Domain level - Organizational unit
BACKUP:
1) What is user data?
2) What is System State data?
3) What are the three primary tasks you can perform using Backup?
4) What is an emergency repair disk?
5) Who can take a backup?
6) What are the two types of restore you can perform on Active Directory?
Ans: Authoritative, non-authoritative.
7) List three Windows 2000 tools used to recover from a system failure.
8) What is the tool used to create an ERD?
Ans: The Backup program.
9) Which type of backup reduces the time needed to take a backup daily?
Ans: Incremental backup takes the least amount of time.
10) Which Windows 2000 tool is used to restore user data on a DC?
Ans: Backup.
11) What is the command used to add the Recovery Console to the boot loader menu?
Ans: winnt32 /cmdcons
12) What commands are used to perform an authoritative restore before booting?
Ans: ntdsutil
authoritative restore
restore database
restore subtree
13) In what mode do you restore System State data or the Active Directory database?
Ans: Directory Services Restore Mode.
14) What is the extension used for a backup file?
Ans: .bkf
15) Name the five standard types of backups.
Ans: Normal, daily, incremental, differential, copy.
16) Is it possible to back up and restore data on a network drive?
Ans: Yes, it is possible.
17) Is it possible to restore System State data on networked PCs?
Ans: No, it is not possible.
18) What is non-authoritative?
Ans:
19) What is a normal backup?
Ans: It is a full and complete backup that backs up all selected files and folders. It clears the archive bit on the backed-up files and folders.
20) What is a copy backup?
Ans: A copy backup backs up all selected files and folders, but it does not clear or otherwise affect the archive bit.
21) What is incremental?
Ans: It backs up all selected files and folders that have changed since the last normal or incremental backup. It clears the archive bit on the backed-up files and folders.
It is not cumulative. It takes less time to back up, but multiple backup sets are required at restore time.
22) What is a differential backup?
Ans: It backs up all selected files and folders that have changed since the last normal backup.
It does not clear the archive bit. It is a cumulative backup. It takes more time to back up; the last backup set is used to restore.
23) What is a daily backup?
Ans: A daily backup backs up all selected files and folders that have changed during the day the backup is made.
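As an added example (not from the original notes), the PowerShell below models how the five backup types treat the archive bit and runs a three-day week twice, once with incrementals and once with differentials, to show why a full restore from the two strategies needs different sets. The file names and the change pattern are constructed sample data.

```powershell
# Added example, not from the original notes. Models the archive-bit behaviour of the
# Windows Backup types and the restore set each strategy needs. All data is constructed.

$script:ArchiveBit = @{}   # file name -> $true while the file has changed since the bit was last cleared

function Set-FileChanged {
    param([string[]]$Files)
    foreach ($f in $Files) { $script:ArchiveBit[$f] = $true }   # Windows sets the bit on every write
}

function Invoke-Backup {
    param(
        [ValidateSet('Normal', 'Copy', 'Incremental', 'Differential', 'Daily')][string]$Type,
        [string[]]$Selected,
        [string[]]$ChangedToday = @()
    )
    switch ($Type) {
        # Normal and Copy take everything selected; only Normal clears the archive bit
        'Normal'       { $taken = $Selected; $clears = $true }
        'Copy'         { $taken = $Selected; $clears = $false }
        # Incremental and Differential take only files with the bit set; only Incremental clears it
        'Incremental'  { $taken = @($Selected | Where-Object { $script:ArchiveBit[$_] }); $clears = $true }
        'Differential' { $taken = @($Selected | Where-Object { $script:ArchiveBit[$_] }); $clears = $false }
        # Daily selects by modification date rather than by archive bit and leaves the bit alone
        'Daily'        { $taken = @($Selected | Where-Object { $ChangedToday -contains $_ }); $clears = $false }
    }
    if ($clears) { foreach ($f in $taken) { $script:ArchiveBit[$f] = $false } }
    [pscustomobject]@{ Type = $Type; Files = @($taken) }
}

function Get-RestoreSets {
    # Returns the sets (oldest first) needed for a full restore from a history of backups
    param([object[]]$History)
    $lastNormalIdx = -1
    for ($i = 0; $i -lt $History.Count; $i++) { if ($History[$i].Type -eq 'Normal') { $lastNormalIdx = $i } }
    if ($lastNormalIdx -lt 0) { throw 'No normal backup in history; nothing to restore from' }
    $sets = @($History[$lastNormalIdx])
    $lastDiff = $null
    for ($i = $lastNormalIdx + 1; $i -lt $History.Count; $i++) {
        switch ($History[$i].Type) {
            'Incremental'  { $sets += $History[$i] }      # every incremental in the chain is needed
            'Differential' { $lastDiff = $History[$i] }   # only the most recent differential is needed
        }
    }
    if ($lastDiff) { $sets += $lastDiff }
    return $sets
}

$files = 'payroll.xls', 'report.doc', 'notes.txt'
foreach ($strategy in 'Incremental', 'Differential') {
    $script:ArchiveBit = @{}
    Set-FileChanged $files                                        # fresh files all carry the bit
    $history = @(Invoke-Backup -Type Normal -Selected $files)     # Monday: full backup
    Set-FileChanged 'payroll.xls'                                 # Tuesday's change
    $history += Invoke-Backup -Type $strategy -Selected $files
    Set-FileChanged 'report.doc'                                  # Wednesday's change
    $history += Invoke-Backup -Type $strategy -Selected $files

    "--- $strategy strategy ---"
    foreach ($b in $history) { '{0,-12} {1}' -f $b.Type, ($b.Files -join ', ') }
    'Restore needs: ' + ((Get-RestoreSets -History $history | ForEach-Object { $_.Type }) -join ' + ')
}
```

The incremental run ends with three sets to restore (Normal + Incremental + Incremental), the differential run with two (Normal + the last Differential), which is the trade-off questions 21 and 22 describe.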
24) Backup utility advanced mode features?
Ans: 1) Backup wizard
2) Restore wizard
3) ERD
25) Backup Wizard options:
Back up everything.
Back up selected files and drives.
Only back up System State data.
26) What is non-authoritative?
Tape drives & models:
Drive       HP DDS3 DAT tape drive     HP DDS3 DAT tape drive
Model       C1537                      C1537E
Interface   SCSI internal, 50-pin      SCSI external, 50-pin
Capacity    12/24 GB                   12/24 GB
Print Management & Administration
1) What is a printer in Windows 2000 terminology?
Ans: It is the software interface between the Windows 2000 OS and the device that produces the printed output.
2) Which Windows 2000 printing term is defined as a printer that has multiple ports and multiple print devices assigned to it?
Ans: Printer pool
3) Name three printer permissions.
Ans: Print, Manage Documents, Manage Printers
4) What is EMF?
5) Print process:
Ans:
1. The user starts the print process from an application (e.g. MS Word); the print job is the data and commands needed to print the document.
2. The graphical interface (GDI) sends a request to the printer driver.
3. The driver converts the file into EMF or RAW and passes it back to GDI.
4. The Windows 2000 spooler determines whether the printer is local or network.
5. Local printer: local print provider -> print processor -> print monitor, which communicates directly with the print device.
6. Network printer: network print provider -> spooler on the print server (HDD) -> print processor -> print monitor -> print device.
6) What is the print spooler?
Ans: The print spooler is a temporary storage area for print jobs waiting to be sent to a print device: Systemroot\system32\spool\printers
7) Who can add and manage printers?
Ans: Administrators or Power Users (built-in groups)
8) Adding a printer on a remote computer
Ans: Start Windows Explorer > click My Network Places > Entire Network > domain or workgroup > select the computer > highlight the Printers folder > double-click the Printers folder.
9) Adding printers to a printer pool
Ans: Ports: 1) LPT1 2) LPT2 3) LPT3; enable printer pooling.
10) Printer priorities
Ans: 99 is the highest (for managers)
1 is the lowest (for employees)
Note: if managers and employees send print jobs to the same print device you can set priorities.
11) Print permissions are:
Print: send print jobs to the printer only.
Manage Documents: resume, restart and delete print jobs.
Manage Printers: perform all tasks; also share printers, change spooler settings and assign printer permissions.
12) What is a printer?
Ans: A printer is software which acts as an interface between the print device and the operating system.
13) What is a print device?
Ans: A print device is a hardware component attached to the system to print documents.
14) What is a local print device?
Ans: A print device attached to the local system.
15) What is a network print device?
Ans: A print device that is available on the network.
16) What is a print server?
Ans: The computer responsible for managing the print queues for a group of printers.
17) What is a print queue?
Ans: The collection of print jobs waiting to be printed by a specific printer.
DHCP (Dynamic Host Configuration Protocol) port: 67
1) What is DHCP?
Ans: DHCP is a TCP/IP protocol that provides a way to dynamically allocate IP addresses to computers on the network.
2) Advantages of DHCP?
Ans: Centrally manages IP address allocation
Helps prevent address conflicts
Reduces administrative effort
Helps conserve IP addresses
3) What is a SCOPE?
Ans: It is a range of IP addresses which is assigned to computers requesting a dynamic IP address.
4) What is authorization?
Ans: It is a security precaution that ensures that only authorized DHCP servers can run in the network, to prevent computers from running illegal DHCP servers in the network.
5) We've installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases from it.
Ans: The server must be authorized first in Active Directory.
6) How can you force the client to give up the DHCP lease if you have access to the client PC?
Ans: ipconfig /release
7) Cannot find DHCP server
Ans: Cause: the DHCP service is stopped or disabled.
8) How to restore or move a DHCP server to another computer
Ans: The DHCP database is contained in the Dhcp.mdb file located in the %SystemRoot%\System32\Dhcp folder. The DHCP server uses this file to record and store information about active leases and reservations. After you install a new DHCP server, you can copy Dhcp.mdb into the above-mentioned location.
9) Describe how the DHCP lease is obtained.
Ans: It is a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
10) What is a superscope?
Ans: A superscope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
11) What is a multicast scope?
Ans: A multicast scope contains a range of class D multicast IP addresses, and is used to assign these addresses to client computers that request them.
12) What is the difference between a scope and a superscope?
Ans: A scope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on a single subnet, whereas a superscope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
13) What is BOOTP?
14) What is the range of a multicast scope?
Ans: Only the IP address range from 224.0.0.0 to 239.255.255.255
DNS (Domain Naming Service) port: 53
What is the difference between WINS and DNS?
Ans: WINS resolves NetBIOS names to IP addresses, whereas DNS resolves host names to IP addresses.
1) List the types of DNS servers.
Ans: Standard primary, standard secondary, Active Directory-integrated zone, root
4) What is the primary purpose of DNS?
Ans: Host name resolution.
5) What is start of authority?
Ans: It contains the serial number, which indicates the modifications made to the zone.
6) What is Dynamic DNS?
Ans: Dynamically updates the service records.
7) What is the maximum character size of a DNS name?
Ans: 63
What is the maximum character size of a WINS name?
9) What is a zone or zone file?
Ans: A zone is a database for either a DNS domain or for a DNS domain and one or more of its subdomains. This storage database is a special text file called the zone or zone file.
11) Why are multiple DNS servers created for the same zone?
Ans: Load balancing, fault tolerance.
12) What is a caching-only server?
Ans: Caching-only servers do not store any zones; they resolve host names to IP addresses for client computers and store the resulting mapping information in their cache. The DNS server then provides the cached information to client computers without contacting other DNS servers to resolve the query.
It is temporary storage of zone information.
13) What is zone transfer?
Ans: The process of copying a zone to a standard DNS server is called zone transfer.
14) What is a master DNS server?
Ans: The DNS server that contains the master copy of the zone information is called the master DNS server.
15) What are forwarders?
Ans: Queries one server cannot answer are forwarded to another DNS server, which acts as a forwarder for internal name resolution.
17) Which protocol is supported by the DNS server?
Ans: Dynamic Update protocol.
18) What are the four service records?
Ans: _msdcs, _sites, _tcp, _udp
19) What are the six service records in Windows 2003?
Ans: _msdcs (Microsoft Domain Controller Services): contains the information about which domain controller is hosting the zone.
_sites: in which site the zone has been configured.
_tcp & _udp: the two protocols responsible for communicating with Active Directory.
DomainDnsZones & ForestDnsZones: in which domain and forest the DNS information has been configured.
19) What is a resource record?
Ans: The entries in a zone are called resource records. An entry may be a host name to IP address mapping.
20) What is the primary thing you have to do on a DNS server before it starts resolving host names?
21) When will you configure a root DNS server?
Ans: A root server should be used only when a network is not connected to the internet, or when a network is connected to the internet by using a proxy server.
22) What is a forward lookup zone?
Ans: Resolves host names to IP addresses.
23) What is a reverse lookup zone?
Ans: Resolves IP addresses to host names.
24) What is a standard primary zone?
Ans: A standard primary DNS server stores DNS entries (IP address to host mapping and other DNS resource records) in a zone file that is maintained on the server. The primary server maintains the master copy of the zone file. When changes need to be made to the zone, they should be made only on the standard primary server.
25) What is a standard secondary zone?
Ans: A standard secondary DNS server stores copies of zones from the standard primary.
26) What is a root server?
Ans: A root server contains a copy of the zone for the root domain - either the root domain for the internet, or the root domain for a company's private, internal network. The purpose of the root server is to enable other DNS servers on a network to access the second-level domains on the internet.
Note: A root server should be used only when a network is not connected to the internet, or when a network is connected to the internet by using a proxy server.
27) What is round robin?
Ans: Round robin is used when multiple servers (such as web servers) have identical configurations and identical host names, but different IP addresses.
28) Can you configure a root server to use a forwarder?
Ans: No.
29) What are root hints?
Ans: Root hints are server name and IP address combinations that point to the root servers located either on the internet or on your organization's private network.
The Root Hints tab contains the list of DNS servers that can be contacted to resolve client DNS queries.
It maintains all the information of the 13 root servers.
32) What is an Active Directory-integrated zone?
Ans: An Active Directory-integrated DNS server is just like a standard primary, except that DNS entries are stored in the Active Directory data store rather than in a zone file. Active Directory supports multi-master replication, so when changes need to be made to the zone they can be made on any Active Directory-integrated DNS server that contains the zone.
33) What is a simple query?
Ans: A simple query is a query that the DNS server can resolve without contacting any other DNS servers.
34) What is a recursive query?
Ans: A recursive query is a query that the DNS server cannot resolve itself; it must contact one or more additional DNS servers to resolve the query.
35) What is scavenging?
Ans: Scavenging is the process of searching for and deleting stale resource records in a zone.
PTR: pointer resource record
SRV: service locator resource record
36) What is SRV?
Ans: Used to map a specific service (TCP/IP) to the list of servers that provide that service.
37) What is CNAME?
Ans: Alias resource record; used to map an additional host name to the actual name of the host.
38) What is a stub zone in 2003?
Ans: A stub zone contains the name server and start of authority information for the zone. It gives the information on which system, on which server and in which domain DNS has been configured.
The properties of DNS in the Advanced tab:
Disable recursion (also disables forwarders):
By default this option is unchecked, meaning that recursion is enabled.
BIND secondaries:
BIND is responsible for the zone transfers between the primary and secondary (replication between primary and secondary).
Fail on load if bad zone data:
By default this option is unchecked, meaning that even if the zone contains some errors it will be loaded; if it is checked, the zone will not be loaded.
Enable round robin:
If the same zone is present in the same subnet, the query is passed on in round-robin fashion until it gets resolved.
Enable netmask ordering:
This option is used for a DNS server maintained on a multihomed PC (a PC having multiple NICs) and resolving the queries of clients on different subnets.
>What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer’s credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running SERVER 2008.
The following attributes have been added to the Active Directory schema to expedite the functionality that is required for RODC caching operations:
- msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
- msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
- msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
- msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.
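As an added example (not part of the original FAQ), the following PowerShell uses the ActiveDirectory module to read these attributes for every RODC in the domain: which accounts are actually cached (msDS-RevealedList), which have authenticated through the RODC but are not cached (msDS-AuthenticatedToAccountList), and whether any cached account belongs to a privileged group. The cmdlets are the module's real ones; the privileged-group list is an assumption to adapt to your domain.

```powershell
# Added example, not from the original FAQ. Requires the ActiveDirectory module
# (RSAT) and read access to the RODC computer objects in the domain.
Import-Module ActiveDirectory

function Get-RodcCredentialExposure {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        # Assumed list of groups whose members should never be cached on a branch RODC;
        # the default Denied List already covers most of them, so a hit means the PRP was loosened
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Server Operators')
    )

    # msDS-RevealedList: principals whose current password is cached on the RODC
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)
    # msDS-AuthenticatedToAccountList: principals that have logged on through the RODC
    $authed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts)

    # Expand the privileged groups (including nested membership) to SIDs for a reliable match
    $privSids = @{}
    foreach ($group in $PrivilegedGroups) {
        foreach ($m in @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)) {
            $privSids[$m.SID.Value] = $group
        }
    }

    $revealedSids = @{}
    foreach ($acct in $revealed) { $revealedSids[$acct.SID.Value] = $true }

    # Cached accounts: a non-empty PrivilegedVia is the finding to act on
    foreach ($acct in $revealed) {
        [pscustomobject]@{
            RODC          = $RodcName
            Account       = $acct.SamAccountName
            ObjectClass   = $acct.ObjectClass
            Status        = 'Cached'
            PrivilegedVia = $privSids[$acct.SID.Value]
        }
    }
    # Authenticated but not cached: these accounts cannot log on at the branch while the WAN
    # is down (see the offline-operations questions); candidates for the Allowed List
    foreach ($acct in $authed) {
        if (-not $revealedSids.ContainsKey($acct.SID.Value)) {
            [pscustomobject]@{
                RODC          = $RodcName
                Account       = $acct.SamAccountName
                ObjectClass   = $acct.ObjectClass
                Status        = 'AuthenticatedNotCached'
                PrivilegedVia = $privSids[$acct.SID.Value]
            }
        }
    }
}

# Audit every RODC in the domain, listing privileged exposures first
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object { Get-RodcCredentialExposure -RodcName $_.Name } |
    Sort-Object PrivilegedVia -Descending |
    Format-Table RODC, Account, ObjectClass, Status, PrivilegedVia -AutoSize
```

A Cached row with a PrivilegedVia value is handled as the FAQ describes below: reset the password on a writable domain controller in the hub site and tighten the Password Replication Policy so the account is no longer allowed to replicate.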
>How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches.
In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC) and if the PRP has not been changed. In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.
>Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline.
This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user's credentials cached, then the logon attempt will fail.
>What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command.
>What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
- Authentication and logon attempts, if the credentials for the resource and the requester are already cached.
- Local RODC server administration performed by a delegated RODC server administrator.
>Will RODC support my Active Directory-integrated application?
Yes, RODC supports an Active Directory–integrated application if the application conforms to the following rules:
- If the application performs write operations, it must support referrals (enabled by default on clients).
- The application must tolerate write outages when the hub is offline.
>Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains. If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain all of the credentials or attributes that are defined in the RODC filtered attribute set.
>Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.
>Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:
Repadmin /showattr <WritableDcName> <distinguished name of the domain partition> /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink
>How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a “writable DNS server.” When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.
The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.
If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.
>Why doesn’t the KCC on writable domain controllers try to build connections from an RODC?
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
- All the sites that contain domain controllers
- The directory partitions that each domain controller holds
- The cost that is associated with the site links to build a least-cost spanning tree
The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS-DSA category (the objectcategory attribute value of the NTDS Settings object). The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new objectcategory value named NTDS-DSA-RO.
As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects. This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.
>How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations.
Both the KCC and the replication engine are special "writers" on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations of the objects that are required to perform Active Directory replication, such as connection objects.
>Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly. In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content.
However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed.
Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. The FRS connection objects are not required by DFS Replication.
>How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection. The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC.
A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design—it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.
>How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writeable domain controllers because they are not replicated from the RODC.
You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection. This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.
>How can an administrator trigger replication to an RODC?
You can use the following methods:
- By running the repadmin /replicate or repadmin /syncall operations.
- By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
- By using Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.
>How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instancetype. This is a bit mask. If bit 3 (0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read only.
>Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it sends all secrets, regardless of whether they are permitted.
>How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS-DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003. A value of 3 indicates that it is running Windows Server 2008.
>Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.
>What actually happens when you add a user to an Administrator Role Separation role?
The configuration adds entries to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\lsa\rodcroles
- Name: 544
- Data type: REG_MULTI_SZ
- Value: S-1-5-21-760266474-1386482297-4237089879-1107
The role is denoted by the entry name; 544, for example, is the well-known RID for the builtin\administrators group. Then, each value represents the security identifier (SID) of a user who has been assigned to the role.
>How can an administrator determine the closest site for any given site?
- Look at the site link costs that appear in Active Directory Sites and Services.
-or-
- After an RODC is installed successfully in an Active Directory site, run the nltest command against the RODC. The following example shows the command and the results:
C:\>nltest /dsgetdc:rodc /server:rodc-dc-02 /try_next_closest_site /avoidself
DC: \\HUB-DC-01
Address: \\2001:4898:28:4:5e1:903a:7987:eea5
Dom Guid: 00e80237-c5ce-4143-b0b8-cfa5c83a5654
Dom Name: RODC
Forest Name: rodc.nttest.contoso.com
Dc Site Name: Hub
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
The command completed successfully.
>Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
If your user account password cannot be replicated to the RODC in your site or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT.
The process that updates the environment variables uses the hub domain controller as the logon server for the environment variable. The %logonserver% environment variable is not updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.
>Password changes are not always “chained” by an RODC. Why?
Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user’s password expiring and when the user is prompted to change it at logon, do not specifically require a writable domain controller.
>How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
The RODC does a bind and calls the “replicate single object” application programming interface (API). The binding handle shows that it is an RODC account.
>Why does an RODC replicate in a cached password both by RSO operation and normal replication?
When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high-water mark are not updated. As a result, the object is replicated to the branch site again at a later time.
>Does an RODC perform password validation forwarding even when it has a password for a user?
Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.
>Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.
>What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699.
The details for event ID 1699 include:
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: RODC\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition:
CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address:
c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Extended request code:
7
Additional Data
Error value:
8453 Replication access was denied.
A successful logon logs event ID 4768 on the hub domain controller and on the RODC.
The details of event ID 4768 on the hub domain controller include the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: hub-dc-01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
User ID: S-1-5-21-3503915162-2421288034-2003080229-1128
Service Name: krbtgt
Service ID: S-1-5-21-3503915162-2421288034-2003080229-502
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:4898:28:4:6182:4acd:65c9:283a
Client Port: 55763
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
At the default Event log settings, no replication event shows that the password has replicated to the RODC.
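The two event layouts above are what a defender has to work with when tracing a logon or a refused password caching attempt through an RODC. The following is an added example, not part of the original document: a small parser for records in that text layout, plus a check that flags an event 1699 on the hub domain controller as a Password Replication Policy denial. The sample records are constructed from the values shown on this page.

```python
"""Added example (not from the original document): parse Directory Service event
1699 and Security event 4768 records in the text layout shown above and flag an
RSO request that the Password Replication Policy refused. The sample records are
constructed from the values shown on this page."""
import re

RSO_DENIED_EVENT_ID = 1699          # logged on the hub DC the RODC contacted
AS_REQ_EVENT_ID = 4768              # Kerberos authentication ticket (TGT) request
ERROR_REPLICATION_ACCESS_DENIED = 8453
ETYPE_NAMES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
               0x17: "RC4-HMAC"}

SAMPLE_EVENTS = r"""
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Level: Error
User: RODC\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition.
Directory partition:
CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address:
c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Error value:
8453 Replication access was denied.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Level: Information
Computer: hub-dc-01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
"""


def parse_events(text):
    """Split blank-line separated records into dicts of 'Field: value' pairs.
    A field whose value sits on the next line (e.g. 'Directory partition:')
    picks that line up; free-text lines without a colon are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        fields, i = {}, 0
        while i < len(lines):
            key, sep, value = lines[i].partition(":")
            if sep and not value.strip() and i + 1 < len(lines) and ":" not in lines[i + 1]:
                value, i = lines[i + 1], i + 1
            if sep:
                fields[key.strip()] = value.strip()
            i += 1
        if "Event ID" in fields:
            events.append(fields)
    return events


def denied_rso(events):
    """Defender's check on the hub DC: event 1699 whose user is an RODC machine
    account and whose error is 8453 means the RODC tried to cache a secret the
    PRP does not allow it to hold. Returns one finding per matching event."""
    findings = []
    for ev in events:
        if int(ev.get("Event ID", 0)) != RSO_DENIED_EVENT_ID:
            continue
        code = ev.get("Error value", "").split(" ", 1)[0]
        if code != str(ERROR_REPLICATION_ACCESS_DENIED):
            continue
        findings.append({"hub": ev.get("Computer"), "rodc": ev.get("User"),
                         "object": ev.get("Directory partition"),
                         "target": ev.get("Network address"), "error": int(code)})
    return findings


def summarize_as_req(events):
    """Decode the fields of event 4768 that matter when tracing a logon through
    an RODC: which KDC answered, for whom, and with which ticket encryption type."""
    out = []
    for ev in events:
        if int(ev.get("Event ID", 0)) != AS_REQ_EVENT_ID:
            continue
        etype = int(ev.get("Ticket Encryption Type", "0x0"), 16)
        out.append({"kdc": ev.get("Computer"), "account": ev.get("Account Name"),
                    "realm": ev.get("Supplied Realm Name"),
                    "success": int(ev.get("Result Code", "0xffff"), 16) == 0,
                    "etype": ETYPE_NAMES.get(etype, hex(etype)),
                    "preauth_timestamp": ev.get("Pre-Authentication Type") == "2"})
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in denied_rso(evs):
        print(f"PRP denied RSO: {f['rodc']} asked {f['hub']} for secrets of {f['object']}")
    for s in summarize_as_req(evs):
        print(f"AS-REQ for {s['account']} at {s['kdc']}: success={s['success']} etype={s['etype']}")
```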
DHCP : Dynamic Host Configuration Protocol
Hi Friends,
Let’s support our organizations using a simple way of IP management. DHCP stands for Dynamic Host Configuration Protocol.
Dynamic = Automatic
Host Configuration = Basic Network Configuration
Protocol = Rules which need to be followed to make this happen.
DHCP is an application which is installed either on a Windows Server operating system or on a UNIX OS to serve an enterprise with IP configuration and management. Its main goal is to provide and configure the client computers with a specific IP configuration to enable identification and communication in the network. Before DHCP, another protocol was used, called BOOTP. BOOTP (Bootstrap Protocol) has only one feature, which is reservation. So administrators who worked with BOOTP needed to collect all the MAC addresses and write them down to enable the use of BOOTP. After collecting all the MAC addresses, the same had to be added to the BOOTP table with the corresponding IP addresses. That makes a lot of work for administrators: even though the assignment itself is automated, admins need to work a lot to get the MAC addresses of all the machines in the network. Later it gained a lot of improvements to serve the network and became DHCP.
How to Install and Configure DHCP?
It is a very simple and straightforward process. First you need to install the application from Add/Remove Windows Components. After installing, you will have a console in Administrative Tools. Instead of giving a lot of steps, I will post a simple video of 7 minutes; just watch it for a better understanding of this concept.
Video Link
Now you are ready with your DHCP server installed and configured, so let’s talk about why and how it is used. As I said previously, it is used for automatic assignment of IP addresses to client computers which are in the same network as the DHCP server. This is the way it is used. Whenever a computer is powered on, it checks its own network configuration. If it is configured with a manual IP address, the machine broadcasts a message that it was powered on. If it is configured to get the IP automatically, then the machine broadcasts a message in search of a DHCP server. Then the process starts. It is simply called the “DORA” process.
D = Discovery – Request for discovering DHCP server from client machine.
O = Offer – Respective DHCP server Offers the IP Configuration.
R = Received – Client receives the IP configuration.
A = Acknowledgement - Client Acknowledges that it has received the IP configuration.
Once the client gets the IP configuration, it then broadcasts another message to all other clients in the network with its identity.
Interview Questions related to DHCP
1. Explain the DORA process
2. What is an exclusion range and reservation?
An exclusion range is a range of IP addresses which needs to be excluded from the DHCP scope, so that these IPs are never assigned automatically. A reservation is an IP address that is reserved for a server every time it boots up; it is configured using the MAC address of that server. Before configuring reservations, we need to exclude them from the DHCP scope.
3. How do you configure the AD Server, DNS Server, IIS Server and FTP Server using the DHCP server?
Using reservations only, so that every time the same address is assigned to the server. If you take a DNS server, it should have the same IP all the time, because it is responsible for name resolution in that network. If the IP address changes every time, it is very difficult for the clients which are requesting name resolution. That is the reason it should have the same IP all the time, and we can do that automatically using reservations.
4. What is DHCP relay agent?
A DHCP relay agent is an option configured on the DHCP server which enables client machine requests to go through routers. That means, if the DHCP server is in one network and the client is in another network, these networks are connected by routers. By default the routers will never allow DHCP packets through them; by configuring this option, these requests will pass between the two networks.
DHCP Server - Core Interview Questions and Answers
Define DHCP process.
DHCP Discovery:
The client broadcasts on the local physical subnet to find available servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server on a different subnet. This client implementation creates a UDP packet with the broadcast destination of 255.255.255.255 or the subnet broadcast address and also requests its last-known IP address (in the example below, 192.168.1.100), although the server may ignore this optional parameter....
DHCP Offers:
When a DHCP server receives an IP lease request from a client, it extends an IP lease offer.
This is done by reserving an IP address for the client and broadcasting a DHCPOFFER message across the network. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.
The server determines the configuration, based on the client's hardware address as specified in the CHADDR field. Here the server, 192.168.1.1, specifies the IP address in the YIADDR field.
DHCP Requests:
Whenever a computer comes on line, it checks to see if it currently has an IP address leased. If it does not, it requests a lease from a DHCP server. Because the client computer does not know the address of a DHCP server, it uses 0.0.0.0 as its own IP address and 255.255.255.255 as the destination address. Doing so allows the client to broadcast a DHCPDISCOVER message across the network. Such a message consists of the client computer's Media Access Control (MAC) address (the hardware address built into the network card) and its NetBIOS name.
The client selects a configuration out of the DHCP "Offer" packets it has received and broadcasts it on the local subnet. Again, this client requests the 192.168.1.100 address that the server specified. In case the client has received multiple offers it specifies the server from which it has accepted the offer.
DHCP Acknowledgement:
When the DHCP server receives the DHCPREQUEST message from the client, it initiates the final phase of the configuration process. This acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the TCP/IP configuration process is complete.
The server acknowledges the request and sends the acknowledgement to the client. The system as a whole expects the client to configure its network interface with the supplied options.
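The four messages described above (and in the earlier DORA summary) have a fixed wire format, and seeing them built and parsed makes the CHADDR/YIADDR roles, the requested-address option and the server-identifier choice concrete. The following is an added example, not code from the original post: it builds each message as an RFC 2131 DHCP packet over the page's addresses (the client asks for its last-known 192.168.1.100, the server is 192.168.1.1) and runs the exchange through a minimal lease table, including the refusal (DHCPNAK) a server sends when the requested address is held by another MAC. MAC addresses are constructed.

```python
"""Added example (not code from the original post): the DORA exchange built as
RFC 2131 DHCP messages and parsed back. Addresses follow the page (client asks
for its last-known 192.168.1.100, server 192.168.1.1); MACs are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6            # option 53 values
OPT_SUBNET, OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 50, 51, 53, 54, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"                           # 236-byte fixed header


def ip4(addr):
    return IPv4Address(addr).packed


def build(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Fixed header, magic cookie, then TLV options terminated by 255. Clients set
    the broadcast flag (0x8000) so the server broadcasts its reply, as described."""
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000 if op == BOOTREQUEST else 0,
                      ip4(ciaddr), ip4(yiaddr), ip4(siaddr), ip4("0.0.0.0"), chaddr, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Return the header fields that matter here plus a {code: raw value} option map."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                        # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "ciaddr": str(IPv4Address(f[7])),
            "yiaddr": str(IPv4Address(f[8])), "siaddr": str(IPv4Address(f[9])),
            "chaddr": f[11][:f[2]], "type": opts[OPT_MSG_TYPE][0], "options": opts}


class DhcpServer:
    """Minimal lease logic: honour the requested address if it is in the pool and
    not leased to a different MAC, otherwise hand out the first free address."""
    def __init__(self, server_ip="192.168.1.1", pool=("192.168.1.100", "192.168.1.101"),
                 mask="255.255.255.0", lease_secs=86400):
        self.ip, self.pool, self.mask, self.lease_secs = server_ip, list(pool), mask, lease_secs
        self.leases = {}                       # ip -> MAC bytes

    def _pick(self, mac, wanted):
        free = lambda ip: self.leases.get(ip, mac) == mac
        if wanted in self.pool and free(wanted):
            return wanted
        return next((ip for ip in self.pool if free(ip)), None)

    def _reply(self, req, msg_type, ip):
        opts = [(OPT_MSG_TYPE, bytes([msg_type])), (OPT_SERVER_ID, ip4(self.ip))]
        if msg_type != NAK:
            opts += [(OPT_SUBNET, ip4(self.mask)), (OPT_LEASE, struct.pack("!I", self.lease_secs))]
        return build(BOOTREPLY, req["xid"], req["chaddr"], opts, yiaddr=ip, siaddr=self.ip)

    def handle(self, pkt):
        req = parse(pkt)
        wanted = req["options"].get(OPT_REQ_IP)
        wanted = str(IPv4Address(wanted)) if wanted else None
        if req["type"] == DISCOVER:            # D -> O: reserve an address, offer it in yiaddr
            ip = self._pick(req["chaddr"], wanted)
            return self._reply(req, OFFER, ip) if ip else None
        if req["type"] == REQUEST:             # R -> A: only if the client chose this server
            if req["options"].get(OPT_SERVER_ID) != ip4(self.ip):
                return None
            ip = self._pick(req["chaddr"], wanted)
            if ip != wanted:                   # requested address not available: refuse
                return self._reply(req, NAK, "0.0.0.0")
            self.leases[ip] = req["chaddr"]
            return self._reply(req, ACK, ip)
        return None


def client_discover(xid, mac, last_ip="192.168.1.100"):
    return build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_REQ_IP, ip4(last_ip))])


def client_request(offer_pkt, mac):
    """Accept the offer: echo the offered yiaddr (option 50) and the chosen server (option 54)."""
    o = parse(offer_pkt)
    return build(BOOTREQUEST, o["xid"], mac, [(OPT_MSG_TYPE, bytes([REQUEST])),
                 (OPT_REQ_IP, ip4(o["yiaddr"])), (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])])


def dora(server, mac, xid=0x3903F326, last_ip="192.168.1.100"):
    """Run Discover/Offer/Request/Acknowledge and return the client's resulting config."""
    offer = server.handle(client_discover(xid, mac, last_ip))
    ack = parse(server.handle(client_request(offer, mac)))
    o = ack["options"]
    return {"type": ack["type"], "ip": ack["yiaddr"], "server": str(IPv4Address(o[OPT_SERVER_ID])),
            "mask": str(IPv4Address(o[OPT_SUBNET])) if OPT_SUBNET in o else None,
            "lease": struct.unpack("!I", o[OPT_LEASE])[0] if OPT_LEASE in o else None}


if __name__ == "__main__":
    srv = DhcpServer()
    print(dora(srv, bytes.fromhex("001122334455")))   # constructed MAC, gets .100
    print(dora(srv, bytes.fromhex("66778899aabb")))   # also asks for .100, gets .101
```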
What is DNS?
DNS stands for Domain Naming Server; it is a standard for naming domains in any operational environment (Windows, Linux, Solaris, any environment). It is a server which contains a database of all the domains and all the servers which are associated with those domains.
Why it is Used?
It is a service dedicated to identifying all the machines (domains and member servers) in a network. To make this possible, every machine has to be registered in the authoritative DNS server of that network. That means every operational network should have a dedicated DNS server to enable identification and communication between the machines.
How it works?
As I said, it is dedicated to identification, or in technical words to “name resolution”. Every machine in a network has a dedicated IP address and hostname as its identity. Whenever a machine tries to communicate with another machine on the network it should first identify the second machine, which means it should know the IP address of that particular machine. After knowing the identity (i.e. the IP address), it communicates directly with the second machine. So to speak, a machine should know the IP address of the other machine with which it is going to communicate before it starts. Another question: why are hostnames used, if the machine already has an identity in the form of an IP address? A hostname is an English word which is useful for human remembrance. It is impossible for a human being to remember lots of IP addresses, but it is possible to remember English names of the same hosts (as we generally configure hostnames with an employee name, department name, location name, etc.). For example, we can remember www.yahoo.com but not its IP address, because there is not only one website on the internet. To sum up, hostnames and IP addresses are both used for identification and communication between two machines in a network. But machines are only able to communicate with IP addresses, which are impossible for humans to remember (keep in mind machines never communicate with hostnames). To solve this situation DNS was implemented. It basically contains a database of host records in a network. A host record contains “Hostname : IP address”; see the image below for better understanding. Our internet is purely dependent on DNS: when we access a particular website we give its English name, and when we press ENTER the machine immediately starts finding the IP address of the website using the DNS server configured on it. I will explain the name resolution process in detail. One more thing about DNS: it is the single largest database on the internet, and it changes every second. If this database went down by chance, we would have to remember all the IP addresses to access the internet. Hahaha, it will not happen, because we have so many backup solutions already implemented.
How does the name resolution take place?
I will explain this concept with the internet as an example. Before that I want you to check some settings on your machine. Check the TCP/IP properties and see whether a DNS server is configured or not. If you are seeing the obtain-automatically option, open a command prompt, type “ipconfig /all” and press Enter. You will get the DNS server information along with your machine’s IP address. Now let’s talk about the scenario. When you try to open a website like www.google.com, what happens next? How does your machine get the IP address of www.google.com? Here it goes….
1. The request is sent to the DNS server which is configured on your machine.
2. The DNS server checks for the host record of www.google.com in its database. If it contains a record for www.google.com, it directly sends a response with the IP address of www.google.com. Otherwise it starts requesting another DNS server.
3. Before it goes to another DNS server, how does it identify which DNS server is responsible for this request? It checks the entire hostname (this is called the FQDN: Fully Qualified Domain Name), i.e. in Google’s case www.google.com. (note the FQDN ends with a period, and this period is called the root domain).
5. So in your case, the domain is .com; the DNS server sends the request to the .com master DNS server (for example, assume it is 198.41.0.4). The .com master DNS server contains name server records for all machines ending with .com. That means it definitely contains the DNS server IP address for google.com. In the same way it contains all .com servers: yahoo.com, microsoft.com and so on.
6. It does not contain the IP address of google.com; it contains the DNS server IP of google.com.
7. So then the request is forwarded to the google.com DNS server, and in that server you will have a host record with the name www and its IP address. Finally you reached it. With the found IP address the response comes back the same way in reverse to the DNS server which is configured on your machine, and that DNS server tells the IP address of www.google.com to your machine.
8. This process happens in milliseconds in the background, i.e. by the time you get the “Website found, waiting for reply” message in the status bar of your Internet Explorer.
9. Oh my god!!!! Is it that simple? Yes it is. The same process occurs in corporate networks also, but the requests are handled by their local DNS servers only.
10. See the animation below for better understanding.
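The chain of referrals in the steps above (your DNS server, then the .com server, then google.com's own server) is easier to see when it runs. The following is an added example, not code from the original post: a simulated iterative resolver walking constructed in-memory zone data from a root hint down to the www host record, answering from its cache on the second lookup as step 2 describes. Every server and host address in it is a constructed placeholder.

```python
"""Added example (not from the original post): the iterative lookup described in
the numbered steps above, simulated against constructed in-memory zone data.
All server and host addresses below are constructed placeholders."""

ROOT_HINTS = {"a.root.example.": "192.0.2.1"}     # where every lookup starts

# Constructed zone data: which server holds which zone, and the records it has.
# Names are FQDNs, so each ends with the root period the post mentions.
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {                     # root server
        "com.": {"NS": ["a.gtld.example."]},
        "a.gtld.example.": {"A": ["192.0.2.2"]}}},               # glue for the .com server
    "192.0.2.2": {"zone": "com.", "records": {                  # the ".com master DNS server"
        "google.com.": {"NS": ["ns1.google.com."]},
        "ns1.google.com.": {"A": ["192.0.2.3"]}}},               # glue for google.com's DNS
    "192.0.2.3": {"zone": "google.com.", "records": {           # google.com DNS server
        "www.google.com.": {"A": ["198.51.100.10"]}}},
}


def query(server_ip, qname, qtype="A"):
    """One query to one server, simulated. Answer if the server holds the record;
    otherwise refer to the closest delegation (NS) it knows for a parent name."""
    records = SERVERS[server_ip]["records"]
    rrs = records.get(qname, {}).get(qtype)
    if rrs:
        return "answer", rrs
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):          # www.google.com. -> google.com. -> com.
        ns_names = records.get(".".join(labels[i:]), {}).get("NS")
        if ns_names:
            return "referral", {n: records.get(n, {}).get("A", [None])[0] for n in ns_names}
    return "nxdomain", None


class LocalDnsServer:
    """The DNS server configured on the client: answers from its cache (step 2)
    or walks the delegation chain from the root (steps 3 to 7) and caches the result."""
    def __init__(self, root_hints=ROOT_HINTS, max_hops=8):
        self.cache, self.hints, self.max_hops = {}, root_hints, max_hops

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."   # make it an FQDN
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        trail, server = [], next(iter(self.hints.values()))
        for _ in range(self.max_hops):
            trail.append(server)
            kind, data = query(server, qname)
            if kind == "answer":
                self.cache[qname] = data
                return data, trail
            if kind != "referral":
                return None, trail
            # follow the referral to the first name server that came with glue
            server = next((ip for ip in data.values() if ip), None)
            if server is None:
                return None, trail
        return None, trail                                   # referral loop guard


if __name__ == "__main__":
    resolver = LocalDnsServer()
    print(resolver.resolve("www.google.com"))   # walks root -> .com -> google.com
    print(resolver.resolve("www.google.com"))   # second time answered from cache
```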
Understanding DNS : Part - II
Hi Guys,
DNS Records
There are so many records associated with a DNS server. The name resolution process does not happen in a proper way without these records.
As you know, the DNS server's main purpose is to resolve host names to IPs and vice versa.
- A Record : Contains information about the IP address. It is helpful in resolving host names to IP addresses.
- PTR Record : Pointer record, contains information about the host name. It is helpful in resolving an IP address to a hostname.
- CNAME Record : Alias of an A Record. It is helpful in giving multiple names to a single host, which means the same host is able to provide multiple services. In that case, to segregate the services and communicate with each one, we need to give a different name to each service. Even though these services are hosted on a single server, we can send our request to the target service. The CNAME record is helpful in identifying and communicating with that service on that server.
- MX Record : A record helpful in identifying the mail server in a DNS domain (for that organization).
- NS Record : A record helpful in identifying the DNS server in a DNS domain (for that organization).
- SRV Record : This record is created when we install a service which is DNS dependent. It is automatically generated and will be associated with a specific IP address. It is called a Service record.
- SOA Record : Start of Authority record. This is not a record associated with any IP address, but it is associated with a number which determines the update number. Whatever the update and whenever it is done, this number is incremented.
These are the records associated with each and every server in this world. A fact is that “DNS is the biggest database in the world and it is the only one which gets updated every second.” And this database is not located at a single place; it is spread across the world in different places, like different companies, different ISPs, different homes, etc. The name resolution process is explained in my previous post, Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.
>What is Active Directory ?
Active Directory is metadata. Active Directory is a database which stores data like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete network which connects with AD.
>What is domain ?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.
>What is domain controller ?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
>What is LDAP ?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC ?
KCC (Knowledge Consistency Checker) is used to generate the replication topology for inter-site replication and for intra-site replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.
>Where is the AD database held? What other folders are
related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain.
>What are the Windows Server 2003 keyboard shortcuts ?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
>I am trying to create a new universal user group. Why can’t
I ?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
>What is LSDOU ?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
>Why doesn’t LSDOU work under Windows NT ?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
>What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
> What’s the difference between guest accounts in Server 2003
and other editions?
More restrictive in Windows Server 2003.
> How many passwords by default are remembered when you check
"Enforce Password History Remembered"?
User’s last 6 passwords.
> Can GC Server and Infrastructure place in single server If
not explain why ?
No. The Infrastructure master does the same job as the GC; they do not work together.
> Which service in Windows is responsible for replication from one domain controller to another domain controller?
KCC generates the replication topology.
Use SMTP / RPC to replicate changes.
> What is Intrasite and Intersite Replication ?
Intrasite is the replication within the same site, and intersite is the replication between sites.
> What is lost & found folder in ADS ?
It's the folder where you can find objects that were orphaned due to a replication conflict.
Ex: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the OU, so it put the user in the Lost & Found folder.
> What is Garbage collection ?
Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours.
> What does System State data contain ?
Startup files
Registry
Com + Registration Database
Memory Page file
System files
AD information
Cluster Service information
SYSVOL Folder
>What is the difference between Windows 2000 Active Directory
and Windows 2003 Active Directory? Is there any difference in 2000 Group
Polices and 2003 Group Polices? What is meant by ADS and ADS services in
Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy - you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
>I want to setup a DNS server and Active Directory domain.
What do I do first? If I install the DNS service first and name the zone
'name.org' can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background.
>How do I determine if user accounts have local
administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
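As an added example (not code from the original page), the following PowerShell 3.0+ script implements the approach described above: each workstation parses its own `net localgroup administrators` output and records the members to a central share, and a reviewer compares the collected records against an approved list. The share path, the approved-member names and the sample `net localgroup` output are constructed for this example.

```powershell
# Added example, not from the original page. Assumed/constructed values: the
# share \\fileserver\AdminAudit$ and the approved-member list below.

function ConvertFrom-NetLocalGroup {
    # Parse the text output of `net localgroup administrators` into member names:
    # members are listed between the dashed separator and the closing status line.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $members = @()
    $inList = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

function Export-LocalAdminReport {
    # Run on each workstation (logon script or scheduled task); one CSV per machine.
    param([string]$OutputDir = '\\fileserver\AdminAudit$')   # assumed share
    $raw = net localgroup administrators
    ConvertFrom-NetLocalGroup -Lines $raw | ForEach-Object {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Member    = $_
            Collected = (Get-Date).ToString('s')
        }
    } | Export-Csv -Path (Join-Path $OutputDir "$env:COMPUTERNAME.csv") -NoTypeInformation
}

function Find-UnapprovedLocalAdmins {
    # Central review: any member not on the approved list is reported.
    param(
        [Parameter(Mandatory=$true)][object[]]$Records,
        [string[]]$Approved = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins')
    )
    $Records | Where-Object { $Approved -notcontains $_.Member }
}

# Offline check against constructed sample output (what workstation WS01 would collect)
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jdoe
The command completed successfully.

'@ -split "`r?`n"

$records = ConvertFrom-NetLocalGroup -Lines $sample |
    ForEach-Object { [pscustomobject]@{ Computer = 'WS01'; Member = $_ } }
Find-UnapprovedLocalAdmins -Records $records | Format-Table -AutoSize   # reports CORP\jdoe

# To review everything the workstations have written to the share:
# Find-UnapprovedLocalAdmins -Records (Get-ChildItem '\\fileserver\AdminAudit$\*.csv' | Import-Csv)
```

The parser is kept separate from the collection step so the review logic can be checked against captured output without touching any machine; the Restricted Groups policy mentioned above remains the way to enforce the membership, while this script only reports drift.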
>Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.
>What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
>What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7 .
10. Bitlocker - System drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main difference between 2003 and 2008 is Virtualization and management. 2008 has more in-built components and updated third party drivers.
>What are the requirements for
installing AD on a new server?
1 The Domain structure.
2 The Domain Name.
3 Storage location of the database and log file.
4 Location of the shared system volume folder.
5 DNS configuration method.
6 DNS configuration.
>What is LDP?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network
>What are the Groups
types available in active directory ?
Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
>Explain about the
groups scope in AD ?
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members such as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local or any other group in the same domain.
Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible for Global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
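An added example (not from the original page) of the pattern these scopes are designed for, matching the cross-domain resource scenario the page describes later: accounts go into a Global group in their own domain, that Global group is nested into a Domain Local group in the resource's domain, and only the Domain Local group appears on the resource ACL. It uses the ActiveDirectory PowerShell module (RSAT); the domain names corp.example (NetBIOS name CORP) and sub.corp.example, the OU paths, the group names, the user names and the share path are assumptions.

```powershell
# Added example, not from the original page. All names below are assumed:
# Domain A = corp.example (NetBIOS CORP), Domain B = sub.corp.example.
Import-Module ActiveDirectory

$domainA = 'corp.example'
$domainB = 'sub.corp.example'
$share   = '\\fs01.corp.example\Reports$'   # resource that lives in Domain A

# 1. Global group in Domain B holds the accounts (members must come from Domain B).
$gg = New-ADGroup -Name 'GG_Finance_Users' -GroupScope Global -GroupCategory Security `
        -Path 'OU=Groups,DC=sub,DC=corp,DC=example' -Server $domainB -PassThru
Add-ADGroupMember -Identity $gg -Members 'alice', 'bob' -Server $domainB

# 2. Domain Local group in Domain A carries the permission on the Domain A resource.
$dl = New-ADGroup -Name 'DL_Reports_Modify' -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=corp,DC=example' -Server $domainA -PassThru

# 3. Nest the Domain B Global group into the Domain A Domain Local group
#    (the member is fetched from its own domain so the DN resolves correctly).
$foreignGroup = Get-ADGroup -Identity 'GG_Finance_Users' -Server $domainB
Add-ADGroupMember -Identity $dl -Members $foreignGroup -Server $domainA

# 4. Only the Domain Local group goes on the ACL, never individual users.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            'CORP\DL_Reports_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 5. Verify the nesting from Domain A's point of view.
Get-ADGroupMember -Identity $dl -Server $domainA | Select-Object Name, objectClass
```

Because the Domain Local group is the only principal on the ACL, adding or removing a user in Domain B is a single membership change in that user's own domain and never requires touching the resource in Domain A.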
>What is REPLMON ?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
>What is ADSIEDIT ?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
>What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
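As an added example (not from the original page), the following PowerShell turns the `/showrepl * /csv` output of repadmin into objects and reports inbound replication links that have failed or have not succeeded within a chosen window, which is the check a practitioner would schedule rather than reading the raw output. It assumes repadmin is available on a domain-joined machine whose account can query every DC; the 24-hour threshold is an assumed default.

```powershell
# Added example, not from the original page. Requires repadmin (AD DS tools)
# and rights to query all domain controllers; the threshold is an assumption.

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv emits one row per inbound link per naming context,
    # with the columns referenced below. Flag a row if repadmin counted failures
    # or if the last successful replication is older than the threshold.
    param([int]$MaxHoursSinceSuccess = 24)
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = 0
        [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
        $lastOk = [datetime]::MinValue
        $stale = -not [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk) -or
                 ((Get-Date) - $lastOk).TotalHours -gt $MaxHoursSinceSuccess
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = $r.'Last Success Time'
                LastStatus    = $r.'Last Failure Status'
            }
        }
    }
}

# One row per broken or stale link; an empty result means every link replicated recently.
Get-ReplicationFailures -MaxHoursSinceSuccess 24 | Format-Table -AutoSize
```

Running this from a scheduled task and alerting on a non-empty result catches the cases the page mentions (a DC that has silently stopped replicating) before tombstone lifetime or password-change propagation problems surface.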
>How to take backup of AD ?
To take a backup of Active Directory, do this: first go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run window and type ntbackup, and take a System State backup. When the backup screen appears, take the backup of SYSTEM STATE; it will take a backup of all the necessary information about the system, including the AD backup, DNS etc.
>What are the DS* commands ?
The following commands are the built-in DS family of utilities:
DSmod - modify Active Directory attributes.
DSrm - to delete Active Directory objects.
DSmove - to relocate objects
DSadd - create new accounts
DSquery - to find objects that match your query attributes.
DSget - list the properties of an object
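An added example (not from the original page) that serves both the LDAP description earlier on the page and the DS* commands above: `dsquery *` with an LDAP filter (including the bitwise matching rule) to find accounts whose passwords never expire, and `dsquery user -inactive` piped into `dsget` to list stale accounts with their disabled state. It assumes the DS tools are present on a domain-joined machine; the search base is constructed, and sAMAccountName values are assumed not to contain spaces.

```powershell
# Added example, not from the original page. Requires dsquery/dsget on a
# domain-joined machine; the search base below is constructed.

function Get-PasswordNeverExpiresUsers {
    # LDAP filter with the bitwise-AND matching rule (1.2.840.113556.1.4.803):
    # 65536 is the DONT_EXPIRE_PASSWORD bit of userAccountControl.
    param([string]$SearchBase = 'dc=corp,dc=example')
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    dsquery * $SearchBase -scope subtree -filter $filter -attr sAMAccountName distinguishedName -limit 0 |
        Select-Object -Skip 1 |                      # first line is the column header
        ForEach-Object {
            # sAMAccountName is assumed to contain no spaces; the rest of the line is the DN
            $parts = $_.Trim() -split '\s+', 2
            if ($parts.Count -eq 2) {
                [pscustomobject]@{ SamAccountName = $parts[0]; DistinguishedName = $parts[1] }
            }
        }
}

function Get-InactiveUsers {
    # Users with no logon in the given number of weeks, with their disabled state.
    # dsquery emits the DNs; dsget reads them from stdin and prints samid/display/disabled.
    param([int]$Weeks = 8)
    dsquery user -inactive $Weeks -limit 0 | dsget user -samid -display -disabled |
        Select-Object -Skip 1 |                      # skip the column header
        Where-Object { $_.Trim() -and $_ -notmatch '^dsget succeeded' } |
        ForEach-Object {
            $cols = $_.Trim() -split '\s+'
            # first token is samid, last token is yes/no, anything between is the display name
            $display = if ($cols.Count -gt 2) { $cols[1..($cols.Count - 2)] -join ' ' } else { '' }
            [pscustomobject]@{
                SamAccountName = $cols[0]
                DisplayName    = $display
                Disabled       = ($cols[-1] -eq 'yes')
            }
        }
}

# Review: accounts with non-expiring passwords, and stale accounts that are still enabled
Get-PasswordNeverExpiresUsers | Format-Table -AutoSize
Get-InactiveUsers -Weeks 8 | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

Both lists are the usual input to a cleanup pass with `dsmod user <DN> -disabled yes`, which is why the functions return the DN or sAMAccountName rather than only printing a table.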
>What are the requirements
for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A Domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
- Active
Directory enables single sign on to access resources on the network such
as desktops, shared files, printers etc. Active Directory provides
advanced security for the entire network and network resources.
Active Directory is more scalable and flexible for administration.
- Functional levels help the coexistence of Active Directory versions such as Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008. The functional level of a domain or forest controls which advanced features are available in the domain or forest. Although the lowest functional levels help coexistence with legacy Active Directory, they disable some of the new features of Active Directory. But if you are setting up a new Active Directory environment with the latest version of Windows Server and AD, you can set the highest functional level, so that all the new AD functionality is enabled.
- Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (Default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, Windows Server.
- Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2. Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.
- It is possible to take a backup copy of an existing Domain Controller, and restore it on a Windows Server machine in a remote location with a slower WAN link.
- Active
Directory is designed for Server Operating System, and it cannot be
installed on Windows 7.
- Windows Server Operating System. Free hard disk space with an NTFS partition. Administrator's privilege on the computer. Network connection with IP address, subnet mask, gateway and DNS address. A DNS server, which can be installed along with the first Domain Controller. Windows Server installation CD or i386 folder.
- Flexible Single-Master Operation (FSMO) roles manage an aspect of the domain or forest that must be handled by a single domain controller to prevent conflicts, for tasks which are not suited to multi-master replication. There are 5 FSMO roles: the Schema Master and Domain Naming Master roles are handled by a single domain controller in the forest, and the PDC Emulator, RID Master and Infrastructure Master roles are handled by a single domain controller in each domain.
- The Infrastructure master role is a domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. The Infrastructure master does not have any functions to perform in a single domain environment. If the Domain controller with the Infrastructure master role goes down in a single domain environment, there will be no impact at all. Whereas, in a complex environment with multiple domains, it may impact creation and modification of groups and group authentication.
- Schema
Master role and Domain Naming Master role.
- PDC
Emulator
- You should be a member of the Enterprise Admins group or the Domain Admins group. Also, you should be a member of the local Administrators group of the member server which you are going to promote as an additional Domain Controller.
- Use netdom
query /domain:YourDomain FSMO command. It will list all the FSMO role
handling domain controllers.
- No,
there should be only one Domain Controller handling RID master role in a
Domain.
- There
should be only one Domain Controller handling Infrastructure master role
in a domain. Hence if you have two domains in a forest, you can configure
two Infrastructure masters, one in each domain.
- If the PDC emulator crashes, there will be an immediate impact on the environment. User authentication will fail as password changes won't take effect, and there will be frequent account lockout issues. Network time synchronization will be impacted. It will also impact DFS consistency and Group Policy replication as well.
- Domain controllers and Sites. Domain controllers are physical computers which run the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site contains multiple domain controllers.
- Domains,
Organizational Units, trees and forests are logical components of Active
Directory.
- Active
Directory database is divided into different partitions such as Schema
partition, Domain partition, and Configuration partition. Apart from these
partitions, we can create Application partition based on the requirement.
- Adding
one group as a member of another group is called 'group nesting'. This
will help for easy administration and reduced replication traffic.
- Group types are categorized based on their nature. There are two group types: Security Groups and Distribution Groups. Security groups are used to apply permissions to resources, whereas distribution groups are used to create Exchange server email communication groups. Group scopes are categorized based on usage. There are three group scopes: Domain Local Group, Global Group and Universal Group.
- Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located in Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group in Domain A, and add the Global group of Domain B to the Domain local group of Domain A; then, add the Domain local group of Domain A to the security ACL of the printer (in Domain A).
- Active Directory is backed up along with System State data. System state data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third party tools such as Symantec NetBackup, IBM Tivoli Storage Manager etc.
- There
are two types of Active Directory restores, Authoritative restore and
Non-Authoritative restore.
- Non-Authoritative means a normal restore of a single Domain controller in case that particular domain controller's OS or hardware crashed. After the non-authoritative restoration is completed, the domain controller compares its database with peer domain controllers in the network and accepts all the directory changes that have been made since the backup. This is done through multi-master replication.
Whereas, in an Authoritative restore, the restored database of a Domain controller is forcefully replicated to all the other domain controllers. Authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) which was accidentally deleted and needs to be restored.
- We can use the NTDSUTIL command line to perform an Authoritative restore of Active Directory. First, start a domain controller in 'Directory Service Restore Mode'. Then, restore the System State data of the Domain controller using the NTBACKUP tool. This is a non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This will restore all the data in authoritative restore mode. If you want to restore only a specific object or sub-tree, you can type the command below instead of 'restore database'.
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
- Authoritative restore, Configurable settings, Partition management, Set DSRM Password etc.
- A tombstone is a container object for deleted items from the Active Directory database: even after objects are deleted, they are kept hidden in the Active Directory database for a specific period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.
- Garbage collection is a process of Active Directory. The process starts by removing the remains of previously deleted objects, known as tombstones, from the database. Then the garbage collection process deletes unnecessary log files, and finally it starts a defragmentation thread to reclaim additional free space. The garbage collection process runs on all the domain controllers at an interval of 12 hours.
- In the multi-master replication method, replication conflicts can happen. Objects with replication conflicts are stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
- The Lost and Found container can be viewed by enabling Advanced Features from the View menu of the Active Directory Users and Computers MMC.
- Yes, it is included.
- [Never say no] We had set up an additional domain for a new subsidiary of the firm, and I was a member of the team who handled installation and configuration of domain controllers for the sub-domain. [or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in a test environment on several occasions.
- No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.
- Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting the domain controller or restarting any services.
- Read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. RODC provides improved security and faster logon time for the branch office.
- To find out the forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and open Properties. Both domain and forest functional levels will be listed there. To find out the forest and domain functional levels from the command line, you can use the DSQUERY command.
- KCC can be expanded as Knowledge Consistency Checker. It is a process running on all domain controllers, and it generates and maintains the replication topology for replication within sites and between sites.
- We can use command line tools such as repadmin and dcdiag. The GUI tool REPLMON can also be used for replication monitoring and troubleshooting.
- SYSVOL is a folder that exists on each domain controller and contains Active Directory related files and folders. SYSVOL mainly stores important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using the File Replication Service (FRS).
- Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource authentication and for trust relationship functionality. Kerberos uses port number 88.
- All versions of Windows Server Active Directory use Kerberos 5.
- Kerberos 88, LDAP 389, DNS 53, SMB 445.
- FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system which points to a device in the domain at its left-most end. For example in system.
- Dsadd - to add an object to the directory; Dsget - displays requested properties of an object in AD; Dsmove - used to move an object from one location to another in the directory; Dsquery - to query specific objects.
- A tree in Active Directory is a collection of one or more domains which are interconnected and share global resources with each other. If a tree has more than one domain, it will have a contiguous namespace. When we add a new domain to an existing tree, it is called a child domain.
A forest is a collection of one or more trees which trust each other and share a common schema. It also shares a common configuration and global catalog. When a forest contains more than one tree, the trees will not form a contiguous namespace.
- Replication between domain controllers inside a single site is called intrasite replication, whereas replication between domain controllers located in different sites is called intersite replication. Intrasite replication is very frequent, whereas intersite replication happens at a specific interval and in a controlled fashion, to preserve network bandwidth.
- Shortcut trust is a manually created transitive trust which is configured to enable a fast and optimized authentication process. For example, if we create a shortcut trust between two domains of different trees, they can quickly authenticate each other without travelling through the entire chain of parent domains. A shortcut trust can be either one-way or two-way.
- Selective authentication is generally used in forest trusts and external trusts. Selective authentication is a security setting which allows administrators to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. The selective authentication method can decide which groups of users in a trusted forest can access shared resources in the trusting forest.
- Trusts can be categorized by their nature: there can be two-way or one-way trusts, implicit or explicit trusts, transitive or non-transitive trusts. Trusts can also be categorized by type, such as parent and child trust, tree root trust, external trust, realm trust, forest trust and shortcut trust.
- ADAC - Active Directory Administrative Center is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators to perform common Active Directory object management tasks across multiple domains from the same ADAC instance.
- ADSIEDIT - Active Directory Service Interfaces Editor is a GUI tool which is used to perform advanced AD object and attribute management. This Active Directory tool helps us to view objects and attributes that are not visible through the normal Active Directory management consoles. ADSIEDIT can be downloaded and installed along with the Windows Server 2003 Support Tools.
- This is due to the domain functional level. If the domain functional level of a Windows Server 2003 AD is Windows 2000 Mixed, the Universal Group option will be greyed out. You need to raise the domain functional level to Windows 2000 Native or above.
- ADMT - Active Directory Migration Tool, is a tool which is used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers, and groups to new domains.
- When a domain controller is disconnected for a period that is longer than the tombstone lifetime, one or more objects that were deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008 using the REPADMIN utility.
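The tombstone, garbage collection and lingering-object behaviour described above, as an added simulation that is not part of the original notes: two constructed domain controllers, a deletion that becomes a tombstone, a garbage collector that expires it after the 180-day tombstone lifetime, and a DC that reconnects either before or after that point. The DN, the DC names and the once-a-day GC run are constructed for this example; no real AD API is used.

```python
"""Added example, not from the original notes: a constructed simulation of
tombstone lifetime, garbage collection and lingering objects on two
domain controllers. Days are plain integers and no real AD API is used."""
from dataclasses import dataclass, field

TOMBSTONE_LIFETIME_DAYS = 180   # value the notes give for Windows Server 2003 SP1+


@dataclass
class DomainController:
    name: str
    objects: set = field(default_factory=set)
    tombstones: dict = field(default_factory=dict)   # DN -> day of deletion
    online: bool = True

    def delete(self, dn, day):
        """Deleting an object turns it into a hidden tombstone."""
        self.objects.discard(dn)
        self.tombstones[dn] = day

    def garbage_collect(self, day):
        """Remove tombstones older than the tombstone lifetime; returns them."""
        expired = [dn for dn, d in self.tombstones.items()
                   if day - d > TOMBSTONE_LIFETIME_DAYS]
        for dn in expired:
            del self.tombstones[dn]
        return expired

    def replicate_from(self, peer):
        """Multi-master replication: apply the peer's tombstones locally.
        Once a tombstone has been garbage-collected, nothing is left to replicate."""
        if not (self.online and peer.online):
            return
        for dn, day in peer.tombstones.items():
            if dn in self.objects:
                self.delete(dn, day)


def lingering_objects(dc, peers):
    """Objects dc still holds that every peer has deleted and already
    garbage-collected, so no tombstone remains to correct dc."""
    return {dn for dn in dc.objects
            if all(dn not in p.objects and dn not in p.tombstones for p in peers)}


def run_scenario(offline_days):
    """DC2 goes offline on day 0, the object is deleted on DC1, and DC2
    reconnects after offline_days. Returns DC2's lingering objects."""
    dn = "CN=Alice,OU=Sales,DC=example,DC=local"     # constructed DN
    dc1 = DomainController("DC1", {dn})
    dc2 = DomainController("DC2", {dn}, online=False)
    dc1.delete(dn, day=0)
    for day in range(offline_days + 1):              # the 12-hour GC cycle is
        dc1.garbage_collect(day)                     # collapsed to once a day here
    dc2.online = True
    dc2.replicate_from(dc1)
    return sorted(lingering_objects(dc2, [dc1]))


if __name__ == "__main__":
    print("30 days offline :", run_scenario(30))    # [] - tombstone replicated
    print("200 days offline:", run_scenario(200))   # the lingering object remains
```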
- The Global Catalog is a container which contains a searchable partial replica of all objects from all domains of the forest, and a full replica of all objects from the domain where it is situated. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Global catalogs are mostly used in multidomain, multisite and complex forest environments, whereas the Global Catalog does not function in a single domain forest.
- In a forest that contains only a single Active Directory domain, there is no harm in placing both the GC and the Infrastructure Master on the same DC, because the Infrastructure Master does not have any work to do in a single domain environment. But in a forest with a multiple and complex domain structure, the Infrastructure Master should be located on a DC which is not a Global Catalog server. Because the global catalog server holds a partial replica of every object in the forest, the Infrastructure Master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.
- Command line method: nslookup gc._msdcs.<forest root DNS Domain Name>, or nltest /dsgetdc:corp /GC. GUI method: open DNS management, and under 'Forward Lookup Zone', click on the GC container. To check if a server is a GC or not, go to the Active Directory Sites and Services MMC and under the 'Servers' folder, open the properties of NTDS Settings of the desired DC and check whether the Global Catalog option is ticked.
- As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
- When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
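The exchange described above, as an added example that is not part of the original notes: a toy Python model in which master_key stands in for the one-way password hash (KA), the KDC issues SA under KA and a TGT under its own KKDC, and the client recovers SA from its password but cannot open the TGT. The realm name, the PBKDF2 parameters and the HMAC-based cipher are constructed for this example; none of this is the real Kerberos 5 wire protocol or its encryption types.

```python
"""Added example, not from the original notes: a toy model of the Kerberos
logon (AS) exchange. Keys and the cipher are built from hashlib/hmac so it
runs offline; it only mirrors the structure of the exchange."""
import hashlib, hmac, json, os, time

REALM = b"EXAMPLE.LOCAL"   # constructed realm name, used as the salt


def master_key(password: str) -> bytes:
    """One-way function turning a password into the long-term key K_A."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt(key: bytes, payload: dict) -> bytes:
    """Toy encrypt-then-MAC: HMAC-SHA256 keystream XOR plus an HMAC tag."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    def __init__(self, principals: dict):
        self.db = {u: master_key(p) for u, p in principals.items()}  # long-term keys
        self.k_kdc = os.urandom(32)   # KDC master key K_KDC, known only to the KDC

    def as_exchange(self, user: str, lifetime: int = 36000):
        """Client sends only its user name; the KDC returns the session key
        S_A encrypted under K_A and a TGT (second copy of S_A) under K_KDC."""
        s_a, expires = os.urandom(32), int(time.time()) + lifetime
        tgt = encrypt(self.k_kdc, {"user": user, "s_a": s_a.hex(), "expires": expires})
        return encrypt(self.db[user], {"s_a": s_a.hex(), "expires": expires}), tgt

    def open_tgt(self, tgt: bytes) -> dict:
        """Later requests: only the KDC can read the TGT it issued."""
        t = decrypt(self.k_kdc, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        return t


def client_logon(kdc: KDC, user: str, password: str):
    """Client derives K_A from the password and recovers S_A; a wrong
    password gives a wrong K_A and decryption fails with ValueError."""
    for_client, tgt = kdc.as_exchange(user)
    s_a = bytes.fromhex(decrypt(master_key(password), for_client)["s_a"])
    return s_a, tgt
```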
- Lightweight Directory Access Protocol (LDAP) is an Internet standard protocol which is used as the standard protocol for Active Directory functions. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500.
- Active Directory related files are by default located in the %SystemRoot%\ntds folder. NTDS.DIT is the main Active Directory database file. Apart from this, other files such as EDB.LOG, EDB.CHK, RES1.LOG, TEMP.EDB etc. are also located in the same folder.
- Global Catalog servers produce huge traffic related to the replication process. Therefore, making all the domain controllers in the forest Global Catalog servers will cause network bandwidth problems. GCs should be placed based on network bandwidth and user or application requirements.
What is DNS?
DNS stands for Domain Naming Server; it is a standard for naming domains in any operational environment (Windows, Linux, Solaris, any environment). It is a server which contains a database of all the domains and all the servers which are associated with those domains.
Why is it used?
It's a service dedicated to identifying all the machines (domains & member servers) in a network. To make this possible, every machine has to be registered in the authoritative DNS server of that network. That means every operational network should have a dedicated DNS server to enable identification and communication between the machines.
How does it work?
As I said, it is dedicated to identification, or in technical words "name resolution". Every machine in a network has a dedicated IP address & hostname as its identity. Whenever a machine tries to communicate with another machine on the network it should first identify the second machine, that means it should know the IP address of that particular machine. After knowing the identity (i.e. the IP address), it communicates directly with the second machine. So to speak, a machine should know the IP address of the other machine with which it is going to communicate before it starts. Another question... Why are hostnames used, if the machine already has an identity in the form of an IP address? A hostname is an English word which is useful for human remembrance. It is impossible for a human being to remember lots of IP addresses, but it is possible to remember English names of the same hosts (as we generally configure the hostnames with an employee name or department name or location name etc). For example we can remember www.yahoo.com but not its IP address, because we do not have only one website on the internet. To sum up, hostnames and IP addresses are both used for identification and communication between two machines in a network. But machines are only able to communicate with IP addresses, which are impossible for humans to remember (keep in mind machines never communicate with hostnames). To solve this situation DNS was implemented. It basically contains a database of host records in a network. A host record contains "Hostname : IP address"; see the image below for better understanding. Our Internet is purely dependent on DNS: when we access a particular website we give its English name, and when we press ENTER the machine immediately starts finding the IP address of the website using the DNS server configured on it. I will explain the name resolution process in detail. And one more thing about DNS: it is the single largest database on the internet, and it changes every second. If this database went down by chance, we would have to remember all the IP addresses to access the internet. Hahaha, it will not happen, because we have so many backup solutions already implemented.
How does the name resolution take place?
I will explain this concept with the internet as an example. Before that I want you to check some settings on your machine. Check the TCP/IP properties and see whether a DNS server is configured or not. If you are seeing the "obtain automatically" option, open a command prompt, type "ipconfig /all" and press Enter. You will get the DNS servers' information along with your machine's IP address. Now let's talk about the scenario. When you try to open a website like www.google.com, what happens next? How does your machine get the IP address of www.google.com? Here it goes....
1. The request is sent to the DNS server which is configured on your machine.
2. The DNS server checks for the host record of www.google.com in its database; if it contains a record for www.google.com, it will directly send a response with the IP address of www.google.com. Otherwise it starts requesting another DNS server.
3. Before it goes to another DNS server, how does it identify which DNS server is responsible for this request? It checks the entire hostname (this is called the FQDN: Fully Qualified Domain Name), i.e. in Google's case www.google.com. (Note that the FQDN ends with a period, and this period is called the root domain.)
5. So in your case, the domain is .com, and the DNS server sends the request to the .com master DNS server (for example, assume it is 198.41.0.4). The .com master DNS server contains name server records for all machines ending with .com. That means it definitely contains the DNS server IP address for google.com. In the same way it contains all the .com servers: yahoo.com, microsoft.com & so on.
6. It does not contain the IP address of google.com, it contains the DNS server IP of google.com.
7. So then the request is forwarded to the google.com DNS server; in that server you will have a host record with the name www and its IP address. Finally you reached it. With the found IP address the request comes back as a response the same way in reverse to the DNS server which is configured on your machine, and that DNS server tells the IP address of www.google.com to your machine.
8. This process happens in milliseconds in the background, i.e. by the time you get the "Website found, waiting for reply" message in the status bar of your Internet Explorer.
9. Oh my god!!!! Is it that simple? Yes it is. The same process occurs in corporate networks also, but the requests are handled by their local DNS servers only.
10. See the animation below for better understanding.
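The steps above, as an added simulation that is not part of the original post: a toy iterative resolver that first checks its own database (step 2), then follows NS delegations from a starting server to the .com server and on to the google.com server (steps 3-7), caching the answer and following a CNAME alias along the way. All zone data and addresses are constructed for this example, and the post's 198.41.0.4 is used here as the starting server that delegates .com; nothing is sent on the network.

```python
"""Added example, not from the original post: a toy iterative resolver that
walks the delegation chain from the steps above (own database -> starting
server -> .com -> google.com). All zone data and addresses are constructed
for this simulation; nothing is sent on the network."""

START_SERVER = "198.41.0.4"   # the address the post uses for the ".com master"
# Constructed zone data per server: "ns" maps a delegated zone to the address
# of its DNS server (an NS record with glue), "A" and "CNAME" are host records.
ZONES = {
    START_SERVER: {"ns": {"com.": "192.0.2.10"}},
    "192.0.2.10": {"ns": {"google.com.": "192.0.2.20",
                          "yahoo.com.": "192.0.2.30"}},
    "192.0.2.20": {"A": {"www.google.com.": "203.0.113.5"},
                   "CNAME": {"mail.google.com.": "www.google.com."}},
    "192.0.2.30": {"A": {"www.yahoo.com.": "203.0.113.9"}},
}


def fqdn(name):
    """Normalise to a fully qualified name ending with the root period."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


class LocalDnsServer:
    """The DNS server configured on your machine (step 1): answers from its
    own database when it can (step 2), otherwise follows referrals (3-7)."""

    def __init__(self):
        self.cache = {}     # host records it already knows: FQDN -> IP
        self.trace = []     # (server asked, name) pairs, to show the path taken

    def resolve(self, name, depth=0):
        name = fqdn(name)
        if depth > 5:
            raise RuntimeError("CNAME chain too long")
        if name in self.cache:
            self.trace.append(("cache", name))
            return self.cache[name]
        server = START_SERVER
        for _hop in range(8):                       # bound the referral chain
            self.trace.append((server, name))
            zone = ZONES[server]
            if name in zone.get("A", {}):           # step 7: host record found
                self.cache[name] = zone["A"][name]
                return self.cache[name]
            if name in zone.get("CNAME", {}):       # alias: resolve its target
                return self.resolve(zone["CNAME"][name], depth + 1)
            labels = name.split(".")                # steps 3-6: follow the
            for i in range(len(labels) - 1):        # longest matching delegation
                suffix = ".".join(labels[i:])
                if suffix in zone.get("ns", {}):
                    server = zone["ns"][suffix]
                    break
            else:
                raise LookupError(f"no such name: {name}")
        raise RuntimeError("too many referrals")
```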
Understanding DNS : Part - II
Hi Guys,
DNS Records
There are so many records associated with a DNS server. The name resolution process does not happen properly without these records.
As you know, the DNS server's main purpose is to resolve host names to IPs and vice versa.
· A Record : Contains information about an IP address. It is helpful in resolving host names to IP addresses.
· PTR Record : Pointer record, contains information about a host name. It is helpful in resolving an IP address to a hostname.
· CNAME Record : Alias of an A Record. It is helpful in giving multiple names to a single host, which means the same host is able to provide multiple services. In that case, to segregate the services and to communicate with each service we need to give a different name to each service. Even though these services are hosted on a single server, we can send our request to the target service. The CNAME record is helpful in identifying and communicating with that service on that server.
· MX Record : It is a record helpful in identifying the mail server in a DNS domain (for that organization).
· NS Record : It is a record helpful in identifying the DNS server in a DNS domain (for that organization).
· SRV Record : This record is created when we install a service which is DNS dependent. It is automatically generated and will be associated with a specific IP address. It is called a Service record.
· SOA Record : Start of Authority record; this is not a record associated with any IP address. But it is associated with a number which determines the update number. Whatever the update, whenever it is done this number is incremented.
These are the records associated with each and every server in this world. A fact is that "DNS is the biggest database in the world and it is the only one which gets updated every second." And this database is not located at a single place; it is spread across the world in different places like different companies, different ISPs, different homes etc. And the name resolution process is explained in my previous post Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.