The KCC (Knowledge Consistency Checker) is a built-in process that runs on all
domain controllers and generates the replication topology for the Active
Directory forest. The KCC creates separate replication topologies depending on
whether replication is occurring within a site (intrasite) or between sites
(intersite). The KCC also dynamically adjusts the topology to accommodate new
domain controllers, domain controllers moved to and from sites, changing costs
and schedules, and domain controllers that are temporarily unavailable.
Group Types
* Security groups: Use security groups for granting permissions to gain access
to resources. Sending an e-mail message to a security group sends the message
to all members of the group, so security groups also have the capabilities of
distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail
messages to groups of users. You cannot grant permissions to distribution
groups. Even though security groups have all the capabilities of distribution
groups, distribution groups are still required, because some applications can
only read distribution groups.
Group Scopes
Group scope describes which users should be grouped together so that they are
easy to administer; groups therefore play an important part in a domain. One
group can be a member of other group(s), which is known as group nesting. One
or more groups can be members of any group in any domain within the forest.
* Domain Local Group: Use this scope to grant permissions to domain resources
that are located in the same domain in which you created the domain local
group. Domain local groups can exist at all mixed, native and interim
functional levels of domains and forests. Domain local group membership is not
limited: you can add user accounts, universal groups and global groups from any
domain as members. Remember that nesting cannot be done with domain local
groups: a domain local group will not be a member of another domain local group
or of any other group in the same domain.
* Global Group: Users with a similar function can be grouped under the global
scope and given permission to access a resource (such as a printer, a shared
folder or files) in the local domain or in another domain in the same forest.
In simple words, global groups can be used to grant permissions to resources
located in any domain within a single forest, but their membership is limited:
user accounts and global groups can be added only from the domain in which the
global group was created. Nesting is possible with global groups, as a global
group can be added to other groups in any domain. Finally, to grant permission
to domain-specific resources (such as printers and published folders), global
groups can be members of a domain local group. Global groups exist at all
mixed, native and interim functional levels of domains and forests.
* Universal Group Scope: these groups are used specifically for e-mail
distribution, and they can be granted access to resources in all trusted
domains, since they can be used as a security principal (security group type)
only in a Windows 2000 native or Windows Server 2003 domain functional level
domain. Universal group membership is not limited like that of global groups:
all domain user accounts and groups can be members of a universal group.
Universal groups can be nested under a global or domain local group in any
domain.
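The three scope rules above can be turned into a membership checker. The following is an added example written for these notes, not Microsoft code; it encodes the rules exactly as the notes state them (domain local accepts users, global and universal groups from any domain but no other domain local groups; global accepts only users and global groups from its own domain; universal accepts any account or group) so that a planned set of group additions can be validated before it is applied. The principal names and domain names are constructed sample data.

```python
# Added example (not from the notes, not Microsoft code): a checker that encodes the
# group-scope membership rules as the notes state them, so a planned membership
# change can be validated before it is applied. Names and domains are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain in which the account or group was created
    kind: str     # "user", "domain_local", "global" or "universal"


def can_be_member(member: Principal, group: Principal) -> tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group`.

    Rules as the notes state them:
    - domain local: users, global and universal groups from any domain, but not
      other domain local groups (nesting is not done with domain local groups)
    - global: only users and global groups from the group's own domain
    - universal: any domain user account or group
    """
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return False, "a domain local group cannot be nested in a domain local group"
        return True, "domain local groups accept users, global and universal groups from any domain"
    if group.kind == "global":
        if member.kind not in ("user", "global"):
            return False, f"a global group cannot contain a {member.kind} group"
        if member.domain != group.domain:
            return False, "global group members must come from the group's own domain"
        return True, "user or global group from the same domain"
    if group.kind == "universal":
        return True, "universal groups accept accounts and groups from any domain"
    return False, f"{group.kind!r} is not a valid group scope"


def check_plan(plan: list[tuple[Principal, Principal]]) -> list[str]:
    """Validate a list of (member, group) additions; return the violations found."""
    problems = []
    for member, group in plan:
        ok, reason = can_be_member(member, group)
        if not ok:
            problems.append(f"{member.name} -> {group.name}: {reason}")
    return problems


# Constructed sample plan: users in a global group, the global group in a
# domain local group that holds the permission, plus two additions that break
# the rules (a user from another domain, and domain local nesting).
SAMPLE_PLAN = [
    (Principal("alice", "corp", "user"), Principal("Sales", "corp", "global")),
    (Principal("bob", "eu", "user"), Principal("Sales", "corp", "global")),
    (Principal("Sales", "corp", "global"), Principal("PrinterUsers", "eu", "domain_local")),
    (Principal("DL-A", "corp", "domain_local"), Principal("DL-B", "corp", "domain_local")),
    (Principal("AllStaff", "eu", "universal"), Principal("Everyone", "corp", "universal")),
]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN):
        print("violation:", line)
```

Running the block reports the two violations in the sample plan (bob from the eu domain added to a corp global group, and one domain local group nested in another); the other three additions follow the pattern the notes describe.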
Differential
A cumulative backup of all changes made after the last full backup. The
advantage of this is the quicker recovery time, requiring only the full backup
and the latest differential backup to restore the system. The disadvantage is
that for each day elapsed since the last full backup, more data needs to be
backed up, especially if a majority of the data has been changed.
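The trade-off described above (fewer sets to restore, more data per run) can be computed from a backup history. The following is an added example written for these notes, not part of any backup product: restore_chain() returns the sets a restore needs for a given date, and data_written() totals what the runs copied. The week of dates and the megabyte figures are constructed sample values; the incremental scheme is included only as the contrast the notes imply.

```python
# Added example (not from the notes): given a backup history, compute which backup
# sets a restore needs. It contrasts the differential scheme described above
# (full + latest differential) with incremental backups (full + every incremental
# since). Dates and sizes are constructed sample figures.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: str       # ISO date, so plain string comparison orders correctly
    kind: str      # "full", "differential" or "incremental"
    size_mb: int   # constructed size of the backup set


def restore_chain(history: list[Backup], target: str) -> list[Backup]:
    """Return the backup sets needed, oldest first, to restore the state as of `target`.

    A differential is cumulative since the last full backup, so only the latest
    one is needed; an incremental holds only one run's changes, so every one
    taken after the newest differential (or after the full) must be replayed.
    """
    past = sorted((b for b in history if b.day <= target), key=lambda b: b.day)
    fulls = [b for b in past if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    full = fulls[-1]
    since_full = [b for b in past if b.day > full.day]
    diffs = [b for b in since_full if b.kind == "differential"]
    chain = [full]
    cutoff = full.day
    if diffs:
        chain.append(diffs[-1])       # latest differential supersedes the earlier ones
        cutoff = diffs[-1].day
    chain.extend(b for b in since_full if b.kind == "incremental" and b.day > cutoff)
    return chain


def data_written(history: list[Backup]) -> int:
    """Total megabytes copied over the whole history (the cost of the backup runs)."""
    return sum(b.size_mb for b in history)


# Constructed week: one full backup on Sunday, then one backup per day. The
# differential sets grow because each repeats everything changed since Sunday.
DIFFERENTIAL_WEEK = [
    Backup("2024-03-03", "full", 5000),
    Backup("2024-03-04", "differential", 200),
    Backup("2024-03-05", "differential", 350),
    Backup("2024-03-06", "differential", 500),
]
INCREMENTAL_WEEK = [
    Backup("2024-03-03", "full", 5000),
    Backup("2024-03-04", "incremental", 200),
    Backup("2024-03-05", "incremental", 150),
    Backup("2024-03-06", "incremental", 150),
]

if __name__ == "__main__":
    for name, week in (("differential", DIFFERENTIAL_WEEK), ("incremental", INCREMENTAL_WEEK)):
        chain = restore_chain(week, "2024-03-06")
        print(f"{name}: restore {len(chain)} sets; {data_written(week)} MB written during the week")
```

For the constructed week, restoring Wednesday needs two sets under the differential scheme and four under the incremental one, while the differential runs wrote 6050 MB against 5500 MB, which is exactly the quicker-recovery-for-more-data trade-off the notes describe.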
Common port numbers
15 Netstat
21 FTP
23 Telnet
25 SMTP
37 Time
42 WINS
53 DNS
67 Bootp
68 DHCP
79 Finger
80 HTTP
88 Kerberos
101 Hostname
110 POP3
119 NNTP
123 NTP (Network Time Protocol)
139 NetBIOS
161 SNMP
180 RIS
220 IMAP3
389 LDAP (Lightweight Directory Access Protocol)
443 HTTPS (HTTP over SSL/TLS)
500 Internet Key Exchange, IKE (IPSec) (UDP 500)
520 RIP
3268 AD Global Catalog
3269 AD Global Catalog over SSL
3389 Terminal Services
diskpart.exe: this command is used for disk management in Windows 2003.
nltest /dsgetdc:domainname (replacing domainname with the name of the domain
that you are trying to log on to). This command verifies that a domain
controller can be located. Nltest is included in the Support Tools.
Which icons do not get a delete option on the desktop (up to the 2000 O.S.)?
My Computer
My Network Places
Recycle Bin
Note: In Windows 2003 you can delete My Computer and My Network Places. You
can also get them back: right-click on the Desktop > Properties > click on the
Desktop tab > click on Customize Desktop > select the appropriate check boxes.
Even in 2003 you cannot delete the Recycle Bin.
Note: You can delete anything (even the Recycle Bin) from the desktop by using
registry settings in 2000/2003.
After creating the root zone, create another zone with the domain name:
right-click on Forward Lookup Zones > New Zone > Active Directory Integrated
(you can choose any one) > DNS Name [___] > Next > Finish.
If you want to create an Active Directory integrated zone, the server must be a
domain controller.
If you want to create a primary DNS zone, you can create it on a domain
controller or on a member server. But if you create it on a member server you
will not get the 4 options under the domain which are meant for Active
Directory.
You can create a secondary zone on a member server or on a domain controller.
There is no difference between them.
What is BIND?
What are the ports numbers used for Kerberos, LDAP etc in DNS?
What is a zone?
A database of records is called a zone.
Also called a zone of authority, a subset of the Domain Name System (DNS)
namespace that is managed by a name server.
Or
Go to the Registry, search for lanmanNt and change it to serverNt.
You have to follow the same procedure as for the primary DNS configuration,
but at the time of selection, select Secondary zone instead of Primary zone.
After that it asks for the primary DNS zone address; provide that address.
Then it asks for the primary DNS zone details; provide those details, then
click on Finish.
Select any one and give the details of the secondary zone (only in the case of
the second and third option).
Click on Apply, then OK.
Note: In the Zone Transfers tab you can find another option, Notify, which is
used to automatically notify secondary servers when the zone changes. Here
also you can select the appropriate options.
Note: In a secondary zone you cannot modify any information. Everyone has
read-only permission.
Whenever the primary DNS server is down, click on the "Change" button on the
General tab of the zone properties to change the zone to primary; then it acts
as primary, and there you have write permission also.
What are the default time settings in the primary zone for the Refresh, Retry
and Expire intervals of a secondary zone?
The default settings are
Suppose the secondary zone has expired; how do you solve the problem?
Go to the properties of the zone, click on the General tab; there you can find
the option called "Change". Click on it, then select the appropriate option.
Then click on OK.
Iterative query
The query that has been sent to my DNS server from my computer.
Recursive query
The query that has been sent from my DNS server to other DNS servers to learn
the IP address of a particular server.
When you install a Windows 2000 DNS server, you immediately get all of the
records of the root DNS servers. So every Windows 2000 DNS server installed on
the Internet is preconfigured with the addresses of the root DNS servers, and
every single DNS server on the Internet can reach the root servers.
DNS requirements:
First and foremost, it has to support SRV records (an SRV record identifies a
particular service on a particular computer; in Windows 2000 we use SRV
records to identify domain controllers, the Global Catalog, etc.).
Note: Most DNS servers support AXFR (i.e., full zone transfer).
In an incremental zone transfer (IXFR) we transfer only the changes, but in
AXFR we transfer the whole zone.
How does a DNS server know the root domain server addresses?
Every DNS server installed on the Internet is preconfigured with the root DNS
server addresses.
Every single server can get to the root. That is why every DNS server on the
Internet first contacts the root DNS servers for name resolution.
Where can you find the addresses of the root servers in the DNS server?
Open the DNS console > right-click on the domain name > drag down to
Properties > click on Root Hints. Here you can find the different root server
addresses.
Note: When you install the DNS service on a 2000 server operating system
(before you have configured anything on the DNS server), it starts
functioning as a caching-only DNS server.
What is a caching-only DNS server?
What is a forwarder?
(Open the DNS console > right-click on the domain name > click on the
Forwarders tab)
A forwarder is a server which has more access than the present DNS server.
Maybe our present DNS server is located on the internal network and cannot
resolve Internet names: maybe it is behind a firewall, or it is using a proxy
server or NAT server to get to the Internet. Then this server forwards the
query to another DNS server that can resolve the Internet names.
What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables
a server to automatically assign an IP address to a computer from a defined
range of numbers (i.e., a scope) configured for a given network.
2) Independently
Note: When you have installed DHCP, an icon will appear in Administrative
Tools (DHCP).
In the DHCP console, add the server: This server [________________] Browse >
OK. The server then appears in the console as servername.domain.com [IP
address].
Note: Sometimes the window comes up automatically when creating the "Add
Server" entry. In such cases check whether the IP address is correct or not.
If it is wrong, delete it and recreate it.
Now you have a DHCP server.
Now you have to authorize the DHCP server to provide IP addresses to the
clients.
Note: If it is not authorized, a red symbol (a red down arrow) will appear; if
you authorize it, a green up arrow will appear.
Click on Next.
Click on Next.
What are the default lease duration, minimum lease duration and maximum
lease duration?
By default any system gets an 8-day lease to use an IP address.
Note: You can increase or decrease the lease duration. You have to assign a
minimum duration of at least 1 second, and you can assign a maximum duration
of 999 days 23 hours 59 minutes.
Note: If you haven't logged on for 50% of the duration continuously, the IP
address will be released.
Click Next.
Now you will get a window asking whether you want to configure the options
(DNS, WINS, Router etc.).
You can configure the options now, or you can do it after completing this
wizard.
Select any one, then click Next.
Click Finish.
Note: If you selected "No" in the above window you can configure the above
things at any time, as below.
Note: You can reserve an IP address for a specific client, or you can exclude
IP addresses (leaving them unallocated) for future purposes.
Go to the client system.
In the TCP/IP properties select "Obtain an IP address automatically" and
"Obtain DNS server address automatically".
Click on "More" and delete the DNS suffix if anything is there.
Click OK.
Note: The DHCP server assigns IP addresses to the clients. But apart from that
it also provides the DNS address, default gateway, WINS address and so on,
which are configured on the DHCP server.
DHCP Discover:
Whenever a client has to obtain an IP address from a DHCP server it broadcasts
a message called "DHCP Discover", which contains the destination address
255.255.255.255, the source IP address 0.0.0.0 and its MAC address.
DHCP Offer:
The DHCP server on the network responds to the DHCP Discover by sending a
DHCP Offer message to the client requesting an IP address.
DHCP Request:
The client, after receiving the Offer message, sends a "DHCP Request" message
asking the DHCP server to confirm the IP address it offered in the DHCP Offer
message.
DHCP Acknowledge:
The DHCP server responds to the "DHCP Request" message by sending an
Acknowledge message through which it confirms the IP address to the client
machine.
Note: You can also enable DHCP in a workgroup for dynamic allocation of IP
addresses.
Configure the server operating system in the workgroup as a DHCP server, then
on the client, in the TCP/IP properties, select "Obtain an IP address
automatically". Then the client gets an IP address from the DHCP server.
Note: You need not configure DNS or anything else.
Using APIPA
On occasion, a network PC boots up and finds that the DHCP server is not
available. When this happens, the PC continues to poll for a DHCP server using
different wait periods.
The Automatic Private IP Addressing (APIPA) service allows the DHCP client to
automatically configure itself until the DHCP server is available and the client
can be configured to the network. APIPA allows the DHCP client to assign itself
an IP address in the range of 169.254.0.1 to 169.254.254.254 and a Class B
subnet mask of 255.255.0.0. The address range that is used by APIPA is a Class
B address that Microsoft has set aside for this purpose.
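The Discover/Offer/Request/Acknowledge exchange, the scope options (exclusions, reservations, lease limits) and the APIPA fallback described above can be modelled together. The following is an added example written for these notes, not Microsoft code and not a real DHCP implementation: messages are plain dicts rather than BOOTP-framed packets with numbered options, and a client simply takes the first offer it receives. All addresses, MAC addresses and option values are constructed sample data; the 8-day default and the 1 second to 999 days 23 hours 59 minutes lease limits are the figures the notes give.

```python
# Added example (not from the notes, not Microsoft code): a toy model of the DHCP
# exchange described above (Discover / Offer / Request / Acknowledge) with a client
# that falls back to an APIPA address when no server offers a lease. Messages are
# plain dicts; real DHCP uses BOOTP-framed packets and numbered options. All
# addresses and MACs are constructed sample values.
from __future__ import annotations
import ipaddress
import random

BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_LEASE = 8 * 86400                                    # 8 days, the default in the notes
MIN_LEASE, MAX_LEASE = 1, 999 * 86400 + 23 * 3600 + 59 * 60  # 1 second .. 999 d 23 h 59 min


def validate_lease(seconds: int) -> int:
    """Reject lease durations outside the range the notes give."""
    if not MIN_LEASE <= seconds <= MAX_LEASE:
        raise ValueError(f"lease of {seconds}s is outside {MIN_LEASE}..{MAX_LEASE}")
    return seconds


class DhcpServer:
    """One scope with optional exclusions (never handed out) and reservations (MAC -> IP)."""

    def __init__(self, start, end, exclusions=(), reservations=None, lease=DEFAULT_LEASE, options=None):
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        excluded = set(exclusions)
        self.pool = [ip for ip in (str(ipaddress.ip_address(i)) for i in range(first, last + 1))
                     if ip not in excluded]
        self.reservations = dict(reservations or {})
        self.lease = validate_lease(lease)
        self.options = dict(options or {})   # subnet_mask, router, dns, wins ... sent with the lease
        self.offers = {}                     # MAC -> IP offered but not yet confirmed
        self.leases = {}                     # MAC -> IP confirmed by an ACK

    def _address_for(self, mac):
        if mac in self.reservations:
            return self.reservations[mac]
        taken = set(self.offers.values()) | set(self.leases.values()) | set(self.reservations.values())
        return next((ip for ip in self.pool if ip not in taken), None)

    def handle(self, msg):
        """Answer one client message; None means the server stays silent."""
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._address_for(mac)
            if ip is None:                   # scope exhausted: no offer goes out
                return None
            self.offers[mac] = ip
            return {"type": "DHCPOFFER", "mac": mac, "your_ip": ip, "server": id(self)}
        if msg["type"] == "DHCPREQUEST":
            if self.offers.get(mac) != msg["requested_ip"]:
                return {"type": "DHCPNAK", "mac": mac}
            self.leases[mac] = self.offers.pop(mac)
            return {"type": "DHCPACK", "mac": mac, "your_ip": self.leases[mac],
                    "lease_seconds": self.lease, **self.options}
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.ip, self.mask, self.options = mac, None, None, {}
        self.rng = random.Random(mac)        # deterministic APIPA pick per MAC

    def _apipa(self):
        # Self-assigned address in 169.254.0.1 .. 169.254.254.254 with a 255.255.0.0 mask.
        offset = self.rng.randint(1, 254 * 256 + 254)
        self.ip = str(ipaddress.ip_address(int(APIPA_NET.network_address) + offset))
        self.mask = "255.255.0.0"
        return "APIPA"

    def obtain(self, servers):
        """Run Discover/Offer/Request/Ack against `servers`; fall back to APIPA."""
        discover = {"type": "DHCPDISCOVER", "src": UNSPECIFIED, "dst": BROADCAST, "mac": self.mac}
        offers = [(s, s.handle(discover)) for s in servers]       # the broadcast reaches every server
        offers = [(s, o) for s, o in offers if o and o["type"] == "DHCPOFFER"]
        if not offers:
            return self._apipa()
        server, offer = offers[0]                                  # first offer wins in this toy
        request = {"type": "DHCPREQUEST", "src": UNSPECIFIED, "dst": BROADCAST, "mac": self.mac,
                   "requested_ip": offer["your_ip"], "server": offer["server"]}
        ack = server.handle(request)
        if ack is None or ack["type"] != "DHCPACK":
            return self._apipa()
        self.ip, self.mask = ack["your_ip"], ack.get("subnet_mask")
        self.options = {k: v for k, v in ack.items() if k not in ("type", "mac", "your_ip")}
        return "DHCP"


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.10", "192.168.1.12", exclusions=["192.168.1.11"],
                     reservations={"00:11:22:33:44:55": "192.168.1.50"},
                     options={"subnet_mask": "255.255.255.0", "router": "192.168.1.1", "dns": "192.168.1.2"})
    for mac in ("aa:aa:aa:aa:aa:01", "00:11:22:33:44:55", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):
        c = DhcpClient(mac)
        print(mac, c.obtain([srv]), c.ip, c.mask, c.options)
```

With the three-address scope above (one address excluded), the first two ordinary clients get 192.168.1.10 and 192.168.1.12 with the router and DNS options, the reserved MAC always gets 192.168.1.50, and the fourth client receives no offer and self-assigns a 169.254.x.x address, which is the APIPA behaviour the notes describe.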
What is the difference between Windows 2000 Server, Windows 2000 Advanced
Server and Datacenter Server?
In Windows 2000 Server we don't have clustering or network load balancing,
whereas in Windows 2000 Advanced Server and Datacenter Server we have
clustering and network load balancing.
2000 Advanced Server and Datacenter Server support more RAM and more
processors.
What are the minimum and maximum configurations for the Windows family?
What are the differences between the Windows 2000 Professional and Server
versions?
In Professional we don't have fault tolerance (mirroring, RAID 5), whereas in
all server versions we have it.
In Professional we cannot load Active Directory, whereas in all server versions
we can.
In Professional and 2000 Server we don't have clustering and network load
balancing, whereas in 2000 Advanced Server and Datacenter Server we have
clustering and NLB.
As you move from Server to Advanced Server, and from Advanced Server to
Datacenter Server, you get more RAM and more processors.
What roles does the main domain controller (the first domain controller in the
entire forest) have by default?
By default it gets 5 roles.
• Schema Master
• Domain Naming Master
• PDC Emulator
• Relative Identifier (RID) Master
• Infrastructure Master (IM)
What roles does an additional domain controller have by default?
By default it does not get any role. But if you want to assign any role, you
can transfer it from the master.
What roles does a child main domain controller have by default?
By default it gets only three roles.
• PDC Emulator
• Relative Identifier (RID) Master
• Infrastructure Master (IM)
What roles does a child additional domain controller have by default?
By default it won't get any role. But if you want to assign one, you can
transfer it from the main child domain controller.
Which roles must not be on the same domain controller?
Infrastructure Master and Global Catalog
Note: If you have only one domain then you won't get any problem even if you
have both of them on the same server.
If you have two or more domains in a forest then they shouldn't be on the same
server.
How do you check which server the above roles have been assigned to?
Install the Support Tools from the CD.
Programs > Support Tools > Tools > Command Prompt (go to the command prompt
in this way only).
At the command prompt type "netdom query fsmo".
What is FSMO?
Flexible Single Master Operations
Note: The above five roles are called FSMO roles.
What is a client?
A client is any device, such as personal computer, printer or any other server,
which requests services or resources from a server. The most common clients
are workstations.
What is a server?
A server is a computer that provides network resources and services to
workstations and other clients.
2) By My Computer > Properties
On the Network Identification tab, the Properties button will be
disabled.
3) By typing DCPROMO
If it is already a domain controller you will get the uninstallation wizard
for Active Directory.
If it is not a domain controller you will get the installation wizard for
Active Directory.
4. You should see the NETLOGON and SYSVOL shares … just type net share
at the command prompt.
5. You should be able to see the NTDS settings in the winnt directory.
6. You should see the NTDS folder in regedit ..
What is a forest?
A collection of one or more domain trees that do not form a contiguous
namespace. Forests allow organizations to group divisions that operate
independently but still need to communicate with one another.
All trees in a forest share a common schema, configuration partition and
Global Catalog. All trees in a given forest trust each other with two-way
transitive trust relationships.
What is a domain?
A group of computers that are part of a network and share a common directory
and security policies. In Windows 2000 a domain is a security boundary, and
permissions that are granted in one domain are not carried over to other
domains.
What is a partition?
Disk Partition is a way of dividing your Physical Disk so that each section
functions as a separate unit. A partition divides a disk into sections that
function as separate units and that can be formatted for use by a file system.
What is the maximum number of partitions you can create? (Of those, how many
primary and how many extended?)
On a basic disk we can create a maximum of 4 partitions, of which at most 1
can be an extended partition. You can create 4 primary partitions if you do
not have an extended partition.
What is a volume?
Disk volume is a way of dividing your Physical Disk so that each section
functions as a separate unit.
Note: In Windows NT and Windows 2000 by default the system files will be
copied to winnt directory and in Windows 2003 by default they are copied into
Windows directory.
1. I have a file to which the user has access, but he has no folder
permission to read it. Can he access it? It is possible for a user to
navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user
can’t drill down the file/folder tree using My Computer, he can still gain
access to the file using the Universal Naming Convention (UNC). The best
way to start would be to type the full path of a file into Run… window.
What is BIOS?
A computer's basic input/output system (BIOS) is a set of software through
which the operating system (or Setup) communicates with the computer's
hardware devices.
Note: When you format the operating system partition with NTFS, Windows NT and
Windows 2000 are the only operating systems that can read the data.
Note: The only reason to use FAT or FAT32 is for dual booting with versions of
Windows earlier than Windows 2000.
What features do you get when you upgrade from Windows NT to Windows 2000?
The upgrade includes the following features:
* Management tools: Microsoft Management Console, Plug and Play, Device
Manager, Add/Remove Hardware wizard (in Control Panel), support for universal
serial bus, new Backup utility
* Application services: Win32 Driver Model, DirectX 5.0, Windows Script Host
* Security: Encrypting File System
Note: For anything other than a situation with multiple operating systems,
however, the recommended file system is NTFS.
NTFS
Some of the features you can use when you choose NTFS are:
* Active Directory, which you can use to view and control network resources
easily.
* Domains, which are part of Active Directory, and which you can use to
fine-tune security options while keeping administration simple. Domain
controllers require NTFS.
* File encryption, which greatly enhances security.
* Permissions that can be set on individual files rather than just folders.
* Sparse files. These are very large files created by applications in such a way
that only limited disk space is needed. That is, NTFS allocates disk space only
to the portions of a file that are written to.
* Remote Storage, which provides an extension to your disk space by making
removable media such as tapes more accessible.
* Recovery logging of disk activities, which helps you restore information
quickly in the event of power failure or other system problems.
* Disk quotas, which you can use to monitor and control the amount of disk
space used by individual users.
* Better scalability to large drives. The maximum drive size for NTFS is much
greater than that for FAT, and as drive size increases, performance with NTFS
doesn't degrade as it does with FAT.
Note:
It is recommended that you format the partition with NTFS rather than
converting from FAT or FAT32. Formatting a partition erases all data on the
partition, but a partition that is formatted with NTFS rather than converted
from FAT or FAT32 will have less fragmentation and better performance.
What options do you get when you shut down?
Log off
Restart
Shut down
Stand by
Hibernate
Disconnect
Standby: Turns off your monitor and hard disks, and your computer uses
less power.
A state, in which your computer consumes less electric power when it is
idle, but remains available for immediate use. Typically, you’d put your
computer on stand by to save power instead of leaving it on for extended
periods.
In stand by mode, information in computer memory is not saved on your
hard disk. If the computer loses power, the information in memory will be lost.
This option appears only if your computer supports this feature and you
have selected this option in Power Options. See Power Options overview in
Help.
Hibernation: Turns off your monitor and hard disk, saves everything in memory
on disk, and turns off your computer. When you restart your computer, your
desktop is restored exactly as you left it.
A state in which your computer saves any Windows settings that you
changed, writes any information that is currently stored in memory to your
hard disk, and turns off your computer. Unlike shutting down, when you restart
your computer, your desktop is restored exactly as it was before hibernation.
Hibernate appears only if your computer supports this feature and you
have selected the Enable hibernate support option in Power Options. See
Power Options overview in Help.
Disconnect
A state, in which your Terminal Services session is disconnected, but
remains active on the server. When you reconnect to Terminal Services, you
are returned to the same session, and everything looks exactly as it did before
you disconnected.
Disconnect appears only if you are connected to a Windows 2000 Server
running Terminal Services.
Shut down
A state in which your computer saves any Windows settings that you
changed and writes any information that is currently stored in memory to your
hard disk. This prepares your computer to be turned off.
Restart
A state in which your computer saves any Windows settings that you
changed, writes any information that is currently stored in memory to your
hard disk, and then restarts your computer.
Log off
A state in which your computer closes all your programs, disconnects
your computer from the network, and prepares your computer to be used by
someone else.
When connected to a Windows 2000 Server running Terminal Services,
Log off closes all programs running in your Terminal Services session,
disconnects your session, and returns you to your Windows desktop.
What are the setup files that are used to install Windows 2000?
If you are installing from the DOS operating system, the setup file is winnt.
If you are installing from Windows 95/98, Windows NT or Windows 2000, the setup
file is winnt32.
What error message do you get when you run "winnt" instead of winnt32 on a
32-bit Windows operating system (like Win 95/98, Win NT or Win 2000)?
How do you install the Windows 2000 deployment tools, such as the Setup
Manager Wizard and the System Preparation tool?
To install the Windows 2000 Setup Tools, display the contents of the
Deploy.cab file, which is located in the Support\Tools folder on the Windows
2000 CD-ROM. Select all the files you want to extract, right-click a selected
file, and then select Extract from the menu. You will be prompted for a
destination, the location and name of a folder, for the extracted files.
What is Desktop?
The desktop, which is the screen that you see after you log on to
Windows 2000, is one of the most important features on your computer. The
desktop can contain shortcuts to your most frequently used programs,
documents, and printers.
Suppose your CD is an autoplay CD. What key is used to stop the autoplay of
the CD?
Hold down the Shift key for some time immediately after inserting the CD.
What is Netware?
Netware is a computer network operating system developed by Novell.
What is Network?
A network is a group of computers that can communicate with each other,
share resources such as hard disks and printers, and access remote hosts or
other networks.
Drive Letters:
Each workstation can assign up to 26 letters to regular drive mappings.
Drive letters that are not used by local devices are available for network
drives.
Generally the drive letters A and B represent floppy disk drives and C
represents the local hard disk.
What do you call the right-hand portion (i.e., where the clock and other icons
are) of the taskbar?
System Tray or Notification Area
2) Boot from the floppy, insert the CD, and install the O.S.
3) Install over the network or install from the hard disk. For this you have
to run the file winnt or winnt32.
Note: winnt is used when you are installing from an operating system other
than Windows NT or 2000 (i.e., DOS, Windows 95/98 or any other).
winnt32 is used if you are installing from Windows NT or Windows 2000.
What is WINS and what does it do?
WINS stands for Windows Internet Naming Service. It resolves NetBIOS names to
IP addresses. WINS is used only when you need to access NetBIOS resources.
What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. It is a naming
interface: the interface by which a client connects to the lower levels of the
TCP/IP model in order to communicate with and access resources.
We share resources through the NetBIOS interface in Windows NT. This means
that we are using the NetBIOS name to connect the client to the server.
What is the location of the lmhosts file (LAN Manager Hosts file) in Windows
2000?
winnt\system32\drivers\etc\lmhosts.sam
Note: The extension indicates that it is a sample file. You create the lmhosts
file without that extension.
What are the Windows 2000 WINS enhancements compared to the previous
versions?
• Better Management interface
• Better clients
• Replication can maintain persistent connections.
• Supports automatic partner discovery
• Integrates with DNS and DHCP
• Supports burst mode handling
What is the port used for Terminal Services?
3389
When a user logs on, the startup items are loaded. How do you stop them?
(The notification area icons)
When the user types the user name and password and presses Enter, immediately
hold down the Shift key. Then the above items will not be loaded.
Note: Class A, Class B and Class C are used to assign IP addresses. Class D is
used for multicasting. Class E is reserved for the future (experimental).
Note: If you want to restore the system state backup on a domain controller
you have to restart the computer in Directory Services Restore Mode, because
you are restoring Active Directory and it must not be active while it is
restored. If you restart the computer in Directory Services Restore Mode,
Active Directory is not active, so you can restore it.
You can restore Active Directory in two ways:
Authoritative restore
Non-authoritative restore
Local policy
Site Policy
Domain Policy
OU Policy
Sub OU Policy (If any are there)
Configuration Partition
The configuration partition, which contains replication configuration
information (and other information) for the forest
Schema Partition
The schema partition contains all object types and their attributes that
can be created in Active Directory. This data is common to all domain
controllers in the domain tree or forest, and is replicated by Active Directory to
all the domain controllers in the forest.
2) Start > Run > type netdom query fsmo. The computer names listed there are
domain controllers.
3) Search for the NTDS and SYSVOL folders in the system directory; if they
are there then it is a domain controller.
6) In 2000 you cannot change the name of a domain controller, so right-click
on My Computer > Properties > Network Identification; there the Change button
is greyed out.
Diagnostic Utilities
a) ping b) finger c) hostname d) nslookup e) ipconfig f) netstat
g) nbtstat h) route i) tracert j) arp
PING:
Verifies that TCP/IP is configured and that another host is available.
FINGER:
Retrieves system information from a remote computer that supports the
TCP/IP finger service.
HOSTNAME:
Displays the host name.
NSLOOKUP:
Examines entries in the DNS database which pertain to a particular host or
domain.
NETSTAT:
Displays protocol statistics and the current state of TCP/IP connections.
NBTSTAT:
Checks the state of current NetBIOS over TCP/IP connections, updates the
LMHOSTS cache or determines your registered name or scope ID.
ROUTE:
Views or modifies the local routing table.
TRACERT:
Verifies the route from the local host to a remote host.
ARP:
Displays the cache of locally resolved IP address to MAC address mappings.
The root domain has a null label and is not expressed in the FQDN.
How do you know whether port 3389 (Terminal Services) is working or not?
netstat -a (displays all connections and listening ports)
What is a host?
Any device on a TCP/IP network that has an IP address. Examples include
servers, clients, network interface print devices and routers.
Note: Ports 0-1023 are called well-known ports and all other ports
(i.e., 1024-65535) are called dynamic or private ports.
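The "netstat -a" check above is usually done by eye; the following added example (written for these notes, not a Microsoft tool) parses the Windows-style netstat output instead, answers whether 3389 is listening, labels each listening port as well-known or dynamic/private using the 0-1023 boundary from the note, and compares the listening set against an approved baseline so that an unexpected listener stands out. SAMPLE_NETSTAT is a constructed capture, not output from any real host.

```python
# Added example (not from the notes): a parser for the output of "netstat -a" in the
# Windows layout, used to answer the question above (is port 3389 listening?) and
# to compare the listening ports against an expected baseline. SAMPLE_NETSTAT is a
# constructed capture, not real output from any host.
from __future__ import annotations

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       192.168.1.20:49211     ESTABLISHED
  TCP    192.168.1.5:49500      198.51.100.10:443      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

WELL_KNOWN_MAX = 1023   # ports 0-1023 are well-known; 1024-65535 dynamic or private


def _split_endpoint(endpoint: str) -> tuple[str, int | None]:
    """'0.0.0.0:3389' -> ('0.0.0.0', 3389); '*:*' -> ('*', None). Also handles '[::]:3389'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # skip the banner and header lines
        local_host, local_port = _split_endpoint(parts[1])
        remote_host, remote_port = _split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local_host": local_host, "local_port": local_port,
                     "remote_host": remote_host, "remote_port": remote_port,
                     "state": parts[3] if len(parts) > 3 else ""})   # UDP rows have no state
    return rows


def listening_ports(rows: list[dict]) -> set[int]:
    """TCP ports in LISTENING state (UDP sockets carry no state and are not included)."""
    return {r["local_port"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def port_is_listening(rows: list[dict], port: int) -> bool:
    return port in listening_ports(rows)


def classify_port(port: int) -> str:
    return "well-known" if port <= WELL_KNOWN_MAX else "dynamic or private"


def unexpected_listeners(rows: list[dict], baseline: set[int]) -> set[int]:
    """Listening TCP ports not in the approved baseline: the set an admin should review."""
    return listening_ports(rows) - baseline


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("3389 listening:", port_is_listening(rows, 3389))
    for port in sorted(listening_ports(rows)):
        print(port, classify_port(port))
    print("not in baseline:", unexpected_listeners(rows, {135, 445}))
```

On the constructed sample the parser reports 3389 as listening (and labels it dynamic/private, since it lies above 1023), and with a baseline of {135, 445} it flags 3389 as the one listener that was not approved.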
Note: When you are formatting the disk, if you set the block size as default,
windows 2000/XP/2003 divides the partition into 4 KB blocks. When you are
creating a file or folder it allocates space to that file or folder in multiples of 4
KB. When you create a new file first time it allocates 4 KB, after 4 KB is filled
up it allocates another 4 KB size, it goes on like this until the disk space is
completed.
Note: With windows 2000 advanced server and data centre server we can NLB
cluster 2 to 32 servers. It supports clustering up to 2 nodes.
Note: With disk quotas we can track the usage of disk space for each user. We
can limit each user to use certain amount of space.
What is latency?
The required time for all updates to be completed throughout all domain
controllers on the network domain or forest.
What is convergence?
The state at which all domain controllers have the same replica contents
of the Active Directory database.
What are the file names that we cannot create in Windows operating
system?
The file names that cannot be created in Windows operating system are
Con
Prn
Lpt1, Lpt2, Lpt3, Lpt4, ….., Lpt9
Com1, com2 com3, com4, com5,….., com9
Nul
Aux
Note: The file name clock$ cannot be created in DOS 6.22 or earlier versions of
DOS.
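Reserved device names are a classic source of bugs in code that creates files from user-supplied names (upload handlers, log writers), because "CON" or "aux.txt" silently becomes a device instead of a file. The following added example (written for these notes, not a Microsoft API) validates and sanitises file names against the list above. It goes a little beyond the list as stated: Windows applies these names case-insensitively and even when an extension is appended (CON.txt is still the console device), strips trailing spaces and dots, and rejects a handful of characters; CLOCK$ is only applied when the legacy DOS rule is requested, as the note says. The candidate names are constructed.

```python
# Added example (not from the notes): a validator for file names destined for a
# Windows file system, covering the reserved device names listed above. It also
# applies the rules case-insensitively and with an extension (CON.txt), strips
# trailing spaces and dots, and rejects characters Windows does not allow in names.
# CLOCK$ is only reserved when the legacy DOS rule is requested.
from __future__ import annotations
import re

RESERVED_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                         | {f"COM{i}" for i in range(1, 10)}
                         | {f"LPT{i}" for i in range(1, 10)})
DOS_ONLY = {"CLOCK$"}                       # DOS 6.22 and earlier, per the notes
INVALID_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def is_reserved_name(name: str, legacy_dos: bool = False) -> bool:
    """True if `name` (with or without an extension) is a reserved device name."""
    base = name.split(".", 1)[0].strip().upper()
    reserved = RESERVED_DEVICE_NAMES | (DOS_ONLY if legacy_dos else set())
    return base in reserved


def validate_windows_filename(name: str, legacy_dos: bool = False) -> list[str]:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name or name.strip(" .") == "":
        return ["empty name"]
    if is_reserved_name(name, legacy_dos):
        problems.append("reserved device name")
    if INVALID_CHARS.search(name):
        problems.append("contains a character Windows does not allow in names")
    if name != name.rstrip(" ."):
        problems.append("trailing space or dot is stripped by Windows")
    if len(name) > 255:
        problems.append("longer than 255 characters")
    return problems


def safe_filename(name: str, legacy_dos: bool = False) -> str:
    """Rewrite a user-supplied name so that it is safe to create (e.g. in an upload handler)."""
    cleaned = INVALID_CHARS.sub("_", name).rstrip(" .") or "_"
    if is_reserved_name(cleaned, legacy_dos):
        cleaned = "_" + cleaned               # "_CON" is an ordinary file, "CON" is the console
    return cleaned[:255]


if __name__ == "__main__":
    for candidate in ("report.txt", "con", "Lpt9.log", "lpt10", "aux.txt", "clock$", "bad:name"):
        print(f"{candidate!r:14} {validate_windows_filename(candidate, legacy_dos=True) or 'ok'}"
              f"  -> {safe_filename(candidate, legacy_dos=True)!r}")
```

Note that "lpt10" and "console" are ordinary names (only COM1 to COM9 and LPT1 to LPT9 are reserved, and the match is on the whole base name), while "Lpt9.log" and "aux.txt" are rejected because the part before the first dot is a device name.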
What is QoS?
QoS stands for Quality of Service. With QoS we can reserve bandwidth for
certain applications.
What is NAT?
NAT stands for Network Address Translation. It is a device between the
Internet (i.e., the public network) and our private network. On one NIC it has
a valid Internet address; on the other NIC it has our private (internal)
network address.
NAT is a device that translates one valid public IP address to multiple
internal private addresses.
We load the Windows 2000 RRAS (Routing and Remote Access Service) service on
this Windows 2000 server and turn it into a router. Now we add the NAT
protocol, so from now on our internal clients send their traffic through this
router to the Internet. When it passes through the NAT server, the server
strips off the internal network IP address and assigns a valid public IP
address. The traffic goes out and communicates with that valid public IP
address; when it comes back, the NAT server strips off the public IP address,
replaces it with the private IP address and sends the traffic back to that
particular client.
From the client's perspective they don't know anything except that they are
surfing the Internet.
We load RRAS in to windows 2000 server; we turn this server as router. Now we
add NAT protocol, so that now on our clients can send traffic to internet
through this router , as it passes through the NAT server this server stripes off
the internal IP address and replaces with a valid public IP address. Then it goes
to the internet surf the internet when it comes back through the NAT server,
now NAT server stripes off the valid public IP address and replaces it with its
internal IP address sends the traffic to that particular client.
Note: Windows 2000 NAT can also act as a DHCP allocator, so it is possible to
hand out IP addresses from the NAT server. If you do this, make sure there is
no other DHCP server on your network.
If you have only a few clients (5 or 6) there is no harm in assigning IP
addresses through NAT, but on a large network it is best to use DHCP.
Note: A NAT server has at least two NICs: one for the internal (private) IP
address and one for the external (public) IP address.
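The translation described above, as an added example that is not part of the original notes and not the RRAS implementation: a single-public-address NAT that rewrites the source address and port of outbound packets, remembers the mapping, and reverses it for replies. The Packet and PortNat names and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the fields NAT rewrites; proto is 'tcp' or 'udp'."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortNat:
    """Single-public-address NAT (NAPT) in the style of an RRAS NAT router.

    Each outbound flow gets its own public source port; the reverse mapping is
    recorded so the reply can be sent back to the right private host.
    """

    def __init__(self, public_ip: str, first_port: int = 49152) -> None:
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._out = {}   # (proto, private_ip, private_port) -> public_port
        self._in = {}    # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private->Internet packet; creates state on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        public_port = self._out.get(key)
        if public_port is None:
            public_port = next(self._next_port)
            self._out[key] = public_port
            self._in[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Rewrite an Internet->public packet back to the private host.

        Returns None when no mapping exists: an unsolicited inbound packet is
        dropped, which is why NAT hides internal hosts from the outside.
        """
        mapping = self._in.get((pkt.proto, pkt.dst_port))
        if mapping is None or pkt.dst_ip != self.public_ip:
            return None
        private_ip, private_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def demo():
    """Two internal clients reach one web server through the same public address."""
    nat = PortNat("203.0.113.5")            # constructed addresses (RFC 5737 ranges)
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.20", 80))
    reply_a = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.5", a.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 60000))
    return a, b, reply_a, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two clients in demo() deliberately use the same private source port, which is why address translation alone is not enough and the port must be rewritten as well; the stray packet shows that inbound traffic with no matching state is discarded.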
What is a proxy?
A NAT server helps the client reach the Internet directly (with a translated
address), whereas a proxy server does everything on the client's behalf. When
a request comes from the client, the proxy server fetches the content from
the Internet, caches the result on its local disk and sends the result to the
client.
With a proxy we get a performance improvement, because repeated results are
served from the local disk cache.
With a proxy we get security, because only one system in the internal
network communicates with the Internet, and that system can log and filter
requests at the application layer.
Rather than letting clients reach the Internet by translating their IP
addresses, the proxy server does all the surfing for the clients, caches the
results on its local disk and hands them to the clients.
Note: An IP address is assigned to every device that must be reachable on the
network, and each address must be unique. Clients, servers, every interface
of a router, printers and all other devices on the network need an IP address
to communicate.
Note: The tracert command traces the route (path) taken to the host we are
connecting to. Pathping is a combination of tracert and ping: it displays the
path and, for each hop, the delay and packet loss measured over a sampling
period.
Note: RIP version 1 does not carry subnet masks, so it cannot do CIDR/VLSM,
and it broadcasts its routing table to all routers. RIP version 2 carries
masks, so CIDR/VLSM work, and it multicasts the routing table (224.0.0.9).
Version 2 also supports password authentication of routing updates; the
password travels in cleartext, so it stops accidental but not deliberate
injection of routes.
What is VPN?
VPN stands for Virtual Private Network: a private, secure connection
established over a public medium. To communicate through a VPN we use PPTP
(Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol)
combined with IPsec.
In most cases we use L2TP/IPsec because it is more secure (PPTP's MPPE
encryption is only as strong as the user's password). PPTP is used in two
cases: when the VPN has to pass through a NAT server, because the IPsec part
of L2TP/IPsec on Windows 2000 does not traverse NAT (NAT traversal arrived
with Windows Server 2003 and updated clients), and when the clients are older
Windows versions that cannot establish an L2TP/IPsec connection.
RADIUS
RADIUS stands for Remote Authentication Dial-In User Service. It is used to
authenticate remote users. Instead of authenticating users at each individual
RAS server, every RAS server passes the request to a central server (the
RADIUS server) and lets the authentication happen there. The RADIUS server
authenticates users against Active Directory. It also does accounting and
reporting, so authentication, authorization and accounting all take place at
one central location, and there is no need to maintain a local database of
users on each RAS server. Whenever authentication is needed, the RAS server
forwards the query to the RADIUS server.
Accounting means we keep track of who is connected, for how long, why they
failed to connect and so on; all of that information is centralised here.
By centralising authentication and accounting we turn the RAS servers into
dumb devices. When a RAS server fails there is no need to worry about the 100
or 1,000 accounts that were created manually on it: just swap the device for
another one and configure it to pass authentication to the RADIUS server.
Note: In RADIUS terminology the central server is the RADIUS server and the
RAS servers are its RADIUS clients. Each client is registered on the server
with a shared secret that protects the exchange between them, so the secret
must be strong and unique per client. On Windows 2000 the RADIUS server role is
provided by the Internet Authentication Service (IAS).
Note: Put your RAS servers close to the clients. Put your RADIUS server close
to the Active Directory database.
Note: Running dcpromo on a member server promotes it to a domain controller;
running dcpromo on a domain controller demotes it to a member server; demoting
the last domain controller in the domain leaves a standalone server.
Note: A file's size is normally less than or equal to its size on disk,
because size on disk is rounded up to whole clusters. The exception is a
compressed (or sparse) file, whose size can be greater than its size on disk.
The data replicated between domain controllers is organised into naming
contexts (directory partitions). Once a domain controller has been
established, only changes are replicated.
Note: Each domain controller keeps a list of the other known domain
controllers and the last USN (update sequence number) received from each of
them; this is how it works out which changes it still has to request.
For Active Directory-integrated DNS zones, the zone data (host names and IP
addresses, including the records for the domain controllers) is stored in
Active Directory and replicated to all domain controllers in the domain. A
zone stored in the domain partition, the only option on Windows 2000, is not
replicated to domain controllers outside the domain; Windows Server 2003 can
instead store zones in the DomainDnsZones or ForestDnsZones application
partitions, which replicate only to the domain controllers that run DNS.
Note: You can change the port number a web site listens on, but generally we
leave it at the default. If you have changed it, users must type the port
number after the host name in the URL.
Ex: www.google.com:83
If no port is typed, the browser uses port 80 by default (443 for https).
What is NetBIOS?
NetBIOS stands for Network Basic Input/Output System. It is a naming and
session interface through which a client accesses network resources: the
application talks to NetBIOS, and NetBIOS uses the lower layers of the TCP/IP
model (NetBIOS over TCP/IP) to transfer data between nodes on the network.
In Windows NT resources are shared through the NetBIOS interface, which means
the client connects to the server by its NetBIOS name.
Note: Computer names are not the only names registered as NetBIOS names: a
domain name is registered as a NetBIOS name, and any service on the network
can register one, for example the Messenger service.
Note: Communication on the network happens IP address to IP address and, on
the local segment, MAC address to MAC address; name resolution only maps a
name to an IP address.
Note: A UNIX host does not normally register itself in the WINS database
(unless it runs a NetBIOS implementation such as Samba). If such a server is
on the network and must be resolved by NetBIOS name, add a static entry for it
on the WINS server.
What is the location of the lmhosts file (LAN Manager hosts file) in Windows
2000?
%SystemRoot%\system32\drivers\etc\lmhosts.sam
Note: The .sam extension marks the sample file shipped with Windows. The file
that is actually read is named lmhosts with no extension; create it in the
same folder.
What are the Windows 2000 WINS enhancements compared to previous versions?
• Better management interface
• Improved client behaviour
• Replication can maintain persistent connections
• Supports automatic partner discovery
• Integrates with DNS and DHCP
• Supports burst-mode handling of registrations
Note: Windows 2000 does not use WINS for its own naming structure; it uses
DNS. The only time you need WINS in a Windows 2000 environment is to resolve
NetBIOS-based resources such as an NT file server or applications that still
use NetBIOS names. In a native Windows 2000 environment there is no need for
WINS.
Note: You can configure as many WINS servers as you want on the network. It
does not matter which client uses which WINS server, as long as all WINS
servers are configured to replicate their databases with each other.
How do you configure WINS servers to replicate their databases with the other
WINS servers on the network?
Open the WINS MMC console > right-click Replication Partners > select New
Replication Partner > enter the IP address of the other WINS server > click OK.
First create a shared folder and put installation files on that shared folder.
What program is used to create .msi files when no .msi package is available?
WinINSTALL LE
Note: With Assign a package can be installed in 3 ways, whereas with Publish
it can be installed in 2 ways.
Note: Assign gives you more functionality than Publish, so whenever Assign is
possible, choose Assign.
Note: Only when you have an .msi file can you repair or upgrade the
application through Group Policy; with a .zap file you cannot.
Note: For disk management in Windows 2003 you can use the command-line tool
diskpart.exe (new in Windows XP and Windows Server 2003). For details, type
diskpart.exe at the command prompt and then type help (or ?) at the DISKPART
prompt.
Note: By default Search does not show hidden files. To include hidden files
in searches, modify the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Find the value that controls searching of hidden files (its name contains
"Hidden"), open it and change the data from 0 to 1.
Read: Users can see the names of files and subfolders in a folder and view
folder attributes, ownership and permissions. Users can open and view files,
but they cannot change files or add new files.
List Folder Contents: Users can see the names of files and subfolders in the
folder, but they cannot open files to view their contents.
Read & Execute: Users have the same rights as with the Read permission, plus
the ability to traverse folders. The Traverse Folder right lets a user reach
files and folders located in subdirectories even if the user does not have
permission to access parts of the directory path.
How do you determine the operating system type and version you are working on?
Right-click My Computer > Properties; the General tab shows the operating
system type and version. (Typing winver at a command prompt shows the same
information.)
ADSI Edit:
When you open ADSI Edit you see the three directory partitions: the domain
partition, the configuration partition and the schema partition. Under each
partition you can see the objects by CN and distinguished name. ADSI Edit
writes directly to the directory with no validation, so restrict its use to
Domain/Enterprise Admins and take a system state backup before editing.
Note: By using cluster Administrator you can configure, control, manage and
monitor clusters.
Suppose you have deleted Active Directory Users and Computers from
Administrative Tools. How do you restore it?
Start > Programs > right-click Administrative Tools > Open All Users >
right-click in the window > New > Shortcut > Browse > My Computer >
C:\Windows\System32 > select dsa.msc > OK > name it Active Directory Users
and Computers > OK.
Note: Any snap-in can be added to Administrative Tools in the same way.
Note: The same procedure applies to anything you want to place in the Start
menu: right-click the parent folder, select Open All Users, and create a
shortcut there.
How can I quickly find all the listening or open ports on my computer?
To see all the used and listening ports on your computer, use the NETSTAT
command. Open a command prompt and type:
C:\>netstat -an | find /i "listening"
This command displays all listening ports.
C:\>netstat -an | find /i "listening" > c:\openports.txt
This command redirects the output to the file openports.txt on drive C.
C:\>netstat -an | find /i "established"
This command shows the connections your computer is actually communicating
over.
Note: On Windows XP/2003, netstat -ano adds the owning process ID, so an
unexpected listener can be tied to a process in Task Manager.
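What an administrator usually does with that output is compare it against a known-good baseline. The following is an added example, not part of the original notes: it parses a constructed sample of netstat -ano output (the lines are made up for the example, not captured from a real host), lists listening ports and established connections the way the two find filters above do, and flags any listener that is not in an allow-list together with its PID for triage.

```python
from typing import NamedTuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1055      198.51.100.20:80       ESTABLISHED     1840
  UDP    0.0.0.0:137            *:*                                    4
"""


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str      # "" for UDP, which has no connection state
    pid: int


def _split_endpoint(text):
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text: str):
    """Turn `netstat -ano` text into Socket records, skipping the header."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:                       # UDP lines have no State column
            proto, local, remote, pid = parts
            state = ""
        ip, port = _split_endpoint(local)
        sockets.append(Socket(proto, ip, port, remote, state, int(pid)))
    return sockets


def listening_ports(sockets):
    """Ports with a TCP listener (what `find /i "listening"` shows)."""
    return sorted({s.local_port for s in sockets if s.state == "LISTENING"})


def established(sockets):
    """Live TCP conversations (what `find /i "established"` shows)."""
    return [(s.local_ip, s.local_port, s.remote) for s in sockets
            if s.state == "ESTABLISHED"]


def unexpected_listeners(sockets, baseline):
    """Listeners not in the known-good set, with the owning PID for triage."""
    return [(s.local_port, s.pid) for s in sockets
            if s.state == "LISTENING" and s.local_port not in baseline]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(socks))
    print("established:", established(socks))
    print("unexpected:", unexpected_listeners(socks, {135, 139, 445, 3389}))
```

To run it against a real machine, feed the text of netstat -ano into parse_netstat() and keep the baseline set per server role; a listener that is not in the baseline is the first thing to look at after an incident.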
Note: Suppose a domain controller holds operations master (FSMO) roles and
you demote it to a member server with dcpromo without first transferring the
roles to another domain controller. What happens?
During a graceful demotion with dcpromo, the roles are transferred
automatically to another available domain controller. (If a domain
controller is lost without a demotion, the roles have to be seized with
ntdsutil instead.)
How do you change the priority for DNS SRV records in the registry?
To prevent clients from sending all requests to a single domain controller,
each domain controller publishes a priority value. Clients always send
requests to the domain controllers with the lowest priority value. If more
than one domain controller has the same value, the clients choose randomly
from that group (weighted by the LdapSrvWeight value). If no domain controller
with the lowest priority value is available, the clients send requests to the
domain controllers with the next lowest value. A domain controller's priority
value is stored in the registry. When the domain controller starts, the Net
Logon service registers the priority together with the rest of its DNS SRV
information. When a client uses DNS to discover a domain controller, the
priority of each domain controller is returned with the rest of the DNS
information, and the client uses the priority values to decide which domain
controller to send requests to.
The value is stored in the LdapSrvPriority registry entry. The default value
is 0 and the range is 0 through 65535.
Note: A lower LdapSrvPriority value means a higher priority. A domain
controller with an LdapSrvPriority setting of 100 has a lower priority than a
domain controller with a setting of 10, so clients try the domain controller
with the setting of 10 first and fall back to the one with 100 only if the
first is unavailable.
To change the priority for DNS SRV records in the registry:
Log on as a Domain Admin > Start > Run > regedit >
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters > Edit > New >
DWORD Value > name it LdapSrvPriority > Enter > double-click the new value to
open the Edit DWORD Value dialogue > enter a value from 0 through 65535 (the
default is 0) > choose Decimal as the Base > OK > close the Registry Editor.
Restart the Net Logon service so the new priority is registered in DNS.
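The selection rule a client applies to those SRV records, as an added example that is not part of the original notes and not Microsoft's DC locator code: lowest priority value first, and within one priority a weighted random draw (RFC 2782), which is what LdapSrvPriority and LdapSrvWeight feed into. The SrvRecord class, the DC names and the weights are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as Net Logon registers it (constructed)."""
    target: str
    priority: int   # LdapSrvPriority: lower value wins
    weight: int     # LdapSrvWeight: share of load within one priority
    port: int = 389


def order_srv(records, rng=random):
    """Return records in the order a client should try them.

    Priority groups are visited lowest value first; inside a group targets are
    drawn one at a time with probability proportional to weight (RFC 2782),
    so equal-priority DCs share the load instead of every client picking one.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 entries go first so they are chosen only rarely
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight)
        while group:
            total = sum(r.weight for r in group)
            threshold = rng.randint(0, total)
            running = 0
            for r in group:             # first record whose running sum reaches the draw
                running += r.weight
                if running >= threshold:
                    chosen = r
                    break
            group.remove(chosen)
            ordered.append(chosen)
    return ordered


def choose_dc(records, rng=random):
    """First target to contact; the rest of order_srv() is the fallback list."""
    return order_srv(records, rng)[0].target


def try_order(records, seed):
    """Deterministic helper: target order seen by one seeded client."""
    return [r.target for r in order_srv(records, random.Random(seed))]


def first_choice_counts(records, seed, draws=500):
    """How often each target is tried first across many clients."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        target = choose_dc(records, rng)
        counts[target] = counts.get(target, 0) + 1
    return counts


# Constructed DCs: two preferred, one branch DC, one with LdapSrvPriority=100.
DCS = [
    SrvRecord("dc1.corp.example", priority=0, weight=100),
    SrvRecord("dc2.corp.example", priority=0, weight=100),
    SrvRecord("dc3.corp.example", priority=10, weight=100),
    SrvRecord("dc4.corp.example", priority=100, weight=100),
]

if __name__ == "__main__":
    print(try_order(DCS, 1))
    print(first_choice_counts(DCS, 1))
```

With the constructed records, dc4 (LdapSrvPriority 100) is always last, dc3 (priority 10) is always third, and dc1 and dc2 are tried first about equally often, which is exactly the behaviour the registry note above describes.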
What switch in boot.ini restarts the server in Directory Services Restore
Mode?
Add the following switch to the ARC path of the boot entry:
/safeboot:dsrepair
(Supported in boot.ini on Windows 2000 and later; alternatively press F8 at
startup and choose Directory Services Restore Mode.)
Note: When the functional level is Windows Server 2003 you get all the
features available with 2003. When Windows NT or Windows 2000 domain
controllers are still present in your domain or forest alongside domain
controllers running Windows Server 2003, Active Directory features are
limited.
Note: Once you raise the domain or forest functional level you cannot revert
back.
Advantages of the different functional levels:
In Windows 2000 mixed mode the advantage is that you can keep Windows NT, 2000
and 2003 domain controllers. The limitations are:
you cannot create universal security groups
group nesting is restricted (a global group cannot contain another global group)
you cannot convert groups (between security groups and distribution groups)
some additional dial-in features are disabled
you cannot rename a domain controller
SID history is disabled.
What is teaming?
Teaming combines two or more LAN cards into one logical adapter with a single
IP address, for more bandwidth and fault tolerance: if one card fails, the
others carry the traffic. For example, a team of 5 LAN cards of 100 Mbps each
gives up to 500 Mbps of aggregate bandwidth, although any single connection
still runs over one card and is limited to 100 Mbps.
Note: One IP address can be assigned to n LAN cards (a team), and at the same
time n IP addresses can be assigned to a single LAN card.
ADMT 2.0 has many new features, such as a command-line interface and better
integration with Microsoft Exchange Server. ADMT 2.0 also supports migrating
user account passwords.
How do you restart Active Directory Domain Services? Take the following steps:
Start the Services console through Start > Administrative Tools > Services.
Note: Active Directory runs as a stoppable service (Active Directory Domain
Services) only from Windows Server 2008 onwards; on Windows 2000/2003 the
directory cannot be stopped while the system is running, and offline
operations require a reboot into Directory Services Restore Mode.
Configuration partition: This partition stores the logical structure of the forest
deployment. It includes the domain structure and replication topology. Changes
made in this partition are replicated to all the domain controllers in all the
domains in the forest.
Domain partition: This partition stores all the objects in a domain. Changes
made in this partition are replicated to all the domain controllers within the
domain.
What is a GPO?
A Group Policy object (GPO) is a collection of Group Policy settings. It is
created with the Group Policy snap-in. A GPO affects the user and computer
accounts located in the sites, domains and organizational units (OUs) it is
linked to. Windows 2000/2003 support two types of GPO: local and non-local
(Active Directory-based).
Local GPOs
Local GPOs control policy on an individual computer running Windows
2000/2003. Each computer stores one local GPO, which affects only the computer
on which it is stored. By default only the Security Settings node is
configured; the remaining settings are not configured. The local GPO is stored
in the %systemroot%\System32\GroupPolicy folder.
Non-local GPOs
Non-local GPOs control policy across an Active Directory-based network, so a
Windows 2000/2003 server configured as a domain controller is required. A
non-local GPO must be linked to a site, domain or organizational unit (OU)
before it applies to user or computer objects. The file part of a non-local
GPO (the Group Policy template) is stored in
%systemroot%\SYSVOL\sysvol\<domain name>\Policies\<GPO GUID>, where <GPO
GUID> is the GPO's globally unique identifier and the Adm subfolder holds the
administrative templates; the remainder (the Group Policy container) is stored
in Active Directory. Two non-local GPOs are created by default when Active
Directory is installed:
Default Domain Policy: linked to the domain; it affects all users and
computers in the domain.
Default Domain Controllers Policy: linked to the Domain Controllers OU; it
affects all domain controllers placed in that OU.
What is GPMC tool? The Group Policy Management Console (GPMC) is a tool
for managing group policies in Windows Server 2003. It provides
administrators a single consolidated environment for working on group policy-
related tasks. GPMC provides a single interface with drag-and-drop
functionality to allow an administrator to manage group policy settings across
multiple sites, domains, or even forests. GPMC is used to back up, restore,
import, and copy group policy objects. It also provides a reporting interface
on how group policy objects (GPOs) have been deployed.
System Monitor can also be used to monitor the resource use of specific
components and program processes.
What is the SQL Server: General Statistics: User Connections counter? It
displays the number of user connections currently open on the SQL Server
instance. The value is bounded by the instance's configured maximum user
connections (at most 32,767). A rising value means more memory is consumed
per connection and can point to connection leaks or pooling problems that
reduce throughput, so a database administrator should monitor this counter
when resolving performance issues.
What is Simple Mail Transfer Protocol (SMTP)? Simple Mail Transfer Protocol
(SMTP) is the protocol used for sending e-mail messages between servers, and
from a mail client such as Microsoft Outlook to its mail server. Most e-mail
systems that send mail over the Internet use SMTP to pass messages from one
server to another. Because SMTP can only push messages and offers the user no
way to retrieve mail at the receiving end, it is generally used together with
POP3 or IMAP, which let the user download or read messages from the server.
Failback: When the failed node returns to the network, the other nodes notice
and the cluster begins to use the restored node again. This is called
failback.
• Server clusters
• Network Load Balancing (NLB)
Server Clusters: In a server cluster all nodes are connected to a common data
set, such as a storage area network, so all nodes have access to the same
application data. Nodes are configured as either active or passive, and only
an active node processes client requests. If an active node fails, a passive
node takes over and becomes active; otherwise the passive node remains idle.
Server clusters are used for applications whose data changes frequently and
that hold long-running in-memory state, such as database servers, e-mail and
messaging servers, and file and print services.
A server cluster appears to clients as a single destination with its own name
and IP address, separate from the individual IP addresses of the servers in
the cluster. Clients send their requests to the cluster address, so when a
server in the cluster fails and the passive server becomes active, the
change-over does not affect the clients.
Windows Server 2003 (Enterprise and Datacenter editions) supports eight nodes
in a server cluster, whereas Windows 2000 supports two nodes (Advanced Server)
or four nodes (Datacenter Server).
In an NLB cluster all nodes are active and each holds its own identical copy
of the data set. Multiple servers (nodes) share the load of processing
requests: clients send requests to the cluster address and the clustering
software distributes the incoming requests among the nodes. If a node fails,
the clients' requests are served by the other nodes. Network Load Balancing is
highly scalable; both Windows 2003 and Windows 2000 support NLB clusters of up
to thirty-two nodes.
What is Task Manager Utility? The Task Manager utility provides information
about programs and processes running on a computer. By using Task Manager,
a user can end or run programs, end processes, and display a dynamic
overview of his computer's performance. Task Manager provides an
immediate overview of system activity and performance.
What is the DNS namespace? The DNS namespace is the hierarchical structure of
the domain name tree: names at each level follow the same structure, and each
full name identifies exactly one node, so a full DNS name resolves to a
particular address. The original notes show a diagram of the Internet DNS
namespace at this point.
In the diagram, salessrv1 and salessrv2 are host names of hosts in the
sales.ucertify.com domain. The fully qualified domain name (FQDN) of the host
salessrv1 is salessrv1.sales.ucertify.com. No two hosts can have the same
FQDN.
ADSI Edit consists of the following files (installed with the Windows Support
Tools):
• ADSIEDIT.DLL
• ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory
environment and the Microsoft Management Console (MMC) are necessary.
What are group scopes? The scope of a group defines two characteristics:
where its members can come from, and where it can be granted permissions.
Domain Local: Domain local groups are used to assign permissions to local
resources such as files and printers. Members can come from any domain.
Global: Members of this group can be granted access to resources in any
domain. Members can only come from the local domain.
Universal: Members can be added from any domain in the forest, and the group
can be granted access to resources in any domain. Universal groups are used
for managing security across domains and can contain global groups. Universal
security groups are only available in domains at the Windows 2000 native or
Windows Server 2003 functional level.
What is the System File Checker utility? The System File Checker utility (sfc
/scannow) verifies the integrity of the protected operating system files,
restores them if they are corrupt, and extracts compressed files (such as
drivers) from the installation media. It can also back up the existing files
before restoring the original ones.
PATHPING: PATHPING is a command-line utility that pings each hop along the
route for a set period of time and shows the delay and packet loss along with
the tracing functionality of TRACERT, which helps determine a weak link in the
path.
• Memory: Pages/sec
• Memory: Available Bytes
• SQL Server: Buffer Manager: Buffer Cache Hit Ratio
• Physical Disk: Disk Reads/sec
• Physical Disk: Disk Writes/sec
• Physical Disk: %Disk Time
• Physical Disk: Avg. Disk Queue Length
• Physical Disk: % Free Space
• Logical Disk: %Free Space
• Processor: %Processor Time
• System: Processor Queue Length
• Network Interface: Bytes Received/sec
• Network Interface: Bytes Sent/sec
• Network Interface: Bytes/sec
• Network Interface: Output Queue Length
• SQL Server: General Statistics: User Connections
Tip for SQL Server fixed server roles. There are eight fixed server roles:
• sysadmin
• dbcreator
• bulkadmin
• diskadmin
• processadmin
• serveradmin
• setupadmin
• securityadmin
Network Protocols
Protocol is a set of rules and conventions by which two computers pass
messages across a network. Sets of standard protocols facilitate communication
between the computers in a network having different types of hardware and
software. Both the sender and the receiver computers must use exactly the
same set of protocols in order to communicate with each other. A protocol can
lay down the rules for the message format, timing, sequencing, and error
handling.
Name: Description
IP: Internet Protocol (IP) is a connectionless network-layer protocol that is
the primary carrier of data on a TCP/IP network.
TCP: Transmission Control Protocol (TCP) is a reliable, connection-oriented
protocol operating at the transport layer. It can transmit large amounts of
data; application-layer protocols such as HTTP and FTP use the services of TCP
to transfer files between clients and servers.
UDP: User Datagram Protocol (UDP) is a connectionless, unreliable
transport-layer protocol, used primarily for brief exchanges of requests and
replies.
Telnet: Telnet enables an Internet user to log on to and enter commands on a
remote computer as if using a text-based terminal directly attached to that
computer. Everything, including the password, travels in cleartext, so SSH
should be used instead wherever possible.
FTP: File Transfer Protocol (FTP) is a primary protocol of the TCP/IP suite,
used to transfer text and binary files between computers over a TCP/IP
network. Like Telnet it sends credentials in cleartext.
SMTP: Simple Mail Transfer Protocol (SMTP) is used for transferring or
sending e-mail messages between servers.
POP3: Post Office Protocol version 3 (POP3) is a protocol for retrieving
e-mail messages. POP3 servers give access to a single Inbox, in contrast to
IMAP servers, which give access to multiple server-side folders.
IMAP: Internet Message Access Protocol (IMAP) is a protocol for receiving
e-mail messages. It allows an e-mail client to access and manipulate a remote
mailbox without downloading it to the local computer, and is used mainly by
users who read their e-mail from several locations.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol used
to provide low-cost remote access to corporate networks through public
networks such as the Internet; the PPP payload inside the tunnel is encrypted
with MPPE. Using PPTP, remote users can dial a local ISP from a PPP-enabled
client computer and connect to the corporate network through the Internet.
• IMAP4 can download only selected messages from the mail server, whereas
POP3 downloads all the messages in the mailbox at once.
• IMAP4 can fetch only part of a message (for example the header) first and
the rest later, on demand. POP3 downloads the entire message at a time.
• When the user deletes a message, IMAP4 only flags it as deleted; it is
removed when the client closes the mailbox or sends the EXPUNGE command to
the mail server.
• IMAP4 keeps messages on the server, so the user's location is irrelevant.
POP3 moves the mail to the local client application for reading.
• Because IMAP4 stores messages on the server, the user does not have to
worry about fault tolerance and crashes of the workstation. With POP3, once
the messages are downloaded from the server they are stored locally and can
be lost if the local system crashes (unless the client is configured to leave
a copy on the server).
• IMAP4 lets a user keep multiple server-side folders (mailboxes) under one
account and organise specific kinds of mail into each of them. POP3 exposes
only a single Inbox.
• Changes made to a message (read, flagged, moved) are propagated to the
IMAP4 server. POP3 has no such feature.
However, IMAP4 also has some disadvantages compared with POP3:
• If the connection to the mail server drops while a message is being read,
it has to be re-established. POP3 has already downloaded the whole message,
so a dropped connection does not affect reading.
• POP3 is supported by practically every commercially available mail server.
• Since IMAP4 keeps the mail on the server, storage management (quotas and
backups) is a primary concern on such mail servers.
There are two versions of IP addressing: the commonly used IPv4 and the newer
IPv6. They are discussed in the following paragraphs.
IPv4
IP Address: In this version an IP address is 32 bits long and is written as
four 8-bit values (octets) in decimal. Within an octet the leftmost bit has
the value 128, followed by 64, 32, 16, 8, 4, 2 and 1. Each octet can hold a
value from 0 to 255, because each bit is either 0 or 1: if all bits are 1 the
value is 255, and if all bits are 0 the value is 0.
Subnet Mask: A subnet mask determines which part of the IP address is the
network id and which part is the host id. It is also a 32-bit number expressed
in dotted-decimal format. The default subnet mask depends on the class of the
IP address.
• In class A addresses only the first octet defines the network id and the
remaining three are the host id. The first octet ranges from 1 to 126 (0 is
reserved and 127 is the loopback network), so there can be only 126 networks,
each with 16,777,214 hosts. The default subnet mask is 255.0.0.0.
• In class B networks the first two octets represent the network id and the
rest the host id. The first octet ranges from 128 to 191, giving 16,384
networks with 65,534 hosts each. The default subnet mask is 255.255.0.0.
• In class C addresses the first three octets represent the network id. The
first octet ranges from 192 to 223, giving 2,097,152 networks with 254 hosts
each. The default subnet mask is 255.255.255.0.
IPv6: The current version of IP addressing (IPv4) has its limitations. With
the fast-growing number of networks and the expansion of the World Wide Web,
the available IPv4 addresses are running out and more network addresses are
needed. IPv6 solves this problem by using a 128-bit address, which yields a
vastly larger number of addresses. An IPv6 address is written as eight groups
of 16 bits, each group as up to four hexadecimal digits, separated by colons;
for example 2001:db8:0:1:0:0:0:25, which can be shortened to 2001:db8:0:1::25
(2001:db8::/32 is the prefix reserved for documentation examples).
Suppose a company has been assigned the class C network 200.1.1.0 with the
standard subnet mask 255.255.255.0. The network id is then 200.1.1 and there
are 254 usable host addresses. The company has two departments, production
and sales, and members of the production department do not need to access the
sales department's computers, so it is better to give each department its own
network for security and manageability. Through subnetting, bits from the
host-id portion are borrowed to create more networks: with the mask
255.255.255.128, 200.1.1.0 is split into the subnets 200.1.1.0 and
200.1.1.128 with 126 hosts each, and the router between them can filter the
traffic.
Some addresses from each of the classes A, B and C are reserved for use by
private networks: the class A range is 10.0.0.0 to 10.255.255.255, the class
B range is 172.16.0.0 to 172.31.255.255, and the class C range is 192.168.0.0
to 192.168.255.255. These addresses are not routed on the Internet, which is
why a NAT server is needed to reach the Internet from such a network.
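The classful rules, the private ranges and the subnetting example above, worked through in code. This is an added example, not part of the original notes; it uses the Python standard library's ipaddress module, and the function names and test addresses are constructed for the illustration. It goes slightly beyond the text by also classifying class D and E addresses and by telling which subnet a given host lands in.

```python
import ipaddress

# Private ranges reserved for internal networks (RFC 1918), one per class.
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}

# Default (classful) subnet masks; classes D and E have none.
_CLASS_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip: str) -> str:
    """Classful letter from the first octet (A: 0-127, B: 128-191, C: 192-223, D, E)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def classful_mask(ip: str) -> str:
    """Default subnet mask of the address's class ('' for D/E)."""
    return _CLASS_MASKS.get(address_class(ip), "")


def is_private(ip: str) -> bool:
    """True if the address falls in one of the three RFC 1918 ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_RANGES.values())


def usable_hosts(network: str) -> int:
    """Hosts per subnet: all addresses minus the network and broadcast ones."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def split_network(network: str, new_prefix: int):
    """Borrow host bits to make equal subnets, e.g. a /24 into two /25."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def subnet_of(ip: str, subnets) -> str:
    """Which of the given subnets an address belongs to ('' if none)."""
    addr = ipaddress.IPv4Address(ip)
    for s in subnets:
        if addr in ipaddress.ip_network(s):
            return s
    return ""


if __name__ == "__main__":
    # The page's example: class C 200.1.1.0/24 split for production and sales.
    subs = split_network("200.1.1.0/24", 25)
    print(address_class("200.1.1.0"), classful_mask("200.1.1.0"),
          usable_hosts("200.1.1.0/24"))
    print(subs, [usable_hosts(s) for s in subs])
    print(subnet_of("200.1.1.130", subs), is_private("172.31.4.9"),
          is_private("172.32.0.1"))
```

Note that 172.32.0.1 is not private even though it looks close to the class B range; the range ends at 172.31.255.255 because the reserved block is 172.16.0.0/12, and a check that only compares the first two octets loosely is a common source of mistakes in firewall and allow-list code.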
IP Addressing Methods:
Static Addressing: In static addressing every computer is assigned an IP
address manually. It is not preferred in large networks with many hosts,
because the chance of assigning duplicate addresses grows; a duplicate causes
an IP address conflict that knocks the affected hosts off the network. It is
also time consuming, since every system is configured by hand, and any later
change has to be repeated manually on every computer.
TCP/UDP Ports The default TCP/UDP ports associated with TCP/IP protocol or
applications are as under:
Protocol Port
HTTP 80
HTTPS 443
POP3 110
FTP 20
FTP 21
IMAP4 143
SMTP 25
NNTP 119
NTP 123
DNS 53
TFTP 69
Telnet 23
SSH 22
What are cluster configurations? Server clusters using the Cluster service
can be set up in one of the following three cluster configurations:
The configuration chosen depends on the specific needs for failover, the
process in which application services are moved to another node in the cluster.
What is N+I Hot Standby Server? N+I Hot Standby Server is one of the
failover models. It is commonly referred to as an Active/Passive mode. In an
active/passive mode, the active nodes handle all client requests, whereas
the passive nodes monitor the active nodes. In N+I Hot Standby Server, N
denotes the number of active nodes, and I refers to the number of passive
nodes. This model has a drawback that the server resources remain idle for a
long time and are utilized only when another server fails. However, it is the
most scalable and reliable model.
In a large complex network, the Active Directory service provides a single point
of management for the administrators by placing all the network resources at a
single place. It allows administrators to effectively delegate administrative
tasks as well as facilitate fast searching of network resources. It is easily
scalable, i.e., administrators can add a large number of resources to it without
having additional administrative burden. It is accomplished by partitioning the
directory database, distributing it across other domains, and establishing trust
relationships, thereby providing users with benefits of decentralization, and at
the same time, maintaining the centralized administration.
However, there are some operations that do not follow the multimaster
model. Active Directory handles these operations and assigns them to a
single domain controller to be accomplished. Such a domain controller is
referred to as operations master. The operations master performs
several roles, which can be forest-wide as well as domain-wide.
What are domain functional levels? The domain functional levels are the
various states of a domain, which enable domain-wide Active Directory
features within a network environment. Domain levels are the same as
domain modes in Windows 2000. Windows supports four types of functional
levels:
1. Windows 2000 Mixed: This is the default domain functional level. When
a first domain controller is installed or upgraded to Windows 2003, the
domain controller is configured to run in the Windows 2000 mixed
functional level. In this mode, domain controllers running the following
operating systems are supported:
o Windows NT Server 4.0
o Windows 2000 Server
o Windows Server 2003
2. Windows 2000 Native: In this level, domain controllers running Windows
2000 and Windows 2003 can interact with each other. No domain
controller running a pre-Windows 2000 version is supported in this
functional level of the domain.
Note: Windows Server 2003 interim functional level does not support
domain controllers running Windows 2000.
• Connectivity
• Replication
• Integrity of topology
• Permissions on directory partition heads
• Permissions of users
• Functionality of the domain controller locator
• Consistency among domain controllers in the site
• Verification of trusts
• Diagnosis of replication latencies
• Replication of trust objects
• Verification of File Replication service
• Verification of critical services
Note: DCDIAG is an analyzing tool, which is mostly used for the reporting
purposes. Although this tool allows specific tests to be run individually, it is not
intended as a general toolbox of commands for performing specific tasks.
What are Windows 2003 system services? Windows Server 2003 comes with many
system services that provide different functions in the operating system.
When Windows Server 2003 is first installed, the default system services are
created and configured to run when the system starts:
Alerter
Automatic Updates
Cluster Service
DHCP
Distributed File System
DNS Client service
DNS Server service
Event Log service
Remote Installation
Remote Procedure Call (RPC)
Routing and Remote Access
What is a paging file? A paging file is a hidden file on the hard disk used by
Windows operating systems to hold parts of programs and data that do not fit
in the computer's memory. The paging file and the physical memory, or
random access memory (RAM), comprise the virtual memory. Windows
operating systems move data from the paging file to the memory as required
and move data from the memory to the paging file to make room for new
data. A paging file is also known as a swap file.
What is ADPREP tool? The ADPREP tool is used to prepare Windows 2000
domains and forests for an upgrade to Windows Server 2003. It extends the
schema, updates default security descriptors of selected objects, and adds
new directory objects as required by some applications.
Parameter Description
/forestprep Prepares a Windows 2000 forest for an upgrade to a Windows Server 2003 forest.
/domainprep Prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain.
/? Displays help for the command.
Which files are included in the System State data? Following are the files
included in the System State data:
• Boot files, including the system files and all files protected by Windows
File Protection (WFP)
• Active Directory (on domain controller only)
• SYSVOL (on domain controller only)
• Certificate Services (on certification authority only)
• Cluster database (on cluster node only)
• Registry
• IIS metabase
• Performance counter configuration information
• Component Services Class registration database
What are Performance Logs and Alerts? Performance Logs and Alerts is an
MMC snap-in that is used to establish performance baselines, diagnose
system problems, and anticipate increased system resource demands. It is
used to obtain useful data for detecting system bottlenecks and changes in
system performance. The alerting functionality of this tool is extremely
useful for troubleshooting intermittent and difficult-to-reproduce problems.
It uses the same performance counters as the System Monitor for capturing
information to log files over a period of time. The prime benefit of this tool
is the ability to capture performance counter information for further
analysis. Performance Logs and Alerts runs as a service and loads during
computer startup. It does not require a user to log on to a computer.
Copy Backups A copy backup copies all selected files and folders. It
neither uses nor clears the archive attribute of the files. It is generally
not a part of a planned scheduled backup.
Daily Backups A daily backup backs up all selected files and folders that
have changed during the day. It backs up data by using the modified date
of the files. It neither uses nor clears the archive attribute of the files.
The most common solutions for the needs of different organizations include the
combination of normal, differential, and incremental backups.
Combination of Normal and Differential Backups An administrator can use a
combination of a normal backup and a differential backup to save time both when
taking a backup and when restoring data. In this plan, a normal backup is taken
on Sunday, and differential backups are taken every night from Monday through
Friday. If data becomes corrupt at any time, only the normal backup and the last
differential backup need to be restored. Although this combination is easier and
takes less time for restoration, the backups themselves take more time if data
changes frequently.
The sites are created to physically group the computers and resources to
optimize network traffic. Administrators can configure Active Directory
access and replication technology to take advantage of the physical
network by configuring sites. When a user logs on to the network, the
authentication request searches for the domain controllers in the same
site as the user. A site prevents the network traffic from traveling on
slow wide area network (WAN) links.
Note: Windows Server 2003 supports a new type of directory partition named
Application directory partition. This partition is available only to Windows 2003
domain controllers. The applications and services use this partition to store
application-specific data.
For intrasite replication to take place, connection objects are required. The
Active Directory automatically creates and deletes connection objects as and
when required. Connection objects can be created manually to force
replication.
What are Site Links? Site links are logical, transitive connections between two
or more sites. For intersite replication to take place, site links are required to
be configured. Once a site link has been configured, the knowledge consistency
checker (KCC) then automatically generates the replication topology by
creating the appropriate connection objects. Site links are used to determine
the paths between two sites. They must be created manually.
Site links are transitive in nature. For example, if Site 1 is linked with Site 2
and Site 2 is linked with Site 3, then Site 1 and Site 3 are linked transitively.
The administrators can control transitivity of the site link. By default,
transitivity is enabled. Site link transitivity can be enabled or disabled through
a bridge.
What is Site Link Bridge? A site link bridge is created to build a transitive and
logical link between two sites that do not have an explicit site link. The site
link bridge is created only when the transitivity of the site link is disabled.
What is Site Link Cost? Site link cost is an attribute of a site link. Each site link
has been assigned a default cost of 100. The knowledge consistency checker
(KCC) uses the site link cost to determine which site links should be preferred
for replication. It should be remembered that the lower the site link cost, the
more preferred is the link.
For example, an administrator has to configure the site link cost of links
between Site 1 and Site 2. There are two site links available as shown in the
image below:
S1S2 is a T1 site link that uses T1 lines for replication, whereas S1S2DU uses a
dial-up connection for replication. If the administrator requires that the KCC
should prefer the S1S2 site link to the S1S2DU site link for replication, he will
have to configure the S1S2 link with a lower cost than that of the S1S2DU link.
Any site link configured with a site link cost of one (1) will always get
preference over other site links with a higher cost.
Which installation modes are available with ISA Server? The following
modes are available as a part of the ISA Server setup process:
How do you double-boot a Win 2003 server box? The Boot.ini file is set
as read-only, system, and hidden to prevent unwanted editing. To
change the Boot.ini timeout and default settings, use the System option
in Control Panel from the Advanced tab and select Startup.
Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003? The Active Directory
replaces them. Now all domain controllers share a multimaster peer-to-
peer read and write relationship that hosts copies of the Active
Directory.
How long does it take for security changes to be replicated among the
domain controllers? Security-related modifications are replicated within
a site immediately. These changes include account and individual user
lockout policies, changes to password policies, changes to computer
account passwords, and modifications to the Local Security Authority
(LSA).
If I delete a user and then create a new account with the same
username and password, would the SID and permissions stay the
same? No. If you delete a user account and attempt to recreate it with
the same user name and password, the SID will be different.
What do you do with secure sign-ons in an organization with many
roaming users? Credential Management feature of Windows Server 2003
provides a consistent single sign-on experience for users. This can be
useful for roaming users who move between computer systems. The
Credential Management feature provides a secure store of user
credentials that includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User
Properties Account Tab Options, since the Macs only store their
passwords that way.
What remote access options does Windows Server 2003 support? Dial-
in, VPN, dial-in with callback.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are
stored locally on the system, and, when the user logs off, all changes to
the locally stored profile are copied to the shared server folder.
Therefore, the first time a roaming user logs on to a new system the
logon process may take some time, depending on how large his profile
folder is.
Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts? JavaScript, VBScript, and
DOS batch files (.com, .bat, or even .exe).
What is LSDOU? It's the group policy inheritance model, in which policies
are applied in the order Local machine, Site, Domain, and Organizational Unit.
Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file
exists, it has the highest priority among the numerous policies.
What is GPT and GPC? Group policy template and group policy
container.
Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
You change the group policies, and now the computer and user
settings are in conflict. Which one has the highest priority? The
computer settings take priority.
You need to automatically install an app, but MSI file is not available.
What do you do? A .zap text file can be used to add applications using
the Software Installer, rather than the Windows Installer.
You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when
creating the policy.
What is "tattooing" the Registry? The user can view and modify user
preferences that are not stored in maintained portions of the Registry. If
the group policy is removed or changed, the user preference will persist
in the Registry.
How do FAT and NTFS differ in approach to user shares? They don’t,
both have support for sharing.
I have a file to which the user has access, but he has no folder
permission to read it. Can he access it? It is possible for a user to
navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user
can’t drill down the file/folder tree using My Computer, he can still gain
access to the file using the Universal Naming Convention (UNC). The best
way to start would be to type the full path of a file into Run… window.
What problems can you have with DFS installed? Two users opening the
redundant copies of the file at the same time, with no file-locking
involved in DFS, changing the contents and then saving. Only one file
will be propagated through DFS.
What hashing algorithms are used in Windows 2003 Server? RSA Data
Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the
Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
What is ARP Cache Poisoning? ARP stands for Address Resolution Protocol.
Every computer in a LAN has two identifiers: an IP address and a MAC address.
The IP address is either entered by the user or dynamically allocated by a
server, but the MAC address is unique to each Ethernet card. For example, if you
have two Ethernet cards, one for wired and the other for WiFi, your machine has
two MAC addresses. The MAC address is a hardware code for your Ethernet card.
Communication between computers is done at the IP level, meaning that if you
want to send a file to a computer, you need to know that computer's IP address.
ARP is the protocol that matches every IP address with a certain MAC address in
an ARP table, which is saved on your switch in your LAN.
ARP cache poisoning is changing this ARP table on the switch.
In the normal case, when a machine tries to connect to another machine, the
first machine looks up the other machine's IP address in the ARP table, the ARP
table provides the MAC address of the other machine, and the communication
starts. But if someone tampers with the table, the first machine looks up the IP
address and the ARP table provides a faulty MAC address, that of a third machine
that wants to intrude on your communication.
This kind of attack is known as "Man in the Middle".
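From the defender's side, the tampering described above shows up as an IP address whose MAC suddenly changes, or as one MAC answering for several IP addresses. The following added example (not code from the original page) replays a constructed list of observed ARP replies through a simple detector; the hosts, MACs and the 192.0.2.0/24 addresses are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on one segment (not captured data):
# (seconds since start, sender IP, sender MAC). The default gateway 192.0.2.1 is
# announced by one MAC, then a second MAC starts answering for it and for another host.
SAMPLE_ARP_REPLIES = [
    (0, "192.0.2.1", "00:00:5E:00:53:01"),
    (5, "192.0.2.10", "00:00:5e:00:53:10"),
    (9, "192.0.2.1", "00:00:5e:00:53:01"),
    (14, "192.0.2.1", "00:00:5e:00:53:99"),
    (15, "192.0.2.20", "00:00:5e:00:53:99"),
    (20, "192.0.2.10", "00:00:5e:00:53:10"),
]


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so case and separator differences compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.replace("-", ":").split(":"))


def detect_arp_anomalies(replies, max_ips_per_mac: int = 1, known_multi=frozenset()):
    """Replay ARP replies in order and raise an alert when
    (a) an IP's MAC changes from the one previously learned for it, or
    (b) a single MAC claims more IP addresses than a host is expected to own.
    `known_multi` lists MACs (routers, clustered hosts) allowed to answer for many IPs.
    A MAC change can also be legitimate (replaced NIC, DHCP reassignment), so the
    alerts are leads to correlate with DHCP and switch logs, not verdicts."""
    known_multi = {normalize_mac(m) for m in known_multi}
    learned = {}                   # ip -> MAC most recently learned for it
    ips_by_mac = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = normalize_mac(mac)
        previous = learned.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "ip-mac-change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        learned[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in known_multi:
                alerts.append({"time": ts, "type": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```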
When it's time to send a packet, your computer delivers a packet a) directly to
the destination computer or b) sends it to the router for ultimate delivery.
But how does your computer know whether the packet's destination is within its
subnet? The answer is that your computer uses the subnet mask to determine
the members of the subnet. If your computer's address and the destination
computer's IP addresses are in the same subnet address range, then they can
send packets directly to each other. If they're not in the same range, then they
must send their data through a router for delivery. The chart below associates
the number of IP addresses in a subnet with the subnet mask. For example, the
subnet mask "255.255.255.0" represents 254 consecutive IP addresses.
When a client is unable to reach a DHCP server, APIPA automatically configures
it with an IP address from a specially reserved range (this reserved range
goes from 169.254.0.0 to 169.254.255.255).
What is an RFC? Name a few if possible (not necessarily the numbers, just
the ideas behind them) A Request For Comments (RFC) document defines a
protocol or policy used on the Internet. An RFC can be submitted by anyone.
Eventually, if it gains enough interest, it may evolve into an Internet Standard.
Each RFC is designated by an RFC number. Once published, an RFC never
changes. Modifications to an original RFC are assigned a new RFC number.
What is RFC 1918? RFC 1918 is Address Allocation for Private Internets. The
Internet Assigned Numbers Authority (IANA) has reserved the following three
blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255
(10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), and 192.168.0.0 -
192.168.255.255 (192.168/16 prefix). We will refer to the first block as the
"24-bit block", the second as the "20-bit block", and to the third as the "16-bit
block". Note that (in pre-CIDR notation) the first block is nothing but a single
class A network number, while the second block is a set of 16 contiguous class B
network numbers, and the third block is a set of 256 contiguous class C network
numbers.
192.30.250.00/18
The "192.30.250.00" is the network address itself and the "18" says that the first
18 bits are the network part of the address, leaving the last 14 bits for specific
host addresses. CIDR lets one routing table entry represent an aggregation of
networks that exist in the forward path that don't need to be specified on that
particular gateway, much as the public telephone system uses area codes to
channel calls toward a certain part of the network. This aggregation of
networks in a single address is sometimes referred to as a supernet.
CIDR is supported by the Border Gateway Protocol, the prevailing exterior
(interdomain) gateway protocol. (The older exterior or interdomain gateway
protocols, Exterior Gateway Protocol and Routing Information Protocol, do not
support CIDR.) CIDR is also supported by the OSPF interior or intradomain
gateway protocol.
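The subnet arithmetic these passages describe (the classful masks, carving the class C network 200.1.1.0 into production and sales subnets, the same-subnet test a host performs before sending, the RFC 1918 private blocks, and CIDR aggregation into a supernet) as an added Python example built on the standard ipaddress module. The code is not from the original page; addresses other than the page's own are constructed.

```python
import ipaddress

# Classful default masks as described on the page.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

# The three RFC 1918 private blocks: 10/8, 172.16/12 and 192.168/16.
RFC1918_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(addr: str) -> str:
    """Classful letter from the first octet: 128-191 is class B, 192-223 is class C."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def usable_hosts(network: str) -> int:
    """Host addresses left once the network and broadcast addresses are excluded."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """Apply the same mask to both addresses; equal network parts mean the sender
    can deliver directly instead of handing the packet to the router."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{mask}").network
    return net_a == net_b


def split_network(network: str, parts: int) -> list[str]:
    """Borrow host bits to carve `parts` equal subnets (parts must be a power of two)."""
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    net = ipaddress.ip_network(network)
    return [str(sub) for sub in net.subnets(prefixlen_diff=(parts - 1).bit_length())]


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside one of the three private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def cidr_bits(prefix: str) -> tuple[int, int]:
    """(network bits, host bits) for a CIDR prefix such as 192.30.250.0/18."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen, net.max_prefixlen - net.prefixlen


def supernet(networks: list[str]) -> list[str]:
    """Collapse adjacent networks into the fewest covering prefixes (CIDR aggregation)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # The page's scenario: class C 200.1.1.0, one subnet each for production and sales.
    print(address_class("200.1.1.0"), DEFAULT_MASKS["C"], usable_hosts("200.1.1.0/24"))
    for dept, sub in zip(("production", "sales"), split_network("200.1.1.0/24", 2)):
        print(dept, sub, usable_hosts(sub))
    print(same_subnet("200.1.1.10", "200.1.1.200", "255.255.255.128"))
    print(cidr_bits("192.30.250.0/18"), supernet(["192.168.0.0/24", "192.168.1.0/24"]))
```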
You have the following Network ID: 131.112.0.0. You need at least 500
hosts per network. How many networks can you create? What subnet mask
will you use? The subnet mask is 255.255.252.0; we can create 4 subnets and
connect at least 500 hosts per network.
You need to view network traffic. What will you use? Name a few tools.
Depends what type of traffic I want to monitor and the network design. I really
liked using Fluke Networks OptiView Network Analyzer. For software, though, I
would say Wireshark, sitrace, Iris Network Traffic Analyzer, Airsnare,
Packetcapsa. BackTrack (a Linux live CD) has tons of different applications that
you can use to monitor and view network traffic.
How do I know the path that a packet takes to the destination? Use the
"tracert" command-line tool.
What is DHCP? What are the benefits and drawbacks of using it?
Benefits:
Disadvantage
Your machine name does not change when you get a new IP address. The DNS
(Domain Name System) name is associated with your IP address and therefore
does change. This only presents a problem if other clients try to access your
machine by its DNS name.
Describe the steps taken by the client and DHCP server in order to obtain an
IP address. At least one DHCP server must exist on a network. Once the DHCP
server software is installed, you create a DHCP scope, which is a pool of IP
addresses that the server manages. When clients log on, they request an IP
address from the server, and the server provides an IP address from its pool of
available addresses. DHCP was originally defined in RFC 1531 (Dynamic Host
Configuration Protocol, October 1993) but the most recent update is RFC 2131
(Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host
Configuration (dhc) Working Group is chartered to produce a protocol for
automated allocation, configuration, and management of IP addresses and
TCP/IP protocol stack parameters.
What is the DHCPNACK and when do I get one? Name 2 scenarios. Recently I
saw a lot of queries regarding when the Microsoft DHCP server issues a NAK to
DHCP clients. For simplification purposes, I am listing down the possible
scenarios in which the server should NOT issue a NAK. This should give you a
good understanding of DHCP NAK behavior.
DHCP server will issue a NAK to the client ONLY IF it is sure that the client, "on
the local subnet", is asking for an address that doesn't exist on that subnet.
1. Requested address from possibly the same subnet but not in the address pool
of the server:-
This can be the failover scenario in which 2 DHCP servers are serving the same
subnet so that when one goes down, the other should not NAK to clients which
got an IP from the first server.
What ports are used by DHCP and the DHCP clients? Clients send their requests
to UDP port 67 on the server, and the server replies to UDP port 68 on the client.
• Installing DHCP
• Understanding the DHCP lease process
• Creating scopes, superscopes, and multicast scopes
• Configuring the lease duration
• Configuring optional IP parameters that can be assigned to DHCP clients
• Understanding how DHCP interacts with DNS
• Configuring DHCP for DNS integration
• Authorizing a DHCP server in Active Directory
• Managing a DHCP server
• Monitoring a DHCP server
Introduction
The TCP/IP protocol is an Active Directory operational requirement. This means
that all computers on a Windows 2000 network require a unique IP address to
communicate with the Active Directory. Static IP addresses can add a lot of
administrative overhead. Not only can management of static IP addresses
become time consuming, but such management also increases the chances of
misconfigured parameters. Imagine having to manually type 10,000 IP
addresses and not make a single error. The Dynamic Host Configuration
Protocol (DHCP) can be implemented to centralize the administration of IP
addresses. Through DHCP, many of the tasks associated with IP addressing can
be automated. However, implementing DHCP also introduces some security
issues because anyone with physical access to the network can plug in a laptop
and obtain IP information about the internal network.
In this chapter, you'll learn how to implement a DHCP server, including the
installation process, authorization of the server, and the configuration of DHCP
scopes. The chapter ends by looking at how to manage a DHCP server and
monitor its performance.
Describe the integration between DHCP and DNS. Traditionally, DNS and
DHCP servers have been configured and managed one at a time. Similarly,
changing authorization rights for a particular user on a group of devices has
meant visiting each one and making configuration changes. DHCP integration
with DNS allows the aggregation of these tasks across devices, enabling a
company's network services to scale in step with the growth of network users,
devices, and policies, while reducing administrative operations and costs.
This integration provides practical operational efficiencies that lower total cost
of ownership. Creating a DHCP network automatically creates an associated
DNS zone, for example, reducing the number of tasks required of network
administrators. And integration of DNS and DHCP in the same database instance
provides unmatched consistency between service and management views of IP
address-centric network services data.
Windows Server 2003 DNS supports DHCP by means of the dynamic update of
DNS zones. By integrating DHCP and DNS in a DNS deployment, you can provide
your network resources with dynamic addressing information stored in DNS. To
enable this integration, you can use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136: Dynamic Updates in the
Domain Name System (DNS UPDATE), automatically updates DNS records. Both
Windows Server 2003 and Windows 2000 support dynamic update, and both clients
and DHCP servers can send dynamic updates when their IP addresses change.
Dynamic update enables a DHCP server to register address (A) and pointer
(PTR) resource records on behalf of a DHCP client by using DHCP Client FQDN
option 81. Option 81 enables the DHCP client to provide its FQDN to the DHCP
server. The DHCP client also provides instructions to the DHCP server
describing how to process DNS dynamic updates on behalf of the DHCP client.
The DHCP server can dynamically update DNS A and PTR records on behalf of
DHCP clients that are not capable of sending option 81 to the DHCP server. You
can also configure the DHCP server to discard client A and PTR records when
the DHCP client lease is deleted. This reduces the time needed to manage
these records manually and provides support for DHCP clients that cannot
perform dynamic updates. In addition, dynamic update simplifies the setup of
Active Directory by enabling domain controllers to dynamically register SRV
resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs
one of the following actions:
The DHCP server updates resource records at the request of the client. The
client requests the DHCP server to update the DNS PTR record on behalf of the
client, and the client registers A.
The DHCP server updates DNS A and PTR records regardless of whether the
client requests this action or not.
By itself, dynamic update is not secure because any client can modify DNS
records. To secure dynamic updates, you can use the secure dynamic update
feature provided in Windows Server 2003. To delete outdated records, you can
use the DNS server aging and scavenging feature.
What are User Classes and Vendor Classes in DHCP? Microsoft Vendor Classes
ipconfig /setclassid "<Name of your Network card>" "<Name of the class you created on DHCP and you want to join (Name is case sensitive)>"
Eg:
Apple OS X 10.* Server supports BootP, albeit renamed NetBoot. The facility
allows the admin to maintain a selected set of configurations as boot images
and then assign sets of client systems to share (or boot from) an image. For
example, the Accounting, Management, and Engineering departments have
elements in common, but can be unique from other departments. Performing
upgrades and maintenance on three images is far more productive than working
on all client systems individually.
Startup is obviously network intensive, and beyond 40-50 clients the admin
needs to carefully subnet the infrastructure, use gigabit switches, and host the
images local to the clients to avoid saturating the network. This will expand
the number of BootP servers and multiply the number of images, but the
productivity of 1 BootP server per 50 clients is undeniable :)
DNS zones – describe the differences between the 4 types. A DNS zone is the
actual file which contains all the records for a specific domain.
i) Forward Lookup Zones: - This zone is responsible for resolving host names to
IP addresses.
iii) Stub Zone: - A stub zone is a read-only copy of a primary zone, but it
contains only 3 records, viz. the SOA for the primary zone, the NS record, and a
Host (A) record.
Authoritative Name Server [NS] Record: - A zone should contain one NS record
for each of its own DNS servers (primary and secondary). This is mostly used for
zone transfer purposes (notify). These NS records have the same name as the
zone in which they are located.
If you host Web sites on this server and have a standalone DNS server acting as
a primary (master) name server for your sites, you may want to set up your
control panel's DNS server to function as a secondary (slave) name server:
To make the control panel's DNS server act as a secondary name server:
Go to Domains > domain name > DNS Settings (in the Web Site group).
Click Add.
Repeat steps from 1 to 5 for each Web site that needs to have a secondary
name server on this machine.
To make the control panel's DNS server act as a primary for a zone:
Go to Domains > domain name > DNS Settings (in the Web Site group).
Click Switch DNS Service Mode. The original resource records for the zone will
be restored.
If you host Web sites on this server and rely entirely on other machines to
perform the Domain Name Service for your sites (there are two external name
servers - a primary and a secondary), switch off the control panel's DNS service
for each site served by external name servers.
To switch off the control panel's DNS service for a site served by an external
name server:
Go to Domains > domain name > DNS Settings (in the Web Site group).
Click Switch Off the DNS Service in the Tools group. Turning the DNS service
off for the zone will refresh the screen, so that only a list of name servers
remains.
Note: The listed name server records have no effect on the system. They are
only presented on the screen as clickable links to give you a chance to validate
the configuration of the zone maintained on the external authoritative name
servers.
Repeat the steps from 1 to 3 to switch off the local domain name service for
each site served by external name servers.
Go to Domains > domain name > DNS Settings (in the Web Site group).
Add to the list the entries pointing to the appropriate name servers that are
authoritative for the zone: click Add, specify a name server, and click OK.
Repeat this for each name server you would like to test.
Click the records that you have just created. Parallels Plesk Panel will retrieve
the zone file from a remote name server and check the resource records to
make sure that domain's resources are properly resolved.
Describe the importance of DNS to AD. When you install Active Directory on a server, you promote the server to the role of a domain controller for a specified domain. When completing this process, you are prompted to specify a DNS domain name for the Active Directory domain to which you are joining and promoting the server. If during this process a DNS server authoritative for the domain that you specified either cannot be located on the network or does not support the DNS dynamic update protocol, you are prompted with the option to install a DNS server. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an Active Directory domain.
What does "Disable Recursion" in DNS mean? In the Windows 2000/2003 DNS
console (dnsmgmt.msc), under a server's Properties -> Forwarders tab is the
setting Do not use recursion for this domain. On the Advanced tab you will find
the confusingly similar option Disable recursion (also disables forwarders).
Recursion refers to the action of a DNS server querying additional DNS servers
(e.g. local ISP DNS or the root DNS servers) to resolve queries that it cannot
resolve from its own database. So what is the difference between these
settings?
The DNS server will attempt to resolve the name locally, then will forward
requests to any DNS servers specified as forwarders. If Do not use recursion for
this domain is enabled, the DNS server will pass the query on to forwarders,
but will not recursively query any other DNS servers (e.g. external DNS servers)
if the forwarders cannot resolve the query.
If Disable recursion (also disables forwarders) is set, the server will attempt to
resolve a query from its own database only. It will not query any additional
servers.
If neither of these options is set, the server will attempt to resolve queries normally:
• the local database is queried
• if an entry is not found, the request is passed to any forwarders that are set
• if no forwarders are set, the server will query servers on the Root Hints tab to resolve queries beginning at the root domains.
What could cause the Forwarders and Root Hints to be grayed out? Win2K configured your DNS server as a private root server.
What is a "Single Label domain name" and what sort of issues can it cause? Single-label names consist of a single word like "contoso".
• Single-label DNS names cannot be registered by using an Internet registrar.
• Client computers and domain controllers that are joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones.
• Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
• By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.
• Some server-based applications are incompatible with single-label domain
names. Application support may not exist in the initial release of an
application, or support may be dropped in a future release. For example,
Microsoft Exchange Server 2007 is not supported in environments in which
single-label DNS is used.
• Some server-based applications are incompatible with the domain rename
feature that is supported in Windows Server 2003 domain controllers and in
Windows Server 2008 domain controllers. These incompatibilities either block
or complicate the use of the domain rename feature when you try to rename a
single-label DNS name to a fully qualified domain name.
What is the "in-addr.arpa" zone used for? When creating DNS records for your hosts, A records make sense. After all, how can the world find your mail server unless the IP address of that server is associated with its hostname within a DNS database? However, PTR records aren't as easily understood. If you already have a zone file, why does there have to be a separate in-addr.arpa zone containing PTR records matching your A records? And who should be making those PTR records: you or your provider? Let's start by defining in-addr.arpa.
.arpa is actually a TLD like .com or .org. The name of the TLD comes from Address and Routing Parameter Area, and it has been designated by the IANA to be used exclusively for Internet infrastructure purposes. In other words, it is an important zone and an integral part of the inner workings of DNS. The RFC for DNS (RFC 1035) has an entire section on the in-addr.arpa domain. The first two paragraphs in that section state the purpose of the domain: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network in the Internet. Note that both of these services are similar to functions that could be performed by inverse queries; the difference is that this part of the domain name space is structured according to address, and hence can guarantee that the appropriate data can be located without an exhaustive search of the domain space."
In other words, this zone provides a database of all allocated networks and the DNS-reachable hosts within those networks. If your assigned network does not appear in this zone, it appears to be unallocated. And if your hosts don't have a PTR record in this database, they appear to be unreachable through DNS. Assuming an A record exists for a host, a missing PTR record may or may not impact the DNS reachability of that host, depending upon the applications running on that host. For example, a mail server will definitely be impacted, as PTR records are used in mail header checks and by most anti-spam mechanisms. Depending upon your web server configuration, it may also depend upon an existing PTR record. This is why the DNS RFCs recommend that every A record has an associated PTR record.
But who should make and host those PTR records? Twenty years ago, when you could buy a full Class C network address (i.e. 254 host addresses), the answer was easy: you. Remember, the in-addr.arpa zone is concerned with delegated network addresses. In other words, the owner of the network address is authoritative (i.e. responsible) for the host PTR records associated with that network address space. If you only own one or two host addresses within a network address space, the provider you purchased those addresses from needs to host your PTR records, as the provider is the owner of (i.e. authoritative for) the network address. Things are a bit more interesting if you have been delegated a CIDR block of addresses. The in-addr.arpa zone assumes a classful addressing scheme where a Class A address is one octet (or /8), a Class B is 2 octets (or /16) and a Class C is 3 octets (or /24). CIDR allows for delegating address space outside of these boundaries, say a /19 or a /28. RFC 2317 provides a best current practice for maintaining in-addr.arpa with these types of network allocations.
Here is a summary regarding PTR records:
• Don't wait until users complain about DNS unreachability; be proactive and ensure there is an associated PTR record for every A record.
• If your provider hosts your A records, they should also host your PTR records.
• If you only have one or two assigned IP addresses, your provider should host your PTR records, as they are authoritative for the network those hosts belong to.
• If you own an entire network address (e.g. a Class C address ending in 0), you are responsible for hosting your PTR records.
• If you are configuring an internal DNS server within the private address ranges (e.g. 10.0.0.0 or 192.168.0.0), you are responsible for your own internal PTR records.
• Remember: the key to PTR hosting is knowing who is authoritative for the network address for your domain. When in doubt, it probably is not you.
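The reverse-name construction, the RFC 2317 classless case and the "every A record has an associated PTR record" check from the passage above, as an added example (not part of the original notes). The zone data is constructed inline using the 192.0.2.0/24 documentation range, and the "<first>-<last>" subzone label is one of the naming styles RFC 2317 allows.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address: the octets reversed (RFC 1035)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def reverse_zones_for_block(cidr: str):
    """in-addr.arpa zones the holder of a CIDR block would be delegated: the
    /8, /16 or /24 zones the block spans, or one RFC 2317 subzone (named
    '<first>-<last>' here) when the block is smaller than a /24."""
    net = ipaddress.IPv4Network(cidr)
    o = str(net.network_address).split(".")
    if net.prefixlen > 24:
        first = int(o[3])
        last = first + net.num_addresses - 1
        return [f"{first}-{last}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."]
    bits = 24 if net.prefixlen > 16 else 16 if net.prefixlen > 8 else 8
    zones = []
    for sub in net.subnets(new_prefix=bits):
        labels = str(sub.network_address).split(".")[: bits // 8]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa.")
    return zones

def classless_cname_target(ip: str, prefixlen: int) -> str:
    """RFC 2317: the /24 zone owner publishes a CNAME from the host's normal
    PTR name to this name inside the subzone delegated to the block holder."""
    if not 25 <= prefixlen <= 32:
        raise ValueError("RFC 2317 applies to delegations smaller than a /24")
    net = ipaddress.IPv4Network(f"{ip}/{prefixlen}", strict=False)
    host = int(str(ipaddress.IPv4Address(ip)).split(".")[3])
    return f"{host}." + reverse_zones_for_block(str(net))[0]

# Constructed sample zone data (not from the original notes).
A_RECORDS = {
    "mail.example.com.": "192.0.2.10",
    "www.example.com.": "192.0.2.20",
    "db.example.com.": "192.0.2.30",
}
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": "mail.example.com.",
    "20.2.0.192.in-addr.arpa.": "web.example.com.",  # stale name, no matching A
}

def check_ptr_coverage(a_records, ptr_records):
    """Apply the rule from the text: every A record needs a PTR record, and the
    PTR target should have an A record pointing back at the same address
    (forward-confirmed reverse DNS, which mail anti-spam checks rely on).
    Returns (hosts without a PTR, (host, ip, ptr target) triples that mismatch)."""
    missing, mismatched = [], []
    for host, ip in a_records.items():
        target = ptr_records.get(reverse_name(ip))
        if target is None:
            missing.append(host)
        elif a_records.get(target) != ip:
            mismatched.append((host, ip, target))
    return missing, mismatched

if __name__ == "__main__":
    print(reverse_name("192.0.2.10"))
    print(reverse_zones_for_block("198.51.96.0/19"))        # a /19 spans 32 /24 zones
    print(classless_cname_target("192.0.2.130", 28))        # RFC 2317 CNAME target
    missing, mismatched = check_ptr_coverage(A_RECORDS, PTR_RECORDS)
    print("no PTR:", missing)
    print("PTR does not confirm A:", mismatched)
```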
When you install Active Directory on a member server, the member server is
promoted to a domain controller. Active Directory uses DNS as the location
mechanism for domain controllers, enabling computers on the network to
obtain IP addresses of domain controllers.
During the installation of Active Directory, the service (SRV) and address (A)
resource records are dynamically registered in DNS, which are necessary for the
successful functionality of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the
SRV and A DNS resource records of the domain controller, which provide the
client with the names and IP addresses of the domain controllers. In this
context, the SRV and A resource records are referred to as Locator DNS
resource records.
When adding a domain controller to a forest, you are updating a DNS zone
hosted on a DNS server with the Locator DNS resource records and identifying
the domain controller. For this reason, the DNS zone must allow dynamic
updates (RFC 2136) and the DNS server hosting that zone must support the SRV
resource records (RFC 2782) to advertise the Active Directory directory service.
For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running
Windows 2000 or Windows Server 2003, contact your DNS administrator to
determine if the DNS server supports the required standards. If the server does
not support the required standards, or the authoritative DNS zone cannot be
configured to allow dynamic updates, then modification is required to your
existing DNS infrastructure.
For more information, see Checklist: Verifying DNS before installing Active
Directory and Using the Active Directory Installation Wizard.
Important
• The DNS server used to support Active Directory must support SRV resource
records for the Locator mechanism to function. For more information, see
Managing resource records.
After installing Active Directory, these records can be found on the domain
controller in the following location: systemroot\System32\Config\Netlogon.dns
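An added example (not from the original notes) that parses a constructed, trimmed Netlogon.dns-style listing and checks that the Locator SRV records described above are present, carry the expected service port, and point at a host that has an A record. The set of names checked is the well-known minimum for a single-domain forest; the sample data, the domain example.com and the hosts dc1/dc9 are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample in the Netlogon.dns line format (the real file also lists
# site-specific names). One target (dc9) and one record (_kpasswd) are wrong
# on purpose so the check has something to report.
NETLOGON_DNS = """\
example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc9.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""
# The DC's own host A record is registered by the DNS client, not by Netlogon.
HOST_A = {"dc1.example.com.": "192.0.2.10"}

def parse_netlogon_dns(text):
    """Parse '<name> <ttl> IN <type> <rdata>' lines into {(name, type): [rdata]}.
    Only A and SRV records matter for the Locator mechanism."""
    records = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        name, rtype = f[0].lower(), f[3]
        if rtype == "A":
            records[(name, "A")].append(f[4])
        elif rtype == "SRV" and len(f) >= 8:
            pri, wt, port = map(int, f[4:7])
            records[(name, "SRV")].append(SRV(pri, wt, port, f[7].lower()))
    return records

def expected_locator_records(domain):
    """Locator SRV names a client queries for a domain, with the service port
    each should advertise (assumes the domain is also the forest root)."""
    d = domain.rstrip(".").lower() + "."
    return {
        f"_ldap._tcp.{d}": 389,
        f"_ldap._tcp.dc._msdcs.{d}": 389,
        f"_ldap._tcp.pdc._msdcs.{d}": 389,
        f"_kerberos._tcp.{d}": 88,
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_kpasswd._tcp.{d}": 464,
        f"_gc._tcp.{d}": 3268,
    }

def check_locator(records, domain, host_a):
    """Return a list of problems: missing SRV names, unexpected ports, and SRV
    targets with no A record in the listing or in host_a."""
    problems = []
    for name, port in expected_locator_records(domain).items():
        srvs = records.get((name, "SRV"))
        if not srvs:
            problems.append(f"missing SRV {name}")
            continue
        for s in srvs:
            if s.port != port:
                problems.append(f"{name}: port {s.port}, expected {port}")
            if not records.get((s.target, "A")) and s.target not in host_a:
                problems.append(f"{name}: target {s.target} has no A record")
    return problems

if __name__ == "__main__":
    recs = parse_netlogon_dns(NETLOGON_DNS)
    for p in check_locator(recs, "example.com", HOST_A):
        print("PROBLEM:", p)
```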
How do you manually create SRV records in DNS? On Windows Server, in the DNS console, right-click the zone you want to add the SRV record to and choose "Other New Records".
What are the benefits of using Windows 2003 DNS when using AD-integrated
zones?
Advantages:
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes. The machine's DNS client is not configured to point at its own DNS server; the DNS service is not running.
What are the benefits and scenarios of using Stub zones? One of the new features introduced in the Windows Server 2003-based implementation of DNS is stub zones. Their main purpose is to provide name resolution for domains for which a local DNS server is not authoritative. The stub zone contains only a few records:
• a Start of Authority (SOA) record pointing to a remote DNS server that is considered to be the best source of information about the target DNS domain,
• one or more Name Server (NS) records (including the entry associated with the SOA record), which are authoritative for the DNS domain represented by the stub zone,
• corresponding A records for each of the NS entries (providing IP addresses of the servers).
While you can also provide name resolution for a remote domain by creating a secondary zone (which was a common approach in the Windows 2000 DNS implementation) or a delegation (when dealing with a contiguous namespace), such an approach forces periodic zone transfers, which are not needed when stub zones are used. The need to traverse the network in order to obtain individual records hosted on the remote name servers is mitigated to some extent by the caching process, which keeps them on the local server for the duration of their Time-to-Live (TTL). In addition, records residing in a stub zone are periodically validated and refreshed in order to avoid lame delegations.
What are the benefits and scenarios of using Conditional Forwarding? The benefit is faster name resolution in certain scenarios: queries for a particular domain name are forwarded directly to the server responsible for that domain, so you control where DNS queries for specific domains are sent.
• Start
• Run
• Type "cmd" and press enter
• In the command window type "ipconfig /flushdns"
• A. If done correctly it should say "Successfully flushed the DNS Resolver
Cache."
• B. If you receive the error "Could not flush the DNS Resolver Cache: Function failed during execution.", follow Microsoft KB article 919746 to enable the cache. The cache will be empty; however, this will allow a successful cache flush in future.
What is the 224.0.1.24 address used for? WINS server group address. Used to
support autodiscovery and dynamic configuration of replication for WINS
servers. For more information, see WINS replication overview
What is WINS and when do we use it? WINS is the Windows Internet Name Service, which is used to resolve NetBIOS (computer) names to IP addresses. It is proprietary to Windows. You can use it on a LAN.
A push partner is a WINS server that sends a message to its pull partners,
notifying them that it has new WINS database entries. When a WINS server's
pull partner responds to the message with a replication request, the WINS
server sends (pushes) copies of its new WINS database entries (also known as
replicas) to the requesting pull partner.
A pull partner is a WINS server that pulls WINS database entries from its push
partners by requesting any new WINS database entries that the push partners
have. The pull partner requests the new WINS database entries that have a
higher version number than the last entry the pull partner received during the
most recent replication.
Simple deletion removes the records that are selected in the WINS console
only from the local WINS server you are currently managing. If the WINS
records deleted in this way exist in WINS data replicated to other WINS servers
on your network, these additional records are not fully removed. Also, records
that are simply deleted on only one server can reappear after replication
between the WINS server where simple deletion was used and any of its
replication partners.
replicated, the tombstone status is updated and applied by other WINS servers
that store replicated copies of these records. Each replicating WINS server then
updates and tombstones
Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
Routers can have many different types of connectors; from Ethernet, Fast
Ethernet, and Token Ring to Serial and ISDN ports. Some of the available
configurable items are logical addresses (IP,IPX), media types, bandwidth, and
administrative commands. Interfaces are configured in interface mode which
you get to from global configuration mode after logging in.
Depending on the port you're using, you might have to press Enter to get the prompt to appear (console port). The first prompt will look like Routername>; the greater-than sign at the prompt tells you that you are in user mode, in which you can only view limited statistics of the router. To change configurations you first need to enter privileged EXEC mode. This is done by typing enable at the Routername> prompt; the prompt then changes to Routername#. This mode supports testing commands, debugging commands, and commands to manage the router configuration files. To go back to user mode, type disable at the Routername# prompt. If you want to leave completely, type logout at the user mode prompt. You can also exit from the router while in privileged mode by typing exit or logout at the Routername# prompt.
Enter this mode from privileged mode by typing configure terminal (or conf t for short). The prompt will change to Routername(config)#. Changes
made in this mode change the running-config file in DRAM. Use configure
memory to change the startup-config in NVRAM. Using configure network
allows you to change the configuration file on a TFTP server. If you change the
memory or network config files, the router has to put them into memory
(DRAM) in order to work with them, so this will change your router's current
running-config file.
Interfaces mode
While in global configuration mode you can make changes to individual interfaces with the command Routername(config)#interface ethernet 0 (or Routername(config)#int e0 for short); this enters the interface configuration mode for Ethernet port 0 and changes the prompt to look like Routername(config-if)#.
Bringing Up Interfaces
If an interface is shown administratively down when the show interface
command is given in privileged EXEC mode, use the command no shutdown to
enable the interface while in interface configuration mode.
Setting IP Addresses
You can add another IP address to an interface with the secondary keyword. The syntax is the same as setting an IP address except you add secondary to the end of it. Secondary addresses allow you to specify 2 IP addresses for 1 interface. Use subinterfaces instead, since they allow for more than 2 IP addresses on an interface, and secondaries will probably be replaced soon.
Interface Problems
When using the command show interface [type #] interface problems can be
seen and appropriate action taken.
Message: Ethernet0 is up, line protocol is up
Solution: None needed, interface working properly
Message: Ethernet0 is up, line protocol is down
Solution: Clocking or framing problem, check clock rate and encapsulation type on both routers
Message: Ethernet0 is down, line protocol is down
Solution: Cable or interface problem, check interfaces on both ends to ensure they aren't shutdown
Message: Ethernet0 is administratively down, line protocol is down
Solution: The interface has been shutdown, use the no shutdown command in the interface's configuration mode
Serial Interfaces
The serial interface is usually attached to a line that is attached to a CSU/DSU
that provides clocking rates for the line. However, if two routers are
connected together, one of the serial interfaces must act as the DCE device
and provide clocking. The DCE end of the cable is the side of the cable that
has a female connector where it connects to the other cable. The clocking
rate on the DCE device is set in interface configuration mode with the
commands:
Router3(config)#int s0
Router3(config-if)#clock rate ?
Bandwidth: Cisco routers ship with T1 (1.544 Mbps) bandwidth rates on their serial interfaces. Some routing protocols use the bandwidth of links to determine the best route. The bandwidth setting is irrelevant with RIP routing. Bandwidth is set with the bandwidth command and ranges from 1 to 10000000 kilobits per second.
Router3(config)#int s0
Router3(config-if)#bandwidth ?
<1-10000000> Bandwidth in kilobits
Router3(config-if)#bandwidth 10000000
Saving Changes
Any time you make changes and want them saved over the next reboot, you
need to copy the running-config to the startup-config in NVRAM. Use the
command:
Show Controllers: Tells you information about the physical interface itself; it also gives you the cable type and whether it is a DTE or DCE interface. Syntax is:
Router_2#show controllers s 1
What is the real difference between NAT and PAT? NAT is a feature of a
router that will translate IP addresses. When a packet comes in, it will be
rewritten in order to forward it to a host that is not the IP destination. A router
will keep track of this translation, and when the host sends a reply, it will
translate back the other way.
PAT translates ports, as the name implies, and likewise NAT translates addresses. Sometimes PAT is also called Overloaded NAT.
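An added example (not from the original notes) that models the translation tables the text describes: address-only NAT, which needs one public address per concurrent inside host, beside PAT, which overloads a single public address by rewriting source ports and maps replies back through the same table. It also shows why an inbound packet with no matching table entry is dropped. All addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of an IP packet (constructed for this example)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class BasicNat:
    """Address-only NAT: each inside host borrows one public address from a
    pool, so the number of concurrently translated hosts is bounded by it."""
    def __init__(self, pool):
        self.free = list(pool)
        self.out = {}    # inside ip -> public ip
        self.back = {}   # public ip -> inside ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.out:
            if not self.free:
                return None              # pool exhausted: nothing to translate with
            pub = self.free.pop(0)
            self.out[pkt.src_ip] = pub
            self.back[pub] = pkt.src_ip
        return replace(pkt, src_ip=self.out[pkt.src_ip])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.back.get(pkt.dst_ip)
        return None if inside is None else replace(pkt, dst_ip=inside)

class PatRouter:
    """PAT (overloaded NAT): one public address; flows are told apart by the
    translated source port. State is keyed by protocol, inside address and
    inside port so that each reply can be rewritten back to the right host."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside ip, inside port) -> public port
        self.back = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:          # first packet of a flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Only packets matching an existing outbound translation get through;
        an unsolicited packet to the public address has no entry and is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.back.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

if __name__ == "__main__":
    pat = PatRouter("203.0.113.1")
    out = pat.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80))
    print("outbound after PAT:", out)
    print("reply after PAT:", pat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.1", out.src_port)))
    print("unsolicited inbound:", pat.inbound(Packet("tcp", "198.51.100.9", 443, "203.0.113.1", 2000)))
```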
How do you configure NAT on Windows 2003? To configure the Routing and Remote Access and the Network Address Translation components, your computer must have at least two network interfaces: one connected to the Internet and the other connected to the internal network. You must also configure the network translation computer to use Transmission Control Protocol/Internet Protocol (TCP/IP).
Use the following data to configure the TCP/IP address of the network adapter
that connects to the internal network:
Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access.
Right-click your server, and then click Configure and Enable Routing and
Remote Access.
In the Routing and Remote Access Setup Wizard, click Next, click Network
address translation (NAT), and then click Next.
Click Use this public interface to connect to the Internet, and then click the
network adapter that is connected to the Internet. At this stage you have the
option to reduce the risk of unauthorized access to your network. To do so,
click to select the Enable security on the selected interface by setting up
Basic Firewall check box.
Examine the selected options in the Summary box, and then click Finish.
Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access.
In the NAT/Basic Firewall Properties dialog box, click the Address Assignment
tab.
Click Exclude.
In the Exclude Reserved Addresses dialog box, click Add, type the IP address,
and then click OK.
Click OK.
Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access. Right-click NAT/Basic Firewall, and then
click Properties.
In the NAT/Basic Firewall Properties dialog box, click the Name Resolution
tab.
Click to select the Clients using Domain Name System (DNS) check box. If you
use a demand-dial interface to connect to an external DNS server, click to
select the Connect to the public network when a name needs to be resolved
check box, and then click the appropriate dial-up interface in the list.
How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
You can use the Windows Server 2003 implementation of IPSec to compensate
for the limited protections provided by applications for network traffic, or as a
network-layer foundation of a defense-in-depth strategy. Do not use IPSec as a
replacement for other user and application security controls, because it cannot
protect against attacks from within established and trusted communication
paths. Your authentication strategy must be well defined and implemented for
the potential security provided by IPSec to be realized, because authentication
verifies the identity and trust of the computer at the other end of the
connection.
What is VPN? What types of VPN does Windows 2000 and beyond work with
natively? The virtual private network (VPN) technology included in Windows
Server 2003 helps enable cost-effective, secure remote access to private
networks. VPN allows administrators to take advantage of the Internet to help
provide the functionality and security of private WAN connections at a lower
cost. In Windows Server 2003, VPN is enabled using the Routing and Remote
Access service. VPN is part of a comprehensive network access solution that
includes support for authentication and authorization services, and advanced
network security technologies.
There are two main strategies that help provide secure connectivity between private networks and enable network access for remote users.
Note
Using VPN, administrators can connect remote or mobile workers (VPN clients)
to private networks. Remote users can work as if their computers are physically
connected to the network. To accomplish this, VPN clients can use a
Connection Manager profile to initiate a connection to a VPN server. The VPN
server can communicate with an Internet Authentication Service (IAS) server to
authenticate and authorize a user session and maintain the connection until it
is terminated by the VPN client or by the VPN server. All services typically
available to a LAN-connected client (including file and print sharing, Web
server access, and messaging) are enabled by VPN.
VPN clients can use standard tools to access resources. For example, clients
can use Windows Explorer to make drive connections and to connect to
printers. Connections are persistent: Users do not need to reconnect to
network resources during their VPN sessions. Because drive letters and
universal naming convention (UNC) names are fully supported by VPN, most
commercial and custom applications work without modification.
VPN Scenarios
Virtual private networks are point-to-point connections across a private or
public network such as the Internet. A VPN client uses special TCP/IP-based
protocols, called tunneling protocols, to make a virtual call to a virtual port on
a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-
point connection to a remote access server over the Internet. The remote
access server answers the call, authenticates the caller, and transfers data
between the VPN client and the organization’s private network.
A VPN Connection
Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections)
enable organizations to have routed connections between separate offices or
with other organizations over a public network while helping to maintain
secure communications. A routed VPN connection across the Internet logically
operates as a dedicated WAN link. When networks are connected over the
Internet, as shown in the following figure, a router forwards packets to another
router across a VPN connection. To the routers, the VPN connection operates as
a data-link layer link.
Encapsulation
VPN technology provides a way of encapsulating private data with a header
that allows the data to traverse the network.
Authentication
There are three types of authentication for VPN connections:
Data Encryption
Data can be encrypted for protection between the endpoints of the VPN
connection. Data encryption should always be used for VPN connections where
private data is sent across a public network such as the Internet. Data that is
not encrypted is vulnerable to unauthorized interception. For VPN connections,
Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE)
with PPTP and IPSec encryption with L2TP.
The virtual interfaces of the VPN client and the VPN server must be assigned IP
addresses. The assignment of these addresses is done by the VPN server. By
default, the VPN server obtains IP addresses for itself and VPN clients using the
Dynamic Host Configuration Protocol (DHCP). Otherwise, a static pool of IP
addresses can be configured to define one or more address ranges, with each
range defined by an IP network ID and a subnet mask or start and end IP
addresses.
Name server assignment, the assignment of Domain Name System (DNS) and
Windows Internet Name Service (WINS) servers to the VPN connection, also
occurs during the process of establishing the VPN connection.
Tunneling Overview
Tunneling is a method of using a network infrastructure to transfer data for one
network over another network. The data (or payload) to be transferred can be
the frames (or packets) of another protocol. Instead of sending a frame as it is
produced by the originating node, the tunneling protocol encapsulates the
frame in an additional header. The additional header provides routing
information so that the encapsulated payload can traverse the intermediate
network.
The encapsulated packets are then routed between tunnel endpoints over the
network. The logical path through which the encapsulated packets travel
through the network is called a tunnel. After the encapsulated frames reach
their destination on the network, the frame is de-encapsulated (the header is
removed) and the payload is forwarded to its final destination. Tunneling
includes this entire process (encapsulation, transmission, and de-encapsulation
of packets).
Tunneling
Tunneling Protocols
Tunneling enables the encapsulation of a packet from one type of protocol
within the datagram of a different protocol. For example, VPN uses PPTP to
encapsulate IP packets over a public network such as the Internet. A VPN
solution based on either PPTP or L2TP can be configured.
PPTP and L2TP depend heavily on the features originally specified for PPP. PPP
was designed to send data across dial-up or dedicated point-to-point
connections. For IP, PPP encapsulates IP packets within PPP frames and then
transmits the encapsulated PPP-packets across a point-to-point link. PPP was
originally defined as the protocol to use between a dial-up client and a network
access server (NAS).
PPTP
PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an
IP header to be sent across an organization’s IP network or a public IP network
such as the Internet. PPTP encapsulates Point-to-Point Protocol (PPP) frames in
IP datagrams for transmission over the network. PPTP can be used for remote
access and site-to-site VPN connections. PPTP is documented in RFC 2637 in the
IETF RFC Database.
PPTP uses a TCP connection for tunnel management and a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled
data. The payloads of the encapsulated PPP frames can be encrypted,
compressed, or both. The following figure shows the structure of a PPTP packet
containing an IP datagram.
When using the Internet as the public network for VPN, the PPTP server is a
PPTP-enabled VPN server with one interface on the Internet and a second
interface on the intranet.
L2TP
L2TP allows multiprotocol traffic to be encrypted and then sent over any
medium that supports point-to-point datagram delivery, such as IP, X.25, frame
relay, or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP
represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to
be sent over IP, X.25, frame relay, or ATM networks. When configured to use IP
as its datagram transport, L2TP can be used as a tunneling protocol over the
Internet. L2TP is documented in RFC 2661 in the IETF RFC Database.
L2TP over IP networks uses User Datagram Protocol (UDP) and a series of L2TP
messages for tunnel management. L2TP also uses UDP to send L2TP-
encapsulated PPP frames as tunneled data. The payloads of encapsulated PPP
frames can be encrypted, compressed, or both, although the Microsoft
implementation of L2TP does not use MPPE to encrypt the PPP payload. The
following figure shows the structure of an L2TP packet containing an IP
datagram.
Default Routing
The preferred method for directing packets to a remote network is to create a
default route on the remote access client that directs packets to the remote
network (the default configuration for VPN remote access clients). Any packet
that is not intended for the neighboring LAN segment is sent to the remote
network. When a connection is made, the remote access client, by default,
adds a default route to its routing table and increases the metric of the
existing default route to ensure that the newest default route is used. The
newest default route points to the new connection, which ensures that any
packets that are not addressed to the local LAN segment are sent to the
remote network.
Under this configuration, when a VPN client connects and creates a new
default route, Internet sites that have been accessible are no longer accessible
(unless Internet access is available through the organization’s intranet). This
poses no problem for remote VPN clients that require access only to the
organization’s network. However, it is not acceptable for remote clients that
need access to the Internet while they are connected to the organization’s
network.
Split Tunneling
Split tunneling enables remote access VPN clients to route corporate-bound
traffic over the VPN connection while sending Internet-bound traffic over the
user's local Internet connection. This saves corporate bandwidth for access to
Internet sites, but it also means the client is attached to the Internet and to
the intranet at the same time, outside the view of the corporate firewall; many
organizations therefore disable it or require a host firewall on the client.
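The default-route behaviour described above and the split-tunnel alternative can be inspected and switched from PowerShell. This is an added example, not code from the original document; it assumes the built-in VPN client on Windows 8/Server 2012 or later (the NetTCPIP and VpnClient modules), and the connection name and corporate prefix are placeholders.

```powershell
# Added example (not from the original document). Connection name and prefix are assumed.
$vpnName    = 'Corp-VPN'       # placeholder: name of the VPN connection
$corpPrefix = '10.0.0.0/8'     # placeholder: intranet address space

# Which default route wins? Windows uses the lowest (route + interface) metric.
# After a full-tunnel VPN connects, the RAS interface holds the preferred 0.0.0.0/0.
function Get-ActiveDefaultRoute {
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
        Select-Object -First 1 InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
}
Write-Host 'Active default route:'
Get-ActiveDefaultRoute

# Switch the connection to split tunneling: the Internet default route stays on the
# local NIC and only $corpPrefix is sent through the tunnel. This is the modern
# equivalent of clearing "Use default gateway on remote network" in the
# connection's TCP/IP advanced settings on Windows 2000/XP/2003 clients.
Set-VpnConnection -Name $vpnName -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix $corpPrefix

# Caveat: a split-tunnel client is on the Internet and the intranet at once; keep
# the host firewall on and route only the prefixes that are actually needed.
Get-VpnConnection -Name $vpnName | Select-Object Name, SplitTunneling, Routes
```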
With the advent of the Internet, packets can now be routed between routers
that are connected to the Internet across a virtual connection that emulates
the properties of a dedicated, private, point-to-point connection. This type of
connection is known as a site-to-site VPN connection. Site-to-site VPN
connections can be used to replace expensive long-haul WAN links with short-
haul WAN links to a local Internet service provider (ISP).
To facilitate routing between the sites, each VPN server and the routing
infrastructure of its connected site must have a set of routes that represent the
address space of the other site. These routes can be added manually, or
routing protocols can be used to automatically add and maintain a set of
routes.
1.1.1.1.6 RIP
RIP is designed for exchanging routing information within a small to medium-
size network. RIP routers dynamically exchange routing table entries.
The Windows Server 2003 implementation of RIP has the following features:
• The ability to select which RIP version to run on each interface for incoming
and outgoing packets.
1.1.1.1.7 OSPF
OSPF is designed for exchanging routing information within a large or very large
network. Instead of exchanging routing table entries like RIP routers, OSPF
routers maintain a map of the network that is updated after any change to the
network topology. This map, called the link state database, is synchronized
between all the OSPF routers and is used to compute the routes in the routing
table. Neighboring OSPF routers form an adjacency, which is a logical
relationship between routers to synchronize the link state database.
For inbound traffic, when the tunneled data is decrypted by the VPN server, it
is forwarded to the firewall. Through the use of its filters, the firewall allows
the traffic to be forwarded to intranet resources. Because the only traffic that
crosses the VPN server is generated by authenticated VPN clients, in this
scenario, firewall filtering can be used to prevent VPN users from accessing
specific intranet resources. Because Internet traffic allowed on the intranet
must pass through the VPN server, this approach also prevents the sharing of
FTP or Web intranet resources with non-VPN Internet users.
• Connection Manager
• DHCP
• EAP-RADIUS
• IAS
• Name Server Assignment (DNS and WINS)
• NAT
Connection Manager
Connection Manager is a service profile that can be used to provide customized
remote access to a network through a VPN connection. The advanced features
of Connection Manager are a superset of basic dial-up networking. Connection
Manager provides support for local and remote connections by using a network
of points of presence (POPs), such as those available worldwide through ISPs.
Windows Server 2003 includes a set of tools that enable a network manager to
deliver pre-configured connections to network users. These tools are:
CPS
Connection Point Services (CPS) automatically distributes and updates custom
phone books. These phone books contain one or more Point of Presence (POP)
entries, with each POP supplying a telephone number that provides dial-up
access to an Internet access point for VPN connections. The phone books give
users complete POP information, so when they travel they can connect to
different Internet POPs rather than being restricted to a single POP.
Without the ability to update phone books (a task CPS handles automatically),
users would have to contact their organization’s technical support staff to be
informed of changes in POP information and to reconfigure their client-dialer
software. CPS has two components:
DHCP
For both PPTP and L2TP connections, the data being tunneled is a PPP frame. A
PPP connection must be established before data can be sent. The VPN server
must have IP addresses available in order to assign them to a VPN server’s
virtual interface and to VPN clients during the IP Control Protocol (IPCP)
negotiation phase that is part of the process of establishing a PPP connection.
The IP address assigned to a VPN client is also assigned to the virtual interface
of that VPN client.
For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN
clients are obtained through DHCP by default. A static IP address pool can also
be configured. DHCP is also used by remote access VPN clients to obtain
additional configuration settings after the PPP connection is established.
EAP-RADIUS
EAP-RADIUS is the passing of EAP messages of any EAP type by an authenticator
to a Remote Authentication Dial-In User Service (RADIUS) server for
authentication. For example, for a remote access server that is configured for
RADIUS authentication, the EAP messages sent between the remote access
client and remote access server are encapsulated and formatted as RADIUS
messages between the remote access server (the authenticator) and the
RADIUS server (the authenticator).
IAS
Internet Authentication Service (IAS) is the Microsoft implementation of a
RADIUS server. The VPN server can be configured to use either Windows or
RADIUS as an authentication provider. If Windows is selected as the
authentication provider, the user credentials sent by users attempting VPN
connections are authenticated using typical Windows authentication mechanisms,
and the connection attempt is authorized using local remote access policies.
RADIUS can respond to authentication requests based on its own user account
database, or it can be a front end to another database server, such as a
Structured Query Language (SQL) server or a Windows domain controller (DC).
The DC can be located on the same computer as the RADIUS server, or
elsewhere. In addition, a RADIUS proxy can be used to forward requests to a
remote RADIUS server.
The VPN server must be configured with DNS and WINS server addresses to
assign to the VPN client during IPCP negotiation. For NetBIOS name resolution,
you do not have to use WINS and can enable the NetBIOS over TCP/IP (NetBT)
proxy on the VPN server.
NAT
A network address translator (NAT) translates the IP addresses and
Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers
of packets that are forwarded between a private network and the Internet. The
NAT on the private network can also provide IP address configuration
information to the other computers on the private network.
PPTP-based VPN clients can be located behind a NAT if the NAT includes an
editor that can translate PPTP packets. PPTP-based VPN servers can be located
behind a NAT if the NAT is configured with static mappings for PPTP traffic. If
the L2TP/IPSec-based VPN clients or servers are positioned behind a NAT, both
client and server must support IPSec NAT traversal (NAT-T).
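The NAT requirements above translate into a concrete set of host-firewall rules on the VPN server and one registry setting on an L2TP/IPSec peer that sits behind a NAT. This is an added example, not code from the original document; it assumes Windows 8/Server 2012 or later for the NetSecurity cmdlets, and the rule names are placeholders.

```powershell
# Added example (not from the original document). Rule names are placeholders.

# PPTP: TCP 1723 carries the control channel; tunneled data is GRE (IP protocol 47).
# A NAT in front of the server needs a static mapping for both. GRE has no port, so
# the NAT must either have a PPTP editor or forward protocol 47 as a whole.
New-NetFirewallRule -DisplayName 'PPTP control (TCP 1723)' -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Allow
New-NetFirewallRule -DisplayName 'PPTP data (GRE 47)'      -Direction Inbound -Protocol 47 -Action Allow

# L2TP/IPSec: IKE on UDP 500, NAT-T on UDP 4500 (ESP wrapped in UDP) and, when
# there is no NAT in the path, raw ESP (IP protocol 50). L2TP itself (UDP 1701)
# is only ever seen inside the IPSec security association, so it needs no rule.
New-NetFirewallRule -DisplayName 'IKE (UDP 500)'          -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'IPsec NAT-T (UDP 4500)' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName 'IPsec ESP (50)'         -Direction Inbound -Protocol 50 -Action Allow

# Peer behind a NAT: by default Windows refuses to build an L2TP/IPSec SA to a
# peer that is itself behind NAT. 1 = allow when the server is behind NAT,
# 2 = allow when both sides are behind NAT. A reboot is required.
$pa = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
Set-ItemProperty -Path $pa -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -Type DWord

# After a client connects, confirm which negotiation actually happened
# (UDP-encapsulated quick mode means NAT-T was used).
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Opening GRE and ESP as whole protocols is unavoidable, which is one reason PPTP and L2TP/IPSec are awkward behind consumer NATs; the Windows Server 2003 era equivalent of the last two lines is netsh ipsec dynamic show mmsas and show qmsas.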
What are Conditions and Profile in RRAS Policies? Remote access policies are
an ordered set of rules that define whether remote access connection attempts
are authorized or rejected. Each rule includes one or more conditions (the
criteria the attempt is matched against), a set of profile settings (applied to
the connection once it is accepted), and a permission setting (grant or deny)
for remote access. They can be thought of as the brain of the door-keeper (the
VPN server) that admits connections to your network from outside. Remote access
policy decides who can access what resources, from where, and with which tunnel
settings, so configuring a proper set of policies is important.
How does SSL work? Secure Sockets Layer (and its successor TLS) uses two
kinds of key: the server's public/private key pair, presented in its
certificate, which the client uses to authenticate the server and to agree on a
session key; and a symmetric session key that encrypts the data once the
handshake is complete.
When an SSL digital certificate is installed on a web site, users see a padlock
icon in the browser. When an Extended Validation (EV) certificate is installed,
users of the browsers of that era (Firefox, Internet Explorer, Opera) saw a
green address bar at the URL area of the browser.
How does IPSec work? IPSec is an Internet Engineering Task Force (IETF)
standard suite of protocols (AH for authentication and integrity, ESP for
confidentiality plus integrity, and IKE for key exchange) that provides data
authentication, integrity, and confidentiality as data is transferred between
communication points across IP networks. IPSec provides data security at the IP
packet level. A packet is a data bundle that is organized for transmission
across a network, and it includes a header and a payload (the data in the
packet). IPSec emerged as a viable network security standard because enterprises
wanted to ensure that data could be securely transmitted over the Internet.
IPSec protects against possible security exposures by protecting data while in
transit.
How do I deploy IPSec for a large number of computers? Do not configure each
host by hand: define the IPSec policies in Group Policy and assign them to the
computers' organizational units, following the Microsoft guide "Server and
Domain Isolation Using IPsec and Group Policy".
Forward secrecy has been used as a synonym for perfect forward secrecy [1],
since the term perfect has been controversial in this context. However, at least
one reference [2] distinguishes perfect forward secrecy from forward secrecy
with the additional property that an agreed key will not be compromised even
if agreed keys derived from the same long-term keying material in a
subsequent run are compromised.
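The two items above (the "two keys" of SSL and forward secrecy) can be checked against a live server. The following is an added example, not code from the original document: it opens a TLS session with .NET's SslStream and reports the certificate (long-term asymmetric key), the negotiated symmetric cipher, and the key exchange, which is what decides whether a later compromise of the server's private key exposes recorded traffic. The host name is a placeholder; run it only against servers you are allowed to test.

```powershell
# Added example (not from the original document). Host name is a placeholder.
function Test-TlsKeyExchange {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Default validation callback: the certificate chain must validate, which is
        # the check behind the browser's padlock (EV status is not exposed here).
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        # Long-term asymmetric key: the server certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Key exchange: RsaKeyX means the session key was encrypted to the server's
        # RSA public key, so whoever later obtains that private key can decrypt
        # recorded sessions (no forward secrecy). DiffieHellman, or the undocumented
        # value 44550 that .NET Framework reports for ECDHE, means an ephemeral
        # exchange whose secret is discarded after the handshake.
        $kx = [int]$ssl.KeyExchangeAlgorithm
        $kxName = if ($kx -eq 44550) { 'ECDH (ephemeral)' } else { $ssl.KeyExchangeAlgorithm.ToString() }
        $rsaKx  = [System.Security.Authentication.ExchangeAlgorithmType]::RsaKeyX

        [pscustomobject]@{
            Host           = $HostName
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
            Cipher         = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"   # symmetric session key
            KeyExchange    = $kxName
            ForwardSecrecy = ($ssl.KeyExchangeAlgorithm -ne $rsaKx)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-TlsKeyExchange -HostName 'www.example.com'
```

ForwardSecrecy here answers only the first question in the text (is the session key derived from an ephemeral exchange); the stronger "perfect" property in reference [2] concerns how keys from later runs relate to one another and cannot be observed from a single handshake.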
How do I monitor IPSec? To test IPSec policies, use IP Security Monitor. On
Windows 2000 this is Ipsecmon.exe; on Windows XP and Windows Server 2003 it is
the IP Security Monitor MMC snap-in, supplemented by the netsh ipsec dynamic
show commands. It shows which IPSec policy is active and whether a secure
channel (security association) between computers has been established.
What can you do with NETSH? Netsh is a command-line scripting utility that
allows you to display, modify or script the network configuration of a running
computer, either locally or remotely.
To view help for a command, type the command, followed by a space, and
then type ?.
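The three items above (deploying IPSec, monitoring it, and netsh) come together in the netsh ipsec context of Windows XP/Server 2003 and later. The following is an added example, not from the original document or from the Microsoft isolation guide: it builds a "require ESP for all inbound traffic" server isolation policy on one host, exports it for import into a GPO, and then queries the live security associations. The policy, filter list and filter action names are placeholders chosen without spaces so that PowerShell passes them to netsh unchanged.

```powershell
# Added example (not from the original document). Names are placeholders.
$policy = 'ServerIsolationESP'

netsh ipsec static add policy name=$policy
netsh ipsec static add filterlist name=AllInboundToMe
# mirrored=yes also creates the matching outbound filter so replies are covered
netsh ipsec static add filter filterlist=AllInboundToMe srcaddr=any dstaddr=me protocol=any mirrored=yes
# inpass=no: unprotected inbound packets are dropped; soft=no: no fallback to cleartext
netsh ipsec static add filteraction name=RequireESP action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
# kerberos=yes: peers authenticate with their domain computer accounts
netsh ipsec static add rule name=InboundESP policy=$policy filterlist=AllInboundToMe filteraction=RequireESP kerberos=yes
netsh ipsec static set policy name=$policy assign=y

# For a large estate do not assign locally: export the policy and import it into a
# GPO (Computer Configuration > Windows Settings > Security Settings > IP Security
# Policies), which is how the isolation guide rolls it out to whole OUs.
netsh ipsec static exportpolicy file=C:\Temp\server-isolation.ipsec

# Monitoring (command-line successor to ipsecmon.exe)
netsh ipsec static show policy name=$policy   # what is assigned
netsh ipsec dynamic show mmsas                 # main-mode SAs: which peers authenticated
netsh ipsec dynamic show qmsas                 # quick-mode SAs: which traffic is protected
netsh ipsec dynamic show stats                 # IKE/IPSec counters, including failures
```

Assigning a require-inbound policy to a server before its clients carry a matching policy locks them out, so isolation guides stage it as request-only first and switch to require once the quick-mode SA list shows every expected client.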
* Restrict visibility – Users can view only the objects for which they have
access.
The DNS system is, in fact, its own network. If one DNS server doesn’t know
how to translate a particular domain name, it asks another one, and so on,
until the correct IP address is returned.
1. In the DHCP console, right-click the server you want to back up, and then
click Backup.
2. In the Browse For Folder dialog box, select the folder that will contain the
backup DHCP database, and then click OK.
Explain APIPA.
A Windows-based computer that is configured to use DHCP can automatically
assign itself an Internet Protocol (IP) address if a DHCP server is not available
or does not exist. The Internet Assigned Numbers Authority (IANA) has reserved
169.254.0.0/16 (169.254.0.0 to 169.254.255.255) for Automatic Private IP
Addressing (APIPA). A host holding such an address has no DHCP lease and can
reach only other APIPA hosts on the same link, so it is the first thing to check
when a client reports that it cannot reach the network.
What is the default Group Policy refresh interval?
The default refresh interval for workstations and member servers is 90
minutes, plus a random offset of up to 30 minutes so that clients do not all
query the domain controllers at once. The default refresh interval for domain
controllers is 5 minutes. Both intervals can be changed in a Group Policy object
under Administrative Templates > System > Group Policy.
You can use one of three methods to restore Active Directory from backup
media: Primary Restore, Normal Restore (non-authoritative), and Authoritative
Restore.
Primary Restore: This method rebuilds the first domain controller in a domain
when there is no other way to rebuild the domain. Perform a primary restore
only when all the domain controllers in the domain are lost and you want to
rebuild the domain from the backup. Members of the Administrators group can
perform a primary restore on a local computer. On a domain controller, only
members of the Domain Admins group can perform this restore.
Normal Restore: This method reinstates the Active Directory data to the state
it was in at the time of the backup, and then lets normal replication bring it
up to date from the other domain controllers. Perform a normal restore to
return a single domain controller to a previously known good state.
Authoritative Restore: A normal restore followed by marking selected objects
(or the whole directory) authoritative with ntdsutil, which raises their
version numbers so that the restored copy overwrites the other domain
controllers' copies instead of being overwritten by them. Use it to recover
objects whose deletion has already replicated.
How do you change the DS Restore admin password? Microsoft Windows 2000
uses the Setpwd utility to reset the DS Restore Mode password. In Microsoft
Windows Server 2003, that functionality has been integrated into the NTDSUTIL
tool. Note that you cannot use the procedure if the target server is running in
DSRM.
How can you forcibly remove AD from a server? Run dcpromo /forceremoval on the
server, then clean up its leftover metadata on a remaining domain controller
with ntdsutil.
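The three preceding items (resetting the DSRM password, the restore modes, and forced removal) are all driven through ntdsutil. This is an added example, not from the original document; the OU distinguished name, server names and site name are placeholders. The multi-word ntdsutil arguments are passed as separate quoted strings so that PowerShell hands each one to ntdsutil intact.

```powershell
# Added example (not from the original document). DNs and server names are placeholders.

# 1. Reset the Directory Services Restore Mode password on the local DC.
#    Must be run while the DC is booted normally (not in DSRM); prompts twice.
ntdsutil "set dsrm password" "reset password on server null" q q

# 2. Authoritative restore of one deleted OU. Order of operations: boot into DSRM,
#    perform a normal (non-authoritative) system state restore, then, before
#    rebooting, mark the subtree authoritative so its version numbers are raised
#    and it wins replication against the deletion already on the other DCs.
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example" q q

# 3. Forcibly demote a DC that can no longer replicate. This does nothing on the
#    other DCs, so follow it with metadata cleanup from a healthy DC; otherwise the
#    KCC keeps trying to build replication links to a DC that no longer exists.
dcpromo /forceremoval
ntdsutil "metadata cleanup" "remove selected server CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example" q q

# Verify: the removed DC should no longer appear as a replication partner.
repadmin /showrepl
```

The "remove selected server" form takes the server's full distinguished name and works on Windows Server 2003 SP1 and later; the older interactive form (select operation target, then remove selected server) does the same job with more prompts.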
What is the SYSVOL folder? The sysvol folder stores the server’s copy of the
domain’s public files. The contents such as group policy, users etc of the sysvol
folder are replicated to all domain controllers in the domain. The sysvol folder
must be located on an NTFS volume
What happens if the DNS server fails? Clients can no longer resolve host names,
and in particular cannot resolve the SRV records that locate domain
controllers, so domain logons, Kerberos ticket requests, Group Policy processing
and replication between domain controllers that depend on that server all begin
to fail.
How can you restrict running certain applications on a machine? The Group
Policy Object Editor and the Software Restriction Policies extension of Group
Policy Object Editor are used to restrict running certain applications on a
machine. For Windows XP computers that are not participating in a domain,
you can use the Local Security Settings snap-in to access Software Restriction
Policies.
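What the Software Restriction Policies editor writes is a set of registry keys, and seeing them makes the policy's structure clear. The following is an added example, not code from the original document: it creates a Disallowed path rule and an Unrestricted path rule directly in the registry, which is the same data the Group Policy Object Editor produces under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. The folder and share paths are example choices.

```powershell
# Added example (not from the original document). Paths are example choices.
# Level values used by SRP: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# Default level stays Unrestricted (a deny-by-default allow-list would set 0 here
# and add explicit Unrestricted rules for every trusted location).
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord  # 1 = all software files except DLLs
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord  # 0 = all users, 1 = all except local admins

function Add-SaferPathRule {
    param([string]$Path, [ValidateSet('Disallowed','BasicUser','Unrestricted')][string]$Level)
    # Rules live under CodeIdentifiers\<level in decimal>\Paths\{GUID}
    $levelKey = @{ Disallowed = '0'; BasicUser = '131072'; Unrestricted = '262144' }[$Level]
    $ruleKey  = Join-Path $base "$levelKey\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description' -Value "Added by script: $Level $Path" -Type String
    return $ruleKey
}

# Block execution from each user's Downloads folder; trust a managed tools share.
Add-SaferPathRule -Path '%USERPROFILE%\Downloads' -Level Disallowed
Add-SaferPathRule -Path '\\fileserver\tools'      -Level Unrestricted

# Apply and list what is now in force (a domain GPO with SRP settings overrides this).
gpupdate /force
Get-ChildItem "$base\0\Paths", "$base\262144\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object ItemData, Description }
```

Path rules are only as strong as the user's inability to copy the file elsewhere; for a real allow-list, set DefaultLevel to 0 and rely on certificate or hash rules for anything outside Program Files and Windows.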
How do you map a home folder through AD? Open the domain user's properties
and, on the Profile tab, set the home folder to a UNC path in the format
\\servername\sharename.
Explain Quotas. Disk quota is an NTFS feature that restricts or tracks the disk
usage of ordinary users. It is applied per user, per volume. It is disabled by
default and administrative privilege is required to enable it. Windows Server
2003 can limit only whole volumes, whereas Windows Server 2008 (through File
Server Resource Manager) can establish quotas at folder level.
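The per-user, per-volume quota described above has a command-line form in fsutil, which ships with Windows XP/Server 2003 and later. This is an added example, not from the original document; the volume, user name and sizes are placeholders.

```powershell
# Added example (not from the original document). Volume and user are placeholders.
$volume = 'D:'
$warn   = 900MB     # PowerShell expands the size suffix to a byte count for fsutil
$limit  = 1GB

fsutil quota track   $volume     # enable quota tracking: usage is recorded and events logged
fsutil quota enforce $volume     # deny further disk space once a user's limit is reached

# fsutil quota modify <volume> <warning threshold bytes> <hard limit bytes> <user>
fsutil quota modify $volume $warn $limit CORP\alice

fsutil quota query $volume       # per-user usage, thresholds and limits on the volume
fsutil quota violations          # scans the event logs for threshold/limit events

# The same data through WMI, filtered to users over their warning threshold
# (Status: 0 = OK, 1 = warning, 2 = limit exceeded).
Get-CimInstance Win32_DiskQuota |
    Where-Object Status -ne 0 |
    Select-Object DiskSpaceUsed, WarningLimit, Limit, Status
```

Quotas count bytes owned by the user on that volume, so files copied by an administrator and then handed over stay charged to the administrator until ownership is taken; that is the usual reason a "full" quota does not match what the user can see.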
* Normal Backup: the default. Backs up all selected files regardless of whether
they were backed up before, and clears the archive bit on each file.
* Incremental Backup: backs up only files that have changed since the last
normal or incremental backup, and clears the archive bit. Restoring needs the
last normal backup plus every incremental since it, in order.
* Differential Backup: backs up files changed since the last normal backup but
does not clear the archive bit, so each differential set grows until the next
normal backup. Restoring needs only the last normal backup plus the last
differential.
* Copy Backup: backs up all selected files like a normal backup but leaves the
archive bits untouched, so it does not disturb the incremental or differential
chain. Use it for ad hoc backups, for example before a change.
* Daily Backup: backs up only files created or modified on that day, without
changing archive bits.
* System State Backup: backs up the boot files, the COM+ class registration
database and the registry; on a domain controller it also includes the Active
Directory database and SYSVOL.
* ASR Backup: backs up the entire boot partition, including the OS and user
data, together with the disk configuration. This should be the last
troubleshooting method for recovering an OS from a disaster.
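The archive-bit behaviour that distinguishes these types is selected with the /M switch of ntbackup (Windows 2000/XP/Server 2003). The following is an added example, not from the original document: one schedule built from each backup type plus a system state set. The selection file, job names and destination paths are placeholders; the .bks file is a selection list saved from the Backup GUI.

```powershell
# Added example (not from the original document). Paths and job names are placeholders.
$bks  = 'C:\Backup\data.bks'    # selection list saved from the Backup GUI
$dest = 'E:\Backups'

# Sunday: normal (full). Everything selected, archive bits cleared, verified.
ntbackup backup "@$bks" /j "Weekly full" /m normal /f "$dest\full.bkf" /v:yes

# Weekday option A: incremental. Only files changed since the last normal OR
# incremental; archive bits cleared. Restore = full + every incremental in order.
ntbackup backup "@$bks" /j "Daily incremental" /m incremental /f "$dest\incr.bkf"

# Weekday option B: differential. Files changed since the last NORMAL backup;
# archive bits left set, so each set grows. Restore = full + last differential.
ntbackup backup "@$bks" /j "Daily differential" /m differential /f "$dest\diff.bkf"

# Ad hoc copy before a change: like normal but archive bits untouched, so the
# incremental/differential chain is not broken.
ntbackup backup "@$bks" /j "Pre-change copy" /m copy /f "$dest\copy.bkf"

# Daily: only files modified today, archive bits untouched.
ntbackup backup "@$bks" /j "Today" /m daily /f "$dest\daily.bkf"

# System state (registry, boot files, COM+ class registration database and, on a
# DC, Active Directory and SYSVOL). Always a complete set; /m has no effect on it.
ntbackup backup systemstate /j "System state" /f "$dest\systemstate.bkf"
```

Keep the system state set off the server's own system volume: restoring Active Directory in DSRM needs a backup younger than the tombstone lifetime, and a backup on a disk that died with the server is no backup.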
Specify the port numbers for AD, DNS, DHCP, HTTP, HTTPS, SMTP, POP3 and
FTP
AD: LDAP on TCP/UDP 389 (Global Catalog on TCP 3268), Kerberos on TCP/UDP 88
and the RPC endpoint mapper on TCP 135; DNS: 53 (UDP and TCP); DHCP: UDP 67
(server) and 68 (client); HTTP: 80; HTTPS: 443; SMTP: 25; POP3: 110; FTP: 21
(control) and 20 (active-mode data).
What connector type would you use to connect to the Internet, and what
are the two methods of sending mail over that connector?
SMTP Connector: Forward to smart host or use DNS to route to each address
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and
Global Catalog?
- 25 SMTP
- 110 POP3
- 143 IMAP4
- 135 RPC endpoint mapper
- 389 LDAP
- 636 LDAP over SSL
- 3268 Global Catalog
- 465 SMTP over SSL
- 993 IMAP4 over SSL
- 563 NNTP over SSL
- 53 DNS
- 80 HTTP
- 88 Kerberos
- 119 NNTP
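The port lists above are what a firewall between clients and a domain controller or mail server has to let through, and the quickest way to find out what it actually lets through is to test each port. This is an added example, not from the original document: it connects to every TCP port in the list with a short timeout and reports which answer. It goes slightly beyond the page's list by adding POP3 over SSL (995) and Global Catalog over SSL (3269). Only TCP can be tested this way: DNS, DHCP and Kerberos also use UDP, which a connect test cannot see. The target host name is a placeholder; test only hosts you are responsible for.

```powershell
# Added example (not from the original document). Host name is a placeholder.
$ports = [ordered]@{
    'SMTP' = 25; 'DNS' = 53; 'HTTP' = 80; 'Kerberos' = 88; 'POP3' = 110; 'NNTP' = 119
    'RPC endpoint mapper' = 135; 'IMAP4' = 143; 'LDAP' = 389; 'HTTPS' = 443
    'SMTP/SSL' = 465; 'NNTP/SSL' = 563; 'LDAP/SSL' = 636; 'IMAP4/SSL' = 993; 'POP3/SSL' = 995
    'Global Catalog' = 3268; 'Global Catalog/SSL' = 3269
}

function Test-ServicePorts {
    param([string]$ComputerName, [System.Collections.IDictionary]$Ports, [int]$TimeoutMs = 1000)
    foreach ($entry in $Ports.GetEnumerator()) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a silently filtered port fails after the timeout
            # instead of hanging for the TCP default.
            $async = $client.BeginConnect($ComputerName, $entry.Value, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Open = $open }
    }
}

Test-ServicePorts -ComputerName 'dc1.corp.example' -Ports $ports | Format-Table -AutoSize
```

An "Open" result on 389 but not 636 or 3269 is worth noticing: it means directory traffic is crossing that firewall without TLS unless clients sign and seal LDAP themselves.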
What is the use of NNTP with Exchange? NNTP (Network News Transfer Protocol)
gives newsreader clients access to Exchange public folders as newsgroups.
Disaster Recovery Plan? Deals with the restoration of computer systems, with
all attendant software and connections, to full functionality under a variety
of damaging or interfering external conditions.
What would a rise in remote queue length generally indicate? This means
mail is not being sent to other servers. This can be explained by outages or
performance issues with the network or remote servers.
What would a rise in the Local Delivery queue generally mean? This indicates
a performance issue or outage on the local server. Reasons could be slowness
in consulting AD, slowness in handing messages off to local delivery or SMTP
delivery. It could also be databases being dismounted or a lack of disk space.
What are the disadvantages of circular logging? In the event of a corrupt
database, data can only be restored to the last backup.
What is the maximum storage capacity for the Exchange Standard Edition
database, and what would you do if it reached that capacity? 16 GB. Once the
store dismounts at the 16 GB limit, the only way to mount it again is the
temporary registry setting that extends the limit to 17 GB, and even that is a
stop-gap. If you apply Exchange 2003 SP2 to a Standard Edition server, the
database size limit is initially increased to 18 GB. You can then change this
figure to any value up to 75 GB, but note that 18 GB is the default setting.
The setting lives under the store's key. For a mailbox store it is
HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Private-
{GUID}; it therefore follows that for a public store you work in
HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Public-
{GUID}.
Under the relevant database key, create a REG_DWORD value named Database Size
Limit in GB and set its data to the maximum size in gigabytes that the database
is allowed to grow to. For the Standard Edition of Exchange you can enter
numbers between 1 and 75. For the Enterprise Edition you can enter numbers
between 1 and 8000: yes, between 1 GB and 8000 GB, or 8 TB. Therefore, even if
you are running the Enterprise Edition of Exchange, you can still enforce an
overall database size limit of, say, 150 GB if you so desire.
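Setting that value from a script avoids typing a store GUID by hand. The following is an added example, not from the original document: it lists the store keys under the server's MSExchangeIS key, sets the documented Database Size Limit in GB value on the chosen store, and sets the optional warning threshold. The server name and store GUID are placeholders to be replaced with your own.

```powershell
# Added example (not from the original document). Server name and GUID are placeholders.
$server    = 'EXCH01'
$isKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$server"

# Enumerate the Private-/Public- store keys instead of guessing the GUID.
Get-ChildItem $isKey |
    Where-Object { $_.PSChildName -like 'Private-*' -or $_.PSChildName -like 'Public-*' } |
    Select-Object PSChildName

$storeGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder: pick one from the list above
$key = "$isKey\Private-$storeGuid"

# Standard Edition: 1..75 GB; Enterprise Edition: 1..8000 GB.
Set-ItemProperty -Path $key -Name 'Database Size Limit in GB' -Value 50 -Type DWord
# Warning threshold as a percentage of the limit (default 10): an event is logged
# once the database is within that margin of the limit.
Set-ItemProperty -Path $key -Name 'Database Size Buffer Warning Threshold' -Value 10 -Type DWord

Get-ItemProperty -Path $key |
    Select-Object 'Database Size Limit in GB', 'Database Size Buffer Warning Threshold'

# The store re-reads the value at its daily size check; dismount and remount the
# store to apply the new limit immediately.
```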
Non-text elements are encoded by the sender of the message and decoded by
the recipient (MIME). Non-ASCII text is usually encoded as quoted-printable;
binary data is typically Base64-encoded.
List the services of Exchange Server 2003? There are several services
involved with Exchange Server, and stopping different services will accomplish
different things. The services are interdependent, so when you stop or start
various services you may see a message about having to stop dependent
services. If you do stop dependent services, don’t forget to restart them again
when you restart the service that you began with.
To shut down Exchange completely on a given machine, you need to stop all of
the following services:
Microsoft Exchange Routing Engine (RESvc):-This service is used for routing and
topology information for routing SMTP based messages. This service is started
by default.
Microsoft Exchange System Attendant (MSExchangeSA):-This service handles
various cleanup and monitoring functions. One of the most important functions
of the System Attendant is the Recipient Update Service (RUS), which is
responsible for mapping attributes in Active Directory to the Exchange
subsystem and enforcing recipient policies. When you create a mailbox for a
user, you simply set some attributes on a user object. The RUS takes that
information and does all of the work in the background with Exchange to really
make the mailbox. If you mailbox-enable or mail-enable objects and they don't
seem to work, the RUS is one of the first places to look for the problem. If
you need to enable diagnostics for the RUS, the parameters are maintained in a
separate service registry entry called MSExchangeAL. This isn't a real
service; it is simply the location supplied for modifying RUS behaviour. The
System Attendant service is started by default.
How can you recover a deleted mail box? In Exchange, if you delete a
mailbox, it is disconnected for a default period of 30 days (the mailbox
retention period), and you can reconnect it at any point during that time.
Deleting a mailbox does not mean that it is permanently deleted (or purged)
from the information store database right away, only that it is flagged for
deletion. At the end of the mailbox retention period, the mailbox is
permanently deleted from the database. You can also permanently delete the
mailbox by choosing to purge it at any time.
This also means that if you mistakenly delete a mail-enabled user account, you
can recreate that user object, and then reconnect that mailbox during the
mailbox retention period.
Until it is reconnected, a deleted mailbox stays flagged for deletion and is
permanently deleted at the end of the mailbox retention period. Configure the
retention period at the mailbox store object level:
1. In Exchange System Manager, open the properties of the mailbox store.
2. On the Limits tab, change the Keep deleted mailboxes for (days) default
setting of 30 to the number of days you want.
3. Click OK.
To reconnect a disconnected mailbox:
1. In Exchange System Manager, locate the mailbox store that contains the
disconnected mailbox (if a just-deleted mailbox does not yet show the
disconnected icon, right-click Mailboxes and run the Cleanup Agent first).
2. Right-click the disconnected mailbox, click Reconnect, and then select the
appropriate user from the dialog box that appears.
3. Click OK.
Note: only one user may be connected to a mailbox, because the mailbox GUID
must be unique across the entire forest.
If you have deleted a user and then recreated the same user, how do you give
the new account access to the previous mailbox? Reconnect the deleted user's
mailbox to the recreated user, provided the recreated user does not already
have a mailbox:
1. In Active Directory Users and Computers, create the new user object. When
you create it, click to clear the Create an Exchange Mailbox check box.
2. In Exchange System Manager, reconnect the disconnected mailbox to the new
user as described above.
Which protocol is used for public folders? Clients reach public folders over
MAPI (Outlook), IMAP4 and NNTP (newsreaders). SMTP is what actually carries
mail into mail-enabled public folders and replicates public folder content
between servers.
IIS
Automatic Process Recycling: IIS 6.0 automatically stops and restarts faulty
Web sites and applications based on a flexible set of criteria, including CPU
utilization and memory consumption, while queuing requests so that clients do
not see an outage.
Edit-While-Running: the IIS 6.0 metabase is stored as XML (MetaBase.xml) and,
with direct metabase edit enabled, can be edited in a text editor while IIS is
running; changes are picked up without restarting the service.
Difference between PDC & BDC: the PDC holds the writable copy of the SAM
database, whereas a BDC holds a read-only copy. Without the PDC it is not
possible to reset a password or create objects in Windows NT.
What is DNS & WINS? DNS (Domain Name System) resolves host names to IP
addresses using fully qualified domain names; it is the Internet standard for
host name resolution. WINS (Windows Internet Name Service) resolves NetBIOS
computer names to IP addresses for legacy Windows clients and applications.
What is the process by which DHCP gives an IP address to a client? Four
messages, often abbreviated DORA: the client broadcasts a DHCPDISCOVER, a
server answers with a DHCPOFFER, the client broadcasts a DHCPREQUEST for the
offered address, and the server confirms the lease with a DHCPACK.
What are the port numbers for FTP, Telnet, HTTP, DNS FTP-21, Telnet – 23,
HTTP-80, DNS-53, Kerberos-88, LDAP- 389
What are the database files used for Active Directory? The key AD database
files are ntds.dit (the database), edb.log (the current transaction log),
res1.log and res2.log (reserved log space) and edb.chk (the checkpoint), all
of which reside in %systemroot%\ntds on a domain controller (DC) by default.
During AD installation, Dcpromo lets you specify alternative locations for the
log files and for the database file NTDS.DIT.
What is the use of Terminal Services? Terminal Services can run in Remote
Administration mode, to administer the server remotely, or in Application
Server mode, to run an application on one server that users log on to in order
to use it.
How do you monitor replication? Use the Replmon tool from the Support Tools, or
the repadmin command-line tool.
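Replmon's icons are a graphical view of what repadmin prints; repadmin is easier to script and to run from a remote session. The following is an added example, not from the original document: it summarizes replication health, parses the CSV form of repadmin /showrepl to list only failing partnerships, and forces one replication. repadmin is in the Support Tools on Windows Server 2003 and built in from 2008; the DC names and naming context are placeholders.

```powershell
# Added example (not from the original document). DC names and DN are placeholders.

repadmin /replsummary           # one line per DC: largest delta, failures / total links

# The CSV form of /showrepl lists every inbound partnership of every DC in the
# forest; keep only the ones that have failed at least once.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failing |
    Select-Object 'Destination DSA', 'Naming Context', 'Source DSA',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# Force a sync of one naming context from a given partner, then re-check.
# repadmin /replicate <destination DC> <source DC> <naming context>
repadmin /replicate DC2 DC1 "DC=corp,DC=example"
repadmin /showrepl DC2 /verbose
```

Quote the naming context as shown: without the quotes PowerShell splits "DC=corp,DC=example" at the comma and passes two arguments.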
• Normal Backup
• Incremental Backup
• Differential Backup
• Daily Backup
• Copy Backup
• 1.Configuration partition
• 2. Schema Partition
• 3. Domain partition
• 4. Application Partition (only in windows 2003 not available in windows
2000)
What are the port numbers for Kerberos, LDAP and Global Catalog? Kerberos
– 88, LDAP – 389, Global Catalog – 3268
What problems are commonly encountered with DHCP? The scope is full, so no IP
addresses are available for new machines; scope options are not configured
properly (for example the default gateway); scopes are created incorrectly
(wrong range, exclusions or subnet mask); or the DHCP server is not authorized
in Active Directory and so refuses to serve clients.
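Both the console backup procedure described earlier and these common problems have netsh dhcp equivalents, which is convenient on a server you are reaching over a remote shell. This is an added example, not from the original document; netsh dhcp is available on Windows Server 2003 and later, and the scope address and backup paths are placeholders.

```powershell
# Added example (not from the original document). Scope and paths are placeholders.

# Backup: the command-line equivalent of the console's Backup action writes the
# database to a folder; export writes a single portable file usable on another server.
netsh dhcp server backup C:\Backup\dhcp
netsh dhcp server export C:\Backup\dhcp-export.txt all

# Scope exhaustion: mibinfo shows addresses in use and free, per scope.
netsh dhcp server show mibinfo

# Wrong or missing options (003 = default gateway, 006 = DNS servers):
# compare server-wide values with the per-scope overrides.
netsh dhcp server show optionvalue all
netsh dhcp server scope 10.0.1.0 show optionvalue
netsh dhcp server scope 10.0.1.0 show state      # active or inactive scope

# Authorization: an unauthorized server in an AD domain stops serving.
netsh dhcp show server
```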
What is TTL & how to set TTL time in DNS TTL is Time to Live setting used for
the amount of time that the record should remain in cache when name
resolution happened. We can set TTL in SOA (start of authority record) of DNS.
What is RIS and what are its requirements? RIS is Remote Installation
Services, used to install an operating system remotely.
Client requirements
Software Requirements
• The following network services must be active on the RIS server or on
another server in the network:
• Domain Name System (DNS service)
• Dynamic Host Configuration Protocol (DHCP)
• Active Directory directory service
What are the FSMO roles? Flexible single master operation (FSMO) roles are:
Domain Naming Master and Schema Master, which are forest-level roles; and PDC
Emulator, Infrastructure Master and RID Master, which are domain-level roles.
The first server in the forest holds all five roles by default; they can be
transferred later.
PDC Emulator: the server performing this role acts as a PDC in mixed mode to
synchronize directory information between Windows 2000 DCs and Windows NT
BDCs. Password changes are replicated to it preferentially, so it holds the
latest password information, and the PDC Emulator of the forest root domain is
the authoritative time source for the forest.
Infrastructure Master: responsible for keeping references to objects in other
domains up to date (for example group memberships that include users from
another domain), refreshing the DN and SID of a referenced object when it is
renamed or moved.
RID Master: the server performing this role allocates pools of relative
identifiers (RIDs) to the other domain controllers in the domain. An object's
SID is the domain SID followed by a RID: object SID = domain SID + RID, where
the domain SID is common to all objects in the domain and the RID is unique for
each object within it.
Through the MMC: the Domain Naming Master role is managed in Active Directory
Domains and Trusts, the Schema Master in the Active Directory Schema snap-in,
and the other three roles in Active Directory Users and Computers.
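The FSMO list and the SID = domain SID + RID relation above are both things you can check on the command line. This is an added example, not from the original document: it queries the role holders with netdom (Support Tools on Windows Server 2003, built in later) and then takes a SID apart and builds one with the .NET SecurityIdentifier class. The domain SID used is constructed for illustration, so the SID part runs on any Windows host.

```powershell
# Added example (not from the original document). The domain SID is constructed.

netdom query fsmo      # holders of the 2 forest-wide and 3 domain-wide roles

# Object SID = domain SID + RID. The RID master hands each DC a pool so that no
# two DCs ever mint the same RID. Well-known RIDs are fixed: 500 Administrator,
# 501 Guest, 512 Domain Admins, 513 Domain Users, 519 Enterprise Admins.
function Split-Sid {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $rid = [int]($SidString -split '-')[-1]
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value   # $null for SIDs that are not domain SIDs
        Rid       = $rid
        WellKnown = $rid -lt 1000                 # RIDs below 1000 are reserved built-ins
    }
}
function New-DomainSid {
    param([string]$DomainSid, [int]$Rid)
    New-Object System.Security.Principal.SecurityIdentifier("$DomainSid-$Rid")
}

$domainSid = 'S-1-5-21-3623811015-3361044348-30300820'     # constructed example
Split-Sid "$domainSid-1013"                                  # an ordinary user account
$admin = New-DomainSid -DomainSid $domainSid -Rid 500       # the built-in Administrator
$admin.Value

# On a domain-joined host, resolve a real SID to its account name (and back):
# $admin.Translate([System.Security.Principal.NTAccount])
```

Renaming the Administrator account does not change its RID, which is why attackers and auditors alike look for RID 500 rather than the name.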
How do you deploy patches, and what software is used for this process? Using a
SUS (Software Update Services) server we can deploy patches to all clients in
the network. On the server, configure the "Synchronize with Microsoft software
update server" option and schedule a time to synchronize, then approve each new
update as required; only approved updates are deployed to clients. Clients are
pointed at the SUS server either by editing the registry manually or through
Group Policy, by adding the WUAU administrative template to a GPO.
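The registry values that the WUAU administrative template writes are the same ones you would set by hand on a client outside the domain. This is an added example, not from the original document; the SUS server URL is a placeholder.

```powershell
# Added example (not from the original document). Server URL is a placeholder.
# SUS served update metadata over plain HTTP: clients still verify Microsoft's
# signature on each package, but an attacker on the path can withhold or replay
# approvals, so keep the SUS server and its clients on a trusted network.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

Set-ItemProperty -Path $wu -Name 'WUServer'       -Value 'http://sus01.corp.example' -Type String
Set-ItemProperty -Path $wu -Name 'WUStatusServer' -Value 'http://sus01.corp.example' -Type String

Set-ItemProperty -Path $au -Name 'UseWUServer'          -Value 1 -Type DWord  # use the intranet server, not Microsoft
Set-ItemProperty -Path $au -Name 'NoAutoUpdate'         -Value 0 -Type DWord  # Automatic Updates enabled
Set-ItemProperty -Path $au -Name 'AUOptions'            -Value 4 -Type DWord  # 4 = download and install on schedule
Set-ItemProperty -Path $au -Name 'ScheduledInstallDay'  -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $au -Name 'ScheduledInstallTime' -Value 3 -Type DWord  # 03:00

# Make the client contact the server now, then confirm what it is configured to use.
wuauclt /detectnow
Get-ItemProperty $wu, $au | Format-List WUServer, WUStatusServer, UseWUServer, AUOptions
```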
NLB (Network Load Balancing) clusters balance load between servers. NLB stops
sending traffic to a host that fails, but it does not fail over application
state or data, so it is not high availability in the server-cluster sense. It
is usually preferred at edge servers such as web or proxy servers.
Quorum: shared storage provided to all nodes of a server cluster that holds
the cluster configuration and the state of clustered applications and sessions,
which a surviving node reads in a failover. It is critical: if the quorum disk
fails, the entire cluster fails.
Is it possible to rename the domain, and how? In Windows 2000 it is not
possible. In Windows Server 2003 it is possible, provided the forest is at the
Windows Server 2003 functional level, using the Domain Rename tool
(rendom.exe) run from a member computer; it is not done from My Computer
properties on a domain controller.
What is SOA Record SOA is a Start of Authority record, which is a first record
in DNS, which controls the startup behavior of DNS. We can configure TTL,
refresh, and retry intervals in this record.
What is a Stub zone and what is the use of it. Stub zones are a new feature of
DNS in Windows Server 2003 that can be used to streamline name resolution,
especially in a split namespace scenario. They also help reduce the amount of
DNS traffic on your network, making DNS more efficient especially over slow
WAN links.
What is ASR (Automated System Recovery) and how to implement it? ASR is a
two-part system; it includes ASR backup and ASR restore. The ASR Wizard,
located in Backup, does the backup portion. The wizard backs up the system
state, system services, and all the disks that are associated with the operating
system components. ASR also creates a file that contains information about the
backup, the disk configurations (including basic and dynamic volumes), and
how to perform a restore.
You can access the restore portion by pressing F2 when prompted in the text-
mode portion of setup. ASR reads the disk configurations from the file that it
creates. It restores all the disk signatures, volumes, and partitions on (at a
minimum) the disks that you need to start the computer. ASR will try to restore
all the disk configurations, but under some circumstances it might not be able
to. ASR then installs a simple installation of Windows and automatically starts a
restoration using the backup created by the ASR Wizard.
What are the different levels that we can apply Group Policy? We can apply
group policy at SITE level—Domain Level—OU level
What is Domain Policy, Domain Controller Policy, Local Policy and Group
Policy? The Default Domain Policy applies to all computers in the domain,
because by default it is linked at the domain level. The Default Domain
Controllers Policy applies only to domain controllers, because by default it is
linked to the Domain Controllers OU. Local policy is stored on a single machine
and affects that computer only; it is applied first and is overridden by site,
domain and OU Group Policy objects.
What is the use of SYSVOL FOLDER? Policies and scripts saved in SYSVOL
folder will be replicated to all domain controllers in the domain. FRS (File
replication service) is responsible for replicating all policies and scripts.
What is folder redirection? Folder Redirection is a user-side Group Policy
setting. Once you create the GPO and link it to the appropriate site, domain or
OU, an administrator can designate which folders to redirect and where. To do
this, the administrator navigates to the following location in the Group Policy
Object:
In the Properties of the folder, you can choose Basic or Advanced folder
redirection and you can designate the server file system path to which the
folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus
allowing the system to dynamically create a newly redirected folder for each
user to whom the policy object applies
Features of Windows 2003
Internet Information Services 6.0 (not installed by default): highly secured
and locked down by default, with a new architectural model that includes
worker process isolation and a metabase stored in XML format.
Saved Queries: Active Directory Users and Computers now includes a new node
named Saved Queries, which allows an administrator to create a number of
predefined queries that are saved for future access.
Group Policy Management Console (GPMC) is a new tool for managing Group Policy
in Windows Server 2003. While Group Policy related elements have typically been
found across a range of tools, such as Active Directory Users And Computers,
the Group Policy MMC snap-in, and others, GPMC acts as a single consolidated
environment for carrying out Group Policy related tasks.
Resultant Set of Policy (RSoP): with the RSoP tool, the administrator can
generate a query that processes all the applicable Group Policy settings for a
user on the local computer or another computer on the network. After
processing the query, RSoP presents the exact Group Policy settings that apply
to that user, as well as the source Group Policy object responsible for each
setting.
Distributed File System: DFS is enhanced for Windows Server 2003, Enterprise
Edition and Windows Server, Datacenter Edition by allowing multiple DFS roots
on a single server. You can use this feature to host multiple DFS roots on a
single server, reducing administrative and hardware costs of managing multiple
namespaces and multiple replicated namespaces.
Improvements in Clustering:
In Datacenter Edition, the maximum supported cluster size has been increased
from 4 nodes in Windows 2000 to 8 nodes in Windows Server 2003.
In Enterprise Edition, the maximum supported cluster size has been increased
from 2 nodes in Windows 2000 Advanced Server to 8 nodes in Windows Server
2003.
Server clusters are fully supported on computers running the 64-bit versions of
Windows Server 2003. Windows Server 2003 supports Encrypting File System
(EFS) on clustered (shared) disks.
Internet Connection Firewall (ICF): ICF, designed for use in a small business,
provides basic protection on computers directly connected to the Internet or
on local area network (LAN) segments. ICF is available for LAN, dial-up, VPN, or
PPPoE connections. ICF integrates with ICS or with the Routing and Remote
Access service.
Open File Backup: The backup utility included with Windows Server 2003 now
supports “open file backup”. In Windows 2000, files had to be closed before
initiating backup operations. Backup now uses shadow copies to ensure that
any open files being accessed by users are also backed up (some registry keys
need to be modified).
Stub Zones: Stub zones were introduced in Windows 2003 DNS. A stub zone is like
a secondary zone in that it obtains its resource records from other name
servers (one or more master name servers). A stub zone is also read-only like a
secondary zone, so administrators can’t manually add, remove, or modify
resource records on it. The difference is that while secondary zones contain
copies of all the resource records in the corresponding zone on the master name
server, stub zones contain only three kinds of resource records:
a. A copy of the SOA record for the zone.
b. Copies of NS records for all name servers authoritative for the zone.
c. Copies of (glue) A records for all name servers authoritative for the zone.
That’s it: no CNAME records, MX records, SRV records, or A records for other
hosts in the zone. So while a secondary zone can be quite large for a big
company’s network, a stub zone is always very small, just a few records. This
means replicating zone information from master to stub zone adds almost no
DNS traffic to your network, as the records for name servers rarely change
unless you decommission an old name server or deploy a new one.
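As an added illustration (not part of the original document), the following Python code derives the three record kinds of a stub zone from a full copy of a zone. It generalizes the rule slightly: glue A records are kept only for name servers whose names lie inside the zone, since out-of-zone name servers carry no glue. The zone data is constructed.

```python
# Added example, not from the original document: derive the records a stub
# zone holds from a full copy of a zone. The zone below is constructed data.
from typing import List, Tuple

# A resource record as (owner name, type, rdata), names in absolute form.
Record = Tuple[str, str, str]

FULL_ZONE: List[Record] = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "NS", "ns.provider.net."),      # out-of-zone name server
    ("example.com.", "MX", "10 mail.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "A", "192.0.2.2"),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "CNAME", "web.example.com."),
    ("web.example.com.", "A", "192.0.2.20"),
    ("_ldap._tcp.example.com.", "SRV", "0 100 389 dc1.example.com."),
    ("dc1.example.com.", "A", "192.0.2.30"),
]


def stub_zone_records(zone_name: str, full_zone: List[Record]) -> List[Record]:
    """Keep only what a stub zone holds: the apex SOA, the apex NS records and
    the A (glue) records of the in-zone name servers those NS records name."""
    apex = zone_name.lower()
    soa = [r for r in full_zone if r[0].lower() == apex and r[1] == "SOA"]
    ns = [r for r in full_zone if r[0].lower() == apex and r[1] == "NS"]
    # Glue is only needed (and only present) for name servers inside the zone;
    # ns.provider.net. above is resolved through normal recursion instead.
    in_zone_ns = {r[2].lower() for r in ns if r[2].lower().endswith("." + apex)}
    glue = [r for r in full_zone if r[1] == "A" and r[0].lower() in in_zone_ns]
    return soa + ns + glue


def record_counts(zone_name: str, full_zone: List[Record]) -> Tuple[int, int]:
    """(stub zone size, full zone size): the size difference the text describes."""
    return len(stub_zone_records(zone_name, full_zone)), len(full_zone)


if __name__ == "__main__":
    for owner, rtype, rdata in stub_zone_records("example.com.", FULL_ZONE):
        print(f"{owner:28} IN {rtype:5} {rdata}")
```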
Difference between NT & 2000
In Windows NT only the PDC has a writable copy of the SAM database; the BDC has
a read-only copy. In Windows 2000 both the DC and the ADC have a writable copy
of the database.
Windows NT does not support the FAT32 file system. Windows 2000 supports FAT32.
The default authentication protocol in NT is NTLM (NT LAN Manager). In Windows
2000 the default authentication protocol is Kerberos V5.
Difference between PDC & BDC: The PDC contains a writable copy of the SAM
database, whereas the BDC contains a read-only copy of the SAM database. It is
not possible to reset a password without the PDC in Windows NT, but both can
participate in user authentication. If the PDC fails, you have to manually
promote a BDC to PDC from Server Manager.
What is DNS & WINS? DNS is the Domain Naming System/Server, used to resolve
host names to IP addresses and also IP addresses to host names. It uses fully
qualified domain names. DNS is an Internet standard used to resolve host names.
It supports up to 256 characters.
If the DHCP server is not available, what happens to the client? The first
time a client tries to get an IP address from a DHCP server and no DHCP server
is found, the client takes an IP address from the APIPA (Automatic Private IP
Addressing) range 169.254.0.0-169.254.255.255. If the client already got an IP
address and has a lease duration, it uses that IP until the lease duration
expires.
Windows Server 2003 Active Directory supports the following types of trust
relationships:
Tree-root trust: Tree-root trust relationships are automatically established
when you add a new tree root domain to an existing forest. This trust
relationship is transitive and two-way.
By default, implicit two-way transitive trust relationships are established
between all domains in a Windows 2000/2003 forest.
What is the process of DHCP for getting the IP address to the client?
NACK: If the client does not get the IP address after the server has given an
offer, the server sends a Negative Acknowledgement.
A volume is a storage unit made from free space on one or more disks. It can
be formatted with a file system and assigned a drive letter. Volumes on
dynamic disks can have any of the following layouts: simple, spanned,
mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single region
on a disk or consist of multiple, concatenated regions. A simple volume can be
extended within the same disk or onto additional disks. If a simple volume is
extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks.
A spanned volume cannot be mirrored and is not fault-tolerant.
The system volume contains the hardware-specific files that are needed to
load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system
volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are
located in the
RAID 0 – Striping
Can the GC server and the Infrastructure Master be placed on a single server?
If not, explain why. No, as the Infrastructure Master does the same job as the
GC; they do not work together.
What is the size of the log files created before updates are written into
ntds.dit, and the total number of files? Three log files, named Edb.log,
Res1.log and Res2.log, each initially 10 MB.
What does SYSVOL contain? The SYSVOL folder contains the public information of
the domain and the information for replication. For example, Group Policy
objects and scripts can be found in this directory.
What is the port number for SMTP, Kerberos, LDAP, and GC Server?
SMTP 25, Kerberos 88, GC 3128, LDAP 53
What are the new features in Windows 2003 related to ADS, Replication, and
Trust? ADS: Groups can contain more than 5000 users.
What are the different types of Terminal Services? User Mode & Application
Mode
What is meant by root DNS servers? Public DNS servers hosted on the Internet
which register the DNS.
How do down-level clients register their names with the DNS server? Enable
WINS integration with DNS.
What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).
What is the default lease period for a DHCP server? 8 days by default.
• The Windows 2000 loader switches the processor to the 32-bit flat
memory model.
• The Windows 2000 loader starts a mini-file system.
• The Windows 2000 loader reads the BOOT.INI file and displays the
operating system selections (boot loader menu).
• The Windows 2000 loader loads the operating system selected by the
user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other
operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
• NTDETECT.COM scans the hardware installed in the computer, and
reports the list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE\HARDWARE hive.
• NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware
information collected by NTDETECT.COM. Windows NT enters the
Windows load phases.
What is WINS hybrid & mixed mode? Systems that are configured to use WINS
are normally configured as a hybrid (H-node) client, meaning they attempt to
resolve NetBIOS names via a WINS server and then try a broadcast (B-node) if
WINS is unsuccessful. Most systems can be configured to resolve NetBIOS names
in one of four modes:
What is Disk Quota? A disk quota specifies limits on the amount of disk space
that may be used.
What is the port number for SMTP, Kerberos, LDAP, and GC Server? SMTP 25,
Kerberos 88, GC 3268, LDAP 389
What are some of the new tools and features provided by Windows Server
2008?
Windows Server 2008 now provides a desktop environment similar to Microsoft
Windows Vista and includes tools also found in Vista, such as the new backup
snap-in and the BitLocker drive encryption feature. Windows Server 2008 also
provides the new IIS7 web server and the Windows Deployment Service.
What are the different editions of Windows Server 2008? The entry-level
version of Windows Server 2008 is the Standard Edition. The Enterprise Edition
provides a platform for large enterprisewide networks. The Datacenter Edition
provides support for unlimited Hyper-V virtualization and advanced clustering
services. The Web Edition is a scaled-down version of Windows Server 2008
intended for use as a dedicated web server. The Standard, Enterprise, and
Datacenter Editions can be purchased with or without the Hyper-V
virtualization technology.
How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 is managed from the
command line.
Which Control Panel tool enables you to automate the running of server
utilities and other applications?
The Task Scheduler enables you to schedule the launching of tools such as
Windows Backup and Disk Defragmenter.
What are some of the items that can be accessed via the System Properties
dialog box?
You can access virtual memory settings and the Device Manager via the System
Properties dialog box.
Which Windows Server utility provides a common interface for tools and
utilities and provides access to server roles, services, and monitoring and
drive utilities?
The Server Manager provides both the interface and access to a large number
of the utilities and tools that you will use as you manage your Windows server.
When a child domain is created in the domain tree, what type of trust
relationship exists between the new child domain and the tree’s root
domain?
Child domains and the root domain of a tree are assigned transitive trusts. This
means that the root domain and child domain trust each other and allow
resources in any domain in the tree to be accessed by users in any domain in
the tree.
What are some of the other roles that a server running Windows Server
2008 could fill on the network?
A server running Windows Server 2008 can be configured as a domain
controller, a file server, a print server, a web server, or an application server.
Windows servers can also have roles and features that provide services such as
DNS, DHCP, and Routing and Remote Access.
Which Windows Server 2008 tools make it easy to manage and configure a
server’s roles and features?
The Server Manager window enables you to view the roles and features
installed on a server and also to quickly access the tools used to manage these
various roles and features. The Server Manager can be used to add and remove
roles and features as needed.
What utility is provided by Windows Server 2008 for managing disk drives,
partitions, and volumes?
The Disk Manager provides all the tools for formatting, creating, and managing
drive volumes and partitions.
What is the difference between a basic and dynamic drive in the Windows
Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided
into partitions (simple volumes).
Dynamic disks consist of a single partition that can be divided into any number
of volumes. Dynamic disks also support Windows Server 2008 RAID
implementations.
What is the most foolproof strategy for protecting data on the network?
A regular backup of network data provides the best method of protecting you
from data loss.
What protocol stack is installed by default when you install Windows Server
2008 on a network server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is
required for Active Directory implementations and provides for connectivity on
heterogeneous networks.
What term is used to refer to the first domain created in a new Active
Directory tree?
The first domain created in a tree is referred to as the root domain. Child
domains created in the tree share the same namespace as the root domain.
What are some of the tools used to manage Active Directory objects in a
Windows Server 2008 domain?
When the Active Directory is installed on a server (making it a domain
controller), a set of Active Directory snap-ins is provided. The Active Directory
Users and Computers snap-in is used to manage Active Directory objects such as
user accounts, computers, and groups. The Active Directory Domains and Trusts
snap-in enables you to manage the trusts that are defined between domains.
The Active Directory Sites and Services snap-in provides for the management of
domain sites and subnets.
What type of group is not available in a domain that is running at the mixed-
mode functional level?
Universal groups are not available in a mixed-mode domain. The functional
level must be raised to Windows 2003 or Windows 2008 to make these groups
available.
Can servers running Windows Server 2008 provide services to clients when
they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a
workgroup. The server can provide some services to the workgroup peers but
does not provide the security and management tools provided to domain
controllers.
What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration
settings for Active Directory containers such as sites, domains, and OUs. GPOs
are linked to a particular container, and then individual policies and
administrative templates are enabled to control the environment for the users
or computers within that particular container.
How can you make sure that network clients have the most recent Windows
updates installed and have other important security features such as the
Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network
Policy and Access Services role). The Network Policy Server can be configured
to compare desktop client settings with health validators to determine the
level of network access afforded to the client.
What types of zones would you want to create on your DNS server so that
both queries to resolve hostnames to IP addresses and queries to resolve IP
addresses to hostnames are handled successfully?
You would create both a forward lookup zone and a reverse lookup zone on
your Windows Server 2008 DNS server.
What tool enables you to manage your Windows Server 2008 DNS server?
The DNS snap-in enables you to add or remove zones and to view the records in
your DNS zones. You can also use the snap-in to create records such as a DNS
resource record.
How the range of IP addresses is defined for a Windows Server 2008 DHCP
server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that
contains more than one subnet of IP addresses is called a superscope. IP
addresses in a scope that you do not want to lease can be included in an
exclusion range.
How can you configure the DHCP server so that it provides certain devices
with the same IP address each time the address is renewed?
You can create a reservation for the device (or create reservations for a
number of devices). To create a reservation, you need to know the MAC
hardware address of the device. You can use the ipconfig or nbtstat
command-line utilities to determine the MAC address for a network device such
as a computer or printer.
To prevent rogue DHCP servers from running within a domain, what is required
for your DHCP server to function?
The DHCP server must be authorized in the Active Directory before it can
function in the domain.
What is DHCP? DHCP stands for "Dynamic Host Configuration Protocol". DHCP
(Dynamic Host Configuration Protocol) is a communications protocol that lets
network administrators centrally manage and automate the assignment of
Internet Protocol (IP) addresses in an organization's network.
DHCP assigns IP address to computers and other devices that are enabled as
DHCP Clients. Deploying DHCP servers on the network automatically provides
computers and other TCP/IP based network devices with valid IP addresses and
the additional configuration parameters these devices need, called DHCP
options, which allow them to connect to other network resources, such as DNS
Servers, WINS servers and routers. Dynamic Host Configuration Protocol (DHCP)
automatically assigns IP addresses and other network configuration information
(subnet mask, broadcast address, etc) to computers on a network. A client
configured for DHCP will send out a broadcast request to the DHCP server
requesting an address. The DHCP server will then issue a "lease" and assign it to
that client. The time period of a valid lease can be specified on the server.
DHCP reduces the amount of time required to configure clients and allows one
to move a computer to various networks and be configured with the appropriate
IP address, gateway and subnet mask.
At what layer of OSI does it function? DHCP works at the Data Link Layer (Layer 2).
What is DORA? At the end of the exchange, the chosen DHCP server sends the
lease information (the IP address and potentially a subnet mask, DNS server,
WINS server, WINS node type, domain name, and default gateway) to the
workstation in a message called the DHCP ACK (data communications jargon for
acknowledge). You can remember the four steps of a DHCP exchange by the
mnemonic DORA: Discover, Offer, Request, and ACK.
There are certain situations however when you might want to lengthen this
lease period to several weeks or months or even longer. These situations
include (a) when you have a stable network where computers neither join or
are removed or relocated; (b) when you have a large pool of available IP
addresses to lease from; or (c) when your network is almost saturated with
very little available bandwidth and you want to reduce DHCP traffic to increase
available bandwidth (not by much, but sometimes every little bit helps).
What is TCP/IP port no. used for DHCP service? DHCP uses the same two IANA
assigned ports as BOOTP: 67/udp for the server side, and 68/udp for the client
side.
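The DORA exchange, the NACK/ACK outcome, the 67/68 ports and the "authorized server" requirement above, as an added Python example (not part of the original document): it builds and parses minimal DHCP messages, replays a captured exchange in order and flags any Offer or ACK whose server identifier is not on the authorized list. All addresses, the client MAC and the transaction id are constructed values.

```python
# Added example, not from the original document: build and parse minimal DHCP
# messages, replay a DORA exchange and flag Offer/ACK messages that do not come
# from an authorized server. All addresses, MACs and xid values are constructed.
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

SERVER_PORT, CLIENT_PORT = 67, 68        # same IANA UDP ports as BOOTP
MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of the options field
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values
NAME = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK", NAK: "NAK"}
OPT_REQ_ADDR, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255

Packet = Tuple[int, int, bytes]          # (source port, destination port, payload)


def build(msg_type: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
          options: Optional[Dict[int, bytes]] = None) -> bytes:
    """Assemble a BOOTP/DHCP message: 236-byte fixed header, cookie, TLV options."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2          # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,         # htype=Ethernet, hlen=6, broadcast
                         b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(payload: bytes) -> dict:
    """Decode the header fields and options that the DORA check needs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                  # pad option, single byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.ip_address(payload[16:20])),
            "chaddr": payload[28:28 + hlen], "type": options.get(OPT_MSG_TYPE, b"\0")[0],
            "options": options}


def check_exchange(packets: List[Packet], authorized: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Replay a captured exchange in order. Returns (leased address or None, findings)."""
    expected = [DISCOVER, OFFER, REQUEST, ACK]
    findings, lease, xid = [], None, None
    for n, (sport, dport, payload) in enumerate(packets):
        m = parse(payload)
        label = NAME.get(m["type"], str(m["type"]))
        xid = m["xid"] if n == 0 else xid
        if m["xid"] != xid:
            findings.append(f"{label}: transaction id does not match the Discover")
        if n < len(expected) and m["type"] != expected[n]:
            findings.append(f"step {n + 1}: expected {NAME[expected[n]]}, got {label}")
        ports = (CLIENT_PORT, SERVER_PORT) if m["op"] == 1 else (SERVER_PORT, CLIENT_PORT)
        if (sport, dport) != ports:
            findings.append(f"{label}: unexpected ports {sport}->{dport}")
        if m["type"] in (OFFER, ACK):
            sid = str(ipaddress.ip_address(m["options"].get(OPT_SERVER_ID, b"\0\0\0\0")))
            if sid not in authorized:
                findings.append(f"{label} for {m['yiaddr']} from unauthorized server {sid}")
            elif m["type"] == ACK:
                lease = m["yiaddr"]
    return lease, findings


MAC = bytes.fromhex("001122334455")                 # constructed client MAC
XID = 0x3903F326                                    # constructed transaction id
GOOD_SERVER, ROGUE_SERVER = "192.0.2.1", "192.0.2.99"
OFFERED = "192.0.2.50"


def sample_exchange(server_ip: str) -> List[Packet]:
    """A full DORA exchange between the client and the given server (constructed)."""
    sid = ipaddress.ip_address(server_ip).packed
    lease = struct.pack("!I", 8 * 24 * 3600)        # the 8-day default lease, in seconds
    return [
        (CLIENT_PORT, SERVER_PORT, build(DISCOVER, XID, MAC)),
        (SERVER_PORT, CLIENT_PORT, build(OFFER, XID, MAC, OFFERED, {OPT_SERVER_ID: sid, OPT_LEASE: lease})),
        (CLIENT_PORT, SERVER_PORT, build(REQUEST, XID, MAC, options={
            OPT_REQ_ADDR: ipaddress.ip_address(OFFERED).packed, OPT_SERVER_ID: sid})),
        (SERVER_PORT, CLIENT_PORT, build(ACK, XID, MAC, OFFERED, {OPT_SERVER_ID: sid, OPT_LEASE: lease})),
    ]


if __name__ == "__main__":
    print(check_exchange(sample_exchange(GOOD_SERVER), {GOOD_SERVER}))
    print(check_exchange(sample_exchange(ROGUE_SERVER), {GOOD_SERVER}))
```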
What is VLAN?
A virtual LAN, commonly known as a vLAN or as a VLAN, is a method of
creating independent logical networks within a physical network.
A VLAN consists of a network of computers that behave as if connected to the
same wire – even though they may actually be physically connected to different
segments of a LAN. Network administrators configure VLANs through software
rather than hardware, which makes them extremely flexible.
Option Classes
There are two option class types: User Class and Vendor Class. User Classes assign
DHCP options to a group of clients that require similar configuration; Vendor
Classes typically assign vendor-specific options to clients that share a common
vendor type. For example, with Vendor Classes you can assign all Dell
computers DHCP options that are common to those machines. The purpose of
option classes is to group DHCP options for similar clients within a DHCP scope.
What is Multicast?
A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be
assigned to computers when they ask for them. A multicast group is assigned to
one IP address. Multicasting can be used to send messages to a group of
computers at the same time with only one copy of the message.
The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to
request a multicast address from a DHCP server.
What is WSUS?
It is Microsoft Software Update Server, and it is designed to automate the
process of distributing Windows operating system patches. It works by
controlling the Automatic Updates applet already present on all Windows
machines. Instead of many machines at UVA all going to Microsoft's website to
download updates, the SUS server downloads all updates to an ITC-owned
server and workstations then look there for updates.
What is DNS?
DNS stands for Domain Naming System, which provides name resolution for
TCP/IP networks. In addition, it is a distributed database with a hierarchical
structure which ensures that each hostname is unique across a local and wide
area network.
DNS is the name resolution system of the Internet. Using DNS allows clients to
resolve names of hosts to IP addresses so that communication can take place.
DNS is the foundation upon which Active Directory is built.
What is WINS?
WINS (Windows Internet Naming Service) resolves Windows network computer
names (also known as NetBIOS names) to Internet IP addresses, allowing
Windows computers on a network to easily find and communicate with each
other.
What is the TCP/IP port no. used for WINS services? 137
What is a Firewall? What essential settings are used in a firewall?
A system designed to prevent unauthorized access to or from a private
network. Firewalls can be implemented in both hardware and software, or a
combination of both. Firewalls are frequently used to prevent unauthorized
internet users from accessing private networks connected to the internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet
the specified security criteria.
There are several types of firewall techniques; the 3 basic ones are given below:
· Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition, it
is susceptible to IP spoofing.
· Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose
performance degradation.
· Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can
flow between the hosts without further checking.
· Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network addresses.
What is VPN?
VPN gives extremely secure connections between private networks linked
through the Internet. It allows remote computers to act as though they were on
the same secure, local network.
What is Object?
Active Directory objects are the entities that make up a network. An object is a
distinct, named set of attributes that represents something concrete, such as a
user, a printer, or an application. For example, when we create a user object,
Active Directory assigns the globally unique identifier (GUID), and we provide
values for such attributes as the user's given name, surname, the logon
identifier, and so on.
What is Schema?
The schema defines the type of objects and the attributes that each object
has. The schema is what defines a user account for example. A user account
must have a name, a password, and a unique SID. A user account can also have
many additional attributes, such as location, address, phone number, e-mail
addresses, terminal services profiles, and so on.
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol; it is a networking
protocol for querying and modifying directory services running over TCP/IP.
The TCP port for LDAP is 389. LDAP Version 5.
What are groups?
Groups are Active Directory (or local computer) objects that can contain users,
contacts, computers, and other groups. In Windows 2003, groups are created in
domains, using the Active Directory Users and Computers tool. You can create
groups in the root domain, in any other domain in the forest, in any
organizational unit, or in any container class object (such as the default Users
container). Like user and computer accounts, groups are Windows 2000 security
principals; they are directory objects to which SIDs are assigned at creation.
What is the difference between FAT, FAT32 & NTFS & what is it?
Following are Microsoft's Windows Glossary definitions for each of the 3 file
systems:
1. File Allocation Table (FAT): A file system used by MS-DOS and other
Windows-based operating systems to organize and manage files. The file
allocation table (FAT) is a data structure that Windows creates when you
format a volume by using the FAT or FAT32 file systems. Windows stores
information about each file in the FAT so that it can retrieve the file later.
2. FAT32: A derivative of the File Allocation Table (FAT) file system. FAT32
supports smaller cluster sizes and larger volumes than FAT, which results in
more efficient space allocation on FAT32 volumes.
3. NTFS: An advanced file system that provides performance, security,
reliability, and advanced features that are not found in any version of FAT. For
example, NTFS guarantees volume consistency by using standard transaction
logging and recovery techniques. If a system fails, NTFS uses its log file and
checkpoint information to restore the consistency of the file system. In
Windows 2000 and Windows XP, NTFS also provides advanced features such as
file and folder permissions, encryption, disk quotas, and compression.
NTFS File System:
1. NTFS is the best file system for large drives. Unlike FAT and FAT32,
performance with NTFS doesn't degrade as drive size increases.
2. One of the major security features in NTFS is encryption or, in other words,
the process of disguising a message or data in such a way as to hide its
substance.
3. Another feature in NTFS is disk quotas. It gives you the ability to monitor
and control the amount of disk space used by each user.
4. Using NTFS, you can keep access control on files and folders and support
limited accounts. In FAT and FAT32, all files and folders are accessible by all
users no matter what their account type is.
5. Domains can be used to tweak security options while keeping administration
simple.
6. Compression available in NTFS enables you to compress files, folders, or
whole drives when you're running out of disk space.
7. Removable media (such as tapes) are made more accessible through the
Remote Storage feature.
8. Recovery logging helps you restore information quickly if power failures or
other system problems occur.
9. You can convert a drive to NTFS in two ways:
1. Back up all your data before formatting:
So you want to start with a 'clean' drive but can't afford to lose your precious
files? Very simple: all you need to do is back up your files to an external
hard drive or a partition other than the one you want to convert, or burn the
data onto CDs. After you're done you can format the drive with NTFS.
2. Use the convert command from the command prompt:
This way, you don't need to back up. All files are preserved as they are.
However, I recommend a backup. You don't know what might go wrong, and
besides, what would you lose if you do back up? When I converted to NTFS using
convert.exe, everything went smoothly. Chances are your conversion will be
equally smooth.
IMPORTANT NOTE: This is a one-way conversion. Once you've converted to
NTFS, you can't go back to FAT or FAT32 unless you format the drive.
1. Open Command Prompt:
Start | All Programs | Accessories | Command Prompt
OR
Start | Run | type "cmd" without quotes | OK
2. Type "convert <drive letter>: /fs:ntfs" and press Enter. For example, type
"convert C: /fs:ntfs" (without quotes) if you want to convert drive C.
3. If you're asked whether you want to dismount the drive, agree.
What is Backup?
To copy files to a second medium (a disk or tape) as a precaution in case the
first medium fails.
What is a Cluster?
A cluster is a group of independent computers that work together to run a
common set of applications and provide the image of a single system to the
client and application. The computers are physically connected by cables and
programmatically connected by cluster software. These connections allow
computers to use problem-solving features such as failover in Server clusters
and load balancing in Network Load Balancing (NLB) clusters.
What is RAID?
RAID (Redundant Array of Independent Disks) is a collection of disk drives that
offers increased performance and fault tolerance. There are a number of
different RAID levels. The three most commonly used are 0, 1, and 5. Level 0:
striping without parity (spreading out blocks of each file across multiple
disks). Level 1: disk mirroring or duplexing. Level 2: bit-level striping with
parity. Level 3: byte-level striping with dedicated parity.
What is Raid-0?
RAID Level 0 is not redundant, hence does not truly fit the "RAID" acronym. In
level 0, data is split across drives, resulting in higher data throughput. Since no
redundant information is stored, performance is very good, but the failure of
any disk in the array results in data loss. This level is commonly referred to as
striping.
What is RAID-1?
RAID Level 1 provides redundancy by writing all data to two or more drives.
The performance of a level 1 array tends to be faster on reads and slower on
writes compared to a single drive, but if either drive fails, no data is lost. This
is a good entry-level redundant system, since only two drives are required;
however, since one drive is used to store a duplicate of the data, the cost per
megabyte is high. This level is commonly referred to as mirroring.
What is RAID-5?
RAID Level 5 is similar to level 4, but distributes parity among the drives. This
can speed small writes in multiprocessing systems, since the parity disk does
not become a bottleneck. Because parity data must be skipped on each drive
during reads, however, the performance for reads tends to be considerably
lower than a level 4 array. The cost per megabyte is the same as for level 4.
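To make the RAID 0 versus RAID 5 contrast concrete, here is an added Python example (not part of the original document) of a toy array: data is striped across drives, RAID 5 parity rotates from drive to drive per stripe instead of living on one dedicated disk, and a single failed drive is rebuilt by XOR of the survivors, whereas the RAID 0 layout loses its data. Chunk size, drive count and sample data are constructed.

```python
# Added example, not from the original document: a toy RAID 5 array with
# rotating parity, contrasted with RAID 0, showing how a failed drive is rebuilt
# from the survivors by XOR. Chunk size and data are constructed for illustration.
from typing import List

CHUNK = 4                    # bytes per chunk; real arrays use 64 KiB or larger stripes


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length chunks together; the basis of RAID 5 parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive(stripe: int, n_drives: int) -> int:
    """RAID 5 rotates the parity chunk one drive to the left per stripe, so no
    single disk takes every parity write (the RAID 4 bottleneck the text mentions)."""
    return (n_drives - 1 - stripe) % n_drives


def write_stripes(data: bytes, n_drives: int, parity: bool) -> List[List[bytes]]:
    """Stripe data across drives; returns drives[d][s] = chunk of stripe s on drive d.
    parity=False gives RAID 0 (all chunks are data), parity=True gives RAID 5."""
    data_chunks = n_drives - 1 if parity else n_drives
    per_stripe = CHUNK * data_chunks
    n_stripes = -(-len(data) // per_stripe)                  # ceiling division
    data = data.ljust(n_stripes * per_stripe, b"\0")        # pad the last stripe
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(n_stripes):
        base = s * per_stripe
        chunks = [data[base + k * CHUNK: base + (k + 1) * CHUNK] for k in range(data_chunks)]
        if parity:
            chunks.insert(parity_drive(s, n_drives), xor_blocks(chunks))
        for d in range(n_drives):
            drives[d].append(chunks[d])
    return drives


def read_data(drives: List[List[bytes]], parity: bool) -> bytes:
    """Read user data back in order, skipping each stripe's parity chunk."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        skip = parity_drive(s, n) if parity else -1
        out += b"".join(drives[d][s] for d in range(n) if d != skip)
    return bytes(out)


def rebuild_drive(drives: List[List[bytes]], failed: int, parity: bool) -> List[bytes]:
    """Reconstruct every chunk of the failed drive from the surviving drives.
    With parity, each chunk (data or parity alike) is the XOR of the others in its
    stripe; without parity (RAID 0) the lost chunks cannot be recovered."""
    if not parity:
        raise ValueError("RAID 0 has no redundancy: a failed drive loses its data")
    survivors = [d for i, d in enumerate(drives) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def usable_fraction(n_drives: int, parity: bool) -> float:
    """Capacity available for data: one drive's worth goes to parity in RAID 5."""
    return (n_drives - 1) / n_drives if parity else 1.0


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed data
    array = write_stripes(sample, 4, parity=True)
    rebuilt = rebuild_drive(array, failed=2, parity=True)
    print(rebuilt == array[2])          # True: drive 2 reconstructed from the rest
```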
What is IP?
The Internet Protocol (IP) is a data-oriented protocol used for communicating
data across a packet-switched internetwork. IP is a network layer protocol in
the internet protocol suite and is encapsulated in a data link layer protocol
(e.g., Ethernet).
What is TCP?
TCP stands for Transmission Control Protocol and is pronounced as separate
letters. TCP is one
of the main protocols in TCP/IP networks. Whereas the IP protocol deals only
with packets, TCP enables two hosts to establish a connection and exchange
streams of data. TCP guarantees delivery of data and also guarantees that
packets will be delivered in the same order in which they were sent.
What is UDP?
UDP is a connectionless protocol that, like TCP, runs on top of IP networks.
Unlike TCP/IP, UDP/IP provides very few error recovery services, offering
instead a direct way to send and receive datagrams over an IP network. It's
used primarily for broadcasting messages over a network.
How can we assign a static IP & a dynamic IP using a command prompt utility?
Yes, through the netsh command.
What is Gateway?
A gateway is either hardware or software that acts as a bridge between two
networks so that data can be transferred between a number of computers.
What is the Difference between Windows NT, Windows 2000 & Windows 2003?
The major differences between NT, 2000 & 2003 are as follows:
1) Windows NT Server has the concept of PDC and BDC, but there is no such
concept in 2000.
2) In Windows NT Server the SAM database is read/write on the PDC and read-only
on the BDC, but in a 2000 domain every domain controller has the SAM database
in read/write format.
3) A 2000 server can become a domain controller or a member server at any
moment simply by running dcpromo to add/remove Active Directory. But in Windows
NT you have to reinstall the operating system.
A) In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.
B) 2000 supports 8 processors and 64 GB RAM (in 2000 Advanced Server), whereas
2003 supports up to 64 processors and a maximum of 512 GB RAM.
C) 2000 supports IIS 5.0 and 2003 supports IIS 6.0.
D) 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
E) 2000 has Server and Advanced Server editions, whereas 2003 has Standard,
Enterprise, Datacentre and Web Server editions.
F) 2000 doesn't have any 64-bit server operating system, whereas 2003 has
64-bit server operating systems (Windows Server 2003 x64 Standard and
Enterprise Edition).
G) 2000 has the basic concept of DFS (Distributed File System) with defined
roots, whereas 2003 has enhanced DFS support with multiple roots.
H) In 2000 there is complexity in administering complex networks, whereas 2003
offers easy administration in all networks, including complex ones.
I) In 2000 we can create 1 million users and in 2003 we can create 1 billion
users.
J) 2003 has the concept of the Volume Shadow Copy Service, which is used to
create hard disk snapshots used in disaster recovery; 2000 doesn't have this
service.
K) In 2000 we don't have end-user policy management, whereas in 2003 we have
end-user policy management, which is done in GPMC (Group Policy Management
Console).
L) In 2000 we have cross-domain trust relationships and in 2003 we have
cross-forest trust relationships.
M) 2000 supports 4-node clustering and 2003 supports 8-node clustering.
N) 2003 has high HCL (Hardware Compatibility List) support issued by Microsoft.
O) The code name of 2000 is Win NT 5.0 and the code name of 2003 is Win NT 5.1.
P) 2003 has a service called ADFS (Active Directory Federation Services), which
is used to communicate between branches with safe authentication.
Q) In 2003 there is improved storage management using the File Server Resource
Manager (FSRM) service.
R) 2003 has a service called Windows SharePoint Services (it is an integrated
portfolio of collaboration and communication services designed to connect
people, information, processes, and systems both within and beyond the
organizational firewall).
S) 2003 has improved print management compared to 2000 Server.
T) 2003 has telnet sessions available.
U) 2000 supports IPv4, whereas 2003 supports IPv4 and IPv6.
Windows 2003 supports shadow copies, a new tool to recover files.
Windows 2003 Server includes the IIS server in it. That is the biggest
advantage, on top of better file system management.
In 2003 Server you can change the domain name at any time without rebuilding
the domain, whereas in 2000 you have to rebuild the entire domain to change the
domain name.
Windows 2000 supports a maximum of 10 users accessing a shared folder at a
time through the network, but in Windows 2003 there is no limitation.
What is domain?
A collection of computer, user, and group objects defined by the administrator.
These objects share a common directory database, security policies, and
security relationships with other domains.
What is forest?
One or more Active Directory domains that share the same class and attribute
definitions (schema), site, and replication information (configuration), and
forest-wide search capabilities (global catalog). Domains in the same forest are
linked with two-way, transitive trust relationships.
What is site?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site
allows administrators to configure Active Directory access and replication
topology to take advantage of the physical network.
Why should you strive to create only one forest for your organization?
Using more than one forest requires administrators to maintain multiple
schemas, configuration containers, global catalogs, and trusts, and requires
users to take complex steps to use the directory.
Why should you try to minimize the number of domains in your
organization?
Adding domains to the forest increases management and hardware costs.
Why should you define the forest root domain with caution?
Define your forest root domain with caution; because once you’ve named the
forest root domain you cannot change it without renaming and reworking the
entire Active Directory tree.
Which tool helps assign roles to a server, including the role of domain
controller?
Configure Your Server Wizard
What are the reasons to create more than one child domain under a
dedicated root domain?
The reasons to create more than one child domain under the dedicated root
are to meet required security policy settings, which are linked to domains; to
meet special administrative requirements, such as legal or privacy concerns; to
optimize replication traffic; to retain Windows NT domains; and to establish a
distinct namespace.
For best performance and fault tolerance, where should you store the
database and log files?
For best performance and fault tolerance, it is recommended that you place the
database and the log files on separate physical disks. Put them on NTFS
volumes even though the wizard does not require it: NTFS is what lets you
restrict access to Ntds.dit and the logs, and the Sysvol folder must be on NTFS
in any case.
What is the function of the shared system volume folder and where is the
default storage location of the folder?
The shared system volume folder stores public files that must be replicated to
other domain controllers, such as logon scripts and some of the GPOs, for both
the current domain and the enterprise. The default location for the shared
system volume folder is %Systemroot%\Sysvol. The shared system folder must
be placed on an NTFS drive.
What command must you use to install Active Directory using the Active
Directory Installation Wizard?
Use the Dcpromo command to install Active Directory using the Active
Directory Installation Wizard.
What items are installed when you use the Active Directory Installation
Wizard to install Active Directory?
The Active Directory Installation Wizard installs Active Directory, creates the
full domain name, assigns the NetBIOS name for the domain, sets the Active
Directory database and log folder location, sets the shared system volume
folder location, and installs DNS and a preferred DNS server if you requested
DNS installation.
Explain the two ways you can use an answer file to install Active Directory.
An answer file that is used to install Windows Server 2003 can also include the
installation of Active Directory. Or, you can create an answer file that installs
only Active Directory and is run after Windows Server 2003 Setup is complete
and you have logged on to the system.
What command must you use to install Active Directory using the network
or backup media?
Use the Dcpromo /adv command to install Active Directory using the network
or backup media.
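The second kind of answer file (Active Directory only, run after Setup), as an added example that is not from the original page. The domain names, paths and the Directory Services Restore Mode password are assumptions; the answer-file keys are the Windows Server 2003 [DCInstall] keys.

```powershell
# Added example (not from the original page): unattended promotion of the first DC of
# a new forest. Names, paths and the DSRM password below are assumptions.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
SiteName=Default-First-Site-Name
AutoConfigDNS=Yes
DatabasePath=D:\NTDS
LogPath=E:\NTDSLogs
SYSVOLPath=D:\SYSVOL
SafeModeAdminPassword=Ch4ngeMe-DSRM!
RebootOnSuccess=NoAndNoPromptEither
"@
$path = "C:\Deploy\dcpromo-answer.txt"
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
Set-Content -Path $path -Value $answer -Encoding ASCII

# Run the Active Directory Installation Wizard unattended
dcpromo /answer:$path

# The file holds the DSRM password in clear text: an attacker with it can boot the DC
# into restore mode and read Ntds.dit offline. Remove it before the reboot.
Remove-Item $path -Force
shutdown /r /t 5

# For an additional DC in an existing domain the relevant keys are instead:
#   ReplicaOrNewDomain=Replica
#   ReplicaDomainDNSName=corp.example.com
#   UserName=..., Password=..., UserDomain=CORP   (account allowed to add DCs)
# and, to take the initial database from restored backup media (the Dcpromo /adv path)
# rather than pulling it over the network:
#   ReplicateFromMedia=Yes
#   ReplicationSourcePath=D:\IFMBackup
```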
Which of the following commands is used to demote a domain controller?
a. Dcdemote
b. Dcinstall
c. Dcpromo
d. Dcremove
The correct answer is c. You use the Dcpromo command to demote a domain
controller.
After Active Directory has been installed, how can you verify the domain
configuration?
You can verify the domain configuration in three steps by using the Active
Directory Users and Computers console. First, you verify that your domain is
correctly named by finding it in the console tree. Second, you double-click the
domain, click the Domain Controllers container, and verify that your domain
controller appears and is correctly named by finding it in the details pane.
Third, you double-click the server and verify that all information is correct on
the tabs in the Properties dialog box for the server.
After Active Directory has been installed, how can you verify the DNS
configuration?
You can verify DNS configuration by viewing the set of default SRV resource
records on the DNS server in the DNS console.
After Active Directory has been installed, how can you verify DNS
integration with Active Directory?
You can verify DNS integration by viewing the Type setting and the Dynamic
Updates setting in the General tab in the Properties dialog box for the DNS
zone and the Load Zone Data on Startup setting in the Advanced tab in the
Properties dialog box for the DNS server.
After Active Directory has been installed, how can you verify installation of
the shared system volume?
You can verify installation of the shared system volume by opening
%Systemroot%\Sysvol or the location you specified during Active Directory
installation and verifying that the Sysvol folder contains a shared Sysvol folder
and that the shared Sysvol folder contains a folder for the domain, which
contains a shared Scripts and a Policies folder.
How can you fix data left behind after an unsuccessful removal of Active
Directory?
First, you must remove the orphaned metadata (the NTDS Settings object and the
references to it) with the metadata cleanup command in Ntdsutil. Then you must
delete the domain controller's server object in the Active Directory Sites And
Services console, its computer account in the Domain Controllers OU, and the
DNS records it registered. You can safely delete the server object only after
all services have been removed and no child objects remain.
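The cleanup above as commands, as an added example that is not part of the original page. The DC, site and domain names are assumptions; the one-line form of remove selected server is the Windows Server 2003 SP1 behaviour, the pre-SP1 interactive sequence is given in a comment.

```powershell
# Added example (not from the original page): removing the leftovers of DC2 (site
# Default-First-Site-Name, domain corp.example.com) whose demotion failed. Names are
# assumptions. Run as an Enterprise Admin from a healthy DC (DC1).
$serverDn = "CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com"

# 1. Strip the NTDS Settings object and replication links from the directory.
#    Windows Server 2003 SP1 ntdsutil accepts the server object DN directly. Before SP1
#    the dialogue was: metadata cleanup > connections > connect to server DC1 > quit >
#    select operation target > list domains > select domain N > list sites > select site N
#    > list servers in site > select server N > quit > remove selected server
ntdsutil "metadata cleanup" "connections" "connect to server DC1" "quit" "remove selected server $serverDn" "quit" "quit"

# 2. Delete what ntdsutil leaves behind: the server object under Sites, the computer
#    account in the Domain Controllers OU, and the FRS member object for SYSVOL.
dsrm -noprompt -subtree $serverDn
dsrm -noprompt "CN=DC2,OU=Domain Controllers,DC=corp,DC=example,DC=com"
dsrm -noprompt -subtree "CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=corp,DC=example,DC=com"

# 3. Remove the dead DC's DNS records so clients and partners stop being referred to it:
#    its A record and its SRV records (repeat for each SRV it registered; the _msdcs
#    subtree in the DNS console lists them, as does dcdiag /test:dns).
dnscmd DC1 /RecordDelete corp.example.com DC2 A /f
dnscmd DC1 /RecordDelete corp.example.com _ldap._tcp SRV 0 100 389 dc2.corp.example.com. /f

# 4. Confirm nothing still expects DC2 as a replication partner (Support Tools).
repadmin /showrepl DC1
dcdiag /test:replications
```

The order matters: deleting the server object in Sites And Services first, while the NTDS Settings object still exists, leaves replication links pointing at a server that no longer has a settings object, which is exactly the condition the question describes.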
What is the purpose of the Active Directory Domains And Trusts console?
The Active Directory Domains And Trusts console provides the interface to
manage domains and manage trust relationships between forests and domains.
What is the purpose of the Active Directory Sites And Services console?
The Active Directory Sites And Services console contains information about the
physical structure of your network.
What is the purpose of the Active Directory Users And Computers console?
The Active Directory Users And Computers console allows you to add, modify,
delete, and organize Windows Server 2003 user accounts, computer accounts,
security and distribution groups, and published resources in your organization’s
directory. It also allows you to manage domain controllers and OUs.
Can you restrict who can gain access to a completed backup file or tape? If
so, how?
You can restrict who can gain access to a completed backup file or tape by
selecting the Replace The Data On The Media With This Backup option and the
Allow Only The Owner And The Administrator Access To The Backup Data And
To Any Backups Appended To This Medium option on the Backup Options page
in the Backup Or Restore Wizard.
When you specify the items you want to back up in the Backup Or Restore
Wizard, which of the following should you select to successfully back up
Active Directory data?
a. System state data
b. Shared system volume folder
c. Database and log files
d. Registry
The correct answer is a. When you specify the items you want to back up in the
Backup Or Restore Wizard, you must specify system state data to successfully
back up Active Directory data.
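The same backup from the command line, as an added example that is not part of the original page. The destination path and job name are assumptions; the wizard's "allow only the owner and the Administrator access" option corresponds to the /R:yes switch.

```powershell
# Added example (not from the original page): System State backup of a domain controller
# with ntbackup, restricted to its owner and Administrators. Paths are assumptions.
$dest = "D:\Backups\SystemState-$(Get-Date -Format yyyyMMdd-HHmm).bkf"
New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null

# systemstate = AD database, SYSVOL, registry, COM+ class registration and boot files
# /M normal   = full backup
# /V:yes      = verify after writing, so you learn now rather than during a restore
# /R:yes      = restrict access to the backup data to the owner and Administrators
# /L:f        = full log (under the profile's ...\Microsoft\Windows NT\NTBackup\data)
ntbackup backup systemstate /J "DC System State" /F $dest /M normal /V:yes /R:yes /L:f

# The .bkf contains Ntds.dit, i.e. every password hash in the domain; anyone who can read
# it can attack all accounts offline. /R:yes protects the catalog, so also lock down the
# file on disk: /E edits the ACL in place, /R revokes, /G grants (F = full control).
cacls $dest /E /R "Users"
cacls $dest /E /G "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F"
cacls $dest

# Restoring later: boot into Directory Services Restore Mode, restore the System State
# with ntbackup, and only if deleted objects must be resurrected run
#   ntdsutil "authoritative restore" "restore database" (or "restore subtree <DN>")
# before the first reboot.
```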
Which of the following Ntdsutil command parameters should you use if you
want to restore the entire directory?
a. Restore database
b. Restore subtree
c. Database restore
d. Subtree restore
The correct answer is a. Database restore and subtree restore are not Ntdsutil
command parameters. Restore subtree is used to restore a portion or a subtree
of the directory.
Why would you need to create additional trees in your Active Directory
forest?
You might need to define more than one tree if your organization has more
than one DNS name.
Under what domain and forest functional levels can you rename or
restructure domains in a forest?
You can rename or restructure the domains in a forest only if all domain
controllers in the forest are running Windows Server 2003, all domain
functional levels in the forest have been raised to Windows Server 2003, and
the forest functional level has been raised to Windows Server 2003.
Under what domain functional level can you rename a domain controller?
You can rename a domain controller only if the domain functionality of the
domain to which the domain controller is joined is set to Windows Server 2003.
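The rename procedure with netdom, as an added example that is not from the original page. Server and domain names are assumptions; the functional-level check reads the domainFunctionality attribute of RootDSE (0 = Windows 2000, 1 = 2003 interim, 2 = Windows Server 2003).

```powershell
# Added example (not from the original page): renaming DC1 to DC1-NEW with
# netdom computername. Names are assumptions. Run as a Domain Admin on the DC itself.
$old = "dc1.corp.example.com"
$new = "dc1-new.corp.example.com"

# Gate the change on the requirement the page states: domain functional level must be
# Windows Server 2003 (domainFunctionality = 2 on RootDSE).
$rootDse = [adsi]"LDAP://RootDSE"
if ([int]$rootDse.domainFunctionality.Value -lt 2) {
    throw "Domain functional level is below Windows Server 2003; DC rename is not supported."
}

# 1. Add the new name as an alternate. The DC registers DNS records and service
#    principal names for both names, so Kerberos keeps working during the transition.
netdom computername $old /add:$new

# 2. Do not make it primary until the alternate name has replicated to every DC and
#    resolves in DNS; check from another DC, not only locally.
repadmin /syncall /A /e /P
nslookup $new

# 3. Promote the alternate name to primary and reboot.
netdom computername $old /makeprimary:$new
shutdown /r /t 0

# 4. After the reboot, once replication has settled, remove the old name so its SPNs and
#    DNS records are cleaned up instead of lingering as a second identity for this host:
#    netdom computername $new /remove:$old
```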
What preliminary tasks must you complete before you can create a forest
trust?
Before you can create a forest trust, you must
1. Make sure each forest can resolve the other's DNS namespace: either use a
DNS root server that is authoritative for both forests, or configure
conditional forwarders (or stub zones) on the DNS servers authoritative for
each forest, pointing at the DNS servers of the other forest.
2. Ensure that the forest functional level of both forests is Windows Server 2003.
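Both prerequisites checked from the command line, as an added example that is not part of the original page. Forest names, the partner DNS server address and the DC names are assumptions; reading the partner's RootDSE relies on the anonymous RootDSE read that LDAP allows by default.

```powershell
# Added example (not from the original page): verify DNS resolution and forest functional
# level before creating a forest trust between corp.example.com and partner.example.net.
# Names and addresses are assumptions. Run on a DNS server / DC in corp.example.com.
$localDns   = "dc1"                   # our DNS server
$partner    = "partner.example.net"
$partnerDns = "10.20.0.5"             # a DNS server authoritative for the partner forest

# 1. Name resolution: conditional forwarder for the partner namespace
#    (a stub zone or a shared root would serve the same purpose).
dnscmd $localDns /ZoneAdd $partner /Forwarder $partnerDns

# Prove the plumbing before touching trusts: the partner's DC locator SRV record is what
# the trust wizard and Kerberos referrals will look up.
$srv = nslookup "-type=SRV" "_ldap._tcp.dc._msdcs.$partner" $localDns 2>&1 | Out-String
if (-not ($srv | Select-String "svr hostname")) {
    throw "Cannot resolve _ldap._tcp.dc._msdcs.$partner via $localDns; fix DNS before creating the trust."
}

# 2. Functional level: RootDSE.forestFunctionality must be 2 (Windows Server 2003) in
#    BOTH forests; 0 is Windows 2000, 1 is Windows Server 2003 interim.
foreach ($dc in @("dc1.corp.example.com", "dc1.$partner")) {
    $fl = [int]([adsi]"LDAP://$dc/RootDSE").forestFunctionality.Value
    if ($fl -lt 2) { throw "$dc reports forest functional level $fl; raise it to Windows Server 2003 first." }
}
"Prerequisites met; create the forest trust in Active Directory Domains And Trusts."

# After the wizard has run, confirm the trust from the command line:
#   netdom trust corp.example.com /domain:$partner /verify
```

Consider selective authentication on the new trust: with forest-wide authentication every user in the partner forest becomes a member of Authenticated Users on your resources, which is more than most partnerships need.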
Which of the following trust types are created implicitly? Choose all that
apply.
a. Tree-root
b. Parent-child
c. Shortcut
d. Realm
e. External
f. Forest
The correct answers are a and b. Shortcut, realm, external, and forest trusts
must all be created manually (explicitly).
What site is created automatically in the Sites container when you install
Active Directory on the first domain controller in a domain?
The Default-First-Site-Name site.
How many subnets must each site have? To how many sites can a subnet be
assigned?
Each site must have at least one subnet, but a subnet can be assigned to only
one site.
You specified a preferred bridgehead server for your network. It fails and
there are no other preferred bridgehead servers available. What is the
result?
If no other preferred bridgehead servers are specified or no other preferred
bridgehead servers are available, replication does not occur to that site even if
there are servers that can act as bridgehead servers.
You have a high-speed T1 link and a dial-up network connection in case the
T1 link is unavailable. You assign the T1 link to have a cost of 100. What
cost value should you assign to the dial-up link?
a. 0
b. 50
c. 100
d. 150
The correct answer is d. Higher costs are used for slow links (the dial-up
connection), and lower costs are used for fast links (the T1 connection).
Because Active Directory always replicates over the lowest-cost available site
link, the less expensive connection (T1) is used as long as it is available,
and the dial-up link is used only when the T1 is down.
For optimum network response time, how many domain controllers in each
site should you designate as a global catalog server?
For optimum network response time and application availability, designate at
least one domain controller in each site as the global catalog server.
The universal group membership caching feature is set for which of the
following?
a. Forest
b. Domain
c. Site
d. Domain controller
The correct answer is c. The universal group membership caching feature must
be set for each site and requires a domain controller to run a Windows Server
2003 operating system.
Which of the following tools can you use to delete an application directory
partition? (Choose all that apply.)
a. Ntdsutil command-line tool
b. Application-specific tools from the application vendor
c. Active Directory Installation Wizard
d. Active Directory Domains And Trusts console
e. Active Directory Sites And Services console
The correct answers are a, b, and c. To delete the application directory
partition, you can use the Active Directory Installation Wizard to remove all
application directory partition replicas from the domain controller, the tools
provided with the application, or the Ntdsutil command-line tool.
You received Event ID 1265 with the error “DNS Lookup Failure.” What are
some actions you might take to remedy the error? (Choose all that apply.)
a. Manually force replication.
b. Reset the domain controller’s account password on the PDC emulator
master.
c. Check the domain controller’s CNAME record.
d. Make sure "Bridge All Site Links" is set correctly.
e. Check the domain controller’s A record.
The correct answers are c and e. This message is often the result of DNS
configuration problems. Each domain controller must register a CNAME record
named DsaGuid._msdcs.ForestName (where DsaGuid is the objectGUID of its NTDS
Settings object), which replication partners use to find it, and an A record in
the appropriate zone. So, by checking the domain controller's CNAME and A
records, you may be able to fix the problem.
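The DNS checks this section calls for (the SRV records after installation, and the A and CNAME records behind Event ID 1265), as one added example that is not part of the original page. Server, domain and site names are assumptions.

```powershell
# Added example (not from the original page): verify the A, SRV and DsaGuid CNAME records
# a domain controller must register. Server, domain and site names are assumptions.
$dc     = "dc1"
$domain = "corp.example.com"
$site   = "Default-First-Site-Name"
$dns    = "dc1"                      # DNS server to query
$ok     = $true

function Resolve-Record($type, $name) {
    # nslookup reports NXDOMAIN as "can't find ..." / "Non-existent domain"; anything else is a hit
    $out = nslookup "-type=$type" $name $dns 2>&1 | Out-String
    return ($out -notmatch "can't find|Non-existent domain")
}

# 1. The A (host) record the DC must register in its own zone
if (-not (Resolve-Record "A" "$dc.$domain")) { $ok = $false; Write-Warning "Missing A record $dc.$domain" }

# 2. The SRV records that advertise the DC as LDAP / Kerberos / GC server, forest-wide and per site
$srvNames = @(
    "_ldap._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain",
    "_ldap._tcp.gc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"
)
foreach ($n in $srvNames) {
    if (-not (Resolve-Record "SRV" $n)) { $ok = $false; Write-Warning "Missing SRV record $n" }
}

# 3. The CNAME <DsaGuid>._msdcs.<forest>; the GUID is the objectGUID of the NTDS Settings object
$dcPath     = ($domain -split "\." | ForEach-Object { "DC=$_" }) -join ","
$settingsDn = "CN=NTDS Settings,CN=$dc,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$dcPath"
$guidBytes  = ([adsi]"LDAP://$settingsDn").objectGUID.Value
$dsaGuid    = (New-Object Guid (,[byte[]]$guidBytes)).ToString()
if (-not (Resolve-Record "CNAME" "$dsaGuid._msdcs.$domain")) { $ok = $false; Write-Warning "Missing CNAME $dsaGuid._msdcs.$domain" }

if ($ok) { "DNS registration for $dc looks complete." }
else {
    # Re-register rather than hand-edit: Netlogon rewrites the SRV/CNAME set, ipconfig the A record
    "Fix on $dc with: ipconfig /registerdns ; net stop netlogon ; net start netlogon"
}
```

If the records are missing only on some DNS servers, the problem is zone replication or a stale secondary, not registration; compare answers from each server by changing the server argument.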
What action must you take to be able to view the Security tab in the
Properties dialog box for an OU?
You must select Advanced Features from the View menu on the Active
Directory Users And Computers console.
How does the icon used for an OU differ from the icon used for a container?
The icon used for an OU is a folder with a book. The icon used for a container is
a folder.
What are the three ways to move Active Directory objects between OUs?
There are three ways to move Active Directory objects between OUs:
■ Use drag and drop
■ Use the Move option on the Active Directory Users And Computers console
■ Use the Dsmove command
What is authentication?
The process by which the system validates the user’s logon information. A
user’s name and password are compared against the list of authorized users. If
the system detects a match, access is granted to the extent specified in the
permissions list for that user.
What is the purpose of the Guest account? What is the default condition of
the Guest account?
The purpose of the built-in Guest account is to provide users who do not have
an account in the domain with the ability to log on and gain access to
resources. By default, the Guest account does not require a password (the
password can be blank) and is disabled. You should enable the Guest account
only in low-security networks and always assign it a password.
Why should you always require new users to change their passwords the
first time that they log on?
Requiring new users to change their passwords means that only they know the
password, which makes the system more secure.
From which tab on a user’s Properties dialog box can you set logon hours?
a. General tab
b. Account tab
c. Profile tab
d. Security tab
The correct answer is b. You set logon hours by clicking the Logon Hours button
on the Account tab in a user’s Properties dialog box.
How can you ensure that a user has a centrally located home folder?
First, create a shared folder on a network server that will contain the user’s
home folder. Second, in the Profiles tab in the Properties dialog box for the
user, provide a path to the shared folder on the server. The next time that the
user logs on, the home folder is available from the My Computer window.
Why would you rename a user account and what is the advantage of doing
so?
Rename a user account if you want a new user to have all of the properties of a
former user, including permissions, desktop settings, and group membership;
the SID stays the same, so everything granted to the old name carries over.
The advantage of renaming an account is that you do not have to rebuild all of
the properties as you do for a new user account. Reset the password at the same
time, otherwise the former user can still log on as the new one.
Why would you disable a user account and what is the advantage of doing
so?
Disable a user account when a user does not need an account for an extended
period, but will need it again. The advantage of disabling a user account is that
when the user returns, you can enable the user account so that the user can
log on to the network again without having to rebuild a new account.
How is a disabled user account designated in the Active Directory Users And
Computers console?
A disabled user account is designated by a red "X".
Why should you select the User Must Change Password At Next Logon check
box when you reset a user’s password?
Select User Must Change Password At Next Logon to force the user to change
his or her password the next time he or she logs on. This way, only the user
knows the password.
When should you use security groups rather than distribution groups?
Use security groups to assign permissions. Use distribution groups when the
only function of the group is not security related, such as an e-mail distribution
list. You cannot use distribution groups to assign permissions.
What strategy should you apply when you use domain and local groups?
Place user accounts into global groups, place global groups into domain local
groups, and then assign permissions to the domain local group.
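The strategy above (accounts into global groups, global groups into domain local groups, permissions on the domain local group) in commands, as an added example that is not part of the original page. The OU, group and user names, and the folder path are assumptions.

```powershell
# Added example (not from the original page): the A-G-DL-P pattern with dsadd, dsmod and
# cacls. DNs, the share path and the account names are assumptions.
$ou     = "OU=Groups,DC=corp,DC=example,DC=com"
$users  = "OU=Users,DC=corp,DC=example,DC=com"
$folder = "D:\Shares\Finance"

# A -> G: a global group describes WHO (a role), seeded with one account
dsadd group "CN=Finance-Staff,$ou" -scope g -secgrp yes -desc "Finance department staff" `
      -members "CN=Alice Example,$users"

# G -> DL: a domain local group describes WHAT (resource + permission) and contains the
# global group; other domains' global groups can be added here too
dsadd group "CN=Finance-Share-Modify,$ou" -scope l -secgrp yes -desc "Modify on $folder" `
      -members "CN=Finance-Staff,$ou"

# DL -> P: only the domain local group ever appears on the ACL.
# /E edits the ACL instead of replacing it; :C grants Change (read/write/delete,
# but not take ownership or change permissions).
cacls $folder /E /G "CORP\Finance-Share-Modify:C"

# Verify the chain end to end: -expand walks nested membership, so Alice shows up
dsget group "CN=Finance-Share-Modify,$ou" -members -expand
cacls $folder

# Onboarding the next finance hire is one command and touches no ACL:
dsmod group "CN=Finance-Staff,$ou" -addmbr "CN=Bob Example,$users"
```

The payoff is auditability: reviewing who can modify the finance share means reading one domain local group's expanded membership, rather than walking every ACL for user accounts that were granted access directly.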
Why is replication an issue with universal groups?
Universal groups and their members are listed in the global catalog. Therefore,
when the membership of any universal group changes, the change must be
replicated to every global catalog in the forest. Below the Windows Server
2003 forest functional level the whole member attribute is replicated on every
change; at the Windows Server 2003 level, linked-value replication sends only
the members that were added or removed, which makes the issue far smaller.
In what domain functional level is changing the group scope allowed? What
scope changes are permitted in this domain functional level?
You can change the scope of groups in a domain whose domain functional level
is set to Windows 2000 native or Windows Server 2003. The following scope
changes are permitted:
■ Global to universal, as long as the group is not a member of another group
having global scope
■ Domain local to universal, as long as the group being converted does not have
another group with a domain local scope as its member
■ Universal to global, as long as the group being converted does not have
another universal group as its member
■ Universal to domain local
The name you select for a group must be unique to which of the following
Active Directory components?
a. forest
b. tree
c. domain
d. site
e. OU
The correct answer is c. The name you select for a group must be unique to the
domain in which the group is created.
What is delegation?
An assignment of administrative responsibility that allows users without
administrative credentials to complete specific administrative tasks or to
manage specific directory objects. Responsibility is assigned through
membership in a security group, the Delegation Of Control Wizard, or Group
Policy settings.
What is permission?
A rule associated with an object to regulate which users can gain access to the
object and in what manner. Permissions are assigned or denied by the object’s
owner.
Which Dsquery command should you use to find users in the directory who
have been inactive for two weeks?
Dsquery user -inactive 2
Which Dsquery command should you use to find computers in the directory
that have been disabled?
Dsquery computer -disabled
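The two searches turned into a review-then-disable workflow for stale accounts, as an added example that is not part of the original page. The OU, the thresholds and the exclusion list are assumptions.

```powershell
# Added example (not from the original page): find stale user accounts with dsquery,
# review them, then disable them with dsmod. OU, thresholds and exclusions are assumptions.
$scope        = "OU=Users,DC=corp,DC=example,DC=com"
$inactiveWks  = 8      # -inactive counts weeks since lastLogonTimestamp
$stalePwdDays = 90     # -stalepwd counts days since pwdLastSet
$keep         = @("svc-backup", "svc-monitoring")   # service accounts handled separately

# 1. Candidates: users not logged on for N weeks OR with a password older than N days.
#    -limit 0 lifts the default cap of 100 results; dsquery quotes each DN, so strip the quotes.
$inactive = dsquery user $scope -inactive $inactiveWks -limit 0
$stalePwd = dsquery user $scope -stalepwd $stalePwdDays -limit 0
$candidates = @($inactive) + @($stalePwd) | ForEach-Object { $_.Trim('"') } | Sort-Object -Unique

# 2. Review before acting. lastLogonTimestamp is replicated but refreshed only about every
#    14 days, so "inactive" is approximate; userAccountControl bit 0x2 means already disabled.
$report = foreach ($dn in $candidates) {
    $e   = [adsi]"LDAP://$dn"
    $uac = [int]$e.userAccountControl.Value
    New-Object PSObject -Property @{
        DN       = $dn
        SamId    = [string]$e.sAMAccountName.Value
        Disabled = (($uac -band 2) -ne 0)
    }
}
$report | Format-Table SamId, Disabled, DN -AutoSize

# 3. Disable rather than delete: the SID and group memberships survive if the account
#    turns out to be needed, and the description records why it was disabled.
$stamp = Get-Date -Format yyyy-MM-dd
foreach ($r in ($report | Where-Object { -not $_.Disabled -and $keep -notcontains $_.SamId })) {
    dsmod user $r.DN -disabled yes -desc "Disabled $stamp: stale (no logon $inactiveWks wk / pwd $stalePwdDays d)"
}

# 4. What the page's second query now returns, for users:
dsquery user $scope -disabled -limit 0
```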
The permissions check boxes for a security principal are shaded. What does
this indicate?
If permission is inherited, its check boxes (located in the Security tab in the
Properties dialog box for an object, and in the Permission Entry dialog box for
an object) are shaded. However, shaded special permissions check boxes do
not indicate inherited permissions. These shaded check boxes merely indicate
that a special permission exists.
How can you remove permissions you set by using the Delegation Of Control
Wizard?
Although the Delegation Of Control Wizard can be used to grant administrative
permissions to containers and the objects within them, it cannot be used to
remove those privileges. If you need to remove permissions, you must do so
manually in the Security tab in the Properties dialog box for the container and
in the Advanced Security Settings dialog box for the container.
For which of the following Active Directory objects can you delegate
administrative control by using the Delegation Of Control Wizard? (Choose
all that apply.)
a. Folder
b. User
c. Group
d. Site
e. OU
f. Domain
g. Shared folder
The correct answers are a, d, e, and f. Folders, sites, OUs, and domains are all
objects for which administrative control can be delegated by using the
Delegation Of Control Wizard.
What is a GPO?
A GPO is a Group Policy Object. Group Policy configuration settings are
contained within a GPO. Each computer running Windows Server 2003 has one
local GPO and can, in addition, be subject to any number of nonlocal (Active
Directory-based) GPOs.
What are the two types of Group Policy settings and how are they used?
The two types of Group Policy settings are computer configuration settings and
user configuration settings. Computer configuration settings are used to set
group policies applied to computers, regardless of who logs on to them, and
are applied when the operating system initializes. User configuration settings
are used to set group policies applied to users, regardless of which computer
the user logs on to, and are applied when the user logs on to the computer.
If you want to create a GPO for a site, what administrative tool should you
use?
Use the Active Directory Sites And Services console to create a GPO for a site.
Besides Read permission, what permission must you assign to allow a user
or administrator to see the settings in a GPO?
Write permission. A user or administrator who has Read access but not Write
access to a GPO cannot use the Group Policy Object Editor to see the settings
that it contains.
What’s the difference between removing a GPO link and deleting a GPO?
When you remove a GPO link to a site, domain, or OU, the GPO still remains in
Active Directory and any other links to it keep working. When you delete a GPO,
the GPO is removed from Active Directory, and any sites, domains, or OUs to
which it was linked are no longer affected by it.
You want to deflect all Group Policy settings that reach the North OU from
all of the OU’s parent objects. To accomplish this, which of the following
exceptions do you apply and where do you apply it?
a. Block Policy Inheritance applied to the OU
b. Block Policy Inheritance applied to the GPO
c. Block Policy Inheritance applied to the GPO link
d. No Override applied to the OU
e. No Override applied to the GPO
f. No Override applied to the GPO link
The correct answer is a. You use the Block Policy Inheritance exception to
deflect all Group Policy settings from the parent objects of a site, domain, or
OU. Block Policy Inheritance can only be applied directly to a site, domain, or
OU, not to a GPO or a GPO link.
You want to ensure that none of the South OU Desktop settings applied to
the South OU can be overridden. To accomplish this, which of the following
exceptions do you apply and where do you apply it?
a. Block Policy Inheritance applied to the OU
b. Block Policy Inheritance applied to the GPO
c. Block Policy Inheritance applied to the GPO link
d. No Override applied to the OU
e. No Override applied to the GPO
f. No Override applied to the GPO link
The correct answer is f. You use the No Override exception to ensure that none
of a GPO's settings can be overridden by any other GPO during the processing
of group policies. No Override can only be applied directly to a GPO link.
What is a share point (in the sense of shared folders, not the SharePoint product)?
A centralized location for key folders on a server or servers, which provides
users with an access point for storing and finding information and
administrators with an access point for managing information.
What are the three tools available for generating RSoP queries?
Windows Server 2003 provides three tools for generating RSoP queries: the
Resultant Set Of Policy Wizard, the Gpresult command-line tool, and the
Advanced System Information-Policy tool.
What is the difference between saving an RSoP query and saving RSoP
query data?
By saving an RSoP query, you can reuse it for processing another RSoP query
later. By saving RSoP query data, you can revisit the RSoP as it appeared for a
particular query when the query was created.
Which RSoP query generating tool provides RSoP query results on a console
similar to a Group Policy Object Editor console?
a. Resultant Set Of Policy Wizard
b. Group Policy Wizard
c. Gpupdate command-line tool
d. Gpresult command-line tool
e. Advanced System Information–Policy tool
f. Advanced System Information–Services tool
The correct answer is a. The Resultant Set Of Policy Wizard provides RSoP
query results on a console similar to a Group Policy Object Editor console.
There is no Group Policy Wizard. Gpupdate and Gpresult are command-line
tools. The Advanced System Information tools provide results in an HTML report
that appears in the Help And Support Center window.
In which Event Viewer log can you find Group Policy failure and warning
messages?
What type of event log records should you look for?
You can find Group Policy failure and warning messages in the application
event log. Event log records with the Userenv source pertain to Group Policy
events.
What diagnostic log file can you generate to record detailed information
about Group Policy processing and in what location is this file generated?
You can generate a diagnostic log to record detailed information about Group
Policy processing to a log file named Userenv.log in the hidden folder
%Systemroot%\Debug\Usermode.
Which of the following actions should you take if you attempt to open a
Group Policy Object Editor console for an OU GPO and you receive the
message Failed To Open The Group Policy Object?
a. Check your permissions for the GPO.
b. Check network connectivity.
c. Check that the OU exists.
d. Check that No Override is set for the GPO.
e. Check that Block Policy Inheritance is set for the GPO.
The correct answer is b. The message Failed To Open The Group Policy Object
indicates a networking problem, specifically a problem with the Domain Name
System (DNS) configuration.
Which of the following actions should you take if you attempt to edit a GPO
and you receive the message Missing Active Directory Container?
a. Check your permissions for the GPO.
b. Check network connectivity.
c. Check that the OU exists.
d. Check that No Override is set for the GPO.
e. Check that Block Policy Inheritance is set for the GPO.
The correct answer is c. The message Missing Active Directory Container is
caused by Group Policy attempting to link a GPO to an OU that it cannot find.
The OU might have been deleted, or it might have been created on another
domain controller but not replicated to the domain controller that you are
using.
What is Assign?
To deploy a program to members of a group where acceptance of the program
is mandatory.
What is publish?
To deploy a program to members of a group where acceptance of the program
is at the discretion of the user.
What are the hardware requirements for deploying software by using Group
Policy?
To deploy software by using Group Policy, an organization must be running
Windows 2000 Server or later, with Active Directory and Group Policy on the
server, and Windows 2000 Professional or later on the client computers.
Describe the tools provided for software deployment.
The Software Installation extension in the Group Policy Object Editor console
on the server is used by administrators to manage software. Add Or Remove
Programs in Control Panel is used by users to manage software on their own
computers.
Which of the following file extensions allows you to deploy software using
the Software Installation extension? (Choose two.)
a. .mst
b. .msi
c. .zap
d. .zip
e. .msp
f. .aas
The correct answers are b and c. Files with the extension .msi are either native
Windows Installer packages or repackaged Windows Installer packages, while
files with the extension .zap are application files. Files with the extensions
.mst and .msp are modifications and do not allow you to deploy software on
their own. Files with the extension .aas are application assignment scripts,
which contain instructions associated with the assignment or publication of a
package.
You want to ensure that all users of the KC23 workstation can run
FrontPage 2000. What action should you perform?
a. Assign the application to the computer.
b. Assign the application to users.
c. Publish the application to the computer.
d. Publish the application to users.
The correct answer is a. Assigning the application to the KC23 workstation is
the only way to ensure that all users of the workstation can run FrontPage
2000.
Attributes for which logs are defined in the Event Log security area?
The Event Log security area defines attributes related to the application,
security, and system event logs in the Event Viewer console.
In which of the following security areas would you find the settings for
determining which security events are logged in the security log on the
computer?
a. Event Log
b. Account Policies
c. Local Policies
d. Restricted Groups
The correct answer is c. You determine which security events are logged in the
security log on the computer in the Audit Policy settings in the Local Policies
security area.
In which of the following file formats can you archive a security log? Choose
three.
a. .txt
b. .doc
c. .rtf
d. .bmp
e. .evt
f. .csv
g. .crv
The correct answers are a, e, and f. Logs can be saved as text (*.txt), event log
(*.evt), or comma-delimited (*.csv) file format.
In which of the following archived file formats can you reopen the file in the
Event Viewer console?
a. .txt
b. .doc
c. .rtf
d. .bmp
e. .evt
f. .csv
g. .crv
The correct answer is e. If you archive a log in log-file (*.evt) format, you can
reopen it in the Event Viewer console.
You filtered a security log to display only the events with Event ID 576.
Then you archived this log. What information is saved?
a. The entire log is saved
b. The filtered log is saved
c. The entire log and the filtered log are each saved separately
d. No log is saved
The correct answer is a. When you archive a log, the entire log is saved,
regardless of filtering options.
In the security analysis results, which icon represents a difference from the
data-base configuration?
a. A red X
b. A red exclamation point
c. A green check mark
d. A black question mark
The correct answer is a. A red X indicates a difference from the database
configuration.
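The audit policy of the previous questions written down as a security template and checked against a server with secedit, which is what the Security Configuration And Analysis snap-in does behind its red-X / green-check display. This is an added example, not part of the original page; the template values and paths are assumptions, and the "Mismatch" wording searched for in the log is assumed.

```powershell
# Added example (not from the original page): audit policy as a security template,
# analyzed with secedit. Values and paths are assumptions; adapt them to your policy.
$work = "C:\SecAudit"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# [Security Log]: size in KB, retention 0 = overwrite as needed, no guest access.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditDSAccess = 2
AuditObjectAccess = 2
AuditProcessTracking = 0
[Security Log]
MaximumLogSize = 131072
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
'@
# Security templates are Unicode text files
Set-Content -Path "$work\audit-baseline.inf" -Value $template -Encoding Unicode

# Analyze: compare the live machine with the template. /overwrite rebuilds the database
# so data from an earlier template cannot mask drift.
secedit /analyze /db "$work\audit.sdb" /cfg "$work\audit-baseline.inf" /overwrite /log "$work\audit-analysis.log" /quiet

# The analysis log lists each differing setting on a "Mismatch" line (assumed wording;
# open the log once on your build to confirm), so a clean run has none.
$drift = Select-String -Path "$work\audit-analysis.log" -Pattern "Mismatch"
if ($drift) { $drift | ForEach-Object { $_.Line } }
else { "Audit policy matches audit-baseline.inf" }

# To enforce rather than report, apply the same template (area SECURITYPOLICY covers
# audit policy, account policy and the event log settings):
#   secedit /configure /db "$work\audit.sdb" /cfg "$work\audit-baseline.inf" /areas SECURITYPOLICY /log "$work\audit-apply.log"
```

Keeping the .inf under version control gives the audit policy a reviewable history, and scheduling the /analyze run turns the snap-in's one-off comparison into a drift check.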
In which locations can you view performance data logged in a counter log?
You can view logged counter data using System Monitor or export the data to a
file for analysis and report generation.
What registry subkey contains the entries for which you can increase the
logging level to retrieve more detailed information in the directory service
log?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Each value under this key (for example "5 Replication Events") controls the
logging level for one area of the directory service; 0 is the default.
Why should you leave logging levels set to 0 unless you are investigating a
problem?
You should leave logging levels set to 0 unless you are investigating a problem
because increasing the logging level increases the detail of the messages and
the number of messages emitted and can degrade server performance.
What are the four steps in the process of analyzing and interpreting
performance-monitoring results?
The four steps are (1) establish a baseline, (2) analyze performance-monitoring
results, (3) plan and implement changes to meet the baseline, and (4) repeat
steps 2 and 3 until performance is optimized.
Installation Facts
Active Directory requires the following:
o TCP/IP running on the servers and clients.
o A DNS server with SRV support.
o Windows 2000 or 2003 operating systems.
After installing Windows 2003, you can install Active Directory using the
Dcpromo command.
Members of the Domain Admins group can add domain controllers to a
domain.
Members of the Enterprise Admins group can perform administrative tasks
across the entire network, including:
o Change the Active Directory forest configuration by adding/removing
domains. (New domains are created when the first domain controller is
installed. Domains are removed when the last domain controller is uninstalled.)
o Add/remove sites.
o Change the distribution of subnets or servers in a site.
o Change site link configuration
You should know the following facts about Active Directory advanced
installations:
Installing from media (dcpromo /adv on Windows Server 2003) creates the
initial Active Directory database from a restored System State backup of an
existing domain controller and then replicates in only the changes made since
the backup. This avoids most of the replication traffic that is normally
generated on the network when a server is promoted to a domain controller,
which matters for remote sites on slow links.
To rename domain controllers, the domain functional level must be at least
Windows 2003 (this means all domain controllers must be running Windows
2003).
Installation Tools
You can use the following tools to troubleshoot an Active Directory
installation:
Tool                    Description
Directory Services log  Use Event Viewer to examine the log. The log lists
                        informational, warning, and error events.
Netdiag                 Run from the command line. Tests domain controller
                        connectivity (in some cases, it can make repairs).
DCDiag                  Analyzes domain controller state and runs tests against
                        the different functional areas of Active Directory.
Dcpromo log files       Located in the %Systemroot%\Debug folder. Dcpromoui.log
                        gives a detailed progress report of Active Directory
                        installation and removal. Dcpromos.log is created when
                        a Windows NT 3.x or NT 4.0 domain controller is
                        upgraded.
Ntdsutil                Can remove orphaned data or a domain controller object
                        from Active Directory (metadata cleanup).
You can also check the following settings to begin troubleshooting an Active
Directory installation:
Make sure the DNS name is properly registered.
Check the spelling in the configuration settings.
PING the computer to verify connectivity.
Verify the domain name to which you are authenticating.
Verify that the username and password are correct.
Verify the DNS settings.
Microsoft gives the following as the best practice procedure for restoring Active
Directory from backup media:
1. Reboot into Directory Services Restore Mode (DSRM). Log on with the DSRM
administrator password specified when the domain controller was promoted (a
local account, not a domain account).
2. Restore the System State data from backup to its original and to an alternate
location.
3. Run Ntdsutil to mark the entire Active Directory database (if you're restoring
the entire database) or specific Active Directory objects (if you're only
restoring selected Active Directory objects) as authoritative.
4. Reboot normally.
5. Restore Sysvol contents by copying the Sysvol directory from the alternate
location to the original location to overwrite the existing Sysvol directory (if
you're restoring the entire database). Or, copy the policy folders (identified by
GUID) from the alternate location to the original location to overwrite the
existing policy folders.
Security Facts
A security principal is an account holder (user, group, or computer) that has a
security identifier (SID).
The Active Directory Migration Tool (ADMT) allows you to move objects between
domains.
Objects moved to a new domain get a new SID, because the SID contains the
domain SID.
ADMT can write the object's original SID into its sIDHistory attribute. The SID
history lets an object moved to a new domain keep being recognized by its
original SID, so existing ACL entries that name the old SID still grant access.
You should know the following information pertaining to identifiers:
Identifier  Description
GUID        Globally Unique Identifier. A 128-bit number that is unique across
            the forest (and, in practice, globally). Assigned to an object when
            it is created; an object's GUID never changes, even if the object
            is renamed or moved.
SID         Security Identifier. A unique value assigned to a security
            principal when the account is created. The system tracks the
            account by its SID rather than by its name, which is why a deleted
            account that is recreated with the same name gets a different SID
            and loses its old permissions. A domain account SID is composed of
            the domain SID and a RID.
RID         Relative Identifier. The last sub-authority of a SID; unique among
            all the SIDs in a domain. RIDs are handed out to domain controllers
            in pools by the domain's RID master.
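The split between domain SID and RID described above can be checked with the .NET SecurityIdentifier type. The following PowerShell is an added example, not code from the original page; the SIDs it uses are constructed sample values, not from any real domain, and it runs offline.

```powershell
# Added example (not from the original page). Splits account SIDs into their
# domain SID and RID using .NET's SecurityIdentifier type, so it runs offline.
# The SIDs below are constructed sample values, not taken from a real domain.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = [System.Security.Principal.SecurityIdentifier]$SidString

    # AccountDomainSid is $null when the SID is not a domain or machine account
    # SID (for example S-1-5-18 LocalSystem or S-1-1-0 Everyone); such SIDs have
    # no RID handed out by a RID master.
    $domainSid = $sid.AccountDomainSid
    $rid = $null
    if ($null -ne $domainSid) {
        $rid = [int64]$SidString.Substring($SidString.LastIndexOf('-') + 1)
    }

    [pscustomobject]@{
        Sid             = $SidString
        DomainSid       = if ($null -ne $domainSid) { $domainSid.Value } else { '(none)' }
        Rid             = $rid
        # RID 500 is the built-in Administrator in every domain; the check uses
        # the well-known-SID table so it works for any domain SID prefix.
        IsAdministrator = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
    }
}

# Constructed sample SIDs: two accounts in one domain, the same RID in a second
# domain, and a built-in SID that belongs to no domain.
$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-500'    # Administrator, domain A
    'S-1-5-21-1004336348-1177238915-682003330-1105'   # ordinary user, domain A
    'S-1-5-21-2222222222-3333333333-3444444444-1105'  # same RID, domain B: a different SID
    'S-1-5-18'                                        # LocalSystem: no domain SID, no RID
)

$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
```

The third row shows why a RID is only unique within its domain: the same RID under a different domain SID is a different principal. Deleting and recreating an account consumes a new RID from the DC's pool, which is why the recreated account does not match any existing ACL entries.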
Group Facts
Active Directory defines three group scopes. The scope determines the domains
from which you can assign members to the group, where the group's permissions
are valid, and which groups you can nest in it.
Scope                Description
Global groups        Used to group users from the local domain. Typically, you
                     assign users who perform similar job functions to a global
                     group. A global group can contain user and computer
                     accounts and (in native mode) other global groups from the
                     domain in which it resides. Global groups can be used to
                     grant permissions to resources in any domain in the forest.
Domain local groups  Used to grant access to resources in the local domain.
                     They have open membership: they may contain user and
                     computer accounts, universal groups, and global groups from
                     any domain in the forest, as well as other domain local
                     groups from their own domain. Domain local groups can only
                     be used to grant permissions to resources in the domain in
                     which they reside.
Trust Types
The following table shows the types of trusts you can create in Active
Directory.
Trust Type    Characteristics and Uses
Tree root     Automatically established between the root domains of two trees
              in the same forest. Transitive and two-way.
Parent/child  Automatically created between a child domain and its parent.
              Transitive and two-way.
Shortcut      Manually created between two domains in the same forest.
              Transitive; one-way or two-way. Create a shortcut trust to
              shorten the trust path and reduce the Kerberos referral traffic
              that authentication across the forest would otherwise generate.
External      Manually created between domains in different forests, or
              between an Active Directory domain and a Windows NT 4.0 domain.
              Not transitive; one-way or two-way.
Forest        Manually created between the forest root domains of two forests.
              Transitive within the two forests (every domain in one forest
              trusts every domain in the other) but not to a third forest;
              one-way or two-way.
Realm         Manually created between an Active Directory domain and a
              non-Windows Kerberos realm.
Trusts have a direction that indicates which way trust flows in the relationship.
The direction of the arrow identifies the direction of trust. For example, if
Domain A trusts Domain B, the arrow would point from Domain A to Domain B.
Domain A is the trusting domain, and Domain B is the trusted domain.
Resource access is granted opposite of the direction of trust. For example, if
Domain A trusts Domain B, users in Domain B have access to resources in
Domain A (remember that users in the trusted domain have access to resources
in the trusting domain).
A two-way trust is the same as two one-way trusts in opposite directions.
Functional Level Types
The table below shows the domain functional levels.
Domain Functional Level: Windows 2000 mixed
Domain controller operating systems: Windows NT 4.0, Windows 2000, Windows
Server 2003
Features available in Windows 2000 mixed:
Universal groups are available only as distribution groups.
Group nesting is available only for distribution groups.
To manually refresh Group Policy settings, use the Gpupdate command with the
following switches:
Switch            Function
(no switch)       Refresh both user and computer Group Policy settings.
/target:user      Refresh only user Group Policy settings.
/target:computer  Refresh only computer Group Policy settings.
Without /force, Gpupdate reapplies only the settings that have changed since
the last refresh; add /force to reapply all settings.
Editing GPO Facts
Group Policy Object Editor has two nodes:
o Computer Configuration to set Group Policies for computers.
o User Configuration to set Group Policies for users.
You can extend each node's capabilities by using snap-ins.
Use an Administrative Template file (.adm) to extend registry settings
available in the Group Policy Editor.
Use the Software setting to automate installation, update, repair, and
removal of software for users or computers.
The Windows setting automates tasks that occur during startup, shutdown,
logon, or logoff.
Security settings allow administrators to set security levels assigned to a
local or non-local GPO.
Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are
linked to the parent objects. To block GPO inheritance,
1. Click the Group Policy tab for the domain or OU for which you want to block
GPO inheritance.
2. Select the Block Policy inheritance check box.
WMI Filtering
You should know the following facts about WMI filtering:
You can use WMI queries to filter the scope of GPOs.
WMI filtering is similar to using security groups to filter the scope of GPOs.
WMI queries are written in WMI query language (WQL).
Loopback Processing
By default, Computer Configuration settings are applied at startup from the
GPOs that apply to the computer object, and User Configuration settings are
applied at logon from the GPOs that apply to the user object. When the same
setting is defined in both nodes, the Computer Configuration setting generally
takes precedence.
Loopback processing (the "User Group Policy loopback processing mode" setting
under Computer Configuration) changes where the user settings come from. In
Replace mode, only the User Configuration settings of the GPOs that apply to
the computer are used; in Merge mode, those settings are applied after the
user's own GPOs and therefore win any conflict. Use loopback processing when:
You want the GPOs that apply to the computer, rather than to the user, to
determine the user settings (kiosks, terminal servers, lab machines).
You want to prevent the user's own User Configuration settings from being
applied at all (Replace mode).
You want the same User Configuration settings for everyone who logs on to the
computer, regardless of where the user account sits in Active Directory.
RSoP
RSoP (Resultant Set of Policy) is the accumulated results of the group policies
applied to a user or computer. You should know the following facts about RSoP:
The RSoP wizard reports on how GPO settings affect users and computers.
The wizard runs in two modes: logging and planning.
The RSoP wizard logging mode reports on existing group policies applied
against computers or users.
The RSoP wizard planning mode simulates the effects policies would have if
applied to computers or users.
RSoP Access
You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here
are some common ways:
Install the RSoP wizard as an MMC snap-in
Use the Start > Run sequence and run Rsop.msc.
You can also select an object in Active Directory Users and Computers and
select Resultant Set of Policy (Planning or Logging) from the All Tasks menu.
Delegation Facts
You should know the following facts about delegating control of group
policies:
Decentralized administrative delegation means that administration is
delegated to OU-level administrators. In decentralized delegation, assign Full
Control permission on the GPOs to the OU administrators.
Centralized administration delegates Full Control only to top-level OU
administrators, who are then responsible for everything below them.
In task-based delegation, administration of specific group policies is
delegated to the administrators who handle those tasks. For example, security
administrators get Full Control of the security GPOs, and application
administrators get Full Control of the application GPOs.
Logon Facts
You should know the following facts about managing logon:
Password and account lockout policies for domain accounts are only effective
in GPOs linked to the domain (in practice, the Default Domain Policy); the same
settings in a GPO linked to an OU affect only the local accounts of the
computers in that OU. A Windows 2000/2003 domain has a single password policy,
so to enforce different password policies you must create additional domains.
Each forest has a single list of alternate user principal name (UPN) suffixes,
which you edit from the properties of the Active Directory Domains and Trusts
node. After adding an alternate UPN suffix, you can configure user accounts in
every domain of the forest to use the same suffix, simplifying logon for users
throughout the forest.
You should be familiar with the following password and account lockout policy
settings:
Setting                              Description
Enforce password history             Keeps a history of the user's previous
                                     passwords (0 to 24) so that they cannot be
                                     reused.
Minimum password length              How many characters a valid password must
                                     have (0 to 14).
Minimum password age                 How long a user must keep a new password
                                     before changing it again. This stops users
                                     cycling through the history to return to a
                                     favourite password.
Password must meet complexity        The password may not contain the user's
requirements                         account name or any part of the user's
                                     full name longer than two characters, must
                                     be at least six characters long, and must
                                     contain characters from at least three of
                                     these four categories: uppercase letters,
                                     lowercase letters, digits, and
                                     non-alphanumeric characters.
Maximum password age                 How often users are forced to change
                                     their password.
Account lockout threshold            How many incorrect passwords can be
                                     entered before the account is locked out.
                                     0 means the account is never locked out.
Account lockout duration             How long an account stays locked once it
                                     has been locked. 0 means an administrator
                                     must unlock the account manually; any
                                     other value is the number of minutes until
                                     the account is unlocked automatically.
Reset account lockout counter after  How many minutes must pass after a failed
                                     logon attempt before the bad-password
                                     counter resets to zero.
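The complexity rule and the threshold/reset interaction in the table are easier to reason about when replayed on sample data. The PowerShell below is an added example, not code from the original page: it models the rules on constructed passwords and failed-logon timestamps and does not talk to a domain. The account names, passwords and times are made up.

```powershell
# Added example (not from the original page). Models the Windows password
# complexity rule and the lockout threshold / reset-counter interaction on
# constructed inputs; it does not talk to a domain.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinimumLength = 8,        # "Minimum password length"; the complexity rule itself needs 6
        [string[]]$History = @()        # "Enforce password history": previous passwords
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinimumLength) { $reasons.Add("shorter than $MinimumLength characters") }
    if ($History -contains $Password)        { $reasons.Add('reuses a password in the history') }

    # Name check: the account name anywhere, and any part of the display name
    # longer than two characters (Windows splits it on , . - _ space # and tab).
    # -match is case-insensitive in PowerShell, as the Windows check is.
    if ($SamAccountName.Length -gt 2 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons.Add('contains the account name')
    }
    foreach ($part in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($part.Length -gt 2 -and $Password -match [regex]::Escape($part)) {
            $reasons.Add("contains name part '$part'"); break
        }
    }

    # Character categories: at least three of four. (The real rule also counts
    # non-Latin letters as a fifth category; ASCII passwords are unaffected.)
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons.Add("uses only $categories of 4 character categories") }

    [pscustomobject]@{ Password = $Password; Passes = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

function Get-LockoutTime {
    # Replays failed-logon timestamps against "Account lockout threshold" and
    # "Reset account lockout counter after". Returns the time of the failure
    # that locked the account, or $null if it never locked.
    param([datetime[]]$Failures, [int]$Threshold = 5, [int]$ResetAfterMinutes = 30)
    if ($Threshold -eq 0) { return $null }           # 0 = never lock out
    $count = 0; $previous = $null
    foreach ($t in ($Failures | Sort-Object)) {
        if ($previous -and ($t - $previous).TotalMinutes -ge $ResetAfterMinutes) { $count = 0 }
        $count++; $previous = $t
        if ($count -ge $Threshold) { return $t }
    }
    return $null
}

# Constructed test data.
$user = 'jsmith'; $name = 'John Smith'
'Summer2024!', 'Smith2024!', 'password1', 'P@ssw0rd' |
    ForEach-Object { Test-PasswordComplexity $_ $user $name -History 'P@ssw0rd' } |
    Format-Table -AutoSize

# Five failures within 20 minutes lock the account; the same five spread 40
# minutes apart never do, because the counter resets between attempts.
$base   = [datetime]'2005-03-01 09:00'
$burst  = 0..4 | ForEach-Object { $base.AddMinutes($_ * 5) }
$spread = 0..4 | ForEach-Object { $base.AddMinutes($_ * 40) }
"Burst locks at:  $(Get-LockoutTime $burst)"
"Spread locks at: $(Get-LockoutTime $spread)"
```

Of the four sample passwords only Summer2024! passes: Smith2024! contains a part of the full name, password1 uses two character categories, and P@ssw0rd is rejected because it is in the supplied history even though it satisfies complexity. The lockout replay shows why an attacker who paces guesses slower than the reset window never trips the threshold, which is the argument for a long reset window rather than a low threshold alone.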
Automatic Certificate Enrollment Facts
You should know the following facts about using Group Policy to configure
automatic certificate enrollment:
Before you can add an automatic certificate request, the certificate
templates must be available on an enterprise CA. Run Certtmpl.msc (the
Certificate Templates console) to manage the certificate templates.
For a completely automatic certificate installation, set the Request Handling
options of the certificate template to enroll the subject without requiring any
user input.
Without the Request Handling option selected, the user will be prompted for
input during the certificate enrollment phase.
An icon on the taskbar will also appear, which users can click to start the
enrollment process.
Replication Facts
You should know the following facts about replication:
Active Directory automatically decides which servers are the bridgehead
servers (generally, the first domain controller in the site).
To force a specific server to be the bridgehead server, you must manually
configure it as the bridgehead server.
To designate a preferred bridgehead server, edit the server object
properties in Active Directory Sites and Services.
Replication between sites occurs only between the bridgehead servers.
To have different replication settings for different WAN links, you need to
configure multiple site links.
For complete flexibility, you should create a site link for each network
connection between sites.
The default link cost is 100.
A higher cost for a link is less desirable. To force traffic over one link, set a
lower cost. For example, set a lower cost for high-speed links to force traffic
over the high speed link. Configure a higher cost for dial-up links that are used
as backup links.
Costs are additive when multiple links are required between sites.
Use SMTP replication for high-latency or unreliable links where RPC-over-IP
replication would probably fail. SMTP can replicate only the schema,
configuration, and global catalog partitions, not the domain partition, so
domain controllers of the same domain in different sites must still reach
each other over RPC.
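The additive-cost rule above decides which route the KCC builds when several site links could connect two sites. The PowerShell below is an added example, not code from the original page: it runs a shortest-path search over a constructed set of site links (names, sites and costs are sample values) and leaves out the schedule handling that the real KCC also performs.

```powershell
# Added example (not from the original page). Computes the lowest total cost
# path between sites over a set of site links, the way the KCC chooses a route
# when site link bridging is enabled (the default) and costs add up across
# links. Site names, link names and costs are constructed sample values; the
# KCC also considers schedules, which this model leaves out.

$siteLinks = @(
    @{ Name = 'HQ-Branch1 (T1)';          Sites = @('HQ', 'Branch1');      Cost = 100 }
    @{ Name = 'HQ-Branch2 (T1)';          Sites = @('HQ', 'Branch2');      Cost = 100 }
    @{ Name = 'Branch1-Branch2 (dialup)'; Sites = @('Branch1', 'Branch2'); Cost = 500 }  # backup link: high cost
    @{ Name = 'Branch2-Remote (frame)';   Sites = @('Branch2', 'Remote');  Cost = 200 }
)

function Get-CheapestSitePath {
    param([Parameter(Mandatory)][hashtable[]]$Links,
          [Parameter(Mandatory)][string]$From,
          [Parameter(Mandatory)][string]$To)

    # Adjacency list: site -> neighbours reachable over one link.
    $adjacent = @{}
    foreach ($link in $Links) {
        foreach ($site in $link.Sites) {
            if (-not $adjacent.ContainsKey($site)) { $adjacent[$site] = @() }
            foreach ($other in $link.Sites) {
                if ($other -ne $site) {
                    $adjacent[$site] += @{ Site = $other; Cost = $link.Cost; Link = $link.Name }
                }
            }
        }
    }

    # Dijkstra over the site graph; edge weight is the site link cost.
    $distance = @{ $From = 0 }
    $previous = @{}
    $visited  = @{}
    while ($true) {
        $current = $distance.Keys |
            Where-Object { -not $visited.ContainsKey($_) } |
            Sort-Object { $distance[$_] } |
            Select-Object -First 1
        if (-not $current -or $current -eq $To) { break }
        $visited[$current] = $true
        foreach ($edge in $adjacent[$current]) {
            $candidate = $distance[$current] + $edge.Cost
            if (-not $distance.ContainsKey($edge.Site) -or $candidate -lt $distance[$edge.Site]) {
                $distance[$edge.Site] = $candidate
                $previous[$edge.Site] = @{ Site = $current; Link = $edge.Link }
            }
        }
    }

    if (-not $distance.ContainsKey($To)) { return $null }   # no route: the sites are not connected

    $hops = @()
    $site = $To
    while ($site -ne $From) { $hops = @($previous[$site].Link) + $hops; $site = $previous[$site].Site }
    [pscustomobject]@{ From = $From; To = $To; TotalCost = $distance[$To]; Route = ($hops -join ' -> ') }
}

# Branch1 -> Branch2 goes through HQ (100 + 100 = 200) rather than over the
# direct 500-cost dial-up link; HQ -> Remote costs 100 + 200 = 300.
Get-CheapestSitePath $siteLinks 'Branch1' 'Branch2'
Get-CheapestSitePath $siteLinks 'HQ' 'Remote'
Get-CheapestSitePath $siteLinks 'HQ' 'Island'   # returns nothing: no site link reaches Island
```

The dial-up link is only used when both T1 links to HQ are unavailable, which is exactly the backup behaviour the cost guidance above is after. If site link bridging is disabled, only sites joined by a single link can replicate directly, and the multi-hop routes this function finds would not be built.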
• What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is a directory service
protocol that runs directly over the TCP/IP stack
• Where is the AD database held? What other folders are related to AD?
The AD database is stored in %systemroot%\NTDS. The main files that make up the
directory are ntds.dit (the database), edb.log (the current transaction log),
res1.log and res2.log (reserved log space so the database can shut down
cleanly if the disk fills), and edb.chk (the checkpoint file).
• What is the SYSVOL folder? SYSVOL holds the file-based parts of Active
Directory that are replicated among the domain controllers of a domain: the
Group Policy templates (the GUID-named policy folders) and logon scripts
(shared as NETLOGON). It must be created on an NTFS partition.
Application directory partitions are usually created by the applications that will
use them to store and replicate data. For testing and troubleshooting purposes,
members of the Enterprise Admins group can manually create or manage
application directory partitions using the Ntdsutil command-line tool.
To find the global catalog servers in a forest, you can use Replmon.exe,
Active Directory Sites and Services (the Global Catalog check box on a
server's NTDS Settings object), or DNS: nslookup gc._msdcs.<forest root DNS
name>. From the command line you can also use DSQUERY:
dsquery server -isgc finds the GCs in the current domain.
dsquery server -forest -isgc finds all the GCs in the forest.
Replmon is the first tool you should use when troubleshooting Active
Directory replication issues. As it is a graphical tool, replication issues
are easy to see and somewhat easier to diagnose than with its command-line
counterparts. The purpose of this document is to guide you in how to use it,
list some common replication errors, and show some examples of when
replication issues can stop other network installation actions.
• How can you forcibly remove AD from a server, and what do you do
later?
• Demote the server using dcpromo /forceremoval, then remove the metadata from
Active Directory using ntdsutil. There is no way to get user passwords from AD
that I am aware of, but you should still be able to change them.
• Another way out too
• Restart the DC in DSRM mode.
• a. Locate the following registry subkey:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
• b. In the right pane, double-click ProductType.
• c. Type ServerNT in the Value data box, and then click OK.
• Restart the server in normal mode.
• It's a member server now, but the AD entries are still there. Promote the
server to a fake domain, say ABC.com, and then remove it gracefully using
DCpromo. Otherwise, after the restart you can also use ntdsutil to do the
metadata cleanup as described in the earlier post.
• What tool would I use to try to grab security related packets from the
wire?
Use a packet sniffer. A good free one is Ethereal (www.ethereal.com), which
has since been renamed Wireshark. Conversely, sniffer-detecting tools can help
you find snoops running a sniffer on your own network.
Sample output from adprep /forestprep, here upgrading the schema from version
30 (Windows Server 2003) to 31 (Windows Server 2003 R2):
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
For more information about preparing your forest and domain see KB article
Q331161 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and
press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries..........................................................
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
• How would you find all users that have not logged on since last
month?
• Using only native commands, JSILLD.bat produces a sorted, formatted
report of users who have not logged on since YYYYMMDD.
• The report is sorted by UserName and list the user's full name and last
logon date.
• The syntax for using JSILLD.bat is:
• JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
• where:
• YYYYMMDD will report all users who have not logged on since this
date.
• /N is an optional parameter that will bypass users who have never
logged on.
• JSILLD.bat contains:
@echo off
setlocal
REM JSILLD.bat - report domain users who have not logged on since YYYYMMDD.
REM Uses only NET USER and FINDSTR. Date parsing assumes the US M/D/YYYY
REM format that NET USER prints on an English (US) system.
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
set dte=%2
REM Validate the YYYYMMDD argument field by field.
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
REM NET USER /DOMAIN prints up to three user names per line in 25-character
REM columns. Skip the header and footer lines and parse each remaining line.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do call :parse "%%i"
endlocal
goto :EOF
:parse
REM Strip the surrounding quotes, then take each 25-character column in turn.
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
set fullname=
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
set fullname=
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
set fullname=
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
REM Called once per line of "NET USER name /DOMAIN" output. Remember the
REM Full Name line; act only on the Last logon line (value starts at column 29).
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
REM Normalize two-digit years: 93-99 -> 19xx, 00-92 -> 20xx.
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
REM Zero-pad month and day so the YYYYMMDD string compares correctly.
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
REM Pad the columns and append one line to the output file.
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
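The batch file above scrapes NET USER output one account at a time. The PowerShell below is an added example, not part of the original page: it answers the same question from the replicated lastLogonTimestamp attribute on constructed user records, so it runs offline. Against a live domain you would feed it objects carrying sAMAccountName, displayName and lastLogonTimestamp from dsquery or an LDAP search; that step is left out here.

```powershell
# Added example (not from the original page). Reports users who have not logged
# on since a given date from the lastLogonTimestamp attribute, the replicated
# form of last logon that one query against any DC can read. The user records
# below are constructed; against a live domain, pass in objects that carry
# sAMAccountName, displayName and lastLogonTimestamp.

function Get-StaleUser {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][datetime]$Since,
        [switch]$SkipNeverLoggedOn       # like JSILLD's /N
    )
    foreach ($u in $Users) {
        $raw = $u.lastLogonTimestamp
        if (-not $raw) {                 # 0 or missing: never logged on
            if ($SkipNeverLoggedOn) { continue }
            $last = $null
        } else {
            # AD stores the value as a Windows FILETIME (100-ns ticks since 1601, UTC).
            $last = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($last -ge $Since) { continue }
        }
        [pscustomobject]@{
            UserName  = $u.sAMAccountName
            FullName  = $u.displayName
            LastLogon = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'Never' }
        }
    }
}

# Constructed records; the FILETIME values are generated from the dates shown.
function New-Record($sam, $name, $lastLogon) {
    [pscustomobject]@{
        sAMAccountName     = $sam
        displayName        = $name
        lastLogonTimestamp = if ($lastLogon) {
            [datetime]::SpecifyKind([datetime]$lastLogon, [DateTimeKind]::Utc).ToFileTimeUtc()
        } else { 0 }
    }
}
$users = @(
    New-Record 'jsmith'  'John Smith'   '2005-01-15'
    New-Record 'mjones'  'Mary Jones'   '2005-03-20'
    New-Record 'svc_bak' 'Backup agent' $null
    New-Record 'tbrown'  'Tom Brown'    '2004-11-02'
)

# jsmith, svc_bak (Never) and tbrown are reported; mjones logged on after the cutoff.
Get-StaleUser -Users $users -Since ([datetime]'2005-03-01') | Sort-Object UserName | Format-Table -AutoSize
# With the /N equivalent, svc_bak drops out.
Get-StaleUser -Users $users -Since ([datetime]'2005-03-01') -SkipNeverLoggedOn | Format-Table -AutoSize
```

lastLogonTimestamp is only rewritten when the stored value is more than about 14 days old (minus a random offset), so it is accurate to roughly two weeks, which is good enough for a "not since last month" report. The per-logon lastLogon attribute is exact but not replicated, so a precise answer requires querying every domain controller.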
The DS command-line tools share one syntax: Tool object "DN" -switch value,
where the DN is the object's LDAP distinguished name. For example:
DSadd user "cn=billy,ou=managers,dc=cp,dc=com" -pwd cX49pQba
This adds a user called Billy to the Managers OU and sets the password
to cX49pQba.
Here are some of the common DS switches which work with DSadd and
DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam
account name).
The best way to learn about this DS family is to logon at
a domain controller and experiment from the command line. I have
prepared examples of the two most common programs. Try some sample
commands for DSadd.
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they
operate at the command line, use powerful verbs, and produce plenty of
action. One pre-requisite for getting the most from this DS family is a
working knowledge of LDAP.
If you need to query users or computers from a range of OU's and then
return information, for example, office, department manager. Then
DSQuery and DSGet would be your tools of choice. Moreover, you can
export the information into a text file
Ldifde
The LDAP Data Interchange Format (LDIF) is an Internet standard (RFC 2849)
file format for performing batch operations against directories that conform
to the LDAP standards. LDIF can be used to export and import data, allowing
batch operations such as add, modify, and delete to be performed against
Active Directory. The LDIFDE utility included with Windows 2000 and later
supports batch operations based on the LDIF file format, and is the tool to
reach for when migrating or bulk-loading directory data, including schema
extensions, that CSV cannot express.
Csvde
Csvde imports and exports Active Directory data using files in
comma-separated value (CSV) format, and so supports batch operations based on
the CSV file format standard. Csvde cannot import passwords, so user accounts
it creates are disabled until a password is set.
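The header renaming that the next paragraph describes for Exchange exports (obj-class to objectClass, Display Name to displayName) is a mechanical transformation. The PowerShell below is an added example, not code from the original page: it rewrites the headers of a constructed sample export so that csvde can import it. Only the two renames the page names are in the map; any further attribute mappings are an assumption you fill in for your own export.

```powershell
# Added example (not from the original page). Renames the column headers of an
# Exchange-style directory export to the Active Directory attribute names that
# csvde expects, on a constructed sample file. Only the two renames this
# section names are in the map; further mappings are an assumption to fill in.

$headerMap = @{
    'obj-class'    = 'objectClass'
    'Display Name' = 'displayName'
}

function Convert-ExchangeCsvHeader {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # raw lines of the source .csv
        [Parameter(Mandatory)][hashtable]$Map
    )
    $rows = $CsvLines | ConvertFrom-Csv
    $converted = foreach ($row in $rows) {
        $out = [ordered]@{}
        foreach ($column in $row.PSObject.Properties) {
            $name = if ($Map.ContainsKey($column.Name)) { $Map[$column.Name] } else { $column.Name }
            $out[$name] = $column.Value
        }
        [pscustomobject]$out
    }
    # csvde needs the DN in the first column and every other header to be an
    # LDAP attribute name; ConvertTo-Csv re-quotes fields so DNs with commas survive.
    $converted | ConvertTo-Csv -NoTypeInformation
}

# Constructed export: the first column is the DN csvde uses to create each object.
$exchangeExport = @(
    'DN,obj-class,Display Name,sAMAccountName,userPrincipalName'
    '"CN=Billy,OU=Managers,DC=cp,DC=com",user,Billy Manager,billy,billy@cp.com'
    '"CN=Sales Team,OU=Groups,DC=cp,DC=com",group,Sales Team,sales,'
)

Convert-ExchangeCsvHeader -CsvLines $exchangeExport -Map $headerMap
```

Pipe the output to Set-Content to write the corrected file, then import it with csvde -i -f <file>. Run csvde -f export.csv -r "(objectClass=user)" against a test OU first to see the exact column names your forest's schema expects before trusting the map.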
The source .csv file can come from an Exchange Server directory export.
However, because of the difference in attribute mappings between the
Exchange Server directory and Active Directory, you must make some
modifications to the .csv file. For example, a directory export from Exchange
Server has a column that is named "obj-class" that you must rename to
"objectClass." You must also rename "Display Name" to "displayName."
• What are the FSMO roles? Who has them by default? What happens
when each one fails?
FSMO stands for Flexible Single Master Operations.
There are five roles:
• Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is
replicated from the schema master to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema
master. There can be only one schema master in the whole forest.
• Domain naming master:
The domain naming master domain controller controls the addition or
removal of domains in the forest. This DC is the only one that can add or
remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one
domain naming master in the whole forest.
• Infrastructure Master:
When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID (for
references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller
acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain
controller that is not a Global Catalog server (GC). If the Infrastructure
Master runs on a Global Catalog server it will stop updating object
information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial
replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that
effect will be logged on that DC's event log. If all the domain controllers
in a domain also host the global catalog, all the domain controllers have
the current data, and it is not important which domain controller holds
the infrastructure master role.
• Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all
domain controllers in a particular domain. When a DC creates a security
principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all
SIDs created in a domain), and a relative ID (RID) that is unique for each
security principal SID created in a domain. Each DC in a domain is
allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's
RID master. The domain RID master responds to the request by retrieving
RIDs from the domain's unallocated RID pool and assigns them to the pool
of the requesting DC. At any one time, there can be only one domain
controller acting as the RID master in the domain.
• PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise.
Windows 2000/2003 includes the W32Time (Windows Time) time service
that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time.
The purpose of the time service is to ensure that the Windows Time
service uses a hierarchical relationship that controls authority and does
not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC
emulator at the root of the forest becomes authoritative for the
enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of
domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of
an incorrect password are forwarded to the PDC emulator before a bad
password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from
the GPO copy found in the PDC emulator's SYSVOL share, unless the
administrator configures otherwise.
The PDC emulator performs all of the functionality that a Microsoft
Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows
NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all
workstations, member servers, and domain controllers that are running
Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The
PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.
• I want to look at the RID allocation table for a DC. What do I do?
Install the Windows Support Tools from the OS installation CD
(\Support\Tools\Suptools.msi), then run dcdiag /test:ridmanager /v, which
lists the RID pool allocated to the DC and the next RID it will hand out.
If the domain controller that is the Schema Master FSMO role holder is
temporarily unavailable, DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect
the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema
Master must be completely reformatted and the operating system must be
cleanly installed, if you intend to return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System
Partition is the partition that contains the startup files, NTDetect.com, NTLDR,
Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles
to the first domain controller in the forest root domain. The first domain
controller in each new child or tree domain is assigned the three domain-wide
roles. Domain controllers continue to own FSMO roles until they are reassigned
by using one of the following methods:
• An administrator reassigns the role by using a GUI administrative tool.
• An administrator reassigns the role by using the ntdsutil /roles
command.
• An administrator gracefully demotes a role-holding domain controller by
using the Active Directory Installation Wizard. This wizard reassigns any
locally-held roles to an existing domain controller in the forest.
Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by
an administrator.
A domain controller whose FSMO roles have been seized should not be
permitted to communicate with existing domain controllers in the forest. In
this scenario, you should either format the hard disk and reinstall the operating
system on such domain controllers or forcibly demote such domain controllers
on a private network and then remove their metadata on a surviving domain
controller in the forest by using the ntdsutil /metadata cleanup command. The
risk of introducing a former FSMO role holder whose role has been seized into
the forest is that the original role holder may continue to operate as before
until it inbound-replicates knowledge of the role seizure. Known risks of two
domain controllers owning the same FSMO roles include creating security
principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member
computer or domain controller that is located in the forest where FSMO roles
are being transferred. We recommend that you log on to the domain controller
that you are assigning FSMO roles to. The logged-on user should be a member of
the Enterprise Administrators group to transfer the Schema master or Domain
naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and Infrastructure master roles are
being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the
Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where
servername is the name of the domain controller you want to assign the
FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to
transfer. For a list of roles that you can transfer, type ? at the fsmo
maintenance prompt, and then press ENTER, or see the list of roles at the
start of this article. For example, to transfer the RID master role, type
transfer rid master. The one exception is for the PDC emulator role,
whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER
to gain access to the ntdsutil prompt. Type q, and then press ENTER to
quit the Ntdsutil utility.
Notes
o Under typical conditions, all five roles must be assigned to "live"
domain controllers in the forest. If a domain controller that owns a
FSMO role is taken out of service before its roles are transferred,
you must seize all roles to an appropriate and healthy domain
controller. We recommend that you only seize all roles when the
other domain controller is not returning to the domain. If it is
possible, fix the broken domain controller that is assigned the FSMO
roles. You should determine which roles are to be on which
remaining domain controllers so that all five roles are assigned to a
single domain controller. For more information about FSMO role
placement, click the following article number to view the article in
the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/) FSMO placement and
optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not
present in the domain and if it has had its roles seized by using the
steps in this article, remove it from the Active Directory by
following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498
(http://support.microsoft.com/kb/216498/) How to remove data in
Active Directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000
version or the Windows Server 2003 build 3790 version of the
ntdsutil /metadata cleanup command does not relocate FSMO roles
that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates
this task and removes additional elements of domain controller
metadata.
o Some customers prefer not to restore system state backups of
FSMO role-holders in case the role has been reassigned since the
backup was made.
o Do not put the Infrastructure master role on the same domain
controller as the global catalog server. If the Infrastructure master
runs on a global catalog server it stops updating object information
because it does not contain any references to objects that it does
not hold. This is because a global catalog server holds a partial
replica of every object in the forest.
• To ensure that a good backup includes at least the system state data and
the contents of the system disk, you must be aware of the tombstone
lifetime. By default, the tombstone lifetime is 60 days, so any backup older
than 60 days is not a good backup. Plan to back up at least two domain
controllers in each domain, and keep at least one backup that enables an
authoritative restore of the data when necessary.
• Active Directory system state data does not contain Active Directory
unless the server, on which you are backing up the system state data, is
a domain controller. Active Directory is present only on domain
controllers.
The SYSVOL shared folder: This shared folder contains Group policy
templates and logon scripts. The SYSVOL shared folder is present only on
domain controllers.
The Registry: This database repository contains information about the
computer's configuration.
System startup files: Windows Server 2003 requires these files during its
initial startup phase. They include the boot and system files that are
under Windows File Protection and used by Windows to load, configure,
and run the operating system.
The COM+ Class Registration database: The Class registration is a
database of information about Component Services applications.
The Certificate Services database: This database contains certificates
that a server running Windows Server 2003 uses to authenticate users.
The Certificate Services database is present only if the server is
operating as a certificate server.
System state data contains most elements of a system's configuration,
but it may not include all of the information that you require to recover
data from a system failure. Therefore, be sure to back up all boot and
system volumes, including the System State, when you back up your
server.
Method 1
If Windows 2000 Service Pack 2 or later is installed on your computer, you can
use the Setpwd.exe utility to change the SAM-based Administrator password. To
do this:
setpwd /s:servername
4. When you are prompted to type the password for the Directory Service
Restore Mode Administrator account, type the new password that you
want to use.
NOTE: If you make a mistake, repeat these steps to run setpwd again.
Method 2
• What are GPOs? Group Policy gives you administrative control over users
and computers in your network. By using Group Policy, you can define
the state of a user's work environment once, and then rely on Windows
Server 2003 to continually enforce the Group Policy settings that you apply
across an entire organization or to specific groups of users and
computers.
• Group Policy Advantages
You can assign Group Policy in domains, sites and organizational units.
Group Policy settings affect all users and computers in the domain, site
and organizational unit.
By default, only administrators have the privilege to change Group Policy
settings; no other user in the network can change them, so it is very
secure.
Policy settings can be removed, and the changes can later be rewritten.
Where GPOs store Group Policy information
Group Policy objects store their Group Policy information in two
locations:
Managing GPOs
To avoid conflicts in replication, consider the selection of the domain
controller, especially because the GPO data resides in both the SYSVOL folder
and Active Directory. Active Directory uses two independent replication
techniques to replicate GPO data among all domain controllers in the
domain. Whether one administrator's changes can overwrite those made by
another administrator depends on the replication latency. By default, the
Group Policy Management Console uses the PDC Emulator so that all
administrators work on the same domain controller.
• WMI Filter
WMI filters are used to refine the scope of GPOs based on attributes of
the user or computer. In this way, you can extend GPO filtering
beyond the security group filtering mechanism that was previously
available.
• A WMI filter can be linked to a GPO. When you apply a GPO to the
destination computer, Active Directory evaluates the filter on the
destination computer. A WMI filter consists of one or more queries that
Active Directory evaluates against the WMI repository of the destination
computer. If the set of queries evaluates to false, Active Directory does not
apply the GPO; if it evaluates to true, Active Directory applies the GPO. You
write the queries by using the WMI Query Language (WQL), a language similar
to SQL for querying the WMI repository.
• Also consider how you will implement Group Policy for the organization.
Be sure to consider the delegation of authority, separation of
administrative duties, central versus decentralized administration, and
design flexibility so that your plan will provide for ease of use as well as
administration.
• Planning GPOs
Create GPOs in way that provides for the simplest and most manageable
design -- one in which you can use inheritance and multiple links.
2. Site: Any GPOs that have been linked to the site that the computer
belongs to are processed next. Processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for the site
in Group Policy Management Console (GPMC). The GPO with the lowest
link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that
are linked to the organizational unit of which the computer or user is a
direct member are processed last, which overwrites settings in the
earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
With all of these benefits, there are still negatives in using the GPMC alone.
Granted, the GPMC is needed and should be used by everyone for what it is
ideal for. However, it does fall a bit short when you want to protect the GPOs
from the following:
• Role-based delegation of GPO management
• Being edited in production, potentially causing damage to desktops and
servers
• Forgetting to back up a GPO after it has been modified
• Change management of each modification to every GPO
• What are the GPC and the GPT? Where can I find them?
GPOs store group policy settings in two locations: a Group Policy
container (GPC) (preferred) and a Group Policy template (GPT). The GPC
is an Active Directory object that stores version information, status
information, and other policy information (for example, application
objects).
The GPT is used for file-based data and stores software policy, script,
and deployment information. The GPT is located on the system volume
folder of the domain controller. A GPO can be associated with one or
more Active Directory containers, such as a site, domain, or
organizational unit. Multiple containers can be associated with the same
GPO, and a single container can have more than one associated GPO.
Declare your class as Final. A final class cannot be inherited by any other
class.
You can block policy inheritance for a domain or organizational unit.
Using Block Inheritance prevents GPOs linked to higher sites, domains, or
organizational units from being automatically inherited by the child
level. By default, children inherit all GPOs from the parent, but it is
sometimes useful to block inheritance. For example, if you want to
apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level
(from which all organizational units inherit policies by default), and then
block inheritance only on the organizational unit to which the policies
should not be applied.
For example:
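The processing order described above (local, site, domain, OU; lowest link order processed last and winning conflicts) and the effect of Block Inheritance can be modelled in a few lines. The following is an added example, not code from the original notes or from Microsoft: the container names, GPO names and settings are constructed, and Enforced links, security filtering and WMI filtering are deliberately left out.

```python
"""Model of Group Policy processing order (local, site, domain, OU) and Block Inheritance.

Added example, not part of the original notes. All container names, GPO names
and settings are constructed; Enforced links and filtering are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Container:
    """A local computer, site, domain or OU together with its linked GPOs."""
    name: str
    kind: str                                   # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)   # (link_order, gpo_name); link order 1 = highest precedence
    block_inheritance: bool = False


def processing_order(path):
    """Return GPO names in the order they are processed for a target whose
    container chain is `path`: local, site, domain, then OUs from parent to child."""
    effective = []
    for container in path:
        if container.block_inheritance:
            # Block Inheritance drops GPOs linked at higher sites, domains and OUs;
            # the local GPO is still processed.
            effective = [c for c in effective if c.kind == "local"]
        effective.append(container)
    order = []
    for container in effective:
        # Within one container the highest link order is processed first, so the
        # GPO with link order 1 is processed last and wins any conflict.
        for _, gpo_name in sorted(container.links, reverse=True):
            order.append(gpo_name)
    return order


def resolve_settings(path, gpos):
    """Apply GPOs in processing order: a later GPO overwrites a conflicting
    setting from an earlier one; non-conflicting settings simply aggregate."""
    effective = {}
    for gpo_name in processing_order(path):
        effective.update(gpos[gpo_name])
    return effective


# Constructed sample data (setting names are illustrative only).
GPOS = {
    "Local Policy": {"screensaver_timeout": 600, "wallpaper": "local.bmp"},
    "Site Policy": {"proxy": "proxy-site.corp.example"},
    "Default Domain Policy": {"screensaver_timeout": 900, "homepage": "https://intranet.corp.example"},
    "Browser Policy": {"homepage": "https://portal.corp.example", "proxy": "proxy.corp.example"},
    "Sales Lockdown": {"wallpaper": "sales.bmp", "usb_storage": "deny"},
    "Kiosk Policy": {"wallpaper": "kiosk.bmp"},
}

LOCAL = Container("Workstation", "local", [(1, "Local Policy")])
SITE = Container("Default-First-Site-Name", "site", [(1, "Site Policy")])
DOMAIN = Container("corp.example", "domain", [(1, "Default Domain Policy"), (2, "Browser Policy")])
OU_SALES = Container("Sales", "ou", [(1, "Sales Lockdown")])
OU_KIOSKS = Container("Kiosks", "ou", [(1, "Kiosk Policy")], block_inheritance=True)

PATH_SALES = [LOCAL, SITE, DOMAIN, OU_SALES]
PATH_KIOSKS = [LOCAL, SITE, DOMAIN, OU_KIOSKS]

if __name__ == "__main__":
    print(processing_order(PATH_SALES))
    print(resolve_settings(PATH_SALES, GPOS))
    print(resolve_settings(PATH_KIOSKS, GPOS))
```

Note how the domain's two links interact: "Browser Policy" (link order 2) is processed before "Default Domain Policy" (link order 1), so the homepage from the link-order-1 GPO wins while the proxy setting, which only the other GPO defines, is kept. The Kiosks OU with Block Inheritance ends up with only the local GPO and its own link.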
• How can you determine what GPO was and was not applied for a user?
Name a few ways to do that. Simply use the Group Policy Management
Console, which Microsoft created for that very purpose; it allows you to run
simulated policies on computers or users to determine what policies are enforced.
Link in sources
• A user claims he did not receive a GPO, yet his user and computer
accounts are in the right OU, and everyone else there gets the GPO.
What will you look for? Here the interviewer wants to know the
troubleshooting steps:
Which GPO is applying?
Is it applying to all users and computers?
Which GPOs are implemented on the OU?
Make sure the user is not subject to a loopback policy, because with loopback
processing the user settings are not applied and only the computer policy takes effect.
Is the user a member of the GPO's security filtering group or not?
You may also want to check the computer's event logs. If you find event ID
1085, then you may want to download the patch to fix this and reboot the
computer.
Assign Users
The software application is advertised when the user logs on. It is installed
when the user clicks on the software application icon via the Start menu,
or accesses a file that has been associated with the software application.
Assign Computers
The software application is advertised and installed when it is safe to do
so, such as when the computer is next restarted.
Publish to users
The software application does not appear on the Start menu or desktop.
This means the user may not know that the software is available. The
software application is made available via the Add/Remove Programs
option in Control Panel, or by clicking on a file that has been associated
with the application. Published applications do not reinstall themselves in
the event of accidental deletion, and it is not possible to publish to
computers.
• What is a subnet mask? A subnet mask separates the IP address into the
network and host addresses.
• What is ARP? Address Resolution Protocol, a network
layer protocol used to convert an IP address into a physical address
(called a DLC address), such as an Ethernet address
• What is ARP Cache Poisoning? ARP cache poisoning, also known as ARP
spoofing, is the process of falsifying the source Media Access Control
(MAC) addresses of packets being sent on an Ethernet network.
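From the defender's side, the tell-tale sign of the ARP cache poisoning described above is a single IP address that is answered for by more than one MAC address. The following is an added example, not code from the original notes: it parses raw Ethernet/ARP frames and raises an alert whenever the sender MAC for an IP changes between replies. The frames are constructed inline as sample traffic (no real capture), and all names are my own.

```python
"""Detecting ARP cache poisoning from a stream of ARP replies.

Added example, not from the original notes. Frames are constructed inline as
sample traffic; nothing is captured from or sent to a real network.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet frame carrying an ARP reply (used only to build sample traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return opcode, frame[22:28], frame[28:32]


def mac_str(mac):
    return ":".join("%02x" % b for b in mac)


def ip_str(ip):
    return ".".join(str(b) for b in ip)


def detect_arp_spoofing(frames):
    """Remember the first MAC seen for each IP in ARP replies and return an
    alert line for every reply that claims the IP from a different MAC."""
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, mac, ip = parsed
        if opcode != ARP_REPLY:
            continue
        ip_s, mac_s = ip_str(ip), mac_str(mac)
        known = bindings.setdefault(ip_s, mac_s)
        if known != mac_s:
            alerts.append("ARP binding change for %s: %s -> %s" % (ip_s, known, mac_s))
    return alerts


# Constructed sample traffic: the gateway 192.168.1.1 answers from its real
# MAC, then a rogue host claims the same IP from a different MAC.
GATEWAY_IP = bytes([192, 168, 1, 1])
GATEWAY_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("66778899aabb")
CLIENT_IP = bytes([192, 168, 1, 50])
CLIENT_MAC = bytes.fromhex("ccddeeff0011")

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(CLIENT_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),  # conflicting binding
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

A production monitor would seed `bindings` from a known-good inventory (or DHCP leases) rather than from the first reply seen, since the first reply could itself be the spoofed one.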
• What is RFC 1918? RFC 1918 is Address Allocation for Private Internets.
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
We will refer to the first block as the "24-bit block", the second as the
"20-bit block", and to the third as the "16-bit block".
• What is CIDR? In Internet Protocol terminology, a private network is
typically a network that uses private IP address space, following the
standards set by RFC 1918 and RFC 4193. These addresses are common in
home and office local area networks (LANs), as globally routable
addresses are scarce, expensive to obtain, or their use is not necessary.
Private IP address spaces were originally defined in efforts to delay IPv4
address exhaustion, but they are also a feature of the next generation
Internet Protocol, IPv6.
• You have the following Network ID: 131.112.0.0. You need at least
500 hosts per network. How many networks can you create? What
subnet mask will you use? If you need to divide it up into the maximum
number of subnets containing at least 500 hosts each, you should use a
/23 subnet mask. This will provide you with 128 networks of 510 hosts
each. If you used a /24 mask, you would be limited to 254 hosts.
Similarly, a /22 mask would be wasteful, allowing you 1022 hosts.
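The subnetting answer above and the RFC 1918 ranges listed earlier can both be checked with the standard library `ipaddress` module. This is an added example, not code from the original notes; it treats 131.112.0.0 as a /16 (its classful Class B size, which the question leaves implicit), and the helper names are my own.

```python
"""Subnet planning and RFC 1918 checks with the ipaddress module.

Added example, not part of the original notes. The 131.112.0.0 network and
the 500-host requirement come from the question above; the /16 size of the
base network is an assumption (classful Class B).
"""
import ipaddress

# The three RFC 1918 private blocks listed earlier on the page.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address):
    """True if the IPv4 address falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def prefix_for_hosts(hosts_needed):
    """Longest prefix (smallest subnet) that still offers hosts_needed usable hosts.

    The network and broadcast addresses of each subnet are not usable,
    hence the "- 2".
    """
    prefix = 30  # /30 is the smallest IPv4 subnet with usable hosts (two)
    while prefix > 0 and (2 ** (32 - prefix) - 2) < hosts_needed:
        prefix -= 1
    return prefix


def plan_subnets(network, hosts_needed):
    """Split `network` into the maximum number of subnets that each hold at
    least `hosts_needed` usable hosts and describe the result."""
    base = ipaddress.ip_network(network, strict=True)
    prefix = prefix_for_hosts(hosts_needed)
    if prefix < base.prefixlen:
        raise ValueError("network too small for the requested host count")
    subnets = list(base.subnets(new_prefix=prefix))
    return {
        "prefix": prefix,
        "mask": str(subnets[0].netmask),
        "subnet_count": len(subnets),
        "usable_hosts": subnets[0].num_addresses - 2,
        "first_subnet": str(subnets[0]),
        "last_subnet": str(subnets[-1]),
    }


if __name__ == "__main__":
    print(plan_subnets("131.112.0.0/16", 500))
    for addr in ("10.3.4.5", "172.31.255.1", "172.32.0.1", "131.112.1.1"):
        print(addr, "private" if is_rfc1918(addr) else "public")
```

For the question's input the plan reports a /23 mask (255.255.254.0), 128 subnets and 510 usable hosts each, matching the answer given above; `prefix_for_hosts(254)` and `prefix_for_hosts(1022)` return the /24 and /22 alternatives the answer compares against.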
• You need to view network traffic. What will you use? Name a few
tools. Wireshark or tcpdump.
You can also use Network Monitor or Ethereal.
• What is DHCP? What are the benefits and drawbacks of using it? DHCP,
Dynamic Host Configuration Protocol, is a communications protocol that
dynamically assigns unique IP addresses to network devices.
Also, the DHCP lease renewal process helps ensure that where client
configurations need to be updated often (such as users with mobile or
portable computers who change locations frequently), these changes can
be made efficiently and automatically by clients communicating directly
with DHCP servers.
Benefits:
Disadvantage:
Your machine name does not change when you get a new IP address. The
DNS (Domain Name System) name is associated with your IP address and
therefore does change. This only presents a problem if other clients try
to access your machine by its DNS name.
• Describe the steps taken by the client and DHCP server in order to
obtain an IP address.
At least one DHCP server must exist on a network. Once the DHCP server
software is installed, you create a DHCP scope, which is a pool of IP
addresses that the server manages. When clients log on, they request an
IP address from the server, and the server provides an IP address from
its pool of available addresses.
DHCPNAK (server response to indicate to the client that its lease has
expired or that the client announced a bad network configuration)
A DHCP server will issue a NAK to the client ONLY IF it is sure that the
client, on the local subnet, is asking for an address that doesn't exist
on that subnet.
1. Requested address from possibly the same subnet but not in the
address pool of the server:
This can be the failover scenario in which two DHCP servers are serving the
same subnet, so that when one goes down, the other should not NAK
clients which got an IP from the first server.
If the address is from the same superscope to which the subnet belongs,
DHCP servers will ACK the REQUEST.
The DHCP protocol utilizes UDP ports 67 and 68, which are the same
ports used by BOOTP.
In this chapter, you'll learn how to implement a DHCP server, including the
installation process, authorization of the server, and the configuration
of DHCP scopes. The chapter ends by looking at how to manage a DHCP server
and monitor its performance.
Traditionally, DNS and DHCP servers have been configured and managed one at
a time. Similarly, changing authorization rights for a particular user on a group
of devices has meant visiting each one and making configuration changes. DHCP
integration with DNS allows the aggregation of these tasks across devices,
enabling a company's network services to scale in step with the growth of
network users, devices, and policies, while reducing administrative operations
and costs.
This integration provides practical operational efficiencies that lower total cost
of ownership. Creating a DHCP network automatically creates an associated
DNS zone, for example, reducing the number of tasks required of network
administrators. And integration of DNS and DHCP in the same database instance
provides unmatched consistency between service and management views of IP
address-centric network services data.
Windows Server 2003 DNS supports DHCP by means of the dynamic update of
DNS zones. By integrating DHCP and DNS in a DNS deployment, you can provide
your network resources with dynamic addressing information stored in DNS. To
enable this integration, you can use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136: Dynamic Updates in the
Domain Name System (DNS UPDATE), automatically updates DNS records. Both
Windows Server 2003 and Windows 2000 support dynamic update, and both
clients and DHCP servers can send dynamic updates when their IP addresses
change.
Dynamic update enables a DHCP server to register address (A) and pointer
(PTR) resource records on behalf of a DHCP client by using DHCP Client FQDN
option 81. Option 81 enables the DHCP client to provide its FQDN to the DHCP
server. The DHCP client also provides instructions to the DHCP server
describing how to process DNS dynamic updates on behalf of the DHCP client.
The DHCP server can dynamically update DNS A and PTR records on behalf of
DHCP clients that are not capable of sending option 81 to the DHCP server. You
can also configure the DHCP server to discard client A and PTR records when
the DHCP client lease is deleted. This reduces the time needed to manage
these records manually and provides support for DHCP clients that cannot
perform dynamic updates. In addition, dynamic update simplifies the setup of
Active Directory by enabling domain controllers to dynamically register SRV
resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs
one of the following actions:
• The DHCP server updates resource records at the request of the client.
The client requests the DHCP server to update the DNS PTR record on
behalf of the client, and the client registers A.
• The DHCP server updates DNS A and PTR records regardless of whether
the client requests this action or not.
By itself, dynamic update is not secure because any client can modify
DNS records. To secure dynamic updates, you can use the secure
dynamic update feature provided in Windows Server 2003. To delete
outdated records, you can use the DNS server aging and scavenging
feature.
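The client/server exchange described under "Describe the steps taken by the client and DHCP server" and the Client FQDN option 81 handling described just above can both be seen concretely by parsing the messages on the wire. The following is an added example, not code from the original notes or from Microsoft: it builds a DISCOVER/OFFER/REQUEST/ACK exchange inline as sample data (not a real capture), walks the option area, and decodes option 81 to say which side is expected to update the A and PTR records. The flag semantics follow RFC 4702 (S, O, E, N bits); all helper names are my own.

```python
"""Parser for DHCP messages (RFC 2131) and the Client FQDN option 81 (RFC 4702).

Added example, not part of the original notes. The four messages are
constructed inline to mimic a DISCOVER/OFFER/REQUEST/ACK exchange.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_CLIENT_FQDN = 50, 53, 54, 81
FQDN_FLAG_S, FQDN_FLAG_O, FQDN_FLAG_E, FQDN_FLAG_N = 0x01, 0x02, 0x04, 0x08


def build_message(op, xid, mac, yiaddr, options):
    """Assemble the 236-byte fixed BOOTP header, the magic cookie and TLV options."""
    chaddr = mac + b"\x00" * (16 - len(mac))
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"


def parse_options(data):
    """Walk the option area into {code: value}; PAD (0) is skipped, END (255) stops."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:          # refuse to read past the buffer
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_message(raw):
    """Extract the fields an operator cares about from one DHCP message."""
    if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", raw[:8])
    yiaddr = ".".join(str(b) for b in raw[16:20])
    mac = ":".join("%02x" % b for b in raw[28:28 + hlen])
    opts = parse_options(raw[240:])
    msg_type = MESSAGE_TYPES.get(opts.get(OPT_MESSAGE_TYPE, b"\x00")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr, "type": msg_type, "options": opts}


def parse_client_fqdn(value):
    """Decode option 81: flags, two RCODE bytes, then the name (wire format if E is set)."""
    if len(value) < 3:
        raise ValueError("option 81 too short")
    flags, name = value[0], value[3:]
    if flags & FQDN_FLAG_E:
        labels, i = [], 0
        while i < len(name) and name[i] != 0:
            labels.append(name[i + 1:i + 1 + name[i]].decode("ascii"))
            i += 1 + name[i]
        fqdn = ".".join(labels)
    else:
        fqdn = name.decode("ascii").rstrip(".")
    if flags & FQDN_FLAG_N:           # client asks the server to do no DNS updates
        server_updates = ()
    elif flags & FQDN_FLAG_S:         # client asks the server to register A (and PTR)
        server_updates = ("A", "PTR")
    else:                             # default: server does PTR, client registers A itself
        server_updates = ("PTR",)
    return {"fqdn": fqdn, "flags": flags, "server_updates": server_updates}


def summarize_exchange(messages):
    """Return the message-type sequence after checking they share one transaction id."""
    parsed = [parse_message(m) for m in messages]
    if len({p["xid"] for p in parsed}) != 1:
        raise ValueError("messages belong to different transactions")
    return [p["type"] for p in parsed]


# Constructed sample exchange (not a capture).
CLIENT_MAC = bytes.fromhex("00155d0a0b0c")
XID = 0x3903F326
OFFERED_IP = bytes([192, 168, 10, 20])
SERVER_IP = bytes([192, 168, 10, 1])
FQDN_OPT = bytes([FQDN_FLAG_S | FQDN_FLAG_E, 0, 0]) + b"\x04host\x04corp\x07example\x00"
EXCHANGE = [
    build_message(1, XID, CLIENT_MAC, b"\x00" * 4, [(OPT_MESSAGE_TYPE, b"\x01")]),
    build_message(2, XID, CLIENT_MAC, OFFERED_IP, [(OPT_MESSAGE_TYPE, b"\x02"), (OPT_SERVER_ID, SERVER_IP)]),
    build_message(1, XID, CLIENT_MAC, b"\x00" * 4, [(OPT_MESSAGE_TYPE, b"\x03"), (OPT_REQUESTED_IP, OFFERED_IP),
                                                     (OPT_SERVER_ID, SERVER_IP), (OPT_CLIENT_FQDN, FQDN_OPT)]),
    build_message(2, XID, CLIENT_MAC, OFFERED_IP, [(OPT_MESSAGE_TYPE, b"\x05"), (OPT_SERVER_ID, SERVER_IP)]),
]

if __name__ == "__main__":
    print(summarize_exchange(EXCHANGE))
    print(parse_client_fqdn(parse_message(EXCHANGE[2])["options"][OPT_CLIENT_FQDN]))
```

The length checks in `parse_options` matter: a DHCP server or relay that trusts the option length byte without bounding it against the packet is a classic source of memory-safety bugs, and the same defensive pattern applies when a server decides whether to honour the S, O and N requests in option 81 rather than blindly registering whatever name the client supplies.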
• What is the BOOTP protocol used for, and where might you find it in a
Windows network infrastructure? BootP (RFC 951) provides
a unique IP address to the requester (using port 67), similar to the DHCP
request on port 68, AND
can provide (where supported) the ability to boot a system without a
hard drive (i.e. a diskless client).
Apple OS X 10.* Server supports BootP, albeit renamed as NetBoot. The facility
allows the Admin to maintain a selected set of configurations as boot images
and then assign sets of client systems to share (or boot from) that image. For
example, the Accounting, Management, and Engineering departments have
elements in common, but each can be unique from the other departments.
Performing upgrades and maintenance on three images is far more productive
than working on all client systems individually.
Startup is obviously network intensive, and beyond 40-50 clients the Admin
needs to carefully subnet the infrastructure, use gigabit switches, and host the
images local to the clients to avoid saturating the network. This will expand
the number of BootP servers and multiply the number of images, but the
productivity of 1 BootP server per 50 clients is undeniable :)
A zone contains the resource records for all of the names within the particular
zone. Zone files are used if DNS data is not integrated with Active Directory.
The zone files contain the DNS database resource records which define the
zone. If DNS and Active Directory are integrated, then DNS data is stored in
Active Directory.
The different types of zones used in Windows Server 2003 DNS are listed below:
Primary zone
Secondary zone
Active Directory-integrated zone
Reverse lookup zone
Stub zone
A primary zone is the only zone type that can be edited or updated because
the data in the zone is the original source of the data for all domains in the
zone. Updates made to the primary zone are made by the DNS server
that is authoritative for the specific primary zone. You can also back up data
from a primary zone to a secondary zone.
A secondary zone is a read-only copy of the zone that was copied from the
master server during zone transfer.
In fact, a secondary zone can only be updated through zone transfer.
A reverse lookup zone is an authoritative DNS zone. These zones are mainly
used to resolve IP addresses to resource names on the network. A reverse
lookup zone can be either of the following zones:
Primary zone
Secondary zone
Active Directory-integrated zone
A stub zone is a new Windows Server 2003 feature. Stub zones only contain
those resource records necessary to identify the authoritative DNS servers for
the master zone. Stub zones therefore contain only a copy of a zone, and are
used to resolve recursive queries and iterative queries:
• Iterative queries: The DNS server provides the best answer it can. This
can be: