
KCC

The Knowledge Consistency Checker (KCC) is a built-in process that runs on every domain controller and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing site-link costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
With Active Directory Replication Monitor (Replmon) from the Windows Support Tools: Start > Run > replmon. The Support Tools are not shipped with Windows Server 2008; on 2008 use the built-in repadmin command (repadmin /showrepl, repadmin /replsummary) or the Active Directory Sites and Services snap-in instead.
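An added example, not from the original page, of the replication check a practitioner runs on Windows Server 2008 in place of Replmon. It uses repadmin, which ships with the domain controller role; the CSV column names are the ones repadmin /csv emits on 2008 and later, and should be treated as an assumption and checked once on your build.

```powershell
# Added example: summarize AD replication health with repadmin (built into
# Windows Server 2008 domain controllers). Run from an elevated prompt on a DC
# or on a machine with RSAT installed.

# One-line summary per DC: largest delta since the last successful
# replication and failure counts for each source and destination.
repadmin /replsummary

# Partner status as CSV, parsed so failing links can be filtered out.
# Column names are those of "repadmin /showrepl * /csv" (assumption: verify
# once on your version with a plain run of that command).
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if ($failing) {
    Write-Warning ("{0} replication link(s) with failures" -f @($failing).Count)
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "All {0} replication links healthy" -f @($links).Count
}

# Ask the KCC on this DC to recompute the topology now instead of waiting for
# its periodic run, then pull from every partner for every partition
# (/A all naming contexts, /d identify servers by DN, /e cross-site, /P push).
repadmin /kcc
repadmin /syncall /AdeP
```

A link that keeps failing for longer than the forest's tombstone lifetime must not simply be forced back into sync; the lagging DC should be demoted and re-promoted, otherwise deleted objects can be reintroduced.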
What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets. Sites let administrators shape Active Directory access (which domain controller and global catalog a client is directed to) and the replication topology to take advantage of the physical network.
Name some OU design considerations.
OU design requires balancing the need to delegate administrative rights, which is independent of Group Policy, against the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can link Group Policy objects, so the OU structure determines what a GPO can be scoped to.
Delegating administrative authority: delegate at the OU level rather than on individual objects, and keep the hierarchy shallow; a nesting depth of more than three OU levels is rarely needed and makes both delegation and policy inheritance hard to reason about.
http://technet.microsoft.com/en-us/library/cc783140.aspx
What are FSMO roles? List them.
FSMO (Flexible Single Master Operations) roles are operations that Active Directory permits only one domain controller at a time to perform, because a multi-master update would be unsafe for them. There are five FSMO roles; the first two exist once per forest, the other three once per domain:
1-Schema master
2-Domain naming master
3-RID master
4-PDC emulator
5-Infrastructure master
Logical diagram of Active Directory: what is the difference between a child domain and an additional domain controller?
If you know what a domain is, you have half the answer. Say you have the domain microsoft.com, and Microsoft has a server named server1 in that domain, which happens to be the parent (forest root) domain; its FQDN is server1.microsoft.com. If you add an additional domain controller to the same domain and name it server2, its FQDN is server2.microsoft.com: same domain, same directory partition, just another replica of it.
Now Microsoft is big and has offices in Europe and Asia, so they create child domains for them, whose names look like europe.microsoft.com and asia.microsoft.com. Each child domain is a separate domain with its own domain partition and its own domain controllers. If each child domain has a server named server1, their FQDNs are server1.europe.microsoft.com and server1.asia.microsoft.com.
What are Active Directory groups?
Groups are security principals that contain user and computer objects (and other groups) as members. When permissions are granted to a group in the access control list on a resource, all members of that group receive those permissions. Domain groups enable centralized administration in a domain; all domain groups are created on a domain controller.
In a domain, Active Directory supports different group types and group scopes. The group type determines the kind of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or only a single domain, and where it can be granted permissions.
Group Types
* Security groups: use security groups to grant permissions to resources. Sending an e-mail message to a security group also delivers the message to all members, so security groups share the capabilities of distribution groups.
* Distribution groups: distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to a distribution group; it is not placed in the user's access token. Even though security groups have all the capabilities of distribution groups, distribution groups are still needed because some applications can only read distribution groups, and because they do not bloat users' access tokens.
Group Scopes
Group scope describes where a group can be granted permissions and which principals it may contain, so that administration stays simple. One group can be a member of other groups, which is known as group nesting; the rules below say which combinations are allowed. The usual pattern is AGDLP: accounts go into global groups, global groups into domain local groups, and the domain local group is what receives the permission on the resource.
* Domain local group: use this scope to grant permissions to resources located in the same domain in which you created the domain local group. Domain local groups exist at all domain and forest functional levels. Their membership is the least restricted: members can be user accounts, global groups and universal groups from any domain in the forest or from any trusted domain, and, at the Windows 2000 native domain functional level or higher, other domain local groups from the same domain. A domain local group can itself be a member only of other domain local groups in the same domain (again native level or higher), never of a global or universal group.
* Global group: users with a similar function can be grouped under global scope and be given permission to access a resource (such as a printer or shared folder) in the local domain, in another domain of the same forest, or in a trusting domain. In short, global groups can be granted permissions anywhere in the forest, but their membership is limited: only user accounts, computers and (at native functional level or higher) other global groups from the domain in which the global group was created. A global group cannot contain a global group from another domain. To grant access to domain-specific resources (such as printers and published folders), make the global group a member of a domain local group. Global groups exist at all domain and forest functional levels.
* Universal group: a universal group can be granted access to resources in any domain of the forest and in any trusting domain, and can contain user accounts, global groups and other universal groups from any domain in the forest. Universal security groups require the Windows 2000 native domain functional level or higher; at mixed level only universal distribution groups can be created. Universal groups can be nested inside domain local groups and other universal groups in any domain, but not inside global groups. Universal group membership is stored in the global catalog, so every membership change replicates forest-wide; keep their members to global groups rather than individual users.
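The AGDLP pattern described above, as an added example that is not part of the original page. It uses the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the domain, OU path, share path, group names and user names are assumptions.

```powershell
# Added example: accounts -> Global group (role) -> Domain Local group
# (resource) -> NTFS permission. Names and paths below are assumptions.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=corp,DC=example'   # assumed OU for groups
$sharePath = '\\fs01\Finance'                   # assumed resource

# Role group, scope Global: membership is limited to accounts of this domain,
# but the group can be granted access in any domain of the forest.
New-ADGroup -Name 'Role-Finance-Staff' -GroupScope Global `
    -GroupCategory Security -Path $groupOu

# Resource group, scope DomainLocal: may contain accounts, Global and
# Universal groups from any trusted domain (plus Domain Local groups of this
# domain), but is only used on resources in this domain.
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOu

# Nesting: users into the role group, the role group into the resource group.
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Staff'

# The permission is granted once, to the Domain Local group, never to a user.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-Finance-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verification: who effectively reaches the share through the nesting chain.
# The recursive walk is what an access review needs; a flat listing would
# show only the Global group.
Get-ADGroupMember -Identity 'ACL-Finance-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```

Reviewing the Domain Local group's recursive membership is the check to repeat whenever the role group changes, since the NTFS ACL itself never changes and will not show who gained access.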
What are the types of backup? Explain each.
Full (normal)
Backs up every selected file and clears the archive attribute. The other types are defined relative to the last full backup.
Incremental
A normal incremental backup only backs up files that have changed since the last backup of any type. This is the quickest form of backup, since it only copies files that have not yet been backed up. For instance, following a full backup on Friday, Monday's tape contains only the files changed since Friday, Tuesday's tape only those changed since Monday, and so on. The downside is that to perform a full restore you must restore the last full backup first, followed by each subsequent incremental backup up to the present day, in the correct order. Should any one of these backup copies be damaged (particularly the full backup), the restore will be incomplete.
Differential
A cumulative backup of all changes made after the last full backup. The advantage is the quicker recovery time: only the full backup and the latest differential backup are needed to restore the system. The disadvantage is that for each day that elapses since the last full backup, more data needs to be backed up, especially if a majority of the data has changed.
What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file system that exists on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and logon scripts so that the File Replication Service (FRS) can distribute them to the other domain controllers within that domain. (Windows Server 2008 domains can use DFS Replication for SYSVOL once the domain functional level is raised and the migration from FRS is performed.)
The local path is %SystemRoot%\SYSVOL; clients reach it through the SYSVOL and NETLOGON shares on each domain controller.
What is the ISTG? Who has that role by default?
The Inter-Site Topology Generator (ISTG) is the domain controller in each site that runs the intersite part of the KCC and selects bridgehead servers for the site. By default the first domain controller in the site becomes the ISTG for that site; the domain controller holding this role is not necessarily also a bridgehead server.
What is the order in which GPOs are applied?
Local, Site, Domain, OU (LSDOU). Later policies override earlier ones where settings conflict, so the GPO linked to the OU closest to the user or computer wins unless a higher-level link is enforced.

What are some of the new tools and features provided by Windows Server 2008?
Windows Server 2008 provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in (Windows Server Backup) and the BitLocker drive encryption feature. Windows Server 2008 also provides the IIS 7 web server, Windows Deployment Services, Server Core installations and the Hyper-V role.
What are the different editions of Windows Server 2008?
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large, enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirements for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List (Windows Server Catalog) to avoid hardware and network operating system incompatibilities.
What are the options for installing Windows Server 2008?
You can perform a clean installation on a server not currently configured with a network operating system, or you can upgrade existing servers running Windows Server 2003 (SP1 or later). Windows 2000 Server has no direct upgrade path to Windows Server 2008; it must first be upgraded to Windows Server 2003.
How do you configure and manage a Windows Server 2008 Server Core installation?
This stripped-down installation has no Explorer shell and no local MMC; it is managed locally from the command line (cmd.exe, netsh, ocsetup and oclist for roles, sconfig on 2008 R2 and later) and remotely through MMC snap-ins, Remote Desktop, and WinRM once remote management has been enabled. Its smaller footprint also means fewer patches and a smaller attack surface.
Which Control Panel tool enables you to automate the running of server utilities and other applications?
The Task Scheduler enables you to schedule the launching of tools such as Windows Server Backup and Disk Defragmenter.
What are some of the items that can be accessed via the System Properties dialog box?
You can access virtual memory (paging file) settings, the computer name and domain membership, Remote Desktop settings, and the Device Manager via the System Properties dialog box.
When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?
Child domains and the root domain of a tree are joined by a two-way transitive parent-child trust that is created automatically. This means that the root domain and child domain trust each other and, because the trust is transitive, resources in any domain in the tree can be accessed by users in any domain in the tree (subject to the permissions set on the resource).
What is the primary function of domain controllers?
The primary function of domain controllers is to authenticate users and computers to the network (as Kerberos KDC and for NTLM). Domain controllers also hold and serve the writable copy of the Active Directory database for their domain and, if they are global catalog servers, a partial replica of every domain in the forest.
What are some of the other roles that a server running Windows Server 2008 could fill on the network?
A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.
Which Windows Server 2008 tool makes it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and to quickly access the tools used to manage them. Server Manager can also be used to add and remove roles and features as needed (ServerManagerCmd.exe does the same from the command line).
What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.
What domain services are necessary for you to deploy Windows Deployment Services on your network?
Windows Deployment Services requires Active Directory Domain Services (the WDS server must be a domain member), a DHCP server so that PXE clients can obtain an address, and a DNS server.
How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server; wdsutil.exe provides the same functions from the command line.
What is the difference between a basic and a dynamic disk in the Windows Server 2008 environment?
A basic disk uses the traditional MS-DOS partition table structure; a basic disk is divided into primary and extended partitions (simple volumes) that any operating system can recognize.
A dynamic disk holds a single partition whose space is managed by the Logical Disk Manager and can be divided into any number of volumes, including spanned and striped volumes. Dynamic disks also support the Windows Server 2008 software RAID implementations.
What is RAID in Windows Server 2008?
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine two or more volumes on separate drives so that they are accessed through a single drive letter. Windows Server 2008 enables you to configure software RAID 0 (a striped set, which gives no fault tolerance), RAID 1 (a mirror set), and RAID 5 (disk striping with parity) on dynamic disks.
What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work?
The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, describes how data is sent and received on the network by protocol stacks.
What protocol stack is installed by default when you install Windows Server 2008 on a network server?
TCP/IP (IPv4 and IPv6) is the default protocol stack for Windows Server 2008. It is required for Active Directory implementations and provides connectivity on heterogeneous networks.
How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?
Installing Active Directory Domain Services on a server running Windows Server 2008 (the Active Directory Domain Services Installation Wizard, dcpromo.exe) gives you the option of creating the root domain of a new forest or tree, creating a child domain in an existing tree, or adding an additional domain controller to an existing domain. Promoting the server in this way makes it a domain controller.
What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?
When Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of sites, subnets, site links and replication.
How are domain user accounts created and managed?
The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user's password.
What type of Active Directory objects can be contained in a group?
A group can contain users, computers, contacts, and other nested groups (subject to the scope rules). Contacts are useful only for distribution; they carry no permissions.
What type of group is not available in a domain that is running at the mixed-mode functional level?
Universal security groups are not available in a mixed-mode (Windows 2000 mixed) domain; only universal distribution groups can be created there. The domain functional level must be raised to Windows 2000 native or higher (Windows Server 2003 or Windows Server 2008) to make universal security groups available.
What types of Active Directory objects can be contained in an Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, printers, shared folders and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in Active Directory.
What are Active Directory sites in Windows Server 2008?
Active Directory sites represent physical locations in the network's topology. A site is defined by one or more IP subnets that are well connected to each other; sites are separated from one another by slower WAN links. Each domain controller is placed in a site, and because intersite links are slower, domain controllers replicate across site links on a compressed, scheduled basis rather than immediately, while clients use the site information to find a nearby domain controller and global catalog.
Can servers running Windows Server 2008 provide services to clients when they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide services (file, print, web) to workgroup peers, but it has only local accounts, so it does not provide the centralized authentication, Group Policy and management tools that a domain provides.
What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that container.
What tools are involved in managing and deploying Group Policy?
GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management Console (GPMC) snap-in; the settings inside an individual GPO are edited with the Group Policy Management Editor, and gpresult and gpupdate are used on clients to check and refresh the result.
How do you deal with Group Policy inheritance issues?
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from higher-level GPOs for a particular container, such as an OU, by selecting Block Inheritance on that container. If you want a higher-level GPO to take precedence regardless, including over Block Inheritance and over GPOs linked directly to lower containers, set Enforced on that GPO's link. Enforced links always win over blocking, which is why domain-level security baselines should be enforced.
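The inheritance checks described above, as an added example that is not part of the original page. It uses the GroupPolicy and ActiveDirectory modules (GPMC on Windows Server 2008 R2 or later); the OU distinguished name and the GPO name are assumptions.

```powershell
# Added example: inspect effective GPO order on an OU, enforce a baseline,
# and audit every OU that blocks inheritance. DN and GPO name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Workstations,OU=Branch,DC=corp,DC=example'   # assumed OU

# Effective links for the OU. InheritedGpoLinks is already sorted by
# precedence: the entry with Order 1 is applied last and wins conflicts.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on {0}: {1}" -f $inh.Name, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# An OU with Block Inheritance silently drops a domain-level security
# baseline. Enforcing the baseline link at the domain makes it apply anyway
# and overrides conflicting settings in GPOs linked further down.
$domainDn = (Get-ADDomain).DistinguishedName
Set-GPLink -Name 'Security Baseline' -Target $domainDn -Enforced Yes

# Audit: list every OU that blocks inheritance, so each exception is known
# and justified rather than discovered during an incident.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object Name, Path

# On a client, confirm what actually applied (LSDOU order after filtering):
#   gpresult /r /scope:computer
```

The audit loop is worth scheduling: an OU that blocks inheritance and is then forgotten is the usual way a machine ends up outside the baseline without anyone noticing.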
How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network Policy and Access Services role) for Network Access Protection (NAP). The Network Policy Server compares the statement of health sent by the client's NAP agent against system health validators (for example, the Windows Security Health Validator checks firewall state, antivirus and update status) to determine the level of network access afforded to the client; non-compliant clients can be placed on a restricted remediation network until they comply.
What is the purpose of deploying local DNS servers?
A domain DNS server provides the local mapping of fully qualified domain names to IP addresses. Because DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network. Active Directory clients also depend on local DNS to find domain controllers through SRV records.
In terms of DNS, what is a caching-only server?
A caching-only DNS server is not authoritative for any zone; it answers queries from its cache and otherwise resolves them by recursion or by passing them to a forwarder. Caching-only servers are often used in branch offices or as the resolvers that forward to the Internet. Because they are not configured with any zones, they generate no zone transfer traffic, and a compromised caching-only server cannot alter authoritative zone data.
How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope, defined by a subnet, a start and end address, a subnet mask and a lease duration. A scope that groups more than one subnet of IP addresses for a single physical network is called a superscope. IP addresses within a scope that you do not want to lease (statically addressed servers, routers) are placed in an exclusion range, and a specific address can be tied to a client's MAC address with a reservation.
Interview Question
System administrator interview questions with answers, Part 2
Posted on May 7, 2009. Filed under: Interview Question. Tags: Interview Question
Welcome to system administrator interview questions with answers, Part 2. If you have read Part 1 of this article, please go on; otherwise please read system administrator interview questions with answers Part 1 first.
1. Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
Yes, but only if it never has to route traffic itself: for example when it browses through a proxy server that sits on its own subnet, or when explicit static routes cover the destinations it needs. Without a default gateway a host can only reach addresses on its directly connected subnets, whether its own address is public or private; a public address does not by itself remove the need for a route through a router or firewall.
2. What is CIDR?
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. A prefix length written after the address (for example 10.0.0.0/8 or 192.168.4.0/22) replaces the fixed class A, B and C boundaries, so address blocks can be any power-of-two size and contiguous blocks can be aggregated into a single routing table entry. As a result, the number of usable Internet addresses and the efficiency of backbone routing tables have been greatly increased. CIDR is now the routing system used by virtually all gateway hosts on the Internet's backbone network, and the Internet's regulating authorities expect every Internet service provider (ISP) to use it for routing.
3. What is DHCP? What are the benefits and drawbacks of using it?
DHCP is the Dynamic Host Configuration Protocol. In a networked environment it is a method to assign an IP address and the related configuration (subnet mask, default gateway, DNS servers and other options) to a computer when it boots up.
Advantages
All the IP configuration information is configured automatically for your client machine by the DHCP server, so addresses are not typed by hand and the address pool is tracked centrally.
If you move your client machine to a different subnet, the client sends out its DISCOVER message at boot time and works as usual. However, when you first boot up there you will not get back the IP address you had at your previous location, regardless of how little time has passed.
Disadvantages
Your machine name does not change when you get a new IP address, but the DNS record that maps the name to the old address is now stale unless dynamic DNS updates are in use. This presents a problem when other clients try to reach your machine by its DNS name. DHCP is also unauthenticated: a rogue DHCP server on the segment can hand out a malicious gateway or DNS server, so DHCP snooping on the switches is needed; Windows DHCP servers must additionally be authorized in Active Directory before they will serve, which stops an accidental Windows server but not a non-Windows one.
4. How do you manually create SRV records in DNS?
To create an SRV record in the DNS console:
Open the DNS console.
Expand Forward Lookup Zones and select the domain, for example abc.local.
Right-click the domain (or the _tcp or _udp subdomain under it) and choose Other New Records.
Choose Service Location (SRV), then fill in the service, protocol, priority, weight, port number and the host offering the service.
5. Name three benefits of using AD-integrated zones.
Benefits:
a. Multi-master updates: the zone is stored in Active Directory, so every DNS server that is also a domain controller holds a writable copy and there is no single primary server to lose.
b. Secure dynamic updates: with the zone set to accept secure updates only, a record can be changed only by the computer (or account) that created it, which prevents a rogue host from overwriting another host's record.
c. Replication is handled by Active Directory itself: only changed attributes replicate, not the entire zone, which reduces replication traffic, and the data travels inside authenticated, encrypted AD replication instead of plain-text zone transfers.
d. AD-integrated zones support both secure and non-secure dynamic updates, selectable per zone.
e. Zone data is protected by Active Directory ACLs and can be replicated domain-wide or forest-wide through the DomainDnsZones and ForestDnsZones application partitions.
6. How do I clear the DNS cache on the DNS server?
On the server, use the DNS console (right-click the server and choose Clear Cache) or run dnscmd /clearcache. Note that ipconfig /flushdns only clears the DNS client resolver cache of the machine on which it is run; it does not touch the DNS server's cache.
7. What is NAT?
NAT (Network Address Translation) is a technique for preserving scarce public IP addresses: a router rewrites the source address (and, with port translation, the source port) of outbound packets so that many private hosts share one or a few public addresses, and translates the replies back. Inbound connections to private hosts are only possible where an explicit mapping exists.
8. How do you configure NAT on Windows 2003?
Install and enable Routing and Remote Access (Administrative Tools, Routing and Remote Access, then Configure and Enable Routing and Remote Access), choose the Network address translation (NAT) configuration, select the interface that connects to the Internet as the public interface, and let the wizard add the private interface. The NAT/Basic Firewall routing protocol then appears under IP Routing in the console, where additional interfaces, port mappings and the basic firewall can be configured.
9. How to conIigure special ports to allow inbound connections?
a. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access management console.
b. Locate the interIace that you want to conIigure.
c. Right-click the interIace and then select Properties Irom the shortcut menu.
d. Click the Special Ports tab.
e. Under Protocol, select TCP or UDP and then click the Add button.
I. Enter the port number oI the incoming traIIic in Incoming Port.
g. Select On This Address Pool Entry, and provide the public IP address oI the incoming traIIic.
h. Enter the port number oI the private network resource in Outgoing Port.
i. Enter the private network resource`s private IP address in Private Address.
j. Click OK.
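The same configuration from the command line, as an added example that is not part of the original page. The netsh routing context exists on Windows Server 2003 (the version the question names) and was removed from later releases; interface names and addresses are assumptions.

```powershell
# Added example: NAT with an inbound port mapping on Windows Server 2003 via
# the "netsh routing ip nat" context. Interface names and IPs are assumptions.
netsh routing ip nat install
# Public side: translate both addresses and ports (mode=full).
netsh routing ip nat add interface name="Public" mode=full
# Private side: no translation, just marks the inside interface.
netsh routing ip nat add interface name="Private" mode=private

# Inbound mapping, the equivalent of the Services and Ports tab:
# traffic to the public interface's own address (0.0.0.0) on TCP 443 is
# forwarded to 192.168.1.10:443.
netsh routing ip nat add portmapping name="Public" proto=tcp publicaddr=0.0.0.0 publicport=443 privateaddr=192.168.1.10 privateport=443

# Review: every portmapping shown here is an Internet-reachable internal
# service and belongs in the change record and the patch schedule.
netsh routing ip nat show interface
```

Remove a mapping with netsh routing ip nat delete portmapping when the internal service is decommissioned; stale mappings that point at a reused private address are a common way an unrelated host becomes exposed.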
DNS Interview Questions and Answers
1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
2. What is the main purpose of a DNS server?
3. SOA records must be included in every zone. What are they used for?
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN into an IP address?
5. What is the main purpose of SRV records?
6. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
7. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
8. At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
9. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one company-wide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up to date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
10. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
Answers
1. PTR records.
2. DNS servers resolve FQDN host names into IP addresses and vice versa.
3. SOA records contain the default TTL value used by all resource records in the zone, the e-mail address of the person responsible for maintaining the zone, and the current serial number of the zone, which secondary servers compare with their own copy to decide whether a zone transfer is needed.
4. The client sends a recursive query to its preferred (primary) DNS server, as listed in the network interface configuration.
5. SRV records are used to locate hosts that provide a particular network service; Active Directory uses them to publish domain controllers, global catalogs and Kerberos KDCs.
6. The zone you created was not configured to allow dynamic updates, so Netlogon on the new domain controller could not register its SRV records (alternatively, the DC's local network interface was not configured to register its addresses in DNS). Enable dynamic updates on the zone, preferably secure only, then run nltest /dsregdns or restart the Netlogon service on the domain controller.
7. The zone to be used for dynamic updates must be configured to allow dynamic updates, and the DHCP server must support, and be configured to perform, dynamic updates on behalf of legacy clients that cannot register themselves.
8. After receiving the authoritative reply, the resolution process is effectively over; the answer is cached according to its TTL and returned to the application.
9. Change the replication scope of the zone to all DNS servers in the domain (the DomainDnsZones application partition) so that zone data no longer replicates to the seven domain controllers that are not DNS servers.
10. DNS servers are not caching replies, local client computers are not caching replies, or the root hints file (cache.dns) may have been corrupted on the server, so that every external lookup has to start from scratch.
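The SRV record procedure (question 4 of Part 2) and DNS questions 5 and 6 above, worked through with the tools built into a Windows Server 2008 DNS server. This is an added example and not part of the original page; the domain name and DC name are assumptions.

```powershell
# Added example: the SRV records Active Directory depends on, checked,
# repaired and created with dnscmd, nslookup and nltest (all built in on
# Windows Server 2008). Domain and DC names are assumptions.
$domain = 'corp.example'
$dc     = 'dc01.corp.example'

# 1. Can clients find a domain controller? The DC locator queries this name
#    first; an empty answer is the symptom described in DNS question 6.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"

# 2. Most likely cause: the zone refused the dynamic update from Netlogon.
#    Show the current setting, then allow secure updates only (2), so that a
#    record can be modified only by the computer that registered it.
dnscmd $dc /ZoneInfo $domain | Select-String 'update'
dnscmd $dc /Config $domain /AllowUpdate 2

# 3. Make the DC re-register its SRV records now instead of waiting for the
#    next Netlogon refresh; errors land in the System event log (Netlogon).
nltest /dsregdns /server:$dc

# 4. A manual SRV record (the console steps in question 4), here publishing
#    a Kerberos KDC: node name, priority, weight, port, target host.
dnscmd $dc /RecordAdd $domain "_kerberos._tcp" SRV 0 100 88 $dc

# 5. Confirm the record the way a client would see it.
nslookup -type=SRV "_kerberos._tcp.$domain"

# Clearing the *server* cache (ipconfig /flushdns only clears the local
# resolver cache of the machine it runs on).
dnscmd $dc /ClearCache
```

Leaving a zone on non-secure dynamic updates (value 1) lets any host on the network overwrite the SRV records and redirect domain logons to a machine it controls, which is why the setting deserves a check on every AD-integrated zone, not just when records go missing.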

What is DHCP's purpose?
DHCP's purpose is to enable individual computers on an IP network to obtain their configuration from a server (the "DHCP server") or servers, in particular from servers that have no exact information about the individual computers until they request it. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.
What protocol and port does DHCP use?
DHCP, like BOOTP, runs over UDP: the server listens on port 67 and the client on port 68.
What is the global catalog? The global catalog (GC) is a partial, read-only replica of every domain partition in the forest, hosted on designated domain controllers. It answers queries about objects across the forest (for example universal group membership and user principal name lookups), which is why a GC must be reachable for user logons in a multi-domain native-mode forest. Every forest has at least one GC (the first domain controller in the forest); the recommendation, already in Windows 2000, is one GC per site so that logons do not fail when the WAN link is down.
What is a stub zone in a DNS server?
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
* The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
* The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Where is the Active Directory data file stored?
The Active Directory database is stored in %SystemRoot%\NTDS\ntds.dit by default (the path is chosen during promotion and recorded in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters). The ntds.dit file is the heart of Active Directory: it holds every object, including user accounts and their password hashes, so a copy of this file together with the SYSTEM registry hive (which holds the boot key that protects it) is enough to crack or pass-the-hash every account in the domain. Access to the file, to its backups, and to Install-From-Media sets must be restricted accordingly.
What are the types of records in DNS?
The most common resource record types are A (name to IPv4 address), AAAA (name to IPv6 address), CNAME (alias to canonical name), MX (mail exchanger), NS (authoritative name server for a zone), PTR (address to name, used in reverse lookup zones), SOA (start of authority, one per zone), SRV (service location, used by Active Directory to publish domain controllers and KDCs) and TXT (free text, used for SPF and similar).
What is DHCP and on which ports does DHCP work?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of addresses (a scope) configured for a given network. DHCP assigns an IP address when a system starts up.
DHCP runs over UDP. The DHCP server listens on port 67 and the DHCP client listens on port 68 (the same ports as BOOTP).
What is the DORA process in DHCP and how does it work?
DHCP (D)iscover
DHCP (O)ffer
DHCP (R)equest
DHCP (A)cknowledge
1) The client, which has no address yet, sends a DHCPDISCOVER as a UDP broadcast (source 0.0.0.0 port 68, destination 255.255.255.255 port 67) to find DHCP servers.
2) Each DHCP server that receives it replies with a DHCPOFFER containing a proposed address and lease.
3) The client chooses one offer and broadcasts a DHCPREQUEST for that address, naming the selected server so that the other servers withdraw their offers.
4) The selected server responds with a DHCPACK carrying the address, subnet mask, default gateway, DNS and WINS server options and the lease time (or a DHCPNAK if the address is no longer available, in which case the client starts over).
What is a superscope in DHCP?
A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use the DHCP console to define all the scopes to be included in it; scopes added to a superscope are called member scopes. Superscopes resolve DHCP service issues in several situations, including those in which:
* Support is needed for DHCP clients on a single physical network segment, such as a single Ethernet LAN segment, where multiple logical IP networks are used. A physical network carrying more than one logical IP network is also known as a multinet.
* The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
* Clients need to be migrated to a new scope.
* Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network.
* A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on that physical subnet.
What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security descriptor with an access control list (ACL).
What's the difference between a forward lookup zone and a reverse lookup zone in DNS?
A forward lookup zone maps names to IP addresses (A and AAAA records); a reverse lookup zone maps IP addresses to names (PTR records in the in-addr.arpa or ip6.arpa namespace).
How do you transfer roles in Active Directory?
Roles can be transferred with the Ntdsutil.exe command-line tool (roles, connections, connect to server <target>, then transfer <role>), with the Active Directory snap-ins (Active Directory Schema for the schema master, Active Directory Domains and Trusts for the domain naming master, Active Directory Users and Computers for the RID, PDC and infrastructure masters), or, on Windows Server 2008 R2 and later, with the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet. A transfer requires both the current holder and the new holder to be online; if the holder is permanently lost, the role must be seized with ntdsutil instead, and the old holder must never be returned to the network.
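Locating and moving the five FSMO roles listed earlier on this page, as an added example that is not part of the original page. ntdsutil is built into every domain controller; the ActiveDirectory module cmdlets need Windows Server 2008 R2 RSAT or later. The server name dc02 is an assumption.

```powershell
# Added example: query, transfer and (as a last resort) seize FSMO roles.
# Target server name is an assumption.
Import-Module ActiveDirectory

# Where are the roles now? Two are forest-wide, three are per-domain.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
# Equivalent built-in command on any DC:  netdom query fsmo

# Graceful transfer (both DCs online). Moving the schema master requires
# Schema Admins and the domain naming master requires Enterprise Admins;
# the three domain roles need Domain Admins.
Move-ADDirectoryServerOperationMasterRole -Identity 'dc02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# The same transfer with ntdsutil, which also works on Windows Server 2008
# RTM. Each quoted token is one command at the successive ntdsutil prompts.
ntdsutil "roles" "connections" "connect to server dc02" "quit" `
         "transfer pdc" "transfer rid master" "quit" "quit"

# Verify the move replicated before relying on it.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster

# Seizure is only for a holder that is permanently gone. The old holder must
# never come back online afterwards: two RID masters hand out overlapping
# RIDs, and two schema masters can fork the schema.
#   ntdsutil "roles" "connections" "connect to server dc02" "quit" `
#            "seize rid master" "quit" "quit"
#   or:  Move-ADDirectoryServerOperationMasterRole -Identity dc02 `
#            -OperationMasterRole RIDMaster -Force
```

The PDC emulator deserves particular care: it is the time source for the domain, the target of password-change forwarding and account-lockout processing, and the DC that Group Policy tools edit against, so its new holder should be a well-connected, well-monitored DC.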
How do you back up Active Directory, and which main file do you take in a backup of Active Directory?
On Windows 2000 Server and Windows Server 2003 the backup is taken with the Ntbackup utility; Windows Server 2008 replaces it with Windows Server Backup (wbadmin start systemstatebackup).
Active Directory is backed up as part of the system state, a collection of system components that depend on each other. You must back up and restore system state components together. Components that comprise the system state on a domain controller include:
* System start-up files (boot files). These are the files required for Windows Server to start.
* System registry.
* Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
* SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  * The NETLOGON shared folder, which usually hosts user logon scripts and Group Policy objects (GPOs) for clients not based on Windows 2000.
  * User logon scripts for Windows 2000 Professional-based clients and clients running Windows 95, Windows 98, or Windows NT 4.0.
  * Windows 2000 GPOs.
  * File system junctions.
  * File Replication Service (FRS) staging directories and files that must be available and synchronized between domain controllers.
* Active Directory, which includes:
  * Ntds.dit: the Active Directory database (the main file).
  * Edb.chk: the checkpoint file.
  * Edb*.log: the transaction logs, each 10 megabytes (MB) in size.
  * Res1.log and Res2.log: reserved transaction logs.
A system state backup contains the password hashes of every account in the domain and must be stored and transported with the same protection as the live domain controller.
What is Active Directory Domain Services in Windows Server 2008?
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
What is the SYSVOL folder?
The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically, the domain controller information stored in files, like your Group Policy settings, is replicated through this folder structure.
What's New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.
Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in the chapter "Manage Sites and Replication."
Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain, and provides the capability to examine any change made to data stored in AD DS.
What is the Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.
It has two important functions:
- Provides group membership information during logon and authentication
- Helps users locate resources in Active Directory
What are RODCs, and what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
* Improved security
* Faster logon times
* More efficient access to resources on the network
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.
Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl csv, and showvector latency can be used to check for replication problems.
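As an added example (not code from the page or from Microsoft's tools), the script below parses the CSV that `repadmin /showrepl * /csv` writes and reports the links that deserve attention, which is the check the text says showrepl csv is for. The column names follow repadmin's documented CSV header; the rows, server names, sites, times and the status-code table are constructed for this example.

```python
"""Added example, not code from the original page: scan the CSV that
`repadmin /showrepl * /csv` writes and report replication links that are
failing or stale.

Column names follow repadmin's CSV header; the sample rows, server names
and timestamps below are constructed so the script runs offline.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample; a real run would produce it with: repadmin /showrepl * /csv
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,2024-05-01 08:00:12,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=corp,DC=example",Branch,RODC01,RPC,0,0,2024-05-01 07:58:40,0
showrepl_INFO,Branch,RODC01,"DC=corp,DC=example",HQ,DC01,RPC,12,2024-05-01 08:05:00,2024-04-28 22:10:03,1722
showrepl_INFO,HQ,DC02,"DC=DomainDnsZones,DC=corp,DC=example",HQ,DC01,RPC,3,2024-05-01 08:04:11,2024-05-01 06:30:00,8453
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Two Win32 error codes that commonly appear in the last column.
KNOWN_STATUS = {
    0: "ok",
    1722: "The RPC server is unavailable",
    8453: "Replication access was denied",
}


def parse_showrepl(text):
    """Return one dict per replication link (rows tagged showrepl_INFO)."""
    links = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("showrepl_COLUMNS") != "showrepl_INFO":
            continue  # repadmin also emits rows with other tags; skip them
        ts = row["Last Success Time"]
        # A link that has never replicated successfully carries "0" here.
        last_success = datetime.strptime(ts, TIME_FMT) if ts != "0" else datetime.min
        links.append({
            "dest": row["Destination DSA"],
            "source": row["Source DSA"],
            "nc": row["Naming Context"],
            "failures": int(row["Number of Failures"] or 0),
            "last_success": last_success,
            "status": int(row["Last Failure Status"] or 0),
        })
    return links


def check_replication(text, now_str, max_age_hours=24):
    """Flag links with a non-zero failure count or with no successful
    replication within max_age_hours. Returns tuples of
    (dest, source, naming context, failures, status text, stale?)."""
    now = datetime.strptime(now_str, TIME_FMT)
    max_age = timedelta(hours=max_age_hours)
    problems = []
    for link in parse_showrepl(text):
        stale = (now - link["last_success"]) > max_age
        if link["failures"] > 0 or stale:
            status = KNOWN_STATUS.get(link["status"], f"error {link['status']}")
            problems.append((link["dest"], link["source"], link["nc"],
                             link["failures"], status, stale))
    return problems


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a reproducible report.
    for dest, src, nc, fails, status, stale in check_replication(SAMPLE_CSV, "2024-05-01 08:10:00"):
        print(f"{dest} <- {src} [{nc}] failures={fails} last status: {status}"
              + (" (no success in 24h)" if stale else ""))
```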
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
http://wiki.answers.com/Q/What_is_NETDOM
A:
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use netdom to:
- Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
  - Provide an option to specify the organizational unit (OU) for the computer account.
  - Generate a random computer password for an initial Join operation.
- Manage computer accounts for domain member workstations and member servers. Management operations include:
  - Add, Remove, Query.
  - An option to specify the OU for the computer account.
  - An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
- Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
  - From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
  - From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
  - Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
  - The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
- Verify or reset the secure channel for the following configurations:
  - Member workstations and servers.
  - Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  - Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
- Manage trust relationships between domains, including the following operations:
  - Enumerate trust relationships (direct and indirect).
  - View and change some attributes on a trust.


What is the difference between transferring a FSMO role and seizing one? Which one should you not seize, and why?


Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.


If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role.


If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.


If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.


NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.



The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:


- What is an IP address?
- What is a subnet mask?
- What is ARP?
- What is ARP Cache Poisoning?
- What is the ANDing process?
- What is a default gateway? What happens if I don't have one?
- Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
- What is a subnet?
- What is APIPA?
- What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them).
- What is RFC 1918?
- What is CIDR?
- You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
- You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
- You need to view network traffic. What will you use? Name a few tools.
- How do I know the path that a packet takes to the destination?
- What does the ping 192.168.0.1 -l 1000 -n 100 command do?
- What is DHCP? What are the benefits and drawbacks of using it?
- Describe the steps taken by the client and DHCP server in order to obtain an IP address.
- What is the DHCPNACK and when do I get one? Name 2 scenarios.
- What ports are used by DHCP and the DHCP clients?
- Describe the process of installing a DHCP server in an AD infrastructure.
- What is DHCPINFORM?
- Describe the integration between DHCP and DNS.
- What options in DHCP do you regularly use for an MS network?
- What are User Classes and Vendor Classes in DHCP?
- How do I configure a client machine to use a specific User Class?
- What is the BOOTP protocol used for, and where might you find it in Windows network infrastructure?
- DNS zones: describe the differences between the 4 types.
- DNS record types: describe the most important ones.
- Describe the process of working with an external domain name.
- Describe the importance of DNS to AD.
- Describe a few methods of finding an MX record for a remote domain on the Internet.
- What does "Disable Recursion" in DNS mean?
- What could cause the Forwarders and Root Hints to be grayed out?
- What is a "Single Label domain name" and what sort of issues can it cause?
- What is the "in-addr.arpa" zone used for?
- What are the requirements from DNS to support AD?
- How do you manually create SRV records in DNS?
- Name 3 benefits of using AD-integrated zones.
- What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
- You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
- What are the benefits and scenarios of using Stub zones?
- What are the benefits and scenarios of using Conditional Forwarding?
- What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
- How do I work with the Host name cache on a client computer?
- How do I clear the DNS cache on the DNS server?
- What is the 224.0.1.24 address used for?
- What is WINS and when do we use it?
- Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
- Describe the differences between WINS push and pull replications.
- What is the difference between tombstoning a WINS record and simply deleting it?
- Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
- Describe the role of the routing table on a host and on a router.
- What are routing protocols? Why do we need them? Name a few.
- What are router interfaces? What types can they be?
- In Windows 2003 routing, what are the interface filters?
- What is NAT?
- What is the real difference between NAT and PAT?
- How do you configure NAT on Windows 2003?
- How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
- What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
- What is IAS? In what scenarios do we use it?
- What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
- What is the "RAS and IAS" group in AD?
- What are Conditions and Profile in RRAS Policies?
- What types of authentication can a Windows 2003 based RRAS work with?
- How does SSL work?
- How does IPSec work?
- How do I deploy IPSec for a large number of computers?
- What types of authentication can IPSec use?
- What is PFS (Perfect Forward Secrecy) in IPSec?
- How do I monitor IPSec?
- Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
- What can you do with NETSH?
- How do I look at the open ports on my machine?
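The two subnetting questions in the list above (the 192.115.103.64/27 range and the 131.112.0.0 block needing at least 500 hosts per network) worked with Python's ipaddress module, as an added example that is not part of the original page. The /16 prefix assumed for 131.112.0.0 is its classful Class B mask; the question itself gives none, and the general `plan_subnets` function covers any block and host count, not only that case.

```python
"""Added example, not part of the original page: worked answers to the
subnetting questions above, using the standard ipaddress module.
The /16 prefix for 131.112.0.0 is an assumption (classful Class B mask)."""
import ipaddress
import math


def host_range(cidr):
    """Netmask, first/last usable host, broadcast and usable-host count for a
    network given in CIDR notation. strict=True rejects an address that is
    not a valid network start for its prefix (e.g. 192.115.103.70/27)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
    }


def plan_subnets(block, hosts_per_subnet):
    """Longest prefix whose subnets each hold at least hosts_per_subnet usable
    addresses (network and broadcast excluded), and how many such subnets the
    block yields. Returns (prefix_length, netmask, subnet_count)."""
    net = ipaddress.ip_network(block, strict=True)
    host_bits = math.ceil(math.log2(hosts_per_subnet + 2))  # +2: network + broadcast
    prefix = net.max_prefixlen - host_bits
    if prefix < net.prefixlen:
        raise ValueError(f"{block} cannot hold {hosts_per_subnet} hosts in one subnet")
    subnets = list(net.subnets(new_prefix=prefix))
    return prefix, str(subnets[0].netmask), len(subnets)


if __name__ == "__main__":
    print(host_range("192.115.103.64/27"))
    print(plan_subnets("131.112.0.0/16", 500))
```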
Technical Interview Questions - Active Directory
- What is Active Directory?
- What is LDAP?
- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
- Where is the AD database held? What other folders are related to AD?
- What is the SYSVOL folder?
- Name the AD NCs and replication issues for each NC.
- What are application partitions? When do I use them?
- How do you create a new application partition?
- How do you view replication properties for AD partitions and DCs?
- What is the Global Catalog?
- How do you view all the GCs in the forest?
- Why not make all DCs in a large forest as GCs?
- Trying to look at the Schema, how can I do that?
- What are the Support Tools? Why do I need them?
- What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
- What are sites? What are they used for?
- What's the difference between a site link's schedule and interval?
- What is the KCC?
- What is the ISTG? Who has that role by default?
- What are the requirements for installing AD on a new server?
- What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
- How can you forcibly remove AD from a server, and what do you do later?
- Can I get user passwords from the AD database?
- What tool would I use to try to grab security-related packets from the wire?
- Name some OU design considerations.
- What is the tombstone lifetime attribute?
- What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
- What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
- How would you find all users that have not logged on since last month?
- What are the DS* commands?
- What's the difference between LDIFDE and CSVDE? Usage considerations?
- What are the FSMO roles? Who has them by default? What happens when each one fails?
- What FSMO placement considerations do you know of?
- I want to look at the RID allocation table for a DC. What do I do?
- What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
- How do you configure a "standby operation master" for any of the roles?
- How do you backup AD?
- How do you restore AD?
- How do you change the DS Restore admin password?
- Why can't you restore a DC that was backed up 4 months ago?
- What are GPOs?
- What is the order in which GPOs are applied?
- Name a few benefits of using GPMC.
- What are the GPC and the GPT? Where can I find them?
- What are GPO links? What special things can I do to them?
- What can I do to prevent inheritance from above?
- How can I override blocking of inheritance?
- How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
- A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
- Name a few differences in Vista GPOs.
- Name some GPO settings in the computer and user parts.
- What are administrative templates?
- What's the difference between software publishing and assigning?
- Can I deploy non-MSI software with GPO?
- You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Windows Server 2003 Interview Questions & Answers

1. How do you double-boot a Win 2003 server box?

The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.

2. What do you do if an earlier application doesn't run on Windows Server 2003?

When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function, or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties > Compatibility, then selecting the previously supported operating system.

3. If you uninstall Windows Server 2003, which operating systems can you revert to?

Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.

4. How do you get to Internet Firewall settings?

Start > Control Panel > Network and Internet Connections > Network Connections.

5. What are the Windows Server 2003 keyboard shortcuts?

Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with the Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT + M undoes minimization. Winkey + R opens the Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.

6. What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?

The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

8. How long does it take for security changes to be replicated among the domain controllers?

Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

9. What's new in Windows Server 2003 regarding the DNS management?

When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

10. When should you create a forest?

Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

11. How can you authenticate between forests?

Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an n-tier application in another forest; and (4) user principal name (UPN) credentials.

Describe how the DHCP lease is obtained.

It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection, and (d) acknowledgement.

I can't seem to access the Internet, don't have any access to the corporate network, and on ipconfig my address is 169.254.*.*. What happened?

The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

We've installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases off of it. The server must be authorized first with the Active Directory.

How can you force the client to give up the DHCP lease if you have access to the client?

ipconfig /release

What authentication options do Windows 2000 Servers have for remote clients?

PAP, SPAP, CHAP, MS-CHAP and EAP

What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP?

NWLink (Novell), NetBEUI, AppleTalk (Apple)

What is the data link layer in the OSI reference model responsible for?

The data link layer is located above the physical layer but below the network layer. It takes raw data bits and packages them into frames. The network layer will be responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.

What is binding order?

The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.

How do cryptography-based keys ensure the validity of data transferred across the network?

Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting ends, the data was modified or corrupted.

Should we deploy IPSec-based security or certificate-based security?

They are really two different technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets. Certificate-based security ensures the validity of authenticated clients and servers.

What is the LMHOSTS file?

It's a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.

What's the difference between forward lookup and reverse lookup in DNS?

Forward lookup is name-to-address; the reverse lookup is address-to-name.

How can you recover a file encrypted using EFS?

Use the domain recovery agent.
1. What is Active Directory schema?
2. What are the domain functional levels in Windows Server 2003?
3. What are the forest functional levels in Windows Server 2003?
4. What is a global catalog server?
5. How can we raise the domain functional & forest functional level in Windows Server 2003?
6. Which is the default protocol used in directory services?
7. What is IPv6?
8. What is the default domain functional level in Windows Server 2003?
9. What are the physical & logical components of ADS?
10. In which domain functional level can we rename a domain name?
11. What is multimaster replication?
12. What is a site?
13. Which is the command used to remove Active Directory from a domain controller?
14. How can we create a console which contains the schema?
15. What is trust?
16. What is the file that's responsible for keeping the whole Active Directory database?
17.1. Q: What does Active Directory mean?
18.A: The active Directory means a service that identiIies and handles resources, making
them visible Ior diIIerent groups or members that are authorized. It has the role oI an
object store. The Active directory sees as objects workstations, people, servers devices or
documents and they all have their own characteristics and access control list or ACL.
19.
20.2.Q: What is the meaning of Global Catalog?
21.A: A Global Catalog is something that each domain has, and it is used Ior authenticating
the user on the network, on windows 2000 network logon`s were protected Irom Iailures
by assigning a Global Catalog to every site.
22.
23..Q: What is the use for DHCP?
24.A: DHCP is used Ior the DHCP servers, personal computers can get their conIiguration
Irom a DHCP server on an IP conIiguration. The server knows nothing about the personal
computers until they make a request Ior inIormation. Usually the most common
inIormation sent is IP address and DHCP is used to make a large network administration
easier.
25.
26..Q: What does a Super Scope do in DHCP?
27.A: The Super Scope gives the DHCP server the possibility to have leases to multiple
clients on the same physical network. The leases come Irom multiple scopes. All scopes
must be deIined using DHCP manager beIore the Super Scope creation and they are
named member scopes. The DHCP problems can be resolved by the Super Scope in
diIIerent ways like the Iollowing:
28.a) on a physical network like a LAN network where multiple logical IP networks exist
Super Scope is very useIul here. These types oI networks are also named multinets.
29.b) there is also need Ior a Super Scope when the address pool Ior the current scope
becomes empty and there is a need Ior new computers on the physical network.
30.c) when clients have to move on another scope.
31.d) when DHCP clients Irom the other side oI the relay agents (BOOTP) or the network
has many logical subnets.
32.e) when standard networks are limited to leasing addresses Ior the clients.
33..Q: How can we switch the roles in an Active Directory?
34.A: Switching or transIerring roles in an Active Directory can be made with the use oI
Ntdsutil.exe.
35.
36..Q: What is the purpose of a Stub zone DNS?
37.A: The copy oI a zone that has only the needed resources Ior Iinding the authoritative
DNS servers in that speciIic zone (DNS Domain Name Servers) is called a Stub zone. It
also resolves names Ior DNS namespaces, thing required when names must be resolved
Irom two diIIerent DNS namespaces. The Stub zone contains: the master server`s IP that
is used Ior updating the Stub zone and the SOA (Start oI Authority), the NS (name
server) and the glue A delegated zone records.
38.
39..Q: What main file is used for Active Directory backup and how it is made?
40.A: Active Directory backup is made using NTbackup utility. The backup is made once
with the system state and they are restored also together because they depend on each
other. The system state has diIIerent components like:
41.a) The registry
42.b) Boot Iiles or startup Iiles (Iiles required by the operating system to start).
43.c) The component services
44.d) The system volume or the SYSVOL Iolder this is a Iolder that contains Iiles that are
shared on a domain.
45.e) The Active Directory
46.
47..Q: Does a windows administrator have to be critical?
48.A: Yes and I can explain how. A system administrator is responsible Ior an entire
network which means he/she must take care oI multiple things in the same time which is
not an easy task. In order to achieve this, an administrator must have high organization
skills and a high technical knowledge and he/she must prevent the problems Irom
happening so that he/she won`t have to be Iorced to Iix them.
49.
50..Q: In what way is forward lookup zone different from the reverse lookup zone in
NDS?
51.A: There is one diIIerence between these two: the Iorward lookup means name to IP and
reverse lookup means IP to name.
52.
Q: As a system administrator, can you make backups and recover data?
A: This is a responsibility that any system administrator must have as a basic skill. Of course there are many types of backup that can be made, but all must be known for a successful career.

Q: What is the meaning of DHCP and what port does it use to work?
A: DHCP, or Dynamic Host Configuration Protocol, has the ability to assign an IP address automatically; this is done in fact by the server, which has a range of addresses. When the system starts, an IP is assigned automatically. The DHCP server has port number 68, while the client has 67.

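To make the DHCP exchange concrete, here is an added example (not from the original page, and not Microsoft's DHCP code) that builds and parses a minimal DHCPDISCOVER message in Python following the RFC 2131 layout: the fixed header, the magic cookie and the TLV option list. The sample packet, transaction id and MAC address are constructed for the example. Note that RFC 2131 assigns UDP port 67 to the server and 68 to the client; a defender writing firewall rules for DHCP should check both directions.

```python
import struct

DHCP_SERVER_PORT = 67   # RFC 2131: servers listen here
DHCP_CLIENT_PORT = 68   # RFC 2131: clients listen here
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Option codes used in this example (RFC 2132)
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_END = 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(xid, mac):
    """Build a DHCPDISCOVER: 236-byte fixed header, magic cookie, then TLV options."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (broadcast reply requested), ciaddr/yiaddr/siaddr/giaddr all zero
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")            # 16-byte client hardware address field
    sname_file = b"\0" * (64 + 128)          # empty server name and boot file name
    options = (bytes([OPT_MESSAGE_TYPE, 1, 1]) +            # message type = DISCOVER
               bytes([OPT_PARAM_REQUEST, 3, 1, 3, 6]) +     # ask for mask, router, DNS
               bytes([OPT_END]))
    return header + chaddr + sname_file + MAGIC_COOKIE + options


def parse(packet):
    """Parse header and options; raises ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    chaddr = packet[28:28 + hlen]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                        # pad byte, no length
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        options[code] = value
        i += 2 + length
    else:
        raise ValueError("options not terminated by END")
    mt = options.get(OPT_MESSAGE_TYPE)
    msg_type = MESSAGE_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "chaddr": chaddr.hex(":"), "type": msg_type, "options": options}


def is_malformed(packet):
    """True if the parser rejects the packet (useful for fuzzing a receiver)."""
    try:
        parse(packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pkt = build_discover(0xDEADBEEF, bytes.fromhex("001122334455"))   # constructed
    print(parse(pkt))
```

The parser refuses a packet that is shorter than the fixed header or whose option list is truncated instead of reading past the buffer, which is the check a receiver needs before trusting anything in the message.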
Q: Can you keep the system updated all the time and perform market research?
A: Staying up to date is another strong point of a professional administrator; technology evolves and we must keep up with the flow, otherwise we can't do our job in a professional way. Market research is the key to up-to-date work.

Q: Is it possible for a computer to browse the internet without having a default gateway?
A: Yes it is, as long as we use a public IP address. The gateway is required, as a router or firewall, when using an intranet address.

Q: What are the advantages and disadvantages of using DHCP?
A: The advantage is that the DHCP server configures all IPs automatically, and the disadvantage is that when you receive a new IP address the machine name remains the same, because of its association with the old IP. It's not a real problem, but when somebody tries to access the machine by its name it becomes one.

Q: Are you familiar with monitoring?
A: Yes, monitoring is a basic activity of a system administrator: he/she manages all the access rights and the server space, and the security of the user accounts is one of the most important things here. An administrator must also make sure that the users' activity doesn't affect the integrity of the server in any way.

Q: How can we create an SRV record in DNS?
A: To do this we must open the DNS console, select the abc.local domain, right-click it and go to Other New Records, then choose SRV (Service Location).

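The two DNS answers above (forward versus reverse lookup, and the SRV record) are easier to check with a small script. The following Python is an added example, not from the original page: it derives the reverse-lookup name an IP maps to, writes the zone-file form of an SRV record for the page's abc.local domain, and parses such a line back, rejecting malformed ones. The host name dc1.abc.local and the address 192.0.2.10 are constructed for the example.

```python
import ipaddress
import re

# Constructed values for the example (the domain abc.local is the one the page uses)
DOMAIN = "abc.local"
DC_HOST = "dc1.abc.local"
DC_IP = "192.0.2.10"      # documentation range, constructed


def reverse_name(ip):
    """Name a reverse (PTR) lookup queries: IPv4 -> in-addr.arpa, IPv6 -> ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def srv_record(service, proto, domain, target, port, priority=0, weight=100, ttl=600):
    """Zone-file line for an SRV record, e.g. the LDAP locator record of a domain controller."""
    owner = "_%s._%s.%s." % (service, proto, domain)
    return "%s %d IN SRV %d %d %d %s." % (owner, ttl, priority, weight, port, target)


def ptr_record(ip, hostname, ttl=600):
    """Zone-file line for the matching reverse-lookup (PTR) record."""
    return "%s. %d IN PTR %s." % (reverse_name(ip), ttl, hostname)


_SRV_RE = re.compile(
    r"^(?P<owner>_[^.]+\._(?:tcp|udp)\.[^\s]+\.)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>[^\s]+\.)$")


def parse_srv(line):
    """Parse a zone-file SRV line back into its fields; ValueError if malformed."""
    m = _SRV_RE.match(line.strip())
    if not m:
        raise ValueError("not an SRV record: %r" % line)
    d = m.groupdict()
    port = int(d["port"])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return {"owner": d["owner"], "ttl": int(d["ttl"]), "priority": int(d["priority"]),
            "weight": int(d["weight"]), "port": port, "target": d["target"]}


if __name__ == "__main__":
    line = srv_record("ldap", "tcp", DOMAIN, DC_HOST, 389)
    print(line)
    print(parse_srv(line))
    print(ptr_record(DC_IP, DC_HOST))
```

When auditing a domain's DNS, the SRV owner names (for example _ldap._tcp under the domain) and the PTR names produced here are what you compare against what the zone actually serves; a missing or mistyped owner name is a common reason domain joins and Kerberos referrals fail.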
Q: How quickly are security changes applied on the domain controllers?
A: Including policies for personal and public lockout, the changes apply immediately. The changes also include passwords and the LSA, or Local Security Authority.

Q: What do you do if an end user states that a file is gone?
A: Files are deleted constantly by end users, but the backup can restore them. However, before using the backup we must check whether the user moved the file to another place by mistake.

Q: Where are the environment settings and documents of a roaming profile stored?
A: These documents and settings are kept locally until the user logs off, when they are moved into the shared folder on the server, so logging on at a fresh system may take a while because of this.

Q: What are the classes that we can find in the Active Directory of Windows Server 2003?
A: We can find:
a) the abstract class, which can be made to look like a template and used to create other templates, no matter whether they are abstract, auxiliary or structural.
b) the structural class, the important type of class, which is made from multiple abstract classes or an existing structural class. They are the only ones that can make Active Directory objects.
c) the auxiliary class, which is used as a replacement for many attributes of a structural class; it is a list of attributes.
d) the 88 class, which is used for object classes that were defined before 1993; it is not a common class and doesn't use abstract, structural or auxiliary classes.

Q: When is a good time for creating a forest?
A: Certain companies that have different bases require different trees and separate namespaces, and unique names sometimes give birth to different DNS identities. Also, companies are sometimes acquired and come under other influences, but continuity must be preserved for the names.

Q: Can you tell us about your experience in the past regarding Windows administration?
A: I have ten years of experience in this field. I was passionate about computers since childhood and I installed many operating systems at home and inside organizations, including these versions of Windows: 95, 98, 98 SE, NT, Millennium, 2000, 2003 Server, XP, Seven, Vista. I also managed these systems and performed maintenance, and I worked with different applications from the Windows environment.

Q: How would you handle a situation in which, for instance, you have an application that is not running on Windows 2003 because it's older?
A: In this situation the application has to be started in compatibility mode with a previous Windows operating system. This is done by right-clicking the application icon and choosing another Windows version from the compatibility menu.

Q: What is the meaning of Repadmin.exe in Windows Server 2008?
A: Repadmin.exe is the Replication Diagnostics Tool and helps with the diagnosis of domain controllers in the Windows system. This tool is used by administrators to see the replication topology from the perspective of every domain controller. The Active Directory forest can also be supervised with Repadmin.exe, and replication problems can be tracked.

Q: What difference can we find in the usage of CSVDE versus LDIFDE?
A: CSVDE and LDIFDE are both commands used for importing and exporting objects, but they differ in that CSVDE uses the CSV (Comma Separated Value) format, which Excel can open, while LDIFDE uses the LDIF (LDAP Data Interchange Format) file type, which can be viewed with a simple text editor. LDIFDE can also be used for modifying or deleting objects, unlike CSVDE.

Q: What big differences exist between these two operating systems: Windows 2000 and Windows XP?
A: Windows 2000 has more capabilities than Windows XP, especially regarding features like DHCP, Terminal Services or DNS. It has all the advantages for server usage. Windows 2000 is a little more professional than XP, but both come in different versions for every user's taste. While XP has Home, Professional or Enterprise versions, Windows 2000 has Professional and Server editions. The Home version of XP comes with minimal features because the target clients are beginners.

Q: What are the things that make Unix different from Windows?
A: The runtime code loading of Unix is different from the one Windows has. We must become aware of how the system exactly works before we make a dynamically loaded module. Unix has shared objects with the .so extension that encapsulate lines of code that programs will use, together with the function names. These function names become the references of those functions in the memory of the program when the file is combined with the program. In Windows the .dll file (dynamic-link library file) doesn't have references, and the code of the files does not link to the memory of the program; instead it goes through a lookup table which points to data or functions. Unix has just one type of library file, with the .a extension, and the code of many object files with the .o extension is contained within it. When a link is created for a shared object file and the definition of an identifier is not found, the object code from the library will be included.

AdRmsAdmin.msc Active Directory Rights Management Services
Adsiedit.msc ADSI Edit
Azman.msc Authorization Manager
Certmgr.msc Certmgr (Certificates)
Certtmpl.msc Certificates Template Console
CluAdmin.msc Failover Cluster Management
Comexp.msc Component Services
Compmgmt.msc Computer Management
Devmgmt.msc Device Manager
Dfsmgmt.msc DFS Management
Dhcpmgmt.msc DHCP Manager
Diskmgmt.msc Disk Management
Dnsmgmt.msc DNS Manager
Domain.msc Active Directory Domains And Trusts
Dsa.msc Active Directory Users And Computers
Dssite.msc Active Directory Sites And Services
Eventvwr.msc Event Viewer
Fsmgmt.msc Shared Folders
Fsrm.msc File Server Resource Manager
Fxsadmin.msc Microsoft Fax Service Manager
Gpedit.msc Local Group Policy Editor
Lusrmgr.msc Local Users And Groups
Napclcfg.msc NAP Client Configuration
Nfsmgmt.msc Services For Network File System
Nps.msc Network Policy Server
Ocsp.msc Online Responder
Perfmon.msc Reliability And Performance Monitor
Pkiview.msc Enterprise PKI
Printmanagement.msc Print Management
Remoteprograms.msc TS RemoteApp Management
Rsop.msc Resultant Set of Policy
Secpol.msc Local Security Policy
ServerManager.msc Server Manager
StorageMgmt.msc Share And Storage Management
Services.msc Services
StorExpl.msc Storage Explorer
Tapimgmt.msc Telephony
Taskschd.msc Task Scheduler
Tpm.msc Trusted Platform Module (TPM) Management
Tsadmin.msc Terminal Services Management
Tsconfig.msc Terminal Services Configuration
Tsgateway.msc TS Gateway Manager
Tsmmc.msc Remote Desktops
Uddi.msc UDDI Services Console
Wbadmin.msc Windows Server Backup
Wdsmgmt.msc Windows Deployment Services
Winsmgmt.msc WINS Manager
WmiMgmt.msc WMI Control

Read more: http://www.placementpapers.us/microsoft/883-windowsserver2008runcommandsadministrators.html
Under Creative Commons License: Attribution
Windows Server 2003 Active Directory and Security questions
By admin, December 7, 2003
1. What's the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? gponame > User Configuration > Windows Settings > Remote Installation Services > Choice Options is your friend.
10. What's contained in the administrative template conf.adm? Microsoft NetMeeting policies.
11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but the MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes, give or take.
16. Where is secedit? It's now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can't.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in their approach to user shares? They don't; both have support for sharing.
24. Explain the List Folder Contents permission on a folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of the file into the Run window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has the Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has the Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
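Questions 26 and 27 together describe how NTFS combines permissions for a user who is in several groups: Allow is cumulative across groups, and a Deny from any group removes the right. The following Python is an added example that models exactly that rule (it is not Windows' own DACL evaluation, which additionally orders explicit entries before inherited ones and stops at the first matching entry); the SIDs, group names and rights are constructed for the example.

```python
# Simplified model of NTFS effective permissions for a user in several groups:
# Allow entries from every group the user is in are ORed together (permissive),
# and a Deny entry for any of them removes the right (restrictive, wins regardless).
# Constructed example; real DACL evaluation is also order-dependent.

READ, WRITE, EXECUTE = 1, 2, 4
RIGHT_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute"}


def effective_rights(principals, aces):
    """principals: the user's own SID plus every group SID in the token.
    aces: list of (type, trustee_sid, mask), type being 'allow' or 'deny'.
    Returns the bitmask of rights the user can actually exercise."""
    allowed = denied = 0
    for ace_type, trustee, mask in aces:
        if trustee not in principals:        # entry is for someone else
            continue
        if ace_type == "deny":
            denied |= mask
        elif ace_type == "allow":
            allowed |= mask
        else:
            raise ValueError("unknown ACE type %r" % ace_type)
    return allowed & ~denied                 # Deny overrides Allow


def check_access(principals, aces, requested):
    """True only if every requested right survives the Deny pass."""
    return (effective_rights(principals, aces) & requested) == requested


def explain(principals, aces, requested):
    """Human-readable verdict naming the rights that were not granted."""
    eff = effective_rights(principals, aces)
    missing = [RIGHT_NAMES[r] for r in (READ, WRITE, EXECUTE) if requested & r and not eff & r]
    return "granted" if not missing else "denied: " + ", ".join(missing)


# Constructed token and DACL used by the demonstration below
TOKEN_ALICE = {"S-alice", "S-Sales", "S-Everyone"}
TOKEN_BOB = {"S-bob", "S-Sales"}
DACL = [("allow", "S-Sales", READ | WRITE),
        ("allow", "S-Everyone", READ),
        ("deny", "S-Everyone", WRITE)]

if __name__ == "__main__":
    print("alice:", explain(TOKEN_ALICE, DACL, READ | WRITE))   # denied: write
    print("bob:", explain(TOKEN_BOB, DACL, READ | WRITE))       # granted
```

The practical lesson for a reviewer is visible in the two tokens: the same Sales Allow entry gives write access to one user and not the other, purely because a Deny on a group the first user also belongs to takes precedence.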
28. What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the DFS directory tree structure, or topology, locally. Thus, if a shared folder is inaccessible or if the DFS root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the DFS topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of a file at the same time, with no file locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line? A time stamp is attached to the initial client request, encrypted with the shared key.
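The timestamp in question 36 is Kerberos pre-authentication: the KDC only accepts the initial request if the timestamp, protected under the key shared with the client, is recent and has not been seen before. The Python below is an added example modelling the server-side checks (it is not Windows' or MIT Kerberos' code): the shared key, principal name and clock values are constructed, and an HMAC-SHA256 tag stands in for the encryption Kerberos actually applies. It shows why the check defeats both tampering and replay of a captured request.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 300   # seconds; Kerberos tolerates 5 minutes of clock skew by default
TAG_LEN = 32
# Constructed shared key (from a made-up password). In Kerberos this is the client's
# long-term key shared with the KDC.
SHARED_KEY = hashlib.sha256(b"constructed-example-password").digest()


def make_authenticator(key, principal, now=None, nonce=None):
    """Client side: bind principal, current timestamp and a random nonce under the
    shared key. HMAC-SHA256 stands in here for the encryption Kerberos uses."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8) if nonce is None else nonce
    p = principal.encode("utf-8")
    body = struct.pack("!H", len(p)) + p + struct.pack("!Q", ts) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KdcPreauth:
    """Server side: checks the tag, rejects stale timestamps and replays."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}   # replay cache: (principal, ts, nonce) -> expiry time

    def verify(self, blob, now=None):
        now = int(time.time() if now is None else now)
        if len(blob) < 2 + 8 + 8 + TAG_LEN:
            return "malformed"
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad key or tampered"       # wrong password, or modified in transit
        plen = struct.unpack("!H", body[:2])[0]
        if len(body) != 2 + plen + 8 + 8:
            return "malformed"
        principal = body[2:2 + plen]
        ts = struct.unpack("!Q", body[2 + plen:10 + plen])[0]
        nonce = body[10 + plen:]
        if abs(now - ts) > self.max_skew:
            return "clock skew too great"      # captured earlier and replayed late, or bad clocks
        # expire old cache entries, then look for an identical authenticator
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        entry = (principal, ts, nonce)
        if entry in self.seen:
            return "replay"
        self.seen[entry] = ts + self.max_skew
        return "ok"


def scenario(t0=1_700_000_000):
    """Fixed-clock walk-through returning the verdict for each case."""
    kdc = KdcPreauth(SHARED_KEY)
    first = make_authenticator(SHARED_KEY, "alice@EXAMPLE.LOCAL", now=t0, nonce=b"\x01" * 8)
    tampered = bytearray(first)
    tampered[2] ^= 1                            # flip one bit of the principal
    wrong_key = make_authenticator(b"k" * 32, "alice@EXAMPLE.LOCAL", now=t0)
    late = make_authenticator(SHARED_KEY, "alice@EXAMPLE.LOCAL", now=t0, nonce=b"\x02" * 8)
    return {
        "fresh": kdc.verify(first, now=t0 + 10),
        "replayed": kdc.verify(first, now=t0 + 20),
        "tampered": kdc.verify(bytes(tampered), now=t0 + 10),
        "wrong_key": kdc.verify(wrong_key, now=t0 + 10),
        "too_old": kdc.verify(late, now=t0 + 400),
        "truncated": kdc.verify(first[:20], now=t0 + 10),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print("%-10s %s" % (case, verdict))
```

Two design points carry over to the real protocol: the replay cache only needs to remember entries for the skew window, because anything older is rejected by the timestamp check first, and the tag is verified before any field is parsed so that a forged message cannot steer the parser.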
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry-standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What's the number of permitted unsuccessful logons on the Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? The user's last 6 passwords.
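Questions 37, 40 and 42 are connected: a fast, unsalted hash (MD5 or SHA-1 of the password alone) lets one precomputed table of dictionary words match every account that uses the same password, which is the weakness question 40 describes; the defence is a per-user random salt and a deliberately slow derivation, and the same salted verifiers can back the password-history rule of question 42. The following Python is an added example, not from the page and not Windows' SAM or NTLM code: the candidate list and user names are constructed, and PBKDF2-HMAC-SHA256 is used as the slow salted hash (its iteration count is set low to keep the demonstration quick).

```python
import hashlib
import hmac
import os


def digest_bits(name):
    """Output size in bits of a hashlib algorithm, e.g. md5 -> 128, sha1 -> 160."""
    return hashlib.new(name).digest_size * 8


# Constructed candidate list for the illustration (not a real wordlist)
CANDIDATES = ["password", "Winter2003", "letmein", "Summer2003!"]


def unsalted_lookup_table(candidates, algo="md5"):
    """Why unsalted fast hashes are weak: one table of hash -> word matches every
    user whose stored hash equals the hash of a candidate."""
    return {hashlib.new(algo, c.encode("utf-8")).hexdigest(): c for c in candidates}


def matches_table(stored_hex, table):
    """Candidate that produced the stored hash, or None."""
    return table.get(stored_hex)


class SaltedPasswordStore:
    """Per-user random salt + PBKDF2 verifier, plus a history of the last N verifiers
    so a user cannot cycle back to a recent password (N=6 per the page's question 42)."""
    ITERATIONS = 20_000          # kept low for the demo; production uses far more

    def __init__(self, history=6):
        self.history = history
        self.users = {}          # user -> [(salt, verifier), ...], newest last

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def _reused(self, user, password):
        # each remembered verifier has its own salt, so re-derive against each one
        for salt, verifier in self.users.get(user, []):
            if hmac.compare_digest(self._derive(password, salt), verifier):
                return True
        return False

    def set_password(self, user, password):
        """True if accepted; False if it repeats one of the last N passwords."""
        if self._reused(user, password):
            return False
        salt = os.urandom(16)
        entries = self.users.setdefault(user, [])
        entries.append((salt, self._derive(password, salt)))
        del entries[:-self.history]          # keep only the N most recent verifiers
        return True

    def verify(self, user, password):
        """Check a logon against the current (newest) verifier only."""
        entries = self.users.get(user)
        if not entries:
            return False
        salt, verifier = entries[-1]
        return hmac.compare_digest(self._derive(password, salt), verifier)


def history_scenario():
    """Walk-through of the 6-password history rule; returns the accept/reject results."""
    store = SaltedPasswordStore(history=6)
    results = [store.set_password("alice", "Winter2003"),     # True: first password
               store.set_password("alice", "Winter2003")]     # False: reuse of current
    for i in range(6):
        results.append(store.set_password("alice", "pw%d" % i))   # six new ones
    results.append(store.set_password("alice", "Winter2003"))     # True: aged out of history
    results.append(store.verify("alice", "Winter2003"))           # True: now current
    results.append(store.verify("alice", "pw5"))                  # False: superseded
    return results


if __name__ == "__main__":
    table = unsalted_lookup_table(CANDIDATES)
    print(matches_table(hashlib.md5(b"letmein").hexdigest(), table))   # letmein
    print(history_scenario())
```

Note that with the salted store two users who choose the same password get different verifiers, so the lookup-table approach that works against the unsalted list does not transfer; the history check has to re-derive against each stored salt, which is the price of that property.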
43. What is Active Directory?
The Windows directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and apply. With Active Directory, users can gain access to resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure.

What is the campus Windows AD Domain?
Active Directory is the directory service in a Windows network. The directory service stores information about network resources and makes the resources accessible to users and applications. Andrew Windows includes the ad.cmu.edu forest root domain. This is the top-level naming structure. Andrew Windows also includes the andrew.ad.cmu.edu domain within the forest.
44. What is a forest?
A forest refers to an organizational structure that is a group of one or more trusted Windows trees. A forest shares a schema and global catalog servers. A single tree can also be called a forest.
45. What is a tree?
A tree is basically a domain or domains connected together in a hierarchy. The trees are linked together via a two-way transitive trust, sharing a common schema, configuration, and global catalog.
46. What departments should consider joining the AD domain?
For departments running Netware, this is a great migration strategy. Departments interested in single sign-on with Andrew accounts, cross-departmental information sharing, automating machine installs via RIS and GPOs, NT4 departments, domains with limited support personnel, and departments running stand-alone Windows 2000 or 2003 Servers are some of the reasons to consider the AD domain.
47. How can I do a remote install of an operating system?
Many newer computers support the PXE standard, built into the latest network adapters, which lets you install an operating system over the network. Because no CD is required you can build many machines much faster. You can also have software deployed that you've defined in a Group Policy Object.
48. What is the purpose of the AD password reset?
If you are accessing an Active Directory resource (such as a shared folder) from a non-Kerberos computer (Win9x, WinNT) or a non-domain machine, you are required to reset your Active Directory password. Client machines use Kerberos referrals to get credentials from the Andrew UNIX KDCs. Therefore, machines that cannot understand the Kerberos referrals need to directly set the Active Directory password.
49. Can I have my own AD infrastructure?
DNS support for external forests will be available via NetReg, and the forest structure will reside under 'win.cmu.edu'. Send the domain request to netdev@andrew.cmu.edu, specifying the domain name (e.g. example.win.cmu.edu) and the domain controllers (e.g. dc1.example.win.cmu.edu, dc2.example.win.cmu.edu).
50. How do I prepare to join the AD domain?
You must have administrative access to a Departmental Organizational Unit (OU). To request an Organizational Unit (OU) for your department, send email to advisor@andrew.cmu.edu. You will also want to refer to the documents available on this website.
51. What Operating Systems are supported on the AD domain?
Only modern Windows computers and servers are permitted to be part of the AD domain.
52. What is an Organizational Unit (OU)?
A Windows OU is an organizational unit (a directory container) for grouping similar accounts or machines. OUs are used to provide a means of delegating authority over a group of accounts or machines to a person (the local administrator).
53. What is inheritance, and how does it work?
Group Policy is passed down from parent to child containers within a domain, which you can view by using the Active Directory Users and Computers snap-in tool. If you assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. You can block policy inheritance at the domain or organizational-unit level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy inheritance check box.
54. How do I administer my OU?
From a computer that is on the AD domain you will install the Active Directory Users and Computers snap-in tool. The tool is located on the Windows Server installation CD in the i386 directory. Run adminpak.msi to install it.
55. Can departments block OUs on their parent?
Group Policy Objects applied at a parent level in Active Directory will be applied to all child objects. Currently, there is one Group Policy Object being applied at the Domain level of the tree. The Andrew Core GPO configures domain machines to function with the core Andrew Kerberos applications (e.g. NiftyTelnet, KerbFTP, Oracle Calendar, Mulberry) and is inherited by all machines in the Andrew Domain.
You can block top-level Group Policy Objects from being applied at the Organizational Unit (OU) level. Blocking prevents inheritance of GPOs from parent objects, but they can still be explicitly assigned at the Organizational Unit (OU) level.
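The LSDOU order from the interview list (question 3), the inheritance described in question 53 and the blocking described in question 55 can be put together in one model. The Python below is an added example and a simplification, not Windows' Group Policy engine: containers are processed Local, Site, Domain, then OUs from parent to child, a later GPO wins a conflicting setting, and an OU with Block Policy inheritance discards the GPOs linked above it while keeping those linked at that OU and the Local GPO. The container names follow the page (andrew.ad.cmu.edu, the Andrew Core GPO); the settings, the site and the OU names are constructed.

```python
# Model of LSDOU Group Policy processing with Block Policy inheritance.
# Added example, a simplification of what the page describes; not Windows code.

class Container:
    def __init__(self, name, kind, gpos=(), block_inheritance=False):
        self.name = name
        self.kind = kind                     # "local", "site", "domain" or "ou"
        self.gpos = list(gpos)               # [(gpo_name, {setting: value}), ...]
        self.block_inheritance = block_inheritance


def applied_gpos(chain):
    """chain: containers in LSDOU order, ending at the target's own OU.
    Returns [(container, gpo_name)] in the order the GPOs are applied."""
    applied = []
    for c in chain:
        if c.kind == "ou" and c.block_inheritance:
            # Block Policy inheritance: drop GPOs linked at the site, the domain and
            # parent OUs; the Local GPO is not linked to a container and still applies.
            applied = [(cn, g) for cn, g in applied if cn.kind == "local"]
        for name, _ in c.gpos:               # GPOs linked here are explicitly assigned
            applied.append((c, name))
    return applied


def resultant_set(chain):
    """Resultant Set of Policy: for each setting, (winning value, GPO that set it).
    The GPO applied last wins a conflict."""
    winners = {}
    settings_of = {(c.name, n): s for c in chain for n, s in c.gpos}
    for c, name in applied_gpos(chain):
        for setting, value in settings_of[(c.name, name)].items():
            winners[setting] = (value, name)
    return winners


# Constructed example hierarchy (settings and site/OU names are illustrative)
LOCAL = Container("PC1", "local", [("Local", {"screensaver_timeout": 600})])
SITE = Container("Pittsburgh", "site", [("SiteGPO", {"proxy": "site-proxy"})])
DOMAIN = Container("andrew.ad.cmu.edu", "domain",
                   [("Andrew Core", {"kerberos_apps": "on", "screensaver_timeout": 900})])
DEPT = Container("CS", "ou", [("CS Policy", {"proxy": "cs-proxy"})])
LAB = Container("Lab", "ou", [("Lab Policy", {"screensaver_timeout": 300})],
                block_inheritance=True)

if __name__ == "__main__":
    print("CS workstation:", resultant_set([LOCAL, SITE, DOMAIN, DEPT]))
    print("Lab workstation:", resultant_set([LOCAL, SITE, DOMAIN, DEPT, LAB]))
```

The second call shows the cost of blocking that question 55 warns about: the Lab OU no longer receives the domain-level Andrew Core settings at all, not only the one it meant to override, so anything the domain relied on (here the kerberos_apps setting) has to be linked again at the blocked OU.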
Forest trust
A trust that must be explicitly created by a systems administrator between two forest root domains. This trust allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests. The trust is transitive between two forests only and can be one-way or two-way. See also shortcut trust; external trust; realm trust.
Forward lookup
In Domain Name System (DNS), a query process in which the friendly DNS domain name of a host computer is searched to find its Internet Protocol (IP) address.
Global catalog
A domain controller that contains a partial replica of every domain in Active Directory. A global catalog holds a replica of every object in Active Directory, but with a limited number of each object's attributes. The global catalog stores those attributes most frequently used in search operations (such as a user's first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically. The attributes replicated into the global catalog include a base set defined by Microsoft. Administrators can specify additional properties to meet the needs of their installation.
Global catalog server
A domain controller that holds a copy of the global catalog for the forest.
Global group
A security or distribution group that can contain users, groups, and computers from its own domain as members. Global security groups can be granted rights and permissions for resources in any domain in the forest. See also local group; group.
Globally unique identifier (GUID)
A 128-bit number that is guaranteed to be unique. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current distinguished name.
GPO See Group Policy Object (GPO).
Gpresult.exe
A command-line tool that enables you to create and display a Resultant Set of Policy (RSoP) query on the command line. In addition, Gpresult provides general information about the operating system, user, and computer.
Gpupdate.exe
In Microsoft Windows Server 2003 and Microsoft Windows XP Professional, a command-line tool that enables you to refresh policy immediately. Gpupdate replaces the secedit.exe /refreshpolicy command used for refreshing Group Policy Objects (GPOs) in Microsoft Windows 2000.
1. When is a system in a safe state?
The set of dispatchable processes is in a safe state if there exists at least one temporal order in which all processes can be run to completion without resulting in a deadlock.
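The definition above is exactly what the Banker's algorithm tests: it searches for one completion order in which each process, given what is currently free plus what earlier finishers release, can obtain its remaining need. The following Python is an added example of that general check (the page only states the definition); the resource matrices are constructed for the illustration.

```python
# Safe-state check (Banker's algorithm). Added example; constructed inputs.

def find_safe_sequence(available, allocation, maximum):
    """available[j]: free units of resource j.
    allocation[i][j] / maximum[i][j]: units process i holds / may ever request.
    Returns a list of process indices in a completion order, or None if unsafe."""
    n, m = len(allocation), len(available)
    need = [[maximum[i][j] - allocation[i][j] for j in range(m)] for i in range(n)]
    if any(x < 0 for row in need for x in row):
        raise ValueError("a process holds more than its declared maximum")
    work = list(available)           # what is free right now
    finished = [False] * n
    order = []
    progress = True
    while progress:
        progress = False
        for i in range(n):
            if not finished[i] and all(need[i][j] <= work[j] for j in range(m)):
                for j in range(m):
                    work[j] += allocation[i][j]   # i runs to completion and frees its holdings
                finished[i] = True
                order.append(i)
                progress = True
    return order if all(finished) else None


def is_safe(available, allocation, maximum):
    return find_safe_sequence(available, allocation, maximum) is not None


# Constructed example: five processes, three resource types
AVAILABLE = [3, 3, 2]
ALLOCATION = [[0, 1, 0], [2, 0, 0], [3, 0, 2], [2, 1, 1], [0, 0, 2]]
MAXIMUM = [[7, 5, 3], [3, 2, 2], [9, 0, 2], [2, 2, 2], [4, 3, 3]]

if __name__ == "__main__":
    print(find_safe_sequence(AVAILABLE, ALLOCATION, MAXIMUM))   # e.g. [1, 3, 4, 0, 2]
    print(is_safe([0], [[1], [1]], [[2], [2]]))                  # False: nobody can finish
```

The second call is the deadlock case: nothing is free and every process still needs one more unit, so no order exists.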
2. What is cycle stealing?
We encounter cycle stealing in the context of Direct Memory Access (DMA). Either the DMA controller can use the data bus when the CPU does not need it, or it may force the CPU to temporarily suspend operation. The latter technique is called cycle stealing. Note that cycle stealing can be done only at specific break points in an instruction cycle.
3. What is meant by arm-stickiness?
If one or a few processes have a high access rate to data on one track of a storage disk, then they may monopolize the device by repeated requests to that track. This generally happens with most common device scheduling algorithms (LIFO, SSTF, C-SCAN, etc.). High-density multisurface disks are more likely to be affected by this than low-density ones.
4. What is busy waiting?
The repeated execution of a loop of code while waiting for an event to occur is called busy-waiting. The CPU is not engaged in any real productive activity during this period, and the process does not progress toward completion.
5. What are the typical elements of a process image?
User data: modifiable part of user space. May include program data, user stack area, and programs that may be modified.
User program: the instructions to be executed.
System stack: each process has one or more LIFO stacks associated with it, used to store parameters and calling addresses for procedure and system calls.
Process Control Block (PCB): information needed by the OS to control processes.
6. What are turnaround time and response time?
Turnaround time is the interval between the submission of a job and its completion. Response time is the interval between the submission of a request and the first response to that request.
7. What is a binary semaphore? What is its use?
A binary semaphore is one which takes only 0 and 1 as values. They are used to implement mutual exclusion and synchronize concurrent processes.
8. What is thrashing?
It is a phenomenon in virtual memory schemes when the processor spends most of its time swapping pages, rather than executing instructions. This is due to an inordinate number of page faults.
9. What is a trap and trapdoor?
A trapdoor is a secret undocumented entry point into a program used to grant access without normal methods of access authentication. A trap is a software interrupt, usually the result of an error condition.
Q: What is Active Directory?
An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.
An active directory (sometimes referred to as an AD) performs a variety of functions, including the ability to provide information on objects, helping organize these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.
Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location. Active Directory stores information and settings in a central database.
Q: What is LDAP?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.
Q: Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
- Yes, you can connect other vendors' Directory Services with Microsoft's version.
- Yes, you can use DirXML or LDAP to connect to other directories (i.e. eDirectory from Novell, or NDS (Novell Directory Services)).
- Yes, you can connect Active Directory to other 3rd-party Directory Services such as the directories used by SAP, Domino etc. with the help of MIIS (Microsoft Identity Integration Server).
Q: Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
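The write-ahead behaviour described above (log first, database second, checkpoint recording how far the log has been applied, and a shutdown marker that decides whether recovery runs) is the reason an unclean shutdown does not lose committed directory changes. The Python below is an added example that models that sequence with in-memory stand-ins for ntds.dit, edb.log and edb.chk; it is not ESE or Windows code, the record contents are constructed, and the reserve logs res1.log and res2.log are not modelled.

```python
# Model of the log-then-database write path and crash recovery described on the page.
# Added example with in-memory stand-ins for the files; not ESE code.

import json


class MiniEse:
    def __init__(self):
        self.files = {
            "ntds.dit": {},                                   # the database: key -> value
            "edb.log": [],                                    # transaction log, append-only
            "edb.chk": {"applied": 0, "clean_shutdown": False},  # checkpoint file
        }

    def commit(self, key, value, flush_to_db=True):
        """Log first (durable), then apply to the database.
        flush_to_db=False models a crash between the two steps."""
        log = self.files["edb.log"]
        log.append({"lsn": len(log) + 1, "key": key, "value": value})
        self.files["edb.chk"]["clean_shutdown"] = False
        if flush_to_db:
            self._apply(log[-1])

    def _apply(self, rec):
        self.files["ntds.dit"][rec["key"]] = rec["value"]
        self.files["edb.chk"]["applied"] = rec["lsn"]          # checkpoint advances

    def shutdown(self):
        """Clean shutdown: apply outstanding log records, then write the shutdown marker."""
        chk = self.files["edb.chk"]
        for rec in self.files["edb.log"][chk["applied"]:]:
            self._apply(rec)
        chk["clean_shutdown"] = True

    def reboot_after_crash(self):
        """Power loss: only what already reached 'disk' survives into the new instance."""
        fresh = MiniEse()
        fresh.files = json.loads(json.dumps(self.files))        # deep copy of on-disk state
        return fresh

    def startup(self):
        """Recovery: if the shutdown marker is missing, replay log records past the
        checkpoint into the database. Returns how many records were replayed."""
        chk = self.files["edb.chk"]
        replayed = 0
        if not chk["clean_shutdown"]:
            for rec in self.files["edb.log"][chk["applied"]:]:
                self._apply(rec)
                replayed += 1
        chk["clean_shutdown"] = False        # database is open again
        return replayed


def crash_scenario():
    """A change that reached the log but not the database is recovered on restart."""
    db = MiniEse()
    db.commit("cn=alice", "user")
    db.commit("cn=bob", "user", flush_to_db=False)            # in edb.log only
    before = dict(db.files["ntds.dit"])
    after = db.reboot_after_crash()
    replayed = after.startup()
    return before, replayed, after.files["ntds.dit"]


def clean_scenario():
    """After a clean shutdown the marker is present and startup replays nothing."""
    db = MiniEse()
    db.commit("cn=carol", "user", flush_to_db=False)
    db.shutdown()
    return db.files["edb.chk"]["clean_shutdown"], db.startup(), db.files["ntds.dit"]


if __name__ == "__main__":
    print(crash_scenario())
    print(clean_scenario())
```

For incident response this is also why the log files in the NTDS folder deserve the same protection and acquisition care as ntds.dit itself: a change that has been committed to the log is part of the directory's state even if it has not yet reached the database file.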
Q: What is the SYSVOL folder?
- All Active Directory database security-related information is stored in the SYSVOL folder, and it is only created on an NTFS partition.
- The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically the domain controller information stored in files, such as your group policy data, is replicated through this folder structure.
Q: Name the AD NCs and the replication issues for each NC
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
What are application partitions? When do I use them?
Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific
domain controllers. A domain controller that participates in the replication of a particular
application directory partition hosts a replica of that partition. Only domain controllers running
Windows Server 2003 can host a replica of an application directory partition.
How do you create a new application partition?
http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor:
go to Start > Run > type replmon
What is the Global Catalog?
The global catalog contains a complete replica of all objects in Active Directory for its host
domain, and contains a partial replica of all objects in Active Directory for every other domain in
the forest.
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory forest. The
global catalog is stored on domain controllers that have been designated as global catalog servers
and is distributed through multimaster replication. Searches that are directed to the global catalog
are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single
domain directory partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or application to provide
the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its full,
writable domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. The additional domain directory partitions are partial
because only a limited set of attributes is included for each object. By including only the
attributes that are most used for searching, every object in every domain in even the largest forest
can be represented in the database of a single global catalog server.
How do you view all the GCs in the forest?
C:\>repadmin /showreps <domain_controller>
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.%USERDNSDOMAIN%
Why not make all DCs in a large forest GCs?
The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would
all have to hold a reference to every object in the entire forest, which could be quite large and
quite a replication burden.
For a few hundred, or even a few thousand users, this is not likely to matter unless you have really
poor WAN lines.
Trying to look at the Schema, how can I do that?
adsiedit.exe
Option to view the schema:
register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > Add snap-in > add Active Directory Schema
name it as schema.msc
Open Administrative Tools > schema.msc
What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks easily. These can
also be third-party tools. Some of the Support Tools include DebugViewer,
DependencyViewer, RegistryMonitor, etc. -edit by Casquehead: I believe this question is
referring to the Windows Server 2003 Support Tools, which are included with Microsoft
Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory network without them.
Here they are; it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for
Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it
for common administrative tasks such as adding, deleting, and moving objects within a directory
service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses
the ADSI application programming interfaces (APIs) to access Active Directory. The following
are the required files for using this tool:
ADSIEDIT.DLL
ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft
Management Console (MMC) are necessary.
Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command-line counterparts. The purpose of this document is to guide you
in how to use it, list some common replication errors and show some examples of when
replication issues can stop other network installation actions.
For more go to http://www.techtutorials.net/articles/replmonhowtoa.html
NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels.
Netdom enables administrators to manage Active Directory domains and trust relationships from the
command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you
have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you
must run the netdom command from an elevated command prompt. To open an elevated
command prompt, click Start, right-click Command Prompt, and then click Run as
administrator.
REPADMIN.EXE is a command-line tool used to monitor and troubleshoot replication on a
computer running Windows. This is a command-line tool that allows you to view the replication
topology as seen from the perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active
Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange
replication problems, since Exchange Server is Active Directory based.
REPADMIN doesn't actually fix replication problems for you. But you can use it to help
determine the source of a malfunction.
What are sites? What are they used for?
Active Directory sites, which consist of well-connected networks defined by IP subnets that help
define the physical structure of your AD, give you much better control over replication traffic
and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains,
trees, forests, trust relationships, organizational units (OUs), and sites.
What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays or hours when the site link is available for replication to
happen at the given interval. The interval is how often intersite replication recurs, in
minutes. It ranges from 15 to 10,080 minutes. The default interval is 180 minutes.
What is the KCC?
The KCC is a built-in process that runs on all domain controllers and generates replication
topology for the Active Directory forest. The KCC creates separate replication topologies
depending on whether replication is occurring within a site (intrasite) or between sites (intersite).
The KCC also dynamically adjusts the topology to accommodate new domain controllers,
domain controllers moved to and from sites, changing costs and schedules, and domain
controllers that are temporarily unavailable.
What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is responsible for the connections among the sites.
By default Windows 2003 forest-level functionality has this role. By default the first server has
this role. If that server can no longer perform this role, then the next server with the highest
GUID takes over the role of ISTG.
What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space (250MB minimum)
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and optional default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
From the Petri IT Knowledge base. For more info, follow this link:
http://www.petri.co.il/activedirectoryinstallationrequirements.htm
What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
First available in Windows 2003: you create a copy of the system state from an existing DC
and copy it to the new remote server. Run 'Dcpromo /adv'. You will be prompted for the
location of the system state files.
How can you forcibly remove AD from a server, and what do you do later? Can I get user
passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from Active
Directory using ntdsutil. There is no way to get user passwords from AD that I am aware of, but
you should still be able to change them.
Another way out too:
Restart the DC in DSRM mode.
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode.
It's a member server now, but the AD entries are still there. Promote the server to a fake domain, say
ABC.com, and then remove it gracefully using DCpromo. Else, after the restart, you can also use
ntdsutil to do the metadata cleanup as told in the earlier post.
What tool would I use to try to grab security-related packets from the wire?
You must use sniffer-detecting tools to help stop the snoops. A good packet sniffer would be
'Ethereal':
www.ethereal.com
Name some OU design considerations?
OU design requires balancing requirements for delegating administrative rights independent of
Group Policy needs and the need to scope the application of Group Policy. The following OU
design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels.
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists
in removing objects from replicated servers and preventing restores from reintroducing a deleted
object. This value is in the Directory Service object in the configuration NC; by default 2000 (60
days), 2003 (180 days).
What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install Windows 2003 Server domain controllers into an existing Windows 2000
domain or upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to
run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema
master and infrastructure master roles. The adprep /forestprep command must first be issued on
the Windows 2000 server holding the schema master role in the forest root domain to prepare the
existing schema to support Windows 2003 Active Directory. The adprep /domainprep command
must be issued on the server holding the infrastructure master role in the domain where the 2000
server will be deployed.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
A. If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will
display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new DFS replication engine). To update
the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the
second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later).
How would you find all users that have not logged on since last month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
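One way to answer this question in practice, as an added example that is not part of the original page: it assumes the ActiveDirectory PowerShell module (RSAT) and a reachable domain controller, and uses the replicated lastLogonTimestamp attribute rather than the per-DC lastLogon.

```powershell
# Added example, not from the original page: list enabled users whose last logon is
# older than a cut-off. Assumes the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-30)

function ConvertFrom-LogonStamp([Int64]$stamp) {
    # lastLogonTimestamp is a Windows FILETIME; 0 or unset means the account never logged on
    if ($stamp) { [DateTime]::FromFileTime($stamp) } else { $null }
}

$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            LastLogon      = ConvertFrom-LogonStamp $_.lastLogonTimestamp
            Created        = $_.whenCreated
        }
    } |
    Where-Object {
        # accounts that never logged on count only if they were created before the cut-off
        ($_.LastLogon -and $_.LastLogon -lt $cutoff) -or (-not $_.LastLogon -and $_.Created -lt $cutoff)
    }

$stale | Sort-Object LastLogon | Format-Table -AutoSize

# Caveat: lastLogonTimestamp is replicated to every DC but is only refreshed when the stored
# value is older than msDS-LogonTimeSyncInterval (14 days by default), so the result means
# "inactive for at least this long". The page's DS family gives a coarser answer with:
#   dsquery user -inactive 4
```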
What are the DS commands?
New DS (Directory Service) family of built-in command-line utilities for Windows Server 2003
Active Directory.
New DS built-in tools for Windows Server 2003:
The DS (Directory Service) group of commands is split into two families. In one branch are
DSadd, DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for
choice. The DS family of built-in command-line executables offers alternative strategies to
CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSquery - find objects that match your query attributes
DSget - list the properties of an object
What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for Flexible Single Master Operation.
It has 5 roles:
Schema Master
The schema master domain controller controls all updates and modifications to the schema. Once
the schema update is complete, it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain Naming Master
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also
add or remove cross references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an object's SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it does
not hold. This is because a Global Catalog server holds a partial replica of every object in the
forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged in that DC's event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for each security
principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The
domain RID master responds to the request by retrieving RIDs from the domain's unallocated
RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only
one domain controller acting as the RID master in the domain.
PDC Emulator
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops, to ensure appropriate
common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password
are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in
the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers,
and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in
Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when
dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active
Directory, but you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles.
What's the difference between transferring a FSMO role and seizing one? Which one should
you NOT seize? Why?
Certain domain and enterprise-wide operations that are not good for multi-master updates are
performed by a single domain controller in an Active Directory domain or forest. The domain
controllers that are assigned to perform these unique operations are called operations masters or
FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the
dependent operations that they perform:
- Schema master: The Schema master role is forest-wide and there is one for each forest. This
role is required to extend the schema of an Active Directory forest or to run the adprep
/domainprep command.
- Domain naming master: The Domain naming master role is forest-wide and there is one for
each forest. This role is required to add or remove domains or application partitions to or from a
forest.
- RID master: The RID master role is domain-wide and there is one for each domain. This role is
required to allocate the RID pool so that new or existing domain controllers can create user
accounts, computer accounts or security groups.
- PDC emulator: The PDC emulator role is domain-wide and there is one for each domain. This
role is required for the domain controller that sends database updates to Windows NT backup
domain controllers. The domain controller that owns this role is also targeted by certain
administration tools and updates to user account and computer account passwords.
- Infrastructure master: The Infrastructure master role is domain-wide and there is one for each
domain. This role is required for domain controllers to run the adprep /forestprep command
successfully and to update SID attributes and distinguished name attributes for objects that are
referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first
domain controller in the forest root domain. The first domain controller in each new child or tree
domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO
roles until they are reassigned by using one of the following methods:
- An administrator reassigns the role by using a GUI administrative tool.
- An administrator reassigns the role by using the ntdsutil /roles command.
- An administrator gracefully demotes a role-holding domain controller by using the Active
Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain
controller in the forest. Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
- The current role holder is operational and can be accessed on the network by the new FSMO
owner.
- You are gracefully demoting a domain controller that currently owns FSMO roles that you want
to assign to a specific domain controller in your Active Directory forest.
- The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be
especially true for the PDC Emulator role but less true for the RID master role, the Domain
naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
- The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
- A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
- The operating system on the computer that originally owned a specific role no longer exists or
has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge
of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the
best candidate domain controller is one that is in the appropriate domain that last inbound-
replicated, or recently inbound-replicated, a writable copy of the 'FSMO partition' from the
existing role holder. For example, the Schema master role-holder has a distinguished name path
of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the roles reside in
and are replicated as part of the CN=schema partition. If the domain controller that holds the
Schema master role experiences a hardware or software failure, a good candidate role-holder
would be a domain controller in the root domain and in the same Active Directory site as the
current owner. Domain controllers in the same Active Directory site perform inbound replication
every 5 minutes or 15 seconds.
A domain controller whose FSMO roles have been seized should not be permitted to
communicate with existing domain controllers in the forest. In this scenario, you should either
format the hard disk and reinstall the operating system on such domain controllers or forcibly
demote such domain controllers on a private network and then remove their metadata on a
surviving domain controller in the forest by using the ntdsutil /metadata cleanup command.
The risk of introducing a former FSMO role holder whose role has been seized into the forest is
that the original role holder may continue to operate as before until it inbound-replicates
knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO
roles include creating security principals that have overlapping RID pools, and other problems.
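The transfer-versus-seize decision above, as an added example that is not part of the original page: it uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet in place of the ntdsutil transfer/seize commands the page describes, and the target DC name is a hypothetical value.

```powershell
# Added example, not from the original page: transfer a FSMO role when the current holder
# is reachable and seize it only when it is not. Assumes the ActiveDirectory module (RSAT);
# $target is a hypothetical DC name.
Import-Module ActiveDirectory

$target = 'DC2'            # hypothetical new role holder
$role   = 'RIDMaster'      # SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster

$forest = Get-ADForest
$domain = Get-ADDomain
$holderOf = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holder = $holderOf[$role]

# A transfer needs the current owner on the network; a plain reachability probe is used here
$reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue

if ($reachable) {
    # Graceful transfer: both DCs agree, the old holder learns of the change immediately
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -Confirm:$false
} else {
    # Seize: -Force rewrites ownership without the old holder. That DC must never rejoin the
    # forest afterwards (wipe it, or force-demote it offline and run ntdsutil metadata cleanup),
    # otherwise two DCs own the same role and can hand out overlapping RID pools.
    Write-Warning "$holder is unreachable; seizing $role on $target"
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -Force -Confirm:$false
}

# Verify the new owner once replication has caught up
(Get-ADDomain).RIDMaster
```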
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer Schema
master or Domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER. Note: To see a list of available commands at any one of the
prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles
at the start of this article. For example, to transfer the RID master role, type transfer rid master.
The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc
emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being seized. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer schema
or domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can
seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes:
- Under typical conditions, all five roles must be assigned to "live" domain controllers in
the forest. If a domain controller that owns a FSMO role is taken out of service before its
roles are transferred, you must seize all roles to an appropriate and healthy domain
controller. We recommend that you only seize all roles when the other domain
controller is not returning to the domain. If it is possible, fix the broken domain
controller that is assigned the FSMO roles. You should determine which roles are to be
on which remaining domain controllers so that all five roles are assigned to a single
domain controller. For more information about FSMO role placement, click the
following article number to view the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/) FSMO placement and optimization on
Windows 2000 domain controllers.
- If the domain controller that formerly held any FSMO role is not present in the domain
and if it has had its roles seized by using the steps in this article, remove it from the
Active Directory by following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/) How to
remove data in Active Directory after an unsuccessful domain controller demotion.
- Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.
- Some customers prefer not to restore system state backups of FSMO role-holders in
case the role has been reassigned since the backup was made.
- Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops
updating object information because it does not contain any references to objects that
it does not hold. This is because a global catalog server holds a partial replica of every
object in the forest.
To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory
Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-First-Site-
Name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
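The same check done for every DC at once, together with the "view all the GCs in the forest" and "infrastructure master on a GC" questions above, as an added example that is not part of the original page; it assumes the ActiveDirectory module (RSAT) and a reachable DC.

```powershell
# Added example, not from the original page: show the five FSMO holders and each DC's
# global catalog flag, then flag the Infrastructure Master / GC conflict described on this
# page. Assumes the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Role holders, forest-wide roles first
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# All GCs in the forest (the PowerShell equivalent of nslookup gc._msdcs.<forest root>)
"Global catalogs in forest $($forest.Name): $($forest.GlobalCatalogs -join ', ')"

# Every DC in this domain with its GC flag (the NTDS Settings check box from the steps above)
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog | Format-Table -AutoSize

function Test-InfrastructureMasterPlacement {
    # Returns $true when placement is safe: either the IM is not a GC, or every DC is a GC
    # (then all DCs hold the current data and the IM has nothing to update anyway).
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs are not: cross-domain references will stop being updated."
        return $false
    }
    return $true
}

Test-InfrastructureMasterPlacement
```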
For more information about FSMO roles, click the following article numbers to view the articles
in the Microsoft Knowledge Base:
How do you configure a "standby operations master" for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers
folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its
NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then
click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object
or accept the default name, and click OK.
How do you backup AD?
Backing up Active Directory is essential to maintaining an Active Directory database. You can back up Active Directory by using the graphical user interface (GUI) and command-line tools that the Windows Server 2003 family provides.
Back up the system state data on domain controllers frequently so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.
To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup that can be used for an authoritative restore of the data when necessary.
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate.
System state data on a domain controller includes the following components:
Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class Registration database contains information about Component Services applications.
The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.
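The tombstone lifetime that decides whether a backup is still "good" is stored in the forest (on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition) and is 60 days when the attribute is unset. The script below is an added example and not the page's own procedure: it reads the forest's actual value instead of assuming it, checks an existing System State backup against it, and takes a new one with NTBackup's command-line form when the old one is too old to restore. It assumes a Windows Server 2003 domain controller; the backup path is a constructed placeholder.

```powershell
# Added example: tombstone-lifetime-aware System State backup on a Windows Server 2003 DC.

function Get-TombstoneLifetimeDays {
    # The value lives on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    # When the attribute has never been set, Active Directory uses 60 days.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configDn = $rootDse.configurationNamingContext.Value
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
    $value    = $dsObj.tombstoneLifetime.Value
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Test-BackupStillUsable {
    param(
        [Parameter(Mandatory=$true)][string]$BackupFile,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    if (-not (Test-Path $BackupFile)) { return $false }
    $age = (Get-Date) - (Get-Item $BackupFile).LastWriteTime
    # A backup older than the tombstone lifetime must not be restored: the restored DC
    # would reintroduce objects that every other DC has already purged, and they would
    # never be deleted again by replication.
    return ($age.TotalDays -lt $TombstoneLifetimeDays)
}

function Backup-SystemState {
    param([Parameter(Mandatory=$true)][string]$BackupFile)
    # NTBackup's command-line form: back up System State into a .bkf file.
    # /J names the job in the backup log, /F is the target file.
    & ntbackup backup systemstate /J "AD system state" /F $BackupFile
    return $LASTEXITCODE
}

$backupFile = 'D:\Backups\dc1-systemstate.bkf'   # constructed example path
$lifetime   = Get-TombstoneLifetimeDays
"Forest tombstone lifetime: $lifetime days"
if (Test-BackupStillUsable -BackupFile $backupFile -TombstoneLifetimeDays $lifetime) {
    "Existing backup is younger than the tombstone lifetime."
} else {
    "No usable backup; taking a new System State backup."
    Backup-SystemState -BackupFile $backupFile
}
```

Schedule this on at least two domain controllers per domain, as the text recommends, and keep the .bkf files off the system volume so a disk failure does not take the backup with it.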
Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once the replication is finished, each partner has an updated version of Active Directory. The other way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you do not need to configure your domain controller again or install the operating system from scratch.
Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer, or a user must have been delegated this responsibility in order to perform the restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state captured by the backup, and then updates the data through the normal replication process. Perform a normal restore to bring a single domain controller back to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility that performs an authoritative restore along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored data during replication.
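The authoritative restore described above is driven from ntdsutil while the domain controller is still in Directory Services Restore Mode, after the normal restore and before the reboot into normal mode. The helper below is an added example, not the page's or Microsoft's code: it refuses to run outside DSRM (Windows sets the SAFEBOOT_OPTION environment variable to DSREPAIR in that mode), then passes ntdsutil's "restore object" or "restore subtree" commands as arguments so the whole operation is one reviewable line. The distinguished names are constructed placeholders.

```powershell
# Added example: mark restored objects authoritative with ntdsutil from DSRM.

function Assert-DsrmMode {
    # In Directory Services Restore Mode the environment variable SAFEBOOT_OPTION
    # is DSREPAIR; ntdsutil's authoritative restore menu only works in this mode.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; reboot, press F8 and choose DSRM first.'
    }
}

function Restore-AuthoritativeObject {
    param(
        [Parameter(Mandatory=$true)][string[]]$DistinguishedName,
        [switch]$Subtree   # restore the container and everything beneath it
    )
    Assert-DsrmMode
    $verb = 'restore object'
    if ($Subtree) { $verb = 'restore subtree' }

    # ntdsutil accepts its interactive menu commands as command-line arguments.
    # The two trailing "quit" commands leave the authoritative restore menu and
    # then ntdsutil itself. DNs are quoted because they commonly contain spaces.
    $cmds = @('authoritative restore')
    foreach ($dn in $DistinguishedName) {
        $cmds += ('{0} "{1}"' -f $verb, $dn)
    }
    $cmds += 'quit', 'quit'
    & ntdsutil @cmds
    return $LASTEXITCODE
}

# Constructed placeholders: one deleted user, and one OU with everything under it.
# Reboot into normal mode afterwards so the raised version numbers replicate out
# and win over the copies on the other domain controllers.
Restore-AuthoritativeObject -DistinguishedName 'CN=Jane Doe,OU=Sales,DC=example,DC=com'
Restore-AuthoritativeObject -DistinguishedName 'OU=Finance,DC=example,DC=com' -Subtree
```

Restore only what was lost: marking a whole domain or a large subtree authoritative reverts every change made to those objects since the backup, which is exactly the data loss the text warns about.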
How do you restore AD?

Method A:
You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.
1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don't press Enter. Instead, press F8 for advanced options. You'll see the following text:
OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use the up and down arrow keys to move the highlight to your choice.
Press Enter to choose.
3. Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you'll see in red text "Directory Services Restore Mode (Windows NT domain controllers only)".
The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication.
6. Start NT Backup.
7. Select the Restore tab.
8. Select the backup media, and select System State.
9. Click Start Restore.
10. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; sometimes it takes a 30-minute wait on some machines.
How do you change the DS Restore admin password?
When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.
The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the System32\Config folder. The SAM-based account and password are computer specific, and they are not replicated to other domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use the following method.
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
At a command prompt, type the following command:
net user administrator
Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.
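Because the DSRM account lives in the local SAM and is not replicated, each domain controller's password has to be reset individually. The method above requires a reboot into DSRM; ntdsutil's "set dsrm password" menu (Windows Server 2003, and Windows 2000 with SP2 or later) resets the same SAM account while the domain controller is online. The function below is an added example of that alternative, not the page's own method: it first confirms the machine is a domain controller (Win32_ComputerSystem.DomainRole 4 or 5) and then lets ntdsutil prompt for the new password, so the password never appears on a command line. The function name is mine.

```powershell
# Added example: reset the DSRM Administrator password online with ntdsutil.

function Reset-DsrmPassword {
    param([string]$ServerName = 'null')   # 'null' tells ntdsutil to use the local DC

    # Only domain controllers have a DSRM account: DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { throw 'This computer is not a domain controller.' }

    # ntdsutil prompts for the new password twice on the console. It is never passed
    # as an argument, so it does not end up in command history or a script file.
    & ntdsutil 'set dsrm password' "reset password on server $ServerName" quit quit
    return $LASTEXITCODE
}

Reset-DsrmPassword
```

Use a distinct DSRM password per domain controller and record where it is kept; the SAM copy on each DC is the only place it exists.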
Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign Group Policy in domains, sites, and organizational units.
Group Policy settings in a domain, site, or organizational unit apply to all users and computers in it.
No one in the network has rights to change the settings of Group Policy; by default only the administrator has full privilege to change them, so it is very secure.
Policy settings can be removed, and changes can be rewritten later.
Where GPOs Store Group Policy Information
Group Policy objects store their Group Policy information in two locations:
Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers access the GPC to locate Group Policy templates; if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in both the SYSVOL folder and Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. Whether one administrator's changes overwrite those made by another administrator depends on the replication latency. By default the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.
WMI Filter
WMI filters are used to refine the scope of GPOs based on attributes of the user or computer. In this way, you can extend GPO filtering beyond the security group filtering mechanisms that were previously available.
A WMI filter can be linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter consists of one or more queries that are evaluated against the WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO; if the set of queries is true, Active Directory applies the GPO. You write the queries in the WMI Query Language (WQL), a language similar to SQL for querying the WMI repository.
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization.
Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility, so that your plan provides for ease of use as well as administration.
Planning GPOs
Create GPOs in a way that provides for the simplest and most manageable design, one in which you can use inheritance and multiple links.
Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what GPO settings are common to the largest container, starting with the domain, and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO at the broadest container level possible to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable computer or user configuration settings: When you create a GPO to contain settings for only one of the two levels (user or computer), disable the other level. This speeds up logon and prevents accidental GPO settings from being applied to the other area.
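The client-side evaluation just described can be reproduced on a workstation before a filter is linked to a GPO. The function below is an added example, not the page's code: it takes the same WQL queries you would paste into a WMI filter and applies the rule the text states, that the filter is true only if every query returns at least one object. The sample filter (server operating systems with at least 2 GB of RAM) is constructed for the example; the function name is mine.

```powershell
# Added example: evaluate a GPO WMI filter locally the way the Group Policy client does.

function Test-GpoWmiFilter {
    param(
        # Each query object has a Namespace (defaults to root\CIMv2, as in GPMC) and a WQL Query.
        [Parameter(Mandatory=$true)][object[]]$Queries,
        [string]$ComputerName = '.'
    )
    foreach ($q in $Queries) {
        $ns = $q.Namespace
        if (-not $ns) { $ns = 'root\CIMv2' }
        # A filter is a logical AND of its queries: one query with no rows makes the
        # whole filter false and the linked GPO is not applied.
        $hits = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Query $q.Query -ErrorAction Stop)
        if ($hits.Count -eq 0) {
            Write-Verbose ("Query returned nothing: {0}" -f $q.Query)
            return $false
        }
    }
    return $true
}

# Constructed sample filter: Win32_OperatingSystem.ProductType 2 = domain controller,
# 3 = member server (1 would be a workstation); second query requires >= 2 GB RAM.
$serverWith2Gb = @(
    (New-Object PSObject -Property @{
        Namespace = 'root\CIMv2'
        Query     = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"'
    }),
    (New-Object PSObject -Property @{
        Namespace = 'root\CIMv2'
        Query     = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 2147483648'
    })
)

if (Test-GpoWmiFilter -Queries $serverWith2Gb -Verbose) {
    'Filter is TRUE on this computer: a GPO linked to it would apply.'
} else {
    'Filter is FALSE on this computer: a GPO linked to it would be skipped.'
}
```

Point -ComputerName at a representative machine from each hardware or OS class before rolling the filter out; a query that is syntactically valid but never matches is the most common reason a filtered GPO "silently" fails to apply.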
What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order specified by the administrator on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order specified by the administrator on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
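The processing order above, together with link order, Enforced and Block Inheritance, decides which GPO "wins" a conflicting setting. The script below is an added example on constructed data, not code from the page: it models the rules exactly as stated (Local, Site, Domain, then OUs from the top down; within one container the highest link-order number first and link order 1 last; Block Inheritance on an OU discards non-enforced links from the containers above it; enforced links are processed after everything else, deepest container first, so the highest-level enforced GPO has the final word; the local GPO is not a link and is not subject to Block Inheritance). All GPO names, containers and setting values are made up for the example, and the function names are mine.

```powershell
# Added example: simulate Group Policy precedence (LSDOU, link order, Enforced,
# Block Inheritance) on constructed data.

function New-GpoLink {
    param([string]$Gpo, [int]$LinkOrder, [bool]$Enforced, [hashtable]$Settings)
    New-Object PSObject -Property @{ Gpo = $Gpo; LinkOrder = $LinkOrder; Enforced = $Enforced; Settings = $Settings }
}

function New-Container {
    param([string]$Name, [bool]$BlockInheritance, [object[]]$Links, [bool]$IsLocal = $false)
    New-Object PSObject -Property @{ Name = $Name; BlockInheritance = $BlockInheritance; Links = $Links; IsLocal = $IsLocal }
}

function Get-EffectiveGpoSettings {
    # $Containers: ordered Local, Site, Domain, top OU ... OU containing the user/computer.
    param([Parameter(Mandatory=$true)][object[]]$Containers)
    $normal   = @()   # non-enforced links, processed first in container order
    $enforced = @()   # enforced links, processed last; deepest container first so the highest wins
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        $c = $Containers[$i]
        # Non-enforced links of this container are blocked when any container closer
        # to the object has Block Inheritance set. The local GPO is never blocked.
        $blocked = $false
        for ($j = $i + 1; $j -lt $Containers.Count; $j++) {
            if ($Containers[$j].BlockInheritance) { $blocked = $true }
        }
        if ($c.IsLocal) { $blocked = $false }
        # Highest link-order number first, link order 1 last (= highest precedence).
        $thisEnforced = @()
        foreach ($l in (@($c.Links) | Sort-Object -Property LinkOrder -Descending)) {
            if ($l.Enforced)       { $thisEnforced += $l }
            elseif (-not $blocked) { $normal += $l }
        }
        $enforced = @($thisEnforced) + @($enforced)
    }
    # Later writes win: each setting keeps the value from the last GPO that defined it.
    $result = @{}
    foreach ($l in (@($normal) + @($enforced))) {
        foreach ($name in $l.Settings.Keys) {
            $result[$name] = New-Object PSObject -Property @{ Value = $l.Settings[$name]; Source = $l.Gpo }
        }
    }
    return $result
}

# Constructed sample: Block Inheritance on OU=Sales hides the site GPO and the
# non-enforced domain GPO but not the enforced one; inside OU=Reps, link order 1 wins.
$containers = @(
    (New-Container -Name 'Local' -BlockInheritance $false -IsLocal $true -Links @(
        (New-GpoLink -Gpo 'Local GPO' -LinkOrder 1 -Enforced $false -Settings @{ Wallpaper = 'local.bmp'; ScreenSaverTimeout = 600 }))),
    (New-Container -Name 'Site' -BlockInheritance $false -Links @(
        (New-GpoLink -Gpo 'Site-Policy' -LinkOrder 1 -Enforced $false -Settings @{ ScreenSaverTimeout = 900 }))),
    (New-Container -Name 'Domain' -BlockInheritance $false -Links @(
        (New-GpoLink -Gpo 'Domain-Security' -LinkOrder 1 -Enforced $true  -Settings @{ PasswordMinLength = 12 }),
        (New-GpoLink -Gpo 'Domain-Default'  -LinkOrder 2 -Enforced $false -Settings @{ Wallpaper = 'corp.bmp'; PasswordMinLength = 8 }))),
    (New-Container -Name 'OU=Sales' -BlockInheritance $true -Links @(
        (New-GpoLink -Gpo 'Sales-Desktop' -LinkOrder 1 -Enforced $false -Settings @{ Wallpaper = 'sales.bmp' }))),
    (New-Container -Name 'OU=Reps' -BlockInheritance $false -Links @(
        (New-GpoLink -Gpo 'Reps-A' -LinkOrder 2 -Enforced $false -Settings @{ ScreenSaverTimeout = 300 }),
        (New-GpoLink -Gpo 'Reps-B' -LinkOrder 1 -Enforced $false -Settings @{ ScreenSaverTimeout = 450 })))
)

$effective = Get-EffectiveGpoSettings -Containers $containers
foreach ($name in ($effective.Keys | Sort-Object)) {
    '{0} = {1}  (from {2})' -f $name, $effective[$name].Value, $effective[$name].Source
}
```

Walk through the sample by hand and the model gives the same answer GPMC's Group Policy Modeling would: Sales-Desktop supplies the wallpaper because the domain's non-enforced wallpaper is blocked, Reps-B beats Reps-A because its link order is lower, and the enforced Domain-Security GPO still sets the password length despite Block Inheritance. Swap a flag in the sample and re-run to see how each rule moves the result.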
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
• Easy administration of all GPOs across the entire Active Directory forest
• View of all GPOs in one single list
• Reporting of GPO settings, security filters, delegation, etc.
• Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
• Delegation model
• Backup and restore of GPOs
• Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:
• Role-based delegation of GPO management
• Being edited in production, potentially causing damage to desktops and servers
• Forgetting to back up a GPO after it has been modified
• Change management of each modification to every GPO
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Simply use the Group Policy Management Console, created by Microsoft for that very purpose; its Group Policy Modeling and Group Policy Results wizards let you run simulated or actual policy evaluations for computers or users to determine which policies are enforced.
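Besides GPMC's wizards, every Windows XP or Windows Server 2003 client keeps the result of its last policy refresh in the RSoP logging namespaces in WMI (root\rsop\computer for the computer, root\rsop\user\<SID with underscores> for each user), which is what gpresult reads. The function below is an added example, not the page's own code: it lists every GPO the client evaluated and, using the RSOP_GPO class's accessDenied, filterAllowed and enabled flags, states why a GPO was not applied. The function name is mine; the user SID shown is a constructed placeholder.

```powershell
# Added example: read the client's RSoP logging data to see which GPOs applied and why not.

function Get-AppliedGpoReport {
    param(
        [string]$ComputerName = '.',
        # Leave empty for computer policy; pass a user SID (S-1-5-21-...) for that user's policy.
        [string]$UserSid = ''
    )
    $namespace = 'root\rsop\computer'
    if ($UserSid) {
        # The per-user namespace is the SID with hyphens replaced by underscores.
        $namespace = 'root\rsop\user\' + ($UserSid -replace '-', '_')
    }
    $gpos = Get-WmiObject -ComputerName $ComputerName -Namespace $namespace -Class RSOP_GPO
    foreach ($g in $gpos) {
        $reason = 'applied'
        if (-not $g.enabled)            { $reason = 'not applied: GPO is disabled' }
        elseif ($g.accessDenied)        { $reason = 'not applied: security filtering denied (no Apply Group Policy right)' }
        elseif (-not $g.filterAllowed)  { $reason = 'not applied: WMI filter evaluated to false' }
        New-Object PSObject -Property @{
            Name   = $g.name
            Guid   = $g.guidName
            Result = $reason
        }
    }
}

# Computer policy on this machine, then a user's policy (constructed placeholder SID).
Get-AppliedGpoReport | Sort-Object Result, Name | Format-Table Name, Result -AutoSize
Get-AppliedGpoReport -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1001' | Format-Table Name, Result -AutoSize
```

The same data is what "gpresult /v" (and "gpresult /scope user /v") prints on Windows Server 2003; the WMI route is handier when you want to check many machines from one console or feed the result into a report.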
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified namespace in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
What's the difference between software publishing and assigning?
An administrator can either assign or publish software applications.
Assign to users
The software application is advertised when the user logs on. It is installed when the user clicks the software application icon on the Start menu, or accesses a file that has been associated with the software application.
Assign to computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users
The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
Can I deploy non-MSI software with GPO?
How to create a third-party Microsoft Installer package:
http://support.microsoft.com/kb/257718/
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Log on to a client as a Domain Admin user and change whatever you need (add printers, etc.). Then go to System, User Profiles, and copy this user profile to a shared location, selecting Everyone under "Permitted to use". After the copy, rename ntuser.dat to ntuser.man (making the profile mandatory) and assign this path as the profile path in each user's account properties.
