SERVER ADMINISTRATOR
What are the editions in the Windows Server 2003 family?
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
What are the editions in the Windows Server 2008 family?
Windows Server 2008 R2 Foundation
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Web Server
Windows HPC Server 2008 R2 Suite
Windows Server 2008 R2 for Itanium-Based Systems
The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
What are the options for installing Windows Server 2008?
You can install Windows Server 2008 on a server not currently configured with a NOS, or upgrade existing servers running Windows 2000 Server and Windows Server 2003.
How do you configure and manage a Windows Server 2008 core installation?
Which Control Panel tool enables you to automate the running of server utilities and other applications?
The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.
What are some of the items that can be accessed via the System Properties dialog box?
You can access virtual memory settings and the Device Manager via the System Properties dialog box.
When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?
Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.
What are some of the other roles that a server running Windows Server 2008 could fill on the network?
A server running Windows Server 2008 can be configured as a domain controller, file server, print server, web server, application server, DNS server, DHCP server, or Routing and Remote Access server.
Which Windows Server 2008 tools make it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.
What domain services are necessary for you to deploy Windows Deployment Services on your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.
How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.
What is the difference between a basic and a dynamic disk in the Windows Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes). Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks support RAID implementations.
What is RAID in Windows Server 2008?
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).
What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work?
The OSI model, consisting of the Application, Presentation, Session, Transport, Network, Data Link, and Physical layers, helps describe how data is sent and received on the network by protocol stacks.
How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?
Installing the Active Directory on a server running Windows Server 2008 provides you with the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.
What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?
When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.
What are some of the new tools and features provided by Windows Server 2008?
Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, a new backup snap-in, the BitLocker drive encryption feature, the IIS 7 web server, and Windows Deployment Services (WDS).
What is a domain?
A domain is a group of network resources such as applications, printers, and shared folders. To access those resources, users need to use their assigned username and password.
What is a domain controller?
A domain controller is a server that performs the Active Directory server role in a network. The idea of a domain is to manage access to resources in a network, including applications, printers, and shared folders. Users access network resources using their assigned username and password.
What is the primary function of domain controllers?
The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.
What is a forest?
A forest is a group of one or more domain trees that share trust relationships and a common logical structure. A forest is a complete instance of AD. The first domain of any forest is called the root domain, and the other child domains follow the root domain. The root domain in a forest must be included in the Global Catalog.
What is Active Directory?
Active Directory (AD) is a centralized database system that performs a variety of functions, including organizing different objects such as computers and users and allowing administrators to apply different policies to those objects. Active Directory is specially designed for distributed networking systems.
Active Directory is Microsoft's trademarked directory service, an integral part of the Windows 2000 architecture. Like other directory services, such as Novell Directory Services (NDS)
What is Active Directory Domain Services 2008?
Active Directory Domain Services (AD DS), formerly known as Active Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
The Active Directory database file is stored in c:\windows\ntds\ntds.dit.
Importance of Active Directory: it is a technology that provides a variety of network services, including:
1. Lightweight Directory Access Protocol: LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
2. DNS-based naming and other network information (the guts of DNS; stable DNS is needed for AD to work properly).
3. Central location for network administration and delegation of authority.
4. Information security and single sign-on for user access to network-based resources.
5. The ability to scale up or down easily.
6. Central storage location for application data.
7. Synchronization of directory updates amongst several servers.
8. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.
9. Active Directory stores information and settings in a central database.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services (including directories used by SAP, Domino, etc.).
Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure.
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit).
During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS.
Active Directory files:
Ntds.dit | The Active Directory database.
Edb.chk | The checkpoint file.
Edb*.log | The transaction logs, each 10 megabytes (MB).
Res1.log | Reserved transaction logs.
Res2.log | Reserved transaction logs.
What is the SYSVOL folder?
The standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS)
%systemroot%/Sysvol
What is the replication folder?
The SYSVOL folder is called the replication folder. It keeps all the public files of any domain. It replicates all policy- and user-level data after an interval.
All Active Directory database security-related information is stored in the SYSVOL folder, and it is created only on an NTFS partition.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing directory information. It is useful for Internet access.
LDAP is an Internet protocol that email and other programs use to look up information from a server.
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.
Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.
What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 do not provide security for local users. NTFS provides security for local users as well as for domain users.
What's the basic difference between guest accounts in Server 2008 R2 and other editions?
They are more restrictive than in any other edition.
Why is it not possible to restore a DC backed up 4 months ago?
Because the lifetime of a backed-up file is either 60 or 120 days.
What is a Site?
A site represents the physical network structure of Active Directory. It is an object in AD that represents a geographic location that hosts networks. Moreover, it comprises one or more subnets that are connected together with sufficient network speed.
What are the important Windows port numbers?
The range for assigned ports managed by the IANA (Internet Assigned Numbers Authority) is 0-1023.
Registered ports: 1024-49151
Dynamic and private ports: 49152-65535
Kerberos | 88 – Kerberos
FTP | 21 – File Transfer Protocol
TFTP | 69 – TFTP
Telnet | 23 – Telnet
SMTP | 25 – SMTP
DNS | 53 – Domain Name System
DHCP | 68 – Dynamic Host Configuration Protocol
POP3 | 110 – Post Office Protocol 3
HTTP | 80 – HTTP
HTTPS | 443 – HTTPS
NNTP | 119 – Network News Transfer Protocol
NTP | 123 – Network Time Protocol and SNTP
IMAP | 143 – Internet Message Access Protocol
SSMTP | 465 – SMTP over SSL
SIMAP | 993 – IMAP over SSL
SPOP3 | 995 – POP3 over SSL
Time | 123 – Network Time Protocol and SNTP
NetBIOS | 137 – Name Service
NetBIOS | 139 – Datagram Service
LDAP | 389 – Lightweight Directory Access Protocol
RPC | 135 – Remote Procedure Call
SSH | 22 – Secure Shell
DHCP Client | 546 – DHCP Client
DHCP Server | 547 – DHCP Server
Global Catalog | 3268 – Global Catalog
RDP | 3389
4. What are the Active Directory ports?
List of Active Directory ports for Active Directory replication and Active Directory authentication; these ports can be used to configure the firewall.
Important ports for Active Directory:
TCP 53 | DNS (DNS download)
UDP 53 | DNS (DNS queries)
TCP 42 | WINS
UDP 42 | WINS
TCP 3389 | RDP (Remote Desktop)
TCP 135 | MS-RPC
TCP 1025 & 1026 | AD login & replication
TCP 389 | LDAP
TCP 639 | LDAP over SSL/TLS
TCP 3268 | Global Catalog
TCP 3268 | Global Catalog over SSL/TLS
UDP 137 & 138 | NetBIOS related
UDP 88 | Kerberos v5
TCP 445 | SMB, Microsoft-DS
TCP 139 | SMB
Active Directory replication: there is no defined port for Active Directory replication. Active Directory replication remote procedure calls (RPCs) occur dynamically over an available port through RPCSS (RPC Endpoint Mapper) by using port 135.
File Replication Service (FRS): there is no defined port for FRS. FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPCSS (RPC Endpoint Mapper) on port 135.
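An added example (not from the original notes) that turns the fixed AD ports listed above into a firewall verification a domain member can run against a domain controller; the DC name DC01.example.internal is a placeholder. UDP ports (53, 88, 137/138) and the dynamic RPC range used for replication are not covered by a TCP connect test and need separate checks.

```powershell
# Added example, not part of the original notes: verify from a domain member
# that the fixed TCP ports listed above are reachable on a domain controller.
# A TIMEOUT usually means a firewall drops the packets; CLOSED means the host
# answered but nothing is listening (or a reject rule sent a reset).
function Test-AdPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'
        }
        $client.EndConnect($async)    # throws on refused / reset
        return 'OPEN'
    } catch {
        return 'CLOSED'               # also hit when the DC name does not resolve
    } finally {
        $client.Close()
    }
}

# Placeholder DC name: replace with a real domain controller.
$dc = 'DC01.example.internal'

# Fixed TCP ports from the lists above (UDP 53/88/137/138 and the dynamic
# RPC range used for replication cannot be checked with a TCP connect).
$adPorts = @{
    53   = 'DNS (TCP)'
    88   = 'Kerberos'
    135  = 'MS-RPC endpoint mapper'
    139  = 'SMB over NetBIOS'
    389  = 'LDAP'
    445  = 'SMB / Microsoft-DS'
    3268 = 'Global Catalog'
    3389 = 'RDP'
}

$results = foreach ($port in ($adPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $adPorts[$port]
        Result  = (Test-AdPort -ComputerName $dc -Port $port)
    }
}
$results | Format-Table Port, Service, Result -AutoSize

# Anything not OPEN is worth a firewall rule review before blaming AD itself.
$results | Where-Object { $_.Result -ne 'OPEN' } |
    ForEach-Object { Write-Warning "$dc port $($_.Port) ($($_.Service)) is $($_.Result)" }
```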
DFS
APPLICATION SERVER
2. How to check the tombstone lifetime value in your forest
The tombstone lifetime value differs from OS to OS:
Windows Server 2000/2003 = 60 days
Windows Server 2003 SP1 = 180 days
Windows Server 2003 R2 = 60 days
Windows Server 2003 R2 SP2 = 180 days
Windows Server 2008 = 180 days
If you are migrating a Windows 2003 environment to Windows 2008, then it is 60 days.
You can use the command below to check/view the current tombstone lifetime value for your domain/forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<forestDN>" -scope base -attr tombstonelifetime
Replace <forestDN> with your domain partition DN; for domainname.com the DN would be dc=domainname,dc=com.
3. How to find the domain controller that contains the lingering object
If Strict Replication Consistency is enabled: lingering objects are not present on domain controllers that log Event ID 1988. The source domain controller contains the lingering object.
If Strict Replication Consistency is not enabled: lingering objects are not present on domain controllers that log Event ID 1388. The domain controller that does not log Event ID 1388 is the one that contains the lingering object.
If you have 100 domain controllers without Strict Replication Consistency enabled, you will get Event ID 1388 on all 99 domain controllers except the one that contains the lingering object.
You need to remove the lingering objects from the affected domain controller or decommission that domain controller.
You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that gathers specific events from the Event Viewer logs of different computers at the same time.
5. How to do Active Directory health checks?
As an administrator you have to check your Active Directory health daily to reduce Active Directory related issues. If you are not monitoring the health of your Active Directory, what will happen?
Let's say one of the domain controllers fails to replicate. On the first day you will not have any issue. If this continues, then you will have login issues and you will not find the object changes and new objects that were created and changed on the other domain controllers; this will lead to other issues.
If the domain controller has not replicated for more than 60 days, then it will lead to a lingering object issue.
Command to check the replication to all the DCs (through this we can check Active Directory health):
repadmin /replsum /bysrc /bydest /sort:delta
You can also save the command output to a text file by using the command below:
repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt
This will list the domain controllers that are failing to replicate, with the delta value. You can run this daily to check your Active Directory health.
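An added example (not from the original notes) that ties the tombstone lifetime check and the daily repadmin health check together: it reads the forest tombstone lifetime from the same Directory Service object the dsquery command queries, parses the "largest delta" column of repadmin /replsum, and flags DCs that are drifting toward the lingering-object threshold. It assumes a domain-joined machine with read access to the configuration partition, repadmin.exe on the PATH, and the standard /replsum row layout "<DSA> <largest delta> <fails> / <total> <percent> [<error>]".

```powershell
# Added example, not part of the original notes. Assumptions: domain-joined
# machine, read access to the configuration partition, repadmin.exe on the
# PATH, and the standard "repadmin /replsum" row layout
# "<DSA> <largest delta> <fails> / <total> <percent> [<error>]".

# 1. Tombstone lifetime from CN=Directory Service (same object as the dsquery
#    command above). An absent attribute means the Windows 2000 default of 60.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl = $dsObject.Properties['tombstoneLifetime'].Value
if (-not $tsl) { $tsl = 60 }

# repadmin prints deltas as "15m:22s", "01h:02m:33s", "01d.02h:03m:04s" or ">60 days".
function ConvertTo-Days([string]$Delta) {
    if ($Delta -match '^>(\d+) days$') { return [double]$Matches[1] }
    $days = 0; $hours = 0; $minutes = 0
    if ($Delta -match '(\d+)d') { $days    = [int]$Matches[1] }
    if ($Delta -match '(\d+)h') { $hours   = [int]$Matches[1] }
    if ($Delta -match '(\d+)m') { $minutes = [int]$Matches[1] }
    return $days + ($hours / 24) + ($minutes / 1440)
}

# 2. Same summary command as above, parsed into objects. Header lines, blank
#    lines and the trailing error summary do not match the row pattern.
$rowPattern = '^\s*(?<dsa>\S+)\s+(?<delta>>\d+ days|\S+)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$'
$warnDays   = [math]::Floor($tsl / 2)   # warn once a DC is halfway to the tombstone lifetime

$report = foreach ($line in (repadmin /replsum /bysrc /bydest /sort:delta)) {
    if (-not ($line -match $rowPattern)) { continue }
    $deltaDays = ConvertTo-Days $Matches['delta']
    $status = if ($deltaDays -ge $tsl) { 'LINGERING-RISK' }
              elseif ($deltaDays -ge $warnDays -or [int]$Matches['fails'] -gt 0) { 'WARN' }
              else { 'OK' }
    New-Object PSObject -Property @{
        DSA          = $Matches['dsa']
        LargestDelta = $Matches['delta']
        DeltaDays    = [math]::Round($deltaDays, 2)
        Fails        = [int]$Matches['fails']
        Total        = [int]$Matches['total']
        Error        = $Matches['err'].Trim()
        Status       = $status
    }
}

"Tombstone lifetime: $tsl days (warning threshold $warnDays days)"
$report | Sort-Object DeltaDays -Descending |
    Format-Table DSA, LargestDelta, DeltaDays, Fails, Total, Status, Error -AutoSize

# Keep the same daily text report the notes suggest, but only for problem rows.
$report | Where-Object { $_.Status -ne 'OK' } |
    Out-File -FilePath 'c:\replication_report.txt' -Append
```

Each DC appears twice (once as source, once as destination) because of /bysrc /bydest, so a broken partner shows up under both views.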
6. GPRESULT failed with access denied error:
Unable to get the result from gpresult on a Windows 2003 server: gpresult returns access denied errors, although you are able to update the group policy without issue.
Run the following commands to register userenv.dll and recompile the RSoP MOF file. To resolve the access denied error while running gpresult:
1. Open a cmd prompt.
2. Re-register userenv.dll: Regsvr32 /n /I c:\winnt\system32\userenv.dll
3. CD c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult
Now you are able to run gpresult without error, and a server reboot is not required for this procedure.
7. What is the command to find out the site name for a given DC?
dsquery server NYDC01 -site
Domain controller name = NYDC01
8. Command to find all DCs in a given site
Command to find all the domain controllers in the "Default-First-Site-Name" site:
dsquery server -o rdn -site Default-First-Site-Name
Site name = Default-First-Site-Name
9. How many types of queries does DNS do?
Iterative Query
Recursive Query
Iterative Query: in this query the client asks the name server for the best possible answer. The name server checks its cache and the zones for which it is authoritative and returns the best possible answer to the client, which would be either the full answer (like an IP address) or a referral to try another name server.
Recursive Query: the client demands either a full answer or an error message (like record or domain name does not exist).
A client machine always sends a recursive query to the DNS server. If the DNS server does not have the requested information, the DNS server sends iterative queries to other name servers (through forwarders or secondary DNS servers) until it gets the information, or until the name query fails.
How are domain user accounts created and managed?
The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user's password.
What type of Active Directory objects can be contained in a group?
A group can contain users, computers, contacts, and other nested groups.
What type of group is not available in a domain that is running at the mixed-mode functional level?
Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.
What types of Active Directory objects can be contained in an Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in the Active Directory.
What is the Active Directory schema?
The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object.
Active Directory stores and retrieves information from a wide variety of applications and services.
Can servers running Windows Server 2008 provide services to clients when they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools provided to domain controllers.
What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.
What tools are involved in managing and deploying Group Policy?
GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.
How do you deal with Group Policy inheritance issues?
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from up-line GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (or up-line) GPO.
How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.
What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.
In terms of DNS, what is a caching-only server?
A caching-only DNS server supplies information related to queries based on the data it contains in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured with any zones, they do not generate network traffic related to zone transfers.
How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.
What's New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.
Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, "Manage Sites and Replication."
Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
What is the Global Catalog?
* A global catalog server is a domain controller.
* Master searchable database that contains information about every object in every domain in a forest.
* The global catalog contains a complete replica of all objects in Active Directory for its host domain.
* Contains a partial replica of all objects in Active Directory for every other domain in the forest.
* Provides group membership information during logon and authentication.
* Helps users locate resources in Active Directory.
The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise-wide forest search only on the properties in the GC, whereas you can search for any property in a user's domain tree. Only Directory Services (DSs) or domain controllers (DCs) can hold a copy of the GC.
Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don't need to configure additional GCs unless you notice slow query response times.
Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.
● How do you view all the GCs in the forest?
C:\>repadmin /showreps <domain_controller>
where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.
You would need a script to make such a query for every DC, but you can also check your DNS for SRV records which contain _gc in their name.
● Why not make all DCs in a large forest GCs?
When all the DCs become GCs, replication traffic increases, and the Infrastructure Master and the GC cannot be kept on the same domain controller, so at least one DC should act without holding the GC role.
● Trying to look at the Schema, how can I do that?
Register schmmgmt.dll with the command regsvr32 schmmgmt.dll.
● What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing complicated tasks easily. These can also be third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.
● What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
Replmon: Replmon displays information about Active Directory Replication.
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted with this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required for using this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN: REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesn't actually fix replication problems for you, but you can use it to help determine the source of a malfunction.
Repadmin.exe: Replication Diagnostics Tool
It diagnoses replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo). In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The replsummary, showrepl, showrepl /csv, and showvector /latency operations can be used to check for replication problems.
● What are sites? What are they used for?
Active Directory (AD) sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains. Because AD relies on IP, all LAN segments should have a defined IP subnet. This makes creating your AD site structure straightforward; you simply group well-connected subnets to form a site.
Creating AD sites benefits you in several ways, the first of which is that creating these sites lets you control replication traffic over WAN links. This control is important in Windows 2000 because any Win2K domain controller (DC) can originate changes to AD. To ensure that a change you make on one DC propagates to all DCs, Win2K uses multimaster replication (instead of the single-master replication that NT 4.0 uses). You might think that multimaster replication would make it difficult to plan for AD replication’s effect on your WAN links, but you can overcome this obstacle using AD sites.
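The subnet-to-site mapping the text describes, as an added PowerShell example that is not part of the original page. It performs the longest-prefix match that site lookup relies on, over a constructed subnet table; the site names and prefixes are invented for illustration, and the one live cmdlet mentioned in a comment assumes the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the original page. The subnet table is CONSTRUCTED for illustration.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    # Build the 32-bit value from the network-order bytes so endianness cannot bite us.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Get-SiteForAddress {
    param(
        [Parameter(Mandatory)][string]$ClientAddress,
        [Parameter(Mandatory)][hashtable]$SubnetToSite   # key "network/prefixlen", value site name
    )
    $client  = ConvertTo-IPv4Int $ClientAddress
    $bestLen = -1
    $bestSite = $null
    foreach ($prefix in $SubnetToSite.Keys) {
        $network, $len = $prefix -split '/'
        $len = [int]$len
        # Mask with the top $len bits set; 4294967295 is 0xFFFFFFFF kept as Int64 to avoid sign issues.
        $mask = if ($len -eq 0) { [int64]0 } else { ([int64]4294967295 -shl (32 - $len)) -band 4294967295 }
        $inSubnet = ($client -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
        # AD picks the most specific matching subnet object, so keep the longest prefix.
        if ($inSubnet -and $len -gt $bestLen) {
            $bestLen  = $len
            $bestSite = $SubnetToSite[$prefix]
        }
    }
    if ($null -eq $bestSite) {
        # A client with no matching subnet object has no site: it may authenticate against a
        # distant DC across the WAN, which is exactly what site design is meant to prevent.
        return 'NO SITE (no subnet object covers this address)'
    }
    return $bestSite
}

# CONSTRUCTED subnet-to-site table.
$subnets = @{
    '10.0.0.0/8'     = 'HQ-Datacenter'
    '10.20.0.0/16'   = 'Branch-Denver'   # more specific than 10.0.0.0/8, wins for 10.20.x.x
    '192.168.5.0/24' = 'Branch-Lisbon'
}

Get-SiteForAddress -ClientAddress '10.20.3.7'  -SubnetToSite $subnets
Get-SiteForAddress -ClientAddress '10.1.1.1'   -SubnetToSite $subnets
Get-SiteForAddress -ClientAddress '172.16.0.9' -SubnetToSite $subnets

# The real table can be pulled from the directory (RSAT ActiveDirectory module) with:
# Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Feeding the output of Get-ADReplicationSubnet into the same function is a quick way to audit which client ranges fall outside every defined subnet; the NETLOGON "no site" events on DCs report the same gap from the server side.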
● What's the difference between a site link's schedule and interval?
A site link is a connection object on which the replication transport mechanism depends; basically, it describes the communication mechanism used to transfer data between different sites. The site link schedule defines when the replication process is allowed to take place, and the interval defines how often replication takes place within the time period that the schedule allows.
● What is the ISTG? Who has that role by default?
The first server in the site becomes the ISTG for the site. The domain controller holding this role is not necessarily also a bridgehead server.
Windows 2000 domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
● What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
* Improved security
* Faster logon times
* More efficient access to resources on the network
● What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
KCC stands for Knowledge Consistency Checker. It is a part of the ISTG (Inter-Site Topology Generator) role in Active Directory. The KCC checks and, as an option, recreates topology information for the Active Directory domain.
● How do you view replication properties for AD?
By using Active Directory Replication Monitor.
Start–> Run–> Replmon
● What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
● Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues.
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegation of administrative authority usually doesn’t go more than 3 OU levels deep.
● What are Active Directory Groups?
Groups are containers that contain user and computer objects within them as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain Groups enable centralized administration in a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or a single domain.
Group Types
* Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
Group Scopes
Group scope normally describes which type of users should be clubbed together in a way which is easy for their administration. Therefore, in domain, groups play an important part. One group can be a member of other group(s) which is normally known as Group nesting. One or more groups can be member of any group in the entire domain(s) within a forest.
* Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Remember, however, that a domain local group cannot be nested into other groups: it will not be a member of another domain local group or any other group in the same domain.
* Global Group: Users with similar functions can be grouped under the global scope and given permission to access a resource (such as a printer or shared folder and files) available in the local domain or another domain in the same forest. In simple words, global groups can be used to grant permissions to resources located in any domain within a single forest, but their membership is limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible with global groups, as you can add a global group into another global group from any domain. Finally, to grant permissions to domain-specific resources (such as printers and published folders), global groups can be members of a domain local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
* Universal Group Scope: these groups are precisely used for e-mail distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group membership is not limited like that of global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.
● What are the FSMO roles? Who has them by default? What happens when each one fails?
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation). The five FSMO roles are:
● Schema master - Forest-wide and one per forest.
● Domain naming master - Forest-wide and one per forest.
● RID master - Domain-specific and one for each domain.
● PDC - PDC Emulator is domain-specific and one for each domain.
● Infrastructure master - Domain-specific and one for each domain.
In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have exact knowledge of which of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and be better prepared in case of an unscheduled outage of one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:
FSMO Role | Number of DCs holding this role | Original DC holding the FSMO role
Schema | One per forest | The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming | One per forest | The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID | One per domain | The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator | One per domain | The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Infrastructure | One per domain | The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:
FSMO Role | Which snap-in should I use?
Schema | Schema snap-in
Domain Naming | AD Domains and Trusts snap-in
RID | AD Users and Computers snap-in
PDC Emulator | AD Users and Computers snap-in
Infrastructure | AD Users and Computers snap-in
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done, click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done, click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads, right-click it and press Operation Masters.
8. Press the Close button.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
7. At the select operation target: prompt, type List roles for connected server, and then press ENTER again.
8. Type q 3 times to exit the Ntdsutil prompt.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (from the Download Free Windows 2000 Resource Kit Tools page) or obtain the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can download the Windows 2000 SP4 Support Tools or the Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Replmon tool.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide variety of tasks, mostly those related to AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to monitor window, select Search the Directory for the server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you want to query. Click Finish.
5. Right-click the server that is now listed in the left pane, and select Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click OK when you're done.
FSMO ROLES:
● What are FSMO Roles? List them.
FSMO roles are server roles in a forest. There are five types of FSMO roles:
1-Schema master
2-Domain naming master
3-Rid master
4-PDC Emulator
5-Infrastructure master
1. Schema Master:
* Controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory.
* To update the schema of a forest, you must have access to the schema master.
* There can be only one schema master in the whole forest.
2. Domain naming master:
* Controls the addition or removal of domains in the forest.
* This DC is the only one that can add or remove a domain from the directory.
* It can also add or remove cross references to domains in external directories.
* There can be only one domain naming master in the whole forest.
3. Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced.
The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
4. Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.
When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master.
The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
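The domain SID plus RID structure described above, and the pool the RID master hands RIDs out from, as an added PowerShell example that is not part of the original page. The SIDs and the rIDAvailablePool value below are constructed for illustration; the commented live query assumes the ActiveDirectory (RSAT) module and a domain-joined session.

```powershell
# Added example, not from the original page. SIDs and the pool value are CONSTRUCTED.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # SecurityIdentifier validates the string and exposes the domain part directly.
    $obj   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $parts = $obj.Value -split '-'
    [pscustomobject]@{
        Sid       = $obj.Value
        # Null for well-known SIDs such as S-1-5-32-544 that carry no domain identifier.
        DomainSid = if ($obj.AccountDomainSid) { $obj.AccountDomainSid.Value } else { $null }
        # The RID is always the final sub-authority.
        Rid       = [int64]$parts[-1]
        # RIDs below 1000 are reserved for built-in principals (500 = Administrator, 512 = Domain Admins, ...).
        IsBuiltIn = ([int64]$parts[-1]) -lt 1000
    }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$RidAvailablePool)
    # rIDAvailablePool on CN=RID Manager$ packs two 32-bit values into one Int64:
    # low 32 bits = next RID the RID master will allocate, high 32 bits = highest RID allowed.
    $next = $RidAvailablePool -band 4294967295   # 0xFFFFFFFF as Int64
    $max  = $RidAvailablePool -shr 32
    [pscustomobject]@{
        NextRid   = $next
        MaxRid    = $max
        Remaining = $max - $next
    }
}

# CONSTRUCTED SIDs: two principals in the same domain and one well-known local group.
$samples = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-32-544'
)
$samples | ForEach-Object { Split-Sid -Sid $_ } | Format-Table -AutoSize

# CONSTRUCTED pool value: MaxRid 1073741823 in the high half, NextRid 2100 in the low half.
ConvertFrom-RidPool -RidAvailablePool 4611686014132422708

# Live equivalent (uncomment on a domain-joined host with RSAT):
# $pool = (Get-ADObject -Identity ('CN=RID Manager$,' + (Get-ADDomain).SystemsContainer) `
#             -Properties rIDAvailablePool).rIDAvailablePool
# ConvertFrom-RidPool -RidAvailablePool $pool
```

Tracking Remaining over time is the practical monitoring point: a domain that burns through RIDs unexpectedly fast (bulk scripted object creation, or a misbehaving provisioning system) shows up here long before the pool is exhausted, and dcdiag /test:ridmanager reports the same two numbers.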
5. PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol.
All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
* Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
* Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
* Account lockout is processed on the PDC emulator.
* Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
* The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
● What FSMO placement considerations do you know of?
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
Single Domain Forest
In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.
You should also configure all domain controllers as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.
Multiple Domain Forest
In a multiple domain forest, use the following guidelines:
● In the forest root domain:
  ● If all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest.
  ● If not all domain controllers are also global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.
● In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC, in which case you have no choice but to leave it in place).
Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following actions:
● The standby operations master should not be a global catalog server except in a single domain environment, where all domain controllers are also global catalog servers.
● The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.
● Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.
To create a connection object on the current operations master:
1. In the Active Directory Sites and Services snap-in, in the console tree in the left pane, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations master, then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name and click OK.
To create a connection object on the standby operations master, perform the same procedure as above, and point the connection to the current FSMO role holder.
Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional level of Windows 2000 native, you must locate the domain naming master on a server that hosts the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not necessary for the domain naming master to be on a global catalog server.
Server performance and availability
Most FSMO roles require that the domain controller that holds the roles be:
Highly available server - FSMO functions require that the FSMO role holder is highly available at all times. A highly available DC is one that uses computer hardware that enables it to remain operational even during a hardware failure. For example, having a RAID1 or RAID5 configuration enables the server to keep running even if one hard disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even days in some cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? This table has the info:
FSMO Role | Loss implications
Schema | The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming | Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID | Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator | Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure | Group memberships may be incomplete. If you only have one domain, then there will be no impact.
Not necessarily high capacity server - A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload of holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth. FSMO roles usually do not place stress on the server's hardware.
One exception is the performance of the PDC Emulator, mainly when used in Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
● Increase the size of the DC's processing power.
● Do not make the DC a global catalog server.
● Reduce the priority and the weight of the service (SRV) record in DNS to give preference for authentication to other domain controllers in the site.
● Do not require that the standby domain controller be a direct replication partner (seizing the PDC emulator role does not result in lost data, so there is no need to reduce replication latency for a seize operation).
● Centrally locate this DC near the majority of the domain users.
Transferring FSMO Roles
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring. The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer process is not initiated automatically by the operating system, for example for a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process; this must be considered when shutting down a domain controller that holds an FSMO role for maintenance.
When the original FSMO role holder goes offline or becomes non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing.
Transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool:
● Active Directory Schema snap-in
● Active Directory Domains and Trusts snap-in
● Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group:
FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
Transferring the RID Master, PDC Emulator, and Infrastructure Master via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer. EXAMPLE: To transfer the RID Master role, you would type transfer rid master.
Options are:
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
Seizing the FSMO Roles
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation).
The five FSMO roles are:
● Schema master - Forest-wide and one per forest.
● Domain naming master - Forest-wide and one per forest.
● RID master - Domain-specific and one for each domain.
● PDC - PDC Emulator is domain-specific and one for each domain.
● Infrastructure master - Domain-specific and one for each domain.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), it is not a problem for them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back online, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary, when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
FSMO Role | Loss implications
Schema | The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming | Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID | Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator | Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure | Group memberships may be incomplete. If you only have one domain, there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
FSMO Role | Restrictions
Schema | Original must be reinstalled
Domain Naming | Original must be reinstalled
RID | Original must be reinstalled
PDC Emulator | Can transfer back to original
Infrastructure | Can transfer back to original
Another consideration before performing the seize operation is the administrator's group membership, as this table lists:
FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
To seize the FSMO roles by using Ntdsutil, follow these steps:
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
C:\WINDOWS>ntdsutil
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
Server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest, then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
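As an added example (not from the original notes), the following PowerShell script reports where the five FSMO roles live, tests whether each holder still answers LDAP, and flags the placement rules given above: the Domain Naming Master must be a GC in Windows 2000 forest mode, the Infrastructure Master should not be a GC in a multi-domain forest, and all five roles should not sit on one DC. The -Seize switch is the scripted equivalent of ntdsutil's seize <role>; it assumes the ActiveDirectory module (RSAT) and the same group memberships as the table above.

```powershell
# Added example, not part of the original notes: FSMO holder report and
# placement checks. Read-only unless -Seize is given. Assumes the
# ActiveDirectory module and rights to read the forest and domain objects.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Roles to seize onto -TargetDC. Only for a holder that will never return;
    # a holder that is merely offline should be restored and the role transferred.
    [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
                 'PDCEmulator', 'InfrastructureMaster')]
    [string[]]$Seize,
    [string]$TargetDC
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$gcs    = $forest.GlobalCatalogs               # forest-wide GC host names
$dcs    = Get-ADDomainController -Filter *     # DCs of the current domain

$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

function Test-LdapBind {
    # True when the DC answers an LDAP bind (the check ntdsutil's transfer
    # attempt fails with 'current FSMO holder could not be contacted').
    param([string]$Server)
    try   { $null = Get-ADRootDSE -Server $Server -ErrorAction Stop; $true }
    catch { $false }
}

Write-Host "Forest mode: $($forest.ForestMode); domains in forest: $($forest.Domains.Count)"
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    $alive  = Test-LdapBind -Server $holder
    $isGc   = $gcs -contains $holder
    '{0,-21} {1,-35} LDAP={2,-5} GC={3}' -f $role, $holder, $alive, $isGc
    if (-not $alive) {
        Write-Warning "$role holder $holder does not answer LDAP. Bring it back and transfer the role; seize only if it is gone for good."
    }
}

# Rule 1: the Infrastructure Master must not be a GC in a multi-domain forest,
# unless every DC is a GC (then there are no phantom records to update).
$allDcsAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($forest.Domains.Count -gt 1 -and ($gcs -contains $domain.InfrastructureMaster) -and -not $allDcsAreGc) {
    Write-Warning "Infrastructure Master $($domain.InfrastructureMaster) is a GC and will stop updating cross-domain references."
}

# Rule 2: at Windows 2000 forest functional level the Domain Naming Master must be a GC.
if ($forest.ForestMode -eq 'Windows2000Forest' -and -not ($gcs -contains $forest.DomainNamingMaster)) {
    Write-Warning "Domain Naming Master $($forest.DomainNamingMaster) is not a GC, which Windows 2000 forest mode requires."
}

# Rule 3: one DC holding all five roles is a single point of failure.
if (@($holders.Values | Sort-Object -Unique).Count -eq 1) {
    Write-Warning "All five roles are on $($holders.SchemaMaster); spread them across DCs."
}

# Optional seize: -Force moves the role even when the current holder cannot be
# reached (like ntdsutil, a transfer is attempted first).
foreach ($role in $Seize) {
    if (-not $TargetDC) { throw '-TargetDC is required with -Seize' }
    if ($PSCmdlet.ShouldProcess($TargetDC, "Seize $role")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role -Force -Confirm:$false
    }
}
```

Run it without parameters for the report; a seize still prompts because of ConfirmImpact 'High' unless -Confirm:$false is passed, and the seizing restrictions table above (original holder must be reinstalled for Schema, Domain Naming and RID) still applies.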
How do you recover an object in Active Directory which was accidentally deleted by you, with no backup?
Using the ntdsutil.exe command, we can restore the AD objects.
Microsoft Active Directory Questions
● Name the AD NCs and replication issues for each NC
* Schema NC, * Configuration NC, * Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
● What are application partitions? When do I use them?
A1) An Application Directory Partition is a partition space in Active Directory which an application can use to store application-specific data. This partition is then replicated only to some specific domain controllers.
The application directory partition can contain any type of data except security principals (users, computers, groups).
A2) These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
● How do you create a new application partition?
The DnsCmd command is used to create a new application directory partition. For example, to create a partition named "NewPartition" on the domain controller DC1.contoso.com, log on to the domain controller and type the following command:
DnsCmd DC1 /createdirectorypartition NewPartition.contoso.com
● How do you view replication properties for AD partitions and DCs?
Go to Start > Run > type replmon
● What are the requirements for installing AD on a new server?
● An NTFS partition with enough free space (if you have FAT or FAT32, use the convert c: /fs:ntfs command to convert it to NTFS)
● An Administrator's username and password
● The correct operating system version
● A NIC
● Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
● A network connection (to a hub or to another computer via a crossover cable)
● An operational DNS server (which can be installed on the DC itself)
● A domain name that you want to use
● The Windows Server 2003 CD media (or at least the i386 folder)
● Brains (recommended, not required...)
● What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Install from Media. In Windows Server 2003 a new feature has been added, and this time it's one that will actually make our lives easier... You can promote a domain controller using files backed up from a source domain controller!!!
This feature is called "Install from Media" and it's available by running DCPROMO with the /adv switch. It's not a replacement for network replication, we still need network connectivity, but now we can use an old System State copy from another Windows Server 2003, copy it to our future DC, and have the first and basic replication take place from the media instead of across the network, thus saving valuable time and network resources.
What you basically have to do is back up the System State of an existing domain controller, restore that backup to your replica candidate, and use DCPromo /Adv to tell it to source from local media rather than from a network source.
This also works for global catalogs. If we perform a backup of a global catalog server, then we can create a new global catalog server by performing DCPromo from that restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain B using that media.
It's only useful up to the tombstone lifetime, with a default of 60 days. So if you have an old backup, you cannot create a new domain controller using it, because you'll run into the problem of reanimating deleted objects.
● How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly demote a Windows Server 2003 DC, run the following command either at Start, Run, or at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate Services before continuing. If you specify the /forceremoval switch on a server that doesn't have Active Directory installed, the switch is ignored and the wizard pretends that you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want to assign to the local administrator in the SAM database. If you have Windows Server 2003 Service Pack 1 installed on the DC, you'll benefit from a few enhancements. The wizard will automatically run certain checks and will prompt you to take appropriate actions. For example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You will also be prompted to take an action if your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is supported with Service Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just make sure that while running the wizard, you clear the "This server is the last domain controller in the domain" check box. On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC: Once you've successfully demoted the DC, your job is not quite done yet. Now you must clean up the Active Directory metadata. You may be wondering why you need to clean the metadata manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion. When you force a demotion, Active Directory basically ignores other DCs and does its own thing. Because the other DCs are not aware that you removed the demoted DC from the domain, the references to the demoted DC need to be removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is obvious in most cases but, in other cases, you won't know it unless you start digging deep into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on Windows Server 2003 SP1. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up, which obviously means that the earlier versions didn't do a very good job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, "How to remove data in Active Directory after an unsuccessful domain controller demotion."
Step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Log on to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server you want to connect to.
6. Type quit or q to go one level up. You should be at the metadata cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different number.
9. Type select domain number, where number is the number associated with the domain of your server.
10. Type list sites.
11. Type select site number, where number is the number associated with the site of your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server you want to remove.
14. Type quit to go back to the metadata cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the server.
In general, you will have better luck using forced demotion on Windows Server 2003, because the naming contexts and other objects don't get cleaned as quickly on Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to the nature of forced demotion and the fact that it's meant to be used only as a last resort, there are additional things that you should know about forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using ADSIEdit or other such tools. You might want to check out Microsoft's Knowledge Base article 332199, "Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server," for more information.
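As an added example (not from the original notes), this PowerShell script finds the leftover metadata that the ntdsutil procedure above removes: NTDS Settings objects under CN=Sites that no live domain controller claims, plus the SRV records in _msdcs that still point at such a server. It is read-only and assumes the ActiveDirectory module; the DNS part assumes the DnsServer module and that it runs on a DNS server hosting the _msdcs zone.

```powershell
# Added example, not part of the original notes: detect orphaned DC metadata
# after a forced demotion. Read-only. Assumes the ActiveDirectory module; the
# DNS check is skipped when the DnsServer module is not present.
Import-Module ActiveDirectory

$forest = Get-ADForest
$config = (Get-ADRootDSE).configurationNamingContext

# NTDS Settings DNs of every DC that still advertises itself, forest-wide.
$live = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object -ExpandProperty NTDSSettingsObjectDN
}

# Every NTDS Settings object (class nTDSDSA) under CN=Sites; each one claims a DC.
$ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
            -SearchBase "CN=Sites,$config" -Properties whenChanged

$orphans = foreach ($n in $ntds) {
    if ($live -notcontains $n.DistinguishedName) {
        # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts = $n.DistinguishedName -split ','
        [pscustomobject]@{
            Server      = $parts[1] -replace '^CN='
            Site        = $parts[3] -replace '^CN='
            LastChanged = $n.whenChanged
            NtdsDN      = $n.DistinguishedName
        }
    }
}

if (-not $orphans) { 'No orphaned NTDS Settings objects found.'; return }
$orphans | Format-Table Server, Site, LastChanged -AutoSize

# The notes also recommend removing the demoted DC's DNS records: list SRV
# records in _msdcs.<forest root> that still name an orphaned server.
if (Get-Module -ListAvailable -Name DnsServer) {
    Import-Module DnsServer
    $zone = "_msdcs.$($forest.RootDomain)"
    $srv  = Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue
    foreach ($o in $orphans) {
        $srv | Where-Object { $_.RecordData.DomainName -like "$($o.Server).*" } |
            ForEach-Object { "stale SRV: $($_.HostName) -> $($_.RecordData.DomainName)" }
    }
}
```

Each row printed corresponds to one server you would select with "select server number" in the procedure above; the script itself removes nothing.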
● Can I get user passwords from the AD database?
As far as I know there is no way to extract the password from the AD database. By the way, there is a tool called cache dump. Using it we can extract the cached passwords from a Windows XP machine which is joined to a domain.
● Name some OU design considerations.
● Design the OU structure based on Active Directory business requirements
● NT resource domains may fold up into OUs
● Create nested OUs to hide objects
● Objects are easily moved between OUs
● Departments, geographic region, job function, object type
● What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.
To change the tombstone lifetime attribute read this article.
● What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility.
● ADPrep /forestprep on the schema master in your Windows 2000 forest.
● ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older Windows Server 2003 media; instead you need to look for it on the second CD. You see, Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a slip-streamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2 contains the Windows Server 2003 R2 files.
The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.
You can find the R2 ADPrep tool in the following folder on the second CD:
drive:\CMPNENTS\R2\ADPREP\
(where drive is the drive letter of your CD-ROM drive)
Read more about ADPrep and Windows Server 2003 R2 in KB 917385.
Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for Exchange 2000 before installing the first Windows Server 2003 DC in your existing organization.
Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domain controllers before running ADPrep. SP2 fixed a critical internal AD bug, which can manifest itself when extending the schema. There were also some fixes to improve the replication delay that can be seen when indexing attributes.
ADPrep is similar to the Exchange setup.exe /forestprep and /domainprep switches:
● The Exchange /forestprep command extends the schema and adds some objects in the Configuration Naming Context.
● The Exchange /domainprep command adds objects within the Domain Naming Context of the domain it is being run on and sets some ACLs.
The ADPrep command follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2003.
You can view the schema extensions by looking at the .ldf files in the \i386 directory on the Windows Server 2003 CD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.
Since the schema is extended and objects are added in several places in the Configuration NC, the user running /forestprep must be a member of both the Schema Admins and Enterprise Admins groups.
The ADPrep /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPrep /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
/domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory.
Each time ADPrep is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPrep was run.
Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.
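The text requires that the /forestprep schema changes reach every DC before /domainprep is run. As an added example (not from the original notes), this PowerShell script checks that by reading objectVersion from each DC's own replica of the schema partition; the expected number comes from Microsoft's documented schema versions (Windows 2000 = 13, Windows Server 2003 = 30, 2003 R2 = 31) and is passed as a parameter. It assumes the ActiveDirectory module.

```powershell
# Added example, not part of the original notes: verify that ADPrep /forestprep
# has replicated to every DC in the forest before running /domainprep.
# Assumes the ActiveDirectory module. -Expected is the schema objectVersion that
# the forestprep you ran should produce (30 for Windows Server 2003, 31 for R2).
param([int]$Expected = 30)
Import-Module ActiveDirectory

$schemaDn = (Get-ADRootDSE).schemaNamingContext
$forest   = Get-ADForest

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            # Ask each DC directly so we read its local replica, not the nearest one.
            $v = (Get-ADObject -Identity $schemaDn -Server $dc.HostName `
                    -Properties objectVersion -ErrorAction Stop).objectVersion
            $status = if ($v -ge $Expected) { 'ok' } else { 'NOT REPLICATED' }
        } catch {
            # An unreachable DC cannot be confirmed; treat it as not ready.
            $v = $null; $status = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DC = $dc.HostName; Domain = $domain; SchemaVersion = $v; Status = $status
        }
    }
}

$report | Format-Table -AutoSize
# /domainprep is safe only when every DC reports 'ok'.
$ready = @($report | Where-Object { $_.Status -ne 'ok' }).Count -eq 0
"Ready for ADPrep /domainprep: $ready"
```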
● What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING: Forest and domain KB article Q3311 http://support.microsoft.com.
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
● How would you find all users that have not logged on since last month?
If you are using a Windows 2003 domain environment, go to Active Directory Users and Computers, select Saved Queries, right-click it and select New Query, then under the custom common queries and Define Query there is one which shows days since last logon.
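The saved query above relies on lastLogonTimestamp, which is replicated but only rewritten when the stored value is more than about 14 days old, so any "days since last logon" figure can lag by up to that much. As an added example (not from the original notes), this PowerShell script produces the same list from the command line and handles the two edge cases the GUI query hides: accounts that have never logged on, and the replication lag. It assumes the ActiveDirectory module; -SearchBase defaults to the whole domain.

```powershell
# Added example, not part of the original notes: enabled users with no logon in
# the last -Days days. Assumes the ActiveDirectory module. On Windows Server
# 2003 the equivalent command-line check is 'dsquery user -inactive <weeks>'.
param(
    [int]$Days = 30,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$Days)
# lastLogonTimestamp is replicated but refreshed only when >14 days stale, so
# an account can look up to 14 days more idle than it really is. Flag rows
# that fall inside that window rather than reporting them as certain.
$lagDays = 14

$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
            -Properties LastLogonDate, PasswordLastSet, WhenCreated

$stale = foreach ($u in $users) {
    # LastLogonDate is the cmdlet's converted lastLogonTimestamp; it is empty
    # for accounts that have never logged on, so fall back to creation time and
    # do not report brand-new accounts as stale.
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
    if ($last -lt $cutoff) {
        $idle = [int]($now - $last).TotalDays
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            NeverLoggedOn   = -not $u.LastLogonDate
            LastLogon       = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            DaysIdle        = $idle
            Certain         = ($idle - $lagDays) -ge $Days   # true even allowing for lag
        }
    }
}

$stale | Sort-Object DaysIdle -Descending | Format-Table -AutoSize
```

Rows with Certain = False sit inside the replication window and should be confirmed against the non-replicated lastLogon attribute on each DC before any account is disabled.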
● What are the DS* commands?
● DSrm - to delete Active Directory objects
● DSmove - to relocate objects
DSmod
Adding objects is great, but there are times in Windows 2003 when you need to change Active Directory properties.
Scenario: you wish to quickly change a user's password. This is a task you are going to have to do regularly, and you would like to be able to do it quickly from the command line. Let us now modify the user's password with DSmod.
Example 1 Modify Password
Log on to your domain controller. Check which users you have; if necessary create an OU called guyds and a user called guyt.
Examine the script below. Decide how cn= or ou= or dc= need editing.
Run CMD, then copy your script and paste it into the command window. Alternatively type it starting with dsmod user .........
Command: dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg
Example 2 Create user WITH password
Note 1: We could have created the password at the same time we created the user. For ease of learning I introduce one variable at a time. However, here is the complete command to add a user with a password.
Command: dsadd user "cn=pault, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg
Example 3 Modify Groups
Another use of DSmod is to add members to a group.
In this instance you need the full distinguished name (DN) of the group, then the -addmbr switch followed by the DN of the users. Tricky method! Try dsmod group /? for more help.
Introduction
to DSadd
DSadd is the most important
member of this DS scripting family. The primary use of DSadd is to
quickly add user accounts to Windows Server 2003 Active Directory.
However, you can also use this method to create OUs computers, groups, or even
contacts.
Creating
an OU - DSadd ou....
Let us create an OU
(organizational unit) to hold the rest of the test objects. Edit the
dc=cp and dc =com to the fully qualified name of your Windows 2003
domain. As ever, pay close attention to the syntax, for instance the DN
"ou=guyds, dc=cp, dc=com" is enclosed in double speech
marks. Single 'speech marks' will not work. Also remember that DS
is new in Window 2003, so will not work in Windows 2000.
Example 1 Using DSadd to Create an Organizational Unit in Windows 2003
Preparation: Log on to your domain controller.
Examine the script below. Edit ou= or dc= to reflect YOUR domain.
Run CMD, then copy your script and paste it into the command window.
Alternatively type it, starting with dsadd ou .........
Command:
dsadd ou "ou=guyds, dc=cp, dc=com"
Note 1: dsadd ou tells Active Directory which kind of object to create,
in this case an OU (not a user).
Note 2: You only really need quotation marks if there is a space in any of
the names. So ou=guyds,dc=cp,dc=com would work fine unquoted, but ou=GUY
Space DS,dc=cp,dc=com fails because the command interpreter splits the DN
at the spaces in GUY Space DS. For that second example you would type
"ou=GUY Space DS, dc=cp, dc=com".
Example 2 Employing DSadd to Create a User (assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation: Log on to your domain controller.
Examine the script below. Decide whether cn=, ou= or dc= need editing.
Run CMD, then copy your script and paste it into the command window.
Alternatively type it, starting with dsadd user .........
Creating a User - DSadd user....
Command:
dsadd user "cn=guyt, ou=guyds, dc=cp, dc=com"
Note: DSadd requires the complete distinguished name, and the distinguished
name is enclosed in double quotation marks. I expect you spotted that the
user will be created in the guyds organizational unit that was created in
the first example. Change cn=guyt to a different user name if you wish.
A user created this way has no password; add -pwd * to be prompted for one.
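The quoting rules above only cover spaces. The following Python helper is an added example, not part of Guy Thomas's tutorial: it builds a DN for dsadd or dsmod from its parts, escaping the characters RFC 4514 reserves inside an attribute value (comma, plus, double quote, backslash, angle brackets, semicolon, a leading # and leading or trailing spaces), and wraps the result in double quotes for cmd.exe. It goes a step beyond the page by also splitting a DN back into its RDNs without breaking on an escaped comma, which is what a user called "Smith, John" would otherwise do. The OU and user names are the page's test objects; the cmd.exe quoting assumes the value itself contains no double quote.

```python
"""Build and split LDAP distinguished names for dsadd/dsmod (added example)."""

# Characters RFC 4514 says must be escaped anywhere in an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (the part after cn=, ou=, dc=)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                 # leading/trailing space
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, domain: str) -> str:
    """rdns: (attribute, value) pairs from most specific to least, e.g.
    [("cn", "guyt"), ("ou", "guyds")]; domain: DNS name such as "cp.com"."""
    parts = [f"{attr}={escape_rdn_value(val)}" for attr, val in rdns]
    parts += [f"dc={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(parts)


def split_dn(dn: str):
    """Split a DN into RDN strings, honouring backslash escapes and
    tolerating the spaces after commas the tutorial uses."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape and next char together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def ds_command(verb: str, rdns, domain: str, *args: str) -> str:
    """Compose e.g. dsadd user "cn=...,dc=cp,dc=com" -pwd * for cmd.exe.
    The DN is double-quoted so spaces do not split it into arguments; the
    values are assumed not to contain a double quote themselves."""
    dn = build_dn(rdns, domain)
    return " ".join([verb, f'"{dn}"', *args])
```

ds_command("dsadd user", [("cn", "Smith, John"), ("ou", "GUY Space DS")], "cp.com", "-pwd", "*") yields the quoted, comma-escaped command line ready to paste into CMD.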
DS Error Messages
DS has its own family of error messages. I found that they are specific
and varied; just remember to pay attention to detail. READ ERROR MESSAGES
SLOWLY.
New DS built-in tools for Windows Server 2003
At last I have found a really useful member of the DS family of utilities.
If I need to find a user quickly from the command prompt, I call for DSQuery.
Example 1 - DSQuery to list all the OUs in your domain
Let us find out how many Organizational Units there are in your domain. This
command produces a listing of all OUs.
Commands:
dsquery ou dc=mydom,dc=com
or
dsquery ou domainroot
Learning Points
Note 1: dc does NOT mean domain controller; it is the LDAP attribute
domainComponent, one per DNS label of the domain name.
Note 2: The DN is not case sensitive, but an unquoted DN must not contain
spaces: the command interpreter splits dc=mydom, dc=com into two arguments
and dsquery draws an error. Either remove the space or enclose the whole DN
in double quotation marks.
Note 3: If you haven't got any OUs (Organizational Units), I seriously
suggest that you create some to organize your users.
Note 4: Best of all, in this scenario you can substitute domainroot for
dc=mydom,dc=com.
Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the Users folder and find out who is
in that container.
Command: dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default Users folder is actually a container object called
cn=Users, not an OU. My point is: if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not
userS. Other objects that you can query are computer (not computers!),
group or even contact.
Challenge 1: Substitute ou=xyz for cn=users, where xyz is the name of your
OU. Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user.
Example 3 - DSQuery to list all your Domain Controllers
Suppose you want to list all of your domain controllers (not computers).
Which command do you think would supply the information?
Commands:
dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com
Learning Points
Note 1: Amazingly, dsquery server, the simplest command, gets the job done:
it searches the server objects under the Sites container of the
configuration partition, which is where domain controllers are registered.
Note 2: I thank Jim D for pointing out that what we want here is the
singular 'server'.
Example 4 - To query the FSMO roles of your Domain Controllers
Here is a wonderful switch to find which DC holds each FSMO role (Flexible
Single Master Operations): -hasfsmo. The arguments, which correspond to the
5 roles, are schema (schema master), name (domain naming master), infr
(infrastructure master), pdc (PDC emulator) and rid (RID master).
Command:
dsquery server -hasfsmo schema
Replace schema with pdc, rid, infr or name for the other role holders.
Learning Points
Note 1: The switch is -hasfsmo, not ?hasfsmo as some documents render it;
the question mark is a mis-printed hyphen.
Example 5 - DSQuery to find all users whose name begins with smith
This DSQuery example shows two ways to filter your output and so home in on
what you are looking for. Let us pretend that we know the user's name but
have no idea in which OU they are to be found. Moreover, we are not sure
whether their name is spelt Smith, Smithy or Smithye.
Commands:
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user smith*
Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *; you probably realize it's a
wildcard.
Note 3: -name is but one of a family of filters. -desc and -disabled are
others; -inactive <weeks> and -stalepwd <days> are the ones to reach for
when auditing dormant accounts and passwords that have not been changed.
Example 6 - DSQuery to filter the output with -o rdn
The purpose of -o rdn is to reduce the output to just the relative
distinguished name. In a nutshell, rdn strips away the OU=, DC= part which
you may not be interested in.
Command: dsquery user -name smith* -o rdn
Learning Points
Note 1: o is the letter oh (not a number). In my mind's eye o stands for
output.
Note 2: There is a switch -o dn, but this is not a switch I use. The other
output formats are -o samid (the pre-Windows 2000 logon name) and -o upn.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular are
handy commands for interrogating Active Directory from the command line.
Perhaps the day will come when you need to find a user, computer or group
without calling for the Active Directory Users and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery
returns a list of objects, DSGet can interrogate those objects for extra
properties such as description, manager or department. Naturally this
presupposes you entered the relevant information in the user's properties
sheet!
Introduction to DSGet
My assumption is that you are comfortable with DSQuery; if this is not the
case, take the time to have a refresher.
Next, a reminder to pay close attention to DS syntax. In this instance what
we need is a pipe symbol ( | ) to join DSQuery with DSGet. Just to be clear,
you type this pipe (|) with the shift key and the key next to the Z. (A
colon : would produce an error.)
Example 1 To Check that DSQuery is working
Let us build a solid foundation with a DSQuery (only found on a Windows
Server 2003 DC, or on a machine with the adminpak tools installed).
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith*
Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote
desktop into such a server?
Note 2: Feel free to change smith* to one of your users. Better still,
create a test account and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to
DSGet.
Example 2 Basic DSGet
We need to interrogate the output for more information. So we use DSGet to
retrieve the description.
Commands:
dsquery user domainroot -name smith* | dsget user -dn -desc
or
dsquery user -name smith* | dsget user -dn -desc
Learning Points for DSGet
Note 1: Master the pipe command | which separates dsquery from dsget. To
create |, hold down the shift key while pressing the key next to the Z.
Note 2: Even though dsquery told the operating system it was a user
object, dsget still has to name the object type, user, in its section of
the command.
Challenge: See what happens if you omit the -dn.
Example 3 - Which extra properties shall we query?
-display The display name is different from the user's description field.
If you haven't done so already, time to get a user's properties sheet and
start filling in those attribute boxes.
-office Useful property.
-sn This switch does not work. What's the matter with -sn? I will tell
you what's wrong: dsget requires -ln instead of -sn (surname) and -fn
instead of givenName. grrrrrrrrrrrrrrrrrr. Calm down Guy, go with the
flow; think of all these useful switches.
O.K. No more moaning. DSGet is actually fun and productive. Guess what
information these switches return?
-email, -tel, -mgr, -mobile
Answers: -email is the e-mail address on the General tab, -tel the
telephone number on the General tab, -mgr the Manager on the Organization
tab, and -mobile the Mobile number on the Telephones tab. Now find them on
the user's properties sheet.
Example 4 - Change the DSget output.
They say the old tricks are the best, so let us try sending the DSGet output
not to the screen but to a text file. Here we need a different operator;
this time it is not a pipe but the redirection symbol, the greater-than
sign, for example > filename.txt. So just tag on > filename.txt to your DS
command. Follow up with: notepad filename.txt.
Commands:
dsquery user domainroot -name smith* | dsget user -fn -ln -mgr > dsget.txt
or
dsquery user -name smith* | dsget user -fn -ln -mgr > dsget.txt
Learning Points
Note 1: To read the file, type notepad dsget.txt
Note 2: I am impressed by the column format of the output.
I would like to leave you with a few more DSGet objects that you can
interrogate or experiment with. In addition to user, there are the following
DSGet objects: computer, contact, group, ou, server (meaning a DC), and even
site and subnet.
Note. There are also two objects called partition and quota; however, in
the context of DSGet, partition and quota refer to Active Directory, not to
disks. For example, dsget partition reports an application partition in
Active Directory. To tell the truth, it was a big disappointment that DSGet
did not return the disk information, but on reflection I was expecting the
impossible. DSGet partition means Active Directory partition.
Summary - DSGet
As far as DSGet is concerned, I have come from Philistine to champion. Now I
really enjoy the challenge of DSGet and appreciate the way it works hand in
glove with DSQuery. It also reminds me of that old truism: the more you
know, the easier it gets.
● What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from
AD using a CSV-formatted file. A CSV (Comma Separated Value) file is easily
readable in Excel. I will not go to length into this powerful command, but I
will show you some basic samples of how to import a large number of users
into your AD. Of course, as with the DSADD command, CSVDE can do more than
just import users. Consult your help file for more info. Like CSVDE, LDIFDE
is a command that can be used to import and export objects to and from AD,
in this case using an LDIF-formatted file. An LDIF (LDAP Data Interchange
Format) file is easily readable in any text editor; however it is not
readable in programs like Excel. The major difference between CSVDE and
LDIFDE (besides the file format) is that LDIFDE can also modify and delete
existing AD objects (not just users), while CSVDE can only add and export
objects. Neither tool is a way to mass-assign passwords: CSVDE cannot set
them at all, so imported users arrive disabled, and LDIFDE can set
unicodePwd only over an SSL-protected LDAP connection.
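As an added example (it is not csvde or ldifde themselves, nor code from the original page), here is a small converter that takes the kind of CSV an administrator would normally hand to csvde and produces the LDIF that ldifde -i expects, base64-encoding any value RFC 2849 does not allow in clear text. The column names, the target OU ou=guyds,dc=cp,dc=com, the domain cp.com and the two sample rows are constructed for illustration; the cn values are assumed to contain no comma or plus sign.

```python
"""CSV rows of new users -> LDIF for ldifde -i (added example)."""
import base64
import csv
import io

BASE_DN = "ou=guyds,dc=cp,dc=com"     # assumed target OU
DOMAIN = "cp.com"                     # assumed domain DNS name

# Constructed sample input; the second description starts with a space.
SAMPLE_CSV = """\
givenName,sn,sAMAccountName,description
Guy,Thomas,guyt,Test account
José,Núñez,jnunez, imported from HR feed
"""


def ldif_attr(name: str, value: str) -> str:
    """'name: value', or 'name:: base64' when the value is not a SAFE-STRING
    (non-ASCII, control characters, or a leading space/colon/'<')."""
    unsafe = (
        not value.isascii()
        or any(c in value for c in "\x00\r\n")
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")            # legal, but most tools would trim it
    )
    if unsafe:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {b64}"
    return f"{name}: {value}"


def user_entry(row: dict) -> str:
    """One LDIF 'add' record for a user."""
    cn = f"{row['givenName']} {row['sn']}"
    lines = [
        ldif_attr("dn", f"cn={cn},{BASE_DN}"),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("givenName", row["givenName"]),
        ldif_attr("sn", row["sn"]),
        ldif_attr("sAMAccountName", row["sAMAccountName"]),
        ldif_attr("userPrincipalName", f"{row['sAMAccountName']}@{DOMAIN}"),
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). No password is set
        # here (ldifde can only do that over LDAPS), so leave it disabled.
        "userAccountControl: 514",
    ]
    if row.get("description"):
        lines.append(ldif_attr("description", row["description"]))
    return "\n".join(lines) + "\n"


def csv_to_ldif(csv_text: str) -> str:
    """Records are separated by a blank line, as LDIF requires."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n".join(user_entry(r) for r in rows)


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV))
```

Save the output as users.ldf and import it with ldifde -i -k -f users.ldf against a domain controller; the accounts then need a password set and -disabled cleared (dsmod user ... -pwd * -disabled no) before anyone can log on with them.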
Windows Server 2003 Active Directory and Security questions
What's the difference between local, global and universal groups?
Domain local groups are used to assign permissions to resources in their
own domain; they can contain users, global groups and universal groups from
any trusted domain. Global groups contain users (and other global groups)
from their own domain only, and can be granted permissions to resources in
any trusted domain. Universal groups can contain users, global groups and
universal groups from any domain in the forest and can be granted
permissions in any domain in the forest; their membership is stored in the
global catalog.
I am trying to create a new universal user group. Why can't I?
Universal security groups are only available when the domain functional
level is Windows 2000 native or higher, which requires that no Windows NT
4.0 domain controllers remain. A domain upgraded from NT 4.0 starts in
Windows 2000 mixed mode, where you can create universal distribution groups
but not universal security groups.
What is LSDOU?
The Group Policy inheritance model, where policies are applied in the order
Local machine, Site, Domain and then Organizational Units (parent OU before
child OU); a setting applied later overrides the same setting applied
earlier.
Why doesn't LSDOU work under Windows NT?
Windows NT 4.0 uses System Policy instead of Group Policy. If an NTConfig.pol
file exists, it has the highest priority among the numerous policies.
Where are group policies stored? The local GPO is in
%SystemRoot%\System32\GroupPolicy; domain GPOs are split between Active
Directory and SYSVOL.
What are GPT and GPC? Group policy template (the file part, in SYSVOL) and
group policy container (the Active Directory object under
CN=Policies,CN=System in the domain partition).
Where is the GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\{GUID}
You change the group policies, and now the
computer and user settings are in conflict. Which one has the highest
priority? The computer settings take priority.
You want to set up remote installation
procedure, but do not want the user to gain access over it. What do you do?
gponame–>
User Configuration–> Windows Settings–> Remote Installation Services–>
Choice Options is your friend.
What’s contained in administrative
template conf.adm? Microsoft
NetMeeting policies
How can you restrict running certain applications on a machine?
Via Group Policy: Computer Configuration (or User Configuration) -> Windows
Settings -> Security Settings -> Software Restriction Policies. Set the
default security level to Disallowed and add path, hash or certificate
rules for the programs that are allowed, rather than trying to list what is
forbidden.
You need to automatically install an app,
but MSI file is not available. What do you do?
A .zap text file can be used to add applications
using the Software Installer, rather than the Windows Installer.
What’s the difference between Software
Installer and Windows Installer?
The
former has fewer privileges and will probably require user intervention. Plus,
it uses .zap files.
What can be restricted on Windows Server
2003 that wasn’t there in previous products?
Group
Policy in Windows Server 2003 determines a users right to modify network and
dial-up TCP/IP properties. Users may be selectively restricted from modifying
their IP address and other network configuration parameters.
How frequently is the client policy refreshed? Every 90 minutes, plus a
random offset of up to 30 minutes; domain controllers refresh every 5
minutes. gpupdate forces a refresh.
Where is secedit? For refreshing policy, secedit /refreshpolicy has been
replaced by gpupdate; secedit itself still exists for analysing and
applying security templates.
You want to create a new group policy but do not wish to inherit. Block
Policy Inheritance is set on the OU (or domain) that should not inherit,
not on the GPO itself; a GPO linked higher up with No Override (Enforced)
still applies regardless.
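The LSDOU order, Block Policy Inheritance and No Override interact in ways that are easy to get wrong, so here is an added example (not from the original page) that resolves the winning value of each setting for one user or computer. GPO names, containers and settings are made up for illustration; links within one container are listed in application order, lowest precedence first.

```python
"""LSDOU precedence with Block Policy Inheritance and No Override (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    enforced: bool = False       # "No Override" (GPMC calls it Enforced) on the link


@dataclass
class Container:
    name: str
    gpos: List[GPO]              # in application order: lowest precedence first
    block_inheritance: bool = False


def resolve(local: Optional[GPO], chain: List[Container]) -> Tuple[dict, dict]:
    """chain runs from the site, through the domain, down to the object's OU.
    Returns (effective settings, winning GPO per setting)."""
    # Block Policy Inheritance on a container stops non-enforced GPOs linked
    # ABOVE it; GPOs linked at the blocking container itself still apply.
    cutoff = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            cutoff = i
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.enforced:
                enforced.append((i, g))
            elif i >= cutoff:
                normal.append(g)
    # Later application wins. Enforced links are applied after everything
    # else, lowest container first, so the enforced GPO nearest the root
    # has the final word. Local policy is always processed first.
    order = ([local] if local else []) + normal
    order += [g for _, g in sorted(enforced, key=lambda t: -t[0])]
    effective, winner = {}, {}
    for g in order:
        for key, val in g.settings.items():
            effective[key] = val
            winner[key] = g.name
    return effective, winner


# Constructed scenario: names and settings are illustrative only.
LOCAL = GPO("Local GPO", {"wallpaper": "local.bmp", "lock_after_s": 60})
SITE = Container("London", [GPO("Site Wallpaper", {"wallpaper": "london.bmp"})])
DOMAIN = Container("cp.com", [
    GPO("Default Domain Policy", {"pwd_history": 24, "lock_after_s": 900},
        enforced=True)])
GUYDS = Container("guyds", [GPO("Guyds Desktop",
                  {"wallpaper": "guyds.bmp", "lock_after_s": 300})],
                  block_inheritance=True)


def demo() -> Tuple[dict, dict]:
    """The guyds OU blocks inheritance, yet the enforced domain policy wins."""
    return resolve(LOCAL, [SITE, DOMAIN, GUYDS])
```

In the scenario the site wallpaper is blocked, the OU's own wallpaper overrides the local one, but the OU's 300-second lock timeout loses to the enforced Default Domain Policy, which is exactly the behaviour the Block inheritance answer above describes.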
What is "tattooing" the Registry?
Settings written outside the four Group Policy keys (the Policies branches
under Software in HKLM and HKCU) are not removed when the policy stops
applying, so if the GPO is removed or changed the old value persists in the
Registry. Users can view and modify these persisted preferences.
How do you fight tattooing in NT/2000 installations? You can't, other than
by avoiding custom .adm entries that write outside the policy keys.
How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy -
enable Enforce Show Policies Only, so that only true policies (which are
cleaned up when they no longer apply) are shown and set.
What does IntelliMirror do?
It
helps to reconcile desktop settings, applications, and stored files for users,
particularly those who move between workstations or those who must periodically
work offline.
What’s the major difference between FAT
and NTFS on a local machine?
FAT
and FAT32 provide no security over locally logged-on users. Only native NTFS
provides extensive permission control on both remote and local files.
How do FAT and NTFS differ in approach to
user shares? They don’t, both have support for sharing.
Explain the List Folder Contents permission on a folder in NTFS.
The same rights as Read & Execute, but it applies only to folders: it is
inherited by newly created subfolders and not by the files within the folder.
I have a file to which the user has access, but he has no folder permission
to read it. Can he access it?
Yes. A user can open a file for which he has no permission on the parent
folder, provided he knows the full path. Even if he cannot drill down the
folder tree in My Computer, he can still reach the file using the Universal
Naming Convention (UNC) path. The simplest way is to type the full path of
the file into the Run... window. This works because the "Bypass traverse
checking" user right, granted to Everyone by default, lets a user pass
through folders he cannot list.
For a user in several groups, are Allow permissions restrictive or
permissive?
Permissive: if at least one group has Allow permission for the file/folder,
the user will have the same permission.
For a user in several groups, are Deny permissions restrictive or
permissive?
Restrictive: if at least one group has Deny permission for the file/folder,
the user will be denied access, regardless of other group permissions. The
one exception is ACE order: permissions set directly on the object are
evaluated before inherited ones, so an explicit Allow can override a Deny
inherited from a parent folder.
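The two answers above are consequences of how Windows walks an ACL, so here is an added example (not from the original page) that models the check: ACEs are taken in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), a matching Deny that covers any still-wanted right refuses access, and matching Allows strip rights until none remain. Group names stand in for SIDs, and the folder ACL and the user's memberships are constructed for the scenario.

```python
"""NTFS-style access check: Deny, Allow, explicit vs inherited (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class ACE:
    trustee: str          # user or group name standing in for a SID
    allow: bool
    mask: int
    inherited: bool = False


def canonical_order(acl: List[ACE]) -> List[ACE]:
    """Windows evaluates ACEs in canonical order: explicit Deny, explicit
    Allow, inherited Deny, inherited Allow. The stable sort keeps ties."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(acl: List[ACE], token: Set[str], requested: int) -> Tuple[bool, str]:
    """token: the user's SID plus every group SID (the access token).
    A matching Deny covering any still-wanted bit denies; matching Allows
    remove bits until nothing is left, which grants."""
    remaining = requested
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False, f"denied by Deny ACE for {ace.trustee}"
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted, completed by Allow ACE for {ace.trustee}"
    return False, "no ACE granted the remaining access"


# Constructed scenario: guyt is a member of Sales and Temps.
GUYT = {"guyt", "Sales", "Temps", "Everyone"}
FOLDER_ACL = [
    ACE("Temps", allow=False, mask=WRITE | DELETE, inherited=True),   # inherited Deny
    ACE("Sales", allow=True, mask=READ | WRITE),                      # explicit Allow
    ACE("Everyone", allow=True, mask=READ, inherited=True),
]


def sales_write() -> Tuple[bool, str]:
    """Explicit Allow for Sales is evaluated before the inherited Temps Deny."""
    return access_check(FOLDER_ACL, GUYT, READ | WRITE)


def sales_delete() -> Tuple[bool, str]:
    """DELETE is wanted, Sales never grants it, so the Temps Deny bites."""
    return access_check(FOLDER_ACL, GUYT, DELETE)


def explicit_deny_write() -> Tuple[bool, str]:
    """Make the Temps Deny explicit: now it comes first and wins outright."""
    acl = [ACE("Temps", allow=False, mask=WRITE)] + FOLDER_ACL[1:]
    return access_check(acl, GUYT, READ | WRITE)
```

Run the three scenario functions to see the same Deny ACE lose when inherited and win when explicit; that is the difference between what the Effective Permissions tab shows and what an administrator who only looks at the group list expects.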
What hidden shares exist on a Windows Server 2003 installation?
ADMIN$ (the system root), one <drive letter>$ share per fixed disk, IPC$
and, if printers are shared, print$. A domain controller also publishes
NETLOGON and SYSVOL, but those are ordinary visible shares, not hidden ones.
What’s the difference between standalone
and fault-tolerant DFS (Distributed File System) installations?
The
standalone server stores the Dfs directory tree structure or topology locally.
Thus, if a shared folder is inaccessible or if the Dfs root server is down,
users are left with no link to the shared resources. A fault-tolerant root node
stores the Dfs topology in the Active Directory, which is replicated to other
domain controllers. Thus, redundant root nodes may include multiple connections
to the same data residing in different shared folders.
We're using the DFS fault-tolerant installation, but cannot access it from a
Win98 box. Windows 98 needs the Active Directory Client Extension (DSClient)
to resolve a domain-based (fault-tolerant) root; without it, use the UNC
path of the underlying shared folder directly. Windows 2000 and later
clients resolve domain-based roots natively.
Where exactly do fault-tolerant DFS shares store information in Active
Directory?
In the Partition Knowledge Table (PKT), held in the domain partition and
therefore replicated to the other domain controllers.
Can you use Start->Search with DFS
shares? Yes.
What problems can you have with DFS installed?
Two users opening the redundant copies of a file at the same time, with no
file locking across replicas in DFS, changing the contents and then saving.
Only one version (the last writer's) is propagated through DFS.
I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Right,
you can't: a domain-based root cannot be clustered. Install a standalone
root on the cluster instead.
Is Kerberos encryption symmetric or asymmetric? Symmetric.
How does Windows 2003 Server try to prevent a middle-man attack on an
encrypted line?
A time stamp is attached to the initial client request (pre-authentication)
and encrypted with the shared key; the authenticator sent with a ticket
carries a time stamp too. Anything more than 5 minutes out of step with the
server clock, or already seen inside that window, is rejected, so a captured
exchange cannot be replayed later.
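The two checks behind that answer, clock skew and a replay cache, are shown in the following added example, which is not from the original page and is not Kerberos code. It stands in for the encrypted authenticator with an HMAC under the shared session key (real Kerberos encrypts the whole structure; a keyed MAC is enough to show why tampering, replaying and late replaying each fail). The client name, key and timestamps are constructed.

```python
"""Kerberos-style authenticator check: skew window plus replay cache (added example)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)      # Kerberos and Active Directory default


def make_authenticator(session_key: bytes, client: str, when: datetime) -> dict:
    """Client side: name and clock time, bound under the shared session key.
    (Stand-in for the encrypted authenticator; see lead-in.)"""
    ctime = when.astimezone(timezone.utc).isoformat(timespec="microseconds")
    tag = hmac.new(session_key, f"{client}|{ctime}".encode(), hashlib.sha256).hexdigest()
    return {"client": client, "ctime": ctime, "tag": tag}


class ReplayCache:
    """Service-side memory of (client, ctime) pairs still inside the window."""

    def __init__(self) -> None:
        self._seen: dict = {}

    def seen_before(self, client: str, ctime: str, now: datetime) -> bool:
        # Entries older than the skew window can no longer be replayed
        # successfully, so they are dropped rather than kept forever.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= MAX_SKEW}
        key = (client, ctime)
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


def verify(session_key: bytes, auth: dict, now: datetime, cache: ReplayCache) -> str:
    """Service side. Returns 'ok' or the reason for rejection."""
    expect = hmac.new(session_key, f"{auth['client']}|{auth['ctime']}".encode(),
                      hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, auth["tag"]):
        return "bad integrity (modified or wrong key)"   # cf. KRB_AP_ERR_MODIFIED
    ctime = datetime.fromisoformat(auth["ctime"])
    if abs(now - ctime) > MAX_SKEW:
        return "clock skew too great"                     # cf. KRB_AP_ERR_SKEW
    if cache.seen_before(auth["client"], auth["ctime"], now):
        return "replay"                                   # cf. KRB_AP_ERR_REPEAT
    return "ok"


def demo() -> list:
    """Legitimate request, immediate replay, replay 10 minutes later, tampering."""
    key = b"\x00" * 16                      # constructed session key
    t0 = datetime(2003, 5, 1, 9, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    auth = make_authenticator(key, "guyt@CP.COM", t0)
    results = [
        verify(key, auth, t0 + timedelta(seconds=30), cache),
        verify(key, auth, t0 + timedelta(seconds=31), cache),
        verify(key, auth, t0 + timedelta(minutes=10), cache),
    ]
    forged = dict(auth, ctime=(t0 + timedelta(minutes=10)).isoformat(timespec="microseconds"))
    results.append(verify(key, forged, t0 + timedelta(minutes=10), cache))
    return results
```

The order of the checks matters: integrity first, so an attacker cannot probe the cache with forged timestamps, then skew, then the replay cache, which only has to remember five minutes' worth of authenticators.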
What hashing algorithms are used in Windows 2003 Server?
RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash,
and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
Stored account passwords are a separate matter: the NT hash is an unsalted
MD4 of the UTF-16LE password, and the older LM hash is built with DES.
What third-party certificate exchange
protocols are used by Windows 2003 Server?
Windows
Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7
certificate response to exchange CA certificates with third-party certificate
authorities.
What's the number of permitted unsuccessful logons on the Administrator
account? Unlimited by default: the built-in Administrator account (RID 500)
is exempt from account lockout. Remember, though, that this applies to the
Administrator account itself, not to every account that's a member of the
Administrators group.
If hashing is a one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically
the ones using NTLMv1?
A cracker launches a dictionary attack: hash every imaginable password
candidate with the same algorithm and compare the results with the stored
hashes. Because LM and NT hashes are unsalted, one hashed candidate can be
compared against every account at once, and the whole table can be computed
ahead of time (rainbow tables).
What's the difference between guest accounts in Server 2003 and other
editions?
More restrictive in Windows Server 2003 (the Guest account is disabled by
default).
How many passwords by default are remembered when you enable "Enforce
password history"? The Windows Server 2003 Default Domain Policy remembers
the user's last 24 passwords; the local policy default on a stand-alone
server is 0. The setting accepts 0 to 24.
Describe how the DHCP lease is obtained.
It's a four-step process consisting of (a) DHCPDISCOVER, the client's
broadcast request, (b) DHCPOFFER from the server, (c) DHCPREQUEST, the
client's selection of one offer, and (d) DHCPACK, the acknowledgement that
completes the lease.
I can't seem to access the Internet, don't have any access to the corporate
network and on ipconfig my address is 169.254.*.*. What happened?
An address in 169.254.0.0/16 is self-assigned by Windows 98/2000/XP (and
later) when no DHCP server answers. The technology is called APIPA
(Automatic Private IP Addressing); the machine can only talk to other
APIPA hosts on the same segment.
We’ve
installed a new Windows-based DHCP server, however, the users do not seem to be
getting DHCP leases off of it?
The
server must be authorized first with the Active Directory.
How do you dual-boot a Windows 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent
unwanted editing. To change the Boot.ini timeout and default operating
system, use the System option in Control Panel, Advanced tab, Startup and
Recovery, Settings.
What do you do if earlier application doesn’t run on Windows
Server 2003? When
an application that ran on an earlier legacy version of Windows cannot be
loaded during the setup function or if it later malfunctions, you must run the
compatibility mode function. This is accomplished by right-clicking the
application or setup program and selecting Properties –> Compatibility –>
selecting the previously supported operating system.
What snap-in administrative tools are available for Active
Directory? Active Directory Domains and Trusts
Manager, Active Directory Sites and Services Manager, Active Directory Users
and Group Manager, Active Directory Replication (optional, available from the
Resource Kit), Active Directory Schema Manager (optional, available from
adminpak)
What is presentation layer responsible for in the OSI model? The presentation layer
establishes the data format prior to passing it along to the network
application’s interface. TCP/IP networks perform this task at the application
layer.
Does Windows Server 2003 support IPv6?
Yes, but the protocol is not installed by default. Run ipv6 install from the
command line (or netsh interface ipv6 install) to add it and ipv6 uninstall
to remove it.
Can Windows Server 2003 function as a bridge?
Yes, and Network Bridge is a new feature for the 2003 product: in Network
Connections, select the adapters and choose Bridge Connections to join those
segments at layer 2. Enabling IP routing in Routing and Remote Access
instead makes the server a layer-3 router between the networks.
What's the role of http.sys in IIS? It is the kernel-mode listener and point
of contact for all incoming HTTP requests. It listens for requests and queues
them per application pool until a worker process takes them, the queue is
full, or the Web server is shut down; a crashed worker process therefore
does not drop the queued connections.
Where's the ASP cache located on IIS 6.0? Compiled ASP templates that
overflow the in-memory cache are persisted to disk
(AspDiskTemplateCacheDirectory), which IIS 5 did not do.
What is socket pooling? Sharing one listening socket, bound to all addresses
on a port, among every site on that port instead of one socket per IP
address. It was introduced in IIS 5.0; in IIS 6.0 http.sys does the
listening and the set of addresses is controlled with httpcfg set iplisten.
Which characters should be enclosed in quotes when searching
the index?
&, @, $, #, ^, ( ), and |.
How would you search for C++? Just enter C++, since + is not a special
character (and neither is C).
What about Barnes&Noble? Should be searched for as
Barnes’&’Noble.
Are the searches case-sensitive? No.
What’s the order of precedence of Boolean operators in
Microsoft Windows 2003 Server Indexing Service? NOT, AND, NEAR, OR.
How many group policies can be applied to an OU? There is no limit on GPO
links per OU, but a single user or computer cannot process more than 999
GPOs in total.
How many objects can be created in a directory partition? The database
limit is about 2.15 billion objects (2^31 - 1) over the lifetime of a
domain controller, counted across all partitions the DC holds.
In Active Directory replication, which FSMO roles participate in
replication? None are required: replication is multimaster between all
domain controllers. The infrastructure master's only replication-related
job is updating cross-domain object references.
A case: a Windows Server 2003 DC and a Windows 2000 Server DC. At
replication time all partitions are replicated, but what about the
"Application Partition" on the 2003 DC? It is not replicated to the
Windows 2000 DC: application directory partitions are a Windows Server 2003
feature, and only DCs running Windows Server 2003 or later can hold a
replica.
What is a Global Catalog server?
A global catalog server is a domain controller that holds a master
searchable database containing information about every object in every
domain in a forest. The global catalog contains a complete replica of all
objects in Active Directory for its host domain, and a partial replica
(the most commonly searched attributes) of all objects for every other
domain in the forest. It has two important functions:
● Provides universal group membership information during logon and
authentication
● Helps users locate resources in Active Directory
What is the ntds.dit file's default size?
40 MB
What is a default gateway?
The
exit-point from one network and entry-way into another network, often the
router of the network.
Describe the lease process of the DHCP server. The DHCP server leases IP
addresses to clients as follows:
DORA
D (Discover): the DHCP client broadcasts a DHCPDISCOVER to find DHCP
servers; the packet carries the client's MAC address (chaddr).
O (Offer): each server that receives it replies with a DHCPOFFER containing
a proposed IP address, subnet mask, lease time and its own server
identifier.
R (Request): the client broadcasts a DHCPREQUEST naming the offered address
(option 50) and the chosen server (option 54), so the other servers know
their offers were declined.
A (Acknowledge): the chosen server sends a DHCPACK confirming the address and
options, and the lease begins.
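Both DHCP answers above (the four-step summary and the DORA breakdown) describe the same exchange, so here is one added example, not from the original page, that puts it on the wire: it builds and parses RFC 2131 packets (fixed header, magic cookie, option 53 message type, option 50 requested address, option 54 server identifier) and runs a client through Discover, Offer, Request and Ack against a minimal in-process server. The server address, pool and MAC addresses are constructed; nothing touches a real network.

```python
"""DHCP DORA on the wire: build, parse and exchange the four messages (added example)."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MASK, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE = 1, 3, 50, 51
OPT_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MAGIC = b"\x63\x82\x53\x63"
_HDR = "!BBBBIHH4s4s4s4s16s64s128s"       # RFC 2131 fixed header, 236 bytes


def ip4(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build(op: int, xid: int, mac: bytes, yiaddr: str, options: list) -> bytes:
    """op: BOOTREQUEST from the client, BOOTREPLY from the server."""
    hdr = struct.pack(_HDR, op, 1, 6, 0, xid, 0, 0x8000,      # flags: broadcast reply
                      b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt: bytes) -> dict:
    f = struct.unpack(_HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                    # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "mac": f[11][:6],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "options": opts}


class Server:
    """Minimal lease logic for one subnet; addresses and pool are constructed."""

    def __init__(self, server_ip="192.168.1.1", pool=("192.168.1.10", "192.168.1.11")):
        self.ip, self.free, self.offered, self.leases = server_ip, list(pool), {}, {}

    def handle(self, pkt: bytes):
        msg = parse(pkt)
        kind = msg["options"][OPT_TYPE][0]
        common = [(OPT_SERVER_ID, ip4(self.ip)), (OPT_MASK, ip4("255.255.255.0")),
                  (OPT_ROUTER, ip4(self.ip)), (OPT_LEASE, struct.pack("!I", 86400))]
        if kind == DISCOVER and self.free:
            ip = self.free.pop(0)
            self.offered[msg["mac"]] = ip
            return build(BOOTREPLY, msg["xid"], msg["mac"], ip,
                         [(OPT_TYPE, bytes([OFFER]))] + common)
        if kind == REQUEST:
            # The REQUEST is broadcast; option 54 names the chosen server so
            # servers that were not picked can reclaim their offered address.
            if msg["options"].get(OPT_SERVER_ID) != ip4(self.ip):
                return None
            want = str(ipaddress.IPv4Address(msg["options"][OPT_REQ_IP]))
            if self.offered.get(msg["mac"]) == want:
                self.leases[msg["mac"]] = self.offered.pop(msg["mac"])
                return build(BOOTREPLY, msg["xid"], msg["mac"], want,
                             [(OPT_TYPE, bytes([ACK]))] + common)
            return build(BOOTREPLY, msg["xid"], msg["mac"], "0.0.0.0",
                         [(OPT_TYPE, bytes([NAK]))])
        return None


def run_dora(server: Server, mac: bytes, xid: int) -> str:
    """Client side of Discover / Offer / Request / Ack; returns the leased IP or ''."""
    offer = server.handle(build(BOOTREQUEST, xid, mac, "0.0.0.0",
                                [(OPT_TYPE, bytes([DISCOVER]))]))
    if offer is None:                       # no server answered: this is where APIPA kicks in
        return ""
    o = parse(offer)
    ack = server.handle(build(BOOTREQUEST, xid, mac, "0.0.0.0", [
        (OPT_TYPE, bytes([REQUEST])),
        (OPT_REQ_IP, ip4(o["yiaddr"])),                # option 50: the offered address
        (OPT_SERVER_ID, o["options"][OPT_SERVER_ID]),  # option 54: the server we picked
    ]))
    if ack is None:
        return ""
    a = parse(ack)
    return a["yiaddr"] if a["options"][OPT_TYPE][0] == ACK else ""
```

A third client against the two-address pool gets no Offer at all, which is the 169.254.x.x situation from the earlier question: the client falls back to APIPA because the Discover went unanswered, not because the server refused it.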
What is IPv6? Internet Protocol version 6 (IPv6) is a network layer IP
standard used by electronic devices to exchange data across a
packet-switched internetwork. It follows IPv4 as the second version of the
Internet Protocol to be formally adopted for general use. An IPv6 address is
128 bits, written as 8 groups of 16 bits in hexadecimal, separated by ":".
There are three types of address:
1. unicast address
2. multicast address
3. anycast address
The IPv6 loopback address is ::1.
If you uninstall Windows Server 2003,
which operating systems can you revert to?
Win
ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and
98 to Windows Server 2003.
How do you get to Internet Firewall
settings?
Start
–> Control Panel –> Network and Internet Connections –> Network
Connections.
What are the Windows Server 2003 keyboard
shortcuts?
Winkey
opens or closes the Start menu. Winkey + BREAK displays the System Properties
dialog box. Winkey + TAB moves the focus to the next application in the
taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in
the taskbar. Winkey + B moves the focus to the notification area. Winkey + D
shows the desktop. Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel
with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M
minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run
dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.
Where are the Windows NT Primary Domain
Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The
Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active
Directory.
How long does it take for security changes
to be replicated among the domain controllers?
Security-related
modifications are replicated within a site immediately. These changes include
account and individual user lockout policies, changes to password policies,
changes to computer account passwords, and modifications to the Local Security
Authority (LSA).
What’s new in Windows Server 2003
regarding the DNS management?
When
DC promotion occurs with an existing forest, the Active Directory Installation
Wizard contacts an existing DC to update the directory and replicate from the
DC the required portions of the directory. If the wizard fails to locate a DC,
it performs debugging and reports what caused the failure and how to fix the
problem. In order to be located on a network, every DC must register in DNS DC
locator DNS records. The Active Directory Installation Wizard verifies a proper
configuration of the DNS infrastructure. All DNS configuration debugging and
reporting activity is done with the Active Directory Installation Wizard.
When should you create a forest?
How can you authenticate between forests?
Four
types of authentication are used across forests: (1) Kerberos and NTLM network
logon for remote access to a server in another forest; (2) Kerberos and NTLM
interactive logon for physical logon outside the user’s home forest; (3)
Kerberos delegation to N-tier application in another forest; and (4) user
principal name (UPN) credentials.
What types of classes exist in Windows
Server 2003 Active Directory? Structural class. The structural class is important to the system
administrator in that it is the only type from which new Active Directory
objects are created. Structural classes are developed from either the modification
of an existing structural type or the use of one or more abstract classes.
Abstract class. Abstract classes are so named because
they take the form of templates that actually create other templates
(abstracts) and structural and auxiliary classes. Think of abstract classes as
frameworks for the defining objects.
Auxiliary class. The auxiliary class is a list of
attributes. Rather than apply numerous attributes when creating a structural
class, it provides a streamlined alternative by applying a combination of
attributes with a single include action.
88 class. The 88 class includes object classes defined prior to 1993,
when the 1988 X.500 specification was adopted. This type does not use the
structural, abstract, and auxiliary definitions, nor is it in common use for
the development of objects in Windows Server 2003 environments.
How do you delete a lingering object?
Windows Server 2003 provides a command, repadmin /removelingeringobjects,
that deletes lingering objects from the Active Directory.
What is the Global Catalog?
The Global Catalog supplies universal group membership during network user
logons and fields inquiries about objects across a forest or tree. Every
forest has at least one GC, hosted on a domain controller (the first DC in
the forest). In Windows 2000 there was typically one GC in every site in
order to prevent user logon failures across the network.
How is user account security established in Windows Server 2003?
When an account is created, it is given a unique identifier known as a
security identifier (SID). Every group to which the user belongs has an
associated SID. The user's SID and the related group SIDs together form the
user account's security token, which determines access levels to objects
throughout the system and network. The SIDs in the security token are
compared against the access control list (ACL) of any object the user
attempts to access.
If I delete a user and then create a new
account with the same username and password, would the SID and permissions stay
the same?
No.
If you delete a user account and attempt to recreate it with the same user name
and password, the SID will be different.
What do you do with secure sign-ons in an
organization with many roaming users?
Credential
Management feature of Windows Server 2003 provides a consistent single sign-on
experience for users. This can be useful for roaming users who move between
computer systems. The Credential Management feature provides a secure store of
user credentials that includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Store password using reversible encryption" must be selected on the
Account tab of the user's properties if the Mac uses Apple's standard
clear-text authentication. This keeps a recoverable copy of the password in
Active Directory, so prefer installing the Microsoft User Authentication
Module on the Mac, which does not need it.
What remote access options does Windows
Server 2003 support?
Dial-in,
VPN, dial-in with callback.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts?
JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
What are the differences between a site-to-site VPN and a VPN client connecting to a VPN server? What protocols are used for these?
EXPERT RESPONSE
Remote access VPNs connect individual hosts to private networks -- for example, travelers and teleworkers who need to access their company's network securely over the Internet. In a remote access VPN, every host must have VPN client software (more on this in a minute). Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by the Internet and most corporate networks today. Most routers and firewalls now support IPsec and so can be used as a VPN gateway for the private network behind them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol (PPTP) has been included in every Windows operating system since Windows 95. The Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver remote access VPN services. All of these approaches require VPN client software on every host, and a VPN gateway that supports the same protocol and options/extensions for remote access.
Over the past few years, many vendors have released secure remote access products that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These "SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they use web browsers as VPN clients, usually in combination with dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32 program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to connect users to specific applications protected by the SSL VPN gateway.
To learn more about VPN protocols and topologies, watch my New directions in VPN SearchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.
Local, Site, Domain, OU
1. Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
If the workstation uses a public IP address, it can browse the Internet. If it has an intranet (private) address, a gateway such as a router or firewall is needed to communicate with the Internet.
2. What is CIDR?
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly increased. CIDR is now the routing system used by virtually all gateway hosts on the Internet’s backbone network. The Internet’s regulating authorities now expect every Internet service provider (ISP) to use it for routing.
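To make the prefix-length notation concrete, here is an added PowerShell example (not code from the original page) that takes an address in CIDR form and derives the subnet mask, network and broadcast addresses and usable host count. It goes a little beyond the question by also classifying the address as public, RFC 1918 private, loopback or APIPA (169.254.0.0/16), which is the range that shows up in ipconfig when a client could not reach a DHCP server. The sample addresses at the end are constructed.

```powershell
# Added example (PowerShell), not code from the original page. Computes the
# subnet mask, network and broadcast addresses and usable host count for an
# address in CIDR notation, and classifies the address (public, RFC 1918
# private, loopback, or APIPA 169.254.0.0/16). Sample inputs are constructed.

function Get-IPv4NetworkInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Cidr)

    if ($Cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
        throw "Expected dotted-quad/prefix, for example 10.1.2.3/20: '$Cidr'"
    }
    $addrText = $Matches[1]
    $prefix   = [int]$Matches[2]
    if ($prefix -gt 32) { throw "Prefix length must be 0-32: $prefix" }

    # IPAddress.Parse validates each octet (0-255); GetAddressBytes is network byte order
    $addr = [System.Net.IPAddress]::Parse($addrText).GetAddressBytes()

    # Build the mask one octet at a time: octet i covers prefix bits 8*i .. 8*i+7
    $mask = foreach ($i in 0..3) {
        $bits = [math]::Min(8, [math]::Max(0, $prefix - 8 * $i))
        [byte]((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    $network   = foreach ($i in 0..3) { [byte]($addr[$i] -band $mask[$i]) }
    $broadcast = foreach ($i in 0..3) { [byte]($addr[$i] -bor ($mask[$i] -bxor 0xFF)) }

    $total  = [long][math]::Pow(2, 32 - $prefix)
    $usable = [math]::Max(0, $total - 2)   # classic rule: network and broadcast are not assignable

    $o = $addr
    $scope = if ($o[0] -eq 169 -and $o[1] -eq 254) { 'APIPA (169.254.0.0/16): no DHCP lease was obtained' }
             elseif ($o[0] -eq 127)                { 'Loopback' }
             elseif ($o[0] -eq 10)                 { 'Private (RFC 1918 10.0.0.0/8)' }
             elseif ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { 'Private (RFC 1918 172.16.0.0/12)' }
             elseif ($o[0] -eq 192 -and $o[1] -eq 168) { 'Private (RFC 1918 192.168.0.0/16)' }
             else                                  { 'Public' }

    [pscustomobject]@{
        Address      = $addrText
        PrefixLength = $prefix
        SubnetMask   = $mask -join '.'
        Network      = $network -join '.'
        Broadcast    = $broadcast -join '.'
        UsableHosts  = $usable
        Scope        = $scope
    }
}

# Constructed sample inputs
Get-IPv4NetworkInfo -Cidr 10.1.2.3/20      # mask 255.255.240.0, network 10.1.0.0, broadcast 10.1.15.255, 4094 hosts
Get-IPv4NetworkInfo -Cidr 169.254.37.9/16  # APIPA: the client never received a lease
Get-IPv4NetworkInfo -Cidr 203.0.113.77/29  # public address, network 203.0.113.72, 6 usable hosts
```

A /20 such as the first example is exactly the supernetting CIDR was introduced for: one route and one prefix cover what the classful scheme would have treated as sixteen separate class C networks.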
3. What is DHCP? What are the benefits and drawbacks of using it?
DHCP is Dynamic Host Configuration Protocol. In a networked environment it is a method to assign an ‘address’ to a computer when it boots up.
Advantages
All the IP configuration information gets automatically configured for your client machine by the DHCP server.
If you move your client machine to a different subnet, the client will send out its discover message at boot time and work as usual. However, when you first boot up there you will not be able to get back the IP address you had at your previous location regardless of how little time has passed.
Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
4. How do you manually create SRV records in DNS?
To create SRV records in DNS, do the following steps:
Open DNS.
Click on the zone and select the domain (for example, ABC.local).
Right-click the domain and go to Other New Records.
Choose Service Location (SRV).
5. Name 3 benefits of using AD-integrated zones.
Benefits are as follows:
a. You can give easy name resolution to your clients.
b. By creating an AD-integrated zone you can also trace hackers and spammers by creating a reverse lookup zone.
c. AD-integrated zones allow incremental zone transfers, which transfer only the changes and not the entire zone. This reduces zone transfer traffic.
d. AD-integrated zones support both secure and dynamic updates.
e. AD-integrated zones are stored as part of Active Directory and support domain-wide or forest-wide replication through application partitions in AD.
6. How do I clear the DNS cache on the DNS server?
Go to cmd prompt and type “ipconfig/flushdns” without quotes
7. What is NAT?
NAT (Network Address Translation) is a technique for preserving scarce Internet IP addresses. For more details go to Microsoft link
8. How do you configure NAT on Windows 2003?
For above answer go to below link
Configure NAT
9. How to configure special ports to allow inbound
connections?
a. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access management console.
b. Locate the interface that you want to configure.
c. Right-click the interface and then select Properties from the shortcut menu.
d. Click the Special Ports tab.
e. Under Protocol, select TCP or UDP and then click the Add button.
f. Enter the port number of the incoming traffic in Incoming Port.
g. Select On This Address Pool Entry, and provide the public IP address of the incoming traffic.
h. Enter the port number of the private network resource in Outgoing Port.
i. Enter the private network resource’s private IP address in Private Address.
j. Click OK.
How to transfer roles in Active Directory?
Using Ntdsutil.exe we can transfer roles in Active Directory. To know more regarding role transfer, click this link.
How to backup Active Directory and which main file you take in backing of Active Directory?
We can take a backup with the Ntbackup utility.
Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.
Components that comprise the system state on a domain controller include:
System start-up files (boot files). These are the files required for Windows 2000 Server to start.
System registry.
Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
Windows 2000 GPOs.
What are application partitions? When do we use them?
An Application Directory Partition is a partition space in Active Directory which an application can use to store that application's specific data. This partition is then replicated only to some specific domain controllers.
The application directory partition can contain any type of data except security principals (users, computers, groups).
How do we Backup Active Directory?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides. You frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup that enables an authoritative restore of the data when necessary.
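The tombstone-lifetime rule above is the check worth automating before any restore. The PowerShell below is an added example, not code from the original page: it reads the forest's tombstoneLifetime attribute (which lives on the Directory Service object in the configuration partition, and is absent on forests that still use the 60-day default) and compares a backup's age against it. Get-ADObject and Get-ADRootDSE assume the ActiveDirectory module on a domain-joined host; the dates in the final two calls are constructed so that part runs anywhere.

```powershell
# Added example (PowerShell), not code from the original page. Reads the
# forest's tombstone lifetime and checks whether a system state backup is still
# young enough to restore from. Get-ADObject needs the ActiveDirectory module on
# a domain-joined machine; the backup dates used at the end are constructed.

function Get-TombstoneLifetimeDays {
    param([string]$ConfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext)
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigurationNamingContext"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    # The attribute is not set on forests still using the original default of 60 days
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-SystemStateBackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupTime,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = ($Now - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupTime            = $BackupTime
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime can reintroduce objects that
        # every other DC has already purged (lingering objects), so refuse it
        Usable                = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# On a domain controller: compare the newest backup against the live value
# Test-SystemStateBackupAge -BackupTime $newestBackupTime -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)

# Constructed dates: a 45-day-old backup passes, a 70-day-old one does not
$now = Get-Date '2024-03-01'
Test-SystemStateBackupAge -BackupTime $now.AddDays(-45) -TombstoneLifetimeDays 60 -Now $now   # Usable: True
Test-SystemStateBackupAge -BackupTime $now.AddDays(-70) -TombstoneLifetimeDays 60 -Now $now   # Usable: False
```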
How do we restore AD?
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.
Reboot the computer. The computer will boot into a special safe mode and won’t start the DS. Be aware that during this time the machine won’t act as a DC and won’t perform functions such as authentication.
1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; I’ve experienced a 30-minute wait on some machines.
DHCP
What is DHCP’s purpose?
DHCP’s purpose is to enable individual computers on an IP network to extract their configurations from a server (the ‘DHCP server’) or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.
What protocol and port does DHCP use?
DHCP, like BOOTP, runs over UDP, utilizing ports 67 and 68.
Where is the file of Active Directory data file stored?
The Active Directory data store is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts.
What is DHCP and at which port DHCP work?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network. DHCP assigns an IP address when a system is started.
DHCP
client uses port 67 and the DHCP server uses port 68.
What is DORA process in DHCP and How it works?
DHCP (D)iscover
DHCP (O)ffer
DHCP (R)equest
DHCP (A)cknowledge
1) The client makes a UDP broadcast to the server with the DHCP discover.
2) The DHCP server offers an address to the client.
3) In response to the offer, the client requests the address from the server.
4) The server responds with all the IP address, subnet mask, gateway, DNS and WINS information along with the acknowledgement packet.
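Each of the four DORA messages carries its meaning, and the values listed in step 4, as DHCP options. The PowerShell below is an added example, not code from the original page: it decodes the option field of a DHCP message in the RFC 2132 code/length/value format, so the message type (option 53), the server identifier (54), lease time (51), subnet mask (1), gateway (3), DNS (6) and WINS (44) servers can be read off an OFFER or ACK, and it adds a defender's check that the offering server is one of the servers you run. The packet bytes and server addresses are constructed sample data, not a capture.

```powershell
# Added example (PowerShell), not code from the original page. Decodes the
# option field of a DHCP message (RFC 2132 format) so each step of the DORA
# exchange can be inspected, and flags an OFFER that did not come from a server
# on an allow-list. The packet bytes are constructed sample data, not a capture.

$DhcpMessageTypes = @{ 1 = 'DISCOVER'; 2 = 'OFFER'; 3 = 'REQUEST'; 4 = 'DECLINE'; 5 = 'ACK'; 6 = 'NAK'; 7 = 'RELEASE'; 8 = 'INFORM' }

function ConvertTo-AddressList {
    # Splits a run of 4-byte values into dotted-quad strings
    param([byte[]]$Value)
    for ($j = 0; $j + 3 -lt $Value.Length; $j += 4) { $Value[$j..($j + 3)] -join '.' }
}

function ConvertFrom-DhcpOptions {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Options begin with the magic cookie 99.130.83.99, then code/length/value triples
    if ($Bytes.Length -lt 4 -or (($Bytes[0..3] -join '.') -ne '99.130.83.99')) {
        throw 'Missing DHCP magic cookie'
    }
    $result = [ordered]@{}
    $i = 4
    while ($i -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        if ($code -eq 255) { break }            # End option
        if ($code -eq 0)   { $i++; continue }   # Pad option has no length byte
        if ($i + 1 -ge $Bytes.Length) { throw "Truncated option $code at offset $i" }
        $len = [int]$Bytes[$i + 1]
        if ($i + 2 + $len -gt $Bytes.Length) { throw "Option $code declares $len bytes beyond the end of the message" }
        $value = if ($len -gt 0) { @($Bytes[($i + 2)..($i + 1 + $len)]) } else { @() }

        switch ($code) {
            53 { $result['MessageType']      = $DhcpMessageTypes[[int]$value[0]] }
            1  { $result['SubnetMask']       = $value -join '.' }
            3  { $result['Router']           = $value -join '.' }
            6  { $result['DnsServers']       = @(ConvertTo-AddressList $value) }
            44 { $result['WinsServers']      = @(ConvertTo-AddressList $value) }
            50 { $result['RequestedAddress'] = $value -join '.' }
            54 { $result['ServerIdentifier'] = $value -join '.' }
            51 { $result['LeaseSeconds']     = ([long]$value[0] -shl 24) -bor ([long]$value[1] -shl 16) -bor ([long]$value[2] -shl 8) -bor [long]$value[3] }
            default { $result["Option$code"] = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        $i += 2 + $len
    }
    [pscustomobject]$result
}

function Test-OfferFromAuthorizedServer {
    # Defender check: an OFFER whose server identifier is not one of ours points at a rogue DHCP server
    param([Parameter(Mandatory)]$Offer, [Parameter(Mandatory)][string[]]$AuthorizedServers)
    $Offer.MessageType -eq 'OFFER' -and ($AuthorizedServers -contains $Offer.ServerIdentifier)
}

# Constructed OFFER (step 2 of DORA) carrying the values the ACK in step 4 will confirm
$sampleOffer = [byte[]](
    99, 130, 83, 99,                        # magic cookie
    53, 1, 2,                               # option 53: message type = OFFER
    54, 4, 192, 168, 1, 1,                  # option 54: server identifier 192.168.1.1
    51, 4, 0, 1, 81, 128,                   # option 51: lease time 0x00015180 = 86400 s
    1, 4, 255, 255, 255, 0,                 # option 1: subnet mask 255.255.255.0
    3, 4, 192, 168, 1, 1,                   # option 3: default gateway
    6, 8, 192, 168, 1, 10, 192, 168, 1, 11, # option 6: two DNS servers
    44, 4, 192, 168, 1, 12,                 # option 44: WINS server
    255                                     # end
)
$offer = ConvertFrom-DhcpOptions -Bytes $sampleOffer
$offer                                                                            # MessageType OFFER, LeaseSeconds 86400, ...
Test-OfferFromAuthorizedServer -Offer $offer -AuthorizedServers '192.168.1.1'     # True
Test-OfferFromAuthorizedServer -Offer $offer -AuthorizedServers '192.168.1.2'     # False: unexpected server
```

A client that receives several OFFERs takes the first one it likes, so a rogue server on the segment can hand out its own gateway and DNS addresses; comparing option 54 against the list of authorized servers is the quickest way to spot that from a capture.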
What is Super Scope in DHCP?
A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in the superscope. Scopes added to a superscope are called member scopes. Superscopes can resolve DHCP service issues in several different ways; these issues include situations in which:
Support is needed for DHCP clients on a single physical network segment, such as a single Ethernet LAN segment, where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, these configurations are also known as multinets.
The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
Clients need to be migrated to a new scope.
Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network.
A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on the physical subnet.
Describe how the DHCP lease is obtained.
It’s a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
I can’t seem to access the Internet, don’t have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened?
The 169.254.*.* address range is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).
We’ve installed a new Windows-based DHCP server, however, the
users do not seem to be getting DHCP leases off of it.
The server must be authorized first with the Active Directory.
How can you force the client to give up the DHCP lease if you have access to the client PC?
ipconfig /release
What authentication options do Windows 2000 Servers have for remote clients?
PAP, SPAP, CHAP, MS-CHAP and EAP.
What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP?
NWLink (Novell), NetBEUI, AppleTalk (Apple).
DNS Interview Questions and Answer
1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR records.
2. What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
3. SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
It performs a recursive search through the primary DNS server based on the network interface configuration.
5. What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
6. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
7. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
8. At some point during the name resolution process, the requesting party receives an authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
9. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.
10. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
What’s the difference between forward lookup zone and reverse lookup zone in DNS?
Forward lookup is name-to-IP address; the reverse lookup is IP address-to-name.
What is Stub Zone in DNS Server?
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
What are the types of records in DNS?
What is binding order?
The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.
How do cryptography-based keys ensure the validity of data transferred across the network?
Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting ends, the data was modified or corrupted.
Should we deploy IPSEC-based security or certificate-based security?
They are really two different technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets. Certificate-based security ensures the validity of authenticated clients and servers.
What is LMHOSTS file?
It’s a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.
How can you recover a file encrypted using EFS?
Use the domain recovery agent.
What are the Logical / Physical Structures of the AD Environment?
Physical structure: Forest, Site, Domain, DC
Logical structure: Schema partition, configuration partition, domain partition and application partition
How to change the Windows XP product key if wrongly installed with another product key but you have the original product key? What will you do to make your OS genuine?
Some third-party software is available for this function, or reinstall the system.
If 512MB RAM is there, what will be the minimum and maximum virtual memory for the system?
To work out the total virtual memory (page file) required for Windows XP, you should take the amount of RAM in the system and add 25% (512MB + 25% (128MB) = 640MB total virtual memory). By setting both the min and max to 640MB you can increase the performance of the operating system.
What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user’s work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
What domain services are necessary for you to deploy the Windows Deployment Services on your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.
What is the difference between a basic and dynamic drive in the Windows Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
Commonly Used DNS Records?
A records (host address)
CNAME records (canonical name for an alias)
MX records (mail exchange)
NS records (authoritative name server)
PTR records (domain name pointer)
SOA records (start of authority)
Like the installation, managing Windows Server 2008 DHCP Server is also easy. Back in my Windows Server 2008 Server Manager, under Roles, I clicked on the new DHCP Server entry.
Figure 8: DHCP Server management in Server Manager
While I cannot manage the DHCP Server scopes and clients from here, what I can do is to manage what events, services, and resources are related to the DHCP Server installation. Thus, this is a good place to go to check the status of the DHCP Server and what events have happened around it.
However, to really configure the DHCP Server and see what clients have obtained IP addresses, I need to go to the DHCP Server MMC. To do this, I went to Start -> Administrative Tools -> DHCP Server, like this:
Figure 9: Starting the DHCP Server MMC
When expanded out, the MMC offers a lot of features. Here is what it looks like:
Figure 10: The Windows Server 2008 DHCP Server MMC
The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all scopes, pools, leases, reservations, scope options, and server options.
If I go into the address pool and the scope options, I can see that the configuration we made when we installed the DHCP Server did, indeed, work. The scope IP address range is there, and so is the DNS Server & default gateway.
Figure 11: DHCP Server Address Pool
Figure 12: DHCP Server Scope Options
So how do we know that this really works if we do not test it? The answer is that we do not. Now, let’s test to make sure it works.
How do we test our Windows Server 2008 DHCP Server?
To test this, I have a Windows Vista PC client on the same network segment as the Windows Server 2008 DHCP server. To be safe, I have no other devices on this network segment.
I did an IPCONFIG /RELEASE then an IPCONFIG /RENEW and verified that I received an IP address from the new DHCP server, as you can see below:
Figure 13: Vista client received IP address from new DHCP Server
Also, I went to my Windows 2008 Server and verified that the new Vista client was listed as a client on the DHCP server. This did indeed check out, as you can see below:
Figure 14: Win 2008 DHCP Server has the Vista client listed under Address Leases
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.
One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The
What is group policy in active directory?
What is Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.
What is the order in which GPOs are applied?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
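The PowerShell below is an added example, not code from the original page, that works through the processing order just described for a constructed chain of containers: within each container links are applied from the highest link order down to 1 (so link order 1 is processed last and wins), later containers overwrite earlier ones, and non-conflicting settings simply accumulate. It goes beyond the list above by also modelling Block Inheritance on an OU and Enforced (No Override) links, which the page discusses further on. GPO names, link orders and settings are constructed sample data.

```powershell
# Added example (PowerShell), not code from the original page. Resolves the
# effective Group Policy settings for one user or computer from an ordered chain
# of containers (Local, Site, Domain, OU, child OU ...). GPO names, settings and
# link orders below are constructed.

function Get-EffectiveGpoSettings {
    param([Parameter(Mandatory)][object[]]$ScopeChain)   # index 0 must be the local GPO container

    $effective = [ordered]@{}   # setting -> value
    $winner    = [ordered]@{}   # setting -> "GPO @ container" that supplied it

    function Add-ScopeLinks {
        param($Scope, [bool]$EnforcedOnly)
        $links = @($Scope.Links) | Where-Object { [bool]$_.Enforced -eq $EnforcedOnly } |
                 Sort-Object -Property LinkOrder -Descending       # lowest link order applied last
        foreach ($link in $links) {
            foreach ($kv in $link.Settings.GetEnumerator()) {
                $effective[$kv.Key] = $kv.Value                   # later write overwrites earlier
                $winner[$kv.Key]    = "$($link.Name) @ $($Scope.Name)"
            }
        }
    }

    # Pass 1: ordinary links, root of the chain first, the object's own container last.
    # Block Inheritance on a container drops ordinary links from every container above it;
    # the local GPO (index 0) is always processed.
    $blockIndex = -1
    for ($i = 0; $i -lt $ScopeChain.Count; $i++) {
        if ($ScopeChain[$i].BlockInheritance) { $blockIndex = $i }
    }
    for ($i = 0; $i -lt $ScopeChain.Count; $i++) {
        if ($i -gt 0 -and $i -lt $blockIndex) { continue }
        Add-ScopeLinks -Scope $ScopeChain[$i] -EnforcedOnly $false
    }

    # Pass 2: Enforced links override pass 1 and are not blocked; an enforced link higher in
    # the hierarchy beats an enforced link below it, so walk from the leaf back to the root.
    for ($i = $ScopeChain.Count - 1; $i -ge 0; $i--) {
        Add-ScopeLinks -Scope $ScopeChain[$i] -EnforcedOnly $true
    }

    foreach ($key in $effective.Keys) {
        [pscustomobject]@{ Setting = $key; Value = $effective[$key]; WinningGpo = $winner[$key] }
    }
}

# Constructed chain: Local -> Site -> Domain -> OU, with one enforced domain link
# and Block Inheritance on the OU
$chain = @(
    [pscustomobject]@{ Name = 'Local'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Name = 'Local GPO'; LinkOrder = 1; Enforced = $false
                           Settings = @{ Wallpaper = 'default.jpg'; ScreenSaverTimeout = 900 } }) }
    [pscustomobject]@{ Name = 'Site: HQ'; BlockInheritance = $false; Links = @() }
    [pscustomobject]@{ Name = 'Domain: corp.example'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Name = 'Default Domain Policy'; LinkOrder = 2; Enforced = $false
                           Settings = @{ MinPasswordLength = 8; ScreenSaverTimeout = 1200 } }
        [pscustomobject]@{ Name = 'Security Baseline'; LinkOrder = 1; Enforced = $true
                           Settings = @{ MinPasswordLength = 14; ScreenSaverTimeout = 600 } }) }
    [pscustomobject]@{ Name = 'OU: Sales'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Name = 'Sales Desktop'; LinkOrder = 1; Enforced = $false
                           Settings = @{ Wallpaper = 'sales.jpg'; ScreenSaverTimeout = 1800 } }) }
)

Get-EffectiveGpoSettings -ScopeChain $chain | Format-Table -AutoSize
# Wallpaper          sales.jpg  Sales Desktop @ OU: Sales
# ScreenSaverTimeout 600        Security Baseline @ Domain: corp.example   (enforced beats the blocked OU)
# MinPasswordLength  14         Security Baseline @ Domain: corp.example
```

Without the Enforced flag on Security Baseline, the blocked OU would keep its 1800-second screen saver timeout and MinPasswordLength would not be applied at all, which is why security baselines are normally linked as Enforced. On a real client, gpresult /r shows the same winning-GPO view as computed by Windows.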
How to backup/restore Group Policy objects?
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more. The Group Policy Objects container stores all of the group policy objects for the domain.
Now, right-click on the Group Policy Objects container, and choose the Back up All command from the shortcut menu. When you do, Windows will open the Back up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.
You must provide the path to which you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you're all done.
When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore from Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore. Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, Printers etc.) on the computers in one department. How would you do that?
Go to Start->Programs->Administrative Tools->Active Directory Users and Computers.
Right-click on the domain and click on Properties.
In the new window, click on Group Policy.
Select Default Policy and click on Edit.
In the Group Policy console, go to User Configuration->Administrative Templates->Start Menu and Taskbar.
Select each property you want to modify and do the same.
What is the difference between software publishing and assigning?
Assign to users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.
Assign to computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users: The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
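As an added illustration, not part of the original page, here is a minimal custom ADM file in the syntax just described. The category, policy, registry key and value name are placeholders invented for the example:

```text
; Constructed example ADM file (not from the original page).
; The registry path and value name below are placeholders for illustration.
CLASS USER

CATEGORY !!ExampleCategory
    POLICY !!ExamplePolicy
        ; Relative to HKEY_CURRENT_USER because of CLASS USER above
        KEYNAME "Software\Policies\ExampleCorp\Shell"
        EXPLAIN !!ExamplePolicy_Help
        VALUENAME "HideExampleFeature"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
ExampleCategory="ExampleCorp Settings"
ExamplePolicy="Hide the example feature"
ExamplePolicy_Help="Enabled writes HideExampleFeature=1 under the policy key; Disabled writes 0; Not Configured leaves the value untouched."
```

Because the KEYNAME sits under Software\Policies, GPEdit treats the setting as a true policy and the value is removed when the GPO stops applying. A KEYNAME outside the policy hives (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies, under HKLM or HKCU) is shown as a preference and the value stays in the registry after the policy is removed.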
Can I deploy non-MSI software with GPO?
Yes. Create a file with the .zap extension that describes the application, and deploy it through the GPO.
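A worked example, added here and not from the original page: a .zap file for a setup program that is not an MSI package. The share path, product name and file extension are placeholders.

```ini
; Constructed example .zap file (not from the original page).
; Server, share and product names are placeholders.
[Application]
; FriendlyName and SetupCommand are the two required entries.
FriendlyName = "Example Viewer 2.0"
SetupCommand = "\\fileserver\software\exampleviewer\setup.exe" /quiet
DisplayVersion = 2.0
Publisher = Example Corp

[ext]
; Optional: file extensions that trigger installation when a user opens such a file.
XVW=
```

A ZAP package can only be published to users, never assigned and never targeted at computers. The install runs in the user's own security context, so the user needs rights to install the software and read access to the share; there is no Windows Installer rollback or self-repair, which is why MSI packages are preferred where available.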
Name some GPO settings in the computer and user parts?
A Group Policy Object (GPO) has two parts: Computer Configuration (the computer part) and User Configuration (the user part).
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Make sure the user is not subject to a loopback policy: under loopback processing the user's own user settings are not applied and only the computer's policy takes effect.
Check whether he is a member of the GPO's security filtering group or not.
You may also want to check the computer's event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
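The three checks above, as an added PowerShell example that is not from the original page. It uses the GroupPolicy module from GPMC/RSAT; the GPO name, user, computer and domain are placeholders:

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# with RSAT installed; all names below are placeholders.
Import-Module GroupPolicy
$GpoName  = 'Example Desktop Policy'   # placeholder GPO name
$UserName = 'EXAMPLE\jdoe'             # placeholder user
$Computer = 'WS-EXAMPLE-01'            # placeholder client

# 1. Resultant Set of Policy for this user/computer pair: does the GPO show up
#    as applied, denied (security filtering) or not linked at all?
Get-GPResultantSetOfPolicy -User $UserName -Computer $Computer `
    -ReportType Html -Path "$env:TEMP\rsop-report.html"
# Equivalent on the client itself:  gpresult /r /user jdoe

# 2. Loopback: if a GPO applying to the computer sets UserPolicyMode, the user
#    settings come from the computer's GPOs, not from the user's own OU.
$loopback = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
if ($loopback) {
    "Loopback is set in '$GpoName': UserPolicyMode=$($loopback.Value) (1 = Merge, 2 = Replace)"
}

# 3. Security filtering: only trustees with GpoApply receive the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Event ID 1085 in the client's System log (a Group Policy client-side
#    extension failed to apply its settings).
Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'System'; Id = 1085 } -MaxEvents 5 |
    Select-Object TimeCreated, ProviderName, Message
```

If the RSoP report lists the GPO under "Denied GPOs" with the reason "Security", the security filtering check in step 3 is where the answer lies; if it is missing altogether, look at the link, inheritance blocking and WMI filters on the OU chain instead.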
How can I override blocking of inheritance?
You can set No Override on a specific Group Policy object link so that Group Policy objects linked at a lower level of Active Directory (closer to the recipient user or computer account) cannot override that policy. If you do this, Group Policy objects linked at the same level, but not set to No Override, are also prevented from overriding. If you have several links set to No Override at the same level of Active Directory, then you need to prioritize them. Links higher in the list have priority on all configured (that is, Enabled or Disabled) settings.
If you have linked a specific Group Policy object to a domain, and set the Group Policy object link to No Override, then the configured Group Policy settings that the Group Policy object contains apply to all organizational units under that domain. Group Policy objects linked to organizational units cannot override that domain-linked Group Policy object.
You can also block inheritance of Group Policy from above in Active Directory. This is done by checking Block Policy inheritance on the Group Policy tab of the Properties sheet of the domain or organizational unit. This option does not exist for a site.
Some important facts about No Override and Block Policy are listed below:
# No Override is set on a link, not on a site, domain, organizational unit, or Group Policy object.
# Block Policy Inheritance is set on a domain or organizational unit, and therefore applies to all Group Policy objects linked at that level or higher in Active Directory which can be overridden.
# No Override takes precedence over Block Policy Inheritance if the two are in conflict.
What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance.
For example, if you want to apply a single set of
policies to an entire domain except for one organizational unit, you can link
the required GPOs at the domain level (from which all organizational units
inherit policies by default), and then block inheritance only on the
organizational unit to which the policies should not be applied.
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
# Easy administration of all GPOs across the entire Active Directory forest
# View of all GPOs in one single list
# Reporting of GPO settings, security, filters, delegation, etc.
# Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
# Delegation model
# Backup and restore of GPOs
# Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs with respect to the following:
# Role-based delegation of GPO management
# Being edited in production, potentially causing damage to desktops and servers
# Forgetting to back up a GPO after it has been modified
# Change management of each modification to every GPO
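As an added example (not the page's own material) covering both the No Override / Block Inheritance discussion above and the GPMC backup and reporting benefits, here are the same operations in the GroupPolicy PowerShell module that ships with GPMC. The domain, OU, GPO name and backup path are placeholders, and the GPO is assumed to be already linked at the domain level:

```powershell
# Added example (not from the original page). Uses the GroupPolicy module
# installed with GPMC / RSAT. Domain, OU, GPO name and path are placeholders.
Import-Module GroupPolicy
$Domain   = 'example.com'                          # placeholder
$DomainDN = 'DC=example,DC=com'                    # placeholder
$TargetOU = 'OU=Workstations,DC=example,DC=com'    # placeholder
$GpoName  = 'Corp Security Baseline'               # placeholder, already linked to the domain

# "No Override" on a link is called "Enforced" in GPMC: an enforced link wins
# over GPOs linked lower down and over Block Inheritance set below it.
Set-GPLink -Name $GpoName -Target $DomainDN -Enforced Yes -Domain $Domain

# Block Inheritance is set on the container (domain or OU), not on a link.
Set-GPInheritance -Target $TargetOU -IsBlocked Yes -Domain $Domain

# What still reaches the OU: only enforced links from above survive the block.
$inh = Get-GPInheritance -Target $TargetOU -Domain $Domain
"Inheritance blocked on $TargetOU : $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Order

# Backup and a settings report before anyone edits the GPO in production.
$BackupDir = 'C:\GPOBackups'   # placeholder path
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -Name $GpoName -Path $BackupDir -Comment "pre-change $(Get-Date -Format s)" -Domain $Domain
Get-GPOReport -Name $GpoName -ReportType Html -Path "$BackupDir\$GpoName.html" -Domain $Domain

# Roll back a bad edit: restore the most recent backup of that GPO.
# Restore-GPO -Name $GpoName -Path $BackupDir -Domain $Domain
```

Scheduling the Backup-GPO line as a task gives you the "forgot to back up after modifying" protection the list above says GPMC alone lacks; comparing two HTML reports from Get-GPOReport is a cheap form of change tracking.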
Can you connect Active Directory to other 3rd-
party Directory Services? Name a few options.
Ans: Yes, you can connect other vendors' directory services with Microsoft's version.
- Yes, you can use DirXML or LDAP to connect to other directories (i.e. eDirectory from Novell, or NDS (Novell Directory Services)).
- Yes, you can connect Active Directory to other third-party directory services, such as the directories used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).
Ques6: Name the AD NCs and replication issues for each NC
Ans: Schema NC, Configuration NC, Domain NC.
-Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn
defines the different object classes and attributes within Active Directory.
-Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of
Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
-Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed
Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
Ques7: What are application partitions? When do I use them?
Ans: Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the
replication of a particular application directory partition hosts a replica of that partition. Only Domain controllers running Windows Server 2003 can host a
replica of an application directory partition.
Ques9: How do you view replication properties for AD partitions and DCs?
Ans: By using replication monitor
go to start > run > type replmon
Ques11: How do you view all the GCs in the forest?
Ans: C:\>repadmin /showreps domain_controller
OR you can use Replmon.exe for the same purpose.
OR use AD Sites and Services, or nslookup gc._msdcs.%USERDNSDOMAIN%
Ques12: Why not make all DCs in a large forest GCs?
Ans: The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would all have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden.
For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor WAN lines.
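The naming contexts, application partitions, global catalogs and replication state described in the last few answers can all be listed from the ActiveDirectory PowerShell module. This is an added example, not from the original page; it needs RSAT and queries whatever domain the session is joined to, so no placeholders are required:

```powershell
# Added example (not from the original page). Requires the ActiveDirectory
# module (RSAT); run on a domain-joined machine with rights to read AD.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

# The three standard NCs from the answer above ...
"Schema NC:        $($root.schemaNamingContext)"
"Configuration NC: $($root.configurationNamingContext)"
"Domain NC:        $($root.defaultNamingContext)"
# ... plus any application partitions (DomainDnsZones / ForestDnsZones are the
# usual ones): everything in namingContexts that is not one of the three.
$standard = @($root.schemaNamingContext, $root.configurationNamingContext, $root.defaultNamingContext)
$root.namingContexts | Where-Object { $standard -notcontains $_ } |
    ForEach-Object { "Application partition: $_" }

# Which DCs are global catalogs (the PowerShell equivalent of the
# nslookup gc._msdcs.<forest root> query; the GC records live in the forest root zone).
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IsGlobalCatalog
Resolve-DnsName -Name "gc._msdcs.$((Get-ADForest).RootDomain)" -Type A |
    Select-Object Name, IPAddress

# Replication partner state per partition on one DC (repadmin /showrepl in PowerShell).
$dc = (Get-ADDomainController).HostName
Get-ADReplicationPartnerMetadata -Target $dc -Partition '*' |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Forest-wide view of failures (repadmin /replsummary in PowerShell).
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
```

A non-zero ConsecutiveReplicationFailures for a partner, or any rows from Get-ADReplicationFailure, is the cue to move on to repadmin or Replmon on that specific DC pair.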
Ques13: Trying to look at the schema, how can I do that?
Ans: adsiedit.exe has an option to view the schema.
Alternatively, register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> Add Snap-in -> add Active Directory Schema
Save it as schema.msc
Open Administrative Tools -> schema.msc
Ques14: What are the Support Tools? Why do I need them?
Ans: Support Tools are the tools that are used for performing complicated tasks easily. These can also be third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer, RegistryMonitor, etc. -edit by Casquehead: I believe this question is referring to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2.
You need them because you cannot properly manage an Active Directory network without them.
Here they are; it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
Ques15: What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
Ans: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The
attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active
Directory. The following are the required files for using this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) are necessary.
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to
see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some
common replication errors and show some examples of when replication issues can stop other network installation actions.
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. It enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt,
click Start, right-click Command Prompt, and then click Run as administrator.
REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that
allows you to view the replication topology as seen from the perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for
diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.
REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.
Ques16: What are sites? What are they used for?
Ans: Active directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you
much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units
(OUs), and sites.
Ques17: What's the difference between a site link's schedule and interval?
Ans: The schedule lets you list the weekdays or hours when the site link is available for replication to happen in the given interval. The interval is the recurrence of intersite replication in minutes. It ranges from 15 to 10,080 mins. The default interval is 180 mins.
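To make the schedule/interval distinction concrete, here is an added PowerShell example (not from the original page) that creates a site link with an explicit interval and then restricts its schedule. The site names 'HQ' and 'Branch' are placeholders that must already exist; the ActiveDirectory module (RSAT) is required:

```powershell
# Added example (not from the original page). 'HQ' and 'Branch' are
# placeholder site names; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Interval: minutes between replication attempts while the link is open.
# Valid range is 15 to 10080 (one week); the default is 180.
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 60

# Schedule: which quarter-hour slots of which weekdays the link is open at all.
# Start from "closed all week", then open 20:00 to 23:45 every day, so the
# 60-minute interval only fires inside that window.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationSchedule $schedule

# Review all links. A link with no schedule attribute is open 24x7; otherwise
# count the 15-minute slots (7 days x 24 hours x 4) that are open.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, ReplicationSchedule |
    Select-Object Name, ReplicationFrequencyInMinutes, @{
        n = 'OpenSlots'
        e = {
            if ($_.ReplicationSchedule) { @($_.ReplicationSchedule.RawSchedule | Where-Object { $_ }).Count }
            else { 'all (24x7)' }
        }
    }
```

The two settings interact: a 15-minute interval on a link that is only open four hours a night still gives at most 16 replication cycles per day, so when replication latency is the problem, check the schedule before shortening the interval.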
default Windows 2003 forest level functionality has this role. By default the first server has this role. If that server can no longer perform this role then the next server with the highest GUID takes over the role of ISTG.
Ques20: What are the requirements for installing AD on a new server?
Ans: An NTFS partition with enough free space (250MB minimum)
· An Administrator’s username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
· A network connection (to a hub or to another computer via a crossover cable)
· An operational DNS server (which can be installed on the DC itself)
· A Domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
Ques21: What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Ans: First available in Windows 2003: create a copy of the system state from an existing DC and copy it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location of the system state files.
Ques22: How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
Ans: Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.
Another way:
Restart the DC in DSRM mode.
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode.
It's a member server now but the AD entries are still there. Promote the server to a fake domain, say ABC.com, and then remove it gracefully using DCpromo.
Else after restart you can also use ntdsutil to do the metadata cleanup as told in the earlier post.
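The "what do you do later" part of the question is the metadata cleanup on the surviving DCs. The following is an added example, not from the original page, of that follow-up; the DC name and site are placeholders, and it is run on a surviving DC from an elevated prompt:

```powershell
# Added example (not from the original page): follow-up after
# "dcpromo /forceremoval" on a DC that could not be demoted cleanly.
# Run on a surviving DC from an elevated prompt; names are placeholders.
Import-Module ActiveDirectory
$OldDc  = 'OLDDC01'                      # placeholder: the force-removed DC
$Site   = 'Default-First-Site-Name'      # placeholder: the site it lived in
$ConfNC = (Get-ADRootDSE).configurationNamingContext

# 1. Did the dead DC hold any FSMO role? If so, seize it on a surviving DC
#    (Move-ADDirectoryServerOperationMasterRole ... -Force) before cleaning up.
netdom query fsmo

# 2. Metadata cleanup: remove the stale NTDS Settings and server objects.
#    On Windows Server 2008 and later the whole ntdsutil dialogue fits on one line.
ntdsutil "metadata cleanup" "remove selected server CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$ConfNC" quit quit

# 3. Verify nothing still refers to it: no server object under Sites, no
#    replication partner on this DC, no leftover computer account.
Get-ADObject -Filter { objectClass -eq 'server' -and name -eq $OldDc } -SearchBase "CN=Sites,$ConfNC"
repadmin /showrepl | Select-String $OldDc
Get-ADComputer -Filter { Name -eq $OldDc } -ErrorAction SilentlyContinue

# 4. Replication health after the cleanup; errors from the removal show up here first.
repadmin /replsummary
```

The three checks in step 3 should all come back empty. Also delete the old DC's A and SRV records in DNS if they linger, since clients that locate a dead DC through DNS will see logon and Group Policy delays until they do.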
Ques23: What tool would I use to try to grab security-related packets from the wire?
Ans: You must use sniffer-detecting tools to help stop the snoops. … A good packet sniffer would be "ethereal".
Ques24: Name some OU design considerations.
Ans: OU design requires balancing requirements for delegating administrative rights (independent of Group Policy needs) and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: OU nesting usually doesn't go more than 3 OU levels deep.
Ques25: What is the tombstone lifetime attribute?
Ans: The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC; by default it is 60 days on Windows 2000 and 180 days on Windows Server 2003.
Ques26: What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Ans: If you plan to install Windows 2003 Server domain controllers into an existing Windows 2000 domain, or upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain to prepare the existing schema to support Windows 2003 Active Directory. The adprep /domainprep command must be issued on the server holding the infrastructure master role in the domain where the new server will be deployed.
Ques27: What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
Ans: If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change, mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Ques28: What are the DS commands?
Ans: The DS (Directory Service) family is a set of built-in command-line utilities for Windows Server 2003 Active Directory.
The DS group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice.
The DS family of built-in command-line executables offers alternative strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – delete Active Directory objects
DSmove – relocate objects
DSquery – find objects that match your query attributes
DSget – list the properties of an object
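The two branches are meant to be chained: DSquery finds objects and emits their DNs, DSget reads attributes, and DSadd/DSmod/DSmove/DSrm change them. The following is an added example of an account lifecycle, not from the original page; every DN, OU and user name is a placeholder, and it is run from an elevated prompt where the AD DS tools are installed:

```powershell
# Added example (not from the original page): the DS tools used together.
# All DNs, OUs and names are placeholders; run from an elevated prompt on a
# DC or a machine with the AD DS administration tools installed.
$OU = 'OU=Staff,DC=example,DC=com'

# dsadd: create a user, prompting for the password (-pwd *) and forcing a
# change at first logon so the creator never knows the working password.
dsadd user "CN=Jane Doe,$OU" -samid jdoe -upn jdoe@example.com -fn Jane -ln Doe -display "Jane Doe" -pwd * -mustchpwd yes

# dsquery | dsget: the query branch finds objects, the get branch reads attributes.
# Users in the OU whose password never expires (a common audit finding):
dsquery user $OU -limit 0 | dsget user -samid -pwdneverexpires | findstr /i "yes"
# Accounts with no logon for 8 weeks or more (candidates for disabling):
dsquery user $OU -inactive 8

# dsmod: disable; dsmove: park in a holding OU; dsrm: delete once retention has passed.
dsmod user "CN=Jane Doe,$OU" -disabled yes
dsmove "CN=Jane Doe,$OU" -newparent "OU=Disabled Accounts,DC=example,DC=com"
# dsrm "CN=Jane Doe,OU=Disabled Accounts,DC=example,DC=com" -noprompt

# dsget also expands group membership, e.g. who currently sits in Domain Admins:
dsget group "CN=Domain Admins,CN=Users,DC=example,DC=com" -members | dsget user -samid -disabled
```

Because DSquery writes DNs one per line, its output pipes straight into DSget and DSmod; the same pattern works for computers (dsquery computer -inactive) and for finding stale objects before an OU reorganisation.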
RAID
Question 1: What is the difference between RAID 1 and RAID 5?
Answer: In most situations you will be using one of the following four levels of RAID.
~ RAID 0
~ RAID 1
~ RAID 5
~ RAID 10 (also known as RAID 1+0)
RAID 0
~ Minimum 2 disks.
~ Excellent performance (as blocks are striped).
~ No redundancy (no mirror, no parity).
~ Don't use this for any critical system.
In all the diagrams mentioned below:
~ A, B, C, D, E and F represent blocks
~ p1, p2, and p3 represent parity

RAID 1
~ Minimum 2 disks.
~ Good performance (no striping, no parity).
~ Excellent redundancy (as blocks are mirrored).

RAID 5
~ Minimum 3 disks.
~ Good performance (as blocks are striped).
~ Good redundancy (distributed parity).
~ Best cost-effective option providing both performance and redundancy. Use this for a DB that is heavily read-oriented. Write operations will be slow.

RAID 10
~ Minimum 4 disks.
~ This is also called "stripe of mirrors".
~ Excellent redundancy (as blocks are mirrored).
~ Excellent performance (as blocks are striped).
If you can afford the dollars, this is the BEST option for any mission-critical applications (especially databases).
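An added example, not from the original page, that makes the RAID 1 versus RAID 5 contrast concrete in code: a three-disk RAID 5 array laid out in memory, with one disk discarded and rebuilt from the other two. RAID 1 would simply keep a second copy of every block; RAID 5 instead stores one XOR parity block per stripe and rotates it across the disks. All data are constructed sample bytes.

```powershell
# Added example (not from the original page): a toy RAID 5 array in memory.
# Three 8-byte "disks", two stripes, constructed sample data. Parity is the
# XOR of the data blocks in a stripe and moves to a different disk per stripe.

function Get-XorBlock {
    # XOR a set of equal-length byte[] blocks into one block (the parity).
    param([object[]]$Blocks)
    $out = New-Object byte[] ($Blocks[0].Length)
    foreach ($b in $Blocks) {
        for ($i = 0; $i -lt $out.Length; $i++) { $out[$i] = $out[$i] -bxor $b[$i] }
    }
    return ,$out
}

function New-Raid5Array {
    # Returns a hashtable: disk index -> list of blocks (one per stripe).
    param([object[]]$DataBlocks, [int]$DiskCount)
    if ($DiskCount -lt 3) { throw 'RAID 5 needs at least 3 disks' }
    $perStripe = $DiskCount - 1                      # data blocks per stripe
    if ($DataBlocks.Count % $perStripe -ne 0) { throw 'demo expects whole stripes' }
    $disks = @{}
    for ($d = 0; $d -lt $DiskCount; $d++) { $disks[$d] = New-Object 'System.Collections.Generic.List[byte[]]' }
    $stripes = $DataBlocks.Count / $perStripe
    for ($s = 0; $s -lt $stripes; $s++) {
        $chunk = @($DataBlocks[($s * $perStripe)..(($s + 1) * $perStripe - 1)])
        $parityDisk = ($DiskCount - 1) - ($s % $DiskCount)   # rotates each stripe
        $parity = Get-XorBlock -Blocks $chunk
        $j = 0
        for ($d = 0; $d -lt $DiskCount; $d++) {
            if ($d -eq $parityDisk) { $disks[$d].Add($parity) }
            else { $disks[$d].Add($chunk[$j]); $j++ }
        }
    }
    return $disks
}

function Restore-Raid5Disk {
    # Rebuild every block of one failed disk by XOR-ing the surviving disks'
    # blocks of the same stripe (works whether the lost block was data or parity).
    param([hashtable]$Disks, [int]$DiskCount, [int]$LostDisk)
    $rebuilt = New-Object 'System.Collections.Generic.List[byte[]]'
    $stripes = $Disks[(($LostDisk + 1) % $DiskCount)].Count
    for ($s = 0; $s -lt $stripes; $s++) {
        $survivors = @(0..($DiskCount - 1) | Where-Object { $_ -ne $LostDisk } | ForEach-Object { ,$Disks[$_][$s] })
        $rebuilt.Add((Get-XorBlock -Blocks $survivors))
    }
    return ,$rebuilt
}

# Constructed sample data: four 8-byte blocks (A, B, C, D as in the legend above).
$data = @('AAAAAAAA', 'BBBBBBBB', 'CCCCCCCC', 'DDDDDDDD') |
    ForEach-Object { ,[System.Text.Encoding]::ASCII.GetBytes($_) }

$diskCount = 3
$array = New-Raid5Array -DataBlocks $data -DiskCount $diskCount
# Usable capacity is (n - 1) disks' worth: 2 of the 3 blocks in each stripe are data.

$lost = 1                                   # pretend disk 1 failed
$recovered = Restore-Raid5Disk -Disks $array -DiskCount $diskCount -LostDisk $lost
for ($s = 0; $s -lt $recovered.Count; $s++) {
    $want = [BitConverter]::ToString($array[$lost][$s])
    $got  = [BitConverter]::ToString($recovered[$s])
    "stripe $s on disk $lost rebuilt as $got (matches original: $($want -eq $got))"
}
```

The rebuild loop is also why RAID 5 writes are slow and why a second failure during a rebuild is fatal: every write updates a data block and its stripe's parity, and recovering any block needs all of the other disks in that stripe to be readable.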

Question 2: Explain the different RAID levels.
Answer: There are also several non-standard RAID levels, which are not used except in some rare situations. It is good to know what they are.
This article explains with a simple diagram how RAID 2, RAID 3, RAID 4, and RAID 6 work.
RAID 2

~ This uses bit-level striping, i.e. instead of striping the blocks across the disks, it stripes the bits across the disks.
~ In the above diagram b1, b2, b3 are bits. E1, E2, E3 are error correction codes.
~ You need two groups of disks. One group of disks is used to write the data, another group is used to write the error correction codes.
~ This uses Hamming error correction code (ECC), and stores this information in the redundancy disks.
~ When data is written to the disks, it calculates the ECC code for the data on the fly, stripes the data bits to the data disks, and writes the ECC code to the redundancy disks.
~ When data is read from the disks, it also reads the corresponding ECC code from the redundancy disks, and checks whether the data is consistent. If required, it makes appropriate corrections on the fly.
~ This uses a lot of disks and can be configured in different disk configurations. Some valid configurations are 1) 10 disks for data and 4 disks for ECC, 2) 4 disks for data and 3 disks for ECC.
~ This is not used anymore. It is expensive, implementing it in a RAID controller is complex, and ECC is redundant nowadays, as the hard disks themselves can do this.
~ In the above diagram b1, b2, b3 are bits. E1, E2, E3 are error correction codes.
You need two groups of disks. One group of disks are used to write the data, another group is used to write the error correction codes.
~This uses Hamming error correction code (ECC), and stores this information in the redundancy disks.
~When data is written to the disks, it calculates the ECC code for the data on the fly, and stripes the data bits to the data-disks, and writes the ECC code to the redundancy disks.
~When data is read from the disks, it also reads the corresponding ECC code from the redundancy disks, and checks whether the data is consistent.
If required, it makes appropriate corrections on the fly.
~This uses lot of disks and can be configured in different disk configuration. Some valid configurations are 1) 10 disks for data and 4 disks for ECC 2) 4 disks for data and 3 disks for ECC
~This is not used anymore. This is expensive and implementing it in a RAID controller is complex, and ECC is redundant now-a-days, as the hard disk
themselves can do this.
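The bit-level striping with Hamming ECC described above, as an added worked example (this is constructed here and is not code from the original article). It uses the "4 disks for data and 3 disks for ECC" layout the text mentions: every nibble of input is spread one bit per data disk, the three Hamming(7,4) check bits go to three ECC disks, and on read the syndrome locates and flips back a single bad bit in any of the seven disks of that stripe. The disk counts, helper names and the sample payload are choices made here.

```python
"""RAID 2 style bit-level striping with Hamming(7,4) ECC (constructed example)."""

DATA_DISKS = 4   # d1..d4: one bit of each nibble per disk
ECC_DISKS = 3    # p1, p2, p4: Hamming check bits at positions 1, 2, 4


def hamming_encode(d):
    """Compute the 3 check bits (p1, p2, p4) for data bits (d1, d2, d3, d4)."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p4 = d2 ^ d3 ^ d4
    return (p1, p2, p4)


def hamming_decode(d, p):
    """Return (corrected data bits, error position). The position is 1..7 in
    codeword order p1 p2 d1 p4 d2 d3 d4, or 0 when the syndrome is clean.
    Hamming(7,4) corrects exactly one flipped bit per stripe; two flips in
    the same stripe are miscorrected, which is why RAID 2 never protected
    against whole-disk loss on its own."""
    d1, d2, d3, d4 = d
    p1, p2, p4 = p
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s4 = p4 ^ d2 ^ d3 ^ d4
    pos = s1 | (s2 << 1) | (s4 << 2)
    codeword = [p1, p2, d1, p4, d2, d3, d4]
    if pos:
        codeword[pos - 1] ^= 1          # flip the located bit back
    return (codeword[2], codeword[4], codeword[5], codeword[6]), pos


def raid2_write(data):
    """Stripe bytes across 4 data disks + 3 ECC disks. Returns 7 'disks',
    each a list of bits; stripe k holds nibble k of the input."""
    disks = [[] for _ in range(DATA_DISKS + ECC_DISKS)]
    for byte in data:
        for nibble in (byte >> 4, byte & 0xF):
            d = tuple((nibble >> (3 - i)) & 1 for i in range(4))  # MSB first
            p = hamming_encode(d)
            for i, bit in enumerate(d):
                disks[i].append(bit)
            for i, bit in enumerate(p):
                disks[DATA_DISKS + i].append(bit)
    return disks


def raid2_read(disks):
    """Reassemble the bytes, correcting one bad bit per stripe on the fly.
    Returns (bytes, number of stripes that needed correction)."""
    corrected = 0
    nibbles = []
    for k in range(len(disks[0])):
        d = tuple(disks[i][k] for i in range(DATA_DISKS))
        p = tuple(disks[DATA_DISKS + i][k] for i in range(ECC_DISKS))
        fixed, pos = hamming_decode(d, p)
        corrected += 1 if pos else 0
        nibbles.append(sum(bit << (3 - i) for i, bit in enumerate(fixed)))
    out = bytes((nibbles[i] << 4) | nibbles[i + 1]
                for i in range(0, len(nibbles), 2))
    return out, corrected


def flip_bit(disks, disk_index, stripe):
    """Simulate a media error on one disk (constructed fault injection)."""
    disks[disk_index][stripe] ^= 1


def demo():
    payload = b"RAID2"          # constructed sample input: 10 nibbles = 10 stripes
    disks = raid2_write(payload)
    flip_bit(disks, 2, 5)       # bad bit on data disk d3, stripe 5
    flip_bit(disks, 5, 1)       # bad bit on ECC disk p2, stripe 1
    return raid2_read(disks)


if __name__ == "__main__":
    print(demo())
```

The read path returns the original payload and a count of two corrected stripes even though both a data disk and an ECC disk were hit, because each error sits in a different stripe. Inject two flips into the same stripe and the decoder silently returns wrong data, which is the limit of single-error-correcting codes and one reason the text calls RAID 2 obsolete now that drives carry their own per-sector ECC.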
RAID 3
~ This uses byte-level striping, i.e. instead of striping blocks across the disks, it stripes the bytes across the disks.
~ In the original diagram B1, B2, B3 are bytes and p1, p2, p3 are parities.
~ Uses multiple data disks, and a dedicated disk to store parity.
~ The disks have to spin in sync to get to the data.
~ Sequential reads and writes will have good performance.
~ Random reads and writes will have the worst performance.
~ This is not commonly used.
RAID 4
~ This uses block-level striping. In the original diagram B1, B2, B3 are blocks and p1, p2, p3 are parity.
~ Uses multiple data disks, and a dedicated disk to store parity.
~ Minimum of 3 disks (2 disks for data and 1 for parity).
~ Good random reads, as the data blocks are striped.
~ Bad random writes, as every write has to update the single parity disk.
~ It is somewhat similar to RAID 3 and 5, but a little different.
~ This is just like RAID 3 in having a dedicated parity disk, but this stripes blocks.
~ This is just like RAID 5 in striping blocks across the data disks, but this has only one parity disk.
~ This is not commonly used.
RAID 6
~ Just like RAID 5, this does block-level striping. However, it uses dual parity.
~ In the original diagram A, B, C are blocks and p1, p2, p3 are parities.
~ This creates two parity blocks for each stripe of data blocks. It can handle two disk failures.
~ This RAID configuration is complex to implement in a RAID controller, as it has to calculate two parity values for each data block.
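The parity mechanics behind RAID 4, RAID 5 and RAID 6 as an added worked example; this is constructed here and is not code from the original article. The single parity block P is the bytewise XOR of the stripe (RAID 4 keeps it on a dedicated disk, RAID 5 rotates it), which is enough to rebuild one lost disk. RAID 6 needs a second, independent parity Q: XOR-ing the stripe twice would give nothing new, so Q is computed with Reed-Solomon style arithmetic in GF(2^8), and P and Q together rebuild any two lost disks. The generator, the reducing polynomial, the left-symmetric rotation and the sample blocks are choices made here, not something the article specifies.

```python
"""Single (P) and dual (P+Q) parity as used by RAID 4/5 and RAID 6: a
constructed example, not code from the original article. Generator,
reducing polynomial and sample blocks are choices made here."""


def gf_mul(a, b):
    """Multiply in GF(2^8), reducing polynomial x^8+x^4+x^3+x^2+1 (0x11d)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11d
        b >>= 1
    return r


def gf_pow(a, n):
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    """a^254 is the inverse of a != 0, since a^255 == 1 in GF(2^8)."""
    return gf_pow(a, 254)


GEN = 2  # data disk i contributes g**i * D_i to Q


def p_parity(data, skip=()):
    """RAID 4/5 parity: XOR of the data blocks whose disk index is not in `skip`."""
    out = bytearray(len(data[0]))
    for i, block in enumerate(data):
        if i not in skip:
            for k, byte in enumerate(block):
                out[k] ^= byte
    return bytes(out)


def q_parity(data, skip=()):
    """RAID 6 second parity: sum over i of g^i * D_i in GF(2^8), skipping `skip`."""
    out = bytearray(len(data[0]))
    for i, block in enumerate(data):
        if i not in skip:
            coef = gf_pow(GEN, i)
            for k, byte in enumerate(block):
                out[k] ^= gf_mul(coef, byte)
    return bytes(out)


def recover_one(data, p, lost):
    """RAID 5 rebuild of one lost data disk: XOR of P and the survivors."""
    return p_parity(data + [p], skip=(lost,))


def recover_two(data, p, q, i, j):
    """RAID 6 rebuild of lost data disks i and j from P, Q and the survivors.
    With A = D_i ^ D_j and B = g^i*D_i ^ g^j*D_j (survivors removed):
    D_j = (B ^ g^i*A) / (g^i ^ g^j) and D_i = A ^ D_j."""
    p_rest, q_rest = p_parity(data, (i, j)), q_parity(data, (i, j))
    gi, gj = gf_pow(GEN, i), gf_pow(GEN, j)
    inv = gf_inv(gi ^ gj)
    di, dj = bytearray(len(p)), bytearray(len(p))
    for k in range(len(p)):
        a = p[k] ^ p_rest[k]
        b = q[k] ^ q_rest[k]
        dj[k] = gf_mul(b ^ gf_mul(gi, a), inv)
        di[k] = a ^ dj[k]
    return bytes(di), bytes(dj)


def small_write_parity(old_p, old_block, new_block):
    """The RAID 4/5 write penalty: a partial-stripe write must first read the
    old data block and the old parity, then write new data and new parity."""
    return bytes(op ^ ob ^ nb for op, ob, nb in zip(old_p, old_block, new_block))


def parity_disk(level, stripe, n_disks):
    """RAID 4 keeps P on a dedicated last disk; RAID 5 rotates it per stripe
    (left-symmetric layout) so no single disk becomes the write bottleneck."""
    return n_disks - 1 if level == 4 else (n_disks - 1) - stripe % n_disks


def demo():
    data = [b"\x01\x02\x03\x04", b"\x10\x20\x30\x40",   # constructed 4-disk stripe
            b"\xaa\xbb\xcc\xdd", b"\xff\x00\xff\x00"]
    p, q = p_parity(data), q_parity(data)
    return (recover_one(data, p, 2) == data[2],
            recover_two(data, p, q, 0, 3) == (data[0], data[3]))


if __name__ == "__main__":
    print(demo())
```

`small_write_parity` is the reason the article warns that RAID 4/5 writes are slow: one logical block write costs two reads and two writes, and on RAID 4 the parity half of every such write lands on the same disk. The RAID 6 rebuild only works because `gf_inv(gi ^ gj)` exists for every pair of distinct disks, which is exactly what the GF(2^8) construction buys over a second XOR.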
● Which FSMO role should you NOT seize? Why?
● I want to look at the RID allocation table for a DC. What do I do?
● What's the difference between transferring a FSMO role and seizing one?
● How do you configure a "stand-by operation master" for any of the roles?
● How do you back up AD? How do you restore AD?
● How do you change the DS Restore admin password?
● Why can't you restore a DC that was backed up 4 months ago?
● What are GPOs? What is the order in which GPOs are applied?
● Name a few benefits of using GPMC.
● What are the GPC and the GPT? Where can I find them?
● What are GPO links? What special things can I do to them?
● What can I do to prevent inheritance from above?
● How can I override blocking of inheritance?
● How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
● A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
● Name a few differences in Vista GPOs.
● Name some GPO settings in the computer and user parts.
● What are administrative templates?
● What's the difference between software publishing and assigning?
● Can I deploy non-MSI software with GPO?
● You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Windows Server 2008/R2 Active Directory
● What is Active Directory?
● What is LDAP?
● Where is the AD database held? What other folders are related to AD?
● Talk about all the AD-related roles in Windows Server 2008/R2.
● What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
● What is the SYSVOL folder?
● What are the AD naming contexts (partitions) and replication issues for each NC?
● What are application partitions?
● What applications or services use AD application partitions? Name a couple.
● How do you create a new application partition?
● What are the requirements for installing AD on a new server?
● What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
● How do you view replication properties for AD partitions and DCs?
● What is the Global Catalog?
● How do you view all the GCs in the forest?
● Why not make all DCs in a large forest GCs?
● Talk about GCs and Universal Groups.
● Describe the time synchronization mechanism in AD.
● What is ADSIEDIT? What is NETDOM? What is REPADMIN?
● What is DCDIAG? When would you use it?
● What are sites? What are they used for?
● What's the difference between a site link's schedule and interval?
● What is the KCC?
● What is the ISTG? Who has that role by default?
● Talk about sites and GCs.
● Talk about sites and Exchange Server 2007/2010.
● What is GPO?
● Describe the way GPO is applied throughout the domain.
● What can you do to prevent inheritance from above?
● How can you override blocking of inheritance?
● Name some of the major changes in GPO in Windows Server 2008.
● What are ADM files? What replaced them in Windows Server 2008?
● What's the GPO repository? How do you use it?
● What are GPO Preferences? Which client OSs can use GPO Preferences?
● What are GPO Templates? What are WMI Filters?
● What is the concept behind GPO Filtering?
● How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
● A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
● You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
● What are the major changes in AD in Windows Server 2008?
● What are the major changes in AD in Windows Server 2008 R2?
● What is the AD Recycle Bin? How do you use it?
● What is the tombstone lifetime attribute?
● What are AD Snapshots? How do you use them?
● What is Offline Domain Join? How do you use it?
● What are Fine-Grained Passwords? How do you use them?
● Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2. What is this feature good for?
● What are the changes in auditing in Windows Server 2008/R2?
● How can you forcibly remove AD from a server, and what do you do later?
● Can I get user passwords from the AD database?
● What tool would I use to try to grab security related packets from the wire?
● Talk about PowerShell and AD.
● Talk about Windows Backup and AD backups.
● How do you change the DS Restore admin password?
● Why can't you restore a DC that was backed up 7 months ago?
● What's NTDSUTIL? When do you use it?
● What are RODCs? What are the major benefits of using RODCs?
● How do you install an RODC? Talk about RODCs and passwords.
● What is Read Only DNS?
● What happens when a remote site with an RODC loses connectivity to the main site?
● Talk about Server Core and AD.
● How do you promote a Server Core to DC?
● What are the FSMO roles? Who has them by default? What happens when each one fails?
● How can you tell who holds each FSMO role? Name 2-3 methods.
● What FSMO placement considerations do you know of?
● You want to look at the RID allocation table for a DC. What do you need to do?
● What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
http://www.petri.co.il/seizing_fsmo_roles.htm
http://www.petri.co.il/mcse-system-administrator-windows-server-2008-r2-active-directory-interview-questions.htm
File system junctions.
File Replication Service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
Ques8: How do you create a new application partition?
Ans: http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
GUI View
Schema Master
To view the schema you must first register the schema master DLL with Windows. To do this, enter the following in the Run dialog of the Start menu:
regsvr32 schmmgmt.dll
Once you have done this, the Schema Master MMC snap-in will be available.
Active Directory Domains and Trusts
The Domain Naming Master can be viewed and transferred from here.
Active Directory Users and Computers
The RID, PDC Emulator and Infrastructure Master roles can be viewed and transferred from here.
NTDSUTIL
NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in the FSMO Role Failure section below).
To transfer a role using ntdsutil, use the example below as a template for all the roles.
§ Open a command prompt
§ Enter ntdsutil
§ At the ntdsutil command prompt enter roles
§ At the fsmo maintenance prompt enter connections
§ At the server connections prompt enter connect to server domaincontrollername
§ At the server connections prompt enter quit
§ At the fsmo maintenance prompt enter transfer schema master
§ Quit from the console
FSMO Role Failure
Some of the operations master roles are essential for AD functionality; others can be unavailable for a while before their absence will be noticed. Normally it is not the failure of the role, but rather the failure of the DC on which the role is running.
If a DC which is a role holder fails, you can seize the role on another DC, but you should always try to transfer the role first.
Before seizing a role you need to assess the duration of the outage of the DC which is holding the role. If it is likely to be a short outage due to a temporary power or network issue, then you would probably want to wait rather than seize the role.
Schema Master Failure
In most cases the loss of the schema master will not affect network users, and will only affect admins if modifications to the schema are required. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
Domain Naming Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if they try to add or remove a domain in the forest. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose domain naming master role has been seized should never be brought back online.
RID Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose RID master role has been seized should never be brought back online.
PDC Emulator Master Failure
Network users will notice the loss of the PDC emulator. If the DC with this role fails you may need to seize this role immediately. Only pre-Windows 2000 clients and NT4 BDCs will be affected.
If you seize the role and return the original DC to the network, you can transfer the role back.
Infrastructure Master Failure
Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they are moving, or have recently moved or renamed, large numbers of accounts.
If you are required to seize the role, do not seize it to a DC which is a global catalogue server unless all DCs are global catalogue servers.
If you seize the role and return the original DC to the network, you can transfer the role back.
· 192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
· 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
· 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)
Class   | Address Range                | Supports
Class A | 1.0.0.1 to 126.255.255.254   | Supports 16 million hosts on each of 127 networks.
Class B | 128.1.0.1 to 191.255.255.254 | Supports 65,000 hosts on each of 16,000 networks.
Class C | 192.0.0.1 to 223.255.254.254 | Supports 254 hosts on each of 2 million networks.
Class D | 224.0.0.0 to 239.255.255.255 |
Class E | 240.0.0.0 to 254.255.255.254 | Reserved for future use, or Research and Development Purposes.
● What tool would I use to try to grab security related packets from the wire?
Network Monitor, Ethereal or Wireshark.