Vinayakvmwares.weebly.com



What is new in Windows Server 2012 and 2012 R2

Active Directory-Based Activation (ADBA)
Clustering in Windows Server 2012
Active Directory Federation Services (ADFS) now in-box
ADPREP integrated into DC promotion
Dynamic Access Control (DAC)
Domain join via DirectAccess
DFS Namespace and DFS Replication
Data Deduplication
DHCP
DNS
Flexible Authentication Secure Tunneling (FAST)
Expanded cluster scalability
GUI for Recycle Bin
Group Managed Service Accounts (gMSAs)
Hyper-V
Hyper-V Virtual Switch
IPAM
iSCSI Target Server
Kerberos Constrained Delegation (KCD) across domains
Live Migration without shared storage
Multiple concurrent Live Migrations
NIC Teaming
Offline Domain Join
PowerShell History Viewer
PowerShell
Remote Desktop Services
SMB (Server Message Block)
Storage Spaces
Server Manager
Storage Live Migration
UI for Fine-Grained Password Policies
Virtual Domain Controller: cloning and snapshots
Virtual snapshot and cloning support
Work Folders
Windows Server Gateway

Active Directory-Based Activation (ADBA)
The good: ADBA eliminates the need for a Key Management Service (KMS) server; domain-joined clients activate against the domain itself. The bad: only Windows 8 / Windows Server 2012 and later clients can use ADBA, so older clients still need KMS or MAK keys. Seriously, Microsoft?

Active Directory Federation Services (ADFS) now in-box
ADFS no longer requires a separate download and installation; it is a server role. ADFS also gains multiple improvements. Watch this space, because you will be seeing and using more ADFS in the years to come.

ADPREP integrated into DC promotion
Cannot recall the proper steps to promote a member server to a DC? No worries: the Active Directory Domain Services deployment wizard (and Install-ADDSDomainController) runs the forest and domain preparation steps (adprep) for you.

Clustering in Windows Server 2012 R2
Feature: new or improved: description
- Shared virtual hard disk (for guest clusters): new. Lets you use .vhdx files as shared storage in a guest cluster.
- Virtual machine drain on shutdown: new. Lets a Hyper-V host automatically live migrate running virtual machines when the host is shut down.

Dynamic Access Control (DAC)
Windows Server 2008 R2 brought the File Classification Infrastructure (FCI). DAC in Windows Server 2012 adds far greater functionality on top of FCI as an (optional) second layer of resource authorization: access decisions can use user and device claims and central access policies in addition to group membership.

Domain join via DirectAccess
One word: nifty! Nine words: computers can now be domain-joined over the Internet. You will need DirectAccess first. Trust me: you will want it.

DFS Namespace and DFS Replication
DFS Namespace groups shared folders located on different servers into one or more logically structured namespaces. DFS Replication is a role service in File and Storage Services that efficiently replicates folders across multiple servers and sites. It uses a compression algorithm known as remote differential compression (RDC), which detects the changed blocks in a file so that only those blocks are replicated instead of the entire file.

Data Deduplication
Data deduplication finds and removes duplicate data: identical chunks across files are stored once, which reduces disk usage.

DHCP (Windows Server 2012 R2 additions)
Feature: new or improved: description
- DNS registration enhancements: new. You can use DHCP policies to configure conditions based on the fully qualified domain name (FQDN) of DHCP clients, and register workgroup computers using a guest DNS suffix.
- DNS PTR registration options: new. You can enable DNS registration of both address (A) and pointer (PTR) records, or of A records only.
- Windows PowerShell for DHCP Server: improved. New Windows PowerShell cmdlets are available.

Expanded cluster scalability
Previous versions of Windows Server were limited to 16 cluster nodes. Windows Server 2012 failover clusters support up to 64 nodes and up to 8,000 virtual machines (VMs) per cluster (the same figures appear in the 2008 R2 versus 2012 comparison table later on this page).

Flexible Authentication Secure Tunneling (FAST)
The nickname for FAST is "Kerberos armoring", if that tells you anything: the client's AS and TGS exchanges are wrapped in an armor key derived from the computer account's TGT, which protects the user's pre-authentication data from offline password guessing and lets the KDC issue compound identity (user plus device claims) for DAC. It is not enabled by default; it requires the KDC and client Group Policy settings to be turned on, a Windows Server 2012 domain functional level, and Windows 8 / Windows Server 2012 or later clients. Think you will be using it anytime soon?

DNS (Windows Server 2012 R2 additions)
Feature: new or improved: description
- DNS logging and diagnostics: new. Enhanced DNS logging and diagnostics in Windows Server 2012 R2 and later includes DNS audit events and DNS analytic events.
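The gMSA and cross-domain constrained delegation entries above describe two Windows Server 2012 additions that are easier to understand in working form. The following PowerShell is an added example, not code from the original page; the domain names, host names and IP addresses are hypothetical, and it assumes the Active Directory RSAT module, a Windows Server 2012 domain controller, and rights in both the parent domain and the child domain where the back-end host lives.

```powershell
# Added example (not from the original page): a gMSA for a load-balanced web tier
# plus resource-based constrained delegation to a SQL host in another domain.
# Hypothetical names: domain corp.example, child domain sales.corp.example,
# web servers WEB01/WEB02, back-end host SQL01.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key that domain controllers derive gMSA passwords from.
#    Backdating by 10 hours skips the replication wait and is acceptable in a lab only;
#    in production use -EffectiveImmediately and wait for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A group of the hosts allowed to retrieve the managed password.
$webHosts = New-ADGroup -Name 'gMSA-WebFarm-Hosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $webHosts -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. The gMSA itself: nobody ever learns the password, and the DCs rotate it every 30 days.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
    -ServicePrincipalNames 'HTTP/www.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $webHosts `
    -ManagedPasswordIntervalInDays 30

# 4. Resource-based constrained delegation (Windows Server 2012): the back-end resource
#    decides which front ends may delegate to it. The ACL is written to SQL01's own
#    msDS-AllowedToActOnBehalfOfOtherIdentity attribute, and the front end may live in
#    another domain, which classic KCD could not do.
$frontEnd = Get-ADServiceAccount -Identity 'svc-web'
Set-ADComputer -Identity 'SQL01' -Server 'sales.corp.example' `
    -PrincipalsAllowedToDelegateToAccount $frontEnd

# 5. On each web host (needs the AD module locally):
#    Install-ADServiceAccount 'svc-web'; Test-ADServiceAccount 'svc-web'   # expect True

# 6. Audit: every object that lets someone act on its behalf, and who that someone is.
#    Review this list regularly; an unexpected entry here is a privilege-escalation path.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [pscustomobject]@{
            Resource         = $_.DistinguishedName
            AllowedFrontEnds = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
```

The audit query at the end is the part a defender should keep: anyone with write access to a computer object can grant themselves delegation to it, so the attribute deserves the same monitoring as the older "Trusted for delegation" flag.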
Hyper-V 2.0 could perform only one Live Migration at a time; Hyper-V 3.0 can run several live migrations concurrently.

NIC Teaming
NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for:
- bandwidth aggregation;
- traffic failover, to prevent connectivity loss when a network component fails (redundancy).
A NIC team is a collection of network adapters that work together as one. Another benefit is that a team can be large: you can combine up to 32 physical NICs. A team of 32 ten-gigabit NICs is the functional equivalent of a 320 gigabit connection in aggregate, although any single flow is still carried by one adapter at a time.

Offline Domain Join
Offline Domain Join (djoin.exe) is improved in Windows Server 2012 AD DS: if the domain is DirectAccess-enabled, the provisioning data can also carry the root certificates, certificate template and Group Policy objects DirectAccess needs, so the computer can complete its domain join over the Internet.

PowerShell History Viewer
The Active Directory Administrative Center shows you the Windows PowerShell commands that correspond to the actions you perform in its UI, so you can copy them into scripts.

PowerShell
Windows Server 2012 R2 ships PowerShell 4.0. Besides the usual bug fixes, new cmdlets and so on, there are some other major enhancements. One is Desired State Configuration (DSC), a declarative management system for deploying and managing configuration data, software services and the environment in which those services run. Another is the Save-Help cmdlet, which downloads help files on a computer with Internet access (from PowerShell 4.0 even for modules that computer does not have installed); you then copy the files to a server or workstation without an Internet connection and import them with Update-Help -SourcePath. Debugging has also been enhanced: you can debug a remote PowerShell workflow or script, and if the remote session disconnects and you reconnect, the debugging session is preserved.

Remote Desktop Services
Session shadowing is now included, as is Quick Reconnect in the Remote Desktop clients, and a huge amount of effort went into improving compression and bandwidth usage so that end users get more fluent applications.

SMB (Server Message Block)
SMB 3.0 was released with Windows Server 2012. SMB is the network file sharing protocol that lets a client read and write files on a remote server; an application accesses the remote file as if it were local. SMB 3.0 adds end-to-end encryption of share traffic (per share or server-wide), SMB Multichannel, SMB Direct over RDMA, and transparent failover for clustered file shares.

Storage Spaces (Windows Server 2012 R2 additions)
Storage Spaces has been extended with features that bring it closer to feature parity with high-end Storage Area Networks (SANs): tiered storage, write-back caching and more flexible resiliency options.
- Storage tiers: automatically moves frequently accessed data to faster (solid-state drive) storage and infrequently accessed data to slower (hard disk) storage.
- Write-back caching: buffers small random writes on solid-state drives, reducing write latency.
- Parity space support for failover clusters: parity spaces can now be created on clustered storage pools.
- Dual parity: stores two copies of the parity information on a parity space, which protects against two simultaneous physical disk failures while keeping storage efficiency.
- Automatic rebuild from storage pool free space: decreases rebuild time after a physical disk failure by using spare capacity in the pool instead of a single hot spare.

Server Manager
Server Manager in Windows Server 2008 R2 could not install roles over the network. In Windows Server 2012, you can install server roles and features on other servers over the network and manage many servers from one console.

Storage Live Migration
Hyper-V 3.0's Storage Live Migration lets you move a VM's virtual disk, configuration and snapshot files to a new storage location with no interruption of end-user connectivity to the VM.

UI for Fine-Grained Password Policies
Also gaining a GUI (in the Active Directory Administrative Center) are fine-grained password policies, which apply different password and lockout settings to different users and groups within one domain.

Virtual Snapshot and Cloning Support
Active Directory and hypervisor snapshots did not mix before: rolling a DC back to a snapshot caused USN rollback and lingering objects. Now they do, if your hypervisor supports VM Generation ID. When the DC sees the generation ID change, it resets its invocation ID, discards its RID pool and re-synchronizes SYSVOL, so the rolled-back DC does not poison replication.

Virtual Domain Controller: cloning and snapshots
To virtualize and also clone your domain controllers safely, at least the following conditions must be met:
- The PDC emulator must be on a domain controller running Windows Server 2012. You cannot clone the PDC emulator, and it must be available during the cloning process. The domain therefore needs at least two Windows Server 2012 domain controllers: one holds the PDC emulator and the other is the one you clone.
- The virtualization solution must support VM Generation ID. When this was written, that meant only Hyper-V in Windows Server 2012; other hypervisors have since added support.
- To discover whether your virtualization solution supports VM Generation ID, look in Device Manager on a virtualized Windows Server 2012 machine: under System devices there must be a "Microsoft Hyper-V Generation Counter" device backed by the vmgencounter.sys driver file.
Before you clone a virtual domain controller, run the Get-ADDCCloningExcludedApplicationList cmdlet on it. It checks whether applications or services on the virtual server are not known to support cloning; if it finds some, for example the DHCP Server service or an antivirus scanner, it lists them, and you must remove them or explicitly accept them in CustomDCCloneAllowList.xml.
The configuration for the clone is described in the DCCloneConfig.xml file. A sample, SampleDCCloneConfig.xml, is located in C:\Windows\System32, and the New-ADDCCloneConfigFile cmdlet generates a DCCloneConfig.xml for you. The file goes in the folder that holds the Active Directory database, normally C:\Windows\NTDS. You can only clone source domain controllers that are members of the Cloneable Domain Controllers group in Active Directory, and only domain controllers that are switched off: you must shut down the source domain controller before you copy or export it.
Before the new domain controller is started, the DCCloneConfig.xml customized for the clone must be in the Active Directory database folder on the clone's disk, normally C:\Windows\NTDS. Once a clone has been processed, Windows renames the file to show that a cloning process has taken place; if you reuse that disk for another clone, rename it back to DCCloneConfig.xml. Next, either create a new virtual machine using the copied hard drive, or import the exported server with Hyper-V Manager or PowerShell; when you import, select the option "Copy the virtual machine" so the clone gets a new VM Generation ID. When the clone starts, it detects the new generation ID, parses DCCloneConfig.xml and promotes itself as a new domain controller with the name, site and IP settings from the file.

Work Folders (Windows Server 2012 R2)
Work Folders syncs a user's files between the file server and the user's devices. To test Work Folders, create a document (using Notepad or any other app) on one of the client machines and save it under the Work Folders location. In a few moments, you should see the document synced to the other client machine.
For example, when Tom saves documents in his Work Folders directory, they sync to the file server; when Tom goes home he can keep working on them offline, and his changes sync back to the file server when he reconnects. If the file server's classification rules mark a document as confidential, the server can encrypt it with Active Directory Rights Management Services before it syncs out to the users' devices, so the document stays protected wherever it lands.

Windows Server Gateway
The Windows Server Gateway is a virtual machine software router (deployed from a template) that routes network traffic between virtual and physical networks, including the Internet.
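The Hyper-V Virtual Switch section above mentions "protection against malicious virtual machines" without showing what that looks like, and the 2008 R2 versus 2012 comparison table later on this page lists DHCP guard as one of those protections. The following PowerShell is an added example, not code from the original page; the VM names are hypothetical, and it assumes a Windows Server 2012 or later Hyper-V host with the Hyper-V PowerShell module.

```powershell
# Added example (not from the original page): apply the per-port protections of the
# Windows Server 2012 Hyper-V Virtual Switch to tenant VMs, then audit the host for
# ports that are still open. Run on the Hyper-V host as a Hyper-V administrator.
# Hypothetical names: tenant VM "Tenant-Web01", authorised DHCP server VM "Mgmt-DHCP01".
Import-Module Hyper-V

# Baseline for any VM that is not a trusted network service.
$tenantBaseline = @{
    DhcpGuard          = 'On'    # drop DHCP server replies (OFFER/ACK) sent *by* this VM
    RouterGuard        = 'On'    # drop router advertisements and redirects sent by this VM
    MacAddressSpoofing = 'Off'   # frames must carry the adapter's assigned MAC address
    PortMirroring      = 'None'  # this port may not receive copies of other ports' traffic
    AllowTeaming       = 'Off'   # guest-side NIC teaming is an easy way around MAC checks
    StormLimit         = 2000    # cap broadcast/multicast packets per second from this port
}

function Protect-TenantPort {
    param([Parameter(Mandatory)][string]$VMName)
    # Apply the same baseline to every adapter the VM has, not just the first one.
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        Set-VMNetworkAdapter -VMNetworkAdapter $nic @tenantBaseline
    }
}

function Get-UnprotectedPort {
    # Every VM adapter on this host that still permits one of the behaviours above.
    Get-VMNetworkAdapter -All |
        Where-Object {
            $_.DhcpGuard -ne 'On' -or $_.RouterGuard -ne 'On' -or
            $_.MacAddressSpoofing -ne 'Off' -or $_.PortMirroringMode -ne 'None'
        } |
        Select-Object VMName, Name, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroringMode
}

Protect-TenantPort -VMName 'Tenant-Web01'

# The one VM that legitimately serves DHCP keeps DHCP guard off and nothing else;
# because every other port is guarded, this is an explicit, reviewable exception.
Set-VMNetworkAdapter -VMName 'Mgmt-DHCP01' -DhcpGuard Off -RouterGuard On -MacAddressSpoofing Off

# Anything listed here is a finding to explain or fix.
Get-UnprotectedPort | Format-Table -AutoSize
```

The audit function is worth scheduling: these are per-adapter settings, so a VM restored from a backup, imported from another host, or given a second adapter later can silently come back with the guards off.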
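The cloning procedure above has several preconditions (VM Generation ID support, PDC emulator placement, group membership, no clone-unsafe software) and ends with a hand-written DCCloneConfig.xml. The following PowerShell is an added example, not code from the original page, that checks those preconditions in one pass and then generates the file with the cmdlet Windows Server 2012 provides; the DC names, site name and IP addresses are hypothetical.

```powershell
# Added example (not from the original page): pre-flight checks before cloning a
# virtualized Windows Server 2012 domain controller, then DCCloneConfig.xml generation.
# Run on the source DC that will be cloned (never the PDC emulator), as a domain admin.
# Hypothetical names: source DC02, clone DC03, site Default-First-Site-Name.
Import-Module ActiveDirectory

function Test-DCCloneReadiness {
    $problems = @()

    # 1. VM Generation ID: the hypervisor must expose the generation counter device.
    $genCounter = Get-CimInstance Win32_PnPEntity |
        Where-Object Name -eq 'Microsoft Hyper-V Generation Counter'
    if (-not $genCounter) {
        $problems += 'No VM Generation ID device (vmgencounter.sys): cloning and snapshot safety are unsupported on this hypervisor.'
    }

    # 2. The PDC emulator must run Windows Server 2012 or later and must not be this machine.
    $domain = Get-ADDomain
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
    if ($pdc.HostName -ieq "$env:COMPUTERNAME.$($domain.DNSRoot)") {
        $problems += 'This DC holds the PDC emulator; clone a different DC.'
    }
    $ver = [regex]::Match($pdc.OperatingSystemVersion, '^\d+\.\d+')   # e.g. "6.2 (9200)" -> 6.2
    if (-not $ver.Success -or [version]$ver.Value -lt [version]'6.2') {
        $problems += "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); it must be Windows Server 2012 or later."
    }

    # 3. The source DC must be a member of Cloneable Domain Controllers.
    $member = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' -Recursive |
        Where-Object { $_.objectClass -eq 'computer' -and $_.name -ieq $env:COMPUTERNAME }
    if (-not $member) {
        $problems += "$env:COMPUTERNAME is not a member of 'Cloneable Domain Controllers'."
    }

    # 4. Installed software not known to be clone-safe (DHCP Server, antivirus agents, ...).
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        $names = ($excluded | ForEach-Object Name) -join ', '
        $problems += "Not known to be clone-safe: $names. Remove them, or vet them and run Get-ADDCCloningExcludedApplicationList -GenerateXml to accept them in CustomDCCloneAllowList.xml."
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

$check = Test-DCCloneReadiness
$check.Problems | ForEach-Object { Write-Warning $_ }

if ($check.Ready) {
    # Writes DCCloneConfig.xml into the NTDS folder (C:\Windows\NTDS by default). On first
    # boot after import, the clone promotes itself with this name, site and static address.
    New-ADDCCloneConfigFile -CloneComputerName 'DC03' -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.12'
    # Next: Stop-Computer; export or copy the VM; import it as a copy (new VM Generation ID);
    # start the clone. Never start the copied disk while the source DC is also running.
}
```

The allow-list step is where mistakes get made: adding an agent to CustomDCCloneAllowList.xml is a statement that you have verified it tolerates a new machine identity, not a way to silence the warning.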
Something very handy in your efforts to build private and hybrid clouds.

Different editions of Windows Server 2008
Standard Edition, Enterprise Edition, Datacenter Edition and Web Edition.

Standard Edition
Standard Server is considered the entry-level version of Windows Server 2008. It is suitable for smaller businesses and organizations. Standard Server supplies all the features discussed above, including Hyper-V virtualization and IIS 7, and also provides Network Address Translation and multihomed servers. Standard Server supports multiple processors and up to 4 GB of RAM on an x86-based server and 32 GB of RAM on an x64-based server. It provides a maximum of 250 Remote Access connections and 250 Terminal Services connections.

Enterprise Edition
The Enterprise Edition supplies all the features and tools provided by the Standard Edition. The major difference is that the Enterprise Edition is considered a workhorse platform for very large enterprise-wide networks. To provide the processing power needed for larger networks, the Enterprise Edition supports up to 8 processors and also supports server clustering (up to 16 cluster nodes, meaning that 16 servers can be tied together using the clustering feature and act as one large server). The Enterprise Edition allows up to 64 GB of RAM on an x86-based server and up to 2 TB on an x64-based system. This edition also provides unlimited Remote Access and Terminal Services client connections.

Datacenter Edition
The Datacenter Edition provides all the features found in the other editions and allows you to deploy servers with a great deal of hardware muscle. It supports many processors (32 on x86 and 64 on x64) and has the same RAM capacity as the Enterprise Edition (64 GB on x86 and 2 TB on x64). The Datacenter Edition provides unlimited Remote Access and Terminal Services connections. It also grants unlimited deployment of virtual server instances, whereas the limit with the Enterprise Edition is four and with the Standard Edition is one. The Datacenter Edition is considered the appropriate platform for very large-scale networks requiring access to large databases and real-time transaction validation.

Web Edition
The Web Edition is considered the ideal platform for web hosting and provides IIS 7 as its web platform. It supports multiple processors (four on both x86 and x64 systems) and up to 4 GB of RAM on an x86-based server and 32 GB of RAM on an x64-based server. As a product intended for delivery of web-based content, the Web Edition does not support common server services such as Remote Access or Terminal Services.

Differences between Windows Server 2000 and Windows Server 2003
Each item lists Windows Server 2000 first, then Windows Server 2003.
1. Domain renaming not possible | Domain renaming possible.
2. No built-in firewall | Built-in firewall.
3. IIS 5.0 | IIS 6.0.
4. IE 5.0 | IE 6.0.
5. 32-bit only | 64-bit versions available.
6. No enhancements to Terminal Services | Terminal Services enhanced.
7. No DNS stub zones | DNS stub zones.
8. No shadow copies | Shadow copies.
9. Schema version 13 | Schema version 30 (2003 changes the schema).
10. 4-node clustering | 8-node clustering.
11. No hardware compatibility list support | Hardware Compatibility List issued by Microsoft.
12. Kernel version Windows NT 5.0 | Kernel version Windows NT 5.2 (NT 5.1 is Windows XP).
13. Up to 1 million users | Up to 1 billion users.
14. No improvement to print management | Improved print management.
15. IPv4 only | IPv4 and IPv6.
16. No Telnet sessions | Telnet sessions available.
17. About 620 Group Policy settings | About 720 Group Policy settings. More settings give you more to lock down, but the count alone does not make a server more secure; the settings you actually enforce do.
18. No .NET support | .NET supported.
19. Up to 8 processors and 64 GB of RAM | Up to 64 processors and 512 GB of RAM.
20. Server and Advanced Server editions | Standard, Enterprise, Datacenter and Web Server editions.
21. Basic DFS | Enhanced DFS with multiple roots.
22. Complex administration | Easier administration.
23. No such service | Volume Shadow Copy Service, which creates disk snapshots used in disaster recovery.
24. No end-user policy management | End-user policy management in the Group Policy Management Console (GPMC).
25. Cross-domain trust relationships | Cross-forest trust relationships.
26. No ADFS | ADFS (Active Directory Federation Services, from 2003 R2), used for authenticated access between branches and partners.
27. No FSRM | Improved storage management with File Server Resource Manager (FSRM, from 2003 R2).
28. No SharePoint Services | Windows SharePoint Services, an integrated portfolio of collaboration and communication services designed to connect people, information, processes and systems both within and beyond the organizational firewall.
29. Installing Terminal Services prompts you to choose application server mode or administrative mode; both can be installed on one server in turn, but it performs only one function at a time | Still distinguishes between application and administrative services, but installation and management are consolidated.

Differences between Windows Server 2000 AD and Windows Server 2003 AD
1. Only 1 million objects can be created | 2 million objects can be created.
2. No universal group membership caching | Universal group membership caching (a DC can log users on without a global catalog).
3. No application directory partitions | Application directory partitions.
4. About 620 Group Policy settings | About 720 Group Policy settings.
5. Parent and child domains have the built-in transitive trust, but there is no transitive trust between forests | Forest trusts add a transitive trust between two forests.
6. Emergency Repair Disk (ERD) | Automated System Recovery (ASR).

Differences between Windows Server 2003 and Windows Server 2008
1. No read-only DC | Read-Only Domain Controller (RODC) introduced.
2. RIS (Remote Installation Services) | WDS (Windows Deployment Services).
3. Boot sequence changed (bootmgr and the BCD store replace NTLDR and Boot.ini).
4. Role-based installation: services are known as roles.
5. Group Policy management is a separate console (GPMC) rather than part of the AD tools.
6. Hyper-V introduced.
7. IIS 6.0 | IIS 7.0.
8. Better security.
9. Enhanced Terminal Services.
10. Network Access Protection.
11. PowerShell.
12. Windows Aero.
13. BitLocker Drive Encryption.
14. 2003 can only be installed as a full OS | 2008 can be installed either as a full installation (all services and applications) or as Server Core (only the minimal required services).
15. Active Directory has been renamed Active Directory Domain Services (AD DS).
16. 2003 was made to manage XP networks | 2008 is made to manage Vista and Windows 7 networks, and Windows 8 too (I think so).
17. The Group Policy and Active Directory schemas have been altered to include Vista policies.
18. Active Directory Recycle Bin (Windows Server 2008 R2).
19. IT professionals can use the Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object. Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources.
20. Active Directory Administrative Center (Windows Server 2008 R2): a task-oriented administration model with support for larger datasets. It can increase the productivity of IT professionals by providing a scalable, task-oriented user experience for managing AD DS. In the past, the lack of a task-oriented UI could make certain activities, such as resetting user passwords, more difficult than they had to be. The Administrative Center enumerates and organizes the activities you perform when managing a system.
21. Active Directory Best Practices Analyzer (Windows Server 2008 R2): the BPA identifies deviations from best practices to help IT professionals better manage their Active Directory deployments. It uses Windows PowerShell cmdlets to gather run-time data, analyzes Active Directory settings that can cause unexpected behaviour, and makes configuration recommendations in the context of your deployment.

Types of servers
The common types of network servers are as follows:
Server platform: the fundamental hardware or software for a system that acts as the engine driving the server; often used synonymously with the operating system.
Application server: also known as a type of middleware, it occupies the computing space between database servers and the end user and is commonly used to connect the two.
Audio/video server: provides multimedia capabilities to websites by helping the user broadcast streaming multimedia content.
Chat server: lets users exchange data in an environment similar to Internet newsgroups, with real-time discussion capabilities.
Fax server: a good option for organizations that want minimal incoming and outgoing telephone resources but still need to fax actual documents.
FTP server: runs one of the oldest Internet services, the File Transfer Protocol, with control over which files can be transferred. Plain FTP sends credentials and data in cleartext; use FTPS or SFTP where confidentiality matters.
Groupware server: software that enables users to work together, irrespective of location, through the Internet or a corporate intranet, in a shared virtual workspace.
IRC server: an option for real-time discussion. Internet Relay Chat comprises separate network servers that enable users to connect to each other through an IRC network.
List server: a better way of managing mailing lists. The list can be an open interactive discussion or a one-way list that distributes announcements, newsletters or advertising.
Mail server: transfers and stores mail over corporate networks through LANs and WANs and across the Internet.
News server: a distribution and delivery source for many public newsgroups, reachable over the USENET news network.
Proxy server: a mediator between a client program and an external server that filters requests, improves performance and shares connections.
Telnet server: lets users log on to a host computer and execute tasks as if they were working at that computer. Telnet sends everything, including passwords, in cleartext; SSH replaced it for that reason.
Virtual server: a virtual server behaves like a physical computer: it is dedicated to an individual customer's demands, can be booted independently and keeps the privacy of a separate machine. It narrows the gap between shared and dedicated hosting at lower cost, and has become ubiquitous in the data center.
Web server: provides static content to a web browser by loading a file from disk and transferring it across the network to the user's web browser.
This exchange is intermediated by the browser and the server, communicating using HTTP.Seven Important Files while Booting the OSBoot.ini(MBR-Master Boot Record)-:is the starting point to reads it read the starting point.NTLDR:-Load the OS into the RAM.IO.SYS:-To check the contents wheather they loaded into the RAM or not.Autoexe.bat.Config.sysMsdos..Different ways to install WindowsOS MEDIAIso fileNetwork Boot(pxe server which can install 100 os on 100 machines)TemplatesClones..ovf(open virtual file format.Windows 2008 and 2012 Cluster differencesFeature Windows Server Windows Server Value Statement2008 R2 Hyper-V 2012 Hyper-VAutomation support for Hyper-VWriting scripts for Hyper- V with in-box tools requires Windows Management Instrumentation (WMI) knowledge. That is, development skills are needed.Automation support consists of more than 150 built-in Hyper-V cmdlets for Microsoft Windows PowerShell. With these cmdlets, users canperform all available tasks in Hyper-V Manager, as well as several tasks exclusively in Windows PowerShell.Eliminates the need for development skills to perform automation support tasks.Affinity virtual machine rulesAdministrators can configure a preference that attempts to keep a designated virtual machine off the same node as similar virtual machines.Administrators can configure partnered virtual machines tomigrate simultaneously at failover.Migrates partnered virtual machines at failover.Anti-affinity virtual machine rulesThis feature is not supported.Administrators can specify that two virtual machines cannot coexist on the same node in a failover scenario.Ensures selectedmigrated virtual machines do not reside on thesame node in a failover.Application monitoringThis feature is not supported.The health of key services provided by virtual machines can be monitored. If an issue is detected, automatic corrective action can be initiated. Such action includes restarting a virtual machine ormoving it to a different Hyper-V server. 
This provides higher availability to workloads that do not support clustering.Provides monitoring for services and event logs inside virtual machines.Reduces the risk and impact of various issues.Backup capabilityData can be preserved by performing full-file backups. There are two methods for this:? Back up the virtual machine and snapshots as flat files when offline.? Use Windows Server or third-party tools to back up the virtual machine itself, with a normal backup of the operating system and data.Windows Server 2012Hyper-V supports incremental backup of virtual hard disks while the virtual machine is running:? During each incremental backup, only the differences are backed upReduces backup size and cost.Saves network bandwidth and disk space.Cluster Shared Volume (CSV)2.0This feature is not supported.Windows Server 2012Hyper-V can integrate with storage arrays for replication and hardware snapshots out of the boxSimplifies the configuration and operation of virtual machines.Provides greater security and enhanced performance.DHCP guardThis feature is not supported.DHCP guard drops server messages from unauthorized virtual machines that are acting as DHCP servers.DHCP server traffic from other virtual switch ports is automatically droppedProtects against rogueDHCP servers.Dynamic Memory, startup memory, and minimum memoryVirtual machines are assigned extra memory because Hyper-V cannot reclaim the memory from them after startup.Windows Server 2012Hyper-V can reclaim the unused memory from virtual machines with a minimum memory value lower than their startup value.Enables the consolidation of more virtual machines, especially in Virtual Desktop Infrastructure (VDI) environments.Data Center Bridging (DCB)This feature is not supported.Windows Server 2012Hyper-V uses DCB- capable hardware to converge multiple types of network traffic onto a single network adapter, with a maximum level of service to each.Helps to reduce the cost and complexity of maintaining separate 
traffic for network, management, live migration, and storage.Makes it easy to change allocations to different traffic flows.Disaster recoverySupport is provided for disaster recovery within IT environments and across datacenters, using geographically dispersed clustering capabilities.Failover clustering is used with hardware-basedSAN replication across datacenters. This approach is used to prevent the outage of an entire datacenter, but it is typically expensive.Asynchronous replication of virtual machines occurs over a network link from one Hyper-V host at a primary site to another Hyper-V host at a replica site. It also can restorethe system from an unplanned shutdown.In the event of failure (power outage, fire, or natural disaster) at the primary site, administrators can manually fail over production virtual machines to the Hyper-V server at the recovery site.During failover, virtual machines are brought back to a consistent point in time, and they can be accessed by the rest ofthe network within minutes.This version of Hyper-V is an affordable, reliable business continuity solution that can help to restore data at a remote site.Offers an affordable, in- box business continuity and disaster recovery solution.Provides the ability to quickly recover business functions during downtime, with minimal or no data loss.Delivers failure recovery in minutes.Encrypted cluster volumesThis feature is not supported.Microsoft BitLocker- encrypted cluster disks provide security for deployment outside the secure datacenter. 
They also provide a safeguard for the cloud.Enhances physical security for deployment outside the secure datacenter.Extension monitoringThis feature is not supported.Multiple monitoring and filtering extensions can be supported at the entrance and outlet portions of the Hyper-V Extensible Switch.Provides traffic visibility at different layers and enables statistical traffic data to be gathered.Extension uniquenessThis feature is not supported.Extension state/configuration is unique to each instance of a Hyper-V Extensible Switch on a machine.Provides enhanced security through a unique extension state.Guest clusteringGuest clustering is supported by using iSCSI.Workloads can be virtualized by directly accessing cluster guest operating systems and storage over Fibre Channel or through iSCSI.Provides the ability to connect Fibre Channel directly from within virtual machines.Generic Routing EncapsulationThis feature is not supported.Hyper-V Network Virtualization uses Generic Routing Encapsulation (GRE) IP packets to map a virtual network to a physicalnetwork. It can use as few as one IP address perhost.Enables better performance by reducing the burden on the switches.Hyper-V Extensible SwitchThis feature is not supported.The Hyper-V Extensible Switch is a Layer 2 virtual network switch that provides programmatically managed and extensible capabilities to connect virtual machines to the physical network. The Hyper-V Extensible Switch is an openplatform that lets vendors provide extensionswritten to standard Windows application programming interface (API) frameworks.Provides an open platform for partners’ plug-ins. Unified management, easier support, and core services for extensions are provided without charge. 
For example, all extensions have live migration support by default, and no special coding for services is required.

Hyper-V host and workload support
Hyper-V 2008 R2: Users can configure up to 64 logical processors on hardware, 1 TB of physical memory, 4 virtual processors, and up to 64 GB of memory on a virtual machine. Up to 16 nodes and 1,000 virtual machines in a cluster can also be supported.
Windows Server 2012 Hyper-V: Users can configure up to 320 logical processors on hardware, 4 TB of physical memory, 64 virtual processors, and up to 1 TB of memory on a virtual machine. Up to 64 nodes and 8,000 virtual machines in a cluster can also be supported.
Benefit: Improves performance and maximizes the use of processors and memory.

Hyper-V smart paging
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: If a virtual machine is configured with a lower minimum memory than its startup memory and Hyper-V needs additional memory to restart it, Hyper-V smart paging is used to bridge the gap between minimum and startup memory.

Hyper-V clustering
Hyper-V 2008 R2: Hyper-V 2008 R2 has specific features, like failover clustering and clustered live migration, that are related to Hyper-V clustering. These features are described later in this table.
Windows Server 2012 Hyper-V: Windows Server 2012 Hyper-V provides protection against application and service failure, and system and hardware failure.

IP address rewrite
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Each virtual machine customer address (CA) is mapped to a unique host provider address (PA). Hyper-V Network Virtualization uses IP address rewrite to map the CA to the PA.

Importing virtual machines
Hyper-V 2008 R2: A virtual machine's files that are to be imported can be duplicated and imported at another time.
Windows Server 2012 Hyper-V: With the Import Wizard, users can quickly and reliably import virtual machines from one server to another.
The Import Wizard detects and fixes problems and does not require a virtual machine to be exported.
Benefit: Provides a simpler, more streamlined way to import or copy virtual machines.

Live migration
Hyper-V 2008 R2: Windows Server 2008 R2 introduced the Live Migration feature, which permits users to move a running virtual machine from one physical computer to another with no downtime, assuming that the virtual machine is clustered.
Windows Server 2012 Hyper-V: Windows Server 2012 Hyper-V provides the ability to migrate virtual machines, with support for simultaneous live migrations. That is, users can move several virtual machines at the same time. Live migrations are not limited to a cluster. Virtual machines can be migrated across cluster boundaries, and between stand-alone servers that are not part of a cluster.
Benefit: Provides faster and simultaneous migration. Provides dynamic mobility of virtual machines across the datacenter.

Live storage migration
Hyper-V 2008 R2: A virtual machine's storage can be moved only while the virtual machine is shut down.
Windows Server 2012 Hyper-V: Live storage migration allows users to move virtual hard disks that are attached to a running virtual machine. Users can transfer virtual hard disks to a new location for upgrading or migrating storage, performing back-end storage maintenance, or redistributing the storage load.
Benefit: Provides better flexibility and control while managing storage in a cloud environment. Provides flexibility to move virtual hard disks without downtime.

Clustered live migration
Hyper-V 2008 R2: The Live Migration feature requires the Failover Clustering feature to be added and configured on servers running Hyper-V. Hyper-V and failover clustering can be used together to make a virtual machine highly available.
Windows Server 2012 Hyper-V: Live migrations in a clustered environment can use higher network bandwidths (up to 10GB). Administrators can perform multiple simultaneous live migrations.
Benefit: Provides quicker migration by using higher network bandwidth.

Multitenant security and isolation
Hyper-V 2008 R2: Server virtualization provides isolation between virtual machines.
However, the network layer of the datacenter is not fully isolated, and Layer 2 connectivity is implied between different workloads that are running over the same infrastructure.
Windows Server 2012 Hyper-V: Server virtualization provides a fully isolated network layer of the datacenter through programmatically managed and extensible capabilities. This enables connection to the network of virtual machines with policy enforcement for security and isolation.
Benefit: Provides flexibility to restrict access to a virtual machine on any node while maintaining isolation of the network and storage traffic. Provides enhanced security and isolation of customers' networks from one another.

Multiple extensions on the same switch
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Multiple extensions can coexist on the same Hyper-V Extensible Switch.
Benefit: Provides a cost-effective solution with better manageability and security.

Multipath I/O (MPIO) functionality for Fibre Channel storage within a virtual machine
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Windows Server 2012 Hyper-V uses MPIO functionality for proper connectivity to Fibre Channel storage within a virtual machine.
Benefit: Helps to ensure highly available connectivity.

Merging snapshots
Hyper-V 2008 R2: In Hyper-V 2008 R2, merging a snapshot into a parent virtual machine requires the virtual machine to be turned off for the entirety of the merge operation.
Windows Server 2012 Hyper-V: The Hyper-V Live Merge feature allows users to merge snapshots back into the virtual machine while it continues to run.
Benefit: Provides flexibility to manage snapshots while a virtual machine is running. Minimizes use of space for virtual machines with

Network virtualization
Hyper-V 2008 R2: Virtual LANs (VLANs) are used to isolate networks, but they are very complex to manage on a large scale.
Windows Server 2012 Hyper-V: Hyper-V Network Virtualization helps to isolate network traffic on a shared infrastructure without the need to use VLANs.
It also allows users to move virtual machines, as needed, within a virtual infrastructure while preserving virtual network assignments.
Benefit: Helps to achieve maximum performance with no new hardware (servers, switches, or appliances).

Non-Uniform Memory Access (NUMA) support inside virtual machines
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: A NUMA topology can be projected onto a virtual machine, and guest operating systems and applications can make intelligent NUMA decisions.
Benefit: Provides enhanced performance on large virtual machines by enabling the guest operating system and applications to access local memory faster than remote memory.

Network Interface Card (NIC) Teaming for load balancing and failover (LBFO)
Hyper-V 2008 R2: Hyper-V 2008 R2 uses network adapter teaming, a third-party technology that provides fault tolerance for multiple network adapters.
Windows Server 2012 Hyper-V: Windows Server 2012 Hyper-V provides built-in support for NIC Teaming: a virtual machine can have virtual network adapters that are connected to more than one virtual switch. If a network adapter under that virtual switch is disconnected, it still has connectivity.
NIC Teaming supports up to 32 network adapters in a team.
Benefit: Provides higher reliability against network failure.

Offloaded data transfer support
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Windows Server 2012 Hyper-V uses SAN copy offload to copy large amounts of data from one location to another.
Benefit: Allows the CPU to concentrate on the processing needs of an application. Provides rapid provisioning and migration of virtual machines.

Private virtual local area network (LAN), or PVLAN
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: PVLANs allow Hyper-V administrators to isolate virtual machines from each other (for example, virtual machines cannot contact other virtual machines over the network), while still maintaining external network connectivity for all virtual machines.
Benefit: Increases virtual machine isolation in a multitenant environment, while not degrading access to public network resources.

Router guard
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Router guard drops router advertisement and redirection messages from unauthorized virtual machines that are acting as routers.
Benefit: Provides better security and an authorization check for virtual machines.

Runtime memory configuration
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Users can make configuration changes to Dynamic Memory (increase maximum memory or decrease minimum memory) when a virtual machine is running.
Benefit: Provides flexibility to use Dynamic Memory as needed, without affecting other virtual machines.

Resource Metering in Hyper-V
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Resource Metering allows users to track how many CPU, memory, storage, and network resources are consumed by a virtual machine over time.
This information is gathered automatically (without the need to constantly collect data from the virtual machine) and persists with the virtual machine through live migration and other mobility operations.
Benefit: Enables users to track the use of virtual machines.

Support for 4 KB disk sectors in Hyper-V virtual hard disks
Hyper-V 2008 R2: This feature is not supported.

Virtual machine failover prioritization
Hyper-V 2008 R2: Administrators can configure the preference for node order on failover.
Windows Server 2012 Hyper-V: Administrators can configure priorities to control the order of virtual machine failover. Lower priority virtual machines automatically release resources if they are needed for higher priority virtual machines.
Benefit: Ensures the availability of critical virtual machines. Provides optimum resource use by ensuring resource availability for high-priority virtual machines.

Virtual Fibre Channel in Hyper-V
Hyper-V 2008 R2: This feature is not supported.
Windows Server 2012 Hyper-V: Virtual Fibre Channel in Hyper-V provides Fibre Channel ports within the guest operating system.
Benefit: Enables Fibre Channel to connect directly from within virtual machines.

RAID:-

RAID level 0 – Striping
In a RAID 0 system data are split up into blocks that get written across all the drives in the array. By using multiple disks (at least 2) at the same time, this offers superior I/O performance. This performance can be enhanced further by using multiple controllers, ideally one controller per disk.
Advantages
RAID 0 offers great performance, both in read and write operations. There is no overhead caused by parity controls.
All storage capacity is used; there is no disk overhead.
The technology is easy to implement.
Disadvantages
RAID 0 is not fault-tolerant. If one disk fails, all data in the RAID 0 array are lost.
It should not be used on mission-critical systems.
Ideal use
RAID 0 is ideal for non-critical storage of data that have to be read/written at a high speed, such as on a Photoshop image retouching station.

RAID level 1 – Mirroring
Data are stored twice by writing them to both the data disk (or set of data disks) and a mirror disk (or set of disks). If a disk fails, the controller uses either the data drive or the mirror drive for data recovery and continues operation. You need at least 2 disks for a RAID 1 array.
RAID 1 systems are often combined with RAID 0 to improve performance. Such a system is sometimes referred to by the combined number: a RAID 10 system.
Advantages
RAID 1 offers excellent read speed and a write speed that is comparable to that of a single disk.
In case a disk fails, data do not have to be rebuilt; they just have to be copied to the replacement disk.
RAID 1 is a very simple technology.
Disadvantages
The main disadvantage is that the effective storage capacity is only half of the total disk capacity because all data get written twice.
Software RAID 1 solutions do not always allow a hot swap of a failed disk (meaning it cannot be replaced while the server keeps running). Ideally a hardware controller is used.
Ideal use
RAID 1 is ideal for mission-critical storage, for instance for accounting systems. It is also suitable for small servers in which only two disks will be used.

RAID level 3
On RAID 3 systems, data blocks are subdivided (striped) and written in parallel on two or more drives. An additional drive stores parity information.
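The parity that RAID 3 and RAID 5 rely on is a plain bitwise XOR of the data blocks in a stripe. The following PowerShell is an added example (not from the original page) that builds a constructed four-disk stripe in memory, lays it out RAID 5 style with the parity position rotating per stripe (RAID 3 would keep it on one dedicated drive), then "loses" one disk and rebuilds its block from the survivors. No real disks are touched; the function names are the example's own.

```powershell
# Added example: XOR parity as used by RAID 3/5, on constructed in-memory data.
# XOR is its own inverse, so any single missing block in a stripe can be rebuilt
# from the remaining blocks plus parity.

function Get-ParityBlock {
    param($DataBlocks)   # array of equal-length byte[] blocks
    $len = $DataBlocks[0].Length
    $parity = New-Object byte[] $len
    foreach ($block in $DataBlocks) {
        for ($i = 0; $i -lt $len; $i++) { $parity[$i] = $parity[$i] -bxor $block[$i] }
    }
    return ,$parity   # leading comma keeps the byte[] from being unrolled
}

# Rebuilding a lost block is the same XOR over whatever survived; it does not
# matter whether the lost disk held data or parity.
function Restore-MissingBlock {
    param($SurvivingBlocks)
    return Get-ParityBlock -DataBlocks $SurvivingBlocks
}

# Lay out one stripe on N+1 disks: N data blocks plus one parity block, with the
# parity disk rotating by stripe index (RAID 5); returns disk number -> block.
function New-Raid5Stripe {
    param($DataBlocks, [int]$StripeIndex)
    $diskCount  = $DataBlocks.Count + 1
    $parityDisk = $diskCount - 1 - ($StripeIndex % $diskCount)
    $disks = @{}
    $d = 0
    for ($disk = 0; $disk -lt $diskCount; $disk++) {
        if ($disk -eq $parityDisk) { $disks[$disk] = Get-ParityBlock -DataBlocks $DataBlocks }
        else { $disks[$disk] = $DataBlocks[$d]; $d++ }
    }
    return $disks
}

# Constructed sample stripe: three 4-byte data blocks (not real disk content).
$data = @(
    [byte[]](0x41, 0x42, 0x43, 0x44),
    [byte[]](0x10, 0x20, 0x30, 0x40),
    [byte[]](0xFF, 0x00, 0xFF, 0x00)
)
$stripe = New-Raid5Stripe -DataBlocks $data -StripeIndex 0   # parity lands on disk 3

# Simulate disk 1 failing and rebuild it from disks 0, 2 and 3.
$survivors = @()
foreach ($disk in 0, 2, 3) { $survivors += ,$stripe[$disk] }
$rebuilt = Restore-MissingBlock -SurvivingBlocks $survivors
'Rebuilt disk 1: ' + (($rebuilt | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
# Expected: 10 20 30 40, the block originally written to disk 1.

# Two lost disks leave two unknowns in one XOR equation, which is exactly why
# RAID 3/5 survive one failure only; RAID 6 adds a second, independent parity.
```

Running the block prints the reconstructed bytes of the failed disk; changing the failing disk to 3 (the parity disk for stripe 0) rebuilds the parity block instead, which shows why a RAID 5 rebuild cost is the same regardless of which member died.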
You need at least 3 disks for a RAID 3 array. Since parity is used, a RAID 3 stripe set can withstand a single disk failure without losing data or access to data.
Advantages
RAID 3 provides high throughput (both read and write) for large data transfers.
Disk failures do not significantly slow down throughput.
Disadvantages
This technology is fairly complex and too resource intensive to be done in software.
Performance is slower for random, small I/O operations.
Ideal use
RAID 3 is not that common in prepress.

RAID level 5
RAID 5 is the most common secure RAID level. It is similar to RAID 3 except that data are transferred to disks by independent read and write operations (not in parallel). The data chunks that are written are also larger. Instead of a dedicated parity disk, parity information is spread across all the drives. You need at least 3 disks for a RAID 5 array.
A RAID 5 array can withstand a single disk failure without losing data or access to data. Although RAID 5 can be achieved in software, a hardware controller is recommended. Often extra cache memory is used on these controllers to improve the write performance.
Advantages
Read data transactions are very fast while write data transactions are somewhat slower (due to the parity that has to be calculated).
Disadvantages
Disk failures have an effect on throughput, although this is still acceptable.
Like RAID 3, this is complex technology.
Ideal use
RAID 5 is a good all-round system that combines efficient storage with excellent security and decent performance. It is ideal for file and application servers.

RAID level 10 – Combining RAID 0 & RAID 1
RAID 10 combines the advantages (and disadvantages) of RAID 0 and RAID 1 in one single system.
It provides security by mirroring all data on a secondary set of disks (disks 3 and 4 in the drawing below) while using striping across each set of disks to speed up data transfers.

What about RAID levels 2, 4, 6 and 7?
These levels do exist but are not that common, at least not in prepress environments. This is just a simple introduction to RAID systems. You can find more in-depth information on the pages of Wikipedia or ACNC.

Migrating AD from 2003 to 2012:-

Transferring the Flexible Single Master Operations (FSMO) Roles
1. Open the Active Directory Users and Computers console on your new Windows Server 2012 R2 computer.
2. Right click your domain and select Operations Masters in the sub menu.
3. In the Operations Masters window, ensure the RID tab is selected.
4. Select the Change button.
5. Select Yes when asked about transferring the operations master role.
6. Once the operations master role has successfully transferred, click OK to continue.
7. Ensure the Operations Master box now shows your new 2012 R2 Windows Server.
8. Repeat steps 4 to 6 for the PDC and Infrastructure tabs.
9. Once completed, click Close to close the Operations Masters window.
10. Close the Active Directory Users and Computers window.

Changing the Active Directory Domain Controller
1. Open the Active Directory Domains and Trusts console on your new Windows Server 2012 R2 computer.
2. Right click your domain and select Change Active Directory Domain Controller... in the sub menu.
3. In the Change Directory Server window, select This Domain Controller or AD LDS instance.
4. Select your new 2012 R2 Windows Server.
5. Click OK to continue.
6. Back in the Active Directory Domains and Trusts window, hover over Active Directory Domains and Trusts in the folder tree on the left hand side to ensure the server now reflects your new 2012 R2 Windows Server.
7. Right click Active Directory Domains and Trusts in the folder tree and select Operations Master...
in the sub menu.
8. In the Operations Master window, click Change to transfer the domain naming master role to the 2012 R2 Windows Server.
9. When asked if you are sure you wish to transfer the operations master role to a different computer, click Yes.
10. Once the operations master is successfully transferred, click OK to continue.
11. Click Close to close the Operations Master window.
12. Close the Active Directory Domains and Trusts console.

Changing the Schema Master
1. Open a command prompt as administrator on your new Windows Server 2012 R2 computer.
2. In the command prompt window, enter regsvr32 schmmgmt.dll and press Enter.
3. Once completed successfully, click OK to close the RegSvr32 window.
4. Close the command prompt.

Add the Active Directory Schema Console from MMC
1. Open an MMC console on your new Windows Server 2012 R2 computer.
2. Click File > Add/Remove Snap-in...
3. In the Add or Remove Snap-ins window, select Active Directory Schema and click the Add > button.
4. Click OK to continue.

Change the Schema Master
1. In the same MMC console, right click Active Directory Schema and select Change Active Directory Domain Controller... in the sub menu.
2. In the Change Directory Server window, select This Domain Controller or AD LDS instance.
3. Select your new 2012 R2 Windows Server.
4. Click OK to continue.
5. A warning will appear stating that the Active Directory Schema snap-in is not connected. Click OK to continue.
6. Hover over the Active Directory Schema folder in the folder tree to ensure the new Windows Server 2012 R2 computer is shown.
7. Now right click Active Directory Schema and select Operations Master... in the sub menu.
8. In the Change Schema Master window, click Change to transfer the schema master role to the 2012 R2 Windows Server.
9. When asked if you are sure you wish to transfer the schema master role to a different computer, click Yes.
10. Once the schema master is successfully transferred, click OK to continue.
11. Click Close to close the Change Schema Master window.
12. In the MMC, click File > Exit.
13. When asked to save the console, click No.

Once completed, open the Active Directory Users and Computers console to verify that the Active Directory database successfully replicated to your new Windows Server 2012 R2 computer. Be aware that the database replication may take some time depending on the number of objects in Active Directory.

Removing the 2003 Windows Server from the Global Catalog Server role
1. Open Active Directory Sites and Services on your new Windows Server 2012 R2 computer.
2. Expand the Sites folder, then the Default-First-Site-Name folder, then the Servers folder.
3. Expand both listed servers. One should be your new 2012 Windows Server and one should be your 2003 Windows Server.
4. Right click NTDS Settings found under your old 2003 Windows Server.
5. In the sub menu, select Properties.
6. Under the General tab, unselect Global Catalog and then click the Apply button.
7. Click OK to continue.
8. Close the Active Directory Sites and Services window.
9. Verify that your new 2012 R2 Windows Server is running the FSMO roles by opening the command prompt as administrator and running the following command: netdom query fsmo
10. In the Network and Sharing Center, be sure to change the Preferred DNS server to match the Alternate DNS server, then delete the IP address listed under the Alternate DNS server should it currently be pointed to the old 2003 Windows Server.

Global Catalog:-
The Global Catalog is used to store Active Directory objects located in the domain and forest. A Global Catalog is a domain controller that stores a copy of all Active Directory objects in the forest: a full copy of the Active Directory objects in its host domain and a partial copy of all the objects in the other domains. The Global Catalog has two functions:
1.
It acts as a domain controller that stores object data.
2. It provides the data that permit network logon.
In the absence of a GC, a user can log on only to the local system. However, a member of the Domain Administrators group can log on to the network without a GC.
A global catalog is created automatically on the initial domain controller in the forest. We can add the global catalog to other domain controllers or change the default location of the global catalog to another domain controller.

To enable or disable the global catalog:
1. Open Active Directory Sites and Services.
2. In the console tree, click the domain controller where you want to enable the global catalog.
3. Right click NTDS Settings and click Properties.
4. Select the Global Catalog check box to enable it.

A Global Catalog performs the following roles:
a. Find objects:- A Global Catalog enables users to search directory information throughout all domains in the forest. Searches are performed with maximum speed and minimum network traffic. Suppose we want to search for people, a printer or a computer: once you enter the search request, it is routed to the default Global Catalog port 3268 and sent to the Global Catalog for resolution.
b. Supply User Principal Name authentication:- A Global Catalog resolves user principal names when the authenticating domain controller does not have knowledge of the account. For example, if the user account is located in one domain and the user decides to log on with a user principal name from a computer located in another domain, the domain controller in that domain will be unable to find the user account and will then contact the Global Catalog to complete the logon request.
c. Supply universal group membership information in a multiple-domain environment:- Global group membership is stored in the domain.
Universal group membership is only stored in the Global Catalog. For example, when a user belongs to a universal group in a domain that is set to the functional level of Windows 2000 native or higher, the Global Catalog provides the universal group information to the user account at the time the user logs on at the domain controller. If the Global Catalog is not available on the server but the user account has built-in administrative authority, then the user can always log on to the domain even when the Global Catalog is not available.
d. Validate object references within a forest:- A Global Catalog is used by a domain controller to validate references to objects in other domains. When a domain controller holds an object with an attribute containing a reference to an object in another domain, this reference is validated by the Global Catalog.

During an interactive domain logon, the domain controller authenticates the user by verifying the user's identity, and also provides authorization data for the user's access token by determining all groups of which the user is a member. Because the global catalog is the forest-wide location of the membership of all universal groups, access to a global catalog server is a requirement for authentication in a multidomain forest. A global catalog server is also required for applications such as Microsoft Exchange Server. The recommendation is to have at least one global catalog server in each AD DS site. When a global catalog server is available in a site, the authenticating domain controller is not required to communicate across a WAN link to retrieve global catalog information.
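The console steps above for moving the FSMO roles and for the Global Catalog check box in Sites and Services map onto a few ActiveDirectory cmdlets. The PowerShell below is an added example, not part of the original page: it transfers all five roles to the new DC, verifies the result with the same netdom query the procedure uses, and then flips the GC flag (bit 0x1 of the options attribute on the NTDS Settings object, which is what the check box sets) so the new DC is a GC before the old one stops being one. The server names NEWDC01 and OLDDC01 are placeholders, and it assumes the RSAT ActiveDirectory module and Schema/Enterprise/Domain Admins rights.

```powershell
# Added example (not from the original page): FSMO transfer plus Global Catalog
# placement with the ActiveDirectory module. NEWDC01/OLDDC01 are placeholders.
Import-Module ActiveDirectory

$NewDc = 'NEWDC01'   # placeholder: 2012 R2 DC that will receive the roles
$OldDc = 'OLDDC01'   # placeholder: 2003 DC being retired

# 1. Record where the five roles live before the change.
$forest = Get-ADForest
$domain = Get-ADDomain
'Before: Schema={0} DomainNaming={1} PDC={2} RID={3} Infrastructure={4}' -f `
    $forest.SchemaMaster, $forest.DomainNamingMaster,
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster

# 2. Transfer (not seize) all five roles. A transfer needs the current holder
#    online; -Force (seize) is only for a holder that is permanently gone, and
#    a seized DC must never be brought back onto the network afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 3. Verify the same way the procedure does, plus the cmdlet view.
netdom query fsmo
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 4. Global Catalog flag: bit 0x1 of 'options' on the NTDS Settings object,
#    the attribute behind the Sites and Services check box.
function Set-GlobalCatalog {
    param([string]$DcName, [bool]$Enabled)
    $ntdsDn = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
    $ntds   = Get-ADObject -Identity $ntdsDn -Properties options
    $opts   = [int]$ntds.options
    $newOpts = if ($Enabled) { $opts -bor 1 } else { $opts -band (-bnot 1) }
    Set-ADObject -Identity $ntdsDn -Replace @{ options = $newOpts }
}

# Enable the GC on the new DC first: logon in a multidomain forest needs a
# reachable GC for universal group membership, so never leave a gap.
Set-GlobalCatalog -DcName $NewDc -Enabled $true
Set-GlobalCatalog -DcName $OldDc -Enabled $false

# 5. Confirm the change landed (replication of the GC partitions can take a while).
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog
```

The ordering in step 4 is the point: the GUI procedure on this page unticks the old server's Global Catalog box without first confirming the new server is a GC, and in a single-domain forest that is harmless, but in a multidomain forest it can break logons until replication catches up.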
It is recommended to make all domain controllers global catalog servers. The first domain controller that is created in the first domain in a forest is the Global Catalog server by default. If a domain has only one domain controller, that domain controller and the GC server are the same server. If an additional domain controller is added to the domain, users can configure that domain controller as a GC server. In order for Global Catalog servers to store a full copy of all objects in their host domain and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers.

Domain:-
A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database. A tree can have multiple domains.

Domain Controller:-
A domain controller is a Windows-based computer system that is used for storing user account data in a central database. It is the centerpiece of the Windows Active Directory service: it authenticates users, stores user account information and enforces security policy for a Windows domain. A domain controller allows system administrators to grant or deny users access to system resources, such as printers, documents, folders, network locations, etc., via a single user name and password. The KDC service is responsible for domain user logon. If you plan to use a server to provide Active Directory services to network users and computers, configure this server as a domain controller. The DC is also responsible for the security authentication requests made by users, who may be granted access to a number of network resources by using a user name and password.

AD Backup and Restore:-
Although you might have several domain controllers (DCs) providing fault tolerance for your domain, you still need to perform regular backups.
Windows backs up AD as part of the System State and restores the directory by booting a DC into Directory Services Restore Mode.
The default Directory Services Restore Mode restoration is non-authoritative. In this mode, Windows restores a DC's directory from the backup. Then the DC receives from its replication partners the new information that has been processed since the backup. For example, say we restore a DC using a 2-day-old backup. After the DC starts, its replication partners send all updates that have occurred in the past 2 days. This type of restore is typically used if a DC fails for hardware or software reasons.
An authoritative restoration restores the DC's directory to the state it was in when the backup was made, then overwrites all other DCs to match the restored DC, thereby removing any changes made since the backup. You don't have to perform an authoritative restoration of the entire directory; you can choose to make only certain objects authoritative. When you restore only parts of the directory, Windows updates the rest of the restored database by using information from the other DCs to bring the directory up to date, then replicates the objects that you mark as authoritative to the other DCs. This type of restore is most useful if you deleted, for example, an organizational unit (OU). In this case, you could restore an AD backup to a DC, mark the OU as authoritative, then start the DCs normally.
Because you marked the OU as authoritative, Windows will ignore the fact that the OU was previously deleted, replicate the OU to the other DCs, and apply all other changes made since the backup to the restored DC from its replication partners.

Non-Authoritative: the non-authoritative method restores Active Directory to the server on which the restore is being done; that server then receives all of the recent updates from its replication partners in the domain.
Authoritative: the authoritative method restores the DC's directory to the state it was in when the backup was made, then overwrites all the other DCs to match the restored DC.

Deleting the user and an OU, perform the following steps:
1. Open Active Directory Users and Computers, expand the required OU, and delete the user and the IT OU as shown in the figure.

Recovering a System State Backup, perform the following steps:
1. Restart the DC into Directory Services Restore Mode (press F8 on the keyboard immediately after the BIOS POST screen and before the Windows Server 2012 logo appears), OR:
   i.) At the command prompt, type bcdedit /set safeboot dsrepair and press Enter.
   ii.) At the command prompt, type shutdown -r -t 0 to restart the Domain Controller.
   OR:
   i.) In the Run box, type msconfig and press Enter.
   ii.) In the System Configuration window, under Boot options, check Safe boot and select Active Directory repair. Click OK and then restart the Domain Controller.
2. Log in with .\administrator and the Directory Services Restore Mode (DSRM) password you set up when you ran the AD DS installation, by clicking Switch User.
3. Right click the Safe Mode Start menu and click Command Prompt (Admin).
4. In the command prompt, type wbadmin get versions and press Enter. This will give you a view of the image backup catalogue for your server.
5. To start the restore process, type wbadmin start systemstaterecovery -version:08/22/2014-06:18 (using the version identifier from step 4). After executing this command you will be prompted to continue. Type Y for yes and press Enter.
The system state recovery operation starts and might take a few minutes or longer. Once recovery is finished, you are asked to restart your computer as shown in the figure. For an authoritative restore you do not restart the system yet.

Performing an Authoritative Restore, perform the following steps:
1. After the System State recovery completes, open Administrator: Command Prompt, type ntdsutil and then press Enter.
2. At the ntdsutil: prompt, type activate instance ntds, and then press Enter.
3. At the ntdsutil: prompt, type authoritative restore, and then press Enter.
4. This will bring up an authoritative restore prompt. At the prompt, type the following commands:
   restore object "cn=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com"
   restore subtree "OU=IT,OU=HeadOffice,DC=msserverpro,DC=com"
   Click Yes in the message box to confirm the Authoritative Restore. One record will be found and will be successfully updated. You will see the message Authoritative Restore completed successfully. Notice that NTDSUTIL increases attribute version numbers by 100,000 so that the restored objects win when replication resumes.
5. At the authoritative restore prompt, type quit and press Enter to exit authoritative restore, and then type quit again and press Enter to exit ntdsutil.
6. In the same command prompt, type bcdedit /deletevalue safeboot and press Enter.
7. In the "recovery of the system state completed successfully" command prompt, type Y to restart the computer now.
8. Once restarted in normal mode, log on to the domain controller and press Enter to continue, acknowledging that the system state recovery operation has completed successfully.
9. Open Active Directory Users and Computers and make sure that the deleted user object and OU have been restored.

Summary: This is part of the AD DS disaster recovery procedures. You must test the restore procedures for an authoritative restore before you implement them throughout the organization. The above article outlines how to carry out an authoritative restore in Windows Server 2012 R2.
It will also work in Windows Server 2008 R2. I hope this helps.

Perform a Nonauthoritative Restore
Log on to the DC that you want to restore with a domain administrator account.
1. Open a command prompt using the blue PowerShell icon on the desktop taskbar, or from the Start screen. In the PowerShell console window, type bcdedit /set safeboot dsrepair and press Enter.
2. Reboot the server and it will start in Directory Services Restore Mode (DSRM). You can do this quickly from the command prompt by typing shutdown -t 0 -r and pressing Enter.
3. Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password you set when promoting the server to a DC. The user name for DSRM is administrator. If the server is booted in safe mode, this will be displayed on the desktop.
4. Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen. In the PowerShell console, type wbadmin get versions to show the available backups. The latest backup will be shown last in the list. Make a note of the version identifier for the backup you want to use for recovery, as it will be needed in the next step.
5. Now type wbadmin start systemstaterecovery -version:12/23/2013-10:40 and press Enter, replacing the date and time with the version identifier for the backup that you want to restore. Answer Yes when prompted to confirm the restore operation. You will be prompted to confirm again; answer Yes.
6. Wait for the recovery process to finish; it may take some time. You will be able to see the progress in the PowerShell console.
7. Reboot the system when prompted. Log back on using the DSRM password and you will see a command prompt dialog confirming that the system state recovery operation completed successfully. Press Enter to continue.
8. Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
Type bcdedit /deletevalue safeboot and press Enter to remove the DSRM setting from the boot configuration. Type shutdown -t 0 -r and press Enter to restart the system and boot back to an operational domain controller.

Method 1: Press F8 to restart in DSRM.
1. Restart the domain controller. Some computers might require you to shut down the computer, rather than restart it, to see the option to start the domain controller in DSRM.
2. After the boot option menu appears, press F8 to start the domain controller in DSRM.
3. When the recovery options menu appears, select the option for DSRM.

Method 2: Use Bcdedit.exe to restart in DSRM.
1. Click Start, click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
   bcdedit /set safeboot dsrepair
3. Type the following command, and then press ENTER:
   shutdown -t 0 -r
4. To restart the server normally after you perform the restore operation, type the following command, and then press ENTER:
   bcdedit /deletevalue safeboot
5. Type the following command, and then press ENTER:
   shutdown -t 0 -r

You can use this procedure to perform a nonauthoritative restore of AD DS. After replication occurs and is complete, AD DS is recovered on the domain controller. You can use the DSRM administrator password to log on either locally or remotely to the domain controller that you are restoring. You specify the DSRM password when you install AD DS.

To perform a nonauthoritative restore of AD DS:
1. At the Windows logon screen, click Switch User, and then click Other User.
Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.Click Start, right-click Command Prompt, and then click Run as Administrator.At the command prompt, type the following command, and then press ENTER:wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName> Where:<targetDrive>: is the location of the backup that you want to restore.<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. Identify the version that you want to restore. You must enter this version exactly in the next step.At the command prompt, type the following command, and then press ENTER:wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet Where:<MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.<targetDrive>: is the volume that contains the backup.<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup.After the recovery operation has completed, if you are not going to perform an authoritative restore of any restored objects, restart the server. SYSVOL:-Sysvol folder is reside in each in every domain controller in the domain. 
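The nonauthoritative restore procedure above, scripted in PowerShell. This is an added example and not code from the original page: it drives the same bcdedit and wbadmin steps in three phases (flag DSRM, restore from inside DSRM, clear the flag), picks the newest backup from wbadmin get versions instead of retyping the version identifier, and records the current SYSVOL replication engine, since the restore prompt asks whether that engine changed after the backup was taken. The drive letter E: and the three phase names are assumptions; Windows Server Backup and an elevated Windows PowerShell 5.1 session are assumed.

```powershell
# Added example (not from the original page): scripted nonauthoritative
# system state restore of a DC, following the bcdedit/wbadmin steps above.
# Assumptions: Windows Server Backup installed, backups on drive E:
# (placeholder), elevated Windows PowerShell 5.1. Phases: prepare (flag DSRM
# and reboot), restore (run while booted in DSRM), finish (clear flag, reboot).
param(
    [ValidateSet('prepare','restore','finish')][string]$Phase = 'prepare',
    [string]$BackupTarget = 'E:',              # placeholder backup drive
    [string]$Machine      = $env:COMPUTERNAME
)

function Get-LatestWbVersion {
    param([string]$Target, [string]$Machine)
    # wbadmin prints one "Version identifier: MM/DD/YYYY-HH:MM" line per
    # backup, oldest first, so the last match is the newest backup.
    $out = & wbadmin get versions "-backuptarget:$Target" "-machine:$Machine" 2>&1
    $ids = @($out | Select-String 'Version identifier:\s*(\S+)' |
              ForEach-Object { $_.Matches[0].Groups[1].Value })
    if ($ids.Count -eq 0) { throw "No backups found on $Target for $Machine" }
    return $ids[-1]
}

function Test-InDsrm {
    # While booted in DSRM the current boot entry carries "safeboot DsRepair".
    $bcd = & bcdedit /enum '{current}'
    return [bool]($bcd | Select-String -Pattern '^safeboot\s+DsRepair' -Quiet)
}

function Get-SysvolEngine {
    # dfsrmig /getglobalstate reports the SYSVOL migration state; Start means
    # FRS still replicates SYSVOL, Eliminated means DFS-R does, anything else
    # is mid-migration. Recorded so the restore prompt about the replication
    # engine can be answered from evidence rather than memory.
    $state = (& dfsrmig /getglobalstate) -join ' '
    if ($state -match 'Eliminated') { return 'DFSR' }
    if ($state -match 'Start')      { return 'FRS'  }
    return 'Migrating'
}

switch ($Phase) {
    'prepare' {
        & bcdedit /set safeboot dsrepair | Out-Null
        Write-Host 'DSRM flagged for next boot; rebooting.'
        & shutdown -t 0 -r
    }
    'restore' {
        if (-not (Test-InDsrm)) { throw 'Not booted in DSRM; run the prepare phase first.' }
        $v = Get-LatestWbVersion -Target $BackupTarget -Machine $Machine
        Write-Host "SYSVOL engine now: $(Get-SysvolEngine); restoring version $v"
        # -quiet suppresses the two Y/N prompts described above; drop it to
        # answer them interactively.
        & wbadmin start systemstaterecovery "-version:$v" "-backuptarget:$BackupTarget" "-machine:$Machine" -quiet
    }
    'finish' {
        # Remove the DSRM flag and reboot to a normal domain controller.
        & bcdedit /deletevalue safeboot | Out-Null
        & shutdown -t 0 -r
    }
}
```

Run it as .\Restore-DcSystemState.ps1 -Phase prepare, log on with the DSRM administrator account after the reboot, run -Phase restore, and after the post-restore reboot run -Phase finish. The DSRM check in the restore phase is the safeguard: wbadmin systemstaterecovery on a live DC is refused anyway, but failing early with a clear message is cheaper than a half-run script.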
It contains the domain's public files that need to be accessed by clients and kept synchronized between domain controllers. It can be moved to another location during the promotion of a domain controller. The Sysvol folder uses DFS to share the folder and files to users and clients.
There are two replication technologies used to replicate the SYSVOL folder: File Replication Service (FRS) and Distributed File System Replication (DFS-R).

1. File Replication Service (FRS):-
Let's start by explaining the steps involved in keeping SYSVOL synchronised between domain controllers using FRS replication.
1. A file is written to the disk on an NTFS volume. An NTFS change journal entry is written and updated with details of the file. This journal is also called the USN journal; it contains the log of changes made to files on the NTFS volume.
2. The FRS service monitors the USN journal and applies a 3 second delay before creating an entry in the inbound log. This process is known as the aging cache. It prevents replication while the file is still being updated.
3. FRS calls the backup API, which uses VSS technology to take a snapshot of the file and its attributes. This backup file is then compressed and stored in the staging area folder.
4. At this point the outbound log is updated (again, this is actually a table within the FRS database). If in step 1 a file was deleted rather than created, no staging file is created, but the outbound log reflects the deletion.
5. FRS on DC1 then sends a change notification to its replication partner DC2.
6. DC2 adds the information about the change into its inbound log, accepts the change, and then sends a change acknowledgment back to DC1.
7. DC2 then copies the file from DC1 into its staging area. It then writes an entry to its outbound log to allow other partners to pick up the change.
8. DC2 then calls the backup API to restore the file from the staging area into the SYSVOL folder.
So there you have it, FRS replication.

2. Distributed File System Replication (DFS-R):-
A brand new domain built upon Windows 2008 or higher will automatically use DFS-R to replicate its SYSVOL. The main difference from FRS is that instead of replicating entire files, only the chunks of data that have changed are replicated. This is achieved by creating an MD4 (Message Digest version 4, a 128-bit cryptographic hash function) hash of the file. Inbound and outbound logs are not required, as replication partners exchange version vectors to identify which files have to be replicated between them.
Domain controllers use a special shared folder named SYSVOL to replicate logon scripts and Group Policy object files to other domain controllers. Windows 2000 and 2003 servers use FRS, and Windows 2008 servers use DFS-R.

Migration Process for SYSVOL Replication – from FRS to DFS-R:-
1. Before SYSVOL migration begins, FRS replicates the SYSVOL shared folder.
2. FRS continues to replicate the SYSVOL shared folder that the domain uses, while DFS Replication replicates a copy of the SYSVOL folder. This copy of the SYSVOL folder is not used to service requests from other domain controllers.
3. The DFS Replication copy of the SYSVOL folder becomes responsible for servicing SYSVOL requests from other domain controllers. FRS continues to replicate the original SYSVOL folder, but DFS Replication now replicates the production SYSVOL folder that domain controllers in the Redirected state use.
4. DFS Replication continues to handle all the SYSVOL replication. Windows deletes the original SYSVOL folder, and FRS no longer replicates SYSVOL data.
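The four-state migration just described, driven from PowerShell with the dfsrmig utility. This is an added example, not code from the original page or from Microsoft: it parses dfsrmig /getglobalstate and /getmigrationstate, refuses to skip a state (the migration must go Start, Prepared, Redirected, Eliminated in order), waits until every DC reports the new global state before returning, and, because the Eliminated state cannot be rolled back, demands an explicit confirmation before entering it. The function names, the 30 minute default timeout and the use of Windows PowerShell 5.1 with the RSAT ActiveDirectory module are assumptions; the exact wording of the dfsrmig messages is matched loosely for the same reason.

```powershell
# Added example (not from the original page): step the SYSVOL replication
# migration through its states with dfsrmig and verify each transition.
# Assumptions: run elevated on a DC (dfsrmig writes the global state on the
# PDC emulator), Windows PowerShell 5.1, RSAT ActiveDirectory module present.
$StateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Get-DfsrMigGlobalState {
    # dfsrmig /getglobalstate reports e.g. "Current DFSR global state: 'Prepared'";
    # map the state name back to its number.
    $text = (& dfsrmig /getglobalstate) -join ' '
    foreach ($k in 0..3) {
        if ($text -match $StateNames[$k]) { return $k }
    }
    throw "Unrecognised dfsrmig output: $text"
}

function Test-AllDcsReachedGlobalState {
    # /getmigrationstate reports that all domain controllers have migrated
    # successfully once every DC agrees; until then it lists the stragglers.
    $text = (& dfsrmig /getmigrationstate) -join ' '
    return $text -match 'have migrated successfully'
}

function Step-SysvolMigration {
    param([ValidateRange(1,3)][int]$TargetState, [int]$TimeoutMinutes = 30)
    $current = Get-DfsrMigGlobalState
    if ($current -eq 3) { Write-Host 'Migration already in Eliminated state.'; return $true }
    # States must be entered one at a time: 0 -> 1 -> 2 -> 3.
    if ($TargetState -ne $current + 1) {
        throw "Global state is $($StateNames[$current]); next valid target is $($StateNames[$current + 1])."
    }
    if ($TargetState -eq 3) {
        # Eliminated deletes the FRS SYSVOL and cannot be rolled back.
        $ans = Read-Host 'Enter Eliminated state? FRS SYSVOL will be deleted and rollback is impossible. Type YES'
        if ($ans -ne 'YES') { return $false }
    }
    & dfsrmig /setglobalstate $TargetState | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-AllDcsReachedGlobalState) {
            Write-Host "All DCs reached $($StateNames[$TargetState])."
            return $true
        }
        Start-Sleep -Seconds 60   # state propagates through AD replication; poll slowly
    }
    Write-Warning "Timed out; inspect 'dfsrmig /getmigrationstate' and AD replication health."
    return $false
}

function Test-FrsDisabledEverywhere {
    # After Eliminated the FRS service (NtFrs) should be stopped and disabled on
    # every DC, as the page's final check requires. Returns $true when it is.
    Import-Module ActiveDirectory
    $ok = $true
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $svc = Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue
        if ($svc -and ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled')) {
            Write-Warning "$dc : NtFrs is $($svc.Status) / $($svc.StartType)"
            $ok = $false
        }
    }
    return $ok
}

# Usage (one state per run, re-checking SYSVOL health in between):
# Step-SysvolMigration -TargetState 1
# Step-SysvolMigration -TargetState 2
# if (Step-SysvolMigration -TargetState 3) { Test-FrsDisabledEverywhere }
```

The polling loop matters more than it looks: the global state is written once on the PDC emulator and every other DC only learns of it through normal AD replication, so a script that runs /setglobalstate 1 and immediately /setglobalstate 2 is the usual way to end up with DCs stuck in a transitional state.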
Migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication:-

Migrating to the Prepared State (FRS continues to replicate the SYSVOL shared folder, whereas DFS Replication replicates a copy of the SYSVOL shared folder):
1. Raise the domain functional level to Windows 2008.
2. Verify that the SYSVOL folder is healthy and that FRS is correctly replicating the folder.
3. Back up the data in the SYSVOL folder.
4. Verify that the DFS Replication service is installed.
5. Run the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
6. Wait for all domain controllers to reach the Prepared state, which you can verify by running the dfsrmig /GetMigrationState command.
7. Verify that migration to the Prepared state succeeded.

Migrating to the Redirected State (the DFS Replication copy of the SYSVOL folder becomes responsible for servicing SYSVOL requests from other domain controllers. FRS continues to replicate the original SYSVOL folder, but DFS Replication now replicates the production SYSVOL folder that domain controllers in the Redirected state use):
1. Verify that migration has reached the Prepared state on the domain controllers.
2. Run the dfsrmig /SetGlobalState 2 command on the PDC emulator to start the migration to the Redirected state.
3. Wait for all domain controllers to reach the Redirected state, which you can verify by running the dfsrmig /GetMigrationState command.
4. Verify that migration to the Redirected state succeeded.

Migrating to the Eliminated State (DFS Replication is exclusively responsible for SYSVOL replication. Windows deletes the original SYSVOL folder, and FRS no longer replicates SYSVOL data):
1. Verify that migration has reached the Eliminated state.
2. Run the dfsrmig /SetGlobalState 3 command on the PDC emulator to start the migration to the Eliminated state.
3. Wait for all domain controllers to reach the Eliminated state, which you can verify by running the dfsrmig /GetMigrationState command.
4. Verify that migration to the Eliminated state succeeded.

Rolling Back Migration (however, after you migrate to the Eliminated state, you can no longer roll back the migration of SYSVOL replication to DFS Replication).

Issues:-
1. Renaming of a domain controller is not supported. Renaming a domain controller during migration or replication fails. To rename a domain controller during the SYSVOL migration process, demote the domain controller, rename it, and then promote the domain controller again, as described in the following steps.
To rename a domain controller during the SYSVOL migration process:
1. At a command prompt, run the dcpromo command to demote the domain controller.
2. Open Server Manager from the Administrative Tools folder.
3. In the Server Manager window, click Change System Properties.
4. On the Computer Name tab of the System Properties dialog box, click Change.
5. Under Computer name in the Computer Name/Domain Changes dialog box, change the computer name to the new name, and then click OK twice.
6. At a command prompt, run the dcpromo command to re-promote the computer as a domain controller with the new name.

dfsrmig /GetMigrationState -- to check the migration status.
Dfsrmig migrates SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication. Its switches include:
/SetGlobalState <state> ....
/GetGlobalState ..
/CreateGlobalObjects ...
/DeleteRoNtfrsMember and /DeleteRoDfsrMember

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)
SYSVOL is a folder shared by a domain controller to hold its logon scripts, group policies and other items related to AD.
All the domain controllers in the network replicate the content of the SYSVOL folder. The default path for the SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install Active Directory. Windows Server 2003 and 2003 R2 use File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers, but Windows Server 2008 and later use Distributed File System (DFS) for the replication. DFS is more efficient than FRS. Since Windows Server 2003 is going out of support, most people have already migrated or are still looking to migrate to the latest versions. However, migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFS. Most engineers forget about this step when they migrate from Windows 2003 to newer versions. For FRS to DFS migration we use the Dfsrmig.exe utility. More info about it available on (v=ws.10).aspx
For the demo I am using a Windows Server 2012 R2 server, and I have already migrated the FSMO roles from a Windows Server 2003 R2 server. In order to proceed with the migration, the forest functional level must be set to Windows Server 2008 or later. So if your organization has not done this yet, the first step is to get the forest and domain functional levels updated.
You can verify whether the system uses FRS using dfsrmig /getglobalstate. To do this:
1) Log in to the domain controller as a Domain Admin or Enterprise Admin.
2) Launch a PowerShell console and type dfsrmig /getglobalstate.
The output explains that DFSR migration has not been initiated yet.
Before moving on to the configuration we need to look into the stages of the migration. There are four stable states going along with the four migration phases:
1) State 0 – Start
2) State 1 – Prepared
3) State 2 – Redirected
4) State 3 – Eliminated

State 0 – Start
With initiating this state, FRS will replicate the SYSVOL folder among the domain controllers. It is important to have an up-to-date copy of SYSVOL before beginning the migration process, to avoid any conflicts.
State 1 – Prepared
In this state, while FRS continues replicating the SYSVOL folder, DFSR will replicate a copy of the SYSVOL folder. It will be located in %SystemRoot%\SYSVOL_DFRS by default. But this SYSVOL will not respond to any domain controller service requests.
State 2 – Redirected
In this state the DFSR copy of SYSVOL starts to respond to SYSVOL service requests. FRS will continue the replication of its own SYSVOL copy but will not be involved with production SYSVOL replication.
State 3 – Eliminated
In this state, DFS Replication will continue its replication and servicing of SYSVOL requests. Windows will delete the original SYSVOL folder used by FRS replication and stop the FRS replication.
In order to migrate from FRS to DFSR it is a must to go from State 1 to State 3. Let's look into the migration steps.

Prepared State
1. Log in to the domain controller as a Domain Admin or Enterprise Admin.
2. Launch a PowerShell console.
3. Type dfsrmig /setglobalstate 1 and press Enter.
4. Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Prepared state.
Redirected State
1. Log in to the domain controller as a Domain Admin or Enterprise Admin.
2. Launch a PowerShell console.
3. Type dfsrmig /setglobalstate 2 and press Enter.
4. Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Redirected state.
Eliminated State
1. Log in to the domain controller as a Domain Admin or Enterprise Admin.
2. Launch a PowerShell console.
3. Type dfsrmig /setglobalstate 3 and press Enter.
4.
Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Eliminated state.
This completes the migration process. To confirm the SYSVOL share, type the net share command and press Enter. Also make sure that on each domain controller the FRS service is stopped and disabled.

FSMO Roles:-
In AD, domain controllers are assigned some special roles for your network to function properly. These roles are called FSMO roles, and a DC which holds such a role is called the FSMO role holder. During installation of AD all the FSMO roles are installed automatically on the first server, but best practice is to move these FSMO roles to other servers. If you have only one DC then there is nothing to do, since all the roles are on that DC. It is recommended to place the forest roles on one domain controller and the domain roles on another server. We will place the Infrastructure Master role on a server which is not a global catalog.
All Active Directory domain controllers are capable of performing single master operations. The domain controller that actually performs a single master operation is the domain controller that currently holds the operation's token, or the "role holder". Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles:

1. Forest-wide operations master roles.
a. Schema Master:- The SM is responsible for performing updates to the AD DS schema. Once a schema update is completed it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the entire forest. The SM is the only DC to perform write operations to the AD DS schema.
b. Domain Naming Master:- Responsible for the addition and removal of all the domains and directory partitions in the forest. There is only one domain naming master in the entire forest. You must be a member of the Enterprise Administrators group to make changes to the Domain Naming Master, such as transferring the FSMO role or adding domains to or removing them from the forest.

2. Domain-wide operations master roles.
a. PDC Emulator:- The PDC Emulator is necessary to synchronize the time in the enterprise. Windows includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol. Password changes performed by other domain controllers in the domain are replicated to the PDC Emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. The PDC Emulator has the highest impact on the performance of the domain controller. The PDC Emulator processes all the replication requests from the PDC to the Backup Domain Controllers. It processes all password updates from clients not having AD-enabled client software.
b. RID (Relative Identifier) Master:- The RID master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new user, group or computer, a RID is used to assign a Security Identifier (SID) to that object.
c. Infrastructure Master:- It is used to update the object references in its domain that point to objects in other domains. The infrastructure master updates the object references in its domain locally and replicates those updates so that the domain's objects stay up to date. An object reference contains the Globally Unique Identifier (GUID), distinguished name, and SID.

Schema:-
The schema is the definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data.

Issues on FSMO:-
"The current domain controller is the operations master. To transfer the operations master role to another computer, you must first connect to it." (This issue occurs because we are transferring the FSMO role from the primary domain controller without connecting to the other domain controller. We need to connect to the other domain controller to transfer the role.)

Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
1. Open the Active Directory Users and Computers console on your new Windows Server 2012 R2 computer.
2. Right click your domain and select Operations Masters in the sub menu.
3. In the Operations Masters window, ensure the RID tab is selected.
4. Select the Change button.
5. Select Yes when asked about transferring the operations master role.
6. Once the operations master role has successfully transferred, click OK to continue.
7. Ensure the Operations Master box now shows your new 2012 R2 Windows Server.
8. Repeat steps 4 to 6 for the PDC and Infrastructure tabs.
9. Once completed, click Close to close the Operations Masters window.
10. Close the Active Directory Users and Computers window.

Changing the Active Directory Domain Controller
1. Open the Active Directory Domains and Trusts console on your new Windows Server 2012 R2 computer.
2. Right click your domain and select Change Active Directory Domain Controller... in the sub menu.
3. In the Change Directory Server window, select This Domain Controller or AD LDS instance.
4. Select your new 2012 R2 Windows Server. Click OK to continue.
5. Back in the Active Directory Domains and Trusts window, hover over Active Directory Domains and Trusts in the folder tree on the left hand side to ensure the server now reflects your new 2012 R2 Windows Server.
6. Right click Active Directory Domains and Trusts in the folder tree and select Operations Master... in the sub menu.
7. In the Operations Master window, click Change to transfer the domain naming master role to the 2012 R2 Windows Server.
8. When asked if you are sure you wish to transfer the operations master role to a different computer, click Yes.
9. Once the operations master is successfully transferred, click OK to continue.
10. Click Close to close the Operations Master window.
11. Close the Active Directory Domains and Trusts console.

Changing the Schema Master
1. Open a command prompt in administrator view on your new Windows Server 2012 R2 computer.
2. In the command prompt window, enter regsvr32 schmmgmt.dll and hit Enter.
3. Once completed successfully, click OK to close the RegSvr32 window.
Add the Active Directory Schema Console from MMC
1. Open an MMC console on your new Windows Server 2012 R2 computer.
2. Click File > Add/Remove Snap-in...
3. In the Add or Remove Snap-ins window, select Active Directory Schema and click the Add > button.
4. Click OK to continue.
Change the Schema Master
1. In the same MMC console, right click Active Directory Schema and select Change Active Directory Domain Controller... in the sub menu.
2. In the Change Directory Server window, select This Domain Controller or AD LDS instance.
3. Select your new 2012 R2 Windows Server.
4. Click OK to continue.
5. A warning will appear stating that the Active Directory Schema snap-in is not connected. Click OK to continue.
6. Hover over the Active Directory Schema folder in the folder tree to ensure the new Windows Server 2012 R2 computer is shown.
7. Now right click Active Directory Schema and select Operations Master... in the sub menu.
8. In the Change Schema Master window, click Change to transfer the schema master role to the 2012 R2 Windows Server.
9. When asked if you are sure you wish to transfer the schema master role to a different computer, click Yes.
10. Once the schema master is successfully transferred, click OK to continue.
11. Click Close to close the Change Schema Master window.
12. In the MMC, click File > Exit.
13. When asked to save the console, click No.

Removing the 2003 Windows Server from the Global Catalog
1. Open Active Directory Sites and Services on your new Windows Server 2012 R2 computer.
2. Expand the Sites folder, then the Default-First-Site-Name folder, then the Servers folder.
3. Expand both listed servers. One should be your new 2012 Windows Server and one should be your 2003 Windows Server.
4. Right click NTDS Settings found under your old 2003 Windows Server.
5. In the sub menu, select Properties.
6. Under the General tab, unselect Global Catalog and then click the Apply button.
7. Click OK to continue.
8. Close the Active Directory Sites and Services window.
9. Verify that your new 2012 R2 Windows Server is holding the FSMO roles by opening the command prompt in administrator view and running the following command: netdom query fsmo
10. In the Network and Sharing Center, be sure to change the Preferred DNS server to match the Alternate DNS server, then delete the IP address listed under the Alternate DNS server should it currently be pointed to the old 2003 Windows Server.
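The same FSMO work done from PowerShell rather than the three MMC snap-ins walked through above. This is an added example, not code from the original page: it reads the five role holders (the two forest-wide roles from the forest object, the three domain-wide roles from the domain object), transfers them to a new DC with Move-ADDirectoryServerOperationMasterRole from the RSAT ActiveDirectory module, cross-checks with netdom query fsmo as the page does, and tests the placement rule stated under FSMO Roles above (Infrastructure Master not on a global catalog). The function names and the destination DC name NEWDC2012R2 are assumptions; Windows PowerShell 5.1 and Enterprise Admins membership (required for the forest-wide roles) are assumed.

```powershell
# Added example (not from the original page): query, transfer and verify FSMO
# roles with the ActiveDirectory module. Assumptions: RSAT ActiveDirectory
# module, Windows PowerShell 5.1, Enterprise Admins membership; "NEWDC2012R2"
# is a placeholder for the destination domain controller.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are attributes of the forest, domain-wide of the domain.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The page's guidance: keep the Infrastructure Master off a global catalog.
    # The one case where it does not matter is when every DC in the domain is
    # a GC, because then there are no cross-domain references left to fix up.
    $imHost = (Get-ADDomain).InfrastructureMaster
    $dcs    = Get-ADDomainController -Filter *
    $im     = $dcs | Where-Object HostName -eq $imHost
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $imHost is a GC while other DCs in the domain are not."
        return $false
    }
    return $true
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDc, [switch]$Seize)
    # Without -Force this is a graceful transfer that needs the current holder
    # online. -Force seizes, which is only for a holder that is gone for good;
    # a seized-from DC must never be returned to the network.
    $roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
    $splat = @{ Identity = $TargetDc; OperationMasterRole = $roles; Confirm = $false }
    if ($Seize) { $splat.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @splat
    # Same verification the page uses after the GUI transfer.
    & netdom query fsmo
    return Get-FsmoHolders
}

# Usage:
# Get-FsmoHolders
# Move-AllFsmoRoles -TargetDc 'NEWDC2012R2'      # placeholder DC name
# Test-InfrastructureMasterPlacement
```

The forest-wide roles in Get-ADForest are reported by FQDN, so comparing the output of Move-AllFsmoRoles against netdom query fsmo is a direct string match per role; any role still naming the old 2003 server after the transfer is the one to investigate before demoting that server.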
LDAP:-
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in Active Directory. LDAP is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

Can you connect Active Directory to other 3rd-party Directory Services?
Yes, we can connect to directories used by SAP, Domino, etc.

Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Windows 2012 database, it records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.

Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, Domain NC.
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What is an Active Directory Partition?
Active Directory information is segregated and logically stored in partitions.

What are the Active Directory partitions?
Schema Partition:- Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.
Configuration Partition:- There is only one configuration partition per forest. The configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition:- Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application Partition:- Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

How do you view replication properties for AD partitions and DCs?
Go to Start > Run > type replmon.

How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR you can use Replmon.exe for the same purpose.
OR use AD Sites and Services, and nslookup gc._msdcs.%USERDNSDOMAIN%

Why not make all Domain Controllers in a large forest Global Catalogs?
The reason that all DCs are not GCs to start with is that in large forests the DCs would all have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden. For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor WAN lines.

Trying to look at the Schema, how can I do that?
adsiedit.exe is one option to view the schema. Alternatively, register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc –> add snap-in –> add Active Directory Schema, and save it as schema.msc. Then open Administrative Tools –> schema.msc.

What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool.
Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service.
Replmon is the first tool you should use when troubleshooting Active Directory replication.
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

What are sites? What are they used for?
A site defines a set of well-connected subnets. Sites represent the physical structure of your network, whereas domains represent the logical structure of your network. In Active Directory, a site is a set of computers well-connected by a high-speed network, such as a local area network (LAN). All computers within the same site typically reside in the same building, or on the same campus network. A single site consists of one or more Internet Protocol (IP) subnets. Subnets are subdivisions of an IP network, with each subnet possessing its own unique network address. A subnet address groups neighboring computers in much the same way that postal codes group neighboring postal addresses.

What is replication?
Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.
Intrasite Replication:- All the domain controllers within a site replicate with each other.
Intersite Replication:- Selected domain controllers of two different sites replicate during a specified interval. The domain controller assigned for replication across sites is called the bridgehead server.

Intrasite Replication:- Intrasite replication begins when you make a directory update on a domain controller. By default, the source domain controller waits 15 seconds and then sends an update notification to its closest replication partner. If the source domain controller has more than one replication partner, subsequent notifications go out by default at 3 second intervals to each partner. After receiving notification of a change, a partner domain controller sends a directory update request to the source domain controller. The source domain controller responds to the request with a replication operation. The 3 second notification interval prevents the source domain controller from being overwhelmed with simultaneous update requests from its replication partners.

Intersite Replication:- Intersite replication occurs between replication partners in two different sites. Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes, that is, 3 hours. You can modify this replication interval, and it can be brought down to 15 minutes. But it is always recommended to keep the default interval, because intersite replication occurs over low speed WAN links, hence reducing the replication interval could cause high network traffic and latency.

Here's how intrasite directory replication works:
When someone changes a directory, the source DS notifies the other destination servers in the site. Each server and each object in a directory has an update sequence number (USN), and each change in a directory object modifies the object's and the server's USN. Each remote server in the site that receives the notification requests from the source DS just the changes it does not have. The remote server checks its update sequence number to find out which changes it needs. If the USNs are equal between the two servers, no replication occurs. The source DS uses remote procedure calls (RPCs) to connect to the destination DS and download the changes. The destination server then integrates the new objects into its hierarchy.

What is the KCC?
The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default Windows 2003 forest level functionality has this role.

What are the requirements for installing AD on a new server?
· An NTFS partition with enough free space (250MB minimum)
· An Administrator's username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
· A network connection (to a hub or to another computer via a crossover cable)
· An operational DNS server (which can be installed on the DC itself)
· A domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
First you need to take a system state backup of your existing DC, then run Dcpromo /adv.

How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil.
There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.

Another way out too: restart the DC in DSRM mode.
a. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode. It is a member server now, but the AD entries are still there. Promote the server to a fake domain and then remove it gracefully using DCpromo. Else, after the restart you can also use ntdsutil to do the metadata cleanup as told in the earlier post.

What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC; by default 2000 (60 days), 2003 (180 days).

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install Windows 2003 Server domain controllers into an existing Windows 2000 domain, or upgrade Windows 2000 domain controllers to Windows Server 2003, run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 Active Directory. The adprep /domainprep command must be issued on the server holding the infrastructure master role in the domain where the Windows 2003 server will be deployed.

What are the DS commands?
The DS (Directory Service) family is a set of built-in command-line utilities for Windows Server 2003 Active Directory. The DS group of commands is split into two families.
In one branch are DSadd, DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget. When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The DS family of built-in command-line executables offers alternative strategies to CSVDE, LDIFDE and VBScript. Let me introduce you to the members of the DS family:
DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – delete Active Directory objects
DSmove – relocate objects
DSquery – find objects that match your query attributes
DSget – list the properties of an object

What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Certain domain-wide and enterprise-wide operations that are not suited to multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders. The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers.
The domain controller that owns this role is also targeted by certain administration tools and by updates to user account and computer account passwords.
Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
· An administrator reassigns the role by using a GUI administrative tool.
· An administrator reassigns the role by using the ntdsutil /roles command.
· An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:
· The current role holder is operational and can be accessed on the network by the new FSMO owner.
· You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
· The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner.
This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master role.

We recommend that you seize FSMO roles in the following scenarios:
· The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully, and that role cannot be transferred.
· A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
· The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one in the appropriate domain that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, which means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest.
In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers, or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, among other problems.

Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer the Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ?
at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.
9. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to seize the Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and Infrastructure master roles are being seized.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.
9. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes
Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, see Microsoft Knowledge Base article 223346, "FSMO placement and optimization on Windows 2000 domain controllers".

If the domain controller that formerly held any FSMO role is not present in the domain, and if it has had its roles seized by using the steps in this article, remove it from Active Directory by following the procedure outlined in Microsoft Knowledge Base article 216498, "How to remove data in Active Directory after an unsuccessful domain controller demotion". Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata. Some customers prefer not to restore system state backups of FSMO role holders in case the role has been reassigned since the backup was made.

Do not put the Infrastructure master role on the same domain controller as the global catalog server.
If the Infrastructure master runs on a global catalog server, it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.

How do you configure a "stand-by operation master" for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database.
You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides. You frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.

To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, so that at least one backup is available to enable an authoritative restore of the data when necessary.

System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate. System state data on a domain controller includes the following components:
· Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
· The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
· The Registry: This database repository contains information about the computer's configuration.
· System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.
· The COM+ Class Registration database: The Class Registration database holds information about Component Services applications.
· The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.

System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. An Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once the replication is finished, each partner has an updated version of Active Directory. Another way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you do not need to configure your domain controller again or install the operating system from scratch.

Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain.
Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer, or a user who has been delegated this responsibility can perform the restore. On a domain controller, only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore of individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility for performing an authoritative restore, alongside the other Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number, and so that recently changed data on other domain controllers does not overwrite the restored system state data during replication.

METHOD A.
You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.
1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don't press Enter. Instead, press F8 for advanced options. You'll see the following text.
OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use | and | to move the highlight to your choice.
Press Enter to choose.
3. Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you'll see in red text Directory Services Restore Mode (Windows NT domain controllers only). The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication.
6. Start NT Backup.
7. Select the Restore tab.
8. Select the backup media, and select System State.
9. Click Start Restore.
10. Click OK in the confirmation dialog box.
11. After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; sometimes it takes a 30-minute wait on some machines.

Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.

What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO.
Computers can access the GPC to locate Group Policy templates, and if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.

Managing GPOs
To avoid replication conflicts, consider the selection of the domain controller, especially because the GPO data resides both in the SYSVOL folder and in Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. Whether one administrator's changes can overwrite those made by another administrator depends on the replication latency. By default, the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.

WMI Filter
WMI filters are used to refine the scope of GPOs based on attributes of the user or computer. In this way, you can extend the GPO filtering capabilities beyond the security group filtering mechanisms that were previously available. A WMI filter can be linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter consists of one or more queries that Active Directory evaluates against the WMI repository of the destination computer.
If the set of queries evaluates to false, Active Directory does not apply the GPO. If the set of queries evaluates to true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to SQL, but queries the WMI repository.

What is the order in which GPOs are applied?
Local, Site, Domain, OU. Group Policy settings are processed in the following order:
1:- Local Group Policy object - each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2:- Site - any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3:- Domain - processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4:- Organizational units - GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
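The LSDOU processing order above, including the "lowest link order is processed last" rule, as an added Python model that computes the resultant setting and the GPO that supplied it; this is example code written for this page, not Microsoft's implementation, and the GPO names and settings are constructed (Enforced and Block Inheritance are not modelled).

```python
from dataclasses import dataclass

# Scope levels in the order Group Policy processes them: Local, Site, Domain, OU.
SCOPE_ORDER = {"Local": 0, "Site": 1, "Domain": 2, "OU": 3}


@dataclass(frozen=True)
class GpoLink:
    name: str
    scope: str        # "Local", "Site", "Domain" or "OU"
    depth: int        # OUs only: 0 = top-most OU under the domain, larger = closer to the object
    link_order: int   # link order within its container; 1 = highest precedence, processed last
    settings: dict    # policy name -> value
    enabled: bool = True


def processing_order(links):
    """Return the links in the order Group Policy processes them.

    Local first, then site, domain and OUs from the top of the hierarchy down.
    Within one container the GPO with the lowest link order is processed last,
    hence the negated link order in the sort key.
    """
    return sorted(
        (link for link in links if link.enabled),
        key=lambda link: (SCOPE_ORDER[link.scope], link.depth, -link.link_order),
    )


def resultant_settings(links):
    """Apply the GPOs in processing order; the last writer of a setting wins."""
    effective = {}
    for link in processing_order(links):
        for setting, value in link.settings.items():
            effective[setting] = (value, link.name)
    return effective


def sample_links():
    """Constructed scenario: a computer in OU=Workstations, a child of OU=Corp."""
    return [
        GpoLink("Local Policy", "Local", 0, 1, {"ScreenSaverTimeout": 600}),
        GpoLink("Site-HQ", "Site", 0, 1, {"ScreenSaverTimeout": 900, "Wallpaper": "hq.jpg"}),
        GpoLink("Domain-Baseline", "Domain", 0, 2, {"ScreenSaverTimeout": 300, "MinPwdLen": 8}),
        # Link order 1 at the domain: processed after Domain-Baseline, so it wins on MinPwdLen.
        GpoLink("Domain-Security", "Domain", 0, 1, {"MinPwdLen": 14}),
        GpoLink("Corp-OU", "OU", 0, 1, {"Wallpaper": "corp.jpg"}),
        GpoLink("Workstations-OU", "OU", 1, 1, {"ScreenSaverTimeout": 120}),
    ]


def demo():
    """Resultant set of policy for the constructed scenario."""
    return resultant_settings(sample_links())


if __name__ == "__main__":
    for link in processing_order(sample_links()):
        print(f"{link.scope:<7} {link.name}")
    for setting, (value, source) in demo().items():
        print(f"{setting} = {value!r} (from {source})")
```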
An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

What is Garbage collection?
Garbage collection is the online defragmentation of Active Directory, which happens every 12 hours.

When do we use WDS?
Windows Deployment Services is used to deploy Windows operating systems remotely. WDS is mainly used for network-based OS installation.

What is DNS and which port number is used by DNS?
A: The Domain Name System (DNS) is used to resolve human-readable hostnames into machine-readable IP addresses like 69.143.201.22. DNS servers use UDP port 53, but DNS queries can also use TCP port 53 if the former is not accepted.

What are the main Email Servers and which are their ports?
Email servers can be of two types:
Incoming Mail Server (POP3, IMAP, HTTP) - The incoming mail server is the server associated with an email address account. There cannot be more than one incoming mail server for an email account.
Outgoing Mail Server (SMTP) - Most outgoing mail servers use SMTP (Simple Mail Transfer Protocol) for sending emails.
The main email ports are:
POP3 – port 110
IMAP – port 143
SMTP – port 25
HTTP – port 80
Secure SMTP (SSMTP) – port 465
Secure IMAP (IMAP4-SSL) – port 585
IMAP4 over SSL (IMAPS) – port 993
Secure POP3 (SSL-POP) – port 995

What do Forests, Trees, and Domains mean?
A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.
A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.
The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

What are Lingering Objects?
A: A lingering object is a deleted AD object that still remains on the restored domain controller in its local copy of Active Directory. They can occur when changes are made to directories after system backups are created. When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.

How can we remove Lingering Objects?
A: Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the console utility command REPADMIN.EXE.

Why should you not restore a DC that was backed up 6 months ago?
When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that has expired, you may face problems due to lingering objects.

How do you backup AD?
A: Backing up Active Directory is essential to maintain the proper health of the AD database.
Windows Server 2003: You can back up Active Directory by using the NTBACKUP tool that comes built in with Windows Server 2003, or use any 3rd-party tool that supports this feature.
Windows Server 2008: In Server 2008, there isn't an option to back up the System State data through the normal backup utility. We need to use the command line to back up Active Directory.
1. Open up your command prompt by clicking Start, typing "cmd" and then hitting Enter.
2. In your command prompt, type "wbadmin start systemstatebackup -backuptarget:e:" and press Enter.
3. Input "y" and press Enter to start the backup process.

Explain if it is possible to connect Active Directory to other 3rd party Directory services?
Yes, you can connect other vendors' directory services with the Microsoft version.
This is done by using dirXML or LDAP to connect to other directories.

Explain what is INODE?
An INODE holds the metadata of files; an INODE is a pointer to a block on the disk, and it is unique. In simple words, it is a unique number allocated to a file in UNIX-like OSes.

Explain what is the SYSVOL folder?
It is a set of files and folders that is stored on the local hard disk of each domain controller in a domain and is replicated by the FRS (File Replication Service).

Explain what is the primary function of the domain controller?
The primary function of the domain controller is to validate users to the network; it also provides a catalog of Active Directory objects.

What does it mean by "tattooing" the Registry?
"Tattooing" the registry means the user can modify and view user preferences that are not stored in the maintained portions of the Registry. Even if the group policy is changed or removed, the user preference will still persist in the registry.

Mention how many types of queries DNS does?
The types of queries DNS does are: Iterative Query and Recursive Query.

Explain what does IntelliMirror do?
IntelliMirror helps to reconcile desktop settings, applications and stored files for users, especially for those users who move between workstations or who work offline.

Explain in Windows DNS server what is Primary, Secondary and Stub zone?
Primary Zone: In this, the file is saved as a normal text file with the filename extension .dns.
Secondary Zone: It maintains a read-only copy of the zone database on another DNS server. Also, it acts as a backup server to the primary server by providing fault tolerance and load balancing.
Stub Zone: It consists of a copy of the name server and SOA records, which is used for reducing the DNS search orders.

Why is DNS important?
DNS is like a phone book for the Internet. If you know a person's name but don't know their telephone number, you can simply look it up in a phone book.
DNS provides this same service to the Internet.

How does DNS work?
When you visit a domain, your computer follows a series of steps to turn the human-readable web address into a machine-readable IP address.

Step 1: Request information
When you ask your computer to resolve a hostname, the first place your computer looks is its local DNS cache, which stores information that your computer has recently retrieved. If your computer doesn't already know the answer, it needs to perform a DNS query to find out. TTL (Time To Live) is the setting on each DNS record that specifies how long a resolver caches the DNS answer before it expires and a new query needs to be made. Caching speeds up your Internet experience when visiting a site you go to often (since less time is needed to complete DNS lookups) and also helps lower the load on DNS servers around the world.

Standard DNS:- users that do not require the capacity (multiple zones, over 750,000 queries per month) or advanced features (reporting, failover, load balancing) of Dyn's Managed DNS products.
Managed DNS:- users that require the capacity (i.e. multiple zones, more than 750,000 queries per month).

Common Records.
A or AAAA Record – Usually a 1 hour TTL is a good compromise between enabling fast changes and taking advantage of DNS caching while someone is visiting your site. If changes to this record are frequent or need to happen quickly in an emergency, you can usually set it as low as 30 seconds. For DynECT Managed DNS features such as Active Failover, Load Balancing and GSLB, you can set the TTLs between 30 seconds and 5 minutes. For non-critical records that rarely, if ever, need to change, you may be able to get away with a TTL in the 12 hours to 1 day range.
CNAME record – In many cases, a CNAME record will never be modified (for example, one that points to another host's A record). In those scenarios, a 12 hour to 1 day TTL is a good compromise, as the benefits of caching outweigh the need for a faster propagation time.
If your CNAME record could potentially change (such as if you are using a CDN), you will want to have a lower TTL.
MX Record – MX records rarely, if ever, change, especially if you are using an email provider with a good track record or you have lots of redundancy when self-hosting. You can usually set this to a 12 hour or 1 day TTL. If you want to ensure faster propagation times in the event of an emergency, a 1 to 4 hour TTL is a good compromise.
TXT Records – Most commonly used for SPF or DKIM records. Usually safe to set in the 1 hour to 12 hour range since they rarely change.

Step 2: Ask the recursive DNS servers
If the information is not stored locally, your computer queries (contacts) your ISP's recursive DNS servers. Recursive servers have their own caches, so the process usually ends here and the information is returned to the user.

Step 3: Ask the root nameservers
If the recursive servers don't have the answer, they query the root nameservers. A nameserver is a computer that answers questions about domain names, such as IP addresses. The thirteen root nameservers act as a kind of telephone switchboard for DNS. They don't know the answer, but they can direct our query to someone that knows where to find it.

Step 4: Ask the TLD nameservers
The root nameservers will look at the first part of our request, reading from right to left (the .com part), and direct our query to the Top-Level Domain (TLD) nameservers for .com. Each TLD, such as .com, .org, and .us, has its own set of nameservers, which act like a receptionist for each TLD. These servers don't have the information we need, but they can refer us directly to the servers that do have the information.

Step 5: Ask the authoritative DNS servers
The TLD nameservers review the next part of our request (the domain name itself) and direct our query to the nameservers responsible for this specific domain. These authoritative nameservers are responsible for knowing all the information about a specific domain, which is stored in DNS records.
There are many types of records, which each contain a different kind of information. In this example, we want to know the IP address for the host, so we ask the authoritative nameserver for the Address Record (A).

Step 6: Retrieve the record
The recursive server retrieves the A record for the host from the authoritative nameservers and stores the record in its local cache. If anyone else requests the same host record, the recursive servers will already have the answer and will not need to go through the lookup process again. All records have a time-to-live value, which is like an expiration date. After a while, the recursive server will need to ask for a new copy of the record to make sure the information doesn't become out-of-date.

Step 7: Receive the answer
Armed with the answer, the recursive server returns the A record back to your computer. Your computer stores the record in its cache, reads the IP address from the record, then passes this information to your browser. The browser then opens a connection to the web server and receives the website.

Different Types of DNS Zones.
Primary Zone:- A primary zone is used to hold the read/write copy of zone data. The primary zone on the DNS server is the read/write copy of the DNS database. This means that whenever a new DNS record is added to the DNS database, either automatically by the DNS clients or manually by the administrators, it is actually written in the primary zone of the DNS server. One DNS server can have only one primary DNS zone.
Secondary Zone:- Holds the read/write copy of primary data. Used for load balancing purposes. Unlike the primary DNS zone, the secondary DNS zone is the read-only copy of the DNS records. This means that DNS records cannot be added directly to the secondary DNS zone. The secondary DNS zone can receive the updated records only from the primary DNS zone of the DNS server.
Stub Zone:- A stub zone is a new Windows Server 2003 feature.
Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone. Stub zones therefore contain only a partial copy of a zone, and are used to resolve recursive and iterative queries.

DNS Queries
Iterative queries: The DNS server provides the best answer it can. This can be either the resolved name or a referral to a different DNS server.
Recursive queries: The DNS server has to reply with the requested information or with an error. The DNS server cannot provide a referral to a different DNS server.

To understand stub zones, suppose you have users in your network who continuously access your business partner's network, printers and other resources, and this network is not managed by you. Also, you have no idea about their DNS zone and other network architecture. Then it is good to create a stub zone for these queries, which contains only enough information to send your clients to your partner's DNS so that the other DNS resolves your clients' queries.

A DNS secondary zone is mostly deployed in another domain whose DNS server is not authoritative for resolving the queries of the current domain. For example, if there are two domains, A and B, the primary DNS zones become authoritative for resolving the queries within their own domains, and the secondary DNS zone of domain A will be placed in domain B and vice versa. With this approach, if the DNS clients in domain B try to communicate with any computer within domain A, their queries can be resolved by the secondary DNS zone of domain A that is placed within domain B.

Active Directory Integrated Zone:-
An Active Directory-integrated zone is a zone that stores its data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. An Active Directory-integrated zone's zone data is replicated during the Active Directory replication process.
Active Directory-integrated zones also enjoy Active Directory's security features.
Forward lookup zone:- Is an authoritative DNS zone. These zones mainly resolve host names to IP addresses on the network.
Reverse lookup zone:- A reverse lookup zone is an authoritative DNS zone. These zones mainly resolve IP addresses to resource names on the network. A reverse lookup zone can be any of the following zones: primary zone, secondary zone, Active Directory-integrated zone.

DNS - Iterative query and recursive query
Suppose you are trying to find the phone number of your old friend "A". You call your friend "B", but B does not have A's phone number; "B" gives you "C"'s number, but when you dial "C" he does not have "A"'s phone number either. However, "C" knows the phone number of "A"'s best friend "D". You call "D", and "D" gives you "A"'s phone number. This is an example of the iterative process.
But when you call "B" and "B" says "I don't know, but I know how to find out", and "B" calls "C", then "D", and calls you back with the phone number, that is called a recursive query. Iteration is doing the job yourself, but recursion is passing the buck.

Recursive query:- In a recursive DNS query, the DNS client sends a query to a DNS server for name resolution. The reply to the DNS query can be an answer to the query or an error message.
Iterative DNS query:- In an iterative DNS query, when a DNS client asks the DNS server for name resolution, the DNS server provides the best answer it has. If the DNS server doesn't know the answer to the DNS query from the client, the answer can be a referral to another, lower-level DNS server. This lower-level DNS server is delegated at the higher-level DNS server to be authoritative for the DNS namespace to which the DNS query is related.
Once the DNS client gets the referral from the higher-level DNS server, it can then send a DNS query to the lower-level DNS server it received as the referral.
Inverse query:- When a DNS server receives an inverse query, it returns the friendly name for an IP address, rather than an IP address for a friendly name. PTR records are used to match IP addresses to friendly domain names.

What is a recursive DNS query?
A recursive DNS query is a kind of query in which the DNS server that received your query will do all the work of fetching the answer and giving it back to you. During this process, the DNS server might also query other DNS servers on the Internet on your behalf for the answer. Suppose you want to browse a website. Your DNS servers are 172.16.200.30 and .31.
STEP 1: You enter the address in the browser. If the answer is not in the OS's hosts file, the operating system's resolver will send a DNS query for the A record to the DNS server 172.16.200.30.
STEP 2: The DNS server 172.16.200.30, on receiving the query, will look through its tables (cache) to find the IP address (A record) for the domain, but in this case it does not have the entry; if it did, it would return the entry and the process would end here.
STEP 3: As the answer for the query is not available on the DNS server 172.16.200.30, this server sends a query to one of the DNS root servers for the answer. Note that root servers are always iterative servers.
STEP 4: The DNS root servers will reply with a list of servers (a referral) that are responsible for handling the .COM TLD.
STEP 5: Our DNS server 172.16.200.30 will select one of the .COM TLD servers from the list given by the root server and query it for the domain.
STEP 6: Similar to the root servers, the TLD servers are also iterative in nature, so the TLD server replies back to our DNS server 172.16.200.30 with the list of IP addresses of the DNS servers (authoritative name servers for the domain) responsible for the domain.
STEP 7: Our DNS server will select one of the IPs from the given list of authoritative name servers and query it for the A record of the domain. The authoritative name server queried will reply back with the A record, as below: the domain = XXX:XX:XX:XX (some IP address).
STEP 8: Our DNS server 172.16.200.30 will reply back to us with the IP/domain pair (and any other resource if available). Now the browser will send a request to the IP given for the web page.
Note: The above scenario of a recursive query happened only because our DNS server 172.16.200.30 was configured as a recursive name server. You can also disable this feature for your DNS server.

What is an iterative (non-recursive) DNS query?
In an iterative query, a queried DNS server will never go and fetch the answer for you, but will give you the answer if it already has it. If it does not have the answer, the DNS server will give your OS resolver a referral to other DNS servers (the root servers in our case). Note that all DNS servers must support iterative (non-recursive) queries.
STEP 1: You enter the address in the browser. If the answer is not in your local computer's hosts file, the operating system's resolver will send a DNS query for the A record to the DNS server 172.16.200.30.
STEP 2: The DNS server 172.16.200.30, on receiving the query, will look through its tables (cache) to find the IP address (A record) for the domain, but in this case it does not have the entry; if it did, it would return the entry and the process would end here.
STEP 3: Now, instead of querying the root servers, our DNS server will reply back to us with a referral to the root servers. Our operating system resolver will then query the root servers for the answer.

Stub Zones and Delegation
You are the admin of the root domain and you are taking care of the DNS servers in the root domain. The DNS servers hold the resource records for the root domain.
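The recursive and iterative walk-throughs above (Steps 1-7, and the two 172.16.200.30 examples) can be traced in code. The following Python simulation is an added example, not code from the page: it models three constructed servers (a root, a .com TLD server and an authoritative server for the constructed zone example.com) as lookup tables, lets a client either do the referral walk itself (iterative) or hand the whole job to a caching resolver (recursive), and expires cached answers by TTL as Step 6 describes. The server names, zone contents and the 192.0.2.x addresses are assumptions made for the example.

```python
"""Simulated DNS resolution: the referral chain root -> TLD -> authoritative server,
walked either by the client itself (iterative) or by a recursive resolver that
caches answers until their TTL expires. Added example; every server, zone and
address below is constructed for illustration, not real DNS infrastructure."""
import time

ROOT = "root-server"

# Constructed server tables. Each entry is one of:
#   ("answer",   <ip>,   <ttl seconds>)        the server is authoritative for the name
#   ("referral", <zone>, [<nameserver>, ...])  the server only knows who the zone is delegated to
SERVERS = {
    ROOT: {
        "com.": ("referral", "com.", ["a.gtld-servers.example"]),
    },
    "a.gtld-servers.example": {
        "example.com.": ("referral", "example.com.", ["ns1.example.com."]),
    },
    "ns1.example.com.": {
        "example.com.": ("answer", "192.0.2.1", 3600),
        "www.example.com.": ("answer", "192.0.2.10", 300),
    },
}


def iterative_query(server, qname):
    """One iterative query: the server returns the best it has (an answer if it is
    authoritative for qname, else a referral for the longest delegated zone that
    qname falls under, else an error). It never chases the answer itself."""
    table = SERVERS[server]
    entry = table.get(qname)
    if entry is not None and entry[0] == "answer":
        return entry
    best = None
    for zone, delegation in table.items():
        if delegation[0] != "referral":
            continue
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[1]):
                best = delegation
    return best if best is not None else ("error", "NXDOMAIN", 0)


def walk_referrals(qname, max_hops=8):
    """Start at the root and follow referrals until an authoritative answer arrives.
    Returns (ip, ttl, servers asked in order)."""
    server, trail = ROOT, []
    for _ in range(max_hops):
        trail.append(server)
        kind, data, extra = iterative_query(server, qname)
        if kind == "answer":
            return data, extra, trail
        if kind == "referral":
            server = extra[0]            # ask the first nameserver named in the referral
            continue
        raise LookupError(f"{qname}: {data}")
    raise LookupError(f"{qname}: too many referrals")


def client_iterative_walk(qname):
    """Iterative mode: the client's own resolver does the walking."""
    ip, _ttl, trail = walk_referrals(qname)
    return ip, trail


class RecursiveResolver:
    """Recursive mode: an ISP-style resolver does the walk on the client's behalf
    and caches the answer until its TTL expires (Step 6 on the page)."""

    def __init__(self, clock=time.time):
        self.clock = clock               # injectable so a test can advance time
        self.cache = {}                  # qname -> (ip, absolute expiry time)

    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], ["cache"]     # answered locally, no upstream queries
        ip, ttl, trail = walk_referrals(qname)
        self.cache[qname] = (ip, now + ttl)
        return ip, trail


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com."))    # root -> .com -> ns1, then cached
    print(resolver.resolve("www.example.com."))    # served from cache
    print(client_iterative_walk("example.com."))
```

The first resolve() returns the trail root-server, a.gtld-servers.example, ns1.example.com.; the second returns from cache with no upstream queries; once the 300-second TTL has elapsed the walk repeats. iterative_query() never follows a referral on its own, which is the behaviour the text attributes to root and TLD servers, and a resolver with recursion disabled would behave exactly like client_iterative_walk() from the client's point of view.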
Let's call the root domain root.tld. Another user wants to create the AD domain child.root.tld, and wants to integrate the DNS zone for child.root.tld into AD in the root domain. When a DNS client in root.tld requests a resource record from child.root.tld, you need a way to redirect the query to a DNS server that hosts a copy of the child.root.tld zone file. Classic DNS uses delegation to accomplish this task. Delegation creates NS records in the parent domain that identify DNS servers in the child domain. The Delegation Wizard points at specific name servers by IP address. If an administrator in the child domain changes those IP addresses, renames the DNS servers, or decommissions a server, this creates a lame delegation. Stub zones help you avoid lame delegations by creating a zone that contains all the NS records for a specified zone, not just the ones specified for delegation. The stub zone host refreshes the NS list periodically to stay up to date with the current list of name servers for the specified zone. Hence, no lame delegations.

What is an Authoritative DNS Server?
Authoritative DNS servers are the servers that give answers to the recursive DNS servers.
1. You open your web browser and enter Cisco's web address in the address field. At that point, the computer doesn't know the IP address for it, so it sends a DNS query to your ISP's DNS server.
2. Your ISP's DNS server doesn't know the IP address either, so it will ask one of the ROOT DNS servers.
3. The ROOT DNS server checks its database and finds that the primary DNS server for the domain is 198.133.219.25. It replies to your ISP's server with this answer.
4. Your ISP's DNS server now knows the IP address of Cisco's DNS server, so it then sends a recursive query to Cisco's DNS server, asking it to resolve the fully qualified domain name of the website.
5. Cisco's DNS server checks its database and finds an entry for the website. This entry has an IP address of 198.133.219.25.
Since the IP address of the DNS server and the webserver (www) are identical, this means they are likely both on the same physical server. Load-balancing mechanisms can also have the same effect, making multiple services and physical machines share the same IP address.
6. Your ISP's DNS server now knows the IP address for the website and sends the result to your computer.
7. Your computer now knows the IP address of Cisco's website and is able to contact it directly. Naturally, the next step is to send an HTTP request directly to Cisco's webserver and download the webpage.

DNS Zone Transfer
A zone transfer can be defined as the process that occurs to copy the zone's resource records on the primary DNS server to secondary DNS servers. Zone transfer enables a secondary DNS server to continue handling queries if the primary DNS server fails. A secondary DNS server can also transfer its zone data to other secondary DNS servers that are beneath it in the DNS hierarchy. In this case, the secondary DNS server is regarded as the master DNS server to the other secondary servers.
Full transfer: When the user configures a secondary DNS server for a zone and starts the secondary DNS server, the secondary DNS server requests a full copy of the zone from the primary DNS server. A full transfer of all the zone information is performed.
Incremental zone transfer: With an incremental zone transfer, only those resource records that have changed in a zone since the last transfer are sent to the secondary DNS servers. During a zone transfer, the DNS database is on the primary.
Active Directory transfers: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain.
Replication occurs through Active Directory replication.

DNS Resource Records
The DNS database contains resource records (entries) that resolve name resolution queries sent to the DNS server.
Resource record types (Type - Name - Function):
A - Host record - Contains the IP address of a specific host, and maps the FQDN to this 32-bit IPv4 address.
AAAA - IPv6 address record - Ties an FQDN to an IPv6 128-bit address.
AFSDB - Andrew File System - Associates a DNS domain name to a server subtype: an AFS version 3 volume or an authenticated name server using DCE/NCA.
ATMA - Asynchronous Transfer Mode address - Associates a DNS domain name to the ATM address given in the atm_address field.
CNAME - Canonical Name / Alias name - Ties an alias to its associated domain name.
HINFO - Host info record - Indicates the CPU and OS type for a particular host.
ISDN - ISDN info record - Ties an FQDN to an associated ISDN telephone number.
KEY - Public key resource record - Contains the public key for zones that can use DNS Security Extensions (DNSSEC).
MB - Mailbox name record - Maps the domain mail server name to the mail server's hostname.
MG - Mail group record - Ties the domain mailing group to mailbox resource records.
MINFO - Mailbox info record - Associates a mailbox with the individual that maintains it.
MR - Mailbox renamed record - Maps an older mailbox name to its new mailbox name.
MX - Mail exchange record - Provides routing for messages to mail servers and backup servers.
NS - Name server record - Provides a list of the authoritative servers for a domain. Also provides the authoritative DNS server for delegated subdomains.
NXT - Next resource record - Indicates those resource record types that exist for a name.
Specifies the resource record in the zone.
OPT - Option resource record - A pseudo-resource record which provides extended DNS functionality.
PTR - Pointer resource record - Points to a different resource record, and is used for reverse lookups to point to A type resource records.
RT - Route through record - Provides routing information for hosts that do not have a WAN address.
SIG - Signature resource record - Stores the digital signature for an RR set.
SOA - Start of Authority resource record - This resource record contains zone information for determining the name of the primary DNS server for the zone. The SOA record stores other zone property information, such as version information.
SRV - Service locator record - Used by Active Directory to locate domain controllers, LDAP servers, and global catalog servers.
TXT - Text record - Maps a DNS name to descriptive text.
In summary: Start of Authority (SOA), Name Server (NS), Host (A), Alias (CNAME), Mail exchanger (MX), Pointer (PTR), Service location (SRV); each record also carries a TTL (Time to live) and a class.

DHCP:-
DHCP stands for Dynamic Host Configuration Protocol and is used to automatically assign IP configuration to hosts connecting to a network. Using DHCP we can automatically provide client computers and other TCP/IP-based network devices with valid IP addresses. You can also provide the additional configuration parameters these clients and devices need, called DHCP options, that allow them to connect to other network resources, such as DNS servers, WINS servers, and routers.
DHCP message types:
1. DHCPDISCOVER - This message is sent by a client that is connected to a local subnet. It's a broadcast message that uses 255.255.255.255 as the destination IP address while the source IP address is 0.0.0.0.
2. DHCPOFFER - This message contains the network configuration settings for the client that sent the DHCPDISCOVER message.
3. DHCPREQUEST - The client has accepted the network configuration sent in the DHCPOFFER message from the server.
4. DHCPACK - This message is sent by the DHCP server in response to the DHCPREQUEST received from the client.
The DHCPACK message is nothing but an acknowledgment by the DHCP server that authorizes the DHCP client to start using the network configuration it received from the DHCP server earlier.
5. DHCPNAK - This message is sent by the DHCP server when it is not able to satisfy the DHCPREQUEST message from the client.
6. DHCPDECLINE - This message is sent from the DHCP client to the server in case the client finds that the IP address assigned by the DHCP server is already in use.
7. DHCPINFORM - This message is sent from the DHCP client in case the IP address is statically configured on the client and only the other network settings or configurations are to be acquired dynamically from the DHCP server.
8. DHCPRELEASE - This message is sent by the DHCP client in case it wants to terminate the lease of the network address it has been provided by the DHCP server.

Step 1: When the client computer boots up or is connected to a network, a DHCPDISCOVER message is sent from the client to the server. As there is no network configuration information on the client, the message is sent with 0.0.0.0 as the source address and 255.255.255.255 as the destination address. If the DHCP server is on the local subnet then it directly receives the message; if it is on a different subnet then a relay agent connected to the client's subnet is used to pass on the request to the DHCP server. The transport protocol used for this message is UDP and the port number used is 67. The client enters the initializing stage during this step.
Step 2: When the DHCP server receives the DHCPDISCOVER request message, it replies with a DHCPOFFER message. As already explained, this message contains all the network configuration settings required by the client. For example, the yiaddr field of the message will contain the IP address to be assigned to the client. Similarly, the subnet mask and gateway information is filled in the options field. Also, the server fills in the client MAC address in the chaddr field.
This message is sent as a broadcast (255.255.255.255) message for the client to receive it directly, or, if the DHCP server is in a different subnet, this message is sent to the relay agent, which takes care of whether the message is to be passed on as unicast or broadcast. In this case also, the UDP protocol is used at the transport layer, with destination port 68. The client enters the selecting stage during this step.
Step 3: The client forms a DHCPREQUEST message in reply to the DHCPOFFER message and sends it to the server, indicating it wants to accept the network configuration sent in the DHCPOFFER message. If multiple DHCP servers received the DHCPDISCOVER, the client could receive multiple DHCPOFFER messages. But the client replies to only one of the messages, by populating the server identifier field with the IP address of one particular DHCP server. All the messages from other DHCP servers are implicitly declined. The DHCPREQUEST message will still contain the source address 0.0.0.0, as the client is still not allowed to use the IP address passed to it in the DHCPOFFER message. The client enters the requesting stage during this step.
Step 4: Once the server receives the DHCPREQUEST from the client, it sends the DHCPACK message indicating that the client is now allowed to use the IP address assigned to it. The client enters the bound state during this step.

The IP address assigned by the DHCP server to the DHCP client is on a lease. After the lease expires, the DHCP server is free to assign the same IP address to any other host or device requesting one. For example, keeping the lease time at 8-10 hours is helpful in the case of PCs that are shut down at the end of the day. So, the lease has to be renewed from time to time. The DHCP client tries to renew the lease after half of the lease time has expired. This is done by the exchange of DHCPREQUEST and DHCPACK messages.
While doing all this, the client enters the renewing stage.
When a scope is created, the default lease duration is set to eight days. However, because lease renewal is an ongoing process that can affect the performance of DHCP clients and your network, you can increase or decrease the lease duration to fit your specific needs.

What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.

Types of scopes in Windows DHCP?
Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

What is Authorizing DHCP Servers in Active Directory?
If the DHCP server was not authorized during installation, invoke the DHCP console (Start - All Programs - Administrative Tools - DHCP), right-click on the DHCP server to be authorized and select Authorize.
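The DORA exchange described in Steps 1-4 above, as an added Python example that is not code from the page or from the Windows DHCP role. It encodes and decodes the RFC 2131 fixed header (op, xid, flags, ciaddr, yiaddr, chaddr) plus the RFC 2132 options the text mentions (message type, requested address, server identifier, subnet mask, router, lease time), and runs a constructed single-scope server against a client: the client leaves ciaddr at 0.0.0.0 in both DISCOVER and REQUEST, names the chosen server in option 54, and receives an ACK only for the address it was offered. The MAC addresses, transaction ids, the scope 192.168.10.100-101 and the eight-day lease are constructed values; transmitting the bytes on UDP ports 67/68 is left out, the example works on the byte strings only.

```python
"""Wire-format encoding and decoding of the DHCP DISCOVER / OFFER / REQUEST / ACK
exchange (RFC 2131 fixed header, RFC 2132 options), plus a minimal server that leases
addresses from one scope. Added example, not code from the page or the Windows DHCP
role; MAC addresses, transaction ids, the scope and the lease time are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6          # values of option 53
OPT_SUBNET_MASK, OPT_ROUTER, OPT_REQUESTED_IP = 1, 3, 50     # option codes used here
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER)                         # 236 bytes


def _ip(text):
    return IPv4Address(text).packed


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", ciaddr="0.0.0.0", flags=0, options=()):
    """Assemble one DHCP message; `mac` is 6 raw bytes, `options` a list of (code, bytes)."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags,
                         _ip(ciaddr), _ip(yiaddr), _ip("0.0.0.0"), _ip("0.0.0.0"),
                         mac, b"", b"")          # struct zero-pads chaddr, sname and file
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HEADER, pkt[:HEADER_LEN])
    if pkt[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, HEADER_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                          # PAD option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6],
            "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:f[2]],              # hlen bytes of the 16-byte chaddr field
            "msg_type": options[OPT_MSG_TYPE][0], "options": options}


def client_discover(xid, mac):
    """Step 1: no address yet, so ciaddr is 0.0.0.0 and the broadcast flag is set."""
    return build(BOOTREQUEST, xid, mac, DISCOVER, flags=0x8000)


def client_request(xid, mac, offer_pkt):
    """Step 3: accept one offer by naming that server in option 54; ciaddr stays 0.0.0.0."""
    offer = parse(offer_pkt)
    return build(BOOTREQUEST, xid, mac, REQUEST, flags=0x8000,
                 options=[(OPT_REQUESTED_IP, _ip(offer["yiaddr"])),
                          (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])


class DhcpServer:
    """Server side of Steps 2 and 4 for a single constructed scope."""

    def __init__(self, server_ip, pool, mask, router, lease_seconds=8 * 24 * 3600):
        self.ip, self.pool = server_ip, list(pool)
        self.fixed_opts = [(OPT_SERVER_ID, _ip(server_ip)), (OPT_SUBNET_MASK, _ip(mask)),
                           (OPT_ROUTER, _ip(router)),
                           (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))]
        self.offers = {}                         # chaddr bytes -> offered address

    def handle(self, pkt):
        msg = parse(pkt)
        mac = msg["chaddr"]
        if msg["msg_type"] == DISCOVER:
            if mac not in self.offers:
                if not self.pool:
                    return None                  # scope exhausted: no offer at all
                self.offers[mac] = self.pool.pop(0)
            return build(BOOTREPLY, msg["xid"], mac, OFFER, yiaddr=self.offers[mac],
                         options=self.fixed_opts)
        if msg["msg_type"] == REQUEST:
            if msg["options"].get(OPT_SERVER_ID) != _ip(self.ip):
                if mac in self.offers:           # client chose another server: implicit
                    self.pool.append(self.offers.pop(mac))   # decline, address goes back
                return None
            wanted = str(IPv4Address(msg["options"][OPT_REQUESTED_IP]))
            if self.offers.get(mac) != wanted:
                return build(BOOTREPLY, msg["xid"], mac, NAK,
                             options=[(OPT_SERVER_ID, _ip(self.ip))])
            return build(BOOTREPLY, msg["xid"], mac, ACK, yiaddr=wanted, options=self.fixed_opts)
        return None


def dora(server, xid, mac):
    """Run DISCOVER -> OFFER -> REQUEST -> ACK; return (address, mask, router, lease seconds)."""
    offer = server.handle(client_discover(xid, mac))
    if offer is None:
        return None
    ack = parse(server.handle(client_request(xid, mac, offer)))
    if ack["msg_type"] != ACK:
        return None
    o = ack["options"]
    return (ack["yiaddr"], str(IPv4Address(o[OPT_SUBNET_MASK])),
            str(IPv4Address(o[OPT_ROUTER])), struct.unpack("!I", o[OPT_LEASE_TIME])[0])
```

dora() returns the leased address together with the mask, router and lease time carried as options, which is what the client's bound state consists of. A REQUEST that names a different server identifier is ignored and the offered address is returned to the pool (the implicit decline from Step 3); a REQUEST for an address that was never offered to that MAC gets a NAK; a DISCOVER against an exhausted scope gets no reply at all, which is the situation a client experiences when a scope is too small for the subnet.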
What ports are used by DHCP and the DHCP clients?
Requests are on UDP port 68, server replies on UDP 67.

IT: How to Set Up DHCP in Windows Server 2008 R2
To get started, fire up the Server Manager, right-click on Roles, and then select Add Roles.
You will be prompted with the normal "Before You Begin" screen, and after clicking Next you'll be able to choose DHCP Server.
Next you'll want to select the network connection to bind the DHCP protocol to.
Put in the IP address of your DNS server, which in this case is the same machine, but be careful not to put the loopback address (127.0.0.1), as this will be the address your clients will go to for name resolution.
Click Next again to skip the WINS setup; this will bring you to creating a DHCP scope, where you can click the Add button.
Now you need to:
Give your scope a name
Enter the first address that you want available for clients to use
Enter the last address that you want available for clients to use
Enter the subnet mask (usually 255.255.255.0)
Enter the IP address of your default gateway (usually your router IP at .1)
Once you have clicked OK, you can click Next 4 times to get to the confirmation screen, where you can finally click Install.
Once the installation is complete your DHCP will be functioning, and you can start managing your DHCP server right away.

WINS (Windows Internet Name Service) compared with DNS
WINS: WINS is specifically for devices like PCs, laptops and NT servers. / DNS: Mainly for servers and network devices.
WINS: Platform dependent. / DNS: Platform independent.
WINS: Used for dynamic IP addresses like DHCP. / DNS: Used for only static IP addresses.
WINS: Used to resolve NetBIOS names to IP addresses and not vice versa. / DNS: Used to resolve host names to IP addresses and vice versa.
WINS: Flat namespace of only 15 characters; WINS supports incremental replication of the data for any modifications, and WINS does not support TCP/IP application services. / DNS: DNS copies the entire database, and DNS supports TCP/IP application services.

Active Directory Physical Structure:- Domain Controllers and Sites.
Active Directory Logical Structure:- objects, organizational units, domains, domain trees and forests.

Authentication mechanisms
NTLM (Msv1_0.dll). Used for Windows NT LAN Manager (NTLM) authentication.
Kerberos (Kerberos.dll) and Key Distribution Center (Kdcsvc.dll). Used for Kerberos V5 authentication.
SSL (Schannel.dll). Used for Secure Sockets Layer (SSL) authentication.
Authentication provider (Secur32.dll). Used to manage authentication.

Windows 2012 server Active Directory
AD Virtualization:- AD Domain Controller Cloning
Domain and Forest Upgrades Made Simple; DCPROMO Improvements
Active Directory Administrative Center PowerShell History Viewer
AD-Integrated Product Activation
AD FS Takes One More Step Toward Integration
Active Directory and Dynamic Access Control
Recycle Bin User Interface
Fine-Grained Password Policy User Interface
Active Directory Replication and Topology Windows PowerShell cmdlets
Active Directory Based Activation (AD BA)
Kerberos Enhancements
Flexible Authentication Secure Tunneling (FAST)
Group Managed Service Accounts (gMSA)
AD DS Platform Changes

Different flavours of operating systems:
Disk Operating System or DOS, Windows 3.1, Windows 3.11, Windows 95, Windows 98, Windows ME, Windows 2000 Professional, Windows XP, Windows Vista, Windows 7, Windows 8.

Different types of Windows 2012 servers.
1. Datacenter:- High density virtualization with an unlimited number of virtual instances.
2. Standard:- Low density or no virtualization; two virtual instance rights.
3. Essentials:- No virtual rights, and up to 25 user accounts and 50 devices. Replaces Small Business Essentials. Some limitations on features, and supports up to two processors.
4. Foundation:- No virtual rights, for up to 15 users. An OEM-only offering for single processor servers.

Different types of Windows 2008 servers.
1. Datacenter:- Unlimited remote access and terminal server connections. Unlimited deployment of servers.
2. Standard:- Entry level version, considered for small business.
Deploy up to 1 server.
3. Enterprise:- Deploy up to 4 servers.
4. Web edition:- Web hosting; provides IIS7 as its platform. Mainly used for building and hosting web applications.

Different types of Windows 2003 servers.
1. Datacenter:- Unlimited remote access and terminal server connections. Unlimited deployment of servers.
2. Standard:- Entry level version, considered for small business. Deploy up to 1 server.
3. Enterprise:- Deploy up to 4 servers.
4. Web edition:- Web hosting; provides IIS7 as its platform.

Network Operating System (NOS):- A network operating system is an OS that has been developed by Microsoft to provide services to all the client computers:
Windows 2000 Server (Entire Family)
Windows Server 2003 (Entire Family)
Windows Server 2008 (Entire Family)
Windows Server 2012 (Entire Family)
Services like AD DS:- Active Directory Domain Services. When the Active Directory Domain Services (AD DS) are installed on a network operating system, the OS becomes a full-fledged domain controller that is then capable of managing the entire domain and the client computers in that domain from a central location.

What is Clustering? Briefly define and explain it.
Clustering is a technology which is used to provide high availability for mission critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs, which is only available in Enterprise Edition and Datacenter Edition.

Types of Clusters?
In Windows we can configure two types of clusters:
1. NLB (Network Load Balancing) cluster, for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy.
2. Server Cluster: This provides high availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node will be active and one node will be standby. When the active server fails, the application will FAILOVER to the standby server automatically.
When the original server comes back we need to FAILBACK the application.

What is Quorum?
A shared storage needs to be provided for all servers, which keeps information about the clustered application and session state and is useful in a FAILOVER situation. This is very important: if the Quorum disk fails, the entire cluster fails.

Why is Quorum necessary?
When network problems occur, they can interfere with communication between cluster nodes. A small set of nodes might be able to communicate together across a functioning part of a network, but might not be able to communicate with a different set of nodes in another part of the network. This can cause serious issues. In this "split" situation, at least one of the sets of nodes must stop running as a cluster.
To prevent the issues that are caused by a split in the cluster, the cluster software requires that any set of nodes running as a cluster must use a voting algorithm to determine whether, at a given time, that set has quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster will know how many "votes" constitute a majority (that is, a quorum). If the number drops below the majority, the cluster stops running. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not begin to function as a cluster until the quorum exists again.
For example, in a five-node cluster that is using node majority, consider what happens if nodes 1, 2, and 3 can communicate with each other but not with nodes 4 and 5. Nodes 1, 2, and 3 constitute a majority, and they continue running as a cluster. Nodes 4 and 5 are a minority and stop running as a cluster, which prevents the problems of a "split" situation. If node 3 also loses communication with the other nodes, all nodes stop running as a cluster.
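The five-node split just described, worked as an added Python example (not code from the page or from the Windows cluster service). It applies the "more than half of the votes" rule to any partition layout, and goes a step beyond the five-node case by also covering the witness-based models the page defines below (node and disk majority, node and file share majority, and no majority: disk only), where the disk or file share contributes one extra vote, or, in the disk-only model, is the only thing that matters. Node names and partition layouts are constructed.

```python
"""Quorum vote counting for the failover-cluster quorum models described on the page:
node majority, node and disk majority, node and file share majority, and no majority
(disk only). Added example; node names and network partitions are constructed, and the
rule implemented is the "more than half of all votes" rule stated in the text."""

NODE_MAJORITY = "node majority"
NODE_AND_DISK_MAJORITY = "node and disk majority"
NODE_AND_FILE_SHARE_MAJORITY = "node and file share majority"
DISK_ONLY = "no majority: disk only"
WITNESS_MODELS = {NODE_AND_DISK_MAJORITY, NODE_AND_FILE_SHARE_MAJORITY}


def total_votes(configured_nodes, model):
    """Votes the whole cluster has: one per configured node, plus one for a witness.
    The total is fixed by configuration, not by who is currently reachable."""
    return len(configured_nodes) + (1 if model in WITNESS_MODELS else 0)


def has_quorum(configured_nodes, model, reachable_nodes, witness_reachable=False):
    """Can the group `reachable_nodes` (nodes that can still talk to each other) keep
    running as the cluster? It needs more than half of all votes; in the disk-only
    model it needs one node that can reach the quorum disk, and nothing else."""
    reachable_nodes = set(reachable_nodes) & set(configured_nodes)
    if model == DISK_ONLY:
        return bool(reachable_nodes) and witness_reachable
    votes = len(reachable_nodes)
    if model in WITNESS_MODELS and witness_reachable:
        votes += 1                       # the disk or file share witness votes too
    return 2 * votes > total_votes(configured_nodes, model)


def evaluate_split(configured_nodes, model, partitions, witness_owner=None):
    """A network split leaves several groups that cannot see each other. Return
    {partition name: keeps running}. A witness is reachable by at most one group,
    so at most one group can survive a split."""
    return {name: has_quorum(configured_nodes, model, members, witness_owner == name)
            for name, members in partitions.items()}


def minimum_surviving_votes(configured_nodes, model):
    """Smallest vote count that still forms a majority, useful when sizing a cluster."""
    return total_votes(configured_nodes, model) // 2 + 1


if __name__ == "__main__":
    five = {1, 2, 3, 4, 5}
    print(evaluate_split(five, NODE_MAJORITY, {"A": {1, 2, 3}, "B": {4, 5}}))
    print(evaluate_split(five, NODE_MAJORITY, {"A": {1, 2}, "B": {3}, "C": {4, 5}}))
    four = {1, 2, 3, 4}
    print(evaluate_split(four, NODE_AND_DISK_MAJORITY, {"A": {1, 2}, "B": {3, 4}}, "A"))
```

With five nodes the {1,2,3} side survives and {4,5} stops; once node 3 is isolated too, no group has three votes and every node stops. The four-node cases show why an even node count is paired with a witness in the text: a 2-2 split under plain node majority leaves nobody running, while with a disk or file share witness the half that can reach the witness holds three of five votes and carries on. In the disk-only model, has_quorum() is False for every group when the disk is unreachable, which matches the statement later on the page that a Windows Server 2003 cluster cannot function without its quorum disk.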
However, all functioning nodes will continue to listen for communication, so that when the network begins working again, the cluster can form and begin to run.

Different types of Quorum in Windows Server 2008?
1. Node Majority – Used when an odd number of nodes are in the cluster.
2. Node and Disk Majority – Even number of nodes (but not a multi-site cluster).
3. Node and File Share Majority – Even number of nodes, multi-site cluster.
4. Node and File Share Majority – Even number of nodes, no shared storage.

Different types of Quorum in Windows Server 2003?
Standard Quorum: As mentioned above, a quorum is simply a configuration database for MSCS, and is stored in the quorum log file. A standard quorum uses a quorum log file that is located on a disk hosted on a shared storage interconnect that is accessible by all members of the cluster. Standard quorums are available in Windows NT 4.0 Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.
Majority Node Set Quorums: A majority node set (MNS) quorum is a single quorum resource from a server cluster perspective. However, the data is actually stored by default on the system disk of each member of the cluster. The MNS resource takes care to ensure that the cluster configuration data stored on the MNS is kept consistent across the different disks. Majority node set quorums are available in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.

Explain each Quorum type?
Node Majority: Each node that is available and in communication can vote. The cluster functions only with a majority of the votes, that is, more than half.
Node and Disk Majority: Each node plus a designated disk in the cluster storage (the "disk witness") can vote, whenever they are available and in communication.
The cluster functions only with a majority of the votes, that is, more than half.
Node and File Share Majority: Each node plus a designated file share created by the administrator (the "file share witness") can vote, whenever they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half.
No Majority: Disk Only: The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. That disk is therefore a single point of failure.

How is the quorum information located on the system disk of each node kept in synch ?
The server cluster infrastructure ensures that all changes are replicated and updated on all members in a cluster.

Can this method be used to replicate application data as well ?
No, that is not possible in this version of clustering. Only quorum information is replicated and maintained in a synchronized state by the clustering infrastructure.

Can I convert a standard cluster to an MNS cluster ?
Yes. You can use Cluster Administrator to create a new Majority Node Set resource and then, on the cluster properties sheet Quorum tab, change the quorum to that Majority Node Set resource.

What is the difference between a geographically dispersed cluster and an MNS cluster ?
A geographic cluster refers to a cluster that has nodes in multiple locations, while an MNS-based cluster refers to the type of quorum resource in use. A geographic cluster can use either a shared disk or an MNS quorum resource, while an MNS-based cluster can be located in a single site or span multiple sites.

What is the maximum number of nodes in an MNS cluster ?
Windows Server 2003 supports 8-node clusters for both Enterprise Edition and Datacenter Edition.

Do I need special hardware to use an MNS cluster ?
There is nothing inherent in the MNS architecture that requires any special hardware, other than what is required for a standard cluster (for example, the hardware must be on the Microsoft Cluster HCL).
However, some situations that use an MNS cluster may have unique requirements (such as geographic clusters), where data must be replicated in real time between sites.

Does a cluster-aware application need to be rewritten to support MNS ?
No, using an MNS quorum requires no change to the application. However, some cluster-aware applications expect a shared disk (for example SQL Server 2000), so while you do not need shared disks for the quorum, you do need shared disks for the application.

Does MNS get rid of the need for shared disks ?
It depends on the application. For example, clustered SQL Server 2000 requires a shared disk for data. Remember, MNS only removes the need for a shared disk quorum.

What does a failover cluster do in Windows Server 2008 ?
A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Users experience a minimum of disruption in service.

What new functionality does failover clustering provide in Windows Server 2008 ?
New validation feature. With this feature, you can check that your system, storage, and network configuration is suitable for a cluster.
Support for GUID partition table (GPT) disks in cluster storage. GPT disks can have partitions larger than two terabytes and have built-in redundancy in the way partition information is stored, unlike master boot record (MBR) disks.

What happens to a running Cluster if the quorum disk fails in Windows Server 2003 Cluster ?
In Windows Server 2003, the Quorum disk resource is required for the Cluster to function.
If the Quorum disk suddenly became unavailable to the cluster, both nodes would immediately fail and would not be able to restart the clussvc. In that light, the Quorum disk was a single point of failure in a Microsoft Cluster implementation. However, it was usually a fairly quick workaround to get the cluster back up and operational. There are generally two solutions to that type of problem.
1. Determine why the Quorum disk failed and repair it.
2. Provision a new LUN, present it to the cluster, assign it a drive letter and format it. Then start one node with the /fixquorum (/FQ) switch and, through cluadmin, designate the new disk resource as the Quorum. Then stop and restart the clussvc normally and bring the second node online.

What happens to a running Cluster if the quorum disk fails in Windows Server 2008 Cluster ?
The disk witness is only one vote, so the cluster continues to work, but it has lost that vote: a further failure of another node drops the remaining nodes below a majority, so failover will not happen in that case.

Window Commands
AD Domains and Trusts - domain.msc
Active Directory Management - admgmt.msc
AD Sites and Services - dssite.msc
AD Users and Computers - dsa.msc
ADSI Edit - adsiedit.msc
Authorization Manager - azman.msc
Certification Authority Management - certsrv.msc
Certificate Templates - certtmpl.msc
Cluster Administrator - cluadmin.exe
Computer Management - compmgmt.msc
Component Services - comexp.msc
Configure Your Server - cys.exe
Device Manager - devmgmt.msc
DHCP Management - dhcpmgmt.msc
Disk Defragmenter - dfrg.msc
Disk Manager - diskmgmt.msc
Distributed File System - dfsgui.msc
DNS Management - dnsmgmt.msc
Event Viewer - eventvwr.msc
Indexing Service Management - ciadv.msc
IP Address Management - ipaddrmgmt.msc
Licensing Manager - llsmgr.exe
Local Certificates Management - certmgr.msc
Local Group Policy Editor - gpedit.msc
Local Security Settings Manager - secpol.msc
Local Users and Groups Manager - lusrmgr.msc
Network Load Balancing - nlbmgr.exe
Performance Monitor - perfmon.msc
PKI Viewer - pkiview.msc
Public Key Management - pkmgmt.msc
QoS Control Management - acssnap.msc
Remote Desktops - tsmmc.msc
Remote Storage Administration - rsadmin.msc
Removable Storage - ntmsmgr.msc
Removable Storage Operator Requests - ntmsoprq.msc
Routing and Remote Access Manager - rrasmgmt.msc
Resultant Set of Policy - rsop.msc
Schema Management - schmmgmt.msc
Services Management - services.msc
Shared Folders - fsmgmt.msc
SID Security Migration - sidwalk.msc
Telephony Management - tapimgmt.msc
Terminal Server Configuration - tscc.msc
Terminal Server Licensing - licmgr.exe
Terminal Server Manager - tsadmin.exe
UDDI Services Management - uddi.msc
Windows Management Instrumentation - wmimgmt.msc
WINS Server Manager - winsmgmt.msc

Active Directory
What is Active Directory ?
Active Directory is a directory service that stores information about the resources on a network (component locations, users, groups, passwords, security settings, services) and provides a means of centrally organizing, managing, and controlling access to those resources. Active Directory includes enough information about users, groups, organizational units and other kinds of management domains, plus administrative information about the network, to represent a complete digital model of the network.
An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories:
1. Resources (e.g. printers),
2. Services (e.g. e-mail), and
3. Users (accounts, or users and groups).

Active Directory Schema
The Active Directory schema defines the objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory.

Organizational Unit (OU)
An OU is a container used to organize objects within a domain into a logical administrative group.
OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority (or link a Group Policy Object). An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.

Trees
A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain; the domains of a tree share a contiguous DNS namespace.

Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.
■ All domains in a forest share a common schema.
■ All domains in a forest share a common global catalog.
■ Domains in a forest operate independently, but the forest enables communication across the entire organization (the forest, not the domain, is the security boundary).

The Global Catalog
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server.

Global Catalog Functions
The global catalog performs the following two key functions:
■ It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
■ It enables finding directory information regardless of which domain in the forest actually contains the data.

Sysvol
Logon scripts are found under the domain controller's NETLOGON admin share for Windows NT, whereas they are found under the SYSVOL share for Windows 2000. Policies and scripts are inside SYSVOL.

NTDS
The Windows 2000 Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT.
The ntds.dit file is the heart of Active Directory, including user accounts and their password hashes, which is why the file and its backups must be protected. DIT means directory information tree.

FSMO roles (Flexible Single Master Operation)
The 5 FSMO server roles:
Schema Master - Forest level
Domain Naming Master - Forest level
PDC Emulator - Domain level
RID Master - Domain level
Infrastructure Master - Domain level

Brief all the FSMO Roles
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest, there are five FSMO roles that are assigned to one or more domain controllers.
The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross-references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: a domain controller that is not a Global Catalog server (GC) should hold the Infrastructure Master (IM) role. If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold: a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.
If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service, which the Kerberos authentication protocol depends on (by default Kerberos tolerates a clock skew of only five minutes). All Windows 2000/2003-based computers within an enterprise use a common time. The time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
■ Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
■ Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
■ Account lockout is processed on the PDC emulator.
■ Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
■ The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions described above.
At any one time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

What if a FSMO server fails ?
Schema Master
No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.
Domain Naming Master
The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO for a new domain). If it is not, the domain cannot be added or removed. It is not needed for promoting or demoting an additional domain controller in an existing domain.
Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.
PDC Emulator
The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator; time synchronization, account lockout processing and the bad-password forwarding described above are still affected, so the role should be seized promptly if the old holder is not coming back.
RID Master
The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.
Infrastructure Master
This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to groups in another, because the cross-domain references would go stale.

Placing FSMO Server Roles
So where are these FSMO server roles found? Is there a one-to-one relationship between the server roles and the number of servers that house them? The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine.
If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role. However, it is always a good idea to have more than one domain controller in a domain for a number of reasons. Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server (a hard requirement for Windows 2000 forests; from the Windows Server 2003 forest functional level it is no longer required). If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.
Note: In a single-domain environment (or when every DC is also a GC) this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog separation above, but is recommended.
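An added PowerShell example (not code from the original page) that checks the placement rules above and shows the cmdlet equivalent of the Ntdsutil role transfer this page describes. It needs the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the group memberships listed under "Permissions for FSMO"; the function name Get-FsmoPlacementReport and the target DC name "DC02" are assumptions.

```powershell
# Added example: query the FSMO role holders, check the placement rules
# (Infrastructure Master must not be a GC unless every DC is a GC; PDC Emulator
# and RID Master ideally together; Domain Naming Master on a GC), and transfer
# or seize a role. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $gcs    = ($dcs | Where-Object IsGlobalCatalog).HostName

    # Same information "netdom query fsmo" prints, as objects.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    $warnings    = @()
    $allDcsAreGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if (($gcs -contains $dom.InfrastructureMaster) -and -not $allDcsAreGc -and
        $forest.Domains.Count -gt 1) {
        $warnings += "Infrastructure Master $($dom.InfrastructureMaster) is a GC in a multi-domain forest; cross-domain references will go stale."
    }
    if ($dom.PDCEmulator -ne $dom.RIDMaster) {
        $warnings += "PDC Emulator and RID Master are on different DCs (co-location recommended)."
    }
    if ($gcs -notcontains $forest.DomainNamingMaster) {
        $warnings += "Domain Naming Master is not a GC (required for Windows 2000 forests)."
    }

    [pscustomobject]@{ Roles = $roles; GlobalCatalogs = $gcs; Warnings = $warnings }
}

Get-FsmoPlacementReport | Format-List

# Graceful transfer (both DCs online). Role names accepted by the cmdlet:
# SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster.
# Target DC "DC02" is an assumption.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator, RIDMaster

# Seize (old holder is permanently gone; never bring it back online afterwards):
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator -Force
```

The transfer and seize lines are commented out on purpose; run the report first, then uncomment the one you mean. A seized role holder that later reappears on the network will fight the new holder (RID pools in particular), which is why the seize comment says never to bring it back.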
Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load. It is also recommended that all FSMO role holders be direct replication partners and have high-bandwidth connections to one another as well as to a Global Catalog server.

How to check FSMO roles
To see the domain-level operations masters (PDC Emulator, RID Master, Infrastructure Master): open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click "Operations Masters".
To see the Domain Naming Master: open Active Directory Domains and Trusts, right-click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master".
To see the Schema Master: the Active Directory Schema snap-in is not registered by default, so go to Run and run
regsvr32 schmmgmt.dll
1. From the Run command open an MMC console by typing MMC.
2. On the Console menu, press Add/Remove Snap-in. Press Add. Select Active Directory Schema. Press Add and press Close. Press OK.
3. In the snap-in, right-click Active Directory Schema and select Operations Master (if you are not logged on to the target domain controller, use Change Domain Controller first).
Note: To use Netdom to view all the FSMO role holders at once, open a command prompt window and type:
netdom query fsmo
and press ENTER. You will see a list of the FSMO role servers.

Permissions for FSMO
Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:
Schema Master - member of the Schema Admins group
Domain Naming Master - member of the Enterprise Admins group
PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group
RID Master - member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group

Transferring the FSMO Roles via Ntdsutil
On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server <servername>, where <servername> is the name of the server you want to transfer the role to, and then press ENTER.
At the server connections: prompt, type q, and then press ENTER.
Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master. Options are:
transfer schema master
transfer domain naming master
transfer pdc
transfer rid master
transfer infrastructure master
You will receive a warning window asking if you want to perform the transfer. Click Yes.
After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
No restart is required; verify with netdom query fsmo and make sure you update your backup. The seize <role> commands at the same prompt are for a role holder that is permanently lost; a DC whose role was seized must never be brought back online.

Event Viewer in AD
System state components

Authentication protocols
Kerberos V5 (RFC 1510, since superseded by RFC 4120) - An Internet-standard authentication protocol which is the default protocol for Windows 2000 computers within a domain. In Windows 2000 it is not used between computers in different forests (Windows Server 2003 forest trusts do carry Kerberos across forests).
Windows NT LAN Manager (NTLM) - Used to authenticate users from Windows 95, 98, and NT systems, and as the fallback whenever Kerberos cannot be used (for example when a server is addressed by IP address). It is available in both mixed and native mode; mixed mode is only needed while NT 4 BDCs remain.
Secure Sockets Layer/Transport Layer Security (SSL/TLS) - Requires a certificate server and is used to authenticate users that are logging on to secure web sites.
Smart card - Contains a chip with information about the user along with the user's private key. A personal identification number (PIN) is normally required to be authenticated using a smart card. Interactive domain logon with a smart card uses Kerberos with certificates (PKINIT); for remote access, Extensible Authentication Protocol (EAP-TLS) must be enabled on the server. Also, some certificate authority must issue the certificates and keys.

How to Restore the System State on a Domain Controller
1. To restore the system state on a domain controller, first start the computer in Directory Services Restore Mode. To do so, restart the computer and press the F8 key when you see the Boot menu.
2. Choose Directory Services Restore Mode.
3. Choose the Windows 2000 installation you are going to recover, and then press ENTER.
4. At the logon prompt, supply the Directory Services Restore Mode credentials you supplied during the Dcpromo.exe process.
5. Click OK to acknowledge that you are using Safe mode.
6. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
7. Click the Restore tab.
8. Click the appropriate backup media and the system state to restore.
NOTE: During the restore operation, the Winnt\Sysvol folder must also be selected to be restored to have a working SYSVOL after the recovery process. Be sure that the advanced option to restore "junction points and data" is also selected prior to the restore. This ensures that SYSVOL junction points are re-created.
9. In the Restore Files to box, click Original Location.
NOTE: When you choose to restore a file to an alternative location or to a single file, not all system state data is restored. These options are used mostly for boot files or registry keys.
10. Click Start Restore.
11. After the restore process is finished, restart the computer.

Caution
If you restore the System State data, and you do not designate an alternate location for the restored data, Backup will erase the System State data that is currently on your computer and replace it with the System State data you are restoring. Also, if you restore the System State data to an alternate location, only the registry files, SYSVOL directory files, Cluster database information files, and system boot files are restored to the alternate location. The Active Directory directory services database, Certificate Services database, and COM+ Class Registration database are not restored if you designate an alternate location.

Note
■ You must be an administrator or a backup operator to restore files and folders.
■ You should update the on-disk catalog for the tape before you perform the restore operation.
■ You can also use the Restore Wizard to restore the System State data by clicking Restore Wizard on the Tools menu.
■ In order to restore the System State data on a domain controller, you must first start your computer in a special safe mode called Directory Services Restore Mode. This will allow you to restore the SYSVOL directory and the Active Directory directory service database.
■ You can only restore the System State data on a local computer. You cannot restore the System State data on a remote computer.
■ If you are restoring the System State data to a domain controller, you must choose whether you want to perform an authoritative restore or a nonauthoritative restore. The default method of restoring the System State data to a domain controller is nonauthoritative. In this mode, any component of the System State that is replicated with another domain controller, such as the Active Directory directory service or the File Replication service (including the SYSVOL directory), will be brought up to date by replication after you restore the data. For example, if the last backup was performed a week ago, and the System State is restored using the default restore method (nonauthoritative), any changes made subsequent to the backup operation will be replicated in from the other domain controllers.
■ In some cases, you may not want to replicate the changes that have been made subsequent to the last backup operation. In other words, there may be instances where you want all replicas to have the same state as the backed-up data. To achieve this state, you must perform an authoritative restore. For example, you have to perform an authoritative restore if you inadvertently delete users, groups, or organizational units from the Active Directory directory service, and you want to restore the system so that the deleted objects are recovered and replicated.
To do this, you need to run the Ntdsutil utility after you have restored the data but before you restart the domain controller in normal mode. This utility lets you mark objects as authoritative, which will ensure that any replicated or distributed data that you have restored is properly replicated or distributed throughout your organization. The Ntdsutil command-line utility can be run from the command prompt. Help for the Ntdsutil utility can also be found at the command prompt by typing ntdsutil /?.

File Replication Service
In Windows 2000, the SYSVOL share holds the group policy templates and logon scripts that domain controllers hand to clients at logon; its contents are replicated to all domain controllers in the domain. File Replication Service (FRS) is used to replicate the SYSVOL share. It follows the connection and site-link replication schedule managed in the "Active Directory Sites and Services" tool.

Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high-speed network links. Replication between two sites may need to be sent over a slower WAN link or leased line. Intrasite replication data is sent uncompressed. Site replication is done using Remote Procedure Call (RPC). If a change is made, replication occurs within five minutes (the Windows 2000 notification delay), and a scheduled replication runs every hour if no changes were made. Domain controllers that receive updates replicate that information to other domain controllers on their route list. All changes are therefore completed within a site within 15 minutes, since there can only be three hops. The topology used here is the ring topology talked about earlier, and this replication is automatically set up by Active Directory (the Knowledge Consistency Checker), but may be modified by an administrator.

DNS Replication
The DNS IP address and computer name are stored in Active Directory for Active Directory-integrated DNS zones and replicated to all local domain controllers. DNS information is not replicated to domain controllers outside the domain.
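An added PowerShell example (not code from the original page) covering the two steps the authoritative-restore and replication passages above describe: marking a restored subtree authoritative with Ntdsutil, then confirming it replicated. Run the first part in Directory Services Restore Mode after the non-authoritative restore and before the normal reboot; the OU "OU=Sales,DC=corp,DC=example", the function names and the switch name -Execute are assumptions. The replication check uses the ActiveDirectory module (Windows Server 2008 R2 or later) and the real repadmin tool.

```powershell
# Added example: authoritative restore of one subtree, then replication checks.

function Invoke-AuthoritativeRestoreSubtree {
    param(
        [Parameter(Mandatory)][string]$SubtreeDN,
        [switch]$Execute   # nothing destructive runs unless -Execute is given
    )
    # ntdsutil accepts its menu commands as arguments; multi-word commands are
    # quoted. This is the same sequence you would type interactively:
    #   ntdsutil: authoritative restore
    #   authoritative restore: restore subtree <DN>
    $cmd = @('authoritative restore', "restore subtree $SubtreeDN", 'quit', 'quit')
    if (-not $Execute) {
        Write-Warning "Would run: ntdsutil $($cmd -join ' ')"
        return
    }
    & ntdsutil.exe @cmd
}

# Marks every object under the OU authoritative (version numbers bumped), so
# after the reboot they win over the deletions still present on the other DCs.
Invoke-AuthoritativeRestoreSubtree -SubtreeDN 'OU=Sales,DC=corp,DC=example'

function Get-ReplicationHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    Import-Module ActiveDirectory
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
    foreach ($dc in $dcs) {
        # One row per inbound partner and partition, like repadmin /showrepl.
        Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound |
            ForEach-Object {
                [pscustomobject]@{
                    Server              = $dc
                    Partition           = $_.Partition
                    Partner             = $_.Partner
                    LastSuccess         = $_.LastReplicationSuccess
                    ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                    LastResult          = $_.LastReplicationResult   # 0 = success
                }
            }
    }
}

# After the DC is back in normal mode, force an immediate sync and look for
# partners that are failing or have not succeeded since the restore.
# repadmin.exe /syncall /AdeP        # all DCs, all partitions, cross-site, push
# repadmin.exe /replsummary          # per-DC failure counts
Get-ReplicationHealth |
    Where-Object { $_.LastResult -ne 0 -or $_.ConsecutiveFailures -gt 0 } |
    Format-Table
```

The restore function defaults to printing the exact Ntdsutil command rather than running it, because marking the wrong subtree authoritative overwrites every other DC's copy of it. Check the printed line, then add -Execute.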
Intersite Replication
Intersite replication is replication between sites and must be set up by an administrator.

Replication Management
The administrative tool "Active Directory Sites and Services" is used to manage Active Directory replication. Intersite replication data is compressed before being sent to minimize bandwidth use. There are two protocols used to replicate AD: normally Remote Procedure Call (RPC) is used to replicate data, and it is always used for intrasite replication, since it is required to support FRS. RPC depends on IP (Internet Protocol) for transport. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites. SMTP can't replicate the domain partition, however (only the schema, configuration and global catalog data). Therefore the remote site would need to be in another domain to be able to effectively use SMTP for carrying replication data.
Bridgehead server - A domain controller that is used to send replication information to one or more other sites.

Schema Cache
A schema cache, which is a copy of the schema in memory, can be used to speed up schema queries but should be used sparingly due to the high memory requirements. If the schemaUpdateNow attribute is written to the RootDSE, a schema cache update is done immediately. Normally the schema cache is loaded into memory when the system boots and updated every five minutes. The schema cache provides mapping between attribute identifiers, such as a database column identifier or a MAPI identifier, and the in-memory structures that describe those attributes. The schema cache also provides lookups for class identifiers to get the in-memory structures describing those classes.

SOA record (Start of Authority Record)
The SOA record contains information about the zone in a string of fields (primary name server, responsible person's mailbox, serial number, refresh, retry, expire and minimum TTL). The SOA record tells the server to be authoritative for the zone. The SOA record is the most crucial record in a DNS zone.
The record is called the start of authority because it marks the zone as the official source of information for its domain.

SRV Record (Service Record)
SRV records specify the location of a service: they map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV records to determine the IP addresses of domain controllers. For Active Directory to function, the DNS servers must support the Service Location (SRV) resource record, originally described in RFC 2052 (since replaced by RFC 2782). Although not a technical requirement of Active Directory, it is highly recommended that the DNS servers also support DNS dynamic update, described in RFC 2136 (Dynamic Updates in the Domain Name System). The Windows 2000 DNS service supports both. If a non-Windows 2000 DNS server is used, verify that it at least supports SRV records, and upgrade it to a version that does if not; for example, Windows NT Server 4.0 DNS servers must be at Service Pack 4 or later. A DNS server that supports SRV records but not dynamic update must be updated by hand with the contents of the Netlogon.dns file, which the Active Directory Installation wizard creates when it promotes a Windows 2000 Server to a domain controller. Where dynamic update is enabled, restrict it to secure dynamic updates (Active Directory-integrated zones set to "secure only"); with unsecured updates any host on the network can overwrite the SRV records that clients use to find a domain controller.

What is an "A" record?
An "A" record, also called an "address" record, ties a domain name to an IP address.
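A practical check for the SRV records above, and for the A record that each SRV target must have, is the following PowerShell, an added example written for these notes rather than code from the original page. It uses Resolve-DnsName from the DnsClient module (Windows 8 / Windows Server 2012 or later); the domain name corp.example.com is an assumed placeholder.

```powershell
# Added example. Resolve-DnsName comes from the DnsClient module (Windows 8 / Server 2012+).
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. corp.example.com (assumed name)
        [string]$Server                          # DNS server to ask; default is the client's resolver
    )
    # The records a domain member looks up to find a DC, a KDC, a global catalog and a
    # password-change server. Site-specific variants live under _sites.<site>.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.gc._msdcs.$Domain"
        "_kpasswd._tcp.$Domain"
    )
    foreach ($name in $names) {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only DNS answers count
        $q = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $q.Server = $Server }
        $srv = Resolve-DnsName @q | Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Address = $null; Status = 'MISSING' }
            continue
        }
        foreach ($r in $srv) {
            # Every SRV target must itself resolve through an A record (RFC 2782 forbids a CNAME here)
            $a = @{ Name = $r.NameTarget; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
            if ($Server) { $a.Server = $Server }
            $addr   = Resolve-DnsName @a | Where-Object { $_.Type -eq 'A' }
            $status = 'OK'
            if (-not $addr) { $status = 'NO-A-RECORD' }
            [pscustomobject]@{
                Record  = $name
                Target  = $r.NameTarget
                Port    = $r.Port
                Address = ($addr.IPAddress -join ',')
                Status  = $status
            }
        }
    }
}

# Usage (assumed domain name). Compare with the DC that nltest /dsgetdc:corp.example.com picks.
Test-DcLocatorRecords -Domain 'corp.example.com' | Format-Table -AutoSize
```

A MISSING row means domain members on that resolver cannot locate a domain controller at all; a NO-A-RECORD row is the more insidious case, where the SRV record exists but points at a name nobody can resolve, which is exactly what a stale or tampered dynamic update looks like.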
If a server on the Internet is configured to handle traffic for a domain, you enter the domain name and the server's IP address (for example 209.81.71.236) in an A record, and almost immediately anyone surfing to that domain connects to the correct server. Address, or "A", records map the name of a machine to its numeric IP address; in other words, the record states the hostname and IP address of a machine. To "resolve" a hostname means to find its matching IP address, and the A record is what a name server sends to another name server to answer a resolution query.

What is an "MX" record?
"MX" ("Mail eXchanger") records specify which server on the Internet runs the e-mail software that handles mail for your domain. If you want your ISP to route the e-mail for your domain to you, you specify the name of your ISP's mail server (the MX target must be a hostname that has an A record, not an IP address). When you have more than one mail server you also give each a preference value that ranks it. Make sure your ISP knows that you are using their servers to route your domain's mail, or all of it will "return to sender".

What is a "CNAME" record?
"CNAME" records allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added; the hostname stated in the A record is the canonical, or official, name of the machine, and other records should point to that canonical name. A CNAME record reads left to right like any other: the alias being queried on the left, IN CNAME, and the canonical name that answers the query on the right. A machine can have an unlimited number of CNAME aliases, with a separate record entered for each alias.
"CNAME" records, short for "Canonical Name", create an alias from one name to another: every reference to the alias follows to the target name, however the target's IP address changes. Be careful, though; CNAMEs do not work everywhere. If the name you use as an MX target was defined with a CNAME, you might lose e-mail, because MX targets must be canonical names. A CNAME left pointing at a name that no longer exists (for example a decommissioned hosted service) is also a well-known way to lose control of a hostname, so remove aliases together with the hosts they pointed to.

Name Server Records (NS)
An NS record, or name server record, maps a domain name to a list of DNS servers authoritative for that domain. A zone should contain one NS record for each of its own DNS servers (primary and secondaries); these records have the same name as the zone and are used mainly for zone transfers (notify messages). The more important function of NS records is delegation, which hands part of a domain to other DNS servers. An NS record identifies a DNS server by name, not by IP address, so every machine named in an NS record for your domain must also have an A record in your DNS. There must be at least two NS records for every domain.

DNS Zones
Possible zones include:
Forward lookup zone - name-to-IP-address map.
Reverse lookup zone - IP-address-to-name map.
Standard primary zone (primary zone) - the master, writable copy of a forward or reverse lookup zone, stored in a text file.
Standard secondary zone (secondary zone) - a read-only copy of a primary (or Active Directory-integrated) zone, obtained by zone transfer.
Active Directory-integrated zone - a zone stored in Active Directory rather than in a file. The computer names and IP addresses are replicated to all domain controllers in the domain, every one of which can accept updates; in Windows 2000 this data is not replicated to domain controllers outside the domain.

DNS Record Types
A - Address record, translating a computer name into an IP address. Every computer that must be locatable by name needs one; DHCP clients normally register theirs by dynamic update, while servers with static IP addresses must have one entered.
AAAA - Host address record for IPv6.
AFSDB - Andrew File System Database resource record.
ATMA - Asynchronous Transfer Mode address resource record.
CNAME - Canonical name, allowing additional names or aliases to be used to locate a computer.
HINFO - Host information record with CPU type and operating system.
ISDN - Integrated Services Digital Network resource record.
MB - Mailbox resource record.
MG - Mail group resource record.
MINFO - Mailbox mail list information resource record.
MR - Mailbox renamed resource record.
MX - Mail exchange server record. There may be several.
NS - Name server record. There may be several.
PTR - Pointer resource record (reverse lookup).
RP - Responsible person.
RT - Route through resource record, specifying routes for certain DNS names.
SOA - Start of Authority record, defining the authoritative server and the parameters for the zone: the serial number, the refresh, retry, expire and minimum TTL timers, and the responsible person.
SRV - Service locator resource record, mapping a service to the servers providing it. Windows 2000 clients use this record to find a domain controller.
TXT - Text resource record for informative text.
WKS - Well-known service resource record.
X25 - Maps a host name to an X.25 address.

Role of WINS in the Network
Although NetBIOS and NetBIOS names can be used with network protocols other than TCP/IP, WINS was designed specifically to support NetBIOS over TCP/IP (NetBT).
WINS is required in any environment in which users access resources by NetBIOS name. Without WINS, a remote network resource cannot be reached by its NetBIOS name unless Lmhosts files are maintained, and file and print sharing connections may fail. The figure referenced here illustrates the role of WINS for computers that use NetBIOS names; typically, DHCP assigns their IP addresses automatically.

WINS Name Registration and Resolution
In a typical scenario:
1. ClientA, which uses NetBIOS and is a WINS client, sends a name registration request to its configured primary WINS server (WINSA) when it starts up and joins the network. WINSA adds ClientA's NetBIOS name and IP address to the WINS database.
2. When ClientB needs to connect to ClientA by name, it requests the IP address from the WINS server.
3. The WINS server locates the corresponding entry in its database and replies with ClientA's IP address.

Summary of WINS Benefits
WINS provides the following benefits over other NetBIOS name resolution methods:
- WINS name resolution reduces NetBIOS name query broadcast traffic, because clients query a WINS server directly instead of broadcasting.
- WINS enables the Computer Browser service to collect and distribute browse lists across IP routers.
- The dynamic WINS name-to-address database supports NetBIOS name registration and resolution where DHCP-enabled clients receive their TCP/IP addresses dynamically.
- The WINS database supports centralized management and replicates name-to-address mappings to other WINS servers.
- WINS and DNS can be used in the same environment to provide combined name searches in both namespaces.
Note that neither WINS registration nor the broadcast fallback is authenticated: any host on the segment can answer a broadcast name query with its own address, so disable NetBIOS over TCP/IP on networks where nothing still depends on it.

WINS and DNS
WINS and DNS are both name resolution services for TCP/IP networks. WINS resolves names in the NetBIOS namespace; DNS resolves names in the DNS domain namespace.
WINS primarily supports clients that run older versions of Windows and applications that use NetBIOS. Windows 2000, Windows XP and Windows Server 2003 use DNS names in addition to NetBIOS names. Environments that include some computers that use NetBIOS names and others that use domain names need both WINS servers and DNS servers.

Windows Internet Naming Service (WINS), part of the Microsoft Windows NT and 2000 servers, manages the association of workstation names with IP addresses without the user or an administrator having to be involved in each configuration change. WINS creates a name-to-IP-address mapping entry in its table automatically, checking that the name is unique and not a duplicate of someone else's computer name. When a computer is moved to another location, the subnet part of its IP address is likely to change; with WINS the new address is updated in the WINS table automatically. WINS complements the NT Server's Dynamic Host Configuration Protocol (DHCP), which assigns an IP address to a computer (such as your workstation) when it first joins the network. If you are a user on a network served by a Windows NT/2000 Server, you may see WINS mentioned in network-related programs or system messages.

DDNS - Dynamic DNS
DDNS is a service that maps Internet domain names to IP addresses and keeps the mapping current as the address changes. It serves the same purpose as DNS: it allows anyone hosting a Web or FTP server to advertise a public name to prospective users even when the server's address is assigned dynamically.

System policies (Windows NT) may be applied to any computer or user in the domain from the System Policy Editor.

How can I forcibly transfer (seize) some or all of the FSMO roles from one DC to another?
Windows 2000/2003 Active Directory domains use a single-operation-master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
Schema master - forest-wide, one per forest.
Domain naming master - forest-wide, one per forest.
RID master - domain-specific, one per domain.
PDC emulator - domain-specific, one per domain.
Infrastructure master - domain-specific, one per domain.
In most cases an administrator can leave all five FSMO role holders where the Active Directory installation process put them (on the first domain controller). There are, however, scenarios in which one or more roles should be moved to a different DC. Moving a role while both the current holder and the future holder are online and operational is called transferring, and is described in the Transferring FSMO Roles article. When the original holder has gone offline or has been non-operational for a long time, the administrator may instead have to move the role from the non-operational holder to a different DC; this is called seizing.
If a DC holding a FSMO role fails, the best course is to try to get the server online again. None of the roles is immediately critical (the PDC emulator comes closest: its loss becomes a problem unless it is fixed within a reasonable time), so it is not a problem for them to be unavailable for hours or even days. If a DC becomes unreliable, get it back online and transfer its FSMO roles to a reliable computer. Use extreme caution in seizing FSMO roles: in most cases this should be done only if the original role owner will never be brought back into the environment.
Only seize a FSMO role if it is absolutely necessary and the original role holder is not connected to the network.

What happens if you do not seize the role in time?
FSMO role - Loss implications
Schema - The schema cannot be extended. In the short term nobody will notice a missing Schema Master unless a schema upgrade is planned during that time.
Domain Naming - Unless you are going to run DCPROMO (add or remove a domain), you will not miss this role.
RID - Chances are good that the existing DCs have enough unused RIDs in their pools to last some time, unless you are creating hundreds of user or computer objects per week.
PDC Emulator - Will be missed soon. NT 4.0 BDCs cannot replicate, there is no time synchronization in the domain, you will probably be unable to change or troubleshoot Group Policy, and password changes become a problem.
Infrastructure - Group memberships may be incomplete in a multi-domain forest. With a single domain there is no impact.

Important: if the RID, Schema or Domain Naming role is seized, the original domain controller must never be brought back into the forest. Windows must be reinstalled if that server is to be used again. The seizing restrictions are:
FSMO role - Restriction
Schema - original must be reinstalled
Domain Naming - original must be reinstalled
RID - original must be reinstalled
PDC Emulator - can be transferred back to the original
Infrastructure - can be transferred back to the original

Another consideration before seizing is the administrator's group membership:
FSMO role - Administrator must be a member of
Schema - Schema Admins
Domain Naming - Enterprise Admins
RID - Domain Admins
PDC Emulator - Domain Admins
Infrastructure - Domain Admins

Note: all five roles must exist in the forest. If the first domain controller has left the forest, seize all roles.
Decide which roles go on which remaining domain controllers, so that all five roles do not end up on a single server. Repeat the seize for each role that must be seized. After you have seized or transferred the roles, type q and press ENTER until you have quit the Ntdsutil tool.

Note: do not put the Infrastructure Master (IM) role on a domain controller that is also a Global Catalog server, unless every domain controller in the domain is a Global Catalog (or the forest has a single domain, in which case the role has nothing to do). A GC holds a partial replica of every object in the forest, so an IM running on a GC never sees a reference to an object it does not hold and stops updating object information.

How can I migrate users and groups from my NT 4.0 domain to a Windows 2000 domain?
The Active Directory Migration Tool provides an easy, secure and fast way to migrate to the Windows 2000 Active Directory service. As a system administrator you can use the tool to diagnose possible problems before starting migration operations to Windows 2000 Server Active Directory, then use the task-based wizard to migrate users, groups and computers, set correct file permissions, and migrate Microsoft Exchange Server mailboxes. Its reporting feature lets you assess the impact of the migration both before and after move operations, and in many cases its rollback features can restore the previous structures automatically if there is a problem. The tool also supports parallel domains, so you can keep your existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: to run the AD Migration Tool successfully the source domain must be running Windows NT 4.0 Service Pack 4 or later, and the target domain must be a Windows 2000 domain in native mode.
The Active Directory Migration Tool version 3 (ADMT v3) simplifies restructuring your operating environment to meet the needs of your organization.
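Returning to the FSMO procedure above: the decision of transfer versus seize, the rule that a seized Schema, Domain Naming or RID holder must never come back, and the Infrastructure Master placement note can all be encoded so that nobody seizes by accident. The following PowerShell is an added example for these notes, not a procedure from the original page or from Microsoft. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), Test-NetConnection (Windows 8.1 / Server 2012 R2 or later), and the DC name DC02 used in the usage lines is a placeholder.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and Test-NetConnection.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest roles come from Get-ADForest, domain roles from Get-ADDomain
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $f = Get-ADForest
    $d = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Target,      # DC that should hold the role(s)
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$AllowSeize                         # only when the old holder is never coming back
    )
    $holders = Get-FsmoHolders
    $dcs     = Get-ADDomainController -Filter *
    $short   = { param($n) ($n -split '\.')[0] }   # compare on host name, holders are FQDNs
    foreach ($r in $Role) {
        $current = [string]$holders.$r
        if ((& $short $current) -ieq (& $short $Target)) {
            Write-Verbose "$r is already held by $Target"
            continue
        }
        # Placement rule from the notes: an Infrastructure Master on a GC stops updating
        # cross-domain references unless every DC in the domain is also a GC.
        if ($r -eq 'InfrastructureMaster') {
            $tgt = $dcs | Where-Object { (& $short $_.HostName) -ieq (& $short $Target) }
            if ($tgt.IsGlobalCatalog -and ($dcs | Where-Object { -not $_.IsGlobalCatalog })) {
                Write-Warning "$Target is a Global Catalog and not all DCs are; pick another holder for $r"
            }
        }
        # Reachable holder: transfer. Unreachable holder: seize, but only when explicitly allowed.
        $online = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($online) {
            if ($PSCmdlet.ShouldProcess($Target, "transfer $r from $current")) {
                Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Confirm:$false
            }
        } elseif ($AllowSeize) {
            if ($PSCmdlet.ShouldProcess($Target, "SEIZE $r from unreachable $current")) {
                Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Force -Confirm:$false
                if ($r -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
                    Write-Warning "$current must never rejoin the forest: clean up its metadata and rebuild it"
                }
            }
        } else {
            throw "$current (holder of $r) is unreachable on TCP 389; rerun with -AllowSeize only if it will not return"
        }
    }
    Get-FsmoHolders    # show the result
}

# Dry run first, then the real move (DC02 is an assumed name):
# Move-FsmoRole -Target 'DC02' -Role PDCEmulator,RIDMaster -WhatIf
# Move-FsmoRole -Target 'DC02' -Role PDCEmulator,RIDMaster
```

The -Force switch on Move-ADDirectoryServerOperationMasterRole is what turns a transfer into a seize, which is why the wrapper only adds it behind -AllowSeize and a ShouldProcess prompt; netdom query fsmo gives the same before-and-after view as Get-FsmoHolders on older tooling.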
ADMT v3 can migrate users, groups and computers from Windows NT 4.0 domains to Active Directory domains, between Active Directory domains in different forests (interforest migration), and between Active Directory domains in the same forest (intraforest migration). It also performs security translation from Windows NT 4.0 domains to Active Directory domains and between Active Directory domains in different forests.

Ntdsutil
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use it to perform database maintenance on the Active Directory store, to manage and control the Flexible Single Master Operations (FSMO), and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. It is intended for experienced administrators. Its top-level menu:
? - Print this help information
Authoritative restore - Authoritatively restore the DIT database
Domain management - Prepare for new domain creation
Files - Manage NTDS database files
Help - Print this help information
IPDeny List - Manage LDAP IP Deny List
LDAP policies - Manage LDAP protocol policies
Metadata cleanup - Clean up objects of decommissioned servers
Popups %s - (en/dis)able popups with "on" or "off"
Quit - Quit the utility
Roles - Manage NTDS role owner tokens
Security account management - Manage Security Account Database - Duplicate SID Cleanup
Semantic database analysis - Semantic Checker

Metadata cleanup
Cleans up metadata for failed domain controllers.
When a failed domain controller held the only copy of one or more domains or application directory partitions (also called "naming contexts"), metadata cleanup also removes the metadata for those domains or partitions. The version of Ntdsutil.exe included with Windows Server 2003 Service Pack 1 (SP1) also removes the File Replication Service (FRS) connections of the retired domain controller and attempts to transfer or seize any operations master roles it held.

Windows 2000 and Windows Server 2003
Unlike the transformation of the directory service architecture between Windows NT and Windows 2000, the changes between Windows 2000 and Windows Server 2003 are incremental. Windows Server 2003 keeps the Windows 2000 Active Directory structure, in which each domain controller holds a read-write copy of the AD database and multi-master replication keeps everything up to date. In the Windows Server 2003 Active Directory Users & Computers MMC snap-in you can move an object from one location in the directory tree to another by drag-and-drop instead of right-clicking it and selecting "Move", as Windows 2000 required. You can also select multiple objects at once for editing or deletion, and save commonly used queries in the ADUC console window. If you are going to work with more than one object at a time, though, I would recommend leaving the MMC console and using command-line tools or scripts to take some of the administrative burden away.

New command-line tools
Windows Server 2003 includes a number of built-in command-line tools that were not available in Windows 2000, including:
- dsadd - creates objects from the command line
- dsmove - moves an object from one OU or container to another within the same domain
- dsrm - deletes an object from Active Directory
- dsquery - returns an object or list of objects matching criteria you specify
- dsget - returns one or more attributes of a particular Active Directory object

Differences between Windows 2000 and Windows Server 2003:
A) A Windows 2000 domain cannot be renamed; Windows Server 2003 supports domain rename.
B) Windows 2000 Advanced Server supports 8 processors and 8 GB of RAM (Datacenter Server: 32 processors and 64 GB); Windows Server 2003 Datacenter Edition supports up to 64 processors and 512 GB of RAM.
C) Windows 2000 ships IIS 5.0; Windows Server 2003 ships IIS 6.0.
D) Windows 2000 has no built-in .NET Framework; Windows Server 2003 includes the .NET Framework 1.1.
E) Windows 2000 comes in Server, Advanced Server and Datacenter Server editions; Windows Server 2003 comes in Standard, Enterprise, Datacenter and Web editions.
F) Windows 2000 has no mainstream 64-bit server edition; Windows Server 2003 has x64 Standard and Enterprise editions (and Itanium editions).
G) Windows 2000 has a basic DFS with a single defined root per server; Windows Server 2003 has enhanced DFS support with multiple roots per server.
H) Administering large or complex networks is harder in Windows 2000; Windows Server 2003 eases administration of both simple and complex networks.
I) In Windows 2000 you can create about 1 million users; in Windows Server 2003, about 1 billion.
J) Windows Server 2003 adds the Volume Shadow Copy Service, which creates point-in-time snapshots of a disk for backup and disaster recovery; Windows 2000 has no such service.
K) Windows 2000 has no dedicated Group Policy management tool; for Windows Server 2003 Microsoft provides the Group Policy Management Console (GPMC, a separate download) for end-to-end policy management.
L) Windows 2000 supports cross-domain trusts; Windows Server 2003 adds cross-forest trusts.
M) Windows 2000 supports 4-node clustering (Datacenter Server; 2 nodes in Advanced Server); Windows Server 2003 supports 8-node clustering.
N) Windows Server 2003 has a larger Hardware Compatibility List (HCL) from Microsoft.
O) Windows 2000 is NT 5.0 internally; Windows Server 2003 is NT 5.2 (NT 5.1 is Windows XP).
P) Windows Server 2003 R2 adds Active Directory Federation Services (ADFS), used for authenticated access between organizations and branches.
Q) Windows Server 2003 R2 improves storage management with File Server Resource Manager (FSRM).
R) Windows Server 2003 offers Windows SharePoint Services, an integrated portfolio of collaboration and communication services designed to connect people, information, processes and systems both within and beyond the organizational firewall.
S) Windows Server 2003 has improved print management compared with Windows 2000.
T) Windows Server 2003 includes a Telnet server (installed but disabled by default).
U) Windows 2000 supports IPv4 (IPv6 only as a technology preview); Windows Server 2003 supports IPv4 and IPv6.

Kerberos User Authentication Protocol in Windows 2000
In matters of authentication, Windows 2000 is fully backward compatible (NTLM remains available for older clients). This article focuses on Kerberos user authentication in a pure Windows 2000 environment: authentication between Windows 2000 servers and Windows 2000 clients.

Domain functional levels
You may already know that Windows 2000 Server supports native and mixed modes for Active Directory. A Windows 2000 domain in mixed mode can include Windows NT backup domain controllers, but a handful of features available in native mode, such as universal security groups, group nesting and SID history, are not available. Switching a Windows 2000 domain to native mode enables these features at the cost of no longer allowing Windows NT BDCs in the domain. Windows Server 2003 generalizes this into domain functional levels:
Windows 2000 Mixed - Allows universal distribution groups but not universal security groups, and nesting of distribution groups but not of security groups, with the exception of domain local security groups, which can contain global groups.
Group conversion between group types is disabled, as is SID history. Windows NT 4.0, Windows 2000 Server and Windows Server 2003 domain controllers are supported.
Windows 2000 Native - Adds universal security groups, conversion between security and distribution groups, and full group nesting. Enables SID history, supporting migration of security principals from one domain to another. Supports Windows 2000 Server and Windows Server 2003 domain controllers.
Windows Server 2003 Interim - Available only when upgrading Windows NT Server to Windows Server 2003. Provides improved replication and a handful of other features that ease migration to Windows Server 2003 Active Directory.
Windows Server 2003 - Effectively Windows Server 2003's native mode. Adds support for the Domain Controller Rename tool, the lastLogonTimestamp attribute on user and computer accounts for logon tracking, and the ability to set the userPassword attribute of InetOrgPerson objects as the effective password. Supports only Windows Server 2003 domain controllers.

Trusts
Configuring security in an environment with a single domain is relatively easy and generally requires only setting up security groups and user accounts and, optionally, Group Policy for change control. As the network grows, structuring security and resource sharing becomes more complex, particularly once multiple domains are needed to give the network adequate structure. That is when trust relationships come into play.
A trust relationship enables one domain to trust another for authentication: the trusting domain allows accounts in the trusted domain to authenticate to it. For example, assume that domain A trusts domain B. Domain A is the trusting domain and domain B is the trusted domain.
Domain A will allow user accounts from domain B to authenticate and access resources in domain A. Trust relationships like this simplify domain and Active Directory structuring and management: you do not have to provision accounts in domain A for the users of domain B and deal with the synchronization and management headaches that would entail.
In Windows NT, trust relationships are always one-way. Domain A trusts domain B, for example, but domain B does not trust domain A unless you create a trust in that direction. Windows NT trusts are also non-transitive, meaning the trust does not extend to adjacent domains: if domain A trusts domain B and domain B trusts domain C, domain A does not trust domain C.
In Windows 2000 Server and Windows Server 2003, trusts within a forest are transitive by default: if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C. Access to resources in a trusting domain does not follow automatically, however; you must still grant permissions on resources in the trusting domain to users of the trusted domain. Transitivity also means that the security of every domain in the chain rests on the weakest of them, which is why external trusts to domains you do not control stay non-transitive.
Although all trust relationships accomplish essentially the same thing, enabling one domain to trust another, different types of trust exist, and you need to understand their roles before structuring a large network.

Parent/child trusts
Active Directory domains form a hierarchy of domain trees. The domain above another in a tree is the parent; the one below is the child. For example, in my domain boyce.us, support.boyce.us would be a child domain, with boyce.us as the parent. When you create a new child domain in Active Directory, it automatically has a transitive trust relationship with its parent domain and vice versa.
Therefore parent/child trusts are always two-way, transitive trusts.

Tree-root trusts
The tree and forest analogy confuses some Active Directory newcomers, at least until they realize that domain trees grow upside-down: the root domain sits at the logical top of the forest and the trees branch out underneath it. Suppose the first domain created in the forest, and therefore its root, is then joined by two more domain trees, one for sales and one for support; the sales tree might contain further domains of its own, such as an east and a west child domain.
A tree-root trust establishes trust between a domain tree and the forest root. Because these trusts are two-way and transitive, they ultimately let one domain tree in the forest trust another: users in the sales tree could access resources in the support tree if they had the necessary permissions.

External and realm trusts
An external trust lets you create a trust with a Windows NT domain, or with an Active Directory domain in another forest that is not connected by a forest trust. External trusts can be one-way or two-way but are always non-transitive. When you create an external trust, security principals (users, groups, computers or services) in the external domain can access resources in the internal domain, and domain local groups in the internal domain can contain security principals from the external domain.
A realm trust establishes a trust with an external, non-Windows Kerberos v5 realm. Realm trusts support cross-platform authentication and resource sharing between Active Directory domains and UNIX-based security services, and can be transitive or non-transitive, one-way or two-way.

Forest trusts
A forest trust establishes trust between the forest root domain of one forest and the forest root domain of another forest.
A forest trust is transitive and can be one-way or two-way. The transitivity matters: once the forest trust is in place, security principals from every domain in the trusted forest can access resources in every domain of the trusting forest, given the necessary permissions in the target domains. In a two-way forest trust this naturally goes both ways. Because the trust reaches every domain, keep SID filtering enabled on it (Windows Server 2003 applies it by default to new forest and external trusts; it stops a SID history value on the other side from being used to claim privileges in your forest) and consider selective authentication, which limits the trusted forest's users to the servers you explicitly grant them access to.
Although forest trusts are transitive between the two forests they join, they are not transitive to other forests that also have forest trusts. If you create a two-way forest trust between Forest A and Forest B and another between Forest B and Forest C, domains in A can access resources in B but not in C, and C can access B but not A.

Shortcut trusts
In a forest, authentication requests must follow a trust path between the source and destination domains: a request moves up the tree to the root domain and then down the other tree to the target domain. Shortcut trusts, which are transitive and can be one-way or two-way, speed up authentication between two domains in different trees of the same forest by providing a direct path from one to the other. They are particularly useful when users in one domain frequently need resources in a domain of another tree.
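The trust properties discussed in this section (direction, transitivity, SID filtering, selective authentication) are all visible on the trust object, so they can be audited rather than remembered. The following PowerShell is an added example written for these notes, not code from the original page: it decodes the trustAttributes bit flags documented in MS-ADTS and reports the settings a reviewer would question on each external or forest trust. The audit works on any objects carrying the Get-ADTrust property names; the ActiveDirectory module (RSAT) is needed only for the live query, and the trust names in the sample are constructed.

```powershell
# Added example. trustAttributes bit meanings are from MS-ADTS section 6.1.6.7.9.
function Get-TrustFindings {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Trust)
    begin {
        $NON_TRANSITIVE        = 0x1
        $QUARANTINED           = 0x4     # SID filtering quarantine on an external trust
        $FOREST_TRANSITIVE     = 0x8     # this is a forest trust
        $CROSS_ORG             = 0x10    # selective authentication
        $WITHIN_FOREST         = 0x20    # parent/child, tree-root or shortcut trust
        $TREAT_AS_EXTERNAL     = 0x40    # forest trust with SID filtering relaxed to external-trust level
        $ENABLE_TGT_DELEGATION = 0x800   # unconstrained delegation allowed across the trust
    }
    process {
        foreach ($t in $Trust) {
            $attr   = [int]$t.TrustAttributes
            $issues = @()
            if (-not ($attr -band $WITHIN_FOREST)) {
                if ($attr -band $FOREST_TRANSITIVE) {
                    if ($attr -band $TREAT_AS_EXTERNAL) { $issues += 'forest SID filtering relaxed (treat as external)' }
                } elseif (-not ($attr -band $QUARANTINED)) {
                    $issues += 'SID filtering quarantine off'
                }
                if (-not ($attr -band $CROSS_ORG))      { $issues += 'domain-wide authentication (no selective auth)' }
                if ($attr -band $ENABLE_TGT_DELEGATION)  { $issues += 'TGT delegation enabled across the trust' }
                if ($t.Direction -eq 'BiDirectional')    { $issues += 'two-way; confirm the inbound leg is needed' }
            }
            if ($t.TrustType -eq 'Downlevel') { $issues += 'NT 4.0 style trust (NTLM only)' }
            $findings = 'none'
            if ($issues) { $findings = $issues -join '; ' }
            [pscustomobject]@{
                Name        = $t.Name
                Type        = $t.TrustType
                Direction   = $t.Direction
                IntraForest = [bool]($attr -band $WITHIN_FOREST)
                Transitive  = -not ($attr -band $NON_TRANSITIVE)
                Findings    = $findings
            }
        }
    }
}

# Constructed sample: a child-domain trust, a hardened one-way forest trust, an external
# trust that was never quarantined, and a leftover NT 4.0 trust.
$sample = @(
    [pscustomobject]@{ Name = 'sales.corp.example'; TrustType = 'Uplevel';   Direction = 'BiDirectional'; TrustAttributes = 0x20 }
    [pscustomobject]@{ Name = 'partner.example';    TrustType = 'Uplevel';   Direction = 'Outbound';      TrustAttributes = 0x8 -bor 0x10 }
    [pscustomobject]@{ Name = 'vendor.example';     TrustType = 'Uplevel';   Direction = 'BiDirectional'; TrustAttributes = 0x800 }
    [pscustomobject]@{ Name = 'LEGACYNT';           TrustType = 'Downlevel'; Direction = 'Inbound';       TrustAttributes = 0x1 }
)
$sample | Get-TrustFindings | Format-Table -AutoSize

# Live use (uncomment): every trust of the current domain that needs a second look
# Get-ADTrust -Filter * | Get-TrustFindings | Where-Object Findings -ne 'none'
```

Reading the bits directly, rather than the friendlier boolean properties Get-ADTrust also exposes, keeps the check identical on every Windows version and makes the output easy to cross-check against netdom trust output or an LDAP dump of the trustedDomain objects.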
Rather than follow the entire trust path from one tree to the other, the authentication requests can take the shortcut directly from one domain to the other.

Features of Windows 2003

ACTIVE DIRECTORY

Easier deployment and management
- ADMT version 2.0: migrates passwords from NT4 to 2000 to 2003, or from 2000 to 2003
- Domain Rename: supports changing the Domain Name System and/or NetBIOS name
- Schema Redefine: allows deactivation of attributes and class definitions in the Active Directory schema
- AD/AM: Active Directory in Application Mode is a new capability of AD that addresses certain deployment scenarios related to directory-enabled applications
- Group Policy improvements: introduced the GPMC tool to manage group policy
- UI: enhanced user interface

Greater security
- Cross-forest authentication
- Cross-forest authorization
- Cross-certification enhancements
- IAS and cross-forest authentication
- Credential Manager
- Software Restriction Policies

Improved performance and dependability
- Easier logon for remote offices
- Group membership replication enhancements
- Application directory partitions
- Install replica from media
- Dependability improvements: an updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000

FILE AND PRINT SERVICES
- Volume Shadow Copy Service
- NTFS journaling file system
- EFS
- Improved CHKDSK performance
- Enhanced DFS and FRS
- Shadow copies of shared folders
- Enhanced folder redirection
- Remote document sharing (WebDAV)

IIS
- Fault-tolerant process architecture: the IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools.
- Health monitoring: IIS 6.0 periodically checks the status of an application pool, with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability.
  IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time.
- Automatic process recycling: IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests.
- Rapid-fail protection: if an application fails too often within a short amount of time, IIS 6.0 automatically disables it and returns a "503 Service Unavailable" error message to any new or queued requests to the application.
- Edit-While-Running

DHCP

DHCP is the process by which a client obtains an IP address. There is a four-way negotiation process between client and server:
1. DHCP Discover (initiated by client)
2. DHCP Offer (initiated by server)
3. DHCP Select (initiated by client)
4. DHCP Acknowledgement (initiated by server)
A DHCP Negative Acknowledgement is initiated by the server if any issue arises after the DHCP Offer.

Difference between FAT, NTFS and NTFS Version 5

NTFS Version 5 features:
- Encryption is possible
- Disk quotas can be enabled
- File compression is possible
- Sparse files
- Indexing Service
- NTFS change journal

In the FAT file system we can apply only share-level security; file-level protection is not possible.
In NTFS we can apply both share-level and file-level security. NTFS supports larger partition sizes than FAT file systems. NTFS supports longer file names than FAT file systems.

What are the port numbers for FTP, Telnet, HTTP, DNS?
- FTP: 20 (data), 21 (control)
- SMTP: 25
- Telnet: 23
- HTTP: 80
- DNS: 53
- Kerberos: 88
- LDAP: 389
- POP3: 110
- HTTPS: 443
- IMAP: 323
- SNMP: 161
- Global Catalog: 3268
- Terminal Services: 3389
- RDP: 3389
- File sharing: 445

What are the different types of profiles in 2000?
- Local profiles
- Roaming profiles
- Mandatory profiles

What are the database files used for Active Directory?
The key AD database files are edb.log, ntds.dit, res1.log, res2.log, and edb.chk, all of which reside in %systemroot%\ntds on a domain controller (DC) by default. During AD installation, Dcpromo lets you specify alternative locations for these log files and database files. The database itself is NTDS.DIT.

What is the location of the AD database?
%SystemRoot%\NTDS\NTDS.DIT

What is the authentication protocol used in NT?
NTLM (NT LAN Manager)

What are subnetting and supernetting?
Subnetting is the process of borrowing bits from the host portion of an address to provide bits for identifying additional sub-networks. Supernetting merges several smaller, contiguous blocks of IP addresses (networks) into one larger block of addresses; borrowing network bits to combine several smaller networks into one larger network is supernetting.

What is the use of Terminal Services?
Terminal Services can be used in Remote Administration mode to administer a server remotely, as well as in Application Server mode to run an application on one server so that users can log on to that server to use the application.

What is the protocol used for Terminal Services?
RDP

What is the difference between an authorized and a non-authorized DHCP server?
To avoid network problems caused by misconfigured DHCP servers, a DHCP server in Windows 2000 must be validated by AD before it starts serving clients.
If the DHCP server finds that it is not authorized in AD, it stops serving clients.

Difference between inter-site and intra-site replication, and the protocols used for replication
Intra-site replication takes place between the domain controllers in the same site. Inter-site replication takes place between two different sites over WAN links. A bridgehead server (BHS) is responsible for initiating replication between the sites; inter-site replication is done between the BHS in one site and the BHS in another site. We can use RPC over IP or SMTP as replication protocols, whereas the domain partition cannot be replicated using SMTP.

How to monitor replication
We can use the Replmon tool from the Support Tools.

Brief explanation of RAID levels
Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic.

Basic disk storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.

Dynamic disk storage
Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes.
With dynamic storage, you can perform disk and volume management without the need to restart Windows.

Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers. You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Datacenter editions of Windows Server 2003.

Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes. A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.

Stub zone

Understanding stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces.
This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

What is the physical and logical structure of AD?
The Active Directory physical structure is a hierarchical structure which follows Forests, Trees, Domains, Child Domains, Grandchild Domains, and so on.
Active Directory is logically divided into 3 partitions (4 in Windows 2003):
1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003; not available in Windows 2000)
Of these, the Configuration and Schema partitions are replicated between the domain controllers in the entire forest, whereas the Domain partition is replicated only between the domain controllers in the same domain.

What is the process of user authentication (Kerberos V5) in Windows 2000?
After the user enters logon credentials, an encryption key is generated which is used to encrypt the time stamp of the client machine. The user name and the encrypted time stamp are sent to the domain controller for authentication. The domain controller, using the password information stored in AD for that user, decrypts the encrypted time stamp. If the produced time stamp matches its own time stamp, it provides a logon session key and a ticket-granting ticket to the client in encrypted form. The client in turn decrypts these, and if the produced time stamp information matches, it uses the logon session key to log on to the domain.
The ticket-granting ticket is used to obtain a service-granting ticket when accessing network resources.

What is DFS and its usage?
DFS is a distributed file system used to provide a common environment for users to access files and folders even when they are physically shared on different servers. There are two types of DFS: domain DFS and stand-alone DFS. We cannot provide redundancy for stand-alone DFS in case of failure. Domain DFS is used in a domain environment and can be accessed as \\domain name\root1 (root1 is the DFS root name). Stand-alone DFS can be used in a workgroup environment and can be accessed as \\server name\root1 (root1 is the DFS root name). In both cases we need to create a DFS root (which appears like a shared folder to end users) and DFS links (logical links pointing to the server where the folder is physically shared).
- The maximum number of DFS roots per server is 1.
- The maximum number of DFS root replicas is 31.
- The maximum number of DFS roots per domain is unlimited.
- The maximum number of DFS links or shared folders in a DFS root is 1,000.

What is the tombstone period?
Tombstones are objects marked for deletion. After deleting an object in AD, the object is not deleted permanently. It remains for 60 days by default (which is configurable); AD marks the object as deleted and replicates that mark to all DCs. After 60 days the object is deleted permanently from all DCs.

What are the (two) services required for replication?
- File Replication Service (FRS)
- Knowledge Consistency Checker (KCC)

How to create an application partition in Windows 2003, and its usage?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition.
Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

What is the universal group membership cache in Windows 2003?
Once this option is enabled and a user attempts to log on for the first time, the domain controller obtains the universal group membership for that user from a global catalog and stores it locally. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 obtains the universal group membership information from its local cache without needing to contact a global catalog. By default, the universal group membership information contained in the cache of each domain controller is refreshed every 8 hours.

GPMC and RSoP in Windows 2003?
GPMC is a tool used for managing group policies. It displays information such as how many policies are applied, on which OUs the policies are applied, what settings are enabled in each policy, which users are affected by these policies, and who is managing these policies.
GPMC displays all of the above information.

RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine the set of applied policies and their precedence (the order in which policies are applied).

What is KCC?
The Knowledge Consistency Checker (KCC), which manages connection objects for inter- and intra-site replication, ascertains whether you need to create new objects or delete existing objects. The KCC runs every 15 minutes by default.

FRS
File Replication Service (FRS) is a technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and in Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multimaster replication service, any server that participates in replication can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.

By keeping files and folders synchronized across servers, FRS enables organizations to increase the availability of data. If one server becomes unavailable, the files are still available because they exist on another server. Using multiple servers to host data also helps organizations that have offices in multiple geographic locations, because clients can access servers in or closest to their current site and do not need to use expensive WAN links to access data. There are numerous methods for keeping files synchronized on servers.
Although SYSVOL requires FRS, DFS shared folders can be kept synchronized by using methods other than FRS, such as manual copying, Robocopy, or other replication tools. FRS provides numerous benefits that other replication methods do not.

LDAP
LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.

Every email program has a personal address book, but how do you look up an address for someone who's never sent you email? How can an organization keep one centralized, up-to-date phone book that everybody has access to? That question led software companies such as Microsoft, IBM, Lotus, and Netscape to support a standard called LDAP. "LDAP-aware" client programs can ask LDAP servers to look up entries in a wide variety of ways. LDAP servers index all the data in their entries, and "filters" may be used to select just the person or group you want and return just the information you want. For example, here's an LDAP search translated into plain English: "Search for all people located in Chicago whose name contains 'Fred' that have an email address. Please return their full name, email, title, and description."

LDAP is not limited to contact information, or even information about people. LDAP is used to look up encryption certificates, pointers to printers and other services on a network, and to provide "single sign-on" where one password for a user is shared between many services. LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm.

As a protocol, LDAP does not define how programs work on either the client or server side. It defines the "language" used for client programs to talk to servers (and servers to servers, too). On the client side, a client may be an email program, a printer browser, or an address book.
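The plain-English search above, written as an actual LDAP filter and run from PowerShell, as an added example that is not part of the original notes. Every user-supplied value is escaped per RFC 4515 so it cannot widen the filter; the server name and base DN are assumptions, and the attribute names (l, cn, mail, title, description) are the standard X.500/inetOrgPerson ones.

```powershell
# Added example, not from the original page: turn the plain-English query above
# into an LDAP search filter (RFC 4515 syntax) with every user-supplied value
# escaped, so that a value such as "Chicago)(objectClass=*" cannot widen the
# search (LDAP filter injection), then run it over an SSL-protected connection.
# Server name and base DN are assumptions; attribute names are the standard ones.

function ConvertTo-LdapFilterValue {
    # RFC 4515: inside a filter value, * ( ) \ and NUL must be written as a
    # backslash followed by the two-digit hex code of the character.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $escapes = @{ '*' = '\2a'; '(' = '\28'; ')' = '\29'; '\' = '\5c'; "`0" = '\00' }
    $chars = foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($escapes.ContainsKey($s)) { $escapes[$s] } else { $s }
    }
    -join $chars
}

function New-PeopleFilter {
    # Shape of the result: (&(objectClass=person)(l=<city>)(cn=*<name>*)(mail=*))
    param(
        [string]$City,           # locality attribute "l"
        [string]$NameContains,   # substring of the common name "cn"
        [switch]$RequireMail     # presence test: the entry has a mail attribute
    )
    $terms = @('(objectClass=person)')
    if ($City)         { $terms += '(l=' + (ConvertTo-LdapFilterValue $City) + ')' }
    if ($NameContains) { $terms += '(cn=*' + (ConvertTo-LdapFilterValue $NameContains) + '*)' }
    if ($RequireMail)  { $terms += '(mail=*)' }
    '(&' + ($terms -join '') + ')'
}

function Search-People {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$Server = 'ldap.example.internal',              # assumption
        [string]$BaseDn = 'ou=People,dc=example,dc=internal',   # assumption
        [string[]]$Attributes = @('cn', 'mail', 'title', 'description')
    )
    # LDAP over SSL on 636: the notes point out that LDAP itself carries no
    # encryption, so credentials and results need the TLS wrapper.
    $root = [System.DirectoryServices.DirectoryEntry]::new("LDAP://${Server}:636/${BaseDn}")
    $root.AuthenticationType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                               [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter, $Attributes)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($a in $Attributes) { $row[$a] = @($result.Properties[$a]) -join '; ' }
        [pscustomobject]$row
    }
}

# The query from the text, and the same builder fed a hostile city value; compare
# the two filters to see the escaping at work.
$filter = New-PeopleFilter -City 'Chicago' -NameContains 'Fred' -RequireMail
$filter
New-PeopleFilter -City 'Chicago)(objectClass=*' -RequireMail
# Search-People -Filter $filter | Format-Table -AutoSize   # needs a reachable directory
```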
The server may speak only LDAP, or have other methods of sending and receiving data; LDAP may just be an add-on method.

If you have an email program (as opposed to web-based email), it probably supports LDAP. Most LDAP clients can only read from a server. Search abilities of clients (as seen in email programs) vary widely. A few can write or update information, but LDAP does not include security or encryption, so updates usually require additional protection such as an encrypted SSL connection to the LDAP server.

LDAP also defines:
- Permissions, set by the administrator to allow only certain people to access the LDAP database, and optionally keep certain data private.
- Schema: a way to describe the format and attributes of data in the server. For example, a schema entered in an LDAP server might define a "groovyPerson" entry type, which has attributes of "instantMessageAddress" and "coffeeRoastPreference". The normal attributes of name, email address, etc., would be inherited from one of the standard schemas, which are rooted in X.500.

DCPROMO /ADV = Promote Remote Domain Controllers
Creates an additional domain controller from restored backup files. Basically, it lets you build a domain controller from a backed-up copy of Active Directory, so after a reboot the new domain controller only has to replicate the changes from a distant server.

What's port 445 used for in Windows 2000/XP?
Among the new ports used by Windows 2000, Windows XP and Windows Server 2003 is TCP port 445, which is used for SMB over TCP. The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

At its simplest, NetBIOS on your LAN may just be a necessary evil.
NetBIOS on your WAN or over the Internet, however, is an enormous security risk. All sorts of information, such as your domain, workgroup and system names, as well as account information, is obtainable via NetBIOS. It really is in your best interests to ensure that NetBIOS never leaves your network.
- If you are using a router as your Internet gateway, ensure that it does not allow inbound or outbound traffic via TCP ports 135-139.
- If you're using a firewall, you should also block the same ports, TCP 135-139.
- If you are using a multi-homed machine (more than one network card), disable NetBIOS, under the TCP/IP properties, on every network card or dial-up connection that is not part of your local network.

Deadline in WSUS
Set a deadline for automatic installation. When you select this option, you set specific times and dates to install updates, overriding any settings on the client computers. In addition, you can specify a past date for the deadline if you want to run an approval action immediately (that is, when the client computers next contact the WSUS server).

What is ARP?
ARP stands for Address Resolution Protocol. The ARP protocol is used to map IP addresses to MAC addresses.

ASR Backup
The simplest way to back up your system with ASR is to use the Backup or Restore Wizard that starts by default when you select Accessories→System Tools→Backup. Simply start the wizard, select "Back up files and settings," and choose the option to back up "All information on this computer." Then, specify the remaining backup job parameters as usual. The result is that all information on your hard drives is backed up, including the boot, system, and data volumes. Later, should a disaster occur, you can restore your system by using the ASR restore process to the exact configuration it had earlier.

The backup is done by using shadow copies to ensure that any open files on the system and boot volumes are properly backed up.
Note, however, that this applies mainly to the system and boot volumes, which are critical for a successful ASR backup. While shadow copies are also used to back up data volumes, these shadow copies are deleted afterward unless you've specifically enabled shadow copies on those volumes to help protect users' work from accidental loss or damage.

An alternative method for performing an ASR backup is to start Backup and switch to Advanced Mode. Then, under the Welcome tab (Figure 1), select the Automated System Recovery Wizard button. This wizard lets you back up only the information on your system and boot volumes that is critical to restoring your system; it does not back up any data volumes, which are usually best left for your regular backup program to handle anyway.

Figure 1. Starting the Automated System Recovery Wizard

During the ASR backup process, you're asked to insert a blank, formatted floppy to create a system recovery disk (commonly called an ASR floppy). This floppy is critical to the ASR restore process, so it's worth digging a little deeper into how it's used. The ASR backup process saves two files onto your floppy: the ASR state file (asr.sif), which contains information about the disk signatures and configuration of disk volumes on your machine, and asrpnp.sif, which contains information about the Plug and Play devices on your system. These two files are critical for the recovery of your system, because they connect the underlying hardware configuration with the operating system above it. As we'll see in a moment, you need to insert this floppy at the beginning of the ASR restore in order to rebuild the disk subsystem and hardware configuration of your system before restoring the contents of the system and boot volumes.

What if you have no floppy disk drive on your machine? Fortunately, you can still use ASR to back up your system, but it's a bit of a workaround.
During the ASR backup process, copies of the asr.sif and asrpnp.sif files are also saved in the %SystemRoot%\Repair folder on your server. So, when you receive a prompt at the end of the backup process to insert a floppy, simply ignore the prompt and instead copy asr.sif and asrpnp.sif from Repair to a network share on another server (one that has a floppy disk drive installed). Then, copy the files from the share on that server to a blank floppy you insert into its drive, and you now have a working ASR floppy for your backup. Then, go buy a USB external floppy drive, because you'll need it if you ever have to rebuild your original server from the backup set you created. In other words, you can perform an ASR backup without a floppy, but you cannot perform an ASR restore without one.

What if you lose your ASR floppy? The procedure just described will work in this case too. Just insert a new blank, formatted floppy into your server and copy asr.sif and asrpnp.sif from the Repair directory to the floppy. Note that these files must be located in the root folder of the floppy for the restore process to work, so use a separate floppy for each ASR backup; don't try to combine several ASR backups in different folders on one floppy.

However, since the Repair directory is located on the boot volume of the system itself, if your system volume is toast, then so is your Repair directory and the files within it. So, what if you've lost your ASR floppy and the Repair directory is gone with your hard drive? There's still a workaround that can save your bacon: use the Backup utility on a different machine to open the backup catalog for the ASR backup set you want to restore, expand the %SystemRoot%\Repair directory on the boot volume, select asr.sif and asrpnp.sif as the files you want to restore, insert a blank floppy, and restore these two files to the root of the floppy. Presto!
You now have a recovered ASR floppy you can use to initiate a restore.

ASR Restore
The ASR restore process in a nutshell is as follows: first, the disk configurations are restored; then, your system and boot volumes are formatted; and, finally, a bare-bones version of Windows is installed that starts Backup and rebuilds your system and boot volumes from your ASR backup set stored on tape media.

WARNING: Note that your system and boot volumes are formatted. Clearly, using the ASR restore process should be considered a last-ditch effort, to be used only when everything else fails. See for information on how to choose between the various recovery options for Windows servers.

Using ASR restore
Let's look at a restore in more detail. First, make sure you have your ASR floppy, tape backup media, and the original installation files for Windows Server 2003 (i.e., the product CD). If you have any mass storage controllers on your server that require an updated driver to replace the one on the product CD, be sure to have this handy as well.

Also, and this might be important, be sure to back up any data files or folders located on your system or boot volumes. Since ASR reformats these volumes, anything other than the Windows operating system files located on these volumes might be lost. Mind you, best practice is to never store data files on these volumes; you should store them on separate volumes instead. So if you've been following this practice you have nothing to worry about, right? Note that I said might be lost, not will be lost. While Windows documentation says that non-operating system files stored on system/boot volumes won't be restored by ASR, my own experience is that they are restored sometimes and other times not. So, just to be safe, back up these volumes separately using normal backup procedures so you can later restore any missing data files.

Now, insert your product CD and boot from your CD-ROM drive (press the appropriate key to do this if required).
Press F6 when prompted if you have an updated device driver for your mass storage device. Then, press F2 when text-mode setup prompts you to perform an ASR restore, and insert the ASR floppy when asked to do so. The recovery process will rebuild the disk signatures and partition table, reformat the system/boot volumes, copy installation files, and begin installing Windows. A short while into the installation of Windows, the Automated System Recovery Wizard screen will ask you to specify the location of the tape backup media where your ASR backup is located. Once you specify this, the recovery process continues, and it's considerably faster than the Windows installation process itself, which is nice. Be sure not to interrupt this process; otherwise, you'll have an incomplete and nonfunctional server. Once the restore process is finished, the logon screen appears and you're done.

That is, you're done unless your system was totally fried and you have to rebuild it from scratch, in which case you have to complete the procedure by restoring any data volumes on your server from your regular backup sets.

Here's one more thing that's helpful, but not documented. Running the ASR restore process also creates a setup.log file that identifies the system and boot volumes, checksums for kernel files, the directory where Windows is installed, and the device drivers loaded during setup. A copy of this file is placed in %SystemRoot%\Repair and another one is placed on the ASR floppy itself, which is handy for verifying the details of the restore process. Print that log and keep a record of it for troubleshooting purposes later.

To delete extinct server metadata
1. Open Command Prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: metadata cleanup
4.
Perform metadata cleanup as follows:
- If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 Service Pack 1 (SP1), at the metadata cleanup command prompt, type:
  remove selected server ServerName
  or
  remove selected server ServerName1 on ServerName2

DUMPS

Context dumps (4 KB - 64 KB):
- Information about the crashing system
- The exception that initiated the crash
- Context record of the faulting thread
- Module list, limited to the faulting threads of the owner process
- Thread list, limited to the faulting threads of the owner process
- Call stack of the faulting thread
- 64 bytes of memory above and below the instruction pointer of the faulting thread
- Stack memory dump of the faulting thread, truncated to fit a 64 KB limit

System dumps (64 KB - several MB):
- All information in a context dump
- Call stacks and context records for all threads
- Complete module, process, and thread lists for the entire device
- 2048 bytes of memory above and below the instruction pointer of the faulting thread
- Global variables for the process that was current at the time of the crash

Complete dumps (all physical memory plus at least 64 KB):
- All information in a context dump
- A complete dump of all used memory

Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000

SUMMARY
You can configure Microsoft Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000 to write debugging information to three different file formats (also known as memory dump files) when your computer stops unexpectedly as a result of a Stop error (also known as a "blue screen," system crash, or bug check). You can also configure Windows not to write debugging information to a memory dump file.
Windows can generate any one of the following three memory dump file types:
- Complete memory dump
- Kernel memory dump
- Small memory dump (64 KB)

Complete memory dump
A complete memory dump records all the contents of system memory when your computer stops unexpectedly. If you select the Complete memory dump option, you must have a paging file on the boot volume that is large enough to hold all the physical RAM plus 1 megabyte (MB). By default, the complete memory dump file is written to the %SystemRoot%\Memory.dmp file. If a second problem occurs and another complete memory dump (or kernel memory dump) file is created, the previous file is overwritten.

Note: The Complete memory dump option is not available on computers that are running a 32-bit operating system and that have 2 gigabytes (GB) or more of RAM.

Kernel memory dump
A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly. Depending on the RAM in your computer, you must have between 150 MB and 2 GB of page file space available on the boot volume, based on server load and the amount of physical RAM. This dump file does not include unallocated memory or any memory that is allocated to user-mode programs. It includes only memory that is allocated to the kernel and hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to kernel-mode drivers and other kernel-mode programs. For most purposes, this dump file is the most useful. It is significantly smaller than the complete memory dump file, but it omits only those parts of memory that are unlikely to have been involved in the problem.
By default, the kernel memory dump file is written to the %SystemRoot%\Memory.dmp file. If a second problem occurs and another kernel memory dump file (or a complete memory dump file) is created, the previous file is overwritten.

Small memory dump
A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 and later create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder. This dump file type includes the following information:
- The Stop message and its parameters and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped

This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file. If a second problem occurs and a second small memory dump file is created, the previous file is preserved. Each additional file is given a distinct name. The date is encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.

Tools for the various dump types
You can load complete memory dumps and kernel memory dumps with standard symbolic debuggers, such as I386kd.exe. I386kd.exe is included with the Windows 2000 Support CD-ROM. Load small memory dumps by using Dumpchk.exe. Dumpchk.exe is included with the Support Tools for Windows 2000 and Windows XP.
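As an added example (not code from the original page or from Microsoft's debugging tools), the following Python script performs the kind of structural check that Dumpchk.exe performs on a small memory dump: it validates the MINIDUMP_HEADER signature and version, walks the stream directory, and rejects a file whose directory or streams run past its end, which is the usual symptom of a truncated dump. The header and directory layouts are the public ones from dbghelp.h; the dump bytes it parses are constructed inline for the demonstration and are not a real crash dump.

```python
"""Header and stream-directory check for a Windows minidump (.dmp) file.

Added example, not from the original page. The sample dump built by
build_sample_dump() is constructed data, not a real crash dump.
"""
import struct
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = 0x504D444D   # the ASCII bytes "MDMP" read little-endian
MINIDUMP_VERSION = 42899          # low 16 bits of the Version field (dbghelp.h)

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64)
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
DIR_FMT = "<III"
DIR_SIZE = struct.calcsize(DIR_FMT)         # 12 bytes

# Subset of the MINIDUMP_STREAM_TYPE enumeration
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
}


def parse_minidump(data: bytes) -> dict:
    """Validate the header and return its fields plus the stream directory.

    Raises ValueError when the bytes cannot be a well-formed minidump, which
    is exactly the condition a "was this dump written correctly?" check flags.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    sig, ver, nstreams, dir_rva, _checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08X}, expected 'MDMP'")
    if (ver & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version {ver & 0xFFFF}")
    # The directory itself, and every stream it points at, must lie inside the
    # file. A dump cut short by a full disk or an interrupted write fails here.
    if dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) extends past end of file")
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"type {stype}"),
                        "size": size, "rva": rva})
    return {
        "version": ver & 0xFFFF,
        "written": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "flags": flags,
        "streams": streams,
    }


def build_sample_dump() -> bytes:
    """Construct a minimal, structurally valid minidump for the demo (constructed data)."""
    system_info = b"\x00" * 56      # placeholder SystemInfo payload
    exception = b"\x00" * 168       # placeholder ExceptionStream payload
    nstreams = 2
    dir_rva = HEADER_SIZE
    data_rva = dir_rva + nstreams * DIR_SIZE
    directory = struct.pack(DIR_FMT, 7, len(system_info), data_rva)
    directory += struct.pack(DIR_FMT, 6, len(exception), data_rva + len(system_info))
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, nstreams,
                         dir_rva, 0, 951782400, 0)   # 951782400 = 2000-02-29 00:00:00 UTC
    return header + directory + system_info + exception


if __name__ == "__main__":
    info = parse_minidump(build_sample_dump())
    print("written:", info["written"])
    for s in info["streams"]:
        print(f"  {s['name']:<20} {s['size']:>6} bytes at 0x{s['rva']:X}")
```

Pointing the script at a real file (`parse_minidump(open(path, "rb").read())`) tells you whether the dump is worth loading into kd or windbg before you go looking for symbols: a bad signature usually means the file is not a minidump at all, and a stream past end-of-file means it was truncated.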
You can also use Dumpchk.exe to verify that a memory dump file has been created correctly.

How to read the small memory dump files that Windows creates for debugging

Configure the dump type
To configure startup and recovery options to use the small memory dump file, follow these steps. Note: because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System.
3. Click the Advanced tab, and then click Settings under Startup and Recovery.
4. In the Write debugging information list, click Small memory dump (64k).
To change the folder location for the small memory dump files, type a new path in the Dump File box (or in the Small dump directory box, depending on your version of Windows).

Open the dump file
To open the dump file after the installation is complete, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:
   cd c:\program files\debugging tools for windows
3. To load the dump file into a debugger, type one of the following commands, and then press ENTER:
   windbg -y SymbolPath -i ImagePath -z DumpFilePath
   kd -y SymbolPath -i ImagePath -z DumpFilePath

The following list explains the placeholders that are used in these commands.
SymbolPath: Either the local path where the symbol files have been downloaded or the symbol server path, including a cache folder. Because a small memory dump file contains limited information, the actual binary files must be loaded together with the symbols for the dump file to be correctly read.
ImagePath: The path of these files. The files are contained in the I386 folder on the Windows XP CD-ROM. For example, the path may be C:\Windows\I386.
DumpFilePath: The path and file name for the dump file that you are examining.

Sample commands
You can use the following sample commands to open the dump file. These commands assume the following:
- The contents of the I386 folder on the Windows CD-ROM are copied to the C:\Windows\I386 folder.
- Your dump file is named C:\Windows\Minidump\Minidump.dmp.
Sample 1:
   kd -y srv*c:\symbols* -i c:\windows\i386 -z c:\windows\minidump\minidump.dmp
Sample 2. If you prefer the graphical version of the debugger instead of the command line version, type the following command instead:
   windbg -y srv*c:\symbols* -i c:\windows\i386 -z c:\windows\minidump\minidump.dmp

Examine the dump file
There are several commands that you can use to gather information in the dump file, including the following:
- The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
- The !analyze -v command displays verbose output.
- The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.
Note: The !drivers extension command displays a list of all drivers that are loaded on the destination computer, together with summary information about their memory use. The !drivers extension is obsolete in Windows XP and later. To display information about loaded drivers and other modules, use the lm command. The lm N T command displays information in a format that is similar to the old !drivers extension.
For help with other commands and for complete command syntax, see the debugging tools Help documentation, which is installed at C:\Program Files\Debugging Tools for Windows\Debugger.chm.

Simplify the commands by using a batch file
After you identify the command that you need to load memory dumps, you can create a batch file to examine a dump file. For example, create a batch file and name it Dump.bat.
Save it in the folder where the debugging tools are installed. Type the following text in the batch file:
   cd "c:\program files\debugging tools for windows"
   kd -y srv*c:\symbols* -i c:\windows\i386 -z %1
When you want to examine a dump file, type the following command to pass the dump file path to the batch file:
   dump c:\windows\minidump\minidump.dmp

Performing offline defragmentation of the Active Directory database

SUMMARY
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller. To perform offline defragmentation of the Active Directory database:
1. Back up Active Directory. Windows 2000 Backup natively supports backing up Active Directory while online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently by selecting to back up the "System State" in the wizard.
2. Reboot the domain controller, select the appropriate installation from the boot menu, and press F8 to display the Windows 2000 Advanced Options menu. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
3. Log on using the Administrator account with the password defined for the local Administrator account in the offline SAM.
4. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil, and then press ENTER.
5. Type files, and then press ENTER.
6. Type info, and then press ENTER.
   This displays current information about the path and size of the Active Directory database and its log files. Note the path.
7. Establish a location that has enough drive space for the compacted database to be stored.
8. Type compact to drive:\directory, and then press ENTER, where drive and directory are the path to the location you established in the previous step. Note: you must specify a directory path. If the path contains any spaces, the entire path must be surrounded by quotation marks. For example, type:
   compact to "c:\new folder"
9. A new database named Ntds.dit is created in the path you specified.
10. Type quit, and then press ENTER. Type quit again to return to the command prompt.
11. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:
   del drive:\pathToLogFiles\*.log
   Then copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 6. Note: you do not have to delete the Edb.chk file.
12. Restart the computer normally.

The Active Directory database garbage collection process

SUMMARY
In Microsoft Windows 2000 and in Microsoft Windows Server 2003, the Active Directory database incorporates a garbage collection process that runs independently on each domain controller in the enterprise. Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours.
You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS). On the \\Server1 domain controller in the CONTOSO.COM domain, the path of this object would resemble the following:
   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM
Use an Active Directory editing tool to set the garbageCollPeriod attribute. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.

When an object is deleted, it is not removed from the Active Directory database. Instead, the object is marked for deletion at a later date. This mark is then replicated to other domain controllers. Therefore, the garbage collection process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Next, the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to claim additional free space.

In addition, there are two methods to defragment the Active Directory database in Windows 2000 and in Windows Server 2003. One method is an online defragmentation operation that runs as part of the garbage collection process. The advantage of this method is that the server does not have to be taken offline for the operation to run. However, this method does not reduce the size of the Active Directory database file (Ntds.dit). The other method takes the server offline and defragments the database by using the Ntdsutil.exe utility. This approach requires that the database be started in repair mode. The advantage of this method is that the database is resized and unused space is removed; therefore, the size of the Ntds.dit file is reduced. To use this method, the domain controller must be taken offline.

Changes to tombstone lifetime in Windows Server 2003 Service Pack 1
The default tombstone lifetime (TSL) in Windows Server 2003 has proven to be too short.
For example, a prestaged domain controller may be in transit for longer than 60 days. An administrator may not resolve a replication failure or bring an offline domain controller into operation until the TSL is exceeded. Windows Server 2003 Service Pack 1 (SP1) increases the TSL from 60 to 180 days in the following scenarios:
- A Windows NT 4.0 domain controller is upgraded to Windows Server 2003 by using Windows Server 2003 SP1 installation media to create a new forest.
- A Windows Server 2003 SP1 computer creates a new forest.
Windows Server 2003 SP1 does not modify the value of TSL when either of the following conditions is true:
- A Windows 2000 domain is upgraded to Windows Server 2003 by using installation media for Windows Server 2003 with SP1.
- Windows Server 2003 SP1 is installed on a domain controller that is running the original release version of Windows Server 2003.
Increasing the TSL for a domain to 180 days has the following benefits:
- Backups that are used in data recovery scenarios have a longer useful life.
- System state backups that are used for installation from media promotions have a longer useful life.
- Domain controllers can be offline longer. Prestaged computers approach TSL expiration less frequently.
- A domain controller can successfully return to the domain after a longer time offline.
- Knowledge of deleted objects is retained longer on the originating domain controller.

Whitespace in AD
After an object is tombstoned, it remains in the directory for the tombstone lifetime (60 or 180 days by default). The tombstone lifetime ensures that the tombstone is replicated to every DC, so that every DC knows that the object is deleted.
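The interplay between tombstones, the 12-hour garbage collection cycle and the age limit on backups is easy to get wrong, so here is an added model of it in Python. It is not code from the original page; the object names, dates and class names are constructed for the demonstration. It tombstones a deleted object, runs garbage collection on the default schedule with either the 60-day or the 180-day TSL, and shows that a restore inside the TSL is corrected by the surviving tombstone while a backup older than the TSL is refused because the tombstone that would have corrected it is already gone.

```python
"""Model of tombstoning, garbage collection and the tombstone-lifetime rule.

Added example, not from the original page. Object names and dates are
constructed for the demonstration.
"""
from __future__ import annotations
from datetime import datetime, timedelta

DEFAULT_GC_PERIOD = timedelta(hours=12)   # garbageCollPeriod default
TSL_ORIGINAL = timedelta(days=60)         # Windows 2000 / Windows Server 2003 RTM
TSL_SP1 = timedelta(days=180)             # new forests created with Windows Server 2003 SP1


class DirectoryDatabase:
    """A toy Ntds.dit: live objects, tombstones with their deletion time, whitespace."""

    def __init__(self, tsl: timedelta = TSL_ORIGINAL):
        self.tsl = tsl
        self.live: set[str] = set()
        self.tombstones: dict[str, datetime] = {}
        self.whitespace = 0              # pages freed by GC; reused, never returned to disk
        self.last_gc: datetime | None = None

    def create(self, name: str) -> None:
        self.live.add(name)

    def delete(self, name: str, when: datetime) -> None:
        """Deletion only marks the object; it stays in the database as a tombstone."""
        self.live.remove(name)
        self.tombstones[name] = when

    def garbage_collect(self, now: datetime) -> list[str]:
        """Every garbageCollPeriod, permanently remove tombstones older than the TSL."""
        if self.last_gc is not None and now - self.last_gc < DEFAULT_GC_PERIOD:
            return []
        self.last_gc = now
        expired = [n for n, t in self.tombstones.items() if now - t > self.tsl]
        for n in expired:
            del self.tombstones[n]
            self.whitespace += 1         # online defrag reclaims this space inside the file
        return expired

    def restore_from_backup(self, backup_time: datetime, backup_live: set[str],
                            now: datetime) -> set[str]:
        """Non-authoritative restore of a system state backup.

        A backup older than the TSL is refused: objects deleted since then may no
        longer even have a tombstone, so nothing would re-delete them after restore.
        Inside the TSL, replication partners still hold tombstones for objects deleted
        after the backup, so those restored copies are deleted again; the result is
        the set that actually survives.
        """
        age = now - backup_time
        if age > self.tsl:
            raise ValueError(f"backup is {age.days} days old, older than the TSL of {self.tsl.days} days")
        return {n for n in backup_live if n not in self.tombstones}


def scenario(tsl: timedelta = TSL_ORIGINAL) -> dict:
    """Create three users, back up, delete one, and run GC for 200 days."""
    t0 = datetime(2003, 1, 1)
    db = DirectoryDatabase(tsl)
    for name in ("alice", "bob", "carol"):
        db.create(name)
    backup_time, backup_live = t0, set(db.live)       # system state backup at t0
    db.delete("bob", t0 + timedelta(days=1))

    result = {}
    removed_at = None
    for hours in range(0, 200 * 24, 12):              # GC runs every 12 hours
        now = t0 + timedelta(hours=hours)
        if "bob" in db.garbage_collect(now):
            removed_at = now
        if hours == 30 * 24:                          # restore attempt inside the TSL
            result["restore_day30"] = db.restore_from_backup(backup_time, backup_live, now)
    result["tombstone_removed_day"] = (removed_at - t0).days
    try:
        db.restore_from_backup(backup_time, backup_live, t0 + timedelta(days=200))
        result["restore_day200"] = "accepted"
    except ValueError as err:
        result["restore_day200"] = str(err)
    return result


if __name__ == "__main__":
    for tsl in (TSL_ORIGINAL, TSL_SP1):
        print(f"TSL {tsl.days} days:", scenario(tsl))
```

With the 60-day TSL the tombstone for bob is swept at the first GC run more than 60 days after the deletion (day 61), the day-30 restore brings back only alice and carol, and the day-200 restore is refused; with the SP1 value of 180 days the sweep moves to day 181, which is exactly the longer useful life for backups that the list above describes.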
Because the tombstone must reach every DC, you cannot use a backup that is older than the tombstone lifetime to restore Active Directory: it would reintroduce objects that have since been deleted. The garbage collection process on every domain controller ensures that tombstones older than the tombstone lifetime are deleted permanently. The garbage collection process runs by default every 12 hours on each DC. You can configure a different period by modifying the garbageCollPeriod attribute of the following object:
   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com
Once garbage collection has permanently deleted the object, the NTDS.dit database file that contains Active Directory does not decrease in size. Instead, the new "whitespace" is reused for new objects. The only way to release the whitespace in the database is to perform an offline defragmentation using NTDSUtil in Directory Services Restore Mode. This is usually not necessary very often, but it should definitely be done after upgrading a domain from Windows 2000 to Windows Server 2003. You may also want to do it after you have deleted a lot of objects and the tombstone lifetime has passed.

You can check when the garbage collection process runs and how much whitespace there is in the database file. After you set the following registry value on your domain controller (usually there is no need to set it on every DC, since the size and whitespace should be about the same on every DC of the domain), you get events in the Directory Service event log when garbage collection starts and stops, and how much whitespace it detected in NTDS.dit:
   HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics
   "6 Garbage Collection" = 1 (REG_DWORD)
Be careful with the logging levels underneath that key: they are all 0 by default, and you can increase them up to 5 to raise the logging level.
However, the higher the level, the more likely you are to run into performance problems and event logs flooded with information. Keep them at 0, and only increase them slightly if you have specific reasons.

GROUP TYPES
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.

TYPES OF PARTITION (Logical)
■ Schema partition: Contains definitions of objects that can be created in the forest and the attributes those objects can have. Objects in the schema partition must be replicated to all domain controllers in all domains in the forest.
■ Configuration partition: Contains objects that represent the logical structure of the forest deployment, including the domain structure and replication topology. Objects in the configuration partition must be replicated to all domain controllers in all domains in the forest.
■ Domain partition: Contains all of the objects stored in a domain. Objects in the domain partition can be replicated only to domain controllers within the domain.
■ Application directory partition: Available only to domain controllers in the Windows Server 2003 operating system.
This partition is used by applications and services to store application-specific data, which can include any type of object except security principals (users, groups, and computers). The application partition can be configured to replicate objects to any set of domain controllers in the forest, not necessarily all in the same domain. This partition provides the capability to host data in Active Directory without significantly impacting network performance, by providing control over the scope of replication and placement of replicas. Therefore, dynamic data from network services such as Remote Access Service (RAS), RADIUS, Dynamic Host Configuration Protocol (DHCP), and Common Open Policy Service (COPS) can reside in a directory, allowing applications to access them uniformly with one access methodology.

Some domain controllers are global catalog servers. These domain controllers also store a partial replica of the directory partition objects from other domains, for the purpose of finding information throughout the domain tree or forest. A partial replica contains a subset of the attributes of a directory partition replica and is read-only.

Counters
Statistic counters show totals per second, for example DRA Inbound Properties Total/Sec, which is the total number of object properties received from inbound replication partners.
Ratio counters show a percentage of a total, for example DS %Writes From LDAP, which is the percentage of directory writes coming from LDAP queries.
Accumulative counters show totals since Active Directory was last started, for example DRA Inbound Bytes Total Since Boot, which is the total number of bytes replicated in: the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).

Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter.
Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.

The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr and Boot.ini). The system volume can be, but does not have to be, the same as the boot volume.
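To make the parity sentence above concrete, here is an added Python example (not from the original page) of the XOR parity scheme that RAID-5 uses: it stripes constructed data across four disks with the parity block rotating between them, simulates the loss of one disk, rebuilds it from the survivors, and shows that a second simultaneous failure is unrecoverable. It goes slightly beyond the text in that it works for any array of three or more disks.

```python
"""RAID-5 striping with rotating XOR parity, and single-disk reconstruction.

Added example, not from the original page. Disk contents are constructed
byte strings; the layout is a simplified model, not a specific controller's.
"""
from typing import List, Optional

Disk = Optional[List[bytes]]   # a disk is a list of blocks, or None when failed


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length blocks; this is the whole of RAID-5 parity."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def write_stripes(data: bytes, n_disks: int, block_size: int) -> List[Disk]:
    """Split data into stripes of (n_disks - 1) data blocks plus one parity block.

    The parity block's disk rotates with the stripe number, so no single disk
    becomes the parity bottleneck. Returns one block list per disk.
    """
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = n_disks - 1
    chunk = block_size * per_stripe
    disks: List[Disk] = [[] for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(data), chunk)):
        stripe = data[off:off + chunk].ljust(chunk, b"\0")
        dblocks = [stripe[i * block_size:(i + 1) * block_size] for i in range(per_stripe)]
        parity_pos = s % n_disks
        parity = xor_blocks(dblocks)
        it = iter(dblocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_pos else next(it))
    return disks


def rebuild_disk(disks: List[Disk], failed: int) -> List[bytes]:
    """Reconstruct every block of the failed disk from the surviving disks.

    Because parity XOR all data blocks == 0 for each stripe, any one missing
    block (data or parity) is the XOR of the others. Two missing disks leave
    two unknowns per stripe, which XOR cannot solve.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("RAID-5 tolerates only a single disk failure")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_data(disks: List[Disk], data_len: int) -> bytes:
    """Reassemble the original data, skipping the parity block in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_pos = s % n_disks
        for d in range(n_disks):
            if d != parity_pos:
                out += disks[d][s]
    return bytes(out[:data_len])


def usable_blocks(n_disks: int, blocks_per_disk: int) -> int:
    """Capacity available for data: one disk's worth is consumed by parity."""
    return (n_disks - 1) * blocks_per_disk


def demo() -> dict:
    data = b"RAID-5 stripes data and parity across three or more disks."   # constructed
    disks = write_stripes(data, n_disks=4, block_size=8)
    original_disk1 = disks[1]
    disks[1] = None                               # disk 1 fails
    rebuilt = rebuild_disk(disks, failed=1)       # hot-spare rebuild from the other three
    disks[1] = rebuilt
    return {
        "rebuilt_matches": rebuilt == original_disk1,
        "data": read_data(disks, len(data)),
        "stripes": len(disks[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The rotation matters for performance, not for safety: with the parity block always on the same disk (RAID-4) every write would hit that disk, whereas here each stripe's parity lands on a different one.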
The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

RAID 0: Striping
RAID 1: Mirroring (minimum 2 HDD required)
RAID 5: Striping with parity (minimum 3 HDD required)
Only RAID levels 1 and 5 provide redundancy.

Difference between online and offline defragmentation
The NTDS.DIT file will often be a different size on each domain controller in a domain. Remember that Active Directory is a multi-master independent model where updates occur on each of the domain controllers, with the changes being replicated over time to the other domain controllers. The changed data is replicated between domain controllers, not the database file, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform an online directory defragmentation every 12 hours by default as part of the garbage collection process. This defragmentation only moves data around inside the database file (NTDS.DIT) and does not reduce the file's size: the database file cannot be compacted while Active Directory is mounted (online). Active Directory's routine online defragmentation is limited to the disposal of tombstoned objects. An NTDS.DIT file that has been defragmented offline (compacted) can be much smaller than the NTDS.DIT file on its peers. However, defragmenting the NTDS.DIT file is not something you should normally need to do. The database self-tunes, automatically tombstoning records and then sweeping them away when the tombstone lifetime has passed, which makes that space available for additional records. Defragmenting the NTDS.DIT file probably will not make your AD queries any faster in the long run.
So why defragment it at all? One reason you might want to defragment your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time. To create a new, smaller NTDS.DIT file by offline defragmentation, perform the following steps:
1. Back up Active Directory (AD).
2. Reboot the server, select the OS option, and press F8 for advanced options. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS. W2K will start in safe mode, with no DS running.
3. Use the local SAM's administrator account and password to log on. You will see a dialog box that says you are in safe mode. Click OK.
4. From the Start menu, select Run and type cmd.exe. In the command window, enter the commands shown after the prompts:
   C:\> ntdsutil
   ntdsutil: files
   file maintenance: info
   ....
   file maintenance: compact to c:\temp
   You will see the defragmentation process run. If the process was successful, enter quit to return to the command prompt.
5. Replace the old NTDS.DIT file with the new, compacted version:
   C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
6. Restart the computer, and boot as normal.

How to create an application partition in Windows 2003, and what is it used for?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals.
TAPI is an example of a service that stores its application-specific data in an application directory partition. Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

How to use the Recovery Console?
The Windows 2000 Recovery Console is a command-line console that you can start from the Windows 2000 Setup program. Using the Recovery Console, you can start and stop services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks. The Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly. Because the Recovery Console is quite powerful, only advanced users who have a thorough knowledge of Windows 2000 should use it. In addition, you must be an administrator to use the Recovery Console. There are two ways to start the Recovery Console:
- If you are unable to start your computer, you can run the Recovery Console from your Windows 2000 Setup disks or from the Windows 2000 Professional CD (if you can start your computer from your CD-ROM drive).
- As an alternative, you can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2000. You can then select the Recovery Console option from the list of available operating systems.

Types of backup

Copy backup
A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared).
Copying is useful if you want to back up files between normal and incremental backups, because copying does not affect these other backup operations.

Daily backup
A daily backup copies all the files that you select that have been modified on the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup
A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.

Incremental backup
An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.

Normal backup
A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.

Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method.
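The archive attribute is what ties the five backup types together, so here is an added Python simulation (not from the original page; file names and contents are constructed) that runs a normal backup followed by either daily incrementals or daily differentials over a small, changing file set. It reports which files each run selects, how many files are stored in total, and how many backup sets a full restore needs, reproducing the trade-off described above: incrementals store the least, differentials restore from the fewest sets.

```python
"""Backup types driven by the archive attribute: a simulation.

Added example, not from the original page. The file set and its daily
changes are constructed for the demonstration.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass


@dataclass
class File:
    content: str
    modified_day: int
    archive: bool = True      # Windows sets the archive attribute on create/modify


@dataclass
class Backup:
    kind: str
    day: int
    files: dict[str, File]


def run_backup(kind: str, fs: dict[str, File], day: int) -> Backup:
    """Select files the way each backup type does, then clear the archive
    attribute only for the types that mark files as backed up."""
    if kind in ("normal", "copy"):
        selected = list(fs)                                        # everything
    elif kind == "daily":
        selected = [n for n, f in fs.items() if f.modified_day == day]
    elif kind in ("incremental", "differential"):
        selected = [n for n, f in fs.items() if f.archive]         # changed since last normal/incremental
    else:
        raise ValueError(f"unknown backup type {kind}")
    snapshot = {n: copy.copy(fs[n]) for n in selected}
    if kind in ("normal", "incremental"):
        for n in selected:
            fs[n].archive = False                                  # mark as backed up
    return Backup(kind, day, snapshot)


def sets_needed(history: list[Backup]) -> list[Backup]:
    """Backup sets required for a full restore: the last normal plus, after it,
    every incremental, or only the last differential."""
    last_normal = max(i for i, b in enumerate(history) if b.kind == "normal")
    after = history[last_normal + 1:]
    needed = [history[last_normal]] + [b for b in after if b.kind == "incremental"]
    differentials = [b for b in after if b.kind == "differential"]
    if differentials:
        needed.append(differentials[-1])
    return needed


def restore(backups: list[Backup]) -> dict[str, str]:
    """Replay the sets in order; later copies of a file overwrite earlier ones."""
    result: dict[str, str] = {}
    for b in backups:
        for n, f in b.files.items():
            result[n] = f.content
    return result


def simulate(schedule: str) -> dict:
    """Normal backup on day 0, then one `schedule` backup per day for three days."""
    fs = {"a.txt": File("a0", 0), "b.txt": File("b0", 0), "c.txt": File("c0", 0)}
    history = [run_backup("normal", fs, 0)]
    changes = {1: ("a.txt", "a1"), 2: ("b.txt", "b2"), 3: ("a.txt", "a3")}   # constructed edits
    for day in (1, 2, 3):
        name, content = changes[day]
        fs[name] = File(content, day)          # rewrite sets the archive attribute again
        history.append(run_backup(schedule, fs, day))
    needed = sets_needed(history)
    return {
        "selected_per_day": [sorted(b.files) for b in history],
        "sets_needed": len(needed),
        "stored_files": sum(len(b.files) for b in history),
        "restore_ok": restore(needed) == {n: f.content for n, f in fs.items()},
    }


if __name__ == "__main__":
    for schedule in ("incremental", "differential"):
        print(schedule, simulate(schedule))
```

Over the same three days the incremental schedule stores 6 file copies but needs 4 sets (normal plus three incrementals) to restore, while the differential schedule stores 8 copies and restores from 2 sets (normal plus the last differential), since a differential never clears the archive attribute and so keeps re-copying everything changed since the normal backup.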
However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time-consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.

How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003

To reset the DSRM Administrator password:
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   - To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
   - To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

Paging
A technique used by virtual memory operating systems to help ensure that the data you need is available as quickly as possible. The operating system copies a certain number of pages from your storage device to main memory. When a program needs a page that is not in main memory, the operating system copies the required page into memory and copies another page back to the storage device.

Commit charge
The commit charge is the cumulative amount of memory used by all of your open/running applications and processes.
As you continue to use programs, the amount of memory they use may grow; an abnormal increase in memory consumption could also be indicative of a "memory leak" in a program. The commit charge is the amount of virtual memory Windows is currently using, as reported in the Task Manager dialog under the Performance tab. It fluctuates as applications are opened and closed. TOTAL shows the current amount of virtual memory used, which is made up of main memory (RAM) and disk (pagefile). TOTAL is also graphed in real time on the Page File Usage History chart. PEAK is the maximum amount this session, while LIMIT is the maximum amount available unless the pagefile is expanded by Windows.

What Is Committed?
Apparently, a certain amount of virtual memory has been "committed." As for "charge," who knows? What we do know is that people who come up with such names should be "committed" to a place prohibiting them from creating user interfaces. They should also be "charged" with dim-witted naming. How about "Virtual Memory Usage" instead of "Commit Charge?"

Lost and Found
This container holds objects that get orphaned during database replication. For instance, if a container is deleted during the same replication cycle that an object was created in the container, the object is sent to Lost and Found. Both the Domain and Configuration naming contexts have a Lost and Found container. The Schema naming context does not need one because Schema objects can never be deleted.

Sysvol Files
To meet its dual responsibilities of supporting modern group policies and classic system policies and scripts, Active Directory domain controllers host a special folder called Sysvol. The location of the folder is determined during Dcpromo. Sysvol must be on an NTFS volume because folders within Sysvol use reparse points, which are only supported by NTFS.
Sysvol contains a folder with the name Domain that holds the group policy files in a folder called Policies and classic scripts in a folder called Scripts. The Scripts folder is shared as Netlogon to support downlevel clients. Modern scripts that are distributed as part of group policies are stored as part of a particular group policy under the Policies folder. Clients access Sysvol via a special fault tolerant share with the Universal Naming Convention (UNC) path of \\<domain_name>\Sysvol. For example, you can list the directory \\<domain_name>\Sysvol from any client in the domain. Accessing fault tolerant shares requires that the Dfsclient service be running on the client.

File Replication and Sysvol
The contents of Sysvol are replicated to every domain controller in a domain. It is important that the contents stay in sync. Otherwise, users will get different group policies, system policies, and classic scripts when they log on to different domain controllers. A service called the File Replication Service, or FRS, is responsible for synchronizing the contents of Sysvol between domain controllers. (The actual service name is Ntfrs, which you may see in Event log entries.) FRS replicates an entire file when any changes are made to the file. To prevent race conditions that could occur if the file were locked, the file is first copied to a Staging folder and then replicated to the other domain controllers.

Windows DNS reverses the SRV record names to display them as a hierarchy of folders. Here are the functions of the SRV records based on their groupings in the DNS console:
_MSDCS. This heading collects SRV records based on their status as domain controllers, domain invocations, global catalog servers, and primary domain controllers. Domain controllers and global catalog servers are broken down by site. This tells Active Directory clients very quickly where to find local services. Domain invocations support replication.
Each domain controller gets a GUID that it uses when invoking replication. The PDC entry contains the SRV record for the domain controller assigned to be the PDC Emulator, a domain controller that acts as the PDC to downlevel NT BDCs.

_SITES. A site represents an area of high-speed connectivity associated with one or more distinct IP subnets. By indexing domain controllers based on their site affiliation, clients can look in _SITES to find local services rather than sending their LDAP lookups across the WAN. Standard LDAP queries use port 389. Global Catalog queries use port 3268.

_TCP. This heading collects all domain controllers in the DNS zone. The _TCP grouping acts as a catchall for clients that cannot find their specific site or that need to find a domain controller elsewhere in the network if none of those with local SRV records respond.

_UDP. Kerberos v5 permits clients to use connectionless services to get tickets and change passwords. This is done via UDP ports that correspond to the TCP ports for the same services: UDP port 88 for ticketing and UDP port 464 for password changes.

Source: Understanding Active Directory Services. Author: William Boswell. Published: April 2003. Copyright: 2003. Publisher: Addison-Wesley Professional.

Schema Definition Objects
Individual objects are always instances of an object class. Achieving this design principle involves using a template that defines the attributes, schema rules, and class hierarchy for the objects within an object class. The same applies for attributes, which require a template to define the syntax rules. This suite of templates makes up the schema definitions for a directory service information store. Some directory services put the schema definitions into a separate file that is loaded at boot time or whenever the schema requires changing. In contrast, the Active Directory schema is self-referential.
That is to say, all class definitions, attribute definitions, and schema rules are part of the schema itself. An appropriate title for an Active Directory schema self-help book would be Everything I Need to Know I Learned from Myself.

The Active Directory schema contains two schema object classes, ClassSchema and AttributeSchema. Objects derived from these classes act like patterns in a lathe to turn out other objects. The schema objects are stored in the directory in the cn=Schema,cn=Configuration,dc=<domain_name>,dc=<domain_root> container. In addition to the ClassSchema and AttributeSchema classes, the Schema container holds a class called SubSchema with one instance, an object called Aggregate. The distinguished name of this object is cn=aggregate,cn=schema,cn=configuration,dc=company,dc=com. The purpose of Aggregate is to provide a single point for LDAP clients to discover information about the Active Directory schema. Without this object, clients would be forced to perform expensive scans of the entire Schema container.

Identifying Objects
We have completed the overview of the schema structure, function, and rules. Before moving forward, let's look at how Active Directory uniquely identifies objects. This information is crucial to understanding the more advanced Active Directory tools. Here is a brief attribute listing for a sample User object made using the LDIFDE utility. The unique identifiers are highlighted:

C:\>ldifde -d cn=bgates,cn=users,dc=dotnet,dc=com -f con
Connecting to "DC01."
Logging in as current user using SSPI
Exporting directory to file con
Searching for entries...
Writing out entries.
dn: CN=bgates,CN=Users,DC=dotnet,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bgates
distinguishedName: CN=bgates,CN=Users,DC=dotnet,DC=com
instanceType: 4
whenCreated: 20020812134034.0Z
whenChanged: 20020812134034.0Z
uSNCreated: 13772
uSNChanged: 13774
name: bgates
objectGUID:: 7swJ8PXwqkWu8N2Qv+jQ+Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 126736332347481024
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAdbl1VBUlr0cWwOoyVQQAAA==
accountExpires: 0
logonCount: 0
sAMAccountName: bgates
userPrincipalName: bgates@dotnet.com
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dotnet,DC=com

Distinguished Name
Because LDAP uses an object-oriented database, it is important that each object has a unique path in the namespace, similar to the way that a filename and path must be unique in a file system. The Distinguished Name (DN) attribute of an object defines the LDAP path all the way to the root of the namespace; therefore, the DN must be unique. If you move an object to a different container in Active Directory, in reality, you are simply changing the DN.

Globally Unique Identifier (GUID)
In classic Exchange, Microsoft used the DN as the unique database row identifier for objects in the directory service store. This unfortunate engineering decision created a configuration problem for Exchange. When an object is moved, its DN changes, but a unique row identifier in a database cannot ever change. For this reason, in Exchange 5.5 and earlier, mailbox recipients cannot be moved but must be freshly created and then linked to a User account in the SAM. To avoid that problem in Active Directory, Microsoft used a different unique row identifier called the Globally Unique Identifier, or GUID. A GUID is created using an algorithm that virtually guarantees its uniqueness within a system. Using a GUID permits you to move objects at will between containers in Active Directory without changing the unique row numbers for the objects, thereby maintaining internal referential integrity in the database.
Keep this behavior in mind, because you'll see it at work when we discuss the role of the Infrastructure Master in keeping track of group members from other domains.

Other Uses for GUIDs
Microsoft uses the GUID algorithm in a variety of different circumstances. You will see them in designators used to identify COM objects and OLE registrations. Group policies use the GUID algorithm to create a unique folder name for each policy. The operating system identifies hardware using GUIDs during Plug-and-Play enumeration. GUIDs also go by the names Universally Unique Identifier (UUID) and Class ID (CLSID).

Security Identifier (SID)
Three classes of Active Directory objects can be placed on the access control lists (ACLs) used to protect security objects. These object classes are User, Computer, and Group. Together, they are termed security principals. A security principal is assigned a unique number called a Security Identifier, or SID. This is exactly the same SID used by NT to identify users, groups, and computers. A SID for a security principal is made up of the SID of the security principal's domain and a unique suffix, called a Relative ID, or RID. The series of RIDs for security principals that can be created by an administrator starts at decimal 1000. For example, the first User account created following the creation of a domain would be given RID 1000. The next object, call it a group, would be RID 1001, and so forth. The combination of a domain SID and a RID forms a unique number within a domain and within a forest. The pool of RIDs is maintained by a specially designated Windows Server 2003 domain controller called a RID Master.

SAM Account Name
In an NT domain, every object in the SAM must have a unique name. This is true for computers, users, and groups.
A unique name guarantees that the object will have a unique NetBIOS presence in the network as well as a one-to-one correspondence between the logon name (in the case of users and computers) and the SID used to control resource access. The same restriction is left in place in Windows 2000 and Windows Server 2003. Every user, computer, and group in a domain must have a unique name. This attribute is called SAMAccountName, although you might hear it called logon name or flat name. When you create a new security principal, regardless of the container where you place the object, it must have a unique flat name in the domain.

User Principal Name (UPN) and Service Principal Name (SPN)
Just as unique flat names identify security principals in NetBIOS, User Principal Names (UPNs) identify security principals within the hierarchical LDAP namespace in Active Directory. A UPN takes the form User@. Unique UPNs ensure that users can log on with their UPN rather than the classic domain\username construct. The Global Catalog is used to "crack" the UPN into its constituent parts. To assure uniqueness, when a security principal is created, the system refers to the Global Catalog to verify that the UPN has not already been used. If a GC server is not available, the system displays an error message prompting the administrator to wait until a GC is available so that uniqueness can be verified. In a Parent/Child trust configuration, the UPN suffix of the root domain is assigned to every security principal. In a Tree Root trust configuration, you must manually assign a common UPN suffix. This is done using the Properties window of the domain tree in the AD Domains and Trusts console.

Object Identifier (OID)
In addition to the attributes that assure uniqueness of a particular object, Active Directory needs a way to assure that objects of the same class all come from the same Schema object.
This is done by assigning a unique Object Identifier (OID) to each object in the Schema naming context. ISO defines the structure and distribution of OIDs in ISO/IEC 8824:1990, "Information Technology—Open Systems Interconnection—Specification of Abstract Syntax Notation One (ASN.1)." ASN.1 provides a mechanism for standards bodies in various countries to enumerate standard data items so that they do not conflict with one another. ASN.1 governs more than just directory services classes and attributes. For example, OIDs are used extensively in SNMP to build hierarchies of Management Information Base (MIB) numbers. They are also assigned to many items associated with the Internet. If you're interested in the list of organizations that assign OID numbers and their hierarchy, it is available at ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers.

If you ever need to create a new attribute or object class in Active Directory, you must have a unique OID. There are a couple of ways to get one. The first is to apply to ANSI for your own numerical series. This costs a few thousand dollars and takes a while to process. The other is to use the OIDGEN utility from the Resource Kit. This will generate a Class and an Attribute OID out of Microsoft's address space. The disadvantage to using OIDGEN is that the resultant number is very, very, very long. Here is an example:

C:\>oidgen
Attribute Base OID:
1.2.840.113556.1.4.7000.233.180672.443844.62.26102.2020485.1873967.207938
Class Base OID:
1.2.840.113556.1.5.7000.111.180672.443844.62.199519.642990.1996505.1182366

In Active Directory, what are the differences between universal, global, and domain local groups?
Note: The following information is intended for registered local support providers (LSPs) at Indiana University. If you are an LSP and have questions regarding the information in this document, contact LSP Services at lsps@iu.edu; otherwise, contact your campus Support Center.
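Returning to the LDIFDE listing in the Identifying Objects section: as an added example (my own code, not the book's or the page's), here is a small Python script that parses that record and decodes its binary identifiers the way the SID and GUID sections describe them: objectSid into the S-1-5-21-... form, split into the domain SID and the RID, objectGUID into its usual string form, and pwdLastSet (a Windows FILETIME) into a timestamp that can be checked against whenCreated. The record is embedded as constructed input, copied from the listing above with attributes not needed for the decoding left out.

```python
import base64
import uuid
from datetime import datetime, timedelta, timezone

# The LDIFDE export of cn=bgates from the listing above, embedded here as input.
# In LDIF a "::" separator marks a base64-encoded (binary) value.
LDIF_RECORD = """\
dn: CN=bgates,CN=Users,DC=dotnet,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bgates
whenCreated: 20020812134034.0Z
objectGUID:: 7swJ8PXwqkWu8N2Qv+jQ+Q==
userAccountControl: 512
pwdLastSet: 126736332347481024
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAdbl1VBUlr0cWwOoyVQQAAA==
sAMAccountName: bgates
userPrincipalName: bgates@dotnet.com
"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}.

    Values after '::' are base64 and come back as bytes; values after ':'
    come back as str. Multi-valued attributes (objectClass) accumulate.
    """
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition("::")
        if sep:
            decoded = base64.b64decode(value.strip())
        else:
            name, _, value = line.partition(":")
            decoded = value.strip()
        attrs.setdefault(name, []).append(decoded)
    return attrs


def sid_to_string(blob):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then count little-endian
    32-bit sub-authorities. Returns the familiar S-1-5-21-... form."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """The RID is the last sub-authority; everything before it is the domain SID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def guid_to_string(blob):
    """objectGUID is stored in the Windows mixed-endian layout, which
    uuid.UUID(bytes_le=...) understands directly."""
    return str(uuid.UUID(bytes_le=blob))


def filetime_to_datetime(value):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(value) // 10)


def describe_identifiers(ldif_text):
    """Decode the identifiers of the single record in ldif_text."""
    attrs = parse_ldif(ldif_text)
    sid = sid_to_string(attrs["objectSid"][0])
    domain_sid, rid = split_sid(sid)
    return {
        "dn": attrs["dn"][0],
        "sid": sid,
        "domain_sid": domain_sid,
        "rid": rid,
        # primaryGroupID is a RID in the same domain (513 is Domain Users)
        "primary_group_sid": "%s-%d" % (domain_sid, int(attrs["primaryGroupID"][0])),
        "guid": guid_to_string(attrs["objectGUID"][0]),
        "pwd_last_set": filetime_to_datetime(attrs["pwdLastSet"][0]),
        "when_created": attrs["whenCreated"][0],
    }


if __name__ == "__main__":
    for key, value in describe_identifiers(LDIF_RECORD).items():
        print("%-18s %s" % (key, value))
```

The decoded pwdLastSet lands on the same second as whenCreated (2002-08-12 13:40:34 UTC), which is what you would expect for an account whose password was set when it was created.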
Domain local, global, and universal are group scopes, which allow you to use groups in different ways to assign permissions. The scope of a group determines from where in the network you can assign permissions to the group.

Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group. The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

Note: Groups created in the Active Directory at Indiana University should be global groups. Since there is a single ADS Domain at IU, this is the most appropriate group to use.

Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.

Note: Though it is possible to create universal groups in the Active Directory at IU, it is unnecessary because the ADS at IU is a single domain. Global groups are preferable because they use fewer resources.

Ntds.dit. This is the main AD database. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log. This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10MB.

Edbxxxxx.log. These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again. ESENT uses circular logging. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.

Edb.chk. This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit.
As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log. These are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems with online database defragmentation (compaction) as you run out of drive space. This can cause Active Directory to stop working if the indexes cannot be rebuilt.

Temp.edb. This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.

Schema.ini. This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.

What is the ISTG? Who has that role by default?
The Inter-Site Topology Generator (ISTG) is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located. The domain controller holding this role is known as the Inter-Site Topology Generator (ISTG). The domain controller holding this role may not necessarily also be a bridgehead server.

Windows 2000 domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners.
For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

Q 15: What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
A 15:

LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

Replmon: Replmon displays information about Active Directory Replication.

ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:
ADSIEDIT.DLL
ADSIEDIT.MSC

NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

REPADMIN: This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller.
In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Q 30: What's the difference between LDIFDE and CSVDE? Usage considerations?
A 30: CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.

Like CSVDE, LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that? How is it possible?
Log on to the client as a Domain Admin user and change whatever you need (add printers, etc.). Go to System > User Profiles and copy this user profile to any location, selecting Everyone under "Permitted to use". After the copy, rename ntuser.dat to ntuser.man and assign this path as the profile path in the user's account.

How do you create a new application partition?
ANS: Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:

DnsCmd ServerName /CreateDirectoryPartition FQDN_of_partition

An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Using an application directory partition provides redundancy, availability, or fault tolerance by replicating data to specific domain controllers or any set of domain controllers anywhere in the forest.

Trying to look at the Schema, how can I do that?
Ans: type "adsiedit.msc" in Run or at a command prompt.

How do you view all the GCs in the forest?
Ans:

C:\>repadmin /showreps domain_controller

where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.

Determining when intersite replication occurs
Active Directory preserves bandwidth between sites by minimizing the frequency of replication and by allowing you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth that is used by replication. In addition, you can schedule the availability of site links for use by replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. You can, for example, schedule intersite replication so that it only occurs after normal business hours. For more information, see "Configure replication availability on a site link."

Building the intrasite replication topology
The Knowledge Consistency Checker (KCC) on each ADAM instance automatically builds the most efficient replication topology for intrasite replication, using a bidirectional ring design.
This bidirectional ring topology attempts to create at least two connections to each ADAM instance (for fault tolerance) and no more than three hops between any two ADAM instances (to reduce replication latency). To help prevent connections of more than three hops, the topology can include shortcut connections across the ring. The KCC updates the replication topology regularly. Determining when intrasite replication occursIntrasite replication is optimized for speed, rather than bandwidth, because bandwidth within a site is assumed to be high-speed. Replication within a site occurs automatically on the basis of change notification. Intrasite replication begins when a directory update occurs. By default, the source ADAM instance waits 15 seconds and then sends an update notification to its closest replication partner. If the source ADAM instance has more than one replication partner, subsequent notifications go out by default at 3-second intervals to each partner. After receiving notification of a change, a partner ADAM instance sends a directory update request to the source ADAM instance. The source ADAM instance responds to the request with a replication operation. The 3-second notification interval prevents the source ADAM instance from being overwhelmed with simultaneous update requests from its replication partners.If no directory updates have occurred within a given time period, intrasite replication still occurs, based on a scheduled interval. By default, this scheduled interval is once per hour. For information about modifying this time period, see Configure replication frequency within a site .What is a glue record?A glue record is the IP address of a name server held at the domain name registry.Glue records are required when you wish to set the name servers of a domain name to a hostname under the domain name itself.For example if you wished to set the name servers of to ns1. and ns2. you would need to also provide the glue records (i.e. 
the IP addresses) for ns1. and ns2..If you did not provide the glue records for these name servers then your domain name would not work as anyone requiring DNS information for it would get stuck in a loop: What is the name server for ? -> ns1.What is the IP address of ns1.? -> don't know, try looking at name server for What is the name server for ? -> ns1....and so on.With the glue record in place the registry will hold the IP address and the loop will not occur:What is the name server for ? -> ns1.What is the IP address of ns1.? -> [IP Address]28. How to view the existing Schema Master role assignment? 1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll on the computer. 2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.3. From the File menu, select Add/ Remove Snap-in and then select Add.4. In the list of available snap-ins, double-click Active Directory Schema.5. Click Close. Click OK. 6. Open the Active Directory Schema snap-in. 7. In the console tree, right-click Active Directory Schema and select Operations Masters from the shortcut menu. 8. The Change Schema Master dialog box opens. 9. You can view the name of the existing Schema Master in the Current Schema Master (Online) box. 10. Click Close. 29. How to view the existing Domain Naming Master role assignment? 1. Open the Active Directory Domains And Trusts console from the Administrative Tools menu. 2. In the console tree, right-click Active Directory Domains And Trusts and select Operations Masters from the shortcut menu. 3. The Change Operations Master dialog box opens. 4. You can view the name of the existing Domain Naming Master in the Domain Naming Operations Master box. 5. Click Close. 30. How to view the existing RI D Master role, PDC Emulator, and I nfrastructure Master role assignments? 1. Open the Active Directory Users And Computers console from the Administrative Tools menu. 2. 
In the console tree, right-click Active Directory Users And Computers and click All Tasks, and then Operations Masters from the shortcut menu. 3. The Operations Masters dialog box contains the following tabs: o RID tab: The name of the existing RID Master is displayed in the Operations Master box of this tab. o PDC tab: In the Operations Master box of the PDC tab, you can view the name of the existing PDC Emulator. o Infrastructure tab: The existing Infrastructure Master's name is displayed in the Operations Master box. 4. Click Close. 31. How to transfer the Schema Master role to another domain controller? Before you can transfer the Schema Master role to another domain controller, ensure that you have the required Schema Admins rights, and that both domain controllers you are planning to work with are available. Before you can use the Active Directory Schema MMC snap-in, you first have to add it to a MMC. To add the Active Directory Schema snap-in to a MMC1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll on the computer. 2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.3. From the File menu, select Add/ Remove Snap-in and then select Add.4. In the list of available snap-ins, double-click Active Directory Schema.5. Click Close. Click OK To transfer the Schema Master role, 1. Open the Active Directory Schema snap-in. 2. Right-click Active Directory Schema in the console tree, and select Change Domain Controller from the shortcut menu. 3. The options available when the Change Domain Controller dialog box opens are o Any DC: If this option is selected, Active Directory will select a new domain controller for the Schema Master role. o Specify Name: If this option is enabled, you have to enter the name of the new location for the Schema Master Role. 4. Click OK 5. Right-click Active Directory Schema in the console tree again, and choose Operations Master from the shortcut menu. 6. 
When the Change Schema Master dialog box opens, click Change. 7. Click OK when a message appears prompting for verification of the OM role transfer you want to perform. 8. Click OK to exit the Change Schema Master dialog box. 32. How to transfer the Domain Naming Master role to another domain controller? You have to be a member of the Enterprise Admin group to transfer the Domain Naming Master role to another domain controller. 1. Open the Active Directory Domains And Trusts console from the Administrative Tools menu. 2. In the console tree, right-click Active Directory Domains And Trusts and select Connect To Domain Controller from the shortcut menu. 3. The Connect To Domain Controller dialog box opens. This is where you specify the name of the new domain controller that should be assigned the Domain Naming Master role. 4. Click OK 5. In the console tree, right-click Active Directory Domains And Trusts and select Operations Masters from the shortcut menu. 6. When the Change Operations Master dialog box opens, click Change 7. Click Close 33. How to transfer the RI D Master role, PDC Em ulator role, or I nfrastructure Master role to another domain controller? 1. Open the Active Directory Users And Computers console from the Administrative Tools menu. 2. In the console tree, right-click Active Directory Users And Computers and click Connect To Domain from the shortcut menu. 3. When the Connect To Domain dialog box opens, enter the domain name that you want to work with. 4. Click OK 5. In the console tree, right-click Active Directory Users And Computers and click Connect To Domain Controller from the shortcut menu. 6. When the Connect To Domain Controller dialog box opens, specify the new domain controller for the OM role that you are transferring. 7. Click OK 8. In the console tree, right-click Active Directory Users And Computers and click All Tasks, and then click Operations Masters from the shortcut menu. 9. The Operations Masters dialog box opens. 
On one of the following tabs:
  o RID tab: Click Change to change the location of the RID Master.
  o PDC tab: Click Change to change the location of the PDC Emulator.
  o Infrastructure tab: Click Change to change the location of the Infrastructure Master.
10. Click Yes to verify that you want to transfer the particular OM role to a different domain controller.
11. Click OK. Click Close.

34. How to seize an Operations Master role?
When you seize an OM role, you need to perform the following tasks:
- Verify that the new domain controller for the role is completely updated with the changes performed on the existing domain controller of the particular role. You can use the Replication Diagnostics command-line utility (Repadmin.exe) for this verification. Repadmin.exe is included with the Windows Support Tools on the Windows Server 2003 CD-ROM.
- You would not use the Ntdsutil tool to seize the particular OM role. The Ntdsutil tool first attempts to transfer the role before it actually proceeds to seize the role. However, if you need to seize the PDC Emulator or Infrastructure Master FSMO roles, you can use the Active Directory Users and Computers console. The Ntdsutil tool has to be used, though, to seize the other FSMO roles: Schema Master, Domain Naming Master, and RID Master. You can also use the Ntdsutil tool to seize the PDC Emulator role or the Infrastructure Master role.

To seize the PDC Emulator or Infrastructure Master FSMO role using the Active Directory Users and Computers console:
1. Open the Active Directory Users and Computers console.
2. In the console tree, right-click the domain object, and choose Connect to Domain Controller from the shortcut menu.
3. Enter the name of the other domain controller. Click OK.
4. To perform the seizure of the role, right-click the domain object and choose Operations Masters from the shortcut menu.
5. Click either the PDC tab or the Infrastructure tab.
6. You will notice that the particular OM role is indicated as being offline.
7. Click Change.
8. Click OK to verify that you want to transfer the OM role.
9. Click Yes when prompted to verify that you want to perform a forced transfer.

To seize any OM role using the Ntdsutil tool:
1. Click Start, Command Prompt.
2. Enter the following at the command prompt: ntdsutil. Press Enter.
3. Enter the following at the ntdsutil prompt: roles. Press Enter.
4. Enter the following at the fsmo maintenance prompt: connections. Press Enter.
5. Enter the following at the server connections prompt: connect to server, followed by the fully qualified domain name (FQDN) of the domain controller. Press Enter.
6. Enter the following at the server connections prompt: quit. Press Enter.
7. Enter one of the following at the fsmo maintenance prompt:
  o seize schema master. Press Enter.
  o seize domain naming master. Press Enter.
  o seize RID master. Press Enter.
  o seize PDC. Press Enter.
  o seize infrastructure master. Press Enter.
8. Enter quit at the fsmo maintenance prompt. Press Enter.
9. Enter quit at the ntdsutil prompt.

35. How to perform a metadata cleanup?
The class objects and attribute objects of the schema are referred to as metadata. A metadata cleanup is usually performed when you are unable to restore a failed domain controller. The cleanup removes any references to the failed domain controller in Active Directory.
To perform the metadata cleanup:
1. From the command prompt, enter ntdsutil and press Enter.
2. Enter the following at the ntdsutil prompt: metadata cleanup. Press Enter.
3. Enter the following at the metadata cleanup prompt: connections. Press Enter.
4. Enter the following at the server connections prompt: connect to server, followed by the server name. Press Enter.
5. Enter quit, and press Enter.
6. Enter the following at the metadata cleanup prompt: select operation target. Press Enter.
7. Enter list domains. Press Enter.
8. Enter select domain, followed by the number of the domain that holds the server that you want to remove. Press Enter.
9. Enter list sites. Press Enter.
10. Enter select site, followed by the number of the site that holds the server that you want to remove. Press Enter.
11. Enter list servers in site. Press Enter.
12. Enter select server, followed by the number of the server that you want to remove. Press Enter.
13. Enter quit and press Enter to return to the metadata cleanup prompt.
14. Enter remove selected server, and press Enter.
15. When a message box appears prompting you to verify whether the server should be removed, click Yes.
16. Quit from Ntdsutil.

40. What is the boot process of a computer?
As soon as the CPU is turned on, it initializes itself and looks to the ROM BIOS for the first instruction, which is the Power On Self-Test (POST). This process checks the BIOS chip and then the CMOS RAM. After checking everything and detecting no power failure, it checks the hardware devices and the storage devices. Then CMOS looks through the boot sequence of drives to find the OS. The boot sequence is the sequence of drives which the CMOS scans to find the OS and load it. Generally, the OS is stored on the C drive. If it is not found there, the next drive to scan is the A drive, that is, the floppy drive. On finding the OS, it is loaded: its files are copied to main memory by the BIOS, and from here the OS takes charge of the rest of the boot process, such as loading device drivers.

72. How can I prohibit users from using the Internet by using Group Policy in a Windows 2000 server?
There is not a direct Group Policy setting that disables IE. There are three ways that I can think of to stop it from connecting to the Internet. The first is using the IE policies. This method breaks IE, but does not prohibit it from running. This solution configures the Proxy Settings incorrectly: give it a proxy server name or address that does not exist, or a wrong port to use for the proxy. You can configure this setting under User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings.
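The transfer-or-seize decision from question 34 and the metadata cleanup from question 35, scripted with the ActiveDirectory module instead of the GUI or an interactive ntdsutil session. This is an added example, not code from the original page; the DC names, the site name and the replication-check parsing are assumptions.

```powershell
# Added example, not from the original page: the FSMO transfer/seizure (Q34) and
# metadata cleanup (Q35) procedures driven from PowerShell. Assumes the RSAT
# ActiveDirectory module and ntdsutil.exe are present, and that the caller is in
# Enterprise Admins (plus Schema Admins when the Schema Master is involved).
# DC names and the site name below are placeholders, not values from the page.
#Requires -Modules ActiveDirectory
param(
    [string]$FailedDc = 'DC01',                    # placeholder: DC that is (or was) the role holder
    [string]$NewDc    = 'DC02',                    # placeholder: DC that takes over the roles
    [string]$SiteName = 'Default-First-Site-Name'  # placeholder: AD site that contains $FailedDc
)
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles hang off the forest object, domain roles off the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesHeldBy {
    # Returns the names of the roles whose current holder is $Dc (holders are FQDNs).
    param([System.Collections.IDictionary]$Holders, [string]$Dc)
    $Holders.Keys | Where-Object { $Holders[$_] -like "$Dc.*" -or $Holders[$_] -eq $Dc }
}

function Test-NewHolderCurrent {
    # Q34's precondition: the new holder must have replicated everything it can.
    # Inbound failures whose partner is the dead DC are expected once it is gone;
    # only failures from other partners block the seizure. (Assumption: the Partner
    # property holds the partner's NTDS Settings DN, which contains "CN=<dcname>,".)
    param([string]$Dc, [string]$IgnorePartner)
    $failures = Get-ADReplicationFailure -Target $Dc |
        Where-Object { $_.Partner -notmatch "CN=$IgnorePartner," }
    return (@($failures).Count -eq 0)
}

function Move-FsmoRoles {
    # Without -Force the cmdlet transfers (the current holder must answer). With -Force
    # it seizes when the transfer cannot be negotiated, like ntdsutil's "seize ..." commands.
    param([string]$Target, [string[]]$Roles, [switch]$Seize)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force:$Seize
}

function Remove-FailedDcMetadata {
    # Q35 in one call: ntdsutil accepts its interactive commands as arguments. The DN is
    # the failed DC's server object under its site in the Configuration partition.
    param([string]$Dc, [string]$Site)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=$Dc,CN=Servers,CN=$Site,CN=Sites,$configNc"
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# --- main flow ---
$holders = Get-FsmoHolders
$roles   = @(Get-RolesHeldBy -Holders $holders -Dc $FailedDc)
if ($roles.Count -eq 0) { Write-Host "$FailedDc holds no FSMO role; nothing to do."; return }

if (Test-Connection -ComputerName $FailedDc -Count 1 -Quiet) {
    # The holder still answers: a graceful transfer is always preferred over a seizure.
    Move-FsmoRoles -Target $NewDc -Roles $roles
} else {
    if (-not (Test-NewHolderCurrent -Dc $NewDc -IgnorePartner $FailedDc)) {
        throw "$NewDc has outstanding replication failures; repair replication before seizing."
    }
    Move-FsmoRoles -Target $NewDc -Roles $roles -Seize
    # A DC whose Schema, Domain Naming or RID Master role was seized must never be
    # reconnected to the domain, so its references are removed right away.
    Remove-FailedDcMetadata -Dc $FailedDc -Site $SiteName
}
Get-FsmoHolders | Format-Table -AutoSize
```

Both Move-ADDirectoryServerOperationMasterRole and ntdsutil prompt for confirmation before changing anything, so the script can be walked through interactively on a lab forest first.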
IE will look for a proxy server, but always fail. The other two ways target the IE application directly. First, you can configure the Don't Run Specified Windows Applications policy, which is located under User Configuration -> Administrative Templates -> System. Just add Iexplore.exe to deny IE from running. The second way is to use a Software Restriction Policy for Iexplore.exe. You could use a path rule here, but I would suggest using a hash rule, so that the rule still matches if the file is moved or renamed.

71. What are Cold Backups and Hot Backups?
The terms Cold Backup and Hot Backup are used by Oracle.
Cold Backup: Taking the database offline and copying the database files to a different location is called a cold backup in Oracle.
Hot Backup: Taking the database backup while the database is online.

62. What is RAID Concatenation?
Concatenations are also known as "Simple" RAIDs. A concatenation is a collection of disks that are "welded" together. Data in a concatenation is laid across the disks in a linear fashion from one disk to the next. So if we've got three 9G (gigabyte) disks that are made into a Simple RAID, we'll end up with a single 27G virtual disk (volume). When you write data to the disk you'll write to the first disk, and you'll keep writing your data to the first disk until it's full, then you'll start writing to the second disk, and so on. All this is done by the Volume Manager, which is the "keeper of the RAID". Concatenation is the cornerstone of RAID. Now, do you see the problem with this type of RAID? Because we're writing data linearly across the disks, if we only have 7G of data on our RAID we're only using the first disk! The two other disks are just sitting there bored and useless. This sucks. We got the big disk we wanted, but it's not any better than a normal disk drive you can buy off the shelves in terms of performance. There has got to be a better way.

63. What is Striping/RAID-0?
Striping is similar to concatenation because it will turn a bunch of little disks into a big single virtual disk (volume), but the difference here is that when we write data we write it across ALL the disks. So, when we need to read or write data we're moving really fast, in fact faster than any one disk could move. There are two things to know about RAID-0: stripe width and columns. If we're going to read and write across multiple disks in our RAID we need an organized way to go about it. First, we'll have to agree on how much data should be written to a disk before moving to the next; we call that our "stripe width". Then we'll need a far cooler term for each disk, a term that allows us to visualize our new RAID better... "Column" sounds cool! Alright, so each disk is a "column" and the amount of data we put on each "column" before moving to the next is our "stripe width".

64. What is Mirroring/RAID-1?
Mirroring is a concept where you create an identical mirror of a RAID, i.e. if you are using 3 x 9G disks to form a 27G simple RAID (RAID-0), then for Mirroring/RAID-1 you have to use 6 x 9G disks. This is because the first 27G will form a simple RAID and the remaining 27G will become the mirror of the first one. Whatever data is written into the first one will be replicated into the second one, such that if the first RAID fails then the second one automatically takes over.

58. What is Multilevel Incremental Backup?
A more sophisticated incremental backup scheme involves multiple numbered backup levels. A full backup is level 0. A level n backup will back up everything since the most recent level n-1 backup. Assume a level 0 backup was taken on a Sunday. A level 1 backup taken on Monday would only include changes made since Sunday. A level 2 backup taken on Tuesday would only include changes made since Monday. A level 3 backup taken on Wednesday would only include changes made since Tuesday.
If a level 2 backup was taken on Thursday, it would include all changes made since Monday, because Monday was the most recent level n-1 backup.

59. What is Reverse Incremental Backup?
An incremental backup of the changes made between two instances of a mirror is called a reverse incremental. By applying a reverse incremental to a mirror, the result will be a previous version of the mirror.

60. What is Synthetic Full Backup?
A synthetic backup is a form of incremental backup that is possible when there is a separate computer that manages the backups. The backup server takes a typical incremental backup of the system in question and combines this data with the previous backups to generate a new synthetic backup. This new synthetic backup is indistinguishable from a normal full backup and shares all the advantages, such as faster restore times.

61. What is RAID?
RAID (Redundant Array of Inexpensive Disks) is a technique that was developed to provide speed, reliability, and increased storage capacity using multiple disks, rather than single-disk solutions. RAID basically takes multiple hard drives and allows them to be used as one large hard drive, with benefits depending on the scheme or level of RAID being used.

55. How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

1 :: What are some of the new tools and features provided by Windows Server 2008?
Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the Windows Deployment Service.

2 :: What are the different editions of Windows Server 2008?
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.

3 :: What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirements for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.

4 :: How does the activation process differ on Windows Server 2008 as compared to Windows Server 2003?
You can select to have activation happen automatically when the Windows Server 2008 installation is complete.
Make sure that the Automatically Activate Windows When I'm Online check box is selected on the Product Key page.

5 :: What are the options for installing Windows Server 2008?
You can install Windows Server 2008 on a server not currently configured with a NOS, or you can upgrade existing servers running Windows 2000 Server and Windows Server 2003.

6 :: How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 is managed from the command line.

7 :: Which Control Panel tool enables you to automate the running of server utilities and other applications?
The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.

8 :: What are some of the items that can be accessed via the System Properties dialog box?
You can access virtual memory settings and the Device Manager via the System Properties dialog box.

9 :: Which Windows Server utility provides a common interface for tools and utilities and provides access to server roles, services, and monitoring and drive utilities?
The Server Manager provides both the interface and access to a large number of the utilities and tools that you will use as you manage your Windows server.

10 :: How are local user accounts and groups created?
Local user accounts and groups are managed in the Local Users and Groups node in the Server Manager. Local user accounts and groups are used to provide local access to a server.

11 :: When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?
Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.

12 :: What is the primary function of domain controllers?
The primary function of domain controllers is to validate users to the network.
However, domain controllers also provide the catalog of Active Directory objects to users on the network.

13 :: What are some of the other roles that a server running Windows Server 2008 could fill on the network?
A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.

14 :: Which Windows Server 2008 tools make it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.

15 :: What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.

16 :: What domain services are necessary for you to deploy Windows Deployment Services on your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

17 :: How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.

18 :: What utility is provided by Windows Server 2008 for managing disk drives, partitions, and volumes?
The Disk Manager provides all the tools for formatting, creating, and managing drive volumes and partitions.

19 :: What is the difference between a basic and dynamic drive in the Windows Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes). Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.

20 :: What is RAID in Windows Server 2008?
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

21 :: What is the most foolproof strategy for protecting data on the network?
Regular backups of network data provide the best method of protecting you from data loss.

22 :: What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work?
The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, helps describe how data is sent and received on the network by protocol stacks.

23 :: What protocol stack is installed by default when you install Windows Server 2008 on a network server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.

24 :: When TCP/IP is configured on a Windows server (or domain client), what information is required?
You must provide at least the IP address and the subnet mask to configure a TCP/IP client for an IPv4 client, unless that client obtains this information from a DHCP server. For IPv6 clients, the interface ID is generated automatically from the MAC hardware address on the network adapter.
IPv6 can also use DHCP as a method to configure IP clients on the network.

25 :: What are two command-line utilities that can be used to check TCP/IP configurations and IP connectivity, respectively?
The ipconfig command can be used to check a computer's IP configuration and also renew the client's IP address if it is provided by a DHCP server. ping can be used to check the connection between the local computer and any computer on the network, using the destination computer's IP address.

26 :: What term is used to refer to the first domain created in a new Active Directory tree?
The first domain created in a tree is referred to as the root domain. Child domains created in the tree share the same namespace as the root domain.

27 :: How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?
Installing the Active Directory on a server running Windows Server 2008 provides you with the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.

28 :: What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?
When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.

29 :: How are domain user accounts created and managed?
The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties.
Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user's password.

30 :: What types of Active Directory objects can be contained in a group?
A group can contain users, computers, contacts, and other nested groups.

31 :: What type of group is not available in a domain that is running at the mixed-mode functional level?
Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.

32 :: What types of Active Directory objects can be contained in an Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in the Active Directory.

33 :: What are Active Directory sites in Windows Server 2008?
Active Directory sites are physical locations on the network's physical topology. Each regional domain that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected by IP routers. Because sites are separated from each other by a router, the domain controllers on each site periodically replicate the Active Directory to update the Global Catalog on each site segment.

34 :: How can client computer accounts be added to the Active Directory?
Client computer accounts can be added through the Active Directory Users and Computers snap-in. You can also create client computer accounts via the client computer by joining it to the domain via the System Properties dialog box.
This requires a user account that has administrative privileges, such as members of the Domain Administrator or Enterprise Administrator groups.

35 :: What firewall setting is required to manage client computers such as Vista clients and Windows 2008 member servers?
The Windows Firewall must allow remote administration for a computer to be managed remotely.

36 :: Can servers running Windows Server 2008 provide services to clients when they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools provided to domain controllers.

37 :: What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.

38 :: What tools are involved in managing and deploying Group Policy?
GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.

39 :: How do you deal with Group Policy inheritance issues?
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from upline GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object.
If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (or upline) GPO.

40 :: How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.

41 :: What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.

42 :: What types of zones would you want to create on your DNS server so that both queries to resolve hostnames to IP addresses and queries to resolve IP addresses to hostnames are handled successfully?
You would create both a forward lookup zone and a reverse lookup zone on your Windows Server 2008 DNS server.

43 :: What tool enables you to manage your Windows Server 2008 DNS server?
The DNS snap-in enables you to add or remove zones and to view the records in your DNS zones. You can also use the snap-in to create records such as a DNS resource record.

44 :: In terms of DNS, what is a caching-only server?
A caching-only DNS server supplies information related to queries based on the data it contains in its DNS cache. Caching-only servers are often used as DNS forwarders.
Because they are not configured with any zones, they do not generate network traffic related to zone transfers.

45 :: How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.

46 :: What TCP/IP configuration parameters can be provided to a DHCP client?
The DHCP server can supply a DHCP client with an IP address and subnet mask. It also can optionally include the default gateway address, the DNS server address, and the WINS server address to the client.

47 :: How can you configure the DHCP server so that it provides certain devices with the same IP address each time the address is renewed?
You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use the ipconfig or nbtstat command-line utilities to determine the MAC address for a network device such as a computer or printer.

48 :: To prevent rogue DHCP servers from running within a domain, what is required for your DHCP server to function?
The DHCP server must be authorized in the Active Directory before it can function in the domain.

ACTIVE DIRECTORY QUESTIONS AND ANSWERS

What is Active Directory?
Active Directory is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients.
LDAP servers store "directories" which are accessed by LDAP clients. LDAP is called lightweight because it is a smaller and easier protocol which was derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack. LDAP servers store a hierarchical directory of information. In LDAP parlance, a fully qualified name for a directory entry is called a Distinguished Name. Unlike DNS (Domain Name Service) FQDNs (Fully Qualified Domain Names), LDAP DNs store the most significant data to the right.

What do you do if an earlier application doesn't run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function, or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties -> Compatibility -> selecting the previously supported operating system.

If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and Windows 98 to Windows 2003.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

How does Active Directory replication work in a domain setup?
Only the changes are replicated once a domain controller has been established. The controller the change was made on (after five minutes of stability) notifies its replication partners that a change was made. It sends a change notification to these partners, but only notifies one partner every 30 seconds so it is not overwhelmed with update requests.
Each controller, in turn, when it is updated, sends a change notice to its respective replication partners. The replication partners each send an update request with a USN to the domain controller that the change was made on. The USN identifies the current state of the domain controller making the change. Each change has a unique USN. This way the domain controller that has the change knows the state of the domain controller requesting the changes, and only the changes are required to be sent. The time on each controller, therefore, does not need to be synchronized exactly, although timestamps are used to break ties regarding changes.

When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts Manager, Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Master (optional, available from adminpak), DHCP, DNS, Group Policy Management Console (optional).

What types of classes exist in Windows Server 2003 Active Directory?
1. Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
2. Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for defining objects.
3. Auxiliary class. The auxiliary class is a list of attributes. Rather than applying numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
4. 88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.

How do you delete a lingering object?
Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.

What is the Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
  o Provides group membership information during logon and authentication
  o Helps users locate resources in Active Directory

How is user account security established in Windows Server 2003?
When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID.
The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

What do you do with secure sign-ons in an organization with many roaming users?
The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.

Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

What's the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

Where are group policies stored?
%SystemRoot%\System32\GroupPolicy

What is GPT and GPC?
Group policy template and group policy container.

Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
The computer settings take priority.

You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do?
gponame –> User Configuration –> Windows Settings –> Remote Installation Services –> Choice Options is your friend.

What's contained in the administrative template conf.adm?
Microsoft NetMeeting policies.

How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but an MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

What's the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

What can be restricted on Windows Server 2003 that wasn't there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

How frequently is the client policy refreshed?
90 minutes, give or take.

Where is secedit?
It's now gpupdate.

You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.

What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

How do you fight tattooing in NT/2000 installations?
You can't.

How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares?
They don't; both have support for sharing.

Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC).
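The way token SIDs are matched against an object's ACL, and the Allow-is-permissive / Deny-is-restrictive rule for a user in several groups, can be checked directly on a file or folder. The following PowerShell is an added example, not code from the page: it builds the SID set a logon token for a user would carry, keeps the ACEs on an NTFS object that name one of those SIDs, and reports the verdict. It assumes a domain-joined host that can reach a KDC (the WindowsIdentity constructor resolves the user through it); the user name and paths are constructed placeholders.

```powershell
# Added example, not from the page: list which ACEs on an NTFS object apply to
# a user's token SIDs and apply the rule of thumb that one matching Allow
# grants and one matching Deny refuses. Assumes a domain-joined host; the
# user name and paths in the usage lines are constructed placeholders.

function Get-TokenSids {
    # The SIDs a logon token for this user carries: the user's own SID plus
    # every group, nested groups included, as the LSA would compute them.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $identity = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    $sids = @($identity.User.Value)
    $sids += $identity.Groups | ForEach-Object { $_.Value }
    return $sids | Sort-Object -Unique
}

function Get-ApplicableAces {
    # Translate each ACE principal to a SID and keep only the ACEs whose SID is
    # in the token and whose rights include the right being asked about.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TokenSids,
        [System.Security.AccessControl.FileSystemRights]$Right = 'ReadData'
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # already a SID, or an orphaned principal
        }
        if ($TokenSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $Right) -ne $Right) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Sid       = $sid
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-NtfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TokenSids,
        [System.Security.AccessControl.FileSystemRights]$Right = 'ReadData'
    )
    $aces   = @(Get-ApplicableAces -Path $Path -TokenSids $TokenSids -Right $Right)
    $denies = @($aces | Where-Object { $_.Type -eq 'Deny' })
    $allows = @($aces | Where-Object { $_.Type -eq 'Allow' })
    # Simplification: the real access check walks ACEs in canonical order
    # (explicit before inherited), so an explicit Allow can beat an inherited
    # Deny. Here any matching Deny is treated as final, which is the rule of
    # thumb the interview answers state; with no matching ACE at all the
    # result is an implicit deny.
    $verdict = if ($denies.Count -gt 0) { 'Deny' } elseif ($allows.Count -gt 0) { 'Allow' } else { 'NoMatchingAce' }
    [pscustomobject]@{
        Path       = $Path
        Right      = $Right
        Verdict    = $verdict
        DeniedVia  = ($denies | ForEach-Object { $_.Principal }) -join ', '
        AllowedVia = ($allows | ForEach-Object { $_.Principal }) -join ', '
    }
}

# Usage with constructed names: compare the file against its parent folder to
# see the "file allowed, folder not listable" case from the text.
# $sids = Get-TokenSids -UserPrincipalName 'alice@corp.example.com'
# Test-NtfsAccess -Path 'D:\Shares\Finance\budget.xlsx' -TokenSids $sids -Right ReadData
# Test-NtfsAccess -Path 'D:\Shares\Finance' -TokenSids $sids -Right ListDirectory
```

Running the two usage lines side by side shows the situation the answer describes: the file can carry an Allow ACE for a group the user is in while the folder carries none, so the folder reports NoMatchingAce and the file reports Allow. Because Get-TokenSids resolves nested membership through the token rather than through direct group membership, a Deny inherited through a group of a group is also caught.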
The best way to start would be to type the full path of a file into the Run... window.

For a user in several groups, are Allow permissions restrictive or permissive?
Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.

For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.

What hidden shares exist on a Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

Where exactly do fault-tolerant DFS shares store information in Active Directory?
In the Partition Knowledge Table, which is then replicated to other domain controllers.

Can you use Start->Search with DFS shares?
Yes.

What problems can you have with DFS installed?
Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
Yeah, you can't. Install a standalone one.

Is Kerberos encryption symmetric or asymmetric?
Symmetric.

How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?
A time stamp is attached to the initial client request, encrypted with the shared key.

What hashing algorithms are used in Windows 2003 Server?
RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.

What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check "Enforce Password History Remembered"?
The user's last 6 passwords.

What is Active Directory Schema?
The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object.

What is Global Catalog Server?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest.
The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
- Provides group membership information during logon and authentication
- Helps users locate resources in Active Directory

What is the NTDS.dit default size?
40 MB

What are the standard ports for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP – 25, POP3 – 110, IMAP4 – 143, RPC – 135, LDAP – 389, Global Catalog – 3268

What is a default gateway?
The exit point from one network and entry way into another network, often the router of the network.

Describe the lease process of DHCP.
The DHCP server leases IP addresses to clients in four steps, known as DORA:
D (Discover): The DHCP client sends a broadcast packet to identify the DHCP server; this packet contains the source MAC.
O (Offer): Once the packet is received by the DHCP server, the server sends a packet containing the source IP and source MAC.
R (Request): The client now contacts the DHCP server directly and requests the IP address.
A (Acknowledge): The DHCP server sends an acknowledge packet which contains the IP address.

Networking

What is a NIC?
Ans: A network interface card, more commonly referred to as a NIC, is a device that allows computers to be joined together in a LAN, or local area network. Networked computers communicate with each other using a given protocol or agreed-upon language for transmitting data packets between the different machines, known as nodes.
The network interface card acts as the liaison for the machine to both send and receive data on the LAN. The most common language or protocol for LANs is Ethernet, sometimes referred to as IEEE 802.3.
Note: Ethernet is a standard communications protocol embedded in software and hardware devices, intended for building a local area network.

What is a MAC Address?
A MAC address (Media Access Control) is a unique value associated with a Network Interface Card. A MAC address is also known as a Hardware address or Physical Address. The MAC address uniquely identifies a network adapter in the LAN. MAC addresses are 48 bits in length.

When would you use a crosslink cable?
Crosslink cables are used to connect a PC directly to another PC. This cable is special because a few wires are switched, which allows the computer to send and receive data packets with the other network card.

What is the difference between a Hub and a Switch?
A hub is typically the least expensive, least intelligent, and least complicated device of the two. Its job is very simple: anything that comes in one port is sent out to the others. Every computer connected to the hub "sees" everything that every other computer on the hub sees. The hub itself is blissfully ignorant of the data being transmitted.
A switch does essentially what a hub does but more efficiently. By paying attention to the traffic that comes across it, it can "learn" where particular addresses are. For example, if it sees traffic from machine A coming in on port 2, it now knows that machine A is connected to that port and that traffic to machine A needs to only be sent to that port and not any of the others. The net result of using a switch over a hub is that most of the network traffic only goes where it needs to rather than to every port.
On busy networks this can make the network significantly faster.

On which OSI layer can a router be found?
The OSI layer 2 and layer 3 router provides additional intelligence to networks by implementing the data link and network layers of the OSI model. The data link layer describes the logical organization of data bits transmitted on a particular medium; for example, this layer defines the framing, addressing, and cyclic redundancy checks of Ethernet packets. The network layer describes how a series of exchanges over various data links delivers data between any two nodes in a network and defines the addressing and routing structure of the Internet.

What is CSMA/CD?
CSMA/CD (Carrier Sense Multiple Access / Collision Detection) is the protocol used in Ethernet networks to ensure that only one network node is transmitting on the network wire at any one time.

What is multicast?
Multicasting may be used for streaming multimedia, video conferencing, shared whiteboards and more as the Internet grows. Multicasting is still new to the Internet and not widely supported by routers. New routing protocols are being developed to enable multicast traffic to be routed. Some of these routing protocols are:
- Hierarchical Distance Vector Multicast Routing Protocol (HDVMRP)
- Multicast Border Gateway
- Protocol Independent Multicast
An IP multicast address is in the range 224.0.0.0 through 239.255.255.255.

What is Broadcast?
Broadcast: a transmission to all interface cards on the network. RFC 919 and 922 describe IP broadcast datagrams as:
Limited Broadcast - Sent to all NICs on the same network segment as the source NIC. It is represented with the 255.255.255.255 TCP/IP address. This broadcast is not forwarded by routers, so it will only appear on one network segment.
Direct broadcast - Sent to all hosts on a network. Routers may be configured to forward directed broadcasts on large networks.
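The limited and directed broadcast addresses just defined follow from the mask: the directed broadcast is the network address with every host bit set, and the limited broadcast is the fixed 255.255.255.255. The following PowerShell is an added example, not code from the page; every address and mask in it is a constructed sample, and it generalises the page's classful cases to any contiguous mask.

```powershell
# Added example, not from the page: compute the directed (network/subnet)
# broadcast address from a network and mask, report the prefix length, and
# classify an address as a limited, directed or non-broadcast address.
# Every address and mask used here is a constructed sample value.

function ConvertTo-AddressInt {
    # Dotted quad -> 32-bit value held in an Int64 (avoids signed overflow)
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-AddressInt {
    # 32-bit value -> dotted quad
    param([Parameter(Mandatory)][int64]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) {
        [int]([math]::Floor($Value / [math]::Pow(2, $shift)) % 256)
    }
    return ($octets -join '.')
}

function Get-BroadcastInfo {
    # Directed broadcast = (network AND mask) OR (NOT mask).
    # With a classful /16 mask, 192.168.0.0 gives the 192.168.255.255 quoted above.
    param(
        [Parameter(Mandatory)][string]$Network,
        [Parameter(Mandatory)][string]$Mask
    )
    $net  = ConvertTo-AddressInt $Network
    $m    = ConvertTo-AddressInt $Mask
    $bits = [Convert]::ToString($m, 2)
    if (($bits -replace '^1+0*$', '') -ne '') { throw "Non-contiguous mask: $Mask" }
    $hostBits = 4294967295 - $m                  # bitwise NOT of the mask within 32 bits
    [pscustomobject]@{
        Network           = ConvertFrom-AddressInt ($net -band $m)
        Mask              = $Mask
        PrefixLength      = ($bits -replace '0', '').Length
        DirectedBroadcast = ConvertFrom-AddressInt (($net -band $m) -bor $hostBits)
        LimitedBroadcast  = '255.255.255.255'     # never forwarded by routers
    }
}

function Get-BroadcastKind {
    # Classify an address relative to a mask: Limited, Directed (all host bits
    # set), or Unicast. 10.1.255.255 is Directed for 255.255.0.0 but 10.1.1.255
    # is Directed only for a 255.255.255.0 subnet mask, as the list above says.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Mask
    )
    if ($Address -eq '255.255.255.255') { return 'Limited' }
    $a        = ConvertTo-AddressInt $Address
    $hostBits = 4294967295 - (ConvertTo-AddressInt $Mask)
    if (($a -band $hostBits) -eq $hostBits) { return 'Directed' }
    return 'Unicast'
}

# Usage with constructed values:
# Get-BroadcastInfo -Network '192.168.0.0' -Mask '255.255.0.0'
# Get-BroadcastInfo -Network '10.1.1.0'    -Mask '255.255.255.0'
# Get-BroadcastKind -Address '10.1.255.255' -Mask '255.255.0.0'
# Get-BroadcastKind -Address '10.1.1.255'   -Mask '255.255.0.0'
```

The mask is validated as a contiguous run of ones, because a non-contiguous mask has no single "all host bits set" address and the directed-broadcast formula would silently produce a unicast address.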
For network 192.168.0.0, the broadcast is 192.168.255.255.
Below are examples of broadcasts:
- ARP on IP
- DHCP on IP
- Routing table updates: broadcasts sent by routers with routing table updates to other routers.
The Ethernet broadcast address in hexadecimal is FF:FF:FF:FF:FF:FF.
There are several types of IP broadcasting:
- The IP limited broadcast address is 255.255.255.255. This broadcast is not forwarded by a router.
- A broadcast directed to a network has the form x.255.255.255, where x is the address of a Class A network. This broadcast may be forwarded depending on the router program.
- A broadcast sent to all subnetworks. If the broadcast is 10.1.255.255 on network 10.1.0.0 and the network is subnetted with multiple networks 10.1.x.0, then the broadcast is a broadcast to all subnetworks.
- A broadcast sent to a subnet in the form 10.1.1.255 is a subnet broadcast if the subnet mask is 255.255.255.0.

What is the difference between TCP and UDP?
Describe some of the settings that are added by TCP and by UDP to the packet's header.
What are TCP Ports? Name a few.
What is a TCP Session?
What three elements make up a socket?
What will happen if you leave the default gateway information empty while manually configuring TCP/IP?
What will happen if you execute the following command: "arp –d *"?
What is ICMP?
When would you use the ping command with the "-t" switch?

Windows Active Directory Interview Questions – User Submitted Part 10
By admin | Published: June 26, 2012

What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network. A Site object in Active Directory represents a physical geographic location that hosts networks.
Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.

Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc –> add snap-in –> add Active Directory Schema, and name it schema.msc.
Open Administrative Tools –> schema.msc.

What is the port no. of Kerberos?
88

What is the port no. of Global Catalog?
3268

What is the port no. of LDAP?
389

Explain Active Directory Schema.
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.

How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest.
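The clean-up that a forced removal leaves for the surviving DCs, as an added PowerShell example (not code from the page): it refuses to run while the removed DC still answers, removes the server object's metadata with ntdsutil, and then reports the objects that commonly remain. The "remove selected server ... on ..." one-line form of ntdsutil is assumed to be available (it is from Windows Server 2003 SP1 onward); all names (DC01, DC02, the site and the domain DN) are constructed placeholders.

```powershell
# Added example, not from the page: metadata cleanup after "dcpromo /forceremoval".
# Assumes ntdsutil's single-command "remove selected server <DN> on <DC>" form
# (Windows Server 2003 SP1 and later). All names used are constructed placeholders.

function Remove-DeadDcMetadata {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DeadDc,      # e.g. 'DC02', the DC that was force-removed
        [Parameter(Mandatory)][string]$LiveDc,      # e.g. 'DC01', a surviving DC to operate on
        [Parameter(Mandatory)][string]$DomainDn,    # e.g. 'DC=corp,DC=example,DC=com'
        [string]$Site = 'Default-First-Site-Name'
    )
    $configDn = "CN=Configuration,$DomainDn"
    $serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configDn"

    # Guard 1: the removed DC must be genuinely gone. If it still runs, its own
    # copy of the directory would later replicate the stale metadata back in.
    if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet -ErrorAction SilentlyContinue) {
        throw "$DeadDc still answers on the network; do not clean up its metadata yet."
    }

    # Guard 2: only call ntdsutil if the server object still exists on the live DC.
    if (-not [ADSI]::Exists("LDAP://$LiveDc/$serverDn")) {
        Write-Verbose "Server object $serverDn is already gone"
    } elseif ($PSCmdlet.ShouldProcess($serverDn, "ntdsutil metadata cleanup via $LiveDc")) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn on $LiveDc" quit quit
    }

    # Leftovers that metadata cleanup does not always remove; each is checked
    # on the surviving DC so the operator knows what still needs deleting
    # (DNS SRV/A records for the dead DC are checked separately in DNS).
    $leftovers = @(
        @{ What = 'Server object (Sites and Services)';     Dn = $serverDn }
        @{ What = 'Computer account (Domain Controllers OU)'; Dn = "CN=$DeadDc,OU=Domain Controllers,$DomainDn" }
        @{ What = 'FRS SYSVOL member';                       Dn = "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn" }
    )
    foreach ($item in $leftovers) {
        [pscustomobject]@{
            Item    = $item.What
            Dn      = $item.Dn
            Present = [ADSI]::Exists("LDAP://$LiveDc/$($item.Dn)")
        }
    }
}

# Usage with constructed names; -WhatIf shows the ntdsutil step without running it:
# Remove-DeadDcMetadata -DeadDc 'DC02' -LiveDc 'DC01' -DomainDn 'DC=corp,DC=example,DC=com' -WhatIf
```

The ping guard is deliberately conservative: a DC that was force-removed but is still powered on is exactly the case that later re-introduces lingering objects, so the function stops rather than cleaning up around it. The final table is informational; anything listed as Present is removed by hand with Active Directory Users and Computers or Sites and Services, which are the tools the answer names.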
Reboot the server. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.

What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
- Schema master
- Domain naming master
- RID master
- PDC emulator
- Infrastructure master

What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.

What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.

How do you select the appropriate restore method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure.
The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures.
While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name for their external namespace uses the name corp.internal for their internal namespace. The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.

Windows Active Directory Interview Questions – User Submitted Part 8
By admin | Published: June 26, 2012

Got a list of some Active Directory Interview Questions submitted by User: Noel.

What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.

Where is the AD database held and what are other folders related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
- ntds.dit
- edb.log
- res1.log
- res2.log
- edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file.
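To see these files on a DC and to check whether the database was last closed cleanly (the state in which no log replay is needed), here is an added PowerShell example, not code from the page. It assumes the default %SystemRoot%\NTDS location and the in-box esentutl.exe; reading the header requires the database to be closed, which means Directory Services Restore Mode on Windows Server 2003 or a stopped AD DS service on 2008 and later. The file-name patterns for reserve logs on 2008 and later (edbres0000N.jrs) are included as an assumption beyond what the page lists.

```powershell
# Added example, not from the page: report the files that make up the AD store
# (database, transaction logs, reserve logs, checkpoint) and read the database
# header to tell whether the last shutdown was clean. Default paths are assumed;
# esentutl ships with Windows Server. The header can only be read while the
# database is closed (DSRM on 2003, stopped AD DS service on 2008 and later).

function Get-NtdsFileReport {
    param([string]$NtdsDir = (Join-Path $env:SystemRoot 'NTDS'))
    # Matches ntds.dit, edb.log / edbNNNNN.log, res1.log / res2.log,
    # edbres0000N.jrs (2008+ reserve logs), edb.chk and temp.edb.
    Get-ChildItem -Path $NtdsDir |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Name -match '^(ntds\.dit|edb[0-9A-F]*\.log|res\d\.log|edbres\d+\.jrs|edb\.chk|temp\.edb)$' } |
        ForEach-Object {
            $role = switch -Regex ($_.Name) {
                '^ntds\.dit$'     { 'database'; break }
                '^edb\.chk$'      { 'checkpoint'; break }
                '\.jrs$|^res\d'   { 'reserve log (space guarantee)'; break }
                '\.log$'          { 'transaction log'; break }
                default           { 'other' }
            }
            [pscustomobject]@{
                Name      = $_.Name
                Role      = $role
                SizeMB    = [math]::Round($_.Length / 1MB, 2)
                LastWrite = $_.LastWriteTime
            }
        }
}

function Get-NtdsHeaderState {
    param([string]$DitPath = (Join-Path $env:SystemRoot 'NTDS\ntds.dit'))
    # esentutl /mh dumps the ESE header. "State:" reads "Clean Shutdown" after a
    # normal shutdown and "Dirty Shutdown" when log replay is still required,
    # which is the situation the text describes for a missing checkpoint.
    $dump   = & esentutl.exe /mh $DitPath 2>&1 | Out-String
    $state  = if ($dump -match '(?m)^\s*State:\s*(.+?)\s*$') { $matches[1] } else { 'unknown (database open or path wrong)' }
    $logReq = if ($dump -match '(?m)^\s*Log Required:\s*(.+?)\s*$') { $matches[1] } else { '' }
    [pscustomobject]@{
        Database      = $DitPath
        State         = $state
        LogRequired   = $logReq
        CleanShutdown = ($state -eq 'Clean Shutdown')
    }
}

# Usage:
# Get-NtdsFileReport | Format-Table -AutoSize
# Get-NtdsHeaderState
```

A Dirty Shutdown state with a non-empty Log Required range means the logs named in that range must still be present for the database to be brought to a consistent state; that is the replay the text attributes to edb.log when edb.chk is missing, so those log files are the ones to preserve before any restore or repair work.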
Any time the system is shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.

What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).

Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries...
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next.
Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.

What is an OU?
An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. In an organizational unit you can assign specific permissions to users. An organizational unit can also be used to create departmental limitations.

Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights, independent of Group Policy needs, and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
- Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
- Delegating administrative authority: usually don't go more than 3 OU levels.

How do you view replication properties for AD partitions and DCs?
By using Replication Monitor:
- go to Start > Run > type repadmin
- go to Start > Run > type replmon

Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.

Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.
After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. For this, one needs to stop inbound replication first, before performing the authoritative restore.

How do you configure a stand-by operations master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

What's the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and the old DC will NEVER return to the network.
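The two preconditions just named can be checked before anything is seized, and the transfer and seize forms can be kept side by side so the graceful one is the default. The following PowerShell is an added example, not code from the page. DC names are constructed; netdom and ntdsutil are assumed to be present (netdom is part of the Support Tools on Windows Server 2003), and the ActiveDirectory module cmdlet is used only where it exists (Windows Server 2008 R2 and later).

```powershell
# Added example, not from the page: read the FSMO holders, check the seize
# preconditions (old holder unreachable, no recent replication from it), and
# move a role by transfer (default) or seize. DC names are constructed.
# Assumes netdom.exe and ntdsutil.exe; uses the ActiveDirectory module when present.

function Get-FsmoHolder {
    # "netdom query fsmo" prints one "<role>   <dc fqdn>" line per role.
    $holders = @{}
    foreach ($line in (& netdom.exe query fsmo)) {
        if ($line -match '^(.+?)\s{2,}(\S+)\s*$') { $holders[$matches[1].Trim()] = $matches[2] }
    }
    return $holders
}

function Test-SeizePrecondition {
    param([Parameter(Mandatory)][string]$OldHolder)
    # Condition 1: the old holder does not answer on the network.
    $answers = Test-Connection -ComputerName $OldHolder -Count 2 -Quiet -ErrorAction SilentlyContinue
    # Condition 2 (evidence it is really gone): no surviving DC has pulled a
    # successful replication from it in the last 24 hours.
    $links   = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $fromOld = @($links | Where-Object { $_.'Source DSA' -eq $OldHolder })
    $recent  = @($fromOld | Where-Object {
        $t = $_.'Last Success Time'
        $t -and ($t -as [datetime]) -and ((Get-Date) - [datetime]$t).TotalHours -lt 24
    })
    [pscustomobject]@{
        OldHolder      = $OldHolder
        AnswersPing    = [bool]$answers
        RecentReplFrom = $recent.Count
        SafeToSeize    = (-not $answers) -and ($recent.Count -eq 0)
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    # ntdsutil's role names on Windows Server 2003 ("naming master" replaces
    # "domain naming master" on 2008 and later).
    $ntdsName = @{
        SchemaMaster = 'schema master'; DomainNamingMaster = 'domain naming master'
        PDCEmulator  = 'PDC';           RIDMaster          = 'RID master'
        InfrastructureMaster = 'infrastructure master'
    }
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    if (-not $PSCmdlet.ShouldProcess($TargetDc, "$verb $Role")) { return }
    if (Get-Command Move-ADDirectoryServerOperationMasterRole -ErrorAction SilentlyContinue) {
        # -Force is the seize switch; without it the cmdlet performs a graceful transfer.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    } else {
        # ntdsutil asks for confirmation in a dialog; "seize" first attempts a
        # transfer and only forces the role when the current holder is unreachable.
        & ntdsutil.exe roles connections "connect to server $TargetDc" quit "$verb $($ntdsName[$Role])" quit quit
    }
}

# Usage with constructed names:
# Get-FsmoHolder
# Test-SeizePrecondition -OldHolder 'DC01'
# Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator                 # graceful transfer
# Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator -Seize -WhatIf  # preview a seize
```

Seize is only reached by passing -Seize explicitly and is still subject to -WhatIf/-Confirm, so the graceful transfer stays the path of least resistance. SafeToSeize is advisory: it cannot prove the old holder will never return, which is the second condition in the answer, so the metadata of a seized-from DC should be cleaned up afterwards rather than left for the DC to reclaim.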
If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem. An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.

I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

What is a Bridgehead Server in AD?
A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as a bridgehead server. In case the server is down, the KCC designates another one from the domain controllers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade.

How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from .
ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.

Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.

How to add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren't going to discuss that here. Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have Service Pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admins and Enterprise Admins groups. Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server. Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, we need to run the following command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click Start, then Run, type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain. After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new server. If not, go to the Control Panel, click on "Add or Remove Programs", and click the "Add/Remove Windows Components" button. In the Windows Components screen, click on "Networking Services" and click the Details button. In the new window check "Domain Name System (DNS)" and then click the OK button. Click "Next" in the Windows Components screen. This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one. First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, and then double-click sitename.
3. Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline. After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller. After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them. Once this is complete, copy over any files you need to your new server and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.

How do you change the DS Restore admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.) In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
5. Please type password for DS Restore Mode Administrator Account:
6. Please confirm new password:
Password has been set successfully.
7. Exit the password-reset utility by typing "quit" at the following prompts:
8. Reset DSRM Administrator Password: quit
ntdsutil: quit

Explain about trusts in AD?
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest.
As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode):
One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust – Two domains allow access to users on both domains.
Trusting domain – The domain that allows access to users from a trusted domain.
Trusted domain – The domain that is trusted; whose users have access to the trusting domain.
Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust – A one-way trust that does not extend beyond two domains.
Explicit trust – A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type – the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.

Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.

What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.

What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.

How do you create a new application partition?
Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories. In Novell you can use eDirectory.

What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows domain controllers and servers.

What are the different types of Terminal Services?
User Mode & Application Mode.

What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).

What is the system startup process?
Windows 2K boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs . For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE, and gives it the hardware information collected by . Windows NT enters the Windows load phases.

What are the group types available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

Explain about the group scopes in AD?
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add user accounts, universal and global groups from any domain as members. Just to remember, nesting cannot be done in a domain local group.
A domain local group will not be a member of another domain local or any other group in the same domain.
Global Group: Users with similar functions can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. In simple words, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for e-mail distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or domain local group in any domain.

What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.

What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

How to take a backup of AD?
To take a backup of Active Directory, first go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run window and type ntbackup. When the backup screen appears, take the backup of SYSTEM STATE; it will take the backup of all the necessary information about the system, including the AD backup, DNS, etc.

What are the DS* commands?
The DS family of built-in utilities:
DSmod – modify Active Directory attributes.
DSrm – delete Active Directory objects.
DSmove – relocate objects.
DSadd – create new accounts.
DSquery – find objects that match your query attributes.
DSget – list the properties of an object.

What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC.
Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).

What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain. Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.

I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone ‘’ can I name the AD domain ‘’ too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible.
You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.

How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.

Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.

What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection – Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell – Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. Bitlocker – System drive encryption can be a sensible security measure for servers located in remote branch offices.
The main difference between 2003 and 2008 is virtualization and management. 2008 has more in-built components and updated third-party drivers.
11. Windows Aero.

What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.

What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check "Enforce Password History Remembered"?
User's last 6 passwords.

Can the GC server and Infrastructure Master be placed on a single server? If not, explain why.
No. As the Infrastructure Master does the same job as the GC, they do not work together.

Which service in Windows is responsible for replication from one domain controller to another domain controller?
The KCC generates the replication topology. It uses SMTP / RPC to replicate changes.

What are intrasite and intersite replication?
Intrasite is the replication within the same site, and intersite is the replication between sites.

What is the Lost & Found folder in ADS?
It's the folder where you can find the objects missed due to conflict. Example: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the OU, so it put that object in the Lost & Found folder.

What is garbage collection?
Garbage collection is the process of the online defragmentation of Active Directory. It happens every 12 hours.

What does System State data contain?
Contains:
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder

What is Active Directory?
Active Directory is metadata. Active Directory is a database which stores data like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete network which connects with AD.

What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.
The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.

What is a domain controller?
A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

What is LDAP?
Lightweight Directory Access Protocol. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

What is KCC?
The KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.

Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.

What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain.

What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

What is Active Directory?
An Active Directory is a directory structure/service used on Microsoft Windows based computers and servers to store information and data about networks and domains. A directory is similar to a dictionary; it enables the look-up of a name and information associated with that name. There is support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability.
Distribution: Distribution groups are intended to be used solely as e-mail distribution lists.
Security: Security groups allow you to manage user and computer access to shared resources.
In order to synchronize the time on your Windows computer with the main Active Directory domain controllers, use the following command at a command prompt:
net time \\ads.iu.edu /set /y

What is LDAP?
LDAP is an Internet standard protocol used by applications to access information in a directory. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500. The LDAP directory service model is based on entries. An entry is a collection of attributes that describe it. Each attribute has a name, a type and one or more values.
LDAP-based implementations are: eDirectory, Red Hat Directory Server, Apple's Open Directory, Apache Directory Server, Oracle Internet Directory, CA Directory, Sun Java System Directory Server, IBM Tivoli Directory Server, Windows NT Directory Services (NTDS).

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can connect other vendors' Directory Services with Microsoft's version. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services (including directories used by SAP, Domino, etc).

Where is the Active Directory database held? What other folders are related to AD?
The AD database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.

What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain. You can go to the SYSVOL folder by typing: %systemroot%/sysvol

Name the AD NCs [naming contexts] and replication issues for each NC
* Schema NC, * Configuration NC, * Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition.
Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool. One of the benefits of an application directory partition is that, for redundancy, availability or fault tolerance, the data in it can be replicated to different domain controllers in a forest.

1. How to check that AD is configured properly?
Ans: Check the NTDS and SYSVOL shared folders at %systemroot%\windows\.

2. How to transfer the global catalog to another domain?
Ans: We cannot transfer the global catalog; we can only remove the global catalog from one server and enable another server as a global catalog.

3. How to configure a global catalog server?
Ans: Go to Active Directory Sites and Services, expand down to the desired server's NTDS Settings, right-click, open Properties and check the Global Catalog check box.

4. What are the FSMO roles, and what is the impact if one goes down?
Ans: Flexible Single Master Operation. There are five roles:
Domain Naming Master (forest-wide role)
Schema Master (forest-wide role)
PDC Emulator (domain-wide role)
RID Master (domain-wide role)
Infrastructure Master (domain-wide role)

5. What is the RID pool?
Ans: The RID Master provides the RID (Relative Identifier) pool to the domain controllers of the domain. When an object is created in a domain, a unique SID (Security ID) is assigned to it, consisting of a RID (unique ID) and a domain SID (common ID for all objects). A RID pool contains 500 RIDs.

6. How to check which server the FSMO roles are running on?
Ans: (i) By using the "DCdiag /test:Knowsofroleholders /v" command. (ii) Type "Netdom query fsmo".
7. How to transfer a FSMO role from one domain controller to another from the command prompt and the GUI?
Ans: Go to Start > Run > dsa.msc, open the properties of Active Directory Users and Computers and transfer the RID, PDC and Infrastructure roles. Go to Start > Run, open the properties of Active Directory Domains and Trusts and transfer the Domain Naming Master role. For transferring the Schema Master role, first register the schema snap-in by running "regsvr32 schmgmt.dll" from Run. Then go to Start > Run > MMC, add the Active Directory Schema snap-in and transfer the Schema Master role.

8. What are the AD database file and log files, where are they stored, and what is the use of the log file?
Ans: The AD database is NTDS.DIT and its location is %systemroot%\windows\NTDS\ntds.dit. The AD log files are EDB.log, EDB.chk and REG.log, and these files are located in %systemroot%\windows\NTDS\.

9. How to recover a corrupted AD database file?

10. Is it possible to rename a domain name in Windows 2003?
Ans: Yes, we can rename the domain name in Windows 2003.

11. What are the two types of replication?
Ans: Inter-site replication and intra-site replication.

12. What are the protocols used in replication?

13. What is the default time for replication?
Ans: KCC (Knowledge Consistency Checker) is the algorithm, and the two protocols used are RPC over IP and SMTP over IP. They replicate every 15 minutes.

14. What is the difference between the two types of replication, i.e. intrasite and intersite?
Ans: Intersite replication is for replication within the site and intra-site replication is for the replication between the sites.

15. What are the replication partitions, and which partition holds each FSMO role?
Ans:
FSMO role              Partition
Schema                 CN=Schema,CN=Configuration,DC=
Domain Naming Master   CN=Configuration,DC=
PDC                    DC=
RID                    DC=
Infrastructure         DC=
The replication partitions are: Schema partition, Configuration partition, Domain partition and Application partition.
16. Is the application partition available in Windows 2003?
Ans: Yes, Windows 2003 contains the application partition; mainly the application partition contains application information such as DNS.

17. What is DNS?
Ans: Domain Naming System. It is used to resolve a host name (FQDN) to an IP address and vice versa.

18. What are the types of DNS zones?
(i) Primary DNS zone (ii) Secondary DNS zone (iii) Active Directory integrated zone (iv) Stub zone

19. What is the authority record and what is its use?

20. What records are available in DNS?
Ans: Address records, Host records, MX records and CNAME records.

21. Explain SRV, MX and CNAME records.

22. Where is the DNS file stored, and where is the database of DNS?
Ans: %SYSTEMROOT%\Windows\System32\DNS

23. How do you configure a DHCP server, and what are the steps?

24. How to reserve an IP address?
Ans: We can assign a particular IP address to the MAC address of a machine using an IP reservation in DHCP.

25. Why do we need two subnets?
To segment or restrict one type of traffic to one segment.

26. Two different subnets: how to configure them on a single DHCP server?
Two different scopes are created for the two subnets.

27. What is the use of a relay agent?
A router drops the DHCP packet because it is a broadcast packet. The relay agent helps in sending it over to the destined subnet.

28. What is Group Policy?
Ans: It is a way to provide a desirable predefined environment to all users, and it is centrally manageable.

29. My requirement is to disable the USB port; how will you do it?
Through Group Policy.

30. How to take a backup of Group Policy?
Ans: We can use GPMC (Group Policy Management Console): right-click on the GPO, select Backup and back it up to a destination folder.

31. You are the administrator; my requirement is to configure Active Directory for four different locations. How will you plan it?
Ans: Depending on the requirement I'll configure one parent domain and three child domains, or one domain with four sites, or four different domains (least preferred).
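The AD questions above (database and log file locations, the RID pool and SIDs, replication, Group Policy backup) can all be checked from PowerShell rather than from the MMC consoles. The script below is an added example written for this page, not code from the original page or from Microsoft; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed, that it runs in a domain-joined administrative session, and the backup path and account name it uses are hypothetical placeholders.

```powershell
# Added example (not from the original page). Assumes RSAT's ActiveDirectory
# and GroupPolicy modules and a domain admin session. Paths and names below
# are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Q8: the NTDS service records the real database and log locations in the
# registry on every DC, so read them instead of assuming %systemroot%\NTDS.
function Get-NtdsFileLocations {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        Database   = $p.'DSA Database file'         # ntds.dit
        LogFolder  = $p.'Database log files path'   # edb.log, edb.chk, reserved logs
        WorkingDir = $p.'DSA Working Directory'
    }
}

# Q5: decode the domain RID pool. rIDAvailablePool on CN=RID Manager$ is a
# 64-bit value: high 32 bits = highest RID the domain can ever hand out,
# low 32 bits = next RID to be allocated (i.e. RIDs consumed so far).
function Get-RidPoolStatus {
    $dom  = Get-ADDomain
    $mgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
                -Properties rIDAvailablePool
    $pool = [int64]$mgr.rIDAvailablePool
    $max  = $pool -shr 32
    $next = $pool -band [int64]4294967295
    [pscustomobject]@{
        RidMaster   = $dom.RIDMaster
        RidsIssued  = $next
        RidsMax     = $max
        PercentUsed = [math]::Round(100 * $next / $max, 4)
    }
}

# Q5: a SID is the domain SID plus a RID; split one to show the two parts.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier $Sid
    [pscustomobject]@{
        DomainSid = $s.AccountDomainSid.Value
        Rid       = [int]($s.Value.Split('-')[-1])
    }
}

# Q11-Q14: replication health. Partner metadata shows the last successful
# sync per naming context and partner; site links show the configured
# inter-site replication interval.
function Get-ReplicationHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
            Select-Object Server, Partition, Partner, LastReplicationSuccess, LastReplicationResult
    }
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes
}

# Q30: the GPMC "Backup" action for every GPO in the domain, scripted.
function Backup-AllGpos {
    param([string]$Path = 'C:\GPOBackups')   # hypothetical destination folder
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Backup-GPO -All -Path $Path -Comment ("Scripted backup " + (Get-Date -Format s))
}

Get-NtdsFileLocations
Get-RidPoolStatus
Split-Sid -Sid (Get-ADUser -Identity 'Administrator').SID.Value
Get-ReplicationHealth
Backup-AllGpos
```

Get-RidPoolStatus is the check worth scheduling: when RidsIssued approaches RidsMax the domain can no longer create principals, and a sudden jump in RidsIssued between runs is worth investigating, since every created object, including ones created and deleted by an attacker, consumes a RID permanently.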
32. What are the two types of terminal servers?
User mode and application mode.

33. What are the default security groups? Give an explanation of each group.
Ans:

34. You are maintaining remote servers that you can connect to remotely, but you can't ping them. How do you troubleshoot?

35. What is the use of the Kerberos protocol?
Ans: Kerberos is an authentication protocol.

36. What version of the Kerberos protocol is used?
Ans: We are using Kerberos V5.

37. What is the authentication protocol in Windows NT?
Ans: Windows NT supported two kinds of challenge/response authentication: LanManager (LM) challenge/response, and Windows NT challenge/response (also known as NTLM challenge/response).

38. What are RAID levels?
Ans: The main RAID levels are RAID-0, RAID-1, RAID-5 and RAID-10.

39. Which RAID will you recommend and why?
Ans: RAID-1 for the OS (mirroring); RAID-5 for the data partition (stripe set with parity).

40. What is the difference between RAID-1 and RAID-5?
RAID-1: In RAID-1 there are two hard disks and the data on one is mirrored to the other, so even if one fails the other one is there with the same data for service continuity.
RAID-5: We can use a minimum of three hard disks (the maximum depends on the RAID controller card). Data is written on the disks in stripes with a distributed parity set.

41. What is the difference between disk mirroring and disk duplexing?

42. What is a dynamic disk?

43. What is disk striping?

44. What are the backup types?
Ans: (i) Normal or full backup (ii) Differential backup (iii) Incremental backup (iv) Copy backup (v) Daily backup

45. Which backup types reset archive bits?
Ans: The bit that is check-marked on a folder which has been backed up by a normal backup.

46. What is the use of DFS?
Ans: Distributed File System. It is used for fault tolerance because it makes a duplicate copy of every DFS root. Not only that: the domain login process uses DFS to find the nearest DC to log in to.

47. Do you know about FRS?
Ans: File Replication Service. Example: replication of the SYSVOL folder.
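Q44 and Q45 turn on how each backup type treats the NTFS archive attribute. The following is an added example written for this page (not code from the original page or from any backup product): it builds a scratch folder under $env:TEMP with constructed sample files and runs a simulated full, differential and incremental "backup" over it, returning the file names each one would take. It needs Windows PowerShell, because the archive attribute is an NTFS feature.

```powershell
# Added example, not code from the original page. Simulates how normal (full),
# differential and incremental backups use the archive attribute (Q44/Q45).
# The folder and files under $env:TEMP are constructed sample data.
$lab = Join-Path $env:TEMP 'archive-bit-lab'
Remove-Item -Path $lab -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $lab | Out-Null
foreach ($n in 'a', 'b', 'c') { Set-Content -Path (Join-Path $lab "$n.txt") -Value $n }

# NTFS sets the Archive attribute (bit value 32) on every new or modified file.
$ARCHIVE = [int][IO.FileAttributes]::Archive

function Get-ArchiveFlagged {
    Get-ChildItem -Path $lab -File | Where-Object { ([int]$_.Attributes -band $ARCHIVE) -ne 0 }
}

function Clear-ArchiveBit {
    param([IO.FileInfo[]]$Files)
    foreach ($f in $Files) {
        $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band (-bnot $ARCHIVE))
    }
}

# Normal (full): takes every file and resets the bit on each one.
function Invoke-FullBackup {
    $set = @(Get-ChildItem -Path $lab -File)
    Clear-ArchiveBit -Files $set
    $set.Name
}

# Differential: takes the files flagged since the last full backup and leaves
# the bit set, so every differential holds everything changed since that full.
function Invoke-DifferentialBackup {
    @(Get-ArchiveFlagged).Name
}

# Incremental: takes the flagged files and resets the bit, so the next
# incremental holds only what changed after this one.
function Invoke-IncrementalBackup {
    $set = @(Get-ArchiveFlagged)
    Clear-ArchiveBit -Files $set
    $set.Name
}

"Full:            $((Invoke-FullBackup) -join ', ')"
Add-Content -Path (Join-Path $lab 'a.txt') -Value 'changed'   # modify one file
"Differential 1:  $((Invoke-DifferentialBackup) -join ', ')"
"Differential 2:  $((Invoke-DifferentialBackup) -join ', ')"
"Incremental 1:   $((Invoke-IncrementalBackup) -join ', ')"
"Incremental 2:   $((Invoke-IncrementalBackup) -join ', ')"
```

Running it shows the full backup taking all three files and clearing their bits, both differentials taking the modified file again (the bit is left set), the first incremental taking it once and the second incremental taking nothing, which is exactly the restore-chain difference between the two types: a differential restore needs the last full plus one differential, an incremental restore needs the last full plus every incremental since.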
48. What is the difference between the TCP and UDP protocols?
Ans: TCP is a connection-oriented protocol, while UDP is not a connection-oriented protocol.

49. What is the difference between a hub and a switch?
Ans: A hub broadcasts the data packet, but a switch multicasts the data packet into the network, which reduces the collision of data packets.

50. Which layer does a router work at?
Ans: Layer three (the Network layer).

51. You are going to migrate the domain; how do you plan it?

52. For a project requirement you are going to share 20 folders; what steps will you take?

53. Why is a VLAN required?
Ans: To divide/restrict the traffic to one segment of the network.

54. What rights are required to transfer FSMO roles?
Ans: The logged-on user should be a member of the Enterprise Administrators group to transfer the Schema Master or Domain Naming Master roles, or a member of the Domain Administrators group of the domain where the PDC Emulator, RID Master and Infrastructure Master roles are being transferred.

55. Write down the command line to transfer all the FSMO roles to another server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type transfer role, where role is the role that you want to transfer. For example:
To transfer the Schema Master role, type transfer schema master
To transfer the Domain Naming Master role, type transfer domain naming master
To transfer the RID Master role, type transfer rid master
To transfer the PDC Emulator role, type transfer pdc
To transfer the Infrastructure Master role, type transfer infrastructure master
7. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.
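The FSMO procedures in Q6, Q7, Q54 and Q55 (and the seize variant and global catalog check in the questions that follow) can also be done with the ActiveDirectory PowerShell module, which replaces the ntdsutil session and the three MMC snap-ins with one cmdlet. This is an added example written for this page, not code from the original page or from Microsoft; it assumes RSAT's ActiveDirectory module, a session with the rights described in Q54, and the target DC name 'DC02' is a hypothetical placeholder.

```powershell
# Added example (not from the original page): FSMO and global catalog tasks
# with the ActiveDirectory module. Assumes RSAT and an account with the rights
# from Q54; DC names are hypothetical placeholders.
Import-Module ActiveDirectory

# Q6: which server holds which role (the PowerShell form of "netdom query fsmo").
function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Q58: is each DC also a global catalog? This reads what the "Global Catalog"
# check box under NTDS Settings in Sites and Services displays.
function Get-GlobalCatalogStatus {
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
}

# Q3: enable the GC on a DC by setting bit 1 of the "options" attribute on its
# NTDS Settings object, which is what the check box writes.
function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $opts = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options).options
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor 1) }
}

# Q55: graceful transfer. The current holder and the target must both be
# online; the cmdlet talks to the holder, which hands the role over.
function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDc)
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

# Q56: seize. -Force makes the cmdlet take the role when a transfer fails,
# i.e. when the holder is permanently unreachable. Per Microsoft's guidance a
# DC whose roles were seized must not return to the network unless it is
# rebuilt, so first remove it (Q57) and clean its metadata out of the directory.
function Invoke-FsmoSeizure {
    param([Parameter(Mandatory)][string]$TargetDc)
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Force -Confirm:$false
}

Get-FsmoHolders
Get-GlobalCatalogStatus
# Move-AllFsmoRoles -TargetDc 'DC02'    # graceful transfer to a hypothetical DC
# Invoke-FsmoSeizure -TargetDc 'DC02'   # only when the current holder is dead
Get-FsmoHolders                          # verify the holders afterwards
```

The two transfer calls are commented out so the script is read-only by default; run Get-FsmoHolders before and after any change so the new holders are recorded, and check OperationMasterRoles in Get-GlobalCatalogStatus to confirm that no role is left on a DC you are about to retire.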
56. Write down the command line to seize all the FSMO roles to a server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type seize role, where role is the role that you want to seize. For example:
To seize the Schema Master role, type seize schema master
To seize the Domain Naming Master role, type seize domain naming master
To seize the RID Master role, type seize rid master
To seize the PDC Emulator role, type seize pdc
To seize the Infrastructure Master role, type seize infrastructure master
7. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.

57. What is the command for removing Active Directory?
Ans: dcpromo /forceremoval

58. How to test whether a domain controller is also a global catalog server?
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-First-Site-Name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.

> What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.

> What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.

> What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.

> What are the types of scopes in Windows DHCP?
Normal scope - Allows class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast scope - Used to assign IP address ranges for class D networks.
Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

> What is authorizing DHCP servers in Active Directory?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or, at the command prompt, the netsh tool. If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right-click on the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.

> What ports are used by DHCP and the DHCP clients?
Requests are on UDP port 68; server replies are on UDP port 67.

> What are the benefits of using DHCP?
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduced configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options.
Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.
The following section covers issues that affect the use of the DHCP Server service with other services or network configurations: using DNS servers with DHCP; using Routing and Remote Access servers with DHCP; multihomed DHCP servers.

> Describe the process of installing a DHCP server in an AD infrastructure.
Open the Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK. Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.

Windows Server DHCP Interview Questions
By admin | Published: July 3, 2012
Below is the list of basic Windows Server DHCP interview questions asked in interviews for the post of Windows System Administrator / L1/L2/L3 Windows Support Engineer.
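Taken together, the DHCP questions above describe one procedure: authorize the server in AD, create one scope per subnet (with the relay agent on the router delivering the broadcasts), exclude the static addresses, set the options, reserve an address for a known MAC, group the scopes in a superscope and tie DHCP to DNS registration. The script below is an added example written for this page, not code from the original page or from Microsoft; it assumes the DhcpServer module (Windows Server 2012 or later) running on the DHCP server itself, and the server name, subnets, router addresses and MAC address are hypothetical placeholders.

```powershell
# Added example (not from the original page): the DHCP procedure from the
# questions above with the DhcpServer module (Windows Server 2012+). Server
# name, subnets, gateways and the MAC address are hypothetical placeholders.
Import-Module DhcpServer

$dhcpServer = 'dhcp01.contoso.com'   # hypothetical
$dhcpIp     = '10.0.1.10'

# Authorization (the PowerShell form of "netsh dhcp server ... initiate auth").
# An unauthorized DHCP service in an AD domain stops itself, which is the
# control that keeps an unsanctioned server from answering DISCOVER broadcasts.
function Register-DhcpInAD {
    if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $dhcpServer)) {
        Add-DhcpServerInDC -DnsName $dhcpServer -IPAddress $dhcpIp
    }
    Get-DhcpServerInDC
}

# Q25/Q26: one scope per subnet on the same server. The relay agent (Q27) on
# each router forwards the broadcast to $dhcpIp and stamps it with the relay
# address, which is how the server picks the right scope for a remote subnet.
function New-SiteScopes {
    $scopes = @(
        @{ Name = 'Floor1'; Net = '10.0.1.0'; Start = '10.0.1.50'; End = '10.0.1.250'; ExclEnd = '10.0.1.59'; Router = '10.0.1.1' },
        @{ Name = 'Floor2'; Net = '10.0.2.0'; Start = '10.0.2.50'; End = '10.0.2.250'; ExclEnd = '10.0.2.59'; Router = '10.0.2.1' }
    )
    foreach ($s in $scopes) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
            -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
        # keep the first ten addresses of each range for statically addressed hosts
        Add-DhcpServerv4ExclusionRange -ScopeId $s.Net -StartRange $s.Start -EndRange $s.ExclEnd
        # options handed out with every lease in this scope
        Set-DhcpServerv4OptionValue -ScopeId $s.Net -Router $s.Router -DnsServer $dhcpIp -DnsDomain 'contoso.com'
    }
}

# Q24: reservation. The lease is bound to the client's hardware address, so the
# printer always receives the same IP without being configured statically.
function New-PrinterReservation {
    Add-DhcpServerv4Reservation -ScopeId 10.0.1.0 -IPAddress 10.0.1.60 `
        -ClientId '00-11-22-33-44-55' -Name 'printer01' -Description 'Floor 1 printer (hypothetical)'
}

# Superscope: both scopes can now be enabled or disabled as one unit.
function New-BuildingSuperscope {
    Add-DhcpServerv4Superscope -SuperscopeName 'BuildingA' -ScopeId 10.0.1.0, 10.0.2.0
}

# DHCP/DNS integration: the server registers A and PTR records on the client's
# behalf, removes them when the lease expires and protects names so a second
# client cannot overwrite the record of the first.
function Set-DnsRegistration {
    Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true `
        -UpdateDnsRRForOlderClients $true -NameProtection $true
}

# Verification of what was built, including address pool usage per scope.
function Show-DhcpState {
    Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, State
    Get-DhcpServerv4ScopeStatistics | Select-Object ScopeId, AddressesInUse, AddressesFree, PercentageInUse
    Get-DhcpServerv4Reservation -ScopeId 10.0.1.0
}

Register-DhcpInAD
New-SiteScopes
New-PrinterReservation
New-BuildingSuperscope
Set-DnsRegistration
Show-DhcpState
```

Get-DhcpServerInDC is also the quickest audit of which DHCP servers the directory currently trusts, and Get-DhcpServerv4ScopeStatistics is the number to watch for pool exhaustion, whether from growth or from a flood of DISCOVER requests with spoofed hardware addresses.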
> How to authorize a DHCP server in Active Directory?
Open DHCP. In the console tree, click DHCP. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. Click Authorize. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.

> What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.

> Describe the integration between DHCP and DNS.
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators.
And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP-address-centric network services data.

> What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.

> What is the port number of DNS?
53.

> What is a forward lookup?
Resolving host names to IP addresses.

> What is a reverse lookup?
It's a file that contains host name to IP mapping information.

> What is a resource record?
It is a record that provides information about the resources available in the network infrastructure.

> What are the different DNS roles?
Standard primary, standard secondary and AD integrated.

> What is a zone?
A zone is a subtree of the DNS database.

> Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR records.

> SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

> By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
It performs a recursive search through the primary DNS server based on the network interface configuration.

> What are primary, secondary, stub and AD integrated zones?
Primary zone: a zone which is saved as a normal text file with filename (.dns) in the DNS folder. Maintains a read/write copy of the zone database.
Secondary zone: maintains a read-only copy of the zone database on another DNS server.
Provides fault tolerance and load balancing by acting as a backup server to the primary server.
Stub zone: contains a copy of the name server and SOA records, used for reducing the DNS search order. Provides fault tolerance and load balancing.

> How do you manually create SRV records in DNS?
On Windows Server go to Run -> dnsmgmt.msc, right-click on the zone you want to add the SRV record to, choose "Other New Records" and choose Service Location (SRV).

> What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.

> Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.

> Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.

> At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.

> Name 3 benefits of using AD-integrated zones.
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases.
Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory. When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.

> Your company uses ten domain controllers, three of which are also used as DNS servers. You have one company-wide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up to date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.

> You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.

> What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
If your DNS topology includes Active Directory, use Active Directory integrated zones.
Active Directory integrated zones enable you to store zone data in the Active Directory database. Zone information about any primary DNS server within an Active Directory integrated zone is always replicated. Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication. Updates that are made to any domain controller are replicated to all domain controllers, and the zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Active Directory integrated zones:
Enable you to secure zones by using secure dynamic update.
Provide increased fault tolerance. Every Active Directory integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.
Enable replication that propagates changed data only, compresses replicated data and reduces network traffic.
If you have an Active Directory infrastructure, you can only use Active Directory integrated zones on Active Directory domain controllers. If you are using Active Directory integrated zones, you must decide whether or not to store Active Directory integrated zones in the application directory partition. You can combine Active Directory integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server.
However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.

> You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The machine's own DNS client settings are not configured. The DNS service is not running.

> What are the benefits and scenarios of using stub zones?
Understanding stub zones: A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource records and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones.
However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets., it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.. The list of master servers may contain a single server or multiple servers and can be changed at any time.

> What are the benefits and scenarios of using conditional forwarding?
Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process. A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address.
When a DNS client or server performs a query operation against a Windows Server 2003- based DNS server that is configured for forwarding, the DNS server looks to see if the query can be resolved by using its own zone data or the zone data that is stored in its cache, and then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of a DNS Server that is associated with the domain name. If the DNS server has no domain name listed for the name that is designated in the query, it attempts to resolve the query by using standard recursion.>What is the 224.0.1.24 address used for??WINS server group address. Used to support auto discovery and dynamic configuration of replication for WINS servers. For more information, see WINS replication overview WINS server group address. Used to support auto discovery and dynamic configuration of replication for WINS servers.> Describe the importance of DNS to AD ?When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet.While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher. 
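The stub zone, conditional forwarder and delegation answers above describe configuration that is normally done in the DNS console. The following script is an added example, not part of the original page, showing the same three configurations with the DnsServer module that ships with the DNS Server role on Windows Server 2012 and later. Every zone name and IP address in it (contoso.example, widgets.example, partner2.example, 10.20.0.10, and so on) is an assumption for illustration.

```powershell
# Added example (not from the original page): configuring the zone types the
# answers above describe, using the DnsServer module that ships with the DNS
# Server role on Windows Server 2012 and later. All names and addresses below
# are assumptions for illustration: the company is contoso.example, the merged
# partner namespace is widgets.example, the partner's authoritative servers are
# 10.20.0.10 and 10.20.0.11, and the child domain's DC is 10.10.5.10.

Import-Module DnsServer

$PartnerZone    = 'widgets.example'
$PartnerMasters = '10.20.0.10', '10.20.0.11'
$ChildNS        = 'dc1.sales.contoso.example'
$ChildNSAddress = '10.10.5.10'

# 1. Stub zone: the server learns the partner's NS set from the masters and
#    then recurses to those servers itself. Replicating it forest-wide gives
#    every DNS server the same list of authoritative servers.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $PartnerZone `
                          -MasterServers $PartnerMasters `
                          -ReplicationScope 'Forest'
}

# 2. Conditional forwarder for a second namespace: every query for that name
#    is handed to the listed servers instead of being recursed. Use it when the
#    other side will not expose its NS set (no zone transfer, no stub refresh),
#    at the cost of trusting those servers for every answer in that namespace.
$FwdZone    = 'partner2.example'
$FwdServers = '10.30.0.53'
if (-not (Get-DnsServerZone -Name $FwdZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $FwdZone `
                                          -MasterServers $FwdServers `
                                          -ReplicationScope 'Forest'
}

# 3. Delegation of a child zone from the parent (the child-domain scenario
#    covered later on this page): an NS record in the parent zone plus a glue
#    A record so resolvers can reach the child's name server.
Add-DnsServerZoneDelegation -Name 'contoso.example' `
                            -ChildZoneName 'sales' `
                            -NameServer $ChildNS `
                            -IPAddress $ChildNSAddress

# 4. Verify: the stub zone should now hold the partner's NS records, and the
#    local server should answer a name in each namespace.
Get-DnsServerResourceRecord -ZoneName $PartnerZone -RRType NS |
    Select-Object HostName, @{ n = 'NS'; e = { $_.RecordData.NameServer } }

foreach ($name in "www.$PartnerZone", "www.$FwdZone", $ChildNS) {
    $r = Resolve-DnsName -Name $name -Server 127.0.0.1 -ErrorAction SilentlyContinue |
         Where-Object IPAddress
    if ($r) { "$name -> $($r.IPAddress -join ', ')" }
    else    { "$name -> NO ANSWER" }
}
```

The stub zone and the conditional forwarder solve the same problem (reaching a namespace your server is not authoritative for) with a different trust boundary: the stub zone learns who is authoritative and recurses to them; the forwarder sends everything to fixed addresses. Neither is a substitute for a secondary zone where redundancy or load sharing is the goal, as the text notes.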
> What is the "in-addr.arpa" zone used for?

In a DNS environment, it is common for a user or an application to request a reverse lookup: the host name, given the IP address. RFC 1035 describes the mechanism: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet."

The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet addressing structure: "Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero). Host addresses are represented by domain names that have all four labels specified."

Reverse lookup zones use the structure specified in RFC 1035, with the octets written in reverse order. For example, for the network 150.10.0.0/16 the reverse lookup zone is 10.150.IN-ADDR.ARPA. Any host with an address in 150.10.0.0/16 has a PTR (pointer) record in 10.150.IN-ADDR.ARPA referencing its host name, and a single IN-ADDR.ARPA zone may contain entries for hosts in many forward domains. In the zone 10.150.IN-ADDR.ARPA, the record

    1.20 IN PTR WS1.

maps the address 150.10.20.1 (the remaining octets 20.1 reversed to 1.20) to the host WS1 (in practice the target is the host's fully qualified name, ending in a dot). A caveat for anyone using reverse lookups in logging or access control: the PTR record is controlled by whoever administers the address block, so a PTR result should be confirmed with a forward lookup of the returned name before it is trusted.

> What are the requirements from DNS to support AD?

When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS; they are necessary for the domain controller locator (Locator) mechanism to function.

To find domain controllers in a domain or forest, a client queries DNS for the SRV and A resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records. When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records that identify the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.

If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine whether the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then your existing DNS infrastructure must be modified. For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard.

Important: The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. Where the zone is AD-integrated, configure it for secure dynamic updates only, so that a record can be changed only by the authenticated computer that owns it.
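The requirements just listed (SRV support, dynamic updates, and the Locator records themselves) can be checked rather than assumed. The script below is an added example, not part of the original page; it runs from a DC or an administrative workstation with the DnsServer and DnsClient modules (Windows Server 2012 or later) and treats the domain name corp.example and the server dc1.corp.example as assumptions for illustration.

```powershell
# Added example (not from the original page): checking the DNS prerequisites
# the answer above lists. The domain corp.example and the DNS server
# dc1.corp.example are assumptions for illustration. Part 3 reads
# netlogon.dns and must therefore run on the DC itself.

Import-Module DnsServer

$Domain    = 'corp.example'
$DnsServer = 'dc1.corp.example'

# 1. Locator records: these SRV names are what clients query to find a DC.
#    A missing record here is exactly the symptom in the earlier question.
$locators = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $locators) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        "OK      $name -> $targets"
    } else {
        "MISSING $name"
    }
}

# 2. Dynamic update mode of the zone. RFC 2136 updates are required for DC
#    registration, but 'Secure' (Kerberos-authenticated; AD-integrated zones
#    only) is the setting to insist on: 'NonsecureAndSecure' lets any host on
#    the network overwrite another host's A record.
$zone = Get-DnsServerZone -Name $Domain -ComputerName $DnsServer
switch ($zone.DynamicUpdate) {
    'Secure'             { "OK      zone $Domain accepts secure dynamic updates only" }
    'NonsecureAndSecure' { "WARN    zone $Domain accepts unauthenticated updates; set it to Secure" }
    'None'               { "FAIL    zone $Domain refuses dynamic updates; DCs cannot register" }
}

# 3. Compare what Netlogon wants registered with what DNS actually holds.
#    netlogon.dns lines look like:
#    _ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
$netlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
if (Test-Path $netlogonDns) {
    Get-Content $netlogonDns | ForEach-Object {
        if ($_ -match '^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)') {
            $owner  = $Matches[1].TrimEnd('.')
            $target = $Matches[3].TrimEnd('.')
            $found  = Resolve-DnsName -Name $owner -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -eq $target }
            if (-not $found) { "NOT REGISTERED $owner -> $target" }
        }
    }
}
```

If part 1 reports records missing while part 3 shows Netlogon expects them, the usual causes are the ones the earlier question lists: the DC's resolver points at a server that does not host the zone, or the zone refuses dynamic updates (part 2 shows which).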
After installing Active Directory, these records can be found on the domain controller at %SystemRoot%\System32\config\netlogon.dns.

> What does a zone consist of, and why do we require a zone?

A zone is a contiguous portion of the DNS namespace (one or more domains) for which a DNS server holds authoritative data, stored as resource records (SOA, NS, A, SRV, PTR and so on). Zones are the unit of authority, delegation, replication and administration: the namespace is divided into zones so that different servers or teams can be authoritative for different parts of it.

> What is a caching-only server?

A DNS server that hosts no zones. It resolves client queries recursively (via root hints or forwarders) and answers subsequent queries for the same names from its cache until the records' TTLs expire. A Windows 2000 or 2003 DNS server with no zones configured behaves as a caching-only server.

> What is a forwarder?

A DNS server to which another DNS server sends the queries it cannot resolve from its own zones or cache, instead of recursing from the root itself.

> What is a secondary DNS server?

A server holding a read-only copy of a zone, obtained from the primary by zone transfer (AXFR/IXFR). It provides redundancy and load sharing. Restrict zone transfers (Zone Transfers tab) to the known secondaries; an unrestricted transfer hands an attacker a complete list of your hosts.

> How do you enable dynamic updates in DNS?

Start > Programs > Administrative Tools > DNS > right-click the zone > Properties > General tab > Dynamic updates. Choose "Secure only" (available for AD-integrated zones) rather than "Nonsecure and secure".

> What are the properties of a DNS server?

Interfaces, Forwarders, Advanced, Root Hints, Security, Monitoring, Event Logging, Debug Logging.

> What are the properties of a zone?

General, Start of Authority (SOA), Name Servers, WINS, Zone Transfers, and Security (AD-integrated zones).

> What is scavenging?

Finding and deleting stale dynamically registered records. Aging stamps each dynamic record with a timestamp; once the no-refresh and refresh intervals have both elapsed without the owner refreshing it, scavenging removes it. Intervals set too short delete records of machines that are merely offline.

> What are SRV records?

Service location records (RFC 2782), in the form _service._proto.name TTL class SRV priority weight port target. They let clients locate the hosts providing a service, which is how Active Directory clients find domain controllers.

> What are the locator SRV record groups in an AD zone?

- _msdcs: Microsoft-specific records (dc, gc, pdc, domains, and GUID-named entries) for locating DCs, global catalogs and the PDC emulator.
- _tcp: _ldap, _kerberos, _kpasswd and _gc over TCP for the whole domain.
- _udp: _kerberos and _kpasswd over UDP.
- _sites: per-site copies of the above, so clients find a DC in their own site.
- DomainDnsZones and ForestDnsZones: _ldap records for the DCs that host those DNS application partitions.

> Where does the hosts file reside?

%SystemRoot%\System32\drivers\etc\hosts (c:\windows\system32\drivers\etc on a default installation).

> What is SOA?

Start of Authority: the first record in a zone. It names the primary server and the responsible person's mailbox and carries the zone's serial number, refresh, retry and expire intervals, and minimum (negative-caching) TTL.

> What is a query?

A request made by a DNS client to a name server for information about a name.

> What are the different types of queries?

Recursive (the server must return a final answer or an error) and iterative (the server returns the best referral it has). Inverse queries are obsolete.

> Tools for troubleshooting DNS?

DNS console, nslookup, dnscmd, ipconfig (/displaydns, /flushdns, /registerdns), dcdiag /test:dns, the DNS Server event log and debug logging.

> What is a WINS server? Where is WINS used? What is the difference between DNS and WINS?

WINS (Windows Internet Name Service) resolves NetBIOS computer names to IP addresses. It is proprietary to Windows and used on the LAN. DNS (Domain Name System) resolves host names to IP addresses using fully qualified domain names and is the Internet standard for name resolution.

> What is new in Windows Server 2003 regarding DNS management?

When a DC is promoted into an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate the required portions of the directory from it. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. To be located on a network, every DC must register its DC locator records in DNS; the wizard verifies that the DNS infrastructure is properly configured. All DNS configuration debugging and reporting is done within the Active Directory Installation Wizard.

> SOA records must be included in every zone. What are they used for?

SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person responsible for maintaining the zone. SOA records contain the current serial number of the zone, which secondaries compare to decide whether a zone transfer is needed.

> By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN into an IP address?

It sends a recursive query to the preferred DNS server configured on the network interface, falling back to the alternate server(s) only if the preferred one does not respond.

> How do I clear the DNS cache on the DNS server?

In the DNS console, right-click the server and choose Clear Cache, or run dnscmd /clearcache (Clear-DnsServerCache on 2012 and later). Note that ipconfig /flushdns clears only the local client resolver cache, not the server's cache.

> What is the main purpose of SRV records?

SRV records are used to locate hosts that provide particular network services.

> Before installing your first domain controller, you installed a DNS server and created a zone named after your AD domain. After installing the domain controller you cannot find any SRV records in the zone. What is the most likely cause?

The zone was not configured to allow dynamic updates, or the DC's network connection was not configured to register its addresses in DNS.

> What is the "." zone in my forward lookup zone?

A "." (root) zone makes the Windows 2000 or Windows Server 2003 DNS server believe it is an Internet root server, so it never uses root hints or forwarders. It is usually deleted; if you do not delete it, external name resolution to the Internet root servers fails.

> Do I need to configure forwarders in DNS?

No. By default, Windows 2000 DNS uses the Internet root hint servers; however, you can configure forwarders to send DNS queries directly to your ISP's DNS servers or other DNS servers. Forwarders usually improve performance and efficiency, but they introduce a point of failure if the forwarding DNS server has problems. Root hints provide redundancy in exchange for slightly more DNS traffic on your Internet connection. Windows Server 2003 DNS queries the root hint servers if it cannot reach the forwarders.

> Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

No.
If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may have problems joining or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS server should be the Windows 2000 or Windows Server 2003 domain controller running DNS. If you use DHCP, check scope options 006 (DNS Servers) and 015 (DNS Domain Name) for the correct settings for your LAN.

> Do I need to point computers running Windows NT 4.0, Windows 95, Windows 98 or Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?

Legacy operating systems continue to use NetBIOS name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

> What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?

If you can query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server can query the root hint servers. UDP and TCP port 53 must be open on the proxy server or firewall.

> What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?

Check for a disjoint namespace (the computer's primary DNS suffix differs from the AD domain name), then run Netdiag.exe /fix. Netdiag is in the Support Tools on the Windows 2000 Server or Windows Server 2003 CD-ROM. On later versions, dcdiag /test:dns diagnoses the zone and nltest /dsregdns forces re-registration.

> How do I set up DNS for a child domain?

Create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Note: Windows Server 2003 has additional zone types, such as stub zones and forest-wide AD-integrated zones, that may be a better fit for your environment. Set the child domain controller to point to itself first. As soon as an additional domain controller is available in the child domain, set the child domain controller to point to that domain controller as its alternate.

What is Group Policy in Active Directory? What are Group Policy objects (GPOs)?

Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory object that stores GPO properties, including version information, GPO status, and a list of the components that have settings in the GPO. The Group Policy template is a folder structure in the file system that stores Administrative Template-based policies, security settings, script files, and information about applications available for Group Policy Software Installation. The Group Policy template lives in the system volume (SYSVOL) under the \Policies subfolder for its domain.

What is the order in which GPOs are applied?

Group Policy settings are processed in the following order:

1. Local Group Policy object: each computer has exactly one Group Policy object stored locally. It is processed for both computer and user Group Policy.
2. Site: any GPOs linked to the site the computer belongs to are processed next, in the order specified by the administrator on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last and therefore has the highest precedence.
3. Domain: multiple domain-linked GPOs are processed in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last and therefore has the highest precedence.
4. Organizational units: GPOs linked to the organizational unit highest in the Active Directory hierarchy are processed first, then GPOs linked to its child organizational unit, and so on. Finally, the GPOs linked to the organizational unit that contains the user or computer are processed. At each level, one, many, or no GPOs can be linked; if several GPOs are linked to an organizational unit, they are processed in the order specified by the administrator on the Linked Group Policy Objects tab for that OU in GPMC. The GPO with the lowest link order is processed last and therefore has the highest precedence.

This order (often remembered as LSDOU) means that the local GPO is processed first and GPOs linked to the OU of which the computer or user is a direct member are processed last, overwriting settings in the earlier GPOs where they conflict. Where there is no conflict, earlier and later settings are simply aggregated.

How do you back up and restore Group Policy objects?

Log on to a Windows Server 2008 domain controller and open the Group Policy Management console. Navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects. The details pane now lists all of the Group Policy objects in the domain; in Figure A there are only two, but a production environment may have many more. The Group Policy Objects container holds every GPO for the domain.

Right-click the Group Policy Objects container and choose Back Up All from the shortcut menu. Windows opens the Back Up Group Policy Object dialog box. As Figure B shows, the dialog box asks for the path where the backup files are to be stored; this can be a dedicated folder on a local drive or a folder on a mapped network drive. A Description field lets you describe the backup you are creating. Click Back Up to start; when the backup completes, a dialog box reports how many Group Policy objects were backed up successfully. Click OK and you are done. Protect the backup folder as you would SYSVOL: anyone who can edit the backup files can change what gets restored.

To restore a Group Policy Object you have two options. The first is to right-click the GPO and choose Restore From Backup; Windows removes all of the GPO's current settings and then applies the settings found in the backup. The other is to right-click the GPO and choose Import Settings, which works more like a merge than a restore: settings presently in the GPO are retained unless the imported file contains a contradictory setting.

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department.
How would you do that?

Create a dedicated GPO and link it to the organizational unit that contains that department's users and computers, rather than editing the Default Domain Policy (which would change every user in the domain). In Active Directory Users and Computers (Start > Programs > Administrative Tools), right-click the department's OU, choose Properties, open the Group Policy tab, click New, then Edit. In the Group Policy console go to User Configuration > Administrative Templates > Desktop and > Start Menu and Taskbar and set each property you want to standardize (and User Configuration > Windows Settings > Folder Redirection for My Documents). On Windows Server 2008 and later the same is done in GPMC: right-click the OU and choose "Create a GPO in this domain, and Link it here".

What's the difference between software publishing and assigning?

Assign to users: the application is advertised when the user logs on. It is installed when the user clicks the application's icon on the Start menu or opens a file associated with the application.

Assign to computers: the application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to users: the application does not appear on the Start menu or desktop, so the user may not know it is available. It is made available via Add/Remove Programs in Control Panel, or by opening a file associated with the application. Published applications do not reinstall themselves after accidental deletion, and it is not possible to publish to computers.

What are Administrative Templates?

Administrative Templates are a feature of Group Policy, Microsoft's technology for centralized management of machines and users in an Active Directory environment. They facilitate the management of registry-based policy. An ADM file describes both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. It is a text file with a specific syntax describing the interface and the registry values that will be changed when the policy is enabled or disabled. ADM files are consumed by the Group Policy Object Editor (GPEdit). From Windows Vista and Windows Server 2008 onward they are superseded by XML-based ADMX/ADML files, which can be kept in a central store in SYSVOL.
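Administrative Template settings are registry-based policy, and the GroupPolicy module (installed with GPMC/RSAT on Windows Server 2008 R2 and later) can author them without the console. The script below is an added example, not part of the original page: it does what the desktop-standardization question above asks for in the recommended way (a new GPO linked to the department OU, not an edit of the Default Domain Policy), sets registry-based Administrative Template values, applies the security filtering that the later "user did not receive the GPO" question turns on, and finishes with the backup and restore operations described earlier. The domain corp.example, the Sales OU, the group CORP\Sales Users, the file-server paths and the registry values chosen are assumptions for illustration.

```powershell
# Added example (not from the original page). All names below (domain
# corp.example, OU Sales, group 'CORP\Sales Users', \\fileserver paths) are
# assumptions for illustration. Requires the GroupPolicy module (GPMC/RSAT).

Import-Module GroupPolicy

$GpoName    = 'Sales Desktop Standard'
$TargetOU   = 'OU=Sales,DC=corp,DC=example'
$ApplyGroup = 'CORP\Sales Users'
$BackupPath = '\\fileserver\gpo-backups'

# 1. Create the GPO once and link it to the department OU. Because OU links
#    are processed last (LSDOU), its settings win over conflicting domain GPOs
#    without touching the Default Domain Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Wallpaper and Start menu standard for Sales'
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 2. Registry-based Administrative Template values in the user hive. These
#    are the keys the Desktop and 'Start Menu and Taskbar' templates write.
$sys = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $sys -ValueName 'Wallpaper' `
    -Type String -Value '\\fileserver\public\corp-wallpaper.jpg' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $sys -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null                      # 2 = stretch
Set-GPRegistryValue -Name $GpoName -Key $exp -ValueName 'NoRun' `
    -Type DWord -Value 1 | Out-Null                         # remove Run from Start menu

# 3. Security filtering: only the department group gets 'Apply Group Policy'.
#    Authenticated Users keeps Read (since MS16-072 user settings are fetched
#    in the computer's context, so it needs Read), but loses Apply. A user who
#    is in the OU but not in $ApplyGroup will not receive this GPO; that is the
#    first thing to check when "everyone else in the OU gets it".
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Back the GPO up before further edits; the two ways to bring it back
#    match the console's Restore From Backup (replace) and Import Settings
#    (merge) described in the text.
$backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment "pre-change $(Get-Date -Format s)"
"Backed up '$GpoName' as backup id $($backup.Id)"
# Restore-GPO -Name $GpoName -Path $BackupPath -BackupId $backup.Id       # replace all settings
# Import-GPO  -Path $BackupPath -BackupId $backup.Id -TargetName $GpoName   # merge into the GPO

# 5. Show who can actually apply it now. Anyone not listed here never
#    receives the settings, however correct their OU placement is.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The deliberate choice here is the filtering in step 3. It is what makes one department's GPO safe to link high in the tree if needed, and it is also the most common reason a correctly placed user "does not get" a GPO, so the same script that sets it is a reasonable first diagnostic.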
Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified namespace in GPEdit and presented under the Administrative Templates node for both machine and user policy.

Can I deploy non-MSI software with a GPO?

Yes, by creating a .zap text file that points at the application's setup program. A .zap package can only be published to users (it appears in Add/Remove Programs), not assigned, and the installation runs with the user's own privileges rather than elevated.

Name some GPO settings in the computer and user parts.

Computer Configuration: Account Policies (password and lockout policy), Audit Policy, User Rights Assignment, Security Options, Windows Firewall, Software Installation, startup and shutdown scripts. User Configuration: Folder Redirection, logon and logoff scripts, Start Menu and Taskbar, Desktop, Control Panel restrictions, Software Installation.

A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

Check the GPO's security filtering: the user (or a group he belongs to) needs both Read and Apply Group Policy, and a Deny entry on a group he is in overrides them. Check any WMI filter on the GPO. Check whether a loopback processing policy applies to his computer; in Replace mode the user's own GPOs are ignored and only the computer's user settings apply. Run gpresult /r (or RSoP) on his machine to see which GPOs were applied and which were filtered out, and check the computer's event logs; event ID 1085 means a client-side extension failed to process the policy and a patch plus a reboot may be needed.

How can I override blocking of inheritance?

Set the GPO link to Enforced (called No Override before GPMC) at the higher level; an enforced link is applied even through a container that blocks inheritance.

What can I do to prevent inheritance from above?

Set Block Inheritance on the OU (or domain). Enforced links from above still apply.

Name a few benefits of using GPMC.

One console for all domains and forests; backup, restore, import and copy of GPOs; HTML reports of GPO settings; security filtering and WMI filters in one place; Group Policy Modeling and Results (RSoP); scripting through the GPMC interfaces (and the GroupPolicy PowerShell module on 2008 R2 and later).

How frequently is client policy refreshed?

Every 90 minutes with a random offset of up to 30 minutes on workstations and member servers; every 5 minutes on domain controllers. Security settings are also reapplied every 16 hours even if the GPO has not changed.

Where is secedit?

secedit /refreshpolicy has been replaced by gpupdate since Windows XP and Windows Server 2003.

What can be restricted on Windows Server 2003 that wasn't there in previous products?

Group Policy in Windows Server 2003 controls a user's right to modify network and dial-up TCP/IP properties. Users can be selectively prevented from changing their IP address and other network configuration parameters.

You want to create a new group policy but do not wish to inherit.

Block Inheritance is a property of the container, not of the GPO: set it on the OU (or domain) to which you link the new policy. Enforced policies from higher levels still apply.

How do the Group Policy No Override and Block Inheritance options work?

Group Policies can be applied at multiple levels (sites, domains, organizational units) with multiple GPOs at each level. Some policy settings will conflict, hence the application order Site - Domain - Organizational Unit and the link order within each level. You may want to force some policies never to be overridden (No Override) and some containers not to inherit settings from a parent (Block Inheritance).

No Override prevents child containers from overriding policies set at higher levels. Block Inheritance stops a container inheriting policies from its parent containers. No Override takes precedence over Block Inheritance: if a child container has Block Inheritance set but a GPO on the parent is set to No Override, that GPO is still applied. Where several No Override policies conflict, the one set highest in the hierarchy wins.

To block inheritance:
1. Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers).
2. Right-click the container you wish to stop inheriting settings from its parent and select Properties.
3. Select the Group Policy tab.
4. Check Block Policy inheritance.
5. Click Apply, then OK.

To set a policy to never be overridden:
1. Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers).
2. Right-click the container where the Group Policy is linked and select Properties.
3. Select the Group Policy tab, select the policy and click Options.
4. Check No Override and click OK.
5. Click Apply, then OK.

L2 Interview Question for Windows

1) What is the difference between Win NT and Win 2000?
Ans:

Win NT                                      | Win 2000
--------------------------------------------|--------------------------------------------
No Active Directory                         | Active Directory
PDC writable; BDCs hold a read-only copy    | All DCs hold a writable copy (multi-master)
Database in SAM (recommended limit ~40 MB)  | Database in NTDS.DIT (no fixed limit)
No Remote Installation Services (RIS)       | RIS supported

2) What is the difference between Win 2000 and Win 2003?
Ans:

Win 2000                                     | Win 2003
---------------------------------------------|-----------------------------------------------------------
Domain cannot be renamed                     | Domain rename supported (rendom, 2003 forest functional level)
No stub zones or conditional forwarders      | Stub zones and conditional forwarders in DNS
No forest trusts                             | Forest trusts between Windows Server 2003 forests
No application directory partitions          | Application directory partitions (e.g. DomainDnsZones, ForestDnsZones)

3) What are the versions in Win 2000?
Ans: Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server.

4) What are the versions in Win 2003?
Ans: Web Edition, Standard Edition, Enterprise Edition and Datacenter Edition.

5) How much RAM and how many processors are supported by the Win 2000 versions?
Ans: Server: 4 GB RAM, 4 processors. Advanced Server: 8 GB RAM, 8 processors. Datacenter Server: 64 GB RAM, 32 processors.

6) How much RAM and how many processors are supported by the Win 2003 versions?
Ans: Web: 2 GB, 2 processors. Standard: 4 GB, 4 processors. Enterprise: 32 GB, 8 processors. Datacenter: 64 GB, 32 processors.

7) What is the difference between Win 2000 Server and Advanced Server?
Ans: Advanced Server adds Network Load Balancing and clustering (and the higher RAM and processor limits above).

8) Can I rename a Win 2003 DC?
Ans: Yes. With the domain at Windows Server 2003 functional level, use netdom computername to add the new name, make it primary, then remove the old name. Renaming the domain itself is done with rendom (the Domain Rename Tools), which requires the Windows Server 2003 forest functional level.
Netdom is in the Support Tools on the Windows Server 2003 CD-ROM; rendom is a separate download for Windows Server 2003.

9) What is privileged mode?
Ans: Kernel mode: a protected memory space allocated to the Windows 2000 kernel that cannot be directly accessed by user-mode applications.

10) In Win 2000, what are the partition size and file size limits of FAT16?
Ans: 4 GB partition (64 KB clusters, readable only by Windows NT-based systems) and 2 GB file size.

11) In Win 2000, what are the partition size and file size limits of FAT32?
Ans: Windows 2000 can format FAT32 volumes up to 32 GB and mount volumes up to 2 TB; the maximum file size is 4 GB.

12) In Win 2000, what are the partition size and file size limits of NTFS?
Ans: 2 TB partition size (MBR disks); the file size limit is theoretically 16 exabytes.

13) What is the difference between FAT and NTFS?
Ans: FAT has no file or folder permissions (ACLs), no auditing, no compression, no encryption (EFS), no quotas and no journaling; NTFS provides all of these. On FAT, anyone who can log on to the machine can read every file.

14) What is the difference between Windows 98 and Windows XP?
Ans:

Windows 98                                 | Windows XP
-------------------------------------------|-------------------------------------------
FAT16 and FAT32                            | FAT16, FAT32 and NTFS
No disk quotas                             | Disk quotas (NTFS)
Disk compression only (DriveSpace)         | Per-file compression and EFS encryption (NTFS)
No Remote Assistance or Remote Desktop     | Remote Assistance and Remote Desktop

15) What is System Restore?
16) What is the difference between a basic disk and a dynamic disk?
17) Can you convert dynamic to basic?
18) What is the difference between System Restore and Last Known Good Configuration?
19) What is the difference between Remote Assistance and Remote Desktop?
20) What is the difference between IPv4 and IPv6?
21) What is the difference between a router and a switch?
22) What is the difference between a switch and a hub?
23) At which layer does a hub work?
24) At which layer does a switch work?
25) At which layer does a router work?
26) Describe all layers.
27) What are the port numbers of FTP, SMTP, Telnet, DNS, DHCP, POP3, TFTP and SNTP?

PROFILES

1) What is a profile?
Ans: Windows maintains a group of settings for each individual user that logs on to the system.
This group setting is known as a user 'profile'.
2) Where are the documents and settings for the roaming profile stored?
Ans: All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
3) What are roaming and mandatory profiles?
Ans: Roaming user profile: a user profile that is copied to a network server so that it can be downloaded to each workstation where the user logs on.
Mandatory profile: a user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes that the user makes to the profile are not saved.
Active directory:
1) What is an organizational unit?
Ans: OUs are additional container objects that can store users, computers, groups and other OUs.
2) What is the use of organizational units?
Ans: Uses:
1) To control replication traffic
2) To make authentication faster and more efficient
3) To locate the nearest server providing directory-enabled services
3) What is Active Directory?
Ans: Active Directory is a centralized hierarchical directory database and a directory service which contains information about all user accounts and shared resources on a network.
4) What are the main roles in Active Directory?
Ans: FSMO stands for Flexible Single Master Operations:
1) Domain naming master
2) Schema master
3) PDC emulator
4) RID master
5) Infrastructure master
5) What is the location and file system type where the Active Directory information is installed?
Ans: On an NTFS partition: c:\windows\ntds.dit and c:\windows\sysvol.
6) For the replication between DC and ADC some files are used; what is the location of that directory?
Ans: c:\windows\sysvol.
7) What is Kerberos?
Ans: This protocol is an Internet standard authentication protocol that provides a higher
level of security. It is more efficient than Windows NT LAN Manager.
8) What is Windows NT LAN Manager (NTLM)?
Ans: This protocol enables users of Win 95, Win 98 and Win NT client computers to be authenticated to Win 2000 domains. This protocol is only available when Win 2000 Active Directory is configured to operate in mixed mode.
9) Which protocol plays the security role for authentication in 2000 and 2003?
Ans: Kerberos
10) What is the version of Kerberos in the 2003 OS?
Ans: Kerberos v 5.5
11) What is the protocol used by Active Directory to perform its functions?
Ans: LDAP: Lightweight Directory Access Protocol, based on TCP/IP.
12) What is the command which displays the DC, ADC and member servers?
Ans: Net accounts.
13) What is the command to make a server into a domain controller in Win 2000 and 2003?
Ans: DCPROMO
14) What type of backup is used to back up Active Directory?
Ans: System state data backup.
15) What command line utility is used on Windows 2000 Server domain controllers before they are upgraded to Win 2003 domain controllers?
Ans:
1) adprep /forestprep (This command must be issued on the Win 2000 Server holding the schema master role in the forest root domain, to prepare the existing schema to support Win 2003 AD.)
2) adprep /domainprep (Infrastructure master to be deployed on Win 2003 Server.)
Note: the adprep tool is in the i386 directory of the Win 2003 CD-ROM.
POLICIES:
1) What is group policy?
Ans:
2) Does Win NT support group policy?
Ans: No, it supports only system policy.
3) What is system policy?
4) What is the difference between system policy and group policy?
5) What is the policy order?
Ans: Local group policy - Site level policy - Domain level policy - Organizational unit level policy
6) Is group policy applicable for Win 98, Win 95 and Win NT workstations?
Ans: No, only system policy is applicable.
7) In Win NT, where are policies stored?
Ans: NTCONFIG.POL
8) Suppose your server is Win 2000 and the clients are Win 98 and Win 95; which policy is applicable?
And where is it stored?
Ans: System policy, and the policies are stored in CONFIG.POL
9) In Win 2000, after assigning policies, which command is used to update the policies?
Ans: secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
10) In Win 2003, after assigning policies, which command is used to update the policies?
Ans: GPUPDATE
11) What is the order in which group policy is applied?
Ans: Local - Site level - Domain level - Organizational unit
BACKUP:
1) What is user data?
2) What is system state data?
3) What are the three primary tasks you can perform using Backup?
4) What is an emergency repair disk?
5) Who can take a backup?
6) What are the 2 types of restore you can perform on Active Directory?
Ans: Authoritative, non-authoritative.
7) List 3 Win2k tools used to recover from a system failure.
8) What is the tool used to create an ERD?
Ans: The Backup programme.
9) Which type of backup reduces the time taken to back up daily?
Ans: Incremental backup takes the least amount of time.
10) Which Win2k tool is used to restore user data on a DC?
Ans: Backup.
11) What is the command used to add the Recovery Console to the boot loader menu?
Ans: winnt32 /cmdcons
12) What command is used to perform an authoritative restore before booting?
Ans: ntdsutil, then:
authoritative restore
restore database
restore subtree
13) In which mode do you restore system state data or the Active Directory database?
Ans: Directory Services Restore Mode.
14) What is the extension used for a backup file?
Ans: .bkf
15) Name 5 standard types of backups.
Ans: Normal, daily, incremental, differential, copy.
16) Is it possible to back up and restore data on a network drive?
Ans: Yes, it is possible.
17) Is it possible to restore system state data on networked PCs?
Ans: No, it is not possible.
18) What is non-authoritative?
Ans: ?
19) What is a normal backup?
Ans: It is a full and complete backup used to back up all selected files and folders.
It removes the archive bit from backed up files and folders.
20) What is a copy backup?
Ans: A copy backup backs up all selected files and folders, but it does not remove or otherwise affect the archive bit.
21) What is incremental?
Ans: It is used to back up all selected files and folders that have changed since the last normal backup or incremental backup. It removes the archive bit from the backed up files and folders. It is not cumulative. It takes less time to back up; multiple backup sets are required at the time of restore.
22) What is a differential backup?
Ans: It backs up all selected files and folders that have changed since the last normal backup. It does not remove the archive bit. It is a cumulative backup. It takes more time to back up; the last backup set is used to restore.
23) What is a daily backup?
Ans: A daily backup backs up all selected files and folders that have changed during the day the backup is made.
24) Backup utility advanced mode features?
Ans:
1) Backup wizard
2) Restore wizard
3) ERD
25) Backup wizard:
Back up everything.
Back up selected files, drives.
Only back up system state data.
26) What is non-authoritative?
Tape drives & Models
HP DDS3 DAT tape drive, model C1537: SCSI internal, 50 pin, capacity 12/24 GB
HP DDS3 DAT tape drive, model C1537E: SCSI external, 50 pin, capacity 12/24 GB
Print Management & Administration
1) What is a printer in Win2k terminology?
Ans: It is the software interface between the Win 2k OS and the device that produces the printed output.
2) Which Win2k printing term is defined as a printer that has multiple ports and multiple print devices assigned to it?
Ans: Printer pool
3) Name 3 printer permissions.
Ans: Print, Manage Documents, Manage Printers
4) What is EMF?
5) Print process:
Ans:
User starts the print process using an application (e.g. MS Word).
Print job (data and commands to print a document).
Graphical user interface: request to drivers.
Driver converts the file into EMF or RAW.
Back again into GDI.
Win 2k spooler determines local or network.
Local: local printer provider, print processor, print monitor; communicates directly with the print device.
Network: network provider, HDD spooler, print processor, print monitor, print device.
6) What is the print spooler?
Ans: The print spooler is a temporary storage area for print jobs waiting to be sent to a print device: %SystemRoot%\system32\spool\printers
7) Who can add printers and manage printers?
Ans: Administrators or Power Users (built-in).
8) Adding a printer on a remote computer
Ans: Start Windows Explorer > click My Network Places > Entire Network > domain or workgroup > select computer > highlight the Printers folder > double-click the Printers folder.
9) Adding printers to a printer pool
Ans: Ports 1) LPT1 2) LPT2 3) LPT3; enable printer pooling.
10) Printer priorities?
Ans: 99 highest for managers, 1 lowest for employees.
Note: if managers and employees send print jobs to the same print device you can set priorities.
11) Print permissions are:
Print: send only print jobs to the printer.
Manage Documents: resume, restart and delete print jobs.
Manage Printers: perform all tasks; also share printers, change spooler settings and assign printer permissions.
12) What is a printer?
Ans: A printer is software which acts as an interface between the print device and the operating system.
13) What is a print device?
Ans: A print device is a hardware component which is attached to the system to print documents.
14) What is a local print device?
Ans: A print device which is attached to the local system.
15) What is a network print device?
Ans: A print device which is on the network.
16) What is a print server?
Ans: The computer responsible for managing the print queues for a group of printers.
17) What is a print queue?
Ans: The collection of print jobs waiting to be printed by a specific printer.
DHCP (Dynamic Host Configuration Protocol), port 67
1) What is DHCP?
Ans: DHCP is a TCP/IP protocol that provides a way to dynamically allocate IP addresses to computers on the network.
2) Advantages of DHCP?
Ans: Centrally manages IP address allocation
Helps prevent address conflicts
Reduces administrative
effort
Helps conserve IP addresses
3) What is a scope?
Ans: It is a range of IP addresses which is assigned to computers requesting a dynamic IP address.
4) What is authorization?
Ans: It is a security precaution that ensures that only authorized DHCP servers can run in the network, to avoid computers running illegal DHCP servers in the network.
5) We've installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases off of it.
Ans: The server must be authorized first with Active Directory.
6) How can you force the client to give up the DHCP lease if you have access to the client PC?
Ans: ipconfig /release
7) Cannot find DHCP server
Ans: Cause: the DHCP service is stopped or disabled.
8) How to restore or move a DHCP into another computer
Ans: The DHCP database is contained in the Dhcp.mdb file located in the %SystemRoot%\System32\Dhcp folder. The DHCP server uses this file to record and store information concerning active leases and reservations. After you install a new DHCP, you can copy Dhcp.mdb into the above mentioned location.
9) Describe how the DHCP lease is obtained. It's a four-step process consisting of?
Ans: (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
10) What is a super scope?
Ans: The super scope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
11) What is a multicast scope?
Ans: The multicast scope contains a range of class D multicast IP addresses, and is used to assign these addresses to client computers that request them.
12) What is the difference between scope and super scope?
Ans: A scope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on a single subnet,
whereas the super scope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
13) What is BOOTP?
14) What is the range of a multicast scope?
Ans: Only the IP address range from 224.0.0.0 to 239.255.255.255.
DNS (Domain Naming Service), port 53
What is the difference between WINS and DNS?
Ans: WINS resolves NetBIOS names to IP addresses, whereas DNS resolves host names to IP addresses.
1) List the types of DNS servers.
Ans: Standard primary, standard secondary, Active Directory integrated zone, root.
4) What is the primary purpose of DNS?
Ans: For host resolution.
5) What is start of authority?
Ans: It contains the serial number, which indicates the modifications done to the zone.
6) What is Dynamic DNS?
Ans: Dynamically updates the service records.
7) What is the maximum character size of DNS?
Ans: 63
What is the maximum character size of WINS?
9) What is a zone or zone file?
Ans: A zone is a database for either a DNS domain or for a DNS domain and one or more of its subdomains. This storage database is a special text file called a zone or zone file.
11) Why are multiple DNS servers created for the same zone?
Ans: Load balancing, fault tolerance.
12) What is a caching only server?
Ans: A caching only server does not store any zones. It resolves host names to IP addresses for client computers and stores the resulting mapping information in its cache.
This DNS server provides the cached information to the client computer without contacting other DNS servers to resolve the query. It is the temporary storage of zone information.
13) What is zone transfer?
Ans: The process of copying a zone to a standard DNS server is called zone transfer.
14) What is a master DNS server?
Ans: The DNS server that contains the master copy of the zone information is called the master DNS server.
15) What are forwarders?
Ans: The queries of one server are forwarded to another DNS server, which acts as a forwarder for internal name resolution.
17) Which protocol is supported by the DNS server?
Ans: Dynamic Update protocol.
18) What are the four service records?
Ans: _msdcs, _sites, _tcp, _udp
19) What are the six service records in Win 2003?
Ans: _msdcs (Microsoft domain controller service): contains the information about which domain controller is hosting the zone.
_sites: in which site the zone has been configured.
_tcp and _udp: these are the two protocols that are responsible for communicating with Active Directory.
DomainDnsZones and ForestDnsZones: in which domain and forest DNS has been configured.
19) What is a resource record?
Ans: The entries in a zone are called resource records. An entry may be a host name to IP address mapping entry.
20) What is the primary thing you have to do on a DNS server before it starts resolution of host names?
21) When will you configure a root DNS server?
Ans: A root server should be used only when a network is not connected to the Internet, or when a network is connected to the Internet by using a proxy server.
22) What is a forward lookup zone?
Ans: Resolves host names to IP addresses.
23) What is a reverse lookup zone?
Ans: Resolves IP addresses to host names.
24) What is a standard primary zone?
Ans: A standard primary DNS server stores DNS entries (IP address to host mappings and other DNS resource records) in a zone file that is maintained on the server. The primary server maintains the master copy of the zone file.
When changes need to be made to the zone, they should be made only on the standard primary server.
25) What is a standard secondary zone?
Ans: A standard secondary DNS server stores copies of zones from the standard primary.
26) What is a root server?
Ans: A root server contains a copy of a zone for the root domain, either the root domain for the Internet or the root domain for a company's private, internal network. The purpose of the root server is to enable other DNS servers on a network to access the second-level domains on the Internet.
Note: A root server should be used only when a network is not connected to the Internet, or when a network is connected to the Internet by using a proxy server.
27) What is round robin?
Ans: Round robin is used when multiple servers (such as web servers) have identical configurations and identical host names, but different IP addresses.
28) Can you configure a root server to use a forwarder?
Ans: No.
29) What are root hints?
Ans: Root hints are server name and IP address combinations that point to the root servers located either on the Internet or on your organization's private network. The Root Hints tab contains the list of DNS servers that can be contacted to resolve client DNS queries. It maintains the information of all 13 root servers.
32) What is an Active Directory integrated zone?
Ans: An Active Directory integrated DNS server is just like a standard primary except that DNS entries are stored in the Active Directory data store rather than in a zone file. Active Directory supports multi-master replication: when changes need to be made to the zone,
they can be made on any Active Directory-integrated DNS server that contains the zone.
33) What is a simple query?
Ans: A simple query is a query that the DNS server can resolve without contacting any other DNS servers.
34) What is a recursive query?
Ans: A recursive query is a query that the server can't resolve by itself; it must contact one or more additional DNS servers to resolve the query.
35) What is scavenging?
Ans: Scavenging is the process of searching for and deleting stale resource records in a zone.
PTR: pointer resource record
SRV: service locator resource record
36) What is SRV?
Ans: Used to map a specific service (TCP/IP) to a list of servers that provide that service.
37) What is CNAME?
Ans: Alias resource record, used to map an additional host name to the actual name of the host.
38) What is a stub zone in 2003?
Ans: A stub zone contains the information of the name server and start of authority. It gives the information in which system, in which server, in which domain DNS has been configured.
The properties of DNS in the Advanced tab
Disable recursion (also disables forwarders): by default this option is unchecked, meaning that recursion is present.
BIND secondaries: BIND is responsible for the zone transfers between the primary and secondary (replication between primary and secondary).
Fail on load if bad zone data: this option is unchecked, meaning that even if the zone contains some errors it will be loaded; if it is checked, the zone will not be loaded.
Enable round robin: if the same zone is present in the same subnet, the query will be passed on in round robin fashion until it gets resolved.
Enable netmask ordering: this option is utilized for a DNS server maintained on a multihomed PC (a PC having multiple NIC cards) and resolving the queries of clients on different subnets.
>What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC.
The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
The following attributes have been added to the Active Directory schema to expedite the functionality that is required for RODC caching operations:
msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.
>How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site.
This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC) and if the PRP has not been changed.
In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.
>Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other.
If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user's credentials cached, then the logon attempt will fail.
>What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
Password changes
Attempts to join a computer to a domain
Computer rename
Authentication attempts for accounts whose credentials are not cached on the RODC
Group Policy updates that an administrator might attempt by running the gpupdate /force command
>What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
Authentication and logon attempts, if the credentials for the resource and the requester are already cached.
Local RODC server administration performed by a delegated RODC server administrator.
>Will RODC support my Active Directory-integrated application?
Yes, RODC supports an Active Directory-integrated application if the application conforms to the following rules:
If the application performs write operations, it must support referrals (enabled by default on clients).
The application must tolerate write outages when the hub is offline.
>Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains.
If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain all of the credentials or attributes that are defined in the RODC filtered attribute set.
>Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.
>Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:
repadmin /showattr <WritableDcName> <distinguished name of the domain partition> /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink
>How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site. The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update.
The client can then perform its update. If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.
>Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
All the sites that contain domain controllers
The directory partitions that each domain controller holds
The cost that is associated with the site links to build a least-cost spanning tree
The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS-DSA category, the objectcategory attribute value of the NTDS Settings object. The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new objectcategory value named NTDS-DSA-RO. As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects.
This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.
>How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations. Both the KCC and the replication engine are special "writers" on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations on the objects that are required to perform Active Directory replication, such as connection objects.
>Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly. In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content. However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed. Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC.
The FRS connection objects are not required by DFS Replication.
>How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection. The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC.
A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design: it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.
>How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writable domain controllers because they are not replicated from the RODC. You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection.
This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.
>How can an administrator trigger replication to an RODC?
You can use the following methods:
By running the repadmin /replicate or repadmin /syncall operations.
By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
You can use Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.
>How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instancetype. This is a bit mask. If bit 3 (0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read-only.
>Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it sends all secrets, regardless of whether they are permitted.
>How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS-DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003.
A value of 3 indicates that it is running Windows Server?2008.>Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.>What actually happens when you add a user to an Administrator Role Separation role?The configuration adds entries to the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\lsa\rodcrolesName: 544Data type: REG_MULTI_SZValue: S-1-5-21-760266474-1386482297-4237089879-1107The role is denoted by the entry name—544, for example, is the well known RID for the builtin\administrators group. Then, each value represents the security identifier (SID) of a user who has been assigned to the role.>How can an administrator determine the closest site for any given site?Look at the site link costs that appear in Active Directory Sites and Services.-or-After an RODC is installed successfully in an Active Directory site, run the?nltest?command against the RODC.The following example shows the command and the results:C:\>nltest /dsgetdc:rodc /server:rodc-dc-02 /try_next_closest_site /avoidselfDC: \\HUB-DC-01Address: \\2001:4898:28:4:5e1:903a:7987:eea5Dom Guid: 00e80237-c5ce-4143-b0b8-cfa5c83a5654Dom Name: RODCForest Name: rodc.nttest.Dc Site Name: HubFlags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRETThe command completed successfully.>Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site??If your user account password cannot be replicated to the RODC in your site or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT.The process that updates the environment variables uses the hub domain 
controller as the logon server for the environment variable. The %logonserver% environment variable is?not?updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.>Password changes are not always “chained” by an RODC. Why?Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user’s password expiring and when the user is prompted to change it at logon, do not specifically require a writable domain controller.>How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?The RODC does a bind and calls the “replicate single object” application programming interface (API). The binding handle shows that it is an RODC account.>Why does an RODC replicate in a cached password both by RSO operation and normal replication?When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high-water mark are not updated. As a result, the object is replicated to the branch site again at a later time.>Does an RODC perform password validation forwarding even when it has a password for a user?Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server?2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. 
If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.

> Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.

> What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699. The details for event ID 1699 include:
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: RODC\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition.
As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition: CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address: c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.
Extended request code: 7
Additional Data
Error value: 8453 Replication access was denied.

A successful logon logs event ID 4768 on the hub domain controller and on the RODC. The details of event ID 4768 on the hub domain controller include the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: hub-dc-01.rodc.nttest.
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
User ID: S-1-5-21-3503915162-2421288034-2003080229-1128
Service Name: krbtgt
Service ID: S-1-5-21-3503915162-2421288034-2003080229-502
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:4898:28:4:6182:4acd:65c9:283a
Client Port: 55763
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
At the default Event log settings, no replication event shows that the password has replicated to the RODC.

DHCP : Dynamic Host Configuration Protocol

Hi Friends,
Let's support our organizations using a simple way of IP management. DHCP stands for Dynamic Host Configuration Protocol.
Dynamic = Automatic
Host Configuration = Basic network configuration
Protocol = Rules which need to be followed to make this happen.
DHCP is an application which is installed either on a Windows Server operating system or on a UNIX OS to serve an enterprise in the aspect of IP configuration and management. Its main goal is to provide and configure the client computers with a specific IP configuration to enable identification and communication in the network. Prior to DHCP another protocol was used, called BOOTP.
BOOTP (Boot Protocol) has only one feature, which is reservation. So administrators who worked with BOOTP needed to collect all the MAC addresses and write them down in a notepad to enable the use of BOOTP. After writing down all the MAC addresses, the same had to be added to the BOOTP table with the corresponding IP addresses. That makes a lot of work for administrators: even though it is an automated process, admins need to work a lot to get the MAC addresses of all the machines in the network. Later it gained a lot of improvements to serve the network and became DHCP.

How to install and configure DHCP?
It is a very simple and straightforward process. First you need to install the application from Add/Remove Windows Components. After installing, you will have a console in Administrative Tools. Instead of giving a lot of steps, I will post a simple video of 7 minutes; just watch it for a better understanding of this concept.
Video Link
Now you are ready with your DHCP server installed and configured, so let's talk about why and how it is used. As I said previously, it is used for automatic assignment of IP addresses to client computers which are in the same network as the DHCP server. This is the way it will be used. Whenever a computer is powered on, it checks its own network configuration; if it is configured with a manual IP address, the machine broadcasts a message that it was powered on. If it is configured to get the IP automatically, then the machine broadcasts a message in search of a DHCP server. Then the process starts. It is simply called the "DORA" process.
D = Discovery - Request for discovering a DHCP server from the client machine.
O = Offer - The respective DHCP server offers the IP configuration.
R = Received - The client receives the IP configuration.
A = Acknowledgement - The client acknowledges that it has received the IP configuration.
Once the client gets the IP configuration, it then broadcasts another message to all other clients in the network with its identity.

Interview Questions related to DHCP
1. Explain the DORA process.
2. What is an exclusion range and reservation?
An exclusion range is a range of IP addresses which needs to be excluded from the DHCP scope, so that these IPs are never assigned automatically. A reservation is an IP address that will be reserved for a server every time it boots up, and it is done using the MAC address of that server. Before configuring reservations, we need to exclude them from the DHCP scope.
3. How do you configure the AD server, DNS server, IIS server and FTP server using the DHCP server?
Using reservations only, so that every time the same address will be assigned to the server. If you take a DNS server, it should have the same IP all the time, because it is responsible for name resolution in that network. If the IP address changed every time, it would be very difficult for the clients which are requesting name resolution. That is the reason it should have the same IP all the time; we can do that automatically using reservations.
4. What is a DHCP relay agent?
A DHCP relay agent is an option configured on the DHCP server which enables client machine requests to go through the routers. That means, if the DHCP server is in one network and the client is in another network, these networks are connected by routers. By default the routers will never allow the DHCP packets through them; by configuring this option, these requests will pass between the two networks.

DHCP Server - Core Interview Questions and Answers
Define the DHCP process.
DHCP Discovery: The client broadcasts on the local physical subnet to find available servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server on a different subnet.
This client implementation creates a UDP packet with the broadcast destination of 255.255.255.255 or the subnet broadcast address, and also requests its last-known IP address (in the example below, 192.168.1.100), although the server may ignore this optional parameter.
...
DHCP Offer: When a DHCP server receives an IP lease request from a client, it extends an IP lease offer. This is done by reserving an IP address for the client and broadcasting a DHCPOFFER message across the network. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer. The server determines the configuration based on the client's hardware address as specified in the CHADDR field. Here the server, 192.168.1.1, specifies the IP address in the YIADDR field.
DHCP Request: Whenever a computer comes online, it checks to see if it currently has an IP address leased. If it does not, it requests a lease from a DHCP server. Because the client computer does not know the address of a DHCP server, it uses 0.0.0.0 as its own IP address and 255.255.255.255 as the destination address. Doing so allows the client to broadcast a DHCPDISCOVER message across the network. Such a message consists of the client computer's Media Access Control (MAC) address (the hardware address built into the network card) and its NetBIOS name. The client selects a configuration out of the DHCP "Offer" packets it has received and broadcasts it on the local subnet. Again, this client requests the 192.168.1.100 address that the server specified. In case the client has received multiple offers, it specifies the server from which it has accepted the offer.
DHCP Acknowledgement: When the DHCP server receives the DHCPREQUEST message from the client, it initiates the final phase of the configuration process. This acknowledgement phase involves sending a DHCPACK packet to the client.
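The DORA exchange described above (both the short D/O/R/A summary and the Discovery/Offer/Request/Acknowledgement walk-through), carried out in memory with the client's and the server's packets, as an added example in Python; it is not code from the original page. The MAC address, transaction id and the 192.168.1.0/24 values are constructed; the server only acknowledges a REQUEST whose server-identifier option (54) names it and whose requested address (option 50) matches its offer, which is how a client commits to one of several offers.

```python
import struct
import ipaddress

# RFC 2131 constants (added example; the 192.168.1.x values mirror the page's walk-through)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
TYPE_NAMES = {DISCOVER: "DHCPDISCOVER", OFFER: "DHCPOFFER",
              REQUEST: "DHCPREQUEST", ACK: "DHCPACK"}


def ip_bytes(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def build_packet(op, xid, chaddr, options, ciaddr="0.0.0.0",
                 yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Serialise the 236-byte BOOTP header, the magic cookie and TLV options.
    chaddr is the 6-byte client MAC (CHADDR); options is a list of (code, bytes)."""
    # op, htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast bit
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    header += ip_bytes(ciaddr) + ip_bytes(yiaddr) + ip_bytes(siaddr) + ip_bytes("0.0.0.0")
    header += chaddr.ljust(16, b"\x00")     # CHADDR is a 16-byte field
    header += bytes(64) + bytes(128)        # sname and file, unused here
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_packet(data):
    """Decode the fields the DORA description names: ciaddr, yiaddr, siaddr,
    chaddr and the option 53 message type; other options are kept raw."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    ciaddr, yiaddr, siaddr = (str(ipaddress.IPv4Address(data[o:o + 4])) for o in (12, 16, 20))
    chaddr = data[28:28 + hlen]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(data) and data[i] != 0xFF:       # 0xFF = end option
        if data[i] == 0:                           # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "chaddr": chaddr.hex(":"), "type": TYPE_NAMES.get(msg_type, msg_type),
            "options": options}


def server_respond(req, pool_ip="192.168.1.100", server_ip="192.168.1.1", lease=86400):
    """Server side: answer DISCOVER with OFFER, and REQUEST with ACK only when the
    REQUEST names this server (option 54) and the address it offered (option 50)."""
    chaddr = bytes.fromhex(req["chaddr"].replace(":", ""))
    common = [(1, ip_bytes("255.255.255.0")),     # subnet mask
              (3, ip_bytes(server_ip)),           # router
              (51, struct.pack("!I", lease)),     # lease time in seconds
              (54, ip_bytes(server_ip))]          # server identifier
    if req["type"] == "DHCPDISCOVER":
        return build_packet(BOOTREPLY, req["xid"], chaddr, [(53, bytes([OFFER]))] + common,
                            yiaddr=pool_ip, siaddr=server_ip)
    if req["type"] == "DHCPREQUEST":
        opts = req["options"]
        if opts.get(54) != ip_bytes(server_ip) or opts.get(50) != ip_bytes(pool_ip):
            return None       # client chose another server's offer: stay silent
        return build_packet(BOOTREPLY, req["xid"], chaddr, [(53, bytes([ACK]))] + common,
                            yiaddr=pool_ip, siaddr=server_ip)
    return None


def dora_exchange(mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Client side, run in memory: DISCOVER -> OFFER -> REQUEST -> ACK.
    Returns the four parsed packets in order (constructed MAC and xid)."""
    discover = build_packet(BOOTREQUEST, xid, mac, [
        (53, bytes([DISCOVER])),
        (50, ip_bytes("192.168.1.100")),     # last-known address, server may ignore
        (55, bytes([1, 3, 51, 54]))])        # parameter request list
    offer = server_respond(parse_packet(discover))
    chosen = parse_packet(offer)
    request = build_packet(BOOTREQUEST, xid, mac, [
        (53, bytes([REQUEST])),
        (50, ip_bytes(chosen["yiaddr"])),    # the address the server put in YIADDR
        (54, chosen["options"][54])])        # the server whose offer we accept
    ack = server_respond(parse_packet(request))
    return [parse_packet(p) for p in (discover, offer, request, ack)]


if __name__ == "__main__":
    for pkt in dora_exchange():
        print(pkt["type"], "ciaddr", pkt["ciaddr"], "yiaddr", pkt["yiaddr"],
              "siaddr", pkt["siaddr"], "chaddr", pkt["chaddr"])
```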
The DHCPACK packet includes the lease duration and any other configuration information that the client might have requested. At this point, the TCP/IP configuration process is complete. The server acknowledges the request and sends the acknowledgement to the client. The system as a whole expects the client to configure its network interface with the supplied options.

What is DNS?
DNS stands for Domain Naming Server; it is a standard for naming domains in any operational environment (Windows, Linux, Solaris, any environment). It is a server which contains a database of all the domains and all the servers which are associated with those domains.

Why is it used?
It is a service dedicated to identifying all the machines (domains and member servers) in a network. To make this possible, every machine has to be registered in the authoritative DNS server of that network. That means every operational network should have a dedicated DNS server to enable identification and communication between the machines.

How does it work?
As I said, it is dedicated to identification, in technical words "name resolution". Every machine in a network has a dedicated IP address and hostname as its identity. Whenever a machine tries to communicate with another machine on the network, it should first identify the second machine; that means it should know the IP address of that particular machine. After knowing the identity (i.e. the IP address), it will directly communicate with the second machine. So to speak, a machine should know the IP address of the other machine with which it is going to communicate before it starts. Another question: why are hostnames used, if the machine already has an identity in terms of an IP address? A hostname is an English word which is useful for human remembrance. It is impossible for a human being to remember lots of IP addresses, but it is possible to remember English names of the same hosts (as we generally configure the hostnames with an employee name, department name, location name, etc.). For example, we can remember a site's name but not its IP address, because we do not have only one website on the internet. To sum up, hostnames and IP addresses are both used for identification and communication between two machines in a network. But machines are only able to communicate with IP addresses, which are impossible for humans to remember (keep in mind that machines never communicate with hostnames). To solve this situation DNS was implemented. It basically contains a database of host records in a network. A host record contains "Hostname : IP address"; see the image below for a better understanding. Our internet is purely dependent on DNS: when we access a particular website we give its English name, and when we press ENTER the machine immediately starts finding the IP address of the website using the DNS server configured on it. I will explain the name resolution process in detail. One more thing about DNS: it is the largest database on the internet, and it changes every second. If this database went down by chance, we would have to remember all the IP addresses to access the internet. Hahaha, it will not happen, because we have so many backup solutions already implemented.

How does the name resolution take place?
I will explain this concept with the internet as an example. Before that I want you to check some settings on your machine. Check the TCP/IP properties and see whether a DNS server is configured or not. If you see the "obtain automatically" option, open a command prompt, type "ipconfig /all" and press Enter. You will get the DNS server information along with your machine's IP address. Now let's talk about the scenario. When you try to open a website, what happens next? How does your machine get the IP address of the website? Here it goes:
1. The request is sent to the DNS server which is configured on your machine.
2. The DNS server checks for the host record of the site in its database; if it contains a record for it, it will directly send a response with the IP address. Otherwise it starts requesting another DNS server.
3. Before it goes to another DNS server, how does it identify which DNS server is responsible for this request? It checks the entire hostname (called the FQDN: Fully Qualified Domain Name), i.e. in Google's case the full name of the site (note that the FQDN ends with a period, and this period is called the root domain).
4. Every DNS server contains a root hints file associated with it, and the same will be used to identify the responsible DNS server. The root hints file contains the master DNS servers' information. Here you go, it looks like this. These are the master DNS servers for the .com, .net, .edu, .org domains etc.
5. So in your case, the domain is .com; the DNS server sends the request to the .com master DNS server (for example, assume it is 198.41.0.4). The .com master DNS server contains name server records for all machines ending with .com. That means it definitely contains the DNS server IP address for that domain. In the same way it contains all .com servers, and so on.
6. It does not contain the IP address of the host; it contains the DNS server IP of the domain.
7. So then the request is forwarded to that domain's DNS server; in that server you will have a host record with the name www and its IP address. Finally you reached it. With the found IP address, the request comes back as a response in the same reverse way to the DNS server which is configured on your machine, and that DNS server tells the IP address of the site to your machine.
8. This process happens in milliseconds in the background, i.e. by the time you get the "Website found, waiting for reply" message in the status bar of your Internet Explorer.
9. Oh my god!!!! Is that simple? Yes it is. The same process occurs in corporate networks also. But the requests are handled by their local DNS servers only.
10. See the below animation for better understanding.

Understanding DNS : Part - II
Hi Guys,
In my previous discussion about Understanding DNS, you learned most of the basic things related to DNS. In this post I want to elaborate more about DNS. Let's start...

DNS Records
There are so many records associated with a DNS server. The name resolution process does not happen properly without these records. As you know, the DNS server's main purpose is to resolve host names to IPs and vice versa.
A Record : Contains information about an IP address. It is helpful in resolving host names to IP addresses.
PTR Record : Pointer record, contains information about a host name. It is helpful in resolving an IP address to a host name.
CNAME Record : Alias of an A record. It is helpful in giving multiple names to a single host. Which means the same host is able to provide multiple services. In that case, for segregation of services and to communicate with a service, we need to give different names to each service. Even though these services are hosted on a single server, we can send our request to the target service. The CNAME record is helpful in identifying and communicating with that service on that server.
MX Record : A record helpful in identifying the mail server in a DNS domain (for that organization).
NS Record : A record helpful in identifying the DNS server in a DNS domain (for that organization).
SRV Record : This record is created when we install a service which is DNS dependent. It is automatically generated and will be associated with a specific IP address. It is called a Service record.
SOA Record : Start of Authority record; this is not a record associated with any IP address. But it is associated with a number, which determines the update number. Whatever the update, whenever it is done this number will be incremented.
These are the records associated with each and every server in this world. A fact is that "DNS is the biggest database in the world and that is the only one which gets updated every second". And this database is not located at a single place; it is spread across the world in different places like different companies, different ISPs, different homes etc. And the name resolution process is explained in my previous post Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.

> What is Active Directory?
Active Directory is metadata. Active Directory is a database which stores data like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete network which connects with AD.

> What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.

> What is a domain controller?
A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

> What is LDAP?
Lightweight Directory Access Protocol. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications.
Active Directory supports LDAPv3 and LDAPv2.

> What is KCC?
KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.

> Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.

> What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain.

> What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.

> Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

> I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

> What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

> Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

> What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

> What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

> How many passwords by default are remembered when you check "Enforce Password History Remembered"?
The user's last 6 passwords.

> Can the GC server and the Infrastructure master be placed on a single server? If not, explain why.
No. As the Infrastructure master does the same job as the GC, it does not work together with it.

> Which service in Windows is responsible for replication from one domain controller to another domain controller?
The KCC generates the replication topology. It uses SMTP / RPC to replicate changes.

> What are intrasite and intersite replication?
Intrasite is the replication within the same site, and intersite is the replication between sites.

> What is the Lost & Found folder in ADS?
It's the folder where you can find the objects missed due to conflict. Ex: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the OU, so it put that user in the Lost & Found folder.

> What is garbage collection?
Garbage collection is the process of the online defragmentation of Active Directory. It happens every 12 hours.

> What does System State data contain?
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder

> What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain. Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy; you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.

> I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone '' can I name the AD domain '' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.

> How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.

> Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS.
Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.

> What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

> What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. BitLocker - System drive encryption can be a sensible security measure for servers located in remote branch offices.
The main difference between 2003 and 2008 is virtualization and management.
2008 has more in-built components and updated third-party drivers.
11. Windows Aero.

> What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.

> What is LDP?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

> What are the group types available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

> Explain the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members such as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group.
A domain local group will not be a member of another domain local group or any other group in the same domain.
Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or domain local group in any domain.

> What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

> What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory.
It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.

> What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

> What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

> How to take a backup of AD?
To take a backup of Active Directory, go to START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS -> BACKUP, or open the Run window and type ntbackup. When the backup screen appears, take the backup of SYSTEM STATE; it will take the backup of all the necessary information about the system, including the AD backup, DNS etc.

> What are the DS* commands?
The DS family of built-in utilities:
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.
DSquery - find objects that match your query attributes.
DSget - list the properties of an object.

> What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC.
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).

Active Directory enables single sign-on to access resources on the network such as desktops, shared files, printers etc. Active Directory provides advanced security for the entire network and network resources. Active Directory is more scalable and flexible for administration.

Functional levels help the coexistence of Active Directory versions such as Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008. The functional level of a domain or forest controls which advanced features are available in the domain or forest. Although lower functional levels help to coexist with legacy Active Directory, they will disable some of the new features of Active Directory.
But if you are setting up a new Active Directory environment with latest version of Windows Server and AD, you can set to the highest functional level, thus all the new AD functionality will be enabled.Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (Default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, Windows Server.Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.?It is possible to take a backup copy of existing Domain Controller, and restore it in Windows Server machine in the remote locations with slower WAN link.?Active Directory is designed for Server Operating System, and it cannot be installed on Windows 7.Windows Server Operating System. Free hard disk space with NTFS partition. Administrator's privilege on the computer. Network connection with IP address, Subnet Mask, Gateway and DNS address. A DNS server, that can be installed along with first Domain Controller. Windows Server intallation CD or i386 folder.Flexible Single-Master Operation (FSMO) roles,manage an aspect of the domain or forest, to prevent conflicts, which are handled by Single domain controllers in domain or forest. The tasks which are not suited to multi-master replication, There are 5 FSMO roles, and Schema Master and Domain naming master roles are handled by a single domain controller in a forest, and PDC, RID master and Infrastructure master roles are handled by a single domain controller in each domain.Infrastrcture master role is a domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. 
For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly.Intrastrcuture master does not have any functions to do in a single domain environment.If the Domain controller with Infrastructure master role goes down in a single domain environemt, there will be no impact at all. Where as, in a complex environment with multiple domains, it may imact creation and modification of groups and group authentication.Schema Master role and Domain Naming Master role.PDC EmulatorYou should be a member of Enterprise Admins group or the Domain Admins group. Also you should be member of local Administrators group of the member server which you are going to promote as additional Domain Controller.Use?netdom query /domain:YourDomain FSMO command. It will list all the FSMO role handling domain controllers.No, there should be only one Domain Controller handling RID master role in a Domain.There should be only one Domain Controller handling Infrastructure master role in a domain. Hence if you have two domains in a forest, you can configure two Infrastructure masters, one in each domain.If PDC emulator crashes, there will be immediate impact on the environment. User authentication will fail as password changes wont get effected, and there will be frequent account lock out issues. Network time synchronization will be impacted. It will also impact DFS consistency and Group policy replication as well.Domain controllers and Sites. Domain controllers are physical computers which is running Windows Server operating system and Active Directory data base. Sites are a network segment based on geographical location and which contains multiple domain controllers in each site.Domains, Organizational Units, trees and forests are logical components of Active Directory.Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. 
Apart from these partitions, we can create Application partitions based on requirements.

Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduces replication traffic.

Group types are categorized by nature. There are two group types: Security Groups and Distribution Groups. Security groups are used to apply permissions to resources, whereas distribution groups are used to create Exchange Server e-mail communication groups. Group scopes are categorized by usage. There are three group scopes: Domain Local Group, Global Group and Universal Group.

Domain local groups are mainly used for granting access to network resources. A Domain Local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission on a printer located in Domain A to 10 users from Domain B, create a Global group in Domain B and add all 10 users to that Global group. Then create a Domain Local group in Domain A, add the Global group of Domain B to the Domain Local group of Domain A, and then add the Domain Local group of Domain A to the printer's (Domain A) security ACL.

Active Directory is backed up along with the System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.

There are two types of Active Directory restore: Authoritative restore and Non-Authoritative restore. Non-Authoritative means a normal restore of a single domain controller in case that particular domain controller's OS or hardware crashed. After the non-authoritative restoration is completed, the domain controller compares its database with peer domain controllers in the network and accepts all the directory changes that have been made since the backup. This is done through multi-master replication. In an Authoritative restore, on the other hand, the restored database of a domain controller is forcefully replicated to all the other domain controllers. An Authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) which was accidentally deleted and needs to be restored.

We can use the NTDSUTIL command line to perform an Authoritative restore of Active Directory. First, start a domain controller in 'Directory Services Restore Mode'. Then restore the System State data of the domain controller using the NTBACKUP tool; this is the non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the domain controller. Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This will restore all the data in authoritative restore mode. If you want to restore only a specific object or sub-tree, you can type the command below instead of 'restore database':
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

Authoritative restore, configurable settings, partition management, set DSRM password, etc.

A tombstone is a container object for items deleted from the Active Directory database: even after objects are deleted, they are kept hidden in the Active Directory database for a specific period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.

Garbage collection is an Active Directory process. It starts by removing the remains of previously deleted objects from the database; these objects are known as tombstones. Then the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to reclaim additional free space. The garbage collection process runs on all the domain controllers at an interval of 12 hours.

In the multi-master replication method, replication conflicts can happen. Objects with replication conflicts are stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects. The Lost and Found container can be viewed by enabling Advanced Features from the View menu of the Active Directory Users and Computers MMC.

Yes, it is included.

[Never say no] We had set up an additional domain for a new subsidiary of the firm, and I was a member of the team who handled installation and configuration of domain controllers for the sub-domain. [or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in a test environment on several occasions.

No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.

Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or restarting any services.

A Read-Only Domain Controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a read-only copy of the Active Directory database, and it can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon time for the branch office.

To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and select Properties. Both domain and forest functional levels are listed there. To find out forest and domain functional levels from the command line, you can use the DSQUERY command.

KCC can be expanded as Knowledge Consistency Checker. It is a process running on all domain controllers, and it generates and maintains the replication topology for replication within sites and between sites.

We can use command-line tools such as repadmin and dcdiag. The GUI tool REPLMON can also be used for replication monitoring and troubleshooting.

SYSVOL is a folder that exists on each domain controller, which contains Active Directory related files and folders. SYSVOL mainly stores important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using the File Replication Service (FRS).

Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource authentication and trust relationship functionality. Kerberos uses port number 88. All versions of Windows Server Active Directory use Kerberos 5.

Kerberos 88, LDAP 389, DNS 53, SMB 445.

FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the Domain Name System which points to a device in the domain at its left-most end. For example in system.

Dsadd - to add an object to the directory. Dsget - displays requested properties of an object in AD. Dsmove - used to move an object from one location to another in the directory. Dsquery - to query specific objects.

A tree in Active Directory is a collection of one or more domains which are interconnected and share global resources with each other. If a tree has more than one domain, it has a contiguous namespace. When we add a new domain to an existing tree, it is called a child domain.

A forest is a collection of one or more trees which trust each other and share a common schema. It also shares a common configuration and global catalog. When a forest contains more than one tree, the trees do not form a contiguous namespace.

Replication between domain controllers inside a single site is called intrasite replication, whereas replication between domain controllers located in different sites is called intersite replication. Intrasite replication is very frequent, whereas intersite replication happens at a specific interval and in a controlled fashion, to preserve network bandwidth.

A shortcut trust is a manually created transitive trust which is configured to enable a fast and optimized authentication process. For example, if we create a shortcut trust between two domains of different trees, they can quickly authenticate each other without travelling through all the parent domains. A shortcut trust can be either one-way or two-way.

Selective authentication is generally used in forest trusts and external trusts. Selective authentication is a security setting which allows administrators to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. The selective authentication method can decide which groups of users in a trusted forest can access shared resources in the trusting forest.

Trusts can be categorized by nature: there can be two-way or one-way trusts, implicit or explicit trusts, transitive or non-transitive trusts. Trusts can be categorized by type, such as parent and child, tree root trust, external trust, realm trust, forest trust and shortcut trust.

ADAC - Active Directory Administrative Center is a new GUI tool which came with Windows Server 2008 R2 and provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains within the same ADAC instance.

ADSIEDIT - Active Directory Service Interfaces Editor is a GUI tool which is used to perform advanced AD object and attribute management. This Active Directory tool helps us to view objects and attributes that are not visible through the normal Active Directory management consoles. ADSIEDIT can be downloaded and installed along with the Windows Server 2003 Support Tools.

This is due to the domain functional level.
If the domain functional level of a Windows Server 2003 AD is Windows 2000 Mixed, the Universal Group option is greyed out. You need to raise the domain functional level to Windows 2000 native or above.

ADMT - Active Directory Migration Tool is a tool used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers and groups to new domains.

When a domain controller is disconnected for a period longer than the tombstone lifetime, one or more objects that have been deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008 using the REPADMIN utility.

The Global Catalog is a container which contains a searchable partial replica of all objects from all domains of the forest, and a full replica of all objects from the domain where it is situated. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Global catalogs are mostly used in multi-domain, multi-site and complex forest environments, whereas the Global Catalog does not function in a single-domain forest.

In a forest that contains only a single Active Directory domain, there is no harm in placing both the GC and the Infrastructure Master on the same DC, because the Infrastructure Master has no work to do in a single-domain environment. But in a forest with a multiple and complex domain structure, the Infrastructure Master should be located on a DC which is not a Global Catalog server. Because the global catalog server holds a partial replica of every object in the forest, the Infrastructure Master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.

Command line method: nslookup gc._msdcs.<forest root DNS Domain Name>, or nltest /dsgetdc:corp /GC. GUI method: open DNS Management and, under 'Forward Lookup Zones', click on the GC container. To check whether a server is a GC or not, go to the Active Directory Sites and Services MMC and, under the 'Servers' folder, open the properties of the NTDS Settings of the desired DC and check whether the Global Catalog option is ticked.

As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.

When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.

Lightweight Directory Access Protocol (LDAP) is an Internet standard protocol which is used as the standard protocol for Active Directory functions. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500.

Active Directory related files are by default located in the %SystemRoot%\ntds folder. NTDS.DIT is the main Active Directory database file. Apart from this, other files such as EDB.LOG, EDB.CHK, RES1.LOG and TEMP.EDB are also located in the same folder.

Global Catalog servers produce huge traffic related to the replication process. Therefore, making all the domain controllers in the forest Global Catalog servers will cause network bandwidth problems. GCs should be placed based on network bandwidth and user or application requirements.

What is DNS?
DNS stands for Domain Naming Server; it is a standard for naming domains in any operational environment (Windows, Linux, Solaris, any environment). It is a server which contains a database of all the domains and all the servers which are associated with those domains.

Why is it used?
It is a service dedicated to identifying all the machines (domains and member servers) in a network. To make this possible, every machine has to be registered in the authoritative DNS server of that network. That means every operational network should have a dedicated DNS server to enable identification and communication between the machines.

How does it work?
As I said, it is dedicated to identification, in technical words to "name resolution". Every machine in a network has a dedicated IP address and hostname as its identity. Whenever a machine tries to communicate with another machine on the network, it should first identify the second machine, that is, it should know the IP address of that particular machine. After learning the identity (i.e. the IP address), it communicates directly with the second machine. So to speak, a machine should know the IP address of the other machine it is going to communicate with before it starts. Another question: why are hostnames used, if the machine already has an identity in the form of an IP address? A hostname is an English word which is useful for human memory. It is impossible for a human being to remember lots of IP addresses, but it is possible to remember English names for the same hosts (as we generally configure hostnames with an employee name, department name, location name, etc.).
For example, we can remember a website by its name but not by its IP address, because there is not only one website on the Internet. To sum up, hostnames and IP addresses are both used for identification and communication between two machines in a network. But machines are only able to communicate using IP addresses, which are impossible for humans to remember (keep in mind that machines never communicate using hostnames). To solve this situation, DNS was implemented. It basically contains a database of host records in a network. A host record contains "Hostname : IP address"; see the image below for better understanding. Our Internet is purely dependent on DNS: when we access a particular website we give its English name, and when we press ENTER the machine immediately starts finding the IP address of the website using the DNS server configured on it. I will explain the name resolution process in detail. One more thing about DNS: it is the single largest database on the Internet, and it changes every second. If this database went down by chance, we would have to remember all the IP addresses to access the Internet. Hahaha, it will not happen, because we have so many backup solutions already implemented.

How does name resolution take place?
I will explain this concept with the Internet as an example. Before that, I want you to check some settings on your machine. Check the TCP/IP properties and see whether a DNS server is configured or not. If you see the "obtain automatically" option, open a command prompt, type "ipconfig /all" and press Enter. You will get the DNS server information along with your machine's IP address. Now let's talk about the scenario: when you try to open a website, what happens next? How does your machine get the IP address of the website? Here it goes:
1. The request is sent to the DNS server which is configured on your machine.
2. The DNS server checks for the host record of the website in its database; if it contains a record for it, it directly sends a response with the IP address of the website. Otherwise it starts requesting another DNS server.
3. Before it goes to another DNS server, how does it identify which DNS server is responsible for this request? It checks the entire hostname (called the FQDN: Fully Qualified Domain Name), i.e. in Google's case. (Note that the FQDN ends with a period, and this period is called the root domain.)
4. Every DNS server has a root hints file associated with it, and this is used to identify the responsible DNS server. The root hints file contains the master DNS servers' information. Here you go, it looks like this. These are the master DNS servers for the .com, .net, .edu, .org domains, etc.
5. So in your case the domain is .com, and the DNS server sends the request to the .com master DNS server (for example, assume it is 198.41.0.4). The .com master DNS server contains name server records for all machines ending with .com. That means it definitely contains the DNS server IP address for the domain you asked about; in the same way it contains all the .com servers, and so on.
6. It does not contain the IP address of the web server itself; it contains the IP address of the domain's DNS server.
7. So the request is then forwarded to that domain's DNS server, which has a host record with the name www and its IP address. Finally you have reached it. With the IP address found, the response comes back the same way in reverse to the DNS server configured on your machine, and that DNS server tells your machine the IP address of the website.
8. This process happens in milliseconds in the background, i.e. by the time you get the "Website found, waiting for reply" message in the status bar of your Internet Explorer.
9. Oh my god!!!! Is it that simple? Yes, it is. The same process occurs in corporate networks too, but the requests are handled by their local DNS servers only.
10. See the animation below for better understanding.

Understanding DNS : Part - II
Hi Guys,
In my previous discussion about Understanding DNS, you learned most of the basic things related to DNS. In this post I want to elaborate more about DNS. Let's start...

DNS Records
There are many records associated with a DNS server. The name resolution process does not happen properly without these records. As you know, the DNS server's main purpose is to resolve host names to IPs and vice versa.
A Record : Contains information about an IP address. It is helpful in resolving host names to IP addresses.
PTR Record : Pointer record, contains information about a host name. It is helpful in resolving an IP address to a host name.
CNAME Record : Alias of an A record. It is helpful in giving multiple names to a single host, which means the same host is able to provide multiple services. In that case, for segregation of services and to communicate with a given service, we need to give a different name to each service. Even though these services are hosted on a single server, we can send our request to the target service. The CNAME record is helpful in identifying and communicating with that service on that server.
MX Record : A record that identifies the mail server in a DNS domain (for that organization).
NS Record : A record that identifies the DNS server in a DNS domain (for that organization).
SRV Record : This record is created when we install a service which is DNS dependent. It is automatically generated and is associated with a specific IP address. It is called a Service record.
SOA Record : Start of Authority record; this is not a record associated with any IP address, but with a number which determines the update number. Whatever the update, whenever it is done, this number is incremented.
These are the records associated with each and every server in this world. A fact is that "DNS is the biggest database in the world, and it is the only one which gets updated every second". And this database is not located at a single place; it is spread across the world in different places such as different companies, different ISPs, different homes, etc.
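The iterative lookup walked through in steps 1 to 9 of Part I, together with the NS, SOA and CNAME records listed above, as an added example that is not part of the original posts: an offline PowerShell model in which each hashtable stands in for one DNS server (a root server, the .com master server and the domain's own server). All names and addresses are constructed (documentation ranges), and the two function names are my own.

```powershell
# Each hashtable below stands in for one DNS server's record database (constructed, offline;
# documentation-range addresses). The resolver walks them the way steps 1-9 describe.
$Servers = @{
    '192.0.2.1' = @{   # a root server: knows the root zone and where .com is delegated
        '.'               = @(@{ Type = 'SOA'; Data = 'a.root.example.' })
        'com.'            = @(@{ Type = 'NS';  Data = 'a.gtld.example.' })
        'a.gtld.example.' = @(@{ Type = 'A';   Data = '192.0.2.2' })        # glue address
    }
    '192.0.2.2' = @{   # the .com master server: name server records for every .com domain
        'com.'             = @(@{ Type = 'SOA'; Data = 'a.gtld.example.' })
        'example.com.'     = @(@{ Type = 'NS';  Data = 'ns1.example.com.' })
        'ns1.example.com.' = @(@{ Type = 'A';   Data = '192.0.2.3' })
    }
    '192.0.2.3' = @{   # the domain's own DNS server: holds the host records
        'example.com.'      = @(@{ Type = 'SOA';   Data = 'ns1.example.com.' })
        'www.example.com.'  = @(@{ Type = 'A';     Data = '203.0.113.10' })
        'mail.example.com.' = @(@{ Type = 'CNAME'; Data = 'www.example.com.' })   # alias of the A record
    }
}

function Invoke-DnsQuery {
    # One question to one server. Answers ANSWER, CNAME, REFERRAL or NXDOMAIN as a real server would.
    param([string]$ServerIp, [string]$Name)
    $db   = $Servers[$ServerIp]
    $recs = @($db[$Name])
    $a = @($recs | Where-Object { $_.Type -eq 'A' })
    if ($a.Count -gt 0)  { return @{ Kind = 'ANSWER'; Data = $a[0].Data } }
    $cn = @($recs | Where-Object { $_.Type -eq 'CNAME' })
    if ($cn.Count -gt 0) { return @{ Kind = 'CNAME';  Data = $cn[0].Data } }
    # No record for the name itself: walk up the FQDN (www.example.com. -> example.com. -> com. -> .)
    # to find the closest zone this server knows about.
    $labels = $Name.TrimEnd('.').Split('.')
    for ($i = 1; $i -le $labels.Count; $i++) {
        $zone  = if ($i -eq $labels.Count) { '.' } else { ($labels[$i..($labels.Count - 1)] -join '.') + '.' }
        $zrecs = @($db[$zone])
        if (@($zrecs | Where-Object { $_.Type -eq 'SOA' }).Count -gt 0) {
            return @{ Kind = 'NXDOMAIN'; Data = $zone }      # authoritative for the zone, no such name
        }
        $ns = @($zrecs | Where-Object { $_.Type -eq 'NS' })
        if ($ns.Count -gt 0) {
            $glue = @($db[$ns[0].Data] | Where-Object { $_.Type -eq 'A' })
            return @{ Kind = 'REFERRAL'; Data = $glue[0].Data; Ns = $ns[0].Data }
        }
    }
    return @{ Kind = 'NXDOMAIN'; Data = $null }
}

function Resolve-Iteratively {
    # What the DNS server configured on your machine does: answer from its own records (steps 1-2),
    # otherwise start at a root server and follow referrals down to the domain's server (steps 3-7).
    param([string]$Name, [hashtable]$Cache, [string]$RootIp = '192.0.2.1')
    if (-not $Name.EndsWith('.')) { $Name += '.' }      # an FQDN ends with the root period
    $server = $RootIp
    $path   = @()
    for ($hop = 0; $hop -lt 10; $hop++) {
        if ($Cache.ContainsKey($Name)) { return @{ Ip = $Cache[$Name]; Path = $path + 'local record' } }
        $path += $server
        $r = Invoke-DnsQuery -ServerIp $server -Name $Name
        switch ($r.Kind) {
            'ANSWER'   { $Cache[$Name] = $r.Data; return @{ Ip = $r.Data; Path = $path } }
            'REFERRAL' { $server = $r.Data }                    # ask the delegated name server next
            'CNAME'    { $Name = $r.Data; $server = $RootIp }   # alias: resolve the target from the top
            default    { return @{ Ip = $null; Path = $path } } # NXDOMAIN: the name does not exist
        }
    }
    throw "Referral loop while resolving $Name"
}

# Worked run: the first lookup walks root -> .com -> ns1.example.com, the repeat is answered from the
# local record, the CNAME follows its alias, and the last name is refused by the authoritative server.
$cache = @{}
foreach ($q in 'www.example.com', 'www.example.com', 'mail.example.com', 'nosuch.example.com') {
    $r  = Resolve-Iteratively -Name $q -Cache $cache
    $ip = if ($r.Ip) { $r.Ip } else { 'NXDOMAIN' }
    '{0,-20} -> {1,-14} via {2}' -f $q, $ip, ($r.Path -join ' > ')
}
```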
The name resolution process itself is explained in my previous post, Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.

Windows Active Directory migration from 2008 R2 to 2012 R2.
Main requirements:
Existing 2008 server must be service packed.
Functional level must be higher, like Windows 2008 or Windows 2008 R2.
DNS server installed and configured on both zones.
Static IP address configured.
Full edition of the 2012 DVD.
Run Adprep.
Transfer FSMO roles.
Remove the existing 2008 server.

1. Run Adprep
Insert the Windows 2012 DVD. Suppose our DVD drive is drive D. Follow the commands below:
D:\>support\adprep\adprep /forestprep
Type C and press Enter. "Adprep successfully updated the forest-wide information."
D:\>support\adprep\adprep /domainprep
"Adprep successfully updated the domain-wide information."

2. Change functional level
Navigate to "Active Directory Users and Computers": right-click on the domain "nkglobal.nk", select Raise domain functional level and select "Windows 2008 R2" as the domain functional level.
Navigate to "Active Directory Domains and Trusts": right-click on the domain "nkglobal.nk", select Raise domain functional level and select "Windows 2008 R2" as the domain functional level.
Go to the Windows 2012 server and make it the primary DC first. On the Windows 2012 server go to Run and type ncpa.cpl, go to the network adapter, type 192.168.1.2 and, in the DNS suffix, type nkglobal.nk. Select the two check boxes "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration".
After that, on the 2012 server go to Computer properties and change the domain name to nkglobal.nk. Install ADDS on the 2012 server and configure ADDS: click on "Promote this server to a domain controller", add a domain controller to the existing domain, and type the Directory Services Restore Mode password.

3. Transfer FSMO roles one by one
ADUC > right-click on the domain and select Operations Masters > click on the Change button. Repeat for the RID, PDC and Infrastructure roles.
ADDT > Change Active Directory Domain Controller > change the domain controller.
ADDT > right-click on the domain and select Operations Masters > click on the Change button.
regsvr32 schmmgmt.dll
netdom query fsmo
Type mmc > Active Directory Schema. Once the schema console is open, right-click on Active Directory Schema > Change Domain Controller.
AD Schema > right-click on the domain and select Operations Masters > click on the Change button.
Global Catalog: ADSS > Site > Servers > DC2. Make sure that the Global Catalog is enabled on the DC2 server.

4. Removing the existing server
Log in to the Windows 2008 box. ADSS > Site > Servers > DC1. Make sure that the Global Catalog is disabled on the DC1 server. Go to the command prompt of the 2008 server and type dcpromo. Remove the domain controller from the 2008 server.
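An added example, not part of the original notes, that performs the FSMO transfer of step 3 and the Global Catalog checks of steps 3 and 4 with the ActiveDirectory PowerShell module instead of the three GUI consoles. It assumes the domain nkglobal.nk and the DC names DC1 (2008 R2, being retired) and DC2 (2012 R2) used above, and must be run as an Enterprise Admin on a domain controller; the two function names are my own.

```powershell
# Added example (not the walkthrough's own commands). Assumed names from the walkthrough above:
# domain nkglobal.nk, old DC1 (Windows Server 2008 R2), new DC2 (Windows Server 2012 R2).
Import-Module ActiveDirectory

$Domain = 'nkglobal.nk'
$OldDc  = 'DC1'
$NewDc  = 'DC2'
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Same answer as 'netdom query fsmo', returned as an object so it can be compared before and after.
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
    }
}

function Test-DcReplicating {
    # Precondition for step 3: the target DC must be replicating cleanly before roles are moved to it,
    # otherwise the role owner recorded on DC2 never reaches the other DCs.
    param([string]$DcName)
    $dc       = Get-ADDomainController -Identity $DcName
    $partners = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName)
    $failing  = @($partners | Where-Object { $_.LastReplicationResult -ne 0 })
    if ($failing.Count -gt 0) {
        throw "$DcName has $($failing.Count) failing replication link(s); fix them before transferring roles"
    }
    return $dc
}

$target = Test-DcReplicating -DcName $NewDc
'Before transfer:'; Get-FsmoHolders | Format-List

# Step 3: all five roles in one call instead of ADUC, ADDT and the Schema snap-in one by one.
# This is a transfer (the current holder agrees), not a seizure; seizing is only for a DC that is gone.
# In a single-domain forest it is fine for DC2 to hold the Infrastructure Master and be a GC as well.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Roles -Confirm:$false

$after = Get-FsmoHolders
'After transfer:'; $after | Format-List
$stuck = @($Roles | Where-Object { $after.$_ -ne $target.HostName })
if ($stuck.Count -gt 0) { throw "Roles still not on ${NewDc}: $($stuck -join ', ')" }

# Step 4 precondition: DC2 must be a Global Catalog and DC1 must no longer be one before dcpromo on DC1.
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles | Format-Table
if (-not (Get-ADDomainController -Identity $NewDc).IsGlobalCatalog) {
    throw "$NewDc is not a Global Catalog yet; enable it under NTDS Settings in AD Sites and Services"
}
if ((Get-ADDomainController -Identity $OldDc).IsGlobalCatalog) {
    Write-Warning "$OldDc is still a Global Catalog; clear the flag before demoting it"
}
```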