interview q and a 2


Upload: harilal-chotara

Post on 27-Nov-2014


Windows 2008 R2 Questions DNS questions DHCP questions OPS Manager questions Soft skill questions Active Directory questions

1. What is Active Directory?
Active Directory is a network-based object store and service that locates and manages resources and makes them available to authorized users and groups. An underlying principle of Active Directory is that everything is an object: people, servers, workstations, printers, documents and devices. Each object has a set of attributes and its own security descriptor with an access control list (ACL). Those object ACLs are real permissions (who may reset a password, who may change a group's membership, who may link a GPO), so they deserve the same review as file-system or share ACLs.

2. What is LDAP?
"LDAP is a client-server protocol for accessing a directory service. It was initially used as a front end to X.500, but can also be used with stand-alone and other kinds of directory servers." LDAP lets you "locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet," whether or not you know the domain name, IP address or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly. An LDAP server is also known as a Directory System Agent (DSA).

LDAP (Lightweight Directory Access Protocol) is a software protocol that enables anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because its initial version omitted much of DAP, including its security features. Active Directory domain controllers answer LDAP on TCP 389 (636 with SSL/TLS) and global catalog queries on 3268 (3269 with SSL/TLS). A simple bind sends the password in clear text, so bind over LDAPS or require LDAP signing in practice.

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

- The root directory (the starting place or the source of the tree), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
- Individuals (which includes people, files, and shared resources such as printers)

Active Directory uses the same model but names its tree by DNS domain components (DC=corp,DC=example,DC=com) rather than by country and organization, with OUs and containers beneath the domain root.

3. Where is the AD database held? What other folders are related to AD?
Default location: %systemroot%\NTDS

  Ntds.dit   Active Directory database (ESE format)
  Edb*.log   Transaction log files
  Edb.chk    Checkpoint file recording which logged transactions have not yet been written to the database
  Res*.log   Reserved transaction log files (10 MB each, reserving space so the service can shut down cleanly if the disk fills up); on Windows Server 2008 and later these are edbres00001.jrs and edbres00002.jrs

System State includes everything that AD depends on, not just the database files:

- Database and log files
- SYSVOL shared folder
- Registry
- System startup files
- Class registration (COM+) database
- Certificate Services database (when the DC is also a CA)

Ntds.dit contains every account's password hashes (encrypted with a key derived from the SYSTEM registry hive). Anyone who obtains a copy of the file and the hive, from the disk, a backup or a volume shadow copy, has the domain's credentials, so physical access to DCs, backup media and snapshots must be controlled as tightly as Domain Admin membership.

4. Talk about all the AD-related roles in Windows Server 2008/R2.
Flexible Single Master Operations (FSMO) roles. Active Directory is multi-master, but a few operations would conflict if two domain controllers performed them at once, so each such operation is performed by exactly one DC at a time; the DCs that perform them are said to hold the FSMO roles. There are five roles, in two groups:

1. Forest-wide roles (one holder per forest)

- Schema Master: the only DC that can write to the schema partition, for example when Exchange or a newer Windows version extends the schema with new classes or attributes. The change is made on this one DC and then replicated to every other DC in the forest; because only one DC can write, concurrent changes cannot corrupt the schema. This is one of the most sensitive roles in the infrastructure.
- Domain Naming Master: used only when domains (or application partitions) are added to or removed from the forest. It ensures that every domain name in the forest is unique. This role is exercised rarely.

2. Domain-wide roles (one holder per domain)

- Infrastructure Master: maintains references to objects that live in other domains (for example, a member of a local group whose account is in another domain), updating the stored name and SID when the referenced object is renamed or moved. It must not be a global catalog server unless every DC in the domain is a GC; a GC already holds those objects and the Infrastructure Master would never see anything to update.
- RID Master: allocates pools of relative identifiers (RIDs) to the DCs in the domain. Every security principal's SID is the domain SID plus a unique RID, so this role is what guarantees that no two principals get the same identifier.
- PDC Emulator: receives preferential replication of password changes and is consulted by other DCs before rejecting a logon with a bad password; processes account lockouts; is the default target for Group Policy edits; is the authoritative time source for the domain (the forest root PDC Emulator for the whole forest); and acts as the PDC for any remaining legacy clients and BDCs.

Where are these roles configured?
1. Domain-wide roles: in Active Directory Users and Computers, right-click the domain and select Operations Masters. The dialog shows the current RID, PDC and Infrastructure holders and lets you transfer each one to the DC the console is connected to.
2. Domain Naming Master: in Active Directory Domains and Trusts, right-click the root node and select Operations Master.
3. Schema Master: the Active Directory Schema snap-in is deliberately not registered by default, because editing the schema can cause serious problems in an Active Directory environment. To gain access, register its DLL with regsvr32 schmmgmt.dll, add the snap-in to a custom MMC console, then right-click the root node and select Operations Master.
All five holders can be listed at once with netdom query fsmo, and any role can be transferred or seized with ntdsutil (below) or, from Windows Server 2008 R2, with the Move-ADDirectoryServerOperationMasterRole cmdlet.

Seizing of roles
Transfer a role whenever the current holder is still reachable (fsmo maintenance: transfer <role>): a transfer is graceful, the two DCs agree on the hand-over and nothing is lost. Seize a role only when the holder has failed permanently. After seizing the Schema Master, Domain Naming Master or RID Master, the former holder must never be brought back onto the network; reinstall it and remove its leftover objects with ntdsutil metadata cleanup. The PDC Emulator and Infrastructure Master are less critical and can simply be transferred back when the original holder returns.

The ntdsutil procedure is the same for every role; only the final command differs:

1. At a command prompt, type ntdsutil.
2. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
3. At the fsmo maintenance: prompt, type connections to enter server connections.
4. At the server connections: prompt, type connect to server <domain controller>, where <domain controller> is the name of the DC that is going to receive the role.
5. At the server connections: prompt, type quit to return to fsmo maintenance.
6. At the fsmo maintenance: prompt, type one of the following and confirm when prompted:
   seize schema master
   seize naming master
   seize infrastructure master
   seize RID master
   seize PDC
   ntdsutil first attempts a normal transfer and only seizes the role if the current holder cannot be contacted.
7. Type quit until you have exited ntdsutil, then confirm the result with netdom query fsmo.
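The same inventory, placement check and transfer/seize, written as an added example for the Active Directory module that ships with Windows Server 2008 R2 (this is not code from the original document; the DC and domain names in the usage lines are placeholders):

```powershell
# Added example, not from the original document: inventory the FSMO role holders,
# check Infrastructure Master placement, and transfer or seize roles with the
# Active Directory module (Windows Server 2008 R2 and later, or RSAT on a workstation).
# DC and domain names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    # for every domain in the forest. Cross-check with: netdom query fsmo
    $forest = Get-ADForest
    New-Object PSObject -Property @{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    New-Object PSObject -Property @{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        New-Object PSObject -Property @{ Scope = $name; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        New-Object PSObject -Property @{ Scope = $name; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        New-Object PSObject -Property @{ Scope = $name; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
}

function Test-InfrastructureMasterPlacement {
    # The Infrastructure Master only updates cross-domain references when it is NOT a
    # global catalog, unless every DC in the domain is a GC (then there is nothing to fix).
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $imDc  = $dcs | Where-Object { $_.HostName -eq $im }
    $imGc  = [bool]($imDc -and $imDc.IsGlobalCatalog)
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    New-Object PSObject -Property @{
        Domain = $Domain; InfrastructureMaster = $im; ImIsGlobalCatalog = $imGc
        AllDcsAreGlobalCatalogs = $allGc; PlacementOk = ((-not $imGc) -or $allGc)
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDC,
        [Parameter(Mandatory=$true)][string[]]$Role,   # PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
        [switch]$Seize
    )
    # Without -Seize this is a graceful transfer: the current holder must be online and
    # hands the role over, so nothing is lost. -Seize adds -Force, which rewrites the role
    # owner in the directory without the old holder's cooperation. Seize only when the old
    # holder is permanently gone, and never bring a seized Schema Master, Domain Naming
    # Master or RID Master back online afterwards; reinstall it instead.
    $params = @{ Identity = $TargetDC; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}

# Usage (placeholder names):
Get-FsmoRoleHolders | Format-Table Scope, Role, Holder -AutoSize
Test-InfrastructureMasterPlacement -Domain 'corp.example.com'
# Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator, RIDMaster     # graceful transfer
# Move-FsmoRole -TargetDC 'DC02' -Role SchemaMaster -Seize        # last resort only
# Afterwards confirm every DC agrees:  repadmin /replsummary  and  netdom query fsmo
```

Run the inventory before and after any move: a role that still shows the old holder on some DCs means replication has not yet converged, and two DCs each believing they own the RID Master is exactly the state seizing is meant to avoid.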

5. What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
Windows Server 2008 R2 was released in August 2009 and introduced new functional levels for Active Directory. This section looks back at the functional levels of the past and at what is new in the latest release (yes, a recycle bin for AD objects!). Functional levels were first introduced when Active Directory appeared in Windows 2000 Server. They allow you to run different versions of domain controllers in your environment; once all the domain controllers have been brought up to a certain version of Windows, you can raise the functional level to gain the features of that version. Now that Windows Server 2008 R2 is released, it is unlikely that you will mass deploy the new operating system to your entire forest or domain. Instead, you will deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you have upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features. Functional levels can be raised for a domain or, since Windows Server 2003, for the forest, each providing different features; they are labelled Domain Functional Level and Forest Functional Level. Raising a level is one-way: it cannot be lowered afterwards (Windows Server 2008 R2 allows rolling back only if no feature that depends on the higher level, such as the Recycle Bin, has been enabled).

What's new in 2008 R2

Domain Functional Level
Two features are added when the domain functional level is raised to Windows Server 2008 R2: Authentication Mechanism Assurance and Automatic SPN Management.

Authentication mechanism assurance is meant for domains that use federation services (AD FS) or certificate-based authentication methods such as smart cards or tokens. When a user logs on with a certificate, a universal group that the administrator has mapped to the certificate's issuance policy is added to the user's Kerberos token, so the token records how the user authenticated and group membership (and therefore access) can depend on it. For example, a user can be granted access to different resources when logging on with a smart card than when logging on with just a username and password.

Automatic SPN management comes with managed service accounts, a new class of account for running services such as Exchange, SQL Server and IIS. In the past, regular domain accounts were used for this, adding management headaches in terms of password management and service principal names (SPNs). The new feature provides the following benefits:

- A class of domain accounts can be used to manage and maintain services on local computers.
- Passwords for these accounts are reset automatically.
- You do not have to perform complex SPN management tasks to use managed service accounts.
- Administrative tasks for managed service accounts can be delegated to non-administrators.

Forest Functional Level
There is one new feature when raising the forest functional level to Windows Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The deletion replicates to all domain controllers, so an authoritative restore from a good backup, booting a DC into Directory Services Restore Mode and using ntdsutil, was in order. At the 2008 R2 forest functional level, the Restore-ADObject PowerShell cmdlet undoes the deletion instantly, keeping link-valued attributes such as group memberships that the older tombstone-reanimation trick lost. Note that the feature is not enabled automatically when the forest functional level is raised, and that once enabled it cannot be disabled; objects deleted before it was enabled are ordinary tombstones and cannot be recovered this way. To enable it, run the following in the Active Directory Module for Windows PowerShell (replace the mydomain.com parts with your forest root):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'
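An end-to-end version of the scenario above, as an added example that is not part of the original article: check the prerequisite, enable the feature, list what has been deleted, and restore an OU together with its children, parent first. The forest name and the object GUID in the usage lines are placeholders.

```powershell
# Added example, not from the original article. Requires the Active Directory module
# (Windows Server 2008 R2 / RSAT). Forest name and GUID in the usage lines are placeholders.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([Parameter(Mandatory=$true)][string]$ForestFqdn)
    # Prerequisite: forest functional level Windows Server 2008 R2 or higher.
    $mode = (Get-ADForest -Identity $ForestFqdn).ForestMode
    if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $mode; raise it to Windows2008R2Forest first."
    }
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"' -Server $ForestFqdn
    if ($feature.EnabledScopes.Count -gt 0) { return 'Already enabled' }
    # One-way operation: the feature cannot be disabled again, and objects deleted
    # before this point are plain tombstones that Restore-ADObject cannot fully recover.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestFqdn -Confirm:$false
    'Enabled'
}

function Get-AdDeletedObjects {
    param([string]$NameFilter = '*')
    # Deleted objects sit under CN=Deleted Objects and are hidden from normal searches
    # unless -IncludeDeletedObjects is given. msDS-LastKnownRDN is the object's old name,
    # lastKnownParent the container it was deleted from.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, objectClass, whenChanged |
      Where-Object { $_.'msDS-LastKnownRDN' -like $NameFilter } |
      Select-Object @{n='Name';e={$_.'msDS-LastKnownRDN'}}, objectClass, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-AdDeletedSubtree {
    param([Parameter(Mandatory=$true)][guid]$RootObjectGuid)
    # A child cannot be restored before its parent exists again, so restore the root
    # (for example the deleted OU) first, then recurse into everything that was under it.
    $deletedRoot = Get-ADObject -Identity $RootObjectGuid -IncludeDeletedObjects
    $deletedDn   = $deletedRoot.DistinguishedName          # mangled DN inside CN=Deleted Objects
    Restore-ADObject -Identity $deletedRoot.ObjectGUID
    $live   = Get-ADObject -Identity $deletedRoot.ObjectGUID  # the object back at its original DN
    $liveDn = $live.DistinguishedName
    # Children deleted as part of one tree deletion record the parent's original DN in
    # lastKnownParent; children deleted later, individually, record the mangled DN.
    # Query for both so neither set is missed.
    $children = Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and (lastKnownParent -eq $liveDn -or lastKnownParent -eq $deletedDn) }
    foreach ($child in $children) { Restore-AdDeletedSubtree -RootObjectGuid $child.ObjectGUID }
    $live
}

# Usage (placeholders):
# Enable-AdRecycleBin -ForestFqdn 'corp.example.com'
# Get-AdDeletedObjects -NameFilter 'Sales*' | Format-Table -AutoSize
# Restore-AdDeletedSubtree -RootObjectGuid '11111111-2222-3333-4444-555555555555'
```

Deleted objects stay restorable for the deleted-object lifetime (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime, 180 days on a forest created with Windows Server 2003 SP1 or later), after which they become recycled objects and are gone for good; a scheduled run of the listing function is a cheap way to notice a mass deletion before that window closes.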

Functional levels of previous versions
The following are the previous functional levels and the features they added, as documented in TechNet.

Domain Functional Levels:

Windows 2000 Native:
- Universal groups are enabled for both distribution groups and security groups.
- Group nesting.
- Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
- Security identifier (SID) history.

Windows Server 2003:
- The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
- Update of the logon time stamp. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
- The ability to redirect the Users and Computers containers. By default, two well-known containers, cn=Computers and cn=Users directly under the domain root, are provided for housing computer and user/group accounts. This feature makes it possible to define a new well-known location for these accounts.
- Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
- Includes constrained delegation, so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
- Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008:
- Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.
- Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
- Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Forest Functional Levels:

Windows 2000:
There were no forest functional levels, just domain.

Windows Server 2003:
- Forest trust.
- Domain rename.
- Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level, and the improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 level.
- The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
- The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
- The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
- Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008:
No forest functional level changes occurred from Windows Server 2003 to Windows Server 2008.

6. What is the SYSVOL folder?
"The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest." That is a quote from Microsoft themselves; in plain terms, the domain controller information that lives in files rather than in the directory database (the Group Policy templates, logon and startup scripts, and the contents of the NETLOGON share) is replicated to every DC through this folder structure, by FRS or, at the Windows Server 2008 domain functional level after migration, by DFS Replication. Write access to SYSVOL is effectively the ability to change Group Policy for every machine that applies it, so its permissions matter as much as those on the GPOs themselves.

7. What are the AD naming contexts (partitions) and the replication scope of each?
Active Directory naming contexts (NCs):

- Every domain controller holds three default partitions: the Schema NC, the Configuration NC and its own Domain NC. Each is replicated independently, with its own replication metadata and partners.
- A forest has a single schema and a single configuration, so every DC in the forest holds a full replica of the Schema and Configuration NCs (forest-wide replication).
- A forest can have multiple domains; every DC in a domain holds a full writable replica of that domain's NC (domain-wide replication). Global catalog servers additionally hold a partial, read-only replica of every other domain NC in the forest, and RODCs hold a read-only replica of their domain NC.
- Application partitions replicate only to the DCs explicitly configured as replicas (see the next question), and are never replicated to the global catalog.

8. What are application partitions?
Active Directory supports application directory partitions. Typically, data in a given application directory partition is managed through the application that created it or that uses it. Application directory partitions provide the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data. As a result, an application directory partition can host dynamic data in Active Directory, with ADSI/LDAP access to it, without significantly impacting network performance. An application directory partition can contain a hierarchy of any type of object except security principals, and can be configured to replicate to any set of domain controllers in the forest. Unlike a domain partition, an application directory partition is not required to replicate to all domain controllers in a domain, and it can replicate to domain controllers in different domains of the forest. As an example, if you use a Domain Name System (DNS) that is integrated with Active Directory you have two application partitions for DNS zones: ForestDNSZones (replicated to every DNS server in the forest) and DomainDNSZones (replicated to every DNS server in the domain).

9. What applications or services use AD application partitions? Name a couple.
Application directory partitions are usually created by the applications that will use them to store and replicate data. Active Directory-integrated DNS is the most common example, with its ForestDNSZones and DomainDNSZones partitions; TAPI (the Windows telephony service) is another.

10. How do you create a new application partition?
Normally the application creates its own. For testing and troubleshooting purposes, members of the Enterprise Admins group can create and manage application directory partitions manually with the ntdsutil command-line tool: enter partition management (domain management on Windows Server 2003), connect to a DC via connections and connect to server <DC>, then run create nc <partition DN> <DC> to create the partition on that DC and add nc replica <partition DN> <DC> for each additional DC that should hold a replica. For the DNS partitions specifically, dnscmd /createdirectorypartition does the same. The new partition shows up in the ApplicationPartitions property of Get-ADForest and in the namingContexts attribute of the RootDSE on each replica.
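The following added example (not from the original document) ties questions 7 to 10 together: it reads the crossRef objects in CN=Partitions, classifies every naming context in the forest and shows which DCs hold each application partition, and ends with the ntdsutil dialogue for creating one by hand. The partition and server names are placeholders.

```powershell
# Added example, not from the original document: enumerate every naming context in the
# forest from the crossRef objects in CN=Partitions and show where each one replicates.
# Partition and server names in the trailing ntdsutil transcript are placeholders.
Import-Module ActiveDirectory

function Get-AdNamingContexts {
    $rootDse    = Get-ADRootDSE
    $partitions = "CN=Partitions,$($rootDse.configurationNamingContext)"
    # systemFlags bits on a crossRef: 0x1 = NC hosted by AD DS, 0x2 = domain NC,
    # 0x4 = not replicated to the global catalog (set on application partitions).
    Get-ADObject -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, dnsRoot, systemFlags, 'msDS-NC-Replica-Locations' |
      ForEach-Object {
        $flags = [int]$_.systemFlags
        $type  = if     ($_.nCName -eq $rootDse.schemaNamingContext)        { 'Schema (every DC in the forest)' }
                 elseif ($_.nCName -eq $rootDse.configurationNamingContext) { 'Configuration (every DC in the forest)' }
                 elseif ($flags -band 0x2)                                  { 'Domain (every DC in the domain, partial copy on GCs)' }
                 elseif ($flags -band 0x1)                                  { 'Application (only the listed replica DCs)' }
                 else                                                       { 'External reference (not hosted by AD DS)' }
        # msDS-NC-Replica-Locations holds the NTDS Settings DNs of the DCs that host an
        # application partition ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,..."),
        # so the second RDN is the server name. Domain NCs leave it empty.
        $replicas = @($_.'msDS-NC-Replica-Locations' | Where-Object { $_ } |
                      ForEach-Object { ($_ -split ',')[1] -replace '^CN=', '' })
        New-Object PSObject -Property @{
            NamingContext = [string]$_.nCName
            Type          = $type
            DnsRoot       = [string]$_.dnsRoot
            ReplicaDCs    = ($replicas -join ', ')
        }
      }
}

Get-AdNamingContexts | Sort-Object Type | Format-Table Type, NamingContext, ReplicaDCs -AutoSize

# Per-NC replication health for one DC (each partition has its own partners and status):
#   repadmin /showrepl DC01.corp.example.com
#   repadmin /replsummary
#
# Creating an application partition by hand (question 10) is an ntdsutil operation, not a
# cmdlet. On Windows Server 2008/R2 the menu is "partition management" ("domain management"
# on 2003). Names are placeholders:
#   ntdsutil
#   partition management
#   connections
#   connect to server DC01.corp.example.com
#   quit
#   create nc DC=AppData,DC=corp,DC=example,DC=com DC01.corp.example.com
#   add nc replica DC=AppData,DC=corp,DC=example,DC=com DC02.corp.example.com
#   quit
#   quit
```

After creating the partition, re-run the enumeration: the new NC should appear with type Application and exactly the replica DCs you added, and repadmin /showrepl on DC02 should list DC01 as an inbound partner for that NC only once replication has completed.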

11. What are the requirements for installing AD on a new server?

- An NTFS partition with enough free space (250 MB minimum)
- Local Administrator credentials on the server, plus domain credentials with the right to add a DC (Domain Admins for an existing domain, Enterprise Admins for a new domain in the forest)
- A supported server edition of the operating system
- A NIC
- Properly configured TCP/IP (a static IP address, subnet mask and, optionally, a default gateway, with the DNS client pointing at an operational DNS server)
- A network connection (to a switch or hub, or to another computer via a crossover cable)
- An operational DNS server that supports SRV records and dynamic updates (it can be installed on the DC itself)
- The domain name that you want to use

12. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Use Install From Media (IFM), so that the new DC's initial copy of the directory comes from local media instead of across the WAN; only the changes made since the media was created replicate over the link. On Windows Server 2003 this meant taking a System State backup of another DC, restoring it to an alternate location on the new server and running dcpromo /adv, which prompts for the restored backup path. On Windows Server 2008/R2, create the media on an existing writable DC with ntdsutil (activate instance ntds, then ifm, then create full C:\IFM, or create sysvol full C:\IFM to include SYSVOL), copy the folder to the new server, run dcpromo /adv and choose "Replicate data from media". The media must be newer than the tombstone lifetime, and it contains the entire directory database, password hashes included, so encrypt it in transit and destroy it after the promotion.

13. How do you view replication properties for AD partitions and DCs?
With the command-line tool repadmin: repadmin /showrepl lists each naming context on a DC with its inbound partners and the result and time of the last replication attempt, repadmin /replsummary summarizes replication failures and latency across all DCs, and repadmin /showobjmeta shows per-attribute replication metadata (version, originating DC and time) for a single object. Replmon, the graphical Replication Monitor from the Windows Server 2003 Support Tools, shows the same information but is not shipped with Windows Server 2008; use repadmin, or the replication status shown in Active Directory Sites and Services under each server's NTDS Settings.

14. What is the Global Catalog?
A global catalog (GC) server is a domain controller that, in addition to the full writable copy of its own domain's objects, holds a read-only partial replica of every other domain in the forest: every object, but only the attributes marked in the schema as part of the partial attribute set (the attributes most commonly searched for, such as name, UPN and, once Exchange has extended the schema, e-mail addresses and phone numbers, but not every mailbox attribute). The GC answers forest-wide searches on LDAP ports 3268/3269, resolves user principal name logons and universal group memberships at logon, and is required by Exchange. In a single-domain forest all DCs are effectively GCs, since there is nothing from other domains to hold, but single-domain implementations are unusual in large, distributed enterprises; GCs come into their own there.

15. How do you view all the GCs in the forest?
From the command line, dsquery server -forest -isgc lists every GC in the forest (dsquery server -isgc limits the search to the current domain). GCs register SRV records in DNS, so nslookup -type=SRV _gc._tcp.<forest root DNS name> (or _ldap._tcp.gc._msdcs.<forest root DNS name>) returns them. In Active Directory Sites and Services, the NTDS Settings properties of each server have a Global Catalog check box. repadmin /showrepl <domain_controller> reports in its header whether that DC is a GC (DSA Options: IS_GC), and Replmon showed the same. From the Active Directory module for PowerShell, Get-ADForest exposes the list as its GlobalCatalogs property.

16. Why not make all DCs in a large forest GCs?
There is no limit of one GC per forest; a forest normally has many, with at least one per site so that logons do not cross the WAN. The reasons for not making every DC a GC in a large, multi-domain forest are cost and one placement rule. Each GC stores a partial replica of every domain in the forest, so every additional GC means more disk, more inbound replication traffic for every domain's changes, and more replication partners to keep consistent. The Infrastructure Master for a domain must not be a GC unless all DCs in that domain are GCs, otherwise cross-domain group membership references stop being updated. Where bandwidth and disk are not a constraint (for example a single-domain forest), making all DCs GCs is in fact the recommended configuration and simplifies logon.

17. Talk about GCs and Universal Groups.

18. Describe the time synchronization mechanism in AD.
Kerberos rejects tickets whose timestamps differ from the server's clock by more than five minutes (the default), so every domain member needs a consistent time. The Windows Time service (W32Time) arranges this as a hierarchy: the server that holds the PDC emulator role in the forest root domain acts as the authoritative time source for the entire forest; the PDC emulator of each child domain synchronizes from a domain controller in the parent domain; other domain controllers synchronize from the PDC emulator of their domain; and each workstation and member server synchronizes from the domain controller that authenticated it. When a system looks for a time source it uses an internal algorithm designed to reduce network traffic, making up to six attempts in this order:

- Parent domain controller (on-site)
- Local domain controller (on-site)
- Local PDC emulator (on-site)
- Parent domain controller (off-site)
- Local domain controller (off-site)
- Local PDC emulator (off-site)

Everything below the root PDC emulator takes care of itself, so to ensure that your servers have the correct time you must configure that one server to receive its time from a valid and accurate external source. To do so:

1. Log on to the PDC emulator of the forest root domain.
2. Enter the following at the command line:

   w32tm /config /manualpeerlist:"<peers>" /syncfromflags:manual /reliable:yes /update

   where <peers> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks. /reliable:yes makes the server advertise itself as a reliable time source to the rest of the domain.
3. Apply the new configuration. At the command line, either enter w32tm /config /update (already included above), or restart the service with net stop w32time followed by net start w32time, then force a synchronization with w32tm /resync. Verify with w32tm /query /source, which should name one of your peers rather than "Local CMOS Clock", and with w32tm /monitor, which shows the offset of every DC from the PDC emulator.
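The procedure above, scripted as an added example (not from the original document) so that it targets the right server automatically and then audits the whole hierarchy; the NTP peer names in the usage line are placeholders:

```powershell
# Added example, not from the original document: configure the forest root PDC emulator
# to sync from external NTP peers and audit which source every DC in a domain is using.
# Peer names in the usage line are placeholders.
Import-Module ActiveDirectory

function Set-PdcTimeSource {
    param(
        [Parameter(Mandatory=$true)][string[]]$Peers,
        [string]$Domain = (Get-ADForest).RootDomain
    )
    # Only the forest root PDC emulator should sync from outside the forest; everything
    # else keeps the default syncfromflags:domhier and follows the domain hierarchy.
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    # ",0x8" asks for client mode on each peer; the whole list is one quoted argument.
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /computer:$pdc /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update | Out-Null
    w32tm /resync /computer:$pdc /nowait | Out-Null
    # Returns the source the PDC emulator now reports, e.g. "ntp1.example.com,0x8".
    (w32tm /query /computer:$pdc /source) -join ''
}

function Get-DomainTimeHierarchy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Every DC should report another DC above it (or the external peer, for the root PDC
    # emulator). "Local CMOS Clock" or "Free-running System Clock" means it is not
    # synchronizing at all, the classic cause of Kerberos clock-skew failures.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $source = (w32tm /query /computer:$($dc.HostName) /source) -join ''
        New-Object PSObject -Property @{
            DC         = $dc.HostName
            Source     = $source
            Unsynced   = [bool]($source -match 'Local CMOS Clock|Free-running System Clock')
            PdcEmulator = ($dc.OperationMasterRoles -contains 'PDCEmulator')
        }
    }
}

# Usage (placeholders):
# Set-PdcTimeSource -Peers 'ntp1.example.com', 'ntp2.example.com'
Get-DomainTimeHierarchy | Format-Table DC, PdcEmulator, Source, Unsynced -AutoSize
# Offsets of every DC relative to the PDC emulator:  w32tm /monitor /domain:corp.example.com
```

If the PDC emulator is a virtual machine, also decide whether the hypervisor's time-synchronization integration or W32Time owns its clock; two sources fighting over the same clock produce exactly the drift this configuration is meant to remove.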

19. What is ADSIEDIT? What is NETDOM? What is REPADMIN?

20. LDP: ldp.exe is the graphical LDAP client that ships with the AD DS tools (and with the Windows Server 2003 Support Tools). It lets you connect and bind to a domain controller over any LDAP port, including 636 for SSL/TLS, browse the directory tree, run arbitrary LDAP searches with controls, view and modify any attribute of any object, and inspect deleted objects under CN=Deleted Objects. It is the standard tool for confirming that a DC accepts LDAP binds (for example after enabling LDAPS or LDAP signing) and for low-level troubleshooting when the normal consoles hide what you need.

Replmon: Replmon displays information about Active Directory replication graphically (Windows Server 2003 Support Tools; not included with Windows Server 2008).

ADSIEDIT: ADSI Edit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical tool that administrators can use for common administrative tasks such as adding, deleting and moving objects in the directory, and the attributes of each object can be edited or deleted with it. ADSI Edit uses the Active Directory Service Interfaces (ADSI) APIs to access Active Directory. The required files are ADSIEDIT.DLL and ADSIEDIT.MSC. Because it bypasses the safety checks of the purpose-built consoles, a mistake in ADSI Edit can damage the directory; use it deliberately.

NETDOM: NETDOM is a command-line tool for managing Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts and secure channels (netdom verify, netdom resetpwd), and listing FSMO holders (netdom query fsmo).

REPADMIN: this command-line tool helps administrators diagnose replication problems between Windows domain controllers. Administrators can use repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers (repadmin /syncall), and to view both the replication metadata and the up-to-dateness vectors.

21. What is DCDIAG? When would you use it?
This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests (connectivity, replication, DNS registration, FSMO reachability, SYSVOL readiness, services, and so on) that can be run individually (dcdiag /test:<name>) or as a suite to verify domain controller health; dcdiag /v /c /e runs the comprehensive set against every DC in the forest with verbose output. Run it after promoting a DC, before and after demoting or seizing roles, and whenever logons or replication misbehave.

22. What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets. Sites let administrators shape Active Directory access and replication topology to match the physical network. A Site object in Active Directory represents a physical location that hosts networks; sites contain Subnet objects, and a client determines its own site from its IP address. Sites are used to assign Group Policy Objects, to let clients find nearby resources (a DC, GC or DFS target in their own site), to control Active Directory replication (compressed, scheduled replication between sites versus frequent, uncompressed replication within a site), and to manage traffic over network links. Sites are connected by Site Links, which can be assigned a cost representing the speed, reliability, availability or other real property of the physical link, and a schedule.

23. What's the difference between a site link's schedule and interval?
The schedule lists the weekdays and hours during which the site link is available for replication. The interval is how often replication recurs, in minutes, within the available windows; it ranges from 15 to 10,080 minutes (one week), and the default is 180 minutes.

24. What is the KCC?
The Knowledge Consistency Checker (KCC) is a built-in process that runs on every domain controller. Within a site it automatically generates the replication topology among the domain controllers as a bidirectional ring, adding extra connections so that no DC is more than three hops from any other. The KCC re-evaluates the intra-site topology every 15 minutes to ensure that it still works; if you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.

25. What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is the single domain controller in each site whose KCC is responsible for the inter-site connections: it selects the site's bridgehead servers and creates the connection objects to other sites. By default the first domain controller installed in a site holds the role. The ISTG records itself in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object and refreshes it periodically; if the other DCs in the site see that it has not been refreshed within the failover period (60 minutes by default), the next DC in the site's GUID-ordered list takes over the role. repadmin /istg lists the current ISTG for every site.

26. Talk about sites and GCs.

27. Talk about sites and Exchange Server 2007/2010.

28. What is a GPO?
A Group Policy Object (GPO), introduced with Windows 2000, is a collection of settings that define what a system will look like and how it will behave for a defined group of users or computers. Microsoft provides a snap-in for the Microsoft Management Console (MMC), the Group Policy Object Editor (and, from Windows Server 2003 SP1, the Group Policy Management Console), in which the settings you select become a Group Policy Object. The GPO is then linked to Active Directory containers, such as sites, domains or organizational units (OUs). The editor lets you create a GPO that defines registry-based policies, security options, software installation and maintenance options, script options and folder redirection options.

Group Policy gives you administrative control over users and computers in your network. Using Group Policy, you define the state of a user's work environment once and then rely on Windows Server to continually enforce the settings you apply, across an entire organization or for specific groups of users and computers.

Group Policy advantages
You can link Group Policy to domains, sites and organizational units, and every user and computer in the linked container is affected by the settings. Only authorized accounts can change Group Policy: by default, only Domain Admins, Enterprise Admins and Group Policy Creator Owners can create GPOs, and only Domain Admins, Enterprise Admins and a GPO's creator can edit it, so the mechanism is secure as long as those groups and the GPO permissions are controlled. Policy settings can be removed or rewritten later.

Where GPOs store Group Policy information
Group Policy objects store their information in two locations:

Group Policy Container (GPC): an Active Directory object (under CN=Policies,CN=System in the domain partition) that contains the GPO's status, version information, WMI filter information and the list of components that have settings in the GPO. Computers read the GPC to locate the Group Policy template; if the domain controller they use does not have the most recent version of the GPO, replication obtains the latest version.

Group Policy Template (GPT): a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts and folder redirection settings. Computers connect to the SYSVOL share to obtain the settings. The GPT folder is named after the Globally Unique Identifier (GUID) of the GPO, the same GUID that Active Directory uses to identify the GPO in the GPC, and lives under %systemroot%\SYSVOL\sysvol\<domain DNS name>\Policies.

Managing GPOs
To avoid replication conflicts, consider which domain controller you edit on, especially because GPO data lives in both SYSVOL and Active Directory, which are replicated by two independent mechanisms. If two administrators edit the same GPO on different domain controllers, one administrator's changes can overwrite the other's, depending on replication latency. By default the Group Policy Management Console connects to the PDC Emulator, so that all administrators work on the same domain controller.

WMI filters
WMI filters narrow the scope of a GPO based on attributes of the user or computer, extending the filtering available through security group filtering. A WMI filter is linked to a GPO; when the GPO is processed on a destination computer, the Group Policy client evaluates the filter's queries against that computer's WMI repository. If the queries return false, the GPO is not applied; if they return true, it is. Queries are written in the WMI Query Language (WQL), which resembles SQL.

Planning a Group Policy strategy for the enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration and deployment that provides the most efficient Group Policy management for your organization, and consider how you will implement Group Policy for the organization: delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility, so that the plan provides for ease of use as well as administration.

Planning GPOs
Create GPOs in the way that gives the simplest and most manageable design, one that uses inheritance and multiple links.

Guidelines for planning GPOs:

- Apply GPO settings at the highest level. This way, you take advantage of Group Policy inheritance. Determine the settings common to the largest container, starting with the domain, and link the GPO there.
- Reduce the number of GPOs. Use multiple links to one GPO instead of creating several identical GPOs, and link a GPO at the broadest possible container to avoid creating multiple links to the same GPO deeper in the tree.
- Create specialized GPOs. Use them to apply unique settings where necessary; GPOs at a higher level will not apply the settings in these specialized GPOs.
- Disable the computer or user configuration half. When a GPO contains settings for only one of the two halves, disable the other half: this speeds up startup or logon processing and prevents accidental settings from being applied to the other area.

Read more: http://wiki.answers.com/Q/What_are_GPOs#ixzz1NYp4SAFa

29. Describe the way GPO is applied throughout the domain.
Local, Site, Domain, OU. Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

30. What can you do to prevent inheritance from above?

31. How can you override blocking of inheritance?
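The precedence and inheritance rules behind questions 29 to 31 can be inspected and changed with the Group Policy PowerShell cmdlets. The following is an added example, not part of the original answers; it assumes the RSAT GroupPolicy module, and the OU, domain and GPO names in it are placeholders.

```powershell
# Added example (not from the original document): show GPO precedence on an
# OU, block inheritance from above (question 30) and enforce a parent link so
# that it still wins through the block (question 31).
# Assumes the GroupPolicy module from RSAT / Windows Server 2008 R2; the OU,
# domain and GPO names below are placeholders.
Import-Module GroupPolicy

$ouDn    = 'OU=Workstations,OU=Finance,DC=corp,DC=example,DC=com'   # placeholder
$domain  = 'DC=corp,DC=example,DC=com'                               # placeholder
$baseGpo = 'Corp Security Baseline'                                  # placeholder
$apply   = $false   # set to $true to actually change the domain

function Show-GpoPrecedence([string]$target) {
    $inh = Get-GPInheritance -Target $target
    "Container: {0}  (inheritance blocked: {1})" -f $inh.Path, $inh.GpoInheritanceBlocked
    # InheritedGpoLinks is the effective list in precedence order: entry 1 is
    # applied last and therefore wins conflicts. Enforced links from parent
    # containers sort to the top, which is how enforcement beats a block.
    $rank = 1
    foreach ($link in $inh.InheritedGpoLinks) {
        "{0,2}. {1,-28} from {2,-40} enforced={3,-5} enabled={4}" -f `
            ($rank++), $link.DisplayName, $link.Target, $link.Enforced, $link.Enabled
    }
}

"--- before ---"
Show-GpoPrecedence $ouDn

if ($apply) {
    # Question 30: stop non-enforced GPOs from parent containers applying here.
    Set-GPInheritance -Target $ouDn -IsBlocked Yes

    # Question 31: an enforced link cannot be blocked, so the baseline GPO
    # linked at the domain still reaches the OU and takes highest precedence.
    Set-GPLink -Name $baseGpo -Target $domain -Enforced Yes

    "--- after ---"
    Show-GpoPrecedence $ouDn
}
```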

32. Name some of the major changes in GPO in Windows Server 2008.
The following changes are available in Windows Server 2008 R2 and in Windows 7 with Remote Server Administration Tools (RSAT):
- Windows PowerShell Cmdlets for Group Policy: ability to manage Group Policy from the Windows PowerShell command line and to run PowerShell scripts during logon and startup
- Group Policy Preferences: additional types of preference items
- Starter Group Policy Objects: improvements to Starter GPOs
- Administrative Template Functionality: improved user interface
- Administrative Template Settings: new and changed policy settings

33. What are ADM files? What replaced them in Windows Server 2008?
In Windows Server 2003, group policies are stored in the .ADM file format. In Windows Vista and Longhorn Server, this file format has been replaced by the .ADMX file format. The .ADMX file format is based on XML, whereas .ADM files used their own proprietary file format. There are several major differences between the way that .ADMX files and .ADM files are implemented. One major difference is that while .ADM files were all-encompassing, there are actually two different files used by their .ADMX counterparts. ADMX files are divided into language-neutral files and language-specific files. This allows .ADMX files to be used in a variety of different languages. The language-neutral file contains the actual policy components. The language-specific file simply provides the text associated with the policy in various localizations. For example, you could have English, French, and Japanese language-specific files that all apply to the same language-neutral file. The location in which these files are stored has also changed. In Windows Server 2003, ADM files were stored in the %systemroot%\inf folder. In Windows Vista and in Longhorn Server, the language-neutral .ADMX files are stored in the %systemroot%\PolicyDefinitions folder. The language-specific files are stored in a subfolder whose name reflects the files' localization. For example, language-specific files for English are stored in the %systemroot%\PolicyDefinitions\en-us folder.

34. What's the GPO repository?

35. How do you use it?

36. What are GPO Preferences?

37. Which client OSs can use GPO Preferences?

38. What are GPO Templates?

40. What are WMI Filters?

41. What is the concept behind GPO Filtering?

42. How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
1. Group Policy Management Console (GPMC) can provide assistance when you need to troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and it can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information on a computer and user to list the policy settings which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
2. Gpresult.exe: click Start > Run > cmd > gpresult; this will also give you information on the applied group policies.

43. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Here the interviewer wants to know the troubleshooting steps: which GPO is applying? Is it applying to all users and computers? Which GPOs are implemented on the OU? Make sure the user is not subject to a loopback policy, because with loopback policy the user settings are not affected and only the computer policy is applicable. Is he a member of the GPO filter group or not?

You may also want to check the computer's event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.

Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether the relevant GPO actually applies to that user. A slow network can also be the cause; you can change the default setting by using the Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy: Administrative Templates\System\Logon\Always wait for the network at computer startup and logon. Identify which GPOs they correspond to, and verify that they are applicable to the computer/user (based on the output of RSOP.MSC/gpresult).
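A scripted version of the checks in questions 42 and 43, added here as an example (not from the original answers): it generates a Group Policy Results report in XML and prints which GPOs applied or were denied, and why. It assumes the GroupPolicy module and that the user has logged on to the computer at least once; computer and user names are placeholders, and the element names read from the XML are those produced by gpresult /x.

```powershell
# Added example (not from the original document): run a Group Policy Results
# query (same data as gpresult /x or the GPMC wizard) and list, per scope, the
# GPOs that applied and those that were filtered out, with the reason the
# client-side engine recorded.
# Assumes the GroupPolicy module; the computer and user names are placeholders
# and the user must have logged on to that computer at least once, otherwise
# there are no user results. The XML element names used here (Enabled,
# IsValid, FilterAllowed, AccessDenied, Link/SOMPath) are the ones gpresult /x
# emits; check them against your own report.
Import-Module GroupPolicy

$computer = 'WS01'        # placeholder
$user     = 'CORP\jdoe'   # placeholder
$report   = Join-Path $env:TEMP 'rsop.xml'

Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report

function Get-GpoOutcome($gpo) {
    # Mirrors the checks from question 43: security filtering (user/computer
    # not in the filter group), WMI filter false, disabled link, invalid GPO.
    if ($gpo.AccessDenied  -eq 'true')  { return 'DENIED: security filtering (not in filter group)' }
    if ($gpo.FilterAllowed -eq 'false') { return 'DENIED: WMI filter evaluated to false' }
    if ($gpo.Enabled       -eq 'false') { return 'DENIED: GPO or link disabled' }
    if ($gpo.IsValid       -eq 'false') { return 'DENIED: GPO inaccessible or invalid' }
    return 'APPLIED'
}

foreach ($scope in 'ComputerResults', 'UserResults') {
    "== $scope =="
    $node = $rsop.Rsop.$scope
    if (-not $node) { "   (no results)"; continue }
    foreach ($gpo in $node.GPO) {
        "{0,-35} linked at {1,-30} {2}" -f $gpo.Name, $gpo.Link.SOMPath, (Get-GpoOutcome $gpo)
    }
}
```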

44. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department.

45. How would you do that?

46. What are the major changes in AD in Windows Server 2008?
The following changes are available in Windows Server 2008 R2:

Active Directory Recycle Bin
Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object. Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources. This is the number one cause of Active Directory recovery scenarios. Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory Services (AD LDS) objects. This feature is enabled in AD DS at the Windows Server 2008 R2 forest functional level. For AD LDS, all replicas must be running in a new "application mode." For more information, see What's New in AD DS: Active Directory Recycle Bin.

Active Directory module for Windows PowerShell and Windows PowerShell cmdlets
The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. It provides predictable discovery and flexible output formatting. You can easily pipe cmdlets to build complex operations. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services. For more information, see What's New in AD DS: Active Directory Module for Windows PowerShell.

Active Directory Administrative Center
The Active Directory Administrative Center has a task-oriented administration model, with support for larger datasets. The Active Directory Administrative Center can help increase the productivity of IT professionals by providing a scalable, task-oriented user experience for managing AD DS. In the past, the lack of a task-oriented user interface (UI) could make certain activities, such as resetting user passwords, more difficult than they had to be. The Active Directory Administrative Center enumerates and organizes the activities that you perform when you manage a system. These activities may be maintenance tasks, such as backup; event-driven tasks, such as adding a user; or diagnostic tasks that you perform to correct system failures. For more information, see What's New in AD DS: Active Directory Administrative Center.

Active Directory Best Practices Analyzer
The Active Directory Best Practices Analyzer (BPA) identifies deviations from best practices to help IT professionals better manage their Active Directory deployments. BPA uses Windows PowerShell cmdlets to gather run-time data. It analyzes Active Directory settings that can cause unexpected behavior. It then makes Active Directory configuration recommendations in the context of your deployment. The Active Directory BPA is available in Server Manager. For more information, see What's New in AD DS: Active Directory Best Practices Analyzer.

Active Directory Web Services
Active Directory Web Services (ADWS) provides a Web service interface to Active Directory domains and AD LDS instances, including snapshots, that are running on the same Windows Server 2008 R2 server as ADWS. For more information, see What's New in AD DS: Active Directory Web Services.

Authentication mechanism assurance
Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method. Administrators can map various properties, including authentication type and authentication strength, to an identity. Based on information that is obtained during authentication, these identities are added to Kerberos tickets for use by applications. This feature is enabled at the Windows Server 2008 R2 domain functional level. For more information, see What's New in AD DS: Authentication Mechanism Assurance.

Offline domain join
Offline domain join makes provisioning of computers easier in a datacenter. It provides the ability to preprovision computer accounts in the domain to prepare operating system images for mass deployment. Computers are joined to the domain when they first start. This reduces the steps and time necessary to deploy computers in a datacenter. For more information, see What's New in AD DS: Offline Domain Join.

Managed Service Accounts
Managed Service Accounts provide simple management of service accounts. At the Windows Server 2008 R2 domain functional level, this feature provides better management of service principal names (SPNs). Managed Service Accounts help lower total cost of ownership (TCO) by reducing service outages (for manual password resets and related issues). You can run one Managed Service Account for each service that is running on a server, without any human intervention for password management. For more information, see the Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134695).

Active Directory Management Pack
The Active Directory Management Pack enables proactive monitoring of availability and performance of AD DS. It discovers and detects computer and software states, and it is aligned with the health state definitions. The Active Directory Management Pack works with Windows Server 2008 and Windows Server 2008 R2 and Microsoft System Center Operations Manager 2007.

Bridgehead Server Selection
The bridgehead server selection process enables domain controllers to load balance incoming connections. The new logic for bridgehead server selection allows for even distribution of workload among bridgehead servers. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?LinkId=208721).

y

y

47. What are the major changes in AD in Windows Server 2008 R2?

48. What is the AD Recycle Bin?
Starting in Windows Server 2008 R2, Active Directory implements a true recycle bin. No longer will you need an authoritative restore to recover deleted users, groups, OUs, or other objects. Instead, it is now possible to use PowerShell commands to bring back objects with all their attributes, backlinks, group memberships, and metadata. AD Recycle Bin (ADRB) was a long time coming and it definitely has its idiosyncrasies.

49. How do you use it?

50. What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. The value is stored on the Directory Service object in the configuration NC. By default it is 60 days for Windows 2000 and 180 days for Windows Server 2003.

52. What are AD Snapshots?

This feature is currently known as the Database Mounting Tool (DMT), which is better than the previous name of Data Mining Tool. Who knows what we'll end up calling this at RTM, but I like the previous name Snapshot Viewer the best, so this is what I entitled the post. DMT allows you to quickly take snapshots of your AD database at any point in time and view those snapshots using the LDP viewer of your choice. At first I was extremely excited about this feature, but after realizing the command-line action you have to go through in order to do this (see below), it killed my buzz a little bit. If you compare this to automating ldifde/csvde backups of your AD, I can see these advantages to snapshots:

- You can mount a snapshot and attach GUI LDP tools to it. The ldifde/csvde method doesn't do this.
- You can back up the entire database in one shot. Ldifde/csvde only allows a single DN or partition per shot.
- The ldifde/csvde dump of your entire partition is in clear text and snapshots are not. However, from a security standpoint there's not much difference, considering that if someone has the snapshot file they can also open it up, just not as easily.

53. How do you use them? 54. What is Offline Domain Join?

55. How do you use it?

56. What are Fine-Grained Passwords?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

57. How do you use them?
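As an added example for questions 56 and 57 (not part of the original document): a fine-grained password policy that is stricter than the domain default for a privileged-accounts group, plus a check of the policy that actually applies to a given user. It assumes the Active Directory module and a domain functional level of at least Windows Server 2008; the policy, group and account names are placeholders.

```powershell
# Added example (not from the original document): create a fine-grained
# password policy (PSO) with stricter settings for a privileged-accounts
# group than the Default Domain Policy, and verify which policy applies.
# Assumes the Active Directory module (Windows Server 2008 R2 / RSAT) and a
# domain at the Windows Server 2008 functional level or higher; the policy,
# group and account names are placeholders.
Import-Module ActiveDirectory

$policyName = 'PSO-PrivilegedAccounts'   # placeholder
$group      = 'Tier0-Admins'             # placeholder global security group

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' -ProtectedFromAccidentalDeletion $true

# PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group

# Verify: a member of the group resolves to the PSO, while a user outside it
# still gets the Default Domain Policy (the cmdlet then returns nothing).
function Get-EffectivePasswordPolicyName([string]$sam) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}
Get-EffectivePasswordPolicyName 'admin.jdoe'   # placeholder: member of Tier0-Admins
Get-EffectivePasswordPolicyName 'jdoe'         # placeholder: ordinary user
```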

58. Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2. What is this feature good for?

Restartable AD DS is a feature in Windows Server 2008 that you can use to perform routine maintenance tasks on a domain controller, such as applying updates or performing offline defragmentation, without restarting the server. While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Microsoft Windows 2000 Server or Windows Server 2003.

While AD DS is stopped, you can continue to log on to the domain by using a domain account if other domain controllers are available to service the logon request. You can also log on to the domain with a domain account while the domain controller is started in Directory Services Restore Mode (DSRM) if other domain controllers are available to service the logon request. If no other domain controller is available, you can log on to the domain controller where AD DS is stopped in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.

You can change the default by modifying the DsrmAdminLogonBehavior registry entry. By modifying the value for that registry entry, you can log on using the DSRM Administrator account in normal startup mode to a domain controller that has AD DS stopped even if no other domain controller is available. You do not need to start the domain controller in DSRM. This can help prevent you from getting inadvertently locked out of a domain controller to which you have logged on locally and stopped the AD DS service. For more information, see Modifying the default logon behavior.

You cannot run the dcpromo command normally to remove AD DS from a domain controller while AD DS is stopped. However, you can run dcpromo /forceremoval to forcefully remove AD DS from a domain controller while AD DS is stopped. For more information about how to forcefully remove AD DS, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal.
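Because the DsrmAdminLogonBehavior entry mentioned above decides when the DSRM Administrator account can log on, it is worth auditing across all domain controllers. The following is an added example, not from the original document; it assumes the Active Directory module and WinRM access to the DCs, and the value meanings noted in the comments are the documented ones for that registry entry.

```powershell
# Added example (not from the original document): audit DsrmAdminLogonBehavior
# on every domain controller together with the state of the AD DS (NTDS)
# service. The value decides when the DSRM Administrator account may log on:
# 0 (default, or entry absent) only in DSRM; 1 also in normal startup while
# AD DS is stopped; 2 always. Value 2 turns a local recovery account into a
# standing logon path to the DC and should be reviewed.
# Assumes the Active Directory module and WinRM access to the DCs.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $regPath -ScriptBlock {
    param($path)
    $prop  = Get-ItemProperty -Path $path -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    $value = if ($prop) { [int]$prop.DsrmAdminLogonBehavior } else { 0 }
    New-Object PSObject -Property @{
        DC        = $env:COMPUTERNAME
        Value     = $value
        NtdsState = (Get-Service -Name NTDS).Status.ToString()
    }
}

function Get-DsrmLogonMeaning([int]$value) {
    switch ($value) {
        0       { 'DSRM only (default)' }
        1       { 'normal mode while AD DS is stopped' }
        2       { 'ALWAYS - review this DC' }
        default { 'unexpected value' }
    }
}

$results | Sort-Object DC | ForEach-Object {
    "{0,-16} DsrmAdminLogonBehavior={1}  {2,-36} NTDS={3}" -f `
        $_.DC, $_.Value, (Get-DsrmLogonMeaning $_.Value), $_.NtdsState
}
```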

59. What are the changes in auditing in Windows Server 2008/R2?

60. How can you forcibly remove AD from a server, and what do you do later?

61. Can I get user passwords from the AD database?
The passwords in AD are not stored encrypted by default, so they cannot be decrypted; they are stored as hashes. The only way to recover a password from a hash is with some sort of cracking tool that attempts to guess the password behind the hash (such tools exist).

62. What tool would I use to try to grab security-related packets from the wire?
A good packet sniffer would be Ethereal (now Wireshark) or tcpdump. On your own network you must also use sniffer-detecting tools to help stop the snoops.

63. Talk about PowerShell and AD.

64. How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.

You frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup to enable an authoritative restore of the data when necessary.

System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online and other network functions can continue to operate. System state data on a domain controller includes the following components:
- Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
- The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
- The Registry: This database repository contains information about the computer's configuration.
- System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.
- The COM+ Class Registration database: The Class Registration database contains information about Component Services applications.
- The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.

System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once the replication is finished, each partner has an updated version of Active Directory. Another way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure your domain controller again or install the operating system from scratch.

Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
- Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on a local computer, or a user must have been delegated the responsibility to perform the restore. On a domain controller, only Domain Admins can perform this restore.
- Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
- Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore to recover individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore, along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored data during replication.

65. How do you restore AD?

66. Talk about Windows Backup and AD backups.

67. How do you change the DS Restore admin password?
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   - To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
   - To reset the password for another server, type reset password on server servername, where servername is the DNS name of the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

68. Why can't you restore a DC that was backed up 7 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
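Questions 48, 50 and 68 fit together: the tombstone lifetime bounds both how old a usable backup can be and, with the Recycle Bin, how long a deleted object stays fully recoverable. The following added example (not from the original document) reads the lifetimes, tests a backup date against them and restores a deleted object; it assumes the Active Directory module and the Windows Server 2008 R2 forest functional level, and the account name and backup age are placeholders.

```powershell
# Added example (not from the original document): read the forest's tombstone
# lifetime and deleted-object lifetime, test whether a backup of a given age is
# still restorable (question 68), and use the Recycle Bin (questions 48/49) to
# list and restore a deleted object with its attributes intact.
# Assumes the Active Directory module and, for the Recycle Bin part, the
# Windows Server 2008 R2 forest functional level; the deleted account name and
# the backup date are placeholders.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsDn    = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
$dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# tombstoneLifetime is absent in forests created before Windows Server 2003
# SP1; the effective value is then the old default of 60 days. The deleted-
# object lifetime (Recycle Bin) falls back to the tombstone lifetime.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$dol = if ($dsObj.'msDS-DeletedObjectLifetime') { [int]$dsObj.'msDS-DeletedObjectLifetime' } else { $tsl }
"Tombstone lifetime: $tsl days; deleted-object lifetime: $dol days"

# A system state backup older than the tombstone lifetime is refused for
# restore, because it would reintroduce objects whose tombstones are gone.
function Test-BackupUsable([datetime]$backupDate, [int]$tombstoneDays) {
    ((Get-Date) - $backupDate).TotalDays -lt $tombstoneDays
}
$sevenMonthsAgo = (Get-Date).AddMonths(-7)   # placeholder backup date
"Seven-month-old backup usable: " + (Test-BackupUsable $sevenMonthsAgo $tsl)   # False

# Recycle Bin: is the optional feature enabled for this forest?
$rb = Get-ADOptionalFeature -Filter { name -eq 'Recycle Bin Feature' }
if (-not $rb.EnabledScopes) {
    "Recycle Bin is not enabled. Enabling it is irreversible:"
    "  Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target " + (Get-ADForest).Name
} else {
    # Deleted objects sit under CN=Deleted Objects and are hidden from normal
    # searches; -IncludeDeletedObjects makes them visible.
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged

    # Restore one object (placeholder name). Unlike an authoritative restore
    # of a tombstone, group memberships, backlinks and other attributes return.
    Get-ADObject -Filter { isDeleted -eq $true -and name -like 'jdoe*' } -IncludeDeletedObjects |
        Restore-ADObject
}
```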

69. What's NTDSUTIL? When do you use it?
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

70. What are RODCs?
When physical security is lacking, it becomes essential to increase the focus on data security. Windows Server 2008 and R2 provide some new ways to do so that seem uniquely tailored for environments like remote offices where physical security may not be as tight. Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in the Windows Server systems. They represent a fundamental change to how you'd typically use domain controllers (DCs). Because many of RODCs' new capabilities impact key aspects of the design and deployment process, it's important to understand how you can leverage them in your enterprise. There are also critical design and planning considerations you must take into account before introducing them into your environment.

RODCs are DCs that host complete, read-only copies of Active Directory database partitions, a read-only copy of SYSVOL, and a Filtered Attribute Set (FAS) that restricts the inbound replication of certain application data from writable DCs. The most common environments for RODCs using AD DS are still branch offices. These types of environments are typically end points in a hub-and-spoke network topology. They're widely distributed geographically and in large numbers, they individually host small user populations, and they connect to hub sites by slow, unreliable network links. Additionally, they often lack local, experienced administrators.

For branch offices already hosting writable DCs, it's probably unnecessary to deploy RODCs. In this scenario, however, RODCs may not only meet existing AD DS-related requirements but also exceed them with regard to tighter security, enhanced management, simplified architecture and lower total cost of ownership (TCO). For locations where security or manageability requirements prohibit using DCs, RODCs can help you introduce DCs into the environment and provide a number of beneficial, localized services.

Although the new features and benefits make evaluating RODCs compelling, there are additional factors to consider, like application compatibility issues and service impact conditions. These could render RODC deployments unacceptable for certain environments. For example, because many directory-enabled applications and services read data from AD DS, they should continue to function and work with an RODC. However, if certain applications require writable access at all times, an RODC may not be acceptable. RODCs also depend on network connectivity to a writable DC for write operations. Although failed write operations may be the cause of most well-known application-related issues, there are other issues to consider, such as inefficient or failed read operations, failed write-read-back operations, and general application failures associated with the RODC itself.

Besides application issues, fundamental user and computer operations can be affected when connectivity to a writable DC is disrupted or lost. For example, basic authentication services may fail if account passwords are not both cacheable and cached locally on the RODC. You can easily mitigate this issue by making accounts cacheable through an RODC's Password Replication Policy (PRP), and then caching the passwords through pre-population. Performing these steps also requires connectivity to a writable DC. Along with other authentication issues, password expirations and account lockouts are significantly impacted when connectivity to a writable DC is unavailable. Password change requests and any attempts to manually unlock a locked account will continue to fail until connectivity to a writable DC is restored. Understanding these dependencies and subsequent changes in operational behavior is critical to meeting your requirements and any service level agreements (SLAs).

There are several general scenarios in which you can deploy RODCs. They're useful in locations that don't have existing DCs, or in locations that currently host DCs that will either be replaced or upgraded to a newer version of Windows. Although there are comprehensive planning considerations specific to each scenario, we'll focus here on non-specific approaches. They are, however, distinct to RODCs, rather than to traditional writable DCs.

71. What are the major benefits of using RODCs?

72. How do you install an RODC?

73. Talk about RODCs and passwords.

74. What is Read Only DNS?
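For question 73, an added example (not from the original document) of working with an RODC's Password Replication Policy as described above: list the policy, make a branch group cacheable, pre-populate its passwords and confirm that no privileged account is cached. It assumes the Active Directory module and repadmin; the RODC, group and user names are placeholders.

```powershell
# Added example (not from the original document): review an RODC's Password
# Replication Policy (PRP), make a branch group cacheable, pre-populate its
# passwords while a writable DC is reachable, and confirm that privileged
# accounts are never cached on the RODC.
# Assumes the Active Directory module and repadmin; the RODC, group and
# privileged-group names are placeholders.
Import-Module ActiveDirectory

$rodc  = 'RODC-BRANCH01'    # placeholder
$group = 'Branch01-Users'   # placeholder

# Current Allowed and Denied lists on the RODC's PRP.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Make the branch users cacheable; without this, authentication at the branch
# fails as soon as the link to a writable DC is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Pre-populate: a secret is normally cached only on the account's first logon
# through the RODC, so push the branch users' secrets now.
# Syntax: repadmin /rodcpwdrepl <RODC> <source writable DC> <user DN> [...]
$hub = [string](Get-ADDomainController -Discover -Writable).HostName
foreach ($u in (Get-ADGroupMember $group -Recursive | Where-Object { $_.objectClass -eq 'user' })) {
    repadmin /rodcpwdrepl $rodc $hub $u.DistinguishedName | Out-Null
}

# Verify: which accounts actually have secrets on the RODC, and do any belong
# to a protected admin group? The built-in Denied RODC Password Replication
# Group covers the built-in admin groups; custom ones must be denied explicitly.
function Get-CachedPrivilegedAccounts([string]$rodcName, [string[]]$privGroups) {
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts
    $priv   = $privGroups | ForEach-Object { Get-ADGroupMember $_ -Recursive } |
              Select-Object -ExpandProperty DistinguishedName
    $cached | Where-Object { $priv -contains $_.DistinguishedName }
}
Get-CachedPrivilegedAccounts $rodc @('Domain Admins', 'Tier0-Admins')   # expect no output
```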

DNS Server and DNS Server Roles Overview
Before DNS, HOSTS files were used to resolve host names to IP addresses. The HOSTS files were manually maintained by administrators. The HOSTS file was located on a centrally administered server on the Internet. Because of the shortcomings of the HOSTS files, DNS was designed and introduced. From the days of Windows NT Server 4.0, DNS has been included with the operating system. DNS is a hierarchically distributed and scalable database. DNS provides name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients.

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. A DNS server is a computer running the DNS Server service, or BIND, that provides domain name services. The DNS server manages the DNS database that is located on it. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the DNS server. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution. When a DNS server is queried for name resolution, it can respond to the request directly by providing the requested information, provide a pointer (referral) to another DNS server that can assist in resolving the query, or respond that the information is unavailable or that it does not exist. A DNS server is authoritative for the contiguous portion of the DNS namespace over which it resides. You can configure different server roles for your DNS servers. The server role that you configure for a name server affects the following operations of the server:
- The way in which the DNS server stores DNS data
- The way in which the DNS server maintains data
- Whether the DNS data in the database file can be directly edited

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone. There are a number of zone types used in Windows Server 2003 DNS:
- Primary zone: This is the only zone type that can be directly updated or edited, because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone.
- Secondary zone: This is a read-only copy of the zone that was copied from the master server during zone transfer.
- Active Directory-integrated zone: This is an authoritative primary zone that stores its data in Active Directory. Active Directory-integrated zones can be regarded as enhanced standard primary zones.
- Stub zone: Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone.

Standard secondary DNS servers are usually implemented to provide a number of features for the DNS environment, including:

- Redundancy: It is recommended to install one primary DNS server and one secondary DNS server for each DNS zone (minimum requirement). Install the DNS servers on different subnets so that if one DNS server fails, the other DNS server can continue to resolve queries.
- Distribution of DNS processing load: Implementing secondary DNS servers assists in reducing the load on the primary DNS server.
- Fast access for clients in remote locations: Secondary DNS servers can also prevent clients from traversing slow links for name resolution requests.

In addition to the two server roles just mentioned, you can also configure the DNS server as a DNS forwarder or as a caching-only DNS server. The remainder of this section focuses on the different DNS server roles that you can configure for your DNS servers.

Understanding Standard Primary DNS Servers

A standard primary DNS server is a name server that obtains zone data from the local DNS database. This makes the primary DNS server authoritative for the zone data that it contains. When a change needs to be made to the resource records of the zone, it has to be done on the primary DNS server so that it can be included in the local zone database. A DNS primary server is created when a new primary zone is added. The primary server that is created becomes the mechanism for updating the specific primary zone. When a query is sent to the standard primary DNS server for name resolution, the following events take place:

1. The request for name resolution is sent to the primary DNS server.
2. The primary DNS server compares the requested name to the information it contains in its local zone database.
3. If the primary DNS server locates a match for the queried name, the requested information is returned to the client.
4. If the DNS server cannot find a matching record in its local zone database file, the DNS server then attempts a number of name resolution methods to resolve the request on behalf of the client.
5. If all attempts at name resolution are unsuccessful, the DNS server returns an error message to the client.

Understanding Standard Secondary DNS Servers

This DNS server type obtains a read-only copy of zone information through DNS zone transfers. A secondary DNS server cannot make any changes to the information contained in its read-only zone copy; it can, however, resolve queries for name resolution. Secondary DNS servers are usually implemented to provide fault tolerance, provide fast access for clients in remote locations, and to distribute the DNS server processing load evenly. If a secondary DNS server is implemented, that DNS server can continue to handle queries when the primary DNS server becomes unavailable. Secondary DNS servers also assist in reducing the processing load of the primary DNS server. It is recommended to install at least one primary DNS server and one secondary DNS server for each DNS zone.

A secondary DNS server obtains its data from the primary DNS server's zone database, as a copy of that database. During zone transfer, the primary DNS server's zone database is replicated to the secondary DNS server. All changes have to be made on the primary zone and then replicated to the secondary DNS server through DNS zone transfer.

DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated, so that they know when to initiate a zone transfer to replicate the primary DNS server's updates. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS server.
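The DNS Notify and zone transfer mechanism described above can be verified from the secondary's side by comparing SOA serial numbers. The following PowerShell is an added example written for this page, not code from the original Q&A or from Microsoft. It assumes the DnsClient module's Resolve-DnsName (Windows 8 / Windows Server 2012 and later) and, for the optional forced transfer, the DnsServer module's Start-DnsServerZoneTransfer; the server and zone names are placeholders. It goes slightly beyond the text by using RFC 1982 serial arithmetic, which is what a secondary actually uses to decide whether the master's copy is newer.

```powershell
# Added example for this page (not code from the original Q&A or from Microsoft).
# Assumes Resolve-DnsName (DnsClient module) and, for -ForceTransfer,
# Start-DnsServerZoneTransfer (DnsServer module) against a Windows DNS secondary.

function Get-ZoneSerial {
    # Ask one specific server for the zone's SOA record and return its serial.
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Server
    )
    # -DnsOnly bypasses the local cache and hosts file so we see that server's answer.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    return [uint32]$soa.SerialNumber
}

function Test-SerialNewer {
    # RFC 1982 serial number arithmetic: $a is newer than $b when the 32-bit
    # wrap-around difference lies in (0, 2^31). A plain "greater than" breaks
    # once a serial wraps past 4294967295.
    param([uint32]$a, [uint32]$b)
    $diff = [int64]$a - [int64]$b
    if ($diff -lt 0) { $diff += 4294967296 }
    return ($diff -gt 0 -and $diff -lt 2147483648)
}

function Test-SecondaryInSync {
    # Compare the master's serial with the secondary's. A secondary that stays
    # behind after a NOTIFY has a broken transfer path (ACL, firewall, or a
    # master that does not list it in its notify set).
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Master,
        [Parameter(Mandatory)][string]$Secondary,
        [switch]$ForceTransfer   # pull a full transfer now instead of waiting for NOTIFY/refresh
    )
    $m = Get-ZoneSerial -Zone $Zone -Server $Master
    $s = Get-ZoneSerial -Zone $Zone -Server $Secondary
    $stale = Test-SerialNewer -a $m -b $s
    [pscustomobject]@{
        Zone = $Zone; MasterSerial = $m; SecondarySerial = $s; SecondaryStale = $stale
    }
    if ($stale -and $ForceTransfer) {
        # Same effect as "Transfer from Master" in the DNS console.
        Start-DnsServerZoneTransfer -Name $Zone -ComputerName $Secondary -FullTransfer
    }
}

# Usage (placeholder names):
# Test-SecondaryInSync -Zone 'corp.example' -Master 'dns1.corp.example' -Secondary 'dns2.corp.example'
```

Run it from a management host that can query both servers on UDP/TCP 53; if SecondaryStale is true repeatedly, look at the zone's zone transfer tab on the master before forcing a transfer, because the forced pull will fail for the same reason the notified one did.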

Understanding Caching-Only DNS Servers

The main characteristics of caching-only DNS servers are:

- Caching-only DNS servers do not host zones.
- They are not authoritative for any DNS domain.
- The information stored by a caching-only DNS server is the name resolution data that it has collected through name resolution queries.

A caching-only DNS server just performs queries and then stores the results of these queries. All information stored on the caching-only DNS server is therefore only that data which has been cached while the server performed queries. Caching-only DNS servers only cache information when the queries have been resolved. When a caching-only DNS server starts for the first time, it has no cached information; it collects information as it sends and resolves queries. One of the main advantages of implementing caching-only DNS servers is that they are excluded from the zone transfer process, and therefore do not generate network traffic from zone transfers.

Understanding Master DNS Servers

The servers from which secondary DNS servers obtain zone information in the DNS hierarchy are called master servers. When a secondary DNS server is configured, you have to specify the master server from which it will obtain zone information. Zone transfer enables a secondary DNS server to obtain zone information from its configured primary DNS server, and enables these servers to continue handling queries if the primary DNS server fails. In this case, the primary DNS server is the master server of the secondary DNS server. A secondary DNS server can also transfer its zone data to other secondary DNS servers that are beneath it in the DNS hierarchy. In this case, the secondary DNS server is regarded as the master server of the other subordinate secondary DNS servers. A secondary DNS server initiates the zone transfer process from its particular master server when it is brought online.

Understanding Dynamic DNS Servers

Windows 2000, Windows XP and Windows Server 2003 computers can dynamically update the resource records of a DNS server when a client's IP addressing information is added or renewed via Dynamic Host Configuration Protocol (DHCP). Both DHCP and Dynamic DNS (DDNS) updates make this possible. When dynamic DNS updates are enabled, a client sends a message to the DNS server when changes are made to its IP addressing data. This indicates to the DNS server that the A type resource record of the client needs to be updated.

How to implement a caching-only DNS server

1. Open Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
3. The Windows Components Wizard starts.
4. Click Networking Services, and then click Details.
5. In the Networking Services dialog box, select the checkbox for Domain Name System (DNS) in the list.
6. Click OK. Click Next.
7. Click Finish.
8. Do not add or configure any zones for the DNS server. The DNS Server service functions as a caching-only DNS server by default, so no further configuration is necessary to set up a caching-only DNS server.
9. Verify that the server root hints are configured correctly.

How to add a new zone to a DNS server

1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
2. In the console tree, find and select the DNS server on which you want to create a new DNS zone.
3. From the Action menu, click the New Zone option.
4. On the initial page of the New Zone Wizard, click Next.
5. Select the zone type that you want to create. The options are:
   o Primary, to create a new standard primary zone.
   o Secondary, to create a copy of the primary zone.
   o Stub, to create a copy of the zone that contains only the NS records, the SOA record, and the glue A records.
6. Select the default selected option, Primary zone.
7. To integrate the new zone with Active Directory, and if the DNS server is a domain controller, select the Store the zone in Active Directory (available only if DNS server is a domain controller) checkbox.
8. Click Next.
9. On the Active Directory Zone Replication Scope page, accept the default setting for DNS replication: To all domain controllers in the Active Directory domain. Click Next.
10. Select the Forward lookup zone option on the following page which is displayed by the New Zone Wizard, and then click Next.
11. Enter a zone name for the new zone. Click Next. The options that you can select on the following page with regard to dynamic updates are:
   o Allow only secure dynamic updates (recommended for Active Directory): This option is only available if you are using Active Directory-integrated zones.
   o Allow both non-secure and secure dynamic updates: Select this option with caution!
   o Do not allow dynamic updates: You have to manually update zone information and resource records.
12. Choose the best option for your circumstance, and then click Next.
13. Click Finish to add the new zone to your DNS server.

How to enable dynamic updating on your DNS servers

Active Directory-integrated zones are set up to only allow secure dynamic updates.

1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
2. In the console tree, expand the DNS server node that contains the authoritative zone that you want to work with.
3. Expand the Forward Lookup Zones folder.
4. Locate the specific zone that you want to configure.
5. Right-click the zone, and then select Properties on the shortcut menu.
6. When the Zone's Properties dialog box opens, leave the General tab displayed.
7. The options available in the Dynamic updates: list box are:
   o None
   o Non-secure and secure
   o Secure only
8. Select the Secure only option, and then click OK.

How to disable dynamic updates for a host computer or interface

You can also disable dynamic updates for a host computer, for a specific interface on that computer, or for multiple interfaces on the computer.

1. Open the Registry Editor tool.
2. In the left pane, expand the HKEY_LOCAL_MACHINE key, expand System, expand CurrentControlSet, and then expand Services.
3. Locate Tcpip, and then expand this node as well.
4. Find the Parameters node.
5. To disable dynamic updates for the host computer, click the Parameters node. In the details pane, double-click the DisableDynamicUpdate entry. Change the value data of DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.
6. To disable dynamic updates for a single interface, expand the Parameters node, and then expand the Interfaces node. Select the interface, and then double-click the DisableDynamicUpdate entry in the details pane. Change the value data of DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.
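The three dynamic-update settings offered by the zone wizard and the per-host DisableDynamicUpdate value above are what an auditor checks when deciding whether unauthenticated hosts can rewrite zone data. The following PowerShell is an added example written for this page, not code from the original Q&A or from Microsoft. It assumes the DnsServer module (Get-DnsServerZone and Set-DnsServerPrimaryZone, Windows Server 2012 and later); the registry path it reads is the one given in the procedure above, and the computer name defaults to the local machine.

```powershell
# Added example for this page (not code from the original Q&A or from Microsoft).
# Assumes the DnsServer module for the zone side; the registry side needs
# nothing beyond built-in providers.

function Get-DnsZoneUpdatePolicy {
    # Zone side: list every primary zone with its dynamic-update setting and
    # the risk that setting implies. "NonsecureAndSecure" is the wizard's
    # "Allow both non-secure and secure dynamic updates" choice.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            $z = $_   # keep a handle; $_ is rebound inside the switch below
            $risk = switch ($z.DynamicUpdate) {
                'NonsecureAndSecure' { 'HIGH: any host can add or overwrite records without authenticating' }
                'Secure'             { 'OK: updates must be Kerberos-authenticated (GSS-TSIG)' }
                default              { 'Manual: no dynamic updates accepted' }
            }
            [pscustomobject]@{
                Zone          = $z.ZoneName
                ADIntegrated  = $z.IsDsIntegrated
                DynamicUpdate = $z.DynamicUpdate
                Risk          = $risk
            }
        }
}

function Set-DnsZoneSecureUpdate {
    # Remediation: the same change as choosing "Secure only" on the zone's
    # General tab. Only AD-integrated zones accept this value.
    param(
        [Parameter(Mandatory)][string]$Zone,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Set-DnsServerPrimaryZone -Name $Zone -ComputerName $ComputerName -DynamicUpdate Secure -PassThru
}

function Get-HostDynamicUpdateState {
    # Host side: read DisableDynamicUpdate for the whole stack and per interface.
    # A null value means the entry does not exist, i.e. updates are enabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $global = (Get-ItemProperty -Path $base -Name DisableDynamicUpdate -ErrorAction SilentlyContinue).DisableDynamicUpdate
    [pscustomobject]@{ Scope = 'Host'; Interface = '-'; DisableDynamicUpdate = $global }
    Get-ChildItem -Path "$base\Interfaces" | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -Name DisableDynamicUpdate -ErrorAction SilentlyContinue).DisableDynamicUpdate
        [pscustomobject]@{ Scope = 'Interface'; Interface = $_.PSChildName; DisableDynamicUpdate = $v }
    }
}

# Usage:
# Get-DnsZoneUpdatePolicy | Format-Table -AutoSize
# Get-HostDynamicUpdateState | Format-Table -AutoSize
# Set-DnsZoneSecureUpdate -Zone 'corp.example'   # placeholder zone name
```

Run the zone audit on each DNS server rather than once, because standard primary zones are not replicated and a non-secure setting on one server is invisible from the others.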

How to test a query on a DNS server

1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
2. In the console tree, right-click the DNS server that you want to test and then select Properties on the shortcut menu.
3. When the DNS Server's Properties dialog box opens, click the Monitoring tab.
4. You can choose to perform a simple query test, a recursive query test, or you can specify that the DNS server automatically performs testing at an interval that you set.
5. In the Select A Test Type area of the Monitoring tab, select the A Simple Query Against This DNS Server checkbox.
6. Click the Test Now button.
7. The Test Results area of the tab displays the results of the test.
8. Click OK.

75. What happens when a remote site with an RODC loses connectivity to the main site?

76. Talk about Server Core and AD.

Server Core is a new feature in the Windows Server world. It installs a command-line administration-only version of Windows Server 2008 that helps reduce the attack surface of the server. Traditionally, there are many attack options on a Microsoft server, and you, the administrator, need to be aware of that and take action to ensure security. However, with Server Core, less code is installed (that is, there is a smaller footprint), and with that reduction in code comes a reduction in the number of places an attacker can hit. Fewer moving parts equals fewer vulnerabilities.

The supported roles in Server Core include the following:

- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Internet Information Services (IIS)
- Print Services
- Streaming Media Services
- Windows Virtualization (Hyper-V)

77. How do you promote a Server Core to DC?

78. What are the FSMO roles? Who has them by default? What happens when each one fails?

79. How can you tell who holds each FSMO role? Name 2-3 methods.

80. What FSMO placement considerations do you know of?

81. You want to look at the RID allocation table for a DC. What do you need to do?
1. Install the Support Tools from the OS installation disk (Support\Tools\suptools.msi).
2. At a command prompt, type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).

82. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Seizing an FSMO role can be a destructive process and should only be attempted if the existing server with the FSMO role is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.

NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

- An administrator reassigns the role by using a GUI administrative tool.
- An administrator reassigns the role by using the ntdsutil /roles command.
- An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

- The current role holder is operational and can be accessed on the network by the new FSMO owner.
- You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
- The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

- The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
- A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
- The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds. The partition for each FSMO role is in the following list:

FSMO role              Partition
Schema                 CN=Schema,CN=configuration,DC=
Domain Naming Master   CN=configuration,DC=
PDC                    DC=
RID                    DC=
Infrastructure         DC=

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
   Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the FSMO role table above. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the FSMO role table above. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes

o Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, see Microsoft Knowledge Base article 223346 (http://support.microsoft.com/kb/223346/), FSMO placement and optimization on Windows 2000 domain controllers.
o If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in Microsoft Knowledge Base article 216498 (http://support.microsoft.com/kb/216498/), How to remove data in active directory after an unsuccessful domain controller demotion.
o Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server, it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-First-Site-Name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
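As an added PowerShell example, not code from the original Q&A or from Microsoft, the following pulls together the FSMO material above: it enumerates the role holders (one of the methods asked for in question 79), checks the Infrastructure master against the global catalog placement note, and wraps the transfer-versus-seize decision so that a seize is only attempted when the current holder is unreachable and the Schema master is never seized while its holder might return. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); domain controller names passed to it are placeholders, and the "every DC is a GC" exception in the placement check is standard Microsoft guidance that this page does not itself state.

```powershell
# Added example for this page (not code from the original Q&A or from Microsoft).
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
# Domain controller names passed to these functions are placeholders.

function Get-FsmoHolder {
    # One way to answer "who holds each FSMO role": the forest object carries
    # the two forest-wide roles, the domain object the three domain-wide roles.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Flags the placement problem noted above: an Infrastructure master on a
    # global catalog stops updating cross-domain references. The exception
    # (Microsoft guidance, not on this page): harmless when every DC in the
    # domain is a GC, because then there is nothing left to update.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $im     = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $imIsGc = [bool]($dcs | Where-Object HostName -eq $im).IsGlobalCatalog
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    [pscustomobject]@{
        InfrastructureMaster = $im
        IsGlobalCatalog      = $imIsGc
        AllDcsAreGc          = $allGc
        Misplaced            = ($imIsGc -and -not $allGc)
    }
}

function Move-FsmoRole {
    # Transfer when the current holder answers; seize (-Force) only when it
    # does not AND the caller asks for it. The Schema master is never seized
    # unless the caller asserts the old holder is permanently off the network,
    # which is the condition the text above attaches to that role.
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize,
        [switch]$OldHolderPermanentlyRemoved
    )
    $current = (Get-FsmoHolder).$Role
    if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
        # Graceful transfer: old and new holder both take part, so no two DCs
        # ever believe they own the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
    }
    elseif (-not $Seize) {
        throw "$current is unreachable, so $Role cannot be transferred. Re-run with -Seize only if $current is not coming back."
    }
    elseif ($Role -eq 'SchemaMaster' -and -not $OldHolderPermanentlyRemoved) {
        throw "Refusing to seize SchemaMaster: a temporarily unavailable schema master must not be seized."
    }
    else {
        # -Force seizes the role when the transfer cannot be negotiated with the old holder.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
        Write-Warning "Seized $Role from $current. Do not reconnect $current to the forest; remove it with ntdsutil metadata cleanup and rebuild it."
    }
    (Get-FsmoHolder).$Role   # report the holder after the operation
}

# Usage (placeholder names):
# Get-FsmoHolder
# Test-InfrastructureMasterPlacement
# Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator
# Move-FsmoRole -TargetDc 'DC02' -Role RIDMaster -Seize
```

The reachability test is a ping, which is a coarse proxy for "the role holder can still take part in a transfer"; a DC that answers ping but has a broken directory service will make the transfer cmdlet fail on its own, which is the point at which the operator, not the script, should decide whether a seize is warranted.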

1. What is Active Directory? Active Directory is Microsoft implementation of LDAP being used in Windows Server platform post NT and built around DNS. It is a distributed and hierarchical directory service which stores information about the resources on the network and provide t