windows q&a final
TRANSCRIPT
What is the KCC?
The KCC (Knowledge Consistency Checker) is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
By using Active Directory Replication Monitor: Start --> Run --> replmon
What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights (independent of Group Policy needs) against the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
* Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
* Delegating administrative authority: usually do not go more than 3 OU levels deep.
Reference: http://technet.microsoft.com/en-us/library/cc783140.aspx
What are FSMO roles? List them.
FSMO roles are server roles in a forest. There are five FSMO roles:
1) Schema master
2) Domain naming master
3) RID master
4) PDC Emulator
5) Infrastructure master
Logical diagram of Active Directory: what is the difference between a child domain and an additional domain server?
If you know what a domain is, then you have half the answer. Say you have the domain microsoft.com. Microsoft has a server named server1 in that domain, which happens to be the parent domain, so its FQDN is server1.microsoft.com. If you add an additional domain server and name it server2, then its FQDN is server2.microsoft.com.
Now Microsoft is big, so it has offices in Europe and Asia. They make child domains for them, whose FQDNs look like this: europe.microsoft.com and asia.microsoft.com. Say each of those child domains has a server named server1. Their FQDNs would then be server1.europe.microsoft.com and server1.asia.microsoft.com.
What are Active Directory Groups?
Groups are containers that contain user and computer objects as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain groups enable centralized administration in a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different group types and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or from a single domain.
Group Types
* Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group, so security groups also have the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required because some applications can only read distribution groups.
Group Scopes
Group scope describes which type of users should be grouped together so that their administration is easy; therefore, in a domain, groups play an important part. One group can be a member of other group(s), which is known as group nesting. One or more groups can be members of any group in the entire domain(s) within a forest.
* Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Remember that nesting cannot be done in a domain local group: a domain local group will not be a member of another domain local group or of any other group in the same domain.
* Global Group: Users with a similar function can be grouped under global scope and given permission to access a resource (like a printer or a shared folder and files) available in the local domain or in another domain in the same forest. In simple words, global groups can be used to grant permissions to resources located in any domain within a single forest, but their membership is limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible with global groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
* Universal Group: These groups are mainly used for e-mail distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group membership is not limited like global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.
What are the types of backup? Explain each.
Incremental
A "normal" incremental backup will only back up files that have been changed since the last backup of any type. This provides the quickest means of backup, since it only makes copies of files that have not yet been backed up. For instance, following our full backup on Friday, Monday's tape will contain only those files changed since Friday. Tuesday's tape contains only those files changed since Monday, and so on. The downside is that, in order to perform a full restore, you need to restore the last full backup first, followed by each of the subsequent incremental backups up to the present day, in the correct order. Should any one of these backup copies be damaged (particularly the full backup), the restore will be incomplete.
Differential
A cumulative backup of all changes made after the last full backup. The advantage is the quicker recovery time, requiring only the full backup and the latest differential backup to restore the system. The disadvantage is that for each day elapsed since the last full backup, more data needs to be backed up, especially if a majority of the data has been changed.
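The two strategies above are easiest to compare by simulating a week of changes and working out which tape holds which file. The following Python simulation is an added example, not code from the original Q&A; the file names, days and change history are constructed, and the restore function deliberately lets you mark a tape as damaged to show why a broken incremental chain leaves the restore incomplete while a differential restore needs only two tapes.

```python
"""Simulate full, incremental and differential backups over a week.

Added illustration for the backup-type question above; not part of the original
Q&A. The file names, days and change history below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class BackupJob:
    day: str
    kind: str    # "full", "incremental" or "differential"
    files: dict  # file name -> version captured on this tape


def plan_backups(history, schedule):
    """history: list of (day, {file: version}) giving the files changed that day.
    schedule: dict day -> backup kind. Returns the BackupJobs in the order taken."""
    current = {}      # live state of the file system
    last_full = {}    # state captured by the most recent full backup
    backed_up = {}    # state as of the last backup of any kind (archive marker)
    jobs = []
    for day, changes in history:
        current.update(changes)
        kind = schedule[day]
        if kind == "full":
            captured = dict(current)
            last_full = dict(current)
            backed_up = dict(current)
        elif kind == "incremental":
            # only files changed since the last backup of ANY type; resets the marker
            captured = {f: v for f, v in current.items() if backed_up.get(f) != v}
            backed_up = dict(current)
        elif kind == "differential":
            # everything changed since the last FULL backup; marker is left alone
            captured = {f: v for f, v in current.items() if last_full.get(f) != v}
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        jobs.append(BackupJob(day, kind, captured))
    return jobs


def restore_chain(jobs, upto_day):
    """Tapes needed, in order, to rebuild the state as of upto_day."""
    idx = next(i for i, j in enumerate(jobs) if j.day == upto_day)
    full_idx = max(i for i in range(idx + 1) if jobs[i].kind == "full")
    target = jobs[idx]
    if target.kind == "full":
        return [target]
    if target.kind == "differential":
        return [jobs[full_idx], target]          # full + latest differential
    return jobs[full_idx:idx + 1]                # full + every tape since, in order


def restore(jobs, upto_day, damaged=()):
    """Replay the chain; tapes whose day is in `damaged` are skipped (unreadable).
    Returns the reconstructed file state, which may be stale if a tape is missing."""
    state = {}
    for job in restore_chain(jobs, upto_day):
        if job.day in damaged:
            continue
        state.update(job.files)
    return state


# Constructed change log: which files were modified on each day.
HISTORY = [
    ("Fri", {"a.doc": "a1", "b.xls": "b1", "c.ppt": "c1"}),
    ("Mon", {"a.doc": "a2"}),
    ("Tue", {"b.xls": "b2"}),
    ("Wed", {"a.doc": "a3", "d.txt": "d1"}),
]
INCREMENTAL_WEEK = {"Fri": "full", "Mon": "incremental",
                    "Tue": "incremental", "Wed": "incremental"}
DIFFERENTIAL_WEEK = {"Fri": "full", "Mon": "differential",
                     "Tue": "differential", "Wed": "differential"}

if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_WEEK),
                           ("differential", DIFFERENTIAL_WEEK)):
        jobs = plan_backups(HISTORY, schedule)
        print(name, [(j.day, sorted(j.files)) for j in jobs])
        print("  tapes to restore Wed:", [j.day for j in restore_chain(jobs, "Wed")])
    inc = plan_backups(HISTORY, INCREMENTAL_WEEK)
    print("incremental restore with Tue tape damaged:", restore(inc, "Wed", damaged=("Tue",)))
```

Running it shows the trade-off in numbers: the incremental tapes hold 3, 1, 1 and 2 files while the differential tapes hold 3, 1, 2 and 3, and restoring Wednesday needs four tapes in the first case but only two in the second. With the Tuesday incremental tape marked damaged, b.xls comes back at its Friday version, which is the incomplete restore the text warns about.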
What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication Service (FRS) can distribute them to other domain controllers within that domain. You can go to the SYSVOL folder by typing: %systemroot%\sysvol
What is the ISTG? Who has that role by default?
The ISTG (Inter-Site Topology Generator) role is held by the first server in the site. The domain controller holding this role is not necessarily also a bridgehead server.
What is the order in which GPOs are applied?
Local, Site, Domain, OU
List of abbreviations
UNC Universal Naming Convention, \\servername\sharename (used to access a shared folder)
MAC Media Access Control
PDC Primary Domain Controller
BDC Backup Domain Controller
SMP Symmetric Multi Processing
AMP Asymmetric Multi Processing
EFS Encrypting File System
FAT File Allocation Table
HCL Hardware Compatibility List
IIS Internet Information Services
LSA Local Security Authority
MMC Microsoft Management Console
OU Organizational Unit
RAS Remote Access Service
RDP Remote Desktop Protocol (used for Terminal Services)
RRAS Routing and Remote Access Service
SID Security Identifier
WINS Windows Internet Name Service
GUID Globally Unique Identifier
IAS Internet Authentication Service
UPN User Principal Name (in the form user@domain)
BIOS Basic Input Output System
NetBIOS Network Basic Input/Output System
ARP Address Resolution Protocol
DVD Digital Video Disk
GPO Group Policy Object (LGPO: Local Group Policy Object)
IPsec Internet Protocol Security
ISP Internet Service Provider
NAT Network Address Translation
MBR Master Boot Record
USB Universal Serial Bus
POST Power On Self Test
SCSI Small Computer System Interface
SMTP Simple Mail Transfer Protocol (used to send mail)
URL Uniform Resource Locator
RAID Redundant Array of Independent Disks
IDE Intelligent Drive Electronics or Integrated Drive Electronics
FQDN Fully Qualified Domain Name (full computer name) [computername.domainname.com]
OSPF Open Shortest Path First (OSPF and RIP are routing protocols)
RIP Routing Information Protocol
POP3 Post Office Protocol (used to receive mail)
SMPS Switch Mode Power Supply
PING Packet Internet Groper
VNC Virtual Network Computing
EULA End User License Agreement
CAL Client Access License
TSCAL Terminal Services Client Access License
UPS Uninterruptible Power Supply
BIND Berkeley Internet Name Domain
PXE Preboot Execution Environment
UDF Uniqueness Database File
LDAP Lightweight Directory Access Protocol
ISDN Integrated Services Digital Network
VLSM Variable Length Subnet Mask
CIDR Classless Inter-Domain Routing
IGMP Internet Group Management Protocol
FSMO Flexible Single Master Operations
APIPA Automatic Private IP Addressing
NetBEUI NetBIOS Enhanced User Interface
UDP User Datagram Protocol
FTP File Transfer Protocol
Mbps Megabits per second
Ntds.dit NT Directory Services, Directory Information Tree
ICMP Internet Control Message Protocol
NNTP Network News Transfer Protocol
RADIUS Remote Authentication Dial In User Service
SNMP Simple Network Management Protocol
VPN Virtual Private Network
L2TP Layer 2 Tunneling Protocol
PPTP Point to Point Tunneling Protocol
ADSI Active Directory Service Interfaces
SUS Software Update Service
SMS System Management Service
WUS Windows Update Service
TFTP Trivial File Transfer Protocol
List of important port numbers
15 Netstat
21 FTP
23 Telnet
25 SMTP
37 Time
42 WINS
53 DNS
67 BOOTP
68 DHCP
79 Finger
80 HTTP
88 Kerberos
101 Hostname
110 POP3
119 NNTP
123 NTP (Network Time Protocol)
139 NetBIOS
161 SNMP
180 RIS
220 IMAP3
389 LDAP (Lightweight Directory Access Protocol)
443 HTTPS (HTTP over SSL/TLS)
500 Internet Key Exchange, IKE (IPsec) (UDP 500)
520 RIP
3268 AD Global Catalog
3269 AD Global Catalog over SSL
3389 Terminal Services
Useful commands
diskpart.exe: used for disk management in Windows 2003.
nltest /dsgetdc:domainname: replace domainname with the name of the domain that you are trying to log on to. This command verifies that a domain controller can be located. Nltest is included in the Support Tools.
How to manually synchronize a client computer with a domain controller?
Windows 2000 (Win2K) and later computers in a domain should automatically synchronize time with a domain controller, but sometimes you may need to synchronize manually. To do so, open a command-line window and run:
net stop w32time
w32time -update
net start w32time
Then manually verify the synchronization between the client computer and a domain controller, and check the System event log to ensure that the W32Time service has not logged additional error messages.
What are the icons available in Control Panel?
Around 27 icons are available in Control Panel:
Accessibility Options, Add/Remove Hardware, Add/Remove Programs, Administrative Tools, Automatic Updates, Keyboard, Mouse, Printers, Phone and Modem Options, Scanners and Cameras, Power Options, System, Display, Network and Dial-up Connections, Internet Options, Folder Options, Date and Time, Sounds and Multimedia, Regional Settings, Users and Passwords, Scheduled Tasks
What are the icons that do not get a delete option on the Desktop (up to Windows 2000)?
My Computer
My Network Places
Recycle Bin
Note: In Windows 2003 you can delete My Computer and My Network Places, and you can also get them back: right-click the Desktop, select Properties, click the Desktop tab, click Customize Desktop and select the appropriate check boxes. Even in 2003 you cannot delete the Recycle Bin.
Note: You can delete anything (even the Recycle Bin) from the desktop by using registry settings in 2000/2003.
What are the properties of the Recycle Bin?
General tab:
* Check box for "Display delete confirmation dialog box"
* Check box for whether to move a deleted file to the Recycle Bin or delete it directly
* Global options (applies to all drives)
* Individual partitions (a separate tab exists for each partition)
How to configure DNS?
Open the DNS console. There you will find:
DNS
  Server name
    Forward Lookup Zones
    Reverse Lookup Zones
Note: If you selected "create zones automatically" during setup, it creates the root zone and the domain zone under Forward Lookup Zones.
If there are no zones under Forward Lookup Zones, first create the root zone and then create the domain zone.
How to create a zone?
Right-click Forward Lookup Zones and select New Zone. Select one of:
Active Directory Integrated
Primary
Secondary
Note: The Active Directory Integrated zone option is available only when you have installed Active Directory; if you have not installed Active Directory the option is disabled.
Note: To select a Secondary zone you must already have a Primary zone or an Active Directory Integrated zone.
DNS Name [____________________]
Give the DNS name.
Note: If you are creating a root zone, type just "." (only a dot) in the name box.
Then click Next and Finish.
After creating the root zone, create another zone with the domain name:
Right-click Forward Lookup Zones, New Zone, Active Directory Integrated (you can choose any type), DNS Name [___], Next, Finish.
Creating a zone under Reverse Lookup Zones:
Right-click Reverse Lookup Zones, New Zone, type the Network ID, Next, Name, Finish.
After this, right-click the zone, select Create Associated PTR (pointer) Record, Next, Finish.
What tabs are there on the properties of a domain (zone)?
General, Start of Authority (SOA), Name Servers, WINS, Zone Transfers
What tabs are there on the properties of a server?
Interfaces, Forwarders, Advanced, Root Hints, Logging, Monitoring
Where can you create the Primary, Secondary and Active Directory Integrated zones?
If you want to create an Active Directory Integrated zone, the server must be a domain controller. You can create a Primary zone on a domain controller or on a member server, but if you create it on a member server you will not get the four options under the domain that are meant for Active Directory. You can create a Secondary zone on a member server or on a domain controller; there is no difference between them.
What are the advantages of Windows 2000 DNS? Or: what are the features of Windows 2000 DNS?
* Supports SRV (service) records
* Supports Dynamic Updates
* Supports IXFR (Incremental Zone Transfer)
* Supports security
Explain each of the above.
In a Windows 2000 domain you need a DNS server to find the different services; the SRV records identify these services.
When you enable Dynamic Updates, the records in the zone are created automatically: as you add a computer to the domain, or add a domain controller to the domain, the corresponding records are created automatically, i.e., you do not need to create records in the DNS zone manually to identify those computers or services.
When an update is made on the master it has to be replicated to the secondary. Previously the entire zone was transferred (called AXFR, full zone transfer), but with a Windows 2000 domain only the records that have been modified are transferred. This is called IXFR (Incremental Zone Transfer).
We get security with Active Directory Integrated zones. We can set permissions in Active Directory on who can and cannot use the DNS. We also have Secure Dynamic Updates with Active Directory Integrated zones; with this, only specified computers can dynamically update the records in the zone.
What commands do we use for DNS?
nslookup (and all of its interactive-mode commands)
ipconfig /flushdns
ipconfig /registerdns
Note: A good strategy for using DNS in a corporate network is to use two DNS servers: one on the internal network and another between two firewalls. For more security, keep the zone as a secondary zone on the DNS server that is between the firewalls.
How do we make our DNS more available?
By adding more DNS servers, or by using Windows 2000 clustering.
What is the purpose of a forward lookup zone?
It resolves host names (friendly names) to IP addresses.
What is the purpose of a reverse lookup zone?
It resolves IP addresses to host names.
What is the difference between a Primary zone and a Secondary zone?
A Primary zone has read and write permissions, whereas a Secondary zone has read-only permission.
Note: A Secondary zone is used for backup and load balancing.
How to check whether DNS is working or not?
Type the command "nslookup" at the command prompt. It returns the DNS server name and its IP address.
What are Dynamic Updates in DNS?
Generally we need to create a host record for each newly joined computer (client, member server or domain controller). If you enable the Dynamic Update option, DNS itself creates the associated host record for newly joined computers.
How to get the Dynamic Update option?
Right-click any zone, select Properties; on the General tab you will see "Allow Dynamic Updates?" [Yes / No / Only Secure Updates].
Note: Always set Dynamic Updates to "Yes".
Note: If it is an Active Directory Integrated zone you get the above three options, but if it is a Primary or Secondary zone you get only "Yes/No" (you do not get Secure Updates).
What is name resolution?
The process of translating a name into the object or information that the name represents is called name resolution. A telephone book forms a namespace in which the names of telephone subscribers can be resolved to phone numbers.
What is BIND?
What are the ports numbers used for Kerberos, LDAP etc in DNS?
What is a zone?
A database of records is called a zone. Also called a zone of authority, it is a subset of the Domain Name System (DNS) namespace that is managed by a name server.
What is an iterative query?
The query that is sent to the DNS server from a client is called an iterative query (i.e., an iterative query means: give me the answer to my question; do not tell me to contact this person or that person, and do not say anything else. Just answer my question.)
What is a recursive query?
Now your DNS server asks the root-level DNS server for the specific IP address. The root DNS server says: I do not know, but I can give you the address of another server that can help you find the IP address.
What types of records do you find in a DNS database?
Host record (A), Mail Exchange record (MX), Alias record
How to convert a domain controller to a member server?
Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions and change ProductType from "LanmanNT" to "ServerNT".
Or open the Registry, search for LanmanNT and change it to ServerNT.
Is it possible to have two Primary DNS zones?
No, you should not have two Primary DNS zones, because if you have two, some clients contact the first one and some contact the second one according to their TCP/IP configuration, and you will get problems. A Primary DNS zone is single-master, i.e., there is only one master and therefore only one Primary DNS zone, but you can have as many Secondary zones as you like. To overcome this problem (the single-master problem), Windows 2000 has Active Directory Integrated zones, which are multi-master.
How to create a Secondary DNS zone?
To create a Secondary zone you must already have a Primary DNS zone or an Active Directory Integrated DNS zone. Follow the same procedure as for the Primary DNS configuration, but at the zone-type selection choose Secondary zone instead of Primary zone. It then asks for the address of the Primary DNS zone; provide that address.
Create the forward lookup zone and reverse lookup zone as usual. Then:
Right-click Forward Lookup Zones, New Zone:
Active Directory Integrated
Primary
Secondary
Select Secondary zone. (Note: The Active Directory Integrated zone option is available only when you have installed Active Directory; if you have not installed Active Directory the option is disabled.)
It then asks for the Primary DNS zone details; provide those details and click Finish.
Now go to the Primary or Active Directory Integrated zone, right-click the zone name, select Properties and click the Zone Transfers tab.
Select Allow zone transfers. Here you can see three options:
* To any server
* Only to servers listed on the Name Servers tab
* Only to the following servers
Select one and give the details of the secondary zone server (only for the second and third options). Click Apply, then OK.
Note: On the Zone Transfers tab you can find another option, Notify, which automatically notifies secondary servers when the zone changes. Here also you can select the appropriate options.
Note: In a Secondary zone you cannot modify any information; everyone has read-only permission. Whenever the Primary DNS is down, click the "Change" button on the General tab of the secondary zone's properties to change it to Primary; it then acts as the primary and you have write permission as well.
What are the default Refresh, Retry and Expire intervals set in the Primary zone for the Secondary zone?
The default settings are:
Refresh interval: 10 minutes
Retry interval: 15 minutes
Expires after: 1 day
Suppose the Secondary zone has expired; how do you solve the problem?
First check whether the Primary zone is working. If it is, go to the Secondary zone, right-click the zone name and select "Transfer from Master". It then automatically contacts the Primary DNS and, if there are any updates, takes them from the Primary.
How to know whether the recent changes in the Primary have been updated in the Secondary zone?
Compare the serial number on the Start of Authority tab of the zone properties on both the Secondary and the Primary DNS. If both are the same, the recent updates have been made to the Secondary zone. If not (i.e., the Secondary's serial is less than the Primary's), click "Transfer from Master".
How to change from Primary to Secondary, Secondary to Primary, or Active Directory Integrated to Secondary or Primary (simply one type of zone to another)?
Go to the properties of the zone, click the General tab, click the "Change" button, select the appropriate option and click OK.
How to pause a zone?
Go to the properties of the zone, click the General tab and click the Pause button.
What system is used before DNS to resolve this host names?
How to know whether a DNS name is exist or not in the internet?
Iterative query: the query that is sent to my DNS server from my computer.
Recursive query: the query that my DNS server sends to other DNS servers to find the IP address of a particular server.
When you install a Windows 2000 DNS server, you immediately get the records of the root DNS servers. Every Windows 2000 DNS server installed on the Internet is preconfigured with the addresses of the root DNS servers, so every DNS server on the Internet can reach the root servers.
DNS requirements:
First and foremost, it has to support SRV records (an SRV record identifies a particular service on a particular computer; in Windows 2000 we use SRV records to identify domain controllers, the Global Catalog, etc.).
The second and third are not requirements but are recommended: the second is Dynamic Updates and the third is IXFR (Incremental Zone Transfer).
Note: Most DNS servers support AXFR (i.e., full zone transfer). With IXFR only the changes are transferred, but with AXFR the whole zone is transferred.
How does a DNS server know the root domain server addresses?
Every DNS server installed on the Internet is preconfigured with the root DNS server addresses, so every single server can get to the root. That is why every DNS server on the Internet first contacts the root DNS servers for name resolution.
Where can you find the addresses of the root servers in the DNS server?
Open the DNS console, right-click the server name, select Properties and click Root Hints. Here you can find the different root server addresses.
Note: When you install the DNS service on a Windows 2000 server (before you have configured anything on the DNS server), it starts functioning as a caching-only DNS server.
What is a caching-only DNS server?
What is a forwarder? (Open the DNS console, right-click the server name and click the Forwarders tab.)
A forwarder is a server which has more access than the present DNS server. Perhaps our present DNS server is located on the internal network and cannot resolve Internet names, because it is behind a firewall or is using a proxy server or NAT server to get to the Internet. Then this server forwards the query to another DNS server that can resolve Internet names.
What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of addresses (i.e., a scope) configured for a given network.
How to install DHCP?
We can install DHCP in two ways:
1) While installing the operating system
While installing the operating system, at Network Settings it asks whether you want Typical settings or Custom settings. Select Custom settings, select Networking Services, click Details, select DHCP and click OK.
2) Independently
Start, Settings, Control Panel, Add/Remove Programs, Add/Remove Windows Components, select Networking Services, click Details, select DHCP, OK. (During the installation it asks for the CD.)
Note: When you have installed DHCP, a DHCP icon appears in Administrative Tools.
How to uninstall DHCP?
Start, Settings, Control Panel, Add/Remove Programs, Add/Remove Windows Components, select Networking Services, click Details, deselect DHCP, OK.
How to open DHCP?
Start, Programs, Administrative Tools, DHCP; or Start, Run, dhcpmgmt.msc
How to configure DHCP?
Open the DHCP console by typing "dhcpmgmt.msc" at the Run prompt. In the DHCP console you will find the node:
DHCP
Right-click DHCP and click Add Server. You will get a window:
This server [________________] BROWSE
Select the DHCP server and click OK. Now you will see:
DHCP
  servername.domain.com [IP address]
Note: Sometimes the server entry appears automatically without using "Add Server". In such cases check whether the IP address is correct; if it is wrong, delete it and recreate it. Now you have a DHCP server.
Now you have to authorize the DHCP server to provide IP addresses to the clients.
Who can authorize a DHCP server in the domain?
Only an Enterprise Administrator can authorize a DHCP server. No other person in the domain can authorize it; even if you are an Administrator without Enterprise Administrator privileges, you cannot authorize the DHCP server.
Note: If the server is not authorized, a red symbol (red down arrow) appears; once you authorize it, a green up arrow appears.
How to authorize the DHCP server?
Log in with Enterprise Administrator privileges. Right-click servername.domainname.com and click Authorize. It will then be authorized (the indication is the green up arrow).
Now you have to create a scope.
Note: A scope is a range of IP addresses that you want to allocate to the clients.
How to create a scope?
Right-click servername.domainname.com and click New Scope. Click Next.
Name [______________________]
Description [_______________________]
Note: Generally we give the network ID as the name.
Click Next.
Start IP address [______________________]
End IP address [______________________]
(Provide the start IP address and the end IP address.)
Click Next.
Note: If you want to exclude any addresses, you can do so here:
Starting IP address [______________] Ending IP address [__________] Add / Remove
What are the default, minimum and maximum lease durations?
By default any system gets an 8-day lease on its IP address.
Note: You can increase or decrease the lease duration; the minimum duration you can assign is 1 second and the maximum is 999 days 23 hours 59 minutes.
Note: If the client has not been on the network continuously for 50% of the lease duration, the IP address is released.
Click Next. Now you get a window asking whether you want to configure the options (DNS, WINS, Router, etc.). You can configure the options now or after completing this wizard. Select one and click Next, then click Finish.
Note: If you selected "No" in the above window, you can configure those options at any time as follows: click Server Options, Configure Options, select the required options, enter the server name and IP address, click OK.
Now you have to activate the scope: right-click the scope and click Activate.
Note: You can reserve IP addresses for specific clients, or exclude IP addresses (without allocating them) for future use.
All of the above is done on the server.
Now you have to configure the client system.
On the client: right-click My Network Places, select Properties, right-click Local Area Connection, select Properties, select TCP/IP and click Properties. You get a window containing the TCP/IP properties. Select "Obtain an IP address automatically" and "Obtain DNS server address automatically". Click "More" and delete the DNS suffix if there is one. Click OK.
The client then takes an IP address automatically from the DHCP server. The DHCP server also provides the DNS, WINS and router addresses.
Note: You must assign a static IP address to the DHCP server. (In practice people assign static IP addresses not only to the DHCP server but to all servers, because if servers obtain their addresses automatically and DHCP is down, none of the servers will function properly.)
Note: The DHCP server assigns IP addresses to the clients, but apart from that it also provides the DNS address, default gateway, WINS address and so on, as configured on the DHCP server.
What protocol is used for the DHCP process?
BOOTP
Why is a DHCP Relay Agent used?
To extend DHCP services across routers (if the router does not forward BOOTP).
What commands are used for DHCP?
ipconfig
ipconfig /all
ipconfig /release
ipconfig /renew
What is the process of assigning an IP address by the DHCP service?
There are four stages in assigning an IP address to a host by the DHCP server:
1) DHCP Discover
2) DHCP Offer
3) DHCP Request
4) DHCP Acknowledge
DHCP Discover: Whenever a client has to obtain an IP address from a DHCP server, it broadcasts a message called "DHCP Discover", which has destination address 255.255.255.255, source IP address 0.0.0.0 and the client's MAC address.
DHCP Offer: The DHCP server on the network responds to the DHCP Discover by sending a DHCP Offer message to the client requesting an IP address.
DHCP Request: After receiving the Offer message, the client sends a "DHCP Request" message asking the DHCP server to confirm the IP address it offered in the DHCP Offer message.
DHCP Acknowledge: The DHCP server responds to the "DHCP Request" message by sending an Acknowledge message, through which it confirms the IP address to the client machine.
Note: You can also enable DHCP in a workgroup for dynamic allocation of IP addresses. Configure the server operating system in the workgroup as a DHCP server, then on the client, in TCP/IP properties, select "Obtain an IP address automatically". The client then gets its IP address from the DHCP server.
Note: You need not configure DNS or anything else.
Using APIPA
On occasion, a network PC boots up and finds that the DHCP server is not available. When this happens, the PC continues to poll for a DHCP server using different wait periods.
The Automatic Private IP Addressing (APIPA) service allows the DHCP client to configure itself automatically until the DHCP server is available and the client can be configured for the network. APIPA allows the DHCP client to assign itself an IP address in the range 169.254.0.1 to 169.254.254.254 with a Class B subnet mask of 255.255.0.0. The address range used by APIPA is a Class B range that Microsoft has set aside for this purpose.
What is the family of Windows 2000?
Windows 2000 Professional (Desktop Operating System)
Windows 2000 Server (Server Operating System)
Windows 2000 Advanced Server (Server Operating System)
Windows 2000 Datacenter Server (Server Operating System)

What is the family of Windows NT?
Windows NT Workstation (Desktop)
Windows NT 4.0 Server (Server)
Windows NT 4.0 Enterprise Server (Server)

What is the Windows 2003 family?
■ Windows Server 2003, Web Edition
■ Windows Server 2003, Standard Edition
■ Windows Server 2003, Enterprise Edition
■ Windows Server 2003, Datacenter Edition
What is the difference between Desktop and Server?
In a desktop system we cannot load Active Directory. In a server system we can load Active Directory, so we can create a domain on Server, Advanced Server and Datacenter Server.
In Professional there is no fault tolerance on the hard drive (i.e., disk mirroring, RAID 5). In Server we have fault tolerance on the hard drive.

What is the difference between Windows 2000 Server and Windows 2000 Advanced Server / Datacenter Server?
In Windows 2000 Server we don't have clustering or network load balancing, whereas in Windows 2000 Advanced Server and Datacenter Server we have clustering and network load balancing.
In 2000 Advanced Server and Datacenter Server we have support for more RAM and more processors.
What are the minimum and maximum configurations for the Windows family?

Windows 2000 Operating System family

OS Name                        | Processor        | RAM (min.) | RAM (rec.) | Free hard disk space     | Supported no. of processors | Max. RAM
Windows 2000 Professional      | Pentium / 133MHz | 32 MB      | 64 MB      | 650 MB (1 GB rec.)       | 2                           | 4 GB
Windows 2000 Server            | Pentium / 133MHz | 128 MB     | 256 MB     | Approx. 1 GB (rec. 2 GB) | 4                           | 4 GB
Windows 2000 Advanced Server   | Pentium / 133MHz | 128 MB     | 256 MB     | Approx. 1 GB (rec. 2 GB) | 8                           | 8 GB
Windows 2000 Datacenter Server | Pentium / 133MHz | 128 MB     | 256 MB     | Approx. 1 GB (rec. 2 GB) | 32                          | 64 GB

CPU Requirements for Windows Server 2003

Specification                 | Windows Server 2003, Standard Edition | Windows Server 2003, Enterprise Edition
Minimum recommended CPU speed | 550 MHz                               | 550 MHz
Number of CPUs supported      | 1–4                                   | 1–8

Minimum and Maximum RAM for Windows Server 2003

RAM Specification       | Windows Server 2003, Standard Edition | Windows Server 2003, Enterprise Edition
Minimum recommended RAM | 256 megabytes (MB)                    | 256 MB
Maximum RAM             | 4 gigabytes (GB)                      | 32 GB
What are the differences between Windows 2000 Professional and the server versions?
In Professional we don't have fault tolerance (mirroring, RAID 5), whereas in all server versions we have it.
In Professional we cannot load Active Directory, whereas in all server versions we can.
In Professional and 2000 Server we don't have clustering and network load balancing, whereas in 2000 Advanced Server and Datacenter Server we have clustering and NLB.
As you move from Server to Advanced Server, and from Advanced Server to Datacenter Server, you get support for more RAM and more processors.

What are the features of Windows 2000 Professional?
Windows 2000 Professional improves the capabilities of previous versions of Windows in five main areas: ease of use, simplified management, increased hardware support, enhanced file management, and enhanced security features.

Which operating systems can you upgrade to Windows 2000?
We cannot upgrade Windows 3.1 to Windows 2000.
We can upgrade directly from Windows 95/98/NT 3.51/NT 4.0 to Windows 2000.
If we have Windows NT 3.1/NT 3.50, first we need to upgrade to Windows NT 3.51 or NT 4.0, then we can upgrade to Windows 2000.
What is the primary difference between a workgroup and a domain?
A workgroup is a distributed directory maintained on each computer within the workgroup. A domain is a centralized directory of resources maintained on domain controllers and presented to the user through Active Directory services.
What is a stand-alone computer?
A computer that belongs to a workgroup, not a domain, is called a stand-alone computer.

What is a Domain Controller and a Member Server?
With Windows 2000, servers in a domain can have one of two roles:
Domain controllers, which contain matching copies of the user accounts and other Active Directory data in a given domain.
Member servers, which belong to a domain but do not contain a copy of the Active Directory data.
Member servers running Windows 2000 Server: A member server is a server that isn't configured as a domain controller. A member server doesn't store Directory information and can't authenticate users. Member servers provide shared resources such as shared folders or printers.
Client computers running Windows 2000 Professional: Client computers run a user's desktop environment and allow the user to gain access to resources in the domain.
Can you change the name of a Domain Controller?
You cannot change the name of a server while it is a domain controller in a Windows 2000 domain. Instead, you must change it to a member or stand-alone server, change the name, and finally make the server a domain controller once again. But you can change the name of a domain controller in the Windows 2003 operating system.

Why do we need multiple Domain Controllers?
If you have multiple domain controllers, it provides better support for users than having only one. Multiple domain controllers provide automatic backup for user accounts and other Active Directory data, and they work together to support domain controller functions (such as validating logons).

What is the structure and purpose of a directory service?
A directory service consists of a database that stores information about network resources, such as computers and printers, and the services that make this information available to users and applications.

What is Active Directory?
Active Directory is a directory service which stores information about network resources such as users, groups, computers, printers, and shares. Active Directory provides a single point for organization, control and management.
Note: In layman's terms Active Directory is something like the Yellow Pages.

What roles will a Main Domain Controller (the first domain controller in the entire forest) have by default?
By default it gets 5 roles:
Schema Master
Domain Naming Master
PDC Emulator
Relative Identifier (RID) Master
Infrastructure Master (IM)
Note: The above roles are called operations master roles.
What roles will an Additional Domain Controller have by default?
By default it does not get any role. But if you want to assign a role you can transfer it from the master.

What roles will a Child Main Domain Controller have by default?
By default it gets only three roles:
PDC Emulator
Relative Identifier (RID) Master
Infrastructure Master (IM)

What roles will a Child Additional Domain Controller have by default?
By default it won't get any role. But if you want to assign one you can transfer it from the main child domain controller.
Explain the activities of each role.
1) Schema Master: It governs the Active Directory schema for all the Domain Controllers in a forest.
2) Domain Naming Master: Maintains unique domain names in a forest to avoid duplication.
3) RID Master: It assigns a unique ID to every user account (Domain + RID).
4) PDC Emulator: If a PDC is upgraded to Windows 2000, it will send data to the BDCs on the network (replication of the user database). If a user's password does not match in a particular domain, the PDC emulator of the first domain controller (Main Domain Controller) is contacted.
5) Infrastructure Master: Maintains the infrastructure (group membership references) on the domain controller holding the role.
Which roles must be on the same server?
Domain Naming Master and Global Catalogue.

Which roles must not be on the same Domain Controller?
Infrastructure Master and Global Catalogue.
Note: If you have only one domain then you won't get any problem even if both of them are on the same server. If you have two or more domains in a forest then they shouldn't be on the same server.
What is the Global Catalogue?
This is a database on one or more domain controllers. Each copy of the database contains a replica of every object in the Active Directory but with a limited number of each object's attributes.

Use of the Global Catalogue:
Contains a partial replica of all objects in the entire forest.
Contains universal groups.
Validates user principal names (UPN) when you are creating one. This checks whether any UPN with this name already exists in the entire forest.

How do you check which server the above roles have been assigned to?
Install the support tools from the CD, then Start--> Programs--> Support Tools--> Tools--> Command Prompt (go to the command prompt in this way only). At the command prompt type "netdom query fsmo".

What is FSMO?
Flexible Single Master Operations.
Note: The above five roles are called FSMO roles.

How do you check which server is holding the Global Catalogue?
First load the support tools. Then Start--> Run--> cmd--> ldp. You will get a window; click on File, select Connect to, and type the required server. You will then get some information; at the bottom you can find "Global Catalogue" TRUE/FALSE. If it says TRUE then it is a global catalogue server; if FALSE then it is not a global catalogue server.
Note: By default the Global Catalogue service is enabled on the Main Domain Controller, and by default it is disabled on additional Domain Controllers. If you want to transfer the Global Catalogue service from the Main Domain Controller to an Additional Domain Controller, you can do so.

How do you transfer a role from one Domain Controller to another Domain Controller?
Start--> Programs--> Administrative Tools--> Active Directory Sites and Services--> right-click on the domain name. First connect to the required server with the option "Connect to". Then right-click on the domain name and select Operations Masters; there you will get tabs for 3 roles. Select the required one, click on the Change button, then OK.
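A way to turn the placement rules above (every FSMO role held exactly once, Domain Naming Master on a Global Catalogue server, Infrastructure Master not on a Global Catalogue server when the forest has more than one domain) into a repeatable check. This is an added example, not code from the original document: it parses a constructed sample of "netdom query fsmo" output (the DC names are invented, and the role labels are assumed to match the tool's wording), takes the list of GC servers and the domain count as inputs you would gather with the ldp procedure above, and reports the violations.

```python
# Role labels as printed by "netdom query fsmo" (assumed to match the tool's wording)
ROLE_LABELS = {
    "Schema master": "schema",
    "Domain naming master": "naming",
    "PDC": "pdc",
    "RID pool manager": "rid",
    "Infrastructure master": "infra",
}

# Constructed sample output; the DC names are made up for this example
SAMPLE_NETDOM = """\
Schema master               dc1.corp.example
Domain naming master        dc1.corp.example
PDC                         dc1.corp.example
RID pool manager            dc2.corp.example
Infrastructure master       dc1.corp.example
The command completed successfully.
"""


def parse_netdom_fsmo(text):
    """Map each FSMO role to the DC that holds it (lower-cased FQDN)."""
    roles = {}
    for line in text.splitlines():
        for label, key in ROLE_LABELS.items():
            # require whitespace right after the label so "PDC" cannot match a longer word
            if line.startswith(label) and line[len(label):len(label) + 1].isspace():
                roles[key] = line[len(label):].strip().lower()
    return roles


def check_placement(roles, gc_servers, domain_count):
    """Apply the placement rules from the text and return a list of findings
    (empty list means the layout is consistent with those rules)."""
    gcs = {s.lower() for s in gc_servers}
    findings = []
    for key in ROLE_LABELS.values():
        if key not in roles:
            findings.append("missing role: " + key)
    if "naming" in roles and roles["naming"] not in gcs:
        findings.append("domain naming master %s is not a global catalogue server" % roles["naming"])
    if domain_count > 1 and roles.get("infra") in gcs:
        findings.append("infrastructure master %s is also a global catalogue server in a %d-domain forest"
                        % (roles["infra"], domain_count))
    return findings


if __name__ == "__main__":
    held = parse_netdom_fsmo(SAMPLE_NETDOM)
    for finding in check_placement(held, ["DC1.corp.example"], domain_count=2):
        print("WARNING:", finding)
```

A single-domain forest with every role on the GC passes; the same layout in a two-domain forest flags the Infrastructure Master, which is the case the note above warns about.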
How do you start/stop a service from the command prompt?
Go to the command prompt and type "net start <service name>" (to start a service) or "net stop <service name>" (to stop a service).
Ex: "net start netlogon", "net stop netlogon"

What is a Domain Controller?
Domain controllers contain matching copies of the user accounts and other Active Directory data in a given domain.

What is a Member Server?
Member servers belong to a domain but do not contain a copy of the Active Directory data.

What is a stand-alone server?
A server that belongs to a workgroup, not a domain, is called a stand-alone server.

What is a stand-alone computer?
A computer that belongs to a workgroup, not a domain, is called a stand-alone computer.
Note: With Windows 2000, it is possible to change the role of a server back and forth from domain controller to member server (or stand-alone server), even after Setup is complete.

What is a client?
A client is any device, such as a personal computer, printer or any other server, which requests services or resources from a server. The most common clients are workstations.

What is a server?
A server is a computer that provides network resources and services to workstations and other clients.

What is the Main Domain Controller?
The first computer in the entire forest on which you have performed DCPROMO.

What is an Additional Domain Controller?
An additional domain controller is required to share or reduce the workload on the primary (main) domain controller.

What is a Child Domain Controller?
The main difference between a child and an additional domain controller is that the additional domain controller is the backup domain controller, used for load balancing and fault tolerance, whereas the child domain is a sub-domain. And both will have different roles.
How do you know whether a server is a Domain Controller or not?
You can find out in several ways:
1) By the logon dialogue box: if it is a Domain Controller, you won't get the "this computer" option under Domain Names. If you get the "this computer" option on a server operating system, it must be a Member Server.
2) By My Computer Properties: on the Network Identification tab, the Properties button will be disabled.
3) By typing DCPROMO: if it is already a Domain Controller you will get the uninstallation wizard for Active Directory; if it is not a Domain Controller you will get the installation wizard for Active Directory.
4) You should see the NETLOGON and SYSVOL shares; just type net share at the command prompt.
5) You should be able to see the NTDS directory in the winnt directory.
6) You should see the NTDS key in regedit.
Who will replicate the password changes?
PDC Emulator (it immediately replicates them to all the Domain Controllers).

What are the file systems we have in Windows?
FAT / FAT16 / FAT32 / NTFS 4.0 / NTFS 5.0

How do you convert from FAT to NTFS?
convert <drive letter>: /fs:ntfs

What is a forest?
A collection of one or more domain trees that do not form a contiguous namespace. Forests allow organizations to group divisions that operate independently but still need to communicate with one another.
All trees in a forest share a common schema, configuration partition and Global Catalog. All trees in a given forest trust each other with two-way transitive trust relationships.

What is a domain?
A group of computers that are part of a network and share a common directory and security policies. In Windows 2000 a domain is a security boundary, and permissions that are granted in one domain are not carried over to other domains.

What is a user principal name?
[email protected]

What is a Fully Qualified Domain Name?
hostname.domainname.com (this is also referred to as the computer name)

How many hard disks can you connect to a system at a time?
We can connect a maximum of four hard disks (if we don't have a CD-ROM).

What are they?
Primary Master
Primary Slave
Secondary Master
Secondary Slave
Note: We cannot have two of the same type at a time.
How many types of disks are there in Windows 2000?
Basic Disk
Dynamic Disk
The dynamic disk format does not work on a computer that contains more than one operating system. The only operating system that can access a hard disk using the dynamic disk format is Windows 2000.

What is a partition?
A disk partition is a way of dividing your physical disk so that each section functions as a separate unit. A partition divides a disk into sections that function as separate units and that can be formatted for use by a file system.

How many types of partitions are there?
There are two types of partitions:
Primary partition
Extended partition

What is the difference between a primary and a secondary partition?
A primary partition or system partition is one on which you can install the files needed to load an operating system.

How many partitions can you create at most? (Among those, how many primary and how many extended?)
We can create a maximum of 4 partitions on a basic disk. Among those we can create at most 1 extended partition. You can create 4 primary partitions if you do not have an extended partition.

What is a volume?
A disk volume is a way of dividing your physical disk so that each section functions as a separate unit.

How many types of volumes are there?
There are 5 types of volumes:
Simple
Spanned
Striped (also called RAID 0)
Mirror (also called RAID 1)
RAID 5 (also called striped volumes with parity)

What is the difference between a partition and a volume?
You have limitations on the number of partitions. You don't have limitations on the number of volumes.
You cannot extend the size of a partition. You can extend the size of a volume.

What is the active (system) partition?
The partition in which your current operating system's boot files are located.

What are the system volume and the boot volume?
The system volume is the one in which your boot files are located. Whatever partition is marked as active is called the system partition.
The boot volume is the one in which your system files are located.
Note: In Windows NT and Windows 2000 by default the system files are copied to the winnt directory, and in Windows 2003 by default they are copied into the Windows directory.

What can you understand by seeing the logon dialogue box?
If it is the Windows 2000 Professional operating system, it may be a stand-alone computer or a client in a domain. If you can see the domain name, then it is a client; if not, it is stand-alone.
If it is a Windows 2000 Server family operating system, it may be a stand-alone computer, a member server or a domain controller. If you can see the domain name, then it is either a member server or a domain controller; if not, it is a stand-alone computer.
If you have the domain name but you don't have the "this computer" option, then it must be a domain controller. If you have the domain name and also the "this computer" option, then it is a member server.
I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of the file into the Run... window.

What are unicast, multicast and broadcast?
Unicast: just from one computer to one computer.
Multicast: only to those who have registered for a particular multicast group.
Broadcast: to all the computers.

What is BIOS?
A computer's basic input/output system (BIOS) is a set of software through which the operating system (or Setup) communicates with the computer's hardware devices.

What is the advantage of NTFS over FAT?
You must use the NTFS file system on domain controllers. In addition, any servers that have any partition formatted with FAT or FAT32 will lack many security features. For example, on FAT or FAT32 partitions, a shared folder can be protected only by the permissions set on the share, not on individual files, and there is no software protection against local access to the partition.
File and folder level security
We can do disk compression
We can do disk quotas
We can encrypt files
We can do remote storage
We can do dynamic volumes
We can mount volumes to folders
We can support Macintosh files
POSIX subsystem
Note: When you format the partition with NTFS then Windows NT and Windows 2000 are the only operating systems that can read the data.
Note: The only reason to use FAT or FAT32 is for dual booting with versions of Windows prior to Windows 2000.
What is NetMeeting? What is the use of NetMeeting?
NetMeeting enables you to communicate with others over the Internet or your local intranet. Using NetMeeting you can:
Talk to others
Use video to see others and let others see you
Share applications and documents with others
Collaborate with others in shared applications
Send files to others
Draw with others in a shared Whiteboard
Send messages to others in chat

What features will you get when you upgrade from Windows NT to Windows 2000?
Active Directory includes the following features:
* Simplified management of network-resource information and user information.
* Group Policy, which you can use to set policies that apply across a given site, domain, or organizational unit in Active Directory.
* Security and authentication features, including support for Kerberos V5, Secure Sockets Layer v3, and Transport Layer Security using X.509v3 certificates.
* Directory consolidation, through which you can organize and simplify the management of users, computers, applications, and devices, and make it easier for users to find the information they need. You can take advantage of synchronization support through interfaces based on the Lightweight Directory Access Protocol (LDAP), and work with directory consolidation requirements specific to your applications.
* Directory-enabled applications and infrastructure, which make it easier to configure and manage applications and other directory-enabled network components.
* Scalability without complexity, a result of Active Directory scaling to millions of objects per domain and using indexing technology and advanced replication techniques to speed performance.
* Use of Internet standards, including access through Lightweight Directory Access Protocol and a namespace based on the Domain Name System (DNS).
* Active Directory Service Interfaces (ADSI), a powerful development environment.
* Additional features

Features Available with Upgrade of Any Server
The features in the following list are available when member servers are upgraded in a domain, regardless of whether domain servers have been upgraded. The features available when domain controllers are upgraded include not only the features in the following list, but also the features in the previous one.
* Management tools: Microsoft Management Console; Plug and Play; Device Manager; Add/Remove Hardware wizard (in Control Panel); support for Universal Serial Bus; new Backup utility.
* File system support: Enhancements to the latest version of the NTFS file system include support for disk quotas, the ability to defragment directory structures, and compressed network I/O.
* Application services: Win32 Driver Model; DirectX 5.0; Windows Script Host.
* Printer protocol support: Device and protocol support allowing choices from more than 2,500 different printers. Other printing enhancements are included, for example, Internet Printing Protocol support, which allows users to print directly to a URL over an intranet or the Internet.
* Scalability and availability: Improved symmetric multiprocessor support.
* Security: Encrypting File System.
Is there any situation to use the file system FAT or FAT32?There is one situation in which you might want to choose FAT or FAT32 as your file system. If it is necessary to have a computer that will sometimes run an earlier operating system and sometimes run Windows 2000, you will need to have a FAT or FAT32 partition as the primary (or startup) partition on the hard disk.
Note: For anything other than a situation with multiple operating systems, however, the recommended file system is NTFS.
NTFS
Some of the features you can use when you choose NTFS are:
* Active Directory, which you can use to view and control network resources easily.
* Domains, which are part of Active Directory, and which you can use to fine-tune security options while keeping administration simple. Domain controllers require NTFS.
* File encryption, which greatly enhances security.
* Permissions that can be set on individual files rather than just folders.
* Sparse files. These are very large files created by applications in such a way that only limited disk space is needed. That is, NTFS allocates disk space only to the portions of a file that are written to.
* Remote Storage, which provides an extension to your disk space by making removable media such as tapes more accessible.
* Recovery logging of disk activities, which helps you restore information quickly in the event of power failure or other system problems.
* Disk quotas, which you can use to monitor and control the amount of disk space used by individual users.
* Better scalability to large drives. The maximum drive size for NTFS is much greater than that for FAT, and as drive size increases, performance with NTFS doesn't degrade as it does with FAT.
Note: It is recommended that you format the partition with NTFS rather than converting from FAT or FAT32. Formatting a partition erases all data on the partition, but a partition that is formatted with NTFS rather than converted from FAT or FAT32 will have less fragmentation and better performance.
What options do you get when you are shutting down?
Log off
Restart
Shut down
Stand by
Hibernate
Disconnect

Standby: Turns off your monitor and hard disks, and your computer uses less power. A state in which your computer consumes less electric power when it is idle, but remains available for immediate use. Typically, you'd put your computer on stand by to save power instead of leaving it on for extended periods.
In stand by mode, information in computer memory is not saved on your hard disk. If the computer loses power, the information in memory will be lost.
This option appears only if your computer supports this feature and you have selected this option in Power Options. See Power Options overview in Help.

Hibernation: Turns off your monitor and hard disk, saves everything in memory on disk, and turns off your computer. When you restart your computer, your desktop is restored exactly as you left it.
A state in which your computer saves any Windows settings that you changed, writes any information that is currently stored in memory to your hard disk, and turns off your computer. Unlike shutting down, when you restart your computer, your desktop is restored exactly as it was before hibernation.
Hibernate appears only if your computer supports this feature and you have selected the Enable hibernate support option in Power Options. See Power Options overview in Help.

Disconnect: A state in which your Terminal Services session is disconnected, but remains active on the server. When you reconnect to Terminal Services, you are returned to the same session, and everything looks exactly as it did before you disconnected.
Disconnect appears only if you are connected to a Windows 2000 Server running Terminal Services.

Shut down: A state in which your computer saves any Windows settings that you changed and writes any information that is currently stored in memory to your hard disk. This prepares your computer to be turned off.

Restart: A state in which your computer saves any Windows settings that you changed, writes any information that is currently stored in memory to your hard disk, and then restarts your computer.

Log off: A state in which your computer closes all your programs, disconnects your computer from the network, and prepares your computer to be used by someone else.
When connected to a Windows 2000 Server running Terminal Services, Log off closes all programs running in your Terminal Services session, disconnects your session, and returns you to your Windows desktop.
What are the setup files that are used to install Windows 2000?
If you are installing from the DOS operating system the setup file is winnt. If you are installing from the Windows 95/98, Windows NT or Windows 2000 operating system, the setup file is winnt32.

What error message do you get when you run "winnt" instead of winnt32 on a 32-bit Windows operating system (like Win 95/98, Win NT, and Win 2000)?
You will get the following message on a DOS mode screen:
Windows 2000 Setup
════════════════════
This program does not run on any 32-bit version of Windows.
Use WINNT32.EXE instead.
Setup cannot continue. Press ENTER to exit.

What is the location of "hcl.txt" (Hardware Compatibility List)?
On the Windows 2000 (either Professional or any kind of server) CD, there is a folder called "support". The HCL.txt is placed in the support folder.

What is the location of winnt and winnt32?
They are located in the "i386" folder.

Where is the location of the support tools?
On the Windows 2000 (either Professional or any kind of server) CD, there is a folder called "support". In the support folder there is a sub-folder called "Tools".

How do you load the support tools?
On the Windows 2000 CD (either Professional or any kind of server): click on support--> click on tools--> click on setup.exe

How do you load the Admin Pack?
On the Windows 2000 CD (server family only): click on the i386 folder--> click on adminpak.msi
Or: go to the command prompt (in a server operating system only), go to the winnt\system32 directory and type adminpak.msi, or type msiexec /i adminpak.msi
Note: Adminpak.msi is not included in the Professional CD. If you want to load the administrative tools on the local computer you can do so, but you must have administrative permissions for the local computer to install and run Windows 2000 Administration Tools.

How do you install the Windows 2000 deployment tools, such as the Setup Manager Wizard and the System Preparation tool?
To install the Windows 2000 Setup Tools, display the contents of the Deploy.cab file, which is located in the Support\Tools folder on the Windows 2000 CD-ROM. Select all the files you want to extract, right-click a selected file, and then select Extract from the menu. You will be prompted for a destination, the location and name of a folder, for the extracted files.

How do you create a boot floppy?
To create a boot floppy, open the Windows 2000 CD, click on the bootdisk folder and click on either makeboot or makebt32.
Note: If you want to boot from MS-DOS then create the floppy disk by using the command makeboot.
What is the Desktop?
The desktop, which is the screen that you see after you log on to Windows 2000, is one of the most important features on your computer. The desktop can contain shortcuts to your most frequently used programs, documents, and printers.

Suppose your CD is an autoplay CD. What is the key that is used to stop the autoplay of the CD?
Hold the Shift key for some time immediately after inserting the CD.

What is NetWare?
NetWare is a computer network operating system developed by Novell.

What is a network?
A network is a group of computers that can communicate with each other, share resources such as hard disks and printers, and access remote hosts or other networks.
The basic components of a network are:
One or more servers
Workstations
Network Interface Cards
Communication media
Peripheral devices (such as printers)

What is a Network Interface Card?
A Network Interface Card is a circuit board installed in each computer to allow servers and workstations to communicate with each other.

What are peripheral devices?
Peripheral devices are computer-related devices, such as local printers, disk drives and modems.

What is a LAN driver?
The LAN driver controls the workstation's Network Interface Card. A LAN driver serves as a link between the operating system of a station and the physical network parts.

Why should we log on?
Logging on enables the user to use the resources and services, such as files, printers and messaging, which are available in the network. When the user logs on, his or her identity is authenticated and his or her rights to resources and services are determined.
When the user logs out, he or she is disconnected from all parts of the network.

Drive Letters:
Each workstation can assign up to 26 letters to regular drive mappings. Drive letters that are not used by local devices are available for network drives.
Generally the drive letters A and B represent floppy disk drives and C represents the local hard disk.

What do you call the right-hand portion (i.e., where the clock and other icons are) of the taskbar?
System Tray or Notification Area

What is Plug and Play?
Plug and Play hardware is hardware which Windows 2000 automatically detects, installs, and configures.

What is the command to encrypt a file from the command prompt?
cipher.exe

What are the minimum and maximum sizes for creating a partition in NTFS?
The minimum size to create a partition in NTFS is 8 MB. The maximum size to create a partition in NTFS is the disk capacity.
In how many ways can you install Windows 2000?
1) Insert the CD, boot from the CD, and install the O.S. (This is the best way.)
2) Boot from the floppy, insert the CD, and install the O.S.
3) Install over the network or install from the hard disk. For this you have to run the file winnt or winnt32.
Note: winnt is used when you are installing from an operating system other than Windows NT or 2000 (i.e., DOS, Windows 95/98 or any other). winnt32 is used if you are installing from Windows NT or Windows 2000.
What is WINS and what it does?WINS stands for Windows Internet Naming Service. It resolves
NETBIOS names to IP addresses. WINS is used only when you need to access the NETBIOS resources.
What was there in the network before WINS?
Initially the computers on the network resolved NetBIOS names by broadcast. With a small number of hosts this is no problem, but as the number of hosts grows, so does the broadcast traffic. The next step was the LMHOSTS file (LAN Manager Hosts file): the LMHOSTS file on each computer is configured with the IP address and NetBIOS name of every other computer, and each computer looks in its own file to resolve names. Configuring every computer's LMHOSTS file by hand is time consuming and error prone, so a centralized LMHOSTS file came next: the file is maintained on one server and each computer is told to use it (with an #INCLUDE line pointing at the share), but the central file still has to be maintained manually. So Microsoft introduced WINS: install WINS on a server and configure the clients to use that WINS server. That is all; nothing has to be configured on the WINS server itself, because each client registers its own name and address when it initializes with WINS.
Note: A UNIX host does not register itself in the WINS database. If a UNIX server on the network has to be resolved by NetBIOS name, add a static mapping for it on the WINS server manually.
What is NetBIOS?
NetBIOS stands for Network Basic Input/Output System. It is a naming (and session) interface: the interface through which a client reaches the lower layers of the TCP/IP stack (NetBIOS over TCP/IP) to communicate and access resources.
In Windows NT resources are shared through the NetBIOS interface, which means the client connects to the server by NetBIOS name.
What is the length of a NetBIOS name?
A NetBIOS name is 16 bytes long. The first fifteen characters hold the name itself (padded with spaces if the name is shorter); the 16th byte is a suffix identifying the type of service that registered the name, for example 00 for the Workstation service, 20 for the Server (file sharing) service and 1C for the domain controllers group name.
Where is the LMHOSTS file (LAN Manager Hosts file) in Windows 2000?
%SystemRoot%\system32\drivers\etc\lmhosts.sam (WINNT\system32\drivers\etc on a default install).
Note: The .sam extension marks it as a sample file. The live file is named lmhosts with no extension, created in the same folder.
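As an added example (not part of these notes), the PowerShell below parses LMHOSTS text in the format just described and builds the 16-byte NetBIOS names covered in the previous question, so you can see what each entry would register. The LMHOSTS content, host names and domain name are constructed for the example; the suffix values (00 Workstation, 20 Server, 1C domain controllers) are the standard NetBT ones.

```powershell
# Added example, not from the original notes: parse LMHOSTS text and build the 16-byte
# NetBIOS names each entry would register. The file content below is constructed.
$SampleLmhosts = @"
# constructed LMHOSTS sample
192.168.10.5    FILESRV01     #PRE
192.168.10.10   DC01          #PRE #DOM:CORP
192.168.10.200  printsrv
#INCLUDE \\DC01\public\lmhosts
"@

function ConvertFrom-Lmhosts {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        # Only "ip name [keywords]" lines are entries; comments and #INCLUDE lines do not match
        if ($line -notmatch '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(.*)$') { continue }
        $ip, $name, $rest = $Matches[1], $Matches[2], $Matches[3]
        $domain = $null
        if ($rest -match '#DOM:(\S+)') { $domain = $Matches[1] }   # entry is a domain controller
        [pscustomobject]@{
            IPAddress = $ip
            Name      = $name.ToUpperInvariant()      # NetBIOS names are registered upper-case
            Preload   = ($rest -match '#PRE')         # loaded into the name cache at startup
            Domain    = $domain
        }
    }
}

function ConvertTo-NetBiosName {
    # 15 ASCII characters padded with spaces, then the one-byte service suffix
    param(
        [Parameter(Mandatory)][string]$Name,
        [byte]$Suffix = 0x00    # 0x00 Workstation, 0x20 Server (file sharing), 0x1C domain controllers
    )
    if ($Name.Length -gt 15) { throw "NetBIOS names are at most 15 characters: '$Name'" }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpperInvariant().PadRight(15))
    [byte[]]($bytes + $Suffix)
}

function Format-NetBiosName {
    # Render a 16-byte name the way nbtstat -n shows it: NAME<suffix> and the service type
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $types = @{ 0x00 = 'Workstation Service'; 0x03 = 'Messenger Service'; 0x20 = 'File Server Service';
                0x1B = 'Domain Master Browser'; 0x1C = 'Domain Controllers'; 0x1D = 'Master Browser' }
    $name   = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 15).TrimEnd()
    $suffix = [int]$Bytes[15]
    '{0,-15}<{1:X2}>  {2}' -f $name, $suffix, $types[$suffix]
}

foreach ($entry in ConvertFrom-Lmhosts -Text $SampleLmhosts) {
    $out = '{0,-15} {1}' -f $entry.IPAddress, (Format-NetBiosName (ConvertTo-NetBiosName $entry.Name -Suffix 0x20))
    if ($entry.Domain) {
        # #DOM marks a domain controller; the client also treats the address as a member of DOMAIN<1C>
        $out += '  and ' + (Format-NetBiosName (ConvertTo-NetBiosName $entry.Domain -Suffix 0x1C))
    }
    $out
}
```

The 16th byte is why nbtstat -n lists the same computer several times: each service registers the same 15-character name with its own suffix, and a WINS static mapping for a UNIX host has to be created with the right type for the same reason.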
What are the Windows 2000 WINS enhancements compared to the previous versions?
Better management interface
Better clients
Replication can maintain persistent connections
Supports automatic partner discovery
Integrates with DNS and DHCP
Supports burst mode handling
What port does Terminal Services use?
TCP 3389.
How do you know whether 3389 is working or not?
netstat -a (displays all connections and listening ports); netstat -an shows the ports numerically, so look for a line with :3389 in the LISTENING state.
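As an added example (not part of these notes), the PowerShell below does the netstat check programmatically: it parses netstat -an output, reports which TCP ports are in the LISTENING state and answers the 3389 question. The netstat text is constructed for the example; with no sample supplied the function runs netstat itself.

```powershell
# Added example, not from the original notes: check for a LISTENING TCP port by parsing
# netstat -an output. The sample text is constructed; pass (netstat -an | Out-String) for live data.
$SampleNetstat = @"
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.10.5:3389      192.168.10.77:51012    ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:3389           *:*
"@

function Get-ListeningPorts {
    # One object per TCP listener: the address it is bound to and the port
    param([Parameter(Mandatory)][string]$NetstatText)
    foreach ($line in $NetstatText -split "`r?`n") {
        # Local address is <addr>:<port>; IPv6 addresses are bracketed, e.g. [::]:3389
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$') {
            [pscustomobject]@{ Address = $Matches[1]; Port = [int]$Matches[2] }
        }
    }
}

function Test-PortListening {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$NetstatText = (netstat -an | Out-String)    # live output unless sample text is supplied
    )
    $hits = Get-ListeningPorts -NetstatText $NetstatText | Where-Object { $_.Port -eq $Port }
    [bool]$hits
}

Test-PortListening -Port 3389 -NetstatText $SampleNetstat
Test-PortListening -Port 23   -NetstatText $SampleNetstat

# Terminal Services bound to 0.0.0.0 / [::] is reachable from every interface; list what else is exposed
Get-ListeningPorts -NetstatText $SampleNetstat |
    Where-Object { $_.Address -in '0.0.0.0', '[::]' } | Format-Table -AutoSize
```

A listener only proves the service is up; whether a remote client can actually reach it also depends on the host firewall and anything in between, so test from the client side too.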
What are the different address classes?
Class A: 1-126.x.x.x (127.x.x.x is reserved for loopback)
Class B: 128-191.x.x.x
Class C: 192-223.x.x.x
Class D: 224-239.x.x.x
Class E: 240-255.x.x.x
What are the features and benefits of Windows 2000 Professional?
Windows 2000 Professional is the upgrade of Windows NT Workstation, so it is built on the Windows NT code base rather than on Windows 95/98 and has the security and stability of Windows NT; at the same time it picks up some features of 95/98, specifically Plug and Play and Device Manager.
Other features: personalized Start menus; automatic software deployment with Windows Installer packages; Synchronization Manager (offline files); Internet Printing Protocol; Kerberos V5 authentication; EFS (Encrypting File System); IPSec; smart card support; the Secondary Logon service (Run as); and many more.
Note: Suppose you have a computer in a remote location with multiple operating systems installed and you want to restart it into a specific one. Go to My Computer --> Properties --> Advanced --> Startup and Recovery --> Settings and set the default operating system to the one required, then restart the computer.
Note: In Windows 2000, to reapply Group Policy immediately use secedit /refreshpolicy machine_policy (computer settings) and secedit /refreshpolicy user_policy (user settings); add /enforce to reapply even settings that have not changed. In Windows 2003 (and XP) the replacement command is gpupdate; type it at the Run prompt and it refreshes both (gpupdate /force reapplies everything).
How can you know that Active Directory is installed properly?
Dcpromo creates a SYSVOL folder under %SystemRoot% (C:\WINNT on Windows 2000, C:\Windows on 2003). Within SYSVOL you should have four folders: domain, staging, staging areas and sysvol (the last one is shared as SYSVOL, and its domain\scripts folder is the NETLOGON share). Apart from this you should have an NTDS folder (also under %SystemRoot%) containing ntds.dit, the transaction logs edb.log, res1.log and res2.log, and the edb.chk checkpoint file. dcdiag from the Support Tools confirms that the domain controller is healthy.
How can you pause the POST screen when the system starts?
Press the Pause/Break key while the POST output is displayed; it stops there, and you press Enter (or any key) to continue.
When a user logs on the startup items (the notification-area icons) are loaded. How do you stop them?
Type the user name and password, press Enter and immediately hold down the Shift key; the programs in the Startup folder are then skipped.
What are the features of Active directory?See the “benefits of Active directory” document in this folder.
What is the range of addresses in each class of Internet addresses?
Class A 0.0.0.0 - 127.255.255.255 (0.x.x.x and 127.x.x.x are reserved; 127.0.0.1 is loopback)
Class B 128.0.0.0 - 191.255.255.255
Class C 192.0.0.0 - 223.255.255.255
Class D 224.0.0.0 - 239.255.255.255
Class E 240.0.0.0 - 255.255.255.255
Note: Classes A, B and C are used to assign host addresses. Class D is used for multicasting. Class E is reserved for experimental use (255.255.255.255 is the limited broadcast address).
What is hot swapping?
Replacing a hard disk other than the active (system) disk while the computer is running.
What commands do you need to execute before upgrading from Windows 2000 to Windows 2003?
Insert the Windows 2003 CD, open the i386 folder and at a command prompt run the following (e.g., F:\i386>adprep /forestprep and F:\i386>adprep /domainprep):
adprep /forestprep
adprep /domainprep
adprep /forestprep is run once per forest, on the domain controller holding the schema master role (in the forest root domain). adprep /domainprep is run once in each domain you are upgrading, on that domain's infrastructure master. Wait for the changes to replicate, and only then upgrade the domain controllers.
How do you take a backup?
Start --> Programs --> Accessories --> System Tools --> Backup --> click on the Backup tab and select what is required.
The system state backup includes the following:
Boot files
COM+ class registration database
Registry
If the system is a domain controller it also backs up:
Active Directory (the NTDS database and logs)
SYSVOL
Note: To restore a system state backup on a domain controller you have to restart the computer in Directory Services Restore Mode, because Active Directory cannot be restored while it is online. In Directory Services Restore Mode the directory service is not running, so the database files can be replaced.
You can restore Active Directory in two ways: non-authoritative restore and authoritative restore.
Non-authoritative restore
Restart the computer --> press F8 --> select Directory Services Restore Mode --> Start --> Programs --> Accessories --> System Tools --> Backup --> Restore tab --> select the backup --> Restore Now --> restart the computer. The restored data is then overwritten by whatever newer changes the other domain controllers replicate in.
Authoritative restore
Restart the computer --> press F8 --> select Directory Services Restore Mode --> Start --> Programs --> Accessories --> System Tools --> Backup --> Restore tab --> select the backup --> Restore Now. Before restarting, open a command prompt, type ntdsutil, then authoritative restore.
Note: Here you can restore the entire database (restore database) or a subtree (restore subtree). An authoritative restore marks the restored objects as authoritative by raising their version numbers (by default 100,000 per day since the backup), so they win over the copies on the other domain controllers instead of being overwritten. Passing the distinguished name of a single object to restore subtree restores just that object (and anything below it).
Type restore subtree <distinguished name of the OU>. Example: if Research is an OU under yahoo.com, type restore subtree ou=research,dc=yahoo,dc=com. Then quit ntdsutil and restart normally.
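As an added example (not part of these notes), the PowerShell below builds the distinguished name ntdsutil expects from a canonical path such as yahoo.com/Research, the step most often got wrong in the procedure above, and then issues the authoritative restore of that subtree. The domain and OU names are the illustrative ones from the note; the command must run in Directory Services Restore Mode after the non-authoritative restore, and -WhatIf shows the ntdsutil command line without executing it.

```powershell
# Added example, not from the original notes: build the DN ntdsutil expects from a canonical
# path, then run "authoritative restore / restore subtree" for it. Names are illustrative.
function ConvertTo-DistinguishedName {
    param([Parameter(Mandatory)][string]$CanonicalName)    # e.g. yahoo.com/Research/Labs
    $parts      = $CanonicalName.Trim('/') -split '/'
    $domainRdns = @(($parts[0] -split '\.') | ForEach-Object { "DC=$_" })
    $ouRdns     = @()
    if ($parts.Count -gt 1) {
        # A DN lists the leaf first, so the OU path components are reversed
        $ouRdns = @($parts[($parts.Count - 1)..1] | ForEach-Object { "OU=$_" })
    }
    ($ouRdns + $domainRdns) -join ','
}

function Invoke-AuthoritativeRestore {
    # Must run in Directory Services Restore Mode after the non-authoritative restore.
    # -WhatIf prints the ntdsutil command line instead of executing it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # ntdsutil takes its interactive commands as arguments; each "q" leaves one menu level
    $arguments = @('authoritative restore', "restore subtree `"$DistinguishedName`"", 'q', 'q')
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'ntdsutil authoritative restore')) {
        & ntdsutil.exe @arguments
    } else {
        'ntdsutil.exe ' + (($arguments | ForEach-Object { "'$_'" }) -join ' ')
    }
}

$dn = ConvertTo-DistinguishedName 'yahoo.com/Research'
Invoke-AuthoritativeRestore -DistinguishedName $dn -WhatIf
```

Quote the DN inside the restore subtree command, as the function does, so OU names containing spaces are passed to ntdsutil as one argument.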
What are the logical components of Active Directory?
Organizational Units, Domains, Trees, Forests
What are the physical components of Active Directory?
Sites, Domain Controllers, Global Catalogue servers
Who can create site-level Group Policy?
Enterprise Admins (or Domain Admins of the forest root domain).
Who can create domain-level Group Policy?
Domain Admins (and members of Group Policy Creator Owners).
Who can create Organizational Unit-level Group Policy?
Domain Admins, or an administrator who has been delegated that right on the OU.
Who can create Local Group Policy?
The local Administrator or a domain administrator.
What is the hierarchy of Group Policy?
Local policy
Site policy
Domain policy
OU policy
Sub-OU policy (if any)
Policies are applied in this order (LSDOU); when settings conflict, the one applied last, from the closest OU, wins unless a higher-level GPO is set to No Override.
Explain the Active Directory database.
The information stored in Active Directory is the Active Directory database (ntds.dit). On every domain controller in the forest it is partitioned into three categories:
Domain partition
Configuration partition
Schema partition
Domain partition
The domain partition contains all of the objects in the directory for a domain. Domain data is replicated to every domain controller in that domain, but not beyond the domain.
Configuration partition
The configuration partition contains the replication topology (sites, site links, connection objects) and other forest-wide configuration; it is replicated to every domain controller in the forest.
Schema partition
The schema partition contains all object types (classes) and the attributes they can have. This data is common to all domain controllers in the forest and is replicated to every domain controller in the forest.
What is the Global Catalogue?
The global catalogue holds a partial replica of the domain partitions of all domains in the forest. By default the partial set of attributes stored in the global catalogue is the set most frequently used in searches, because one of the primary functions of the global catalogue is to answer clients' queries of the directory (and to resolve universal group membership at logon).
Explain the different groups in Active Directory.
There are two types of groups in Active Directory:
Security groups (can be assigned permissions)
Distribution groups (used only for e-mail distribution lists)
What is the protocol that is used for security in Windows 2000?Kerberos V5
How many ways can you open Task Manager?
There are four ways: 1) Start --> Run --> taskmgr --> OK 2) Right-click on the taskbar --> Task Manager 3) Press Ctrl+Alt+Del --> click Task Manager 4) Press Ctrl+Shift+Esc (shortcut key)
How many ways do you have to determine whether a computer is a domain controller or not?
There are several ways:
1) On the Windows logon dialog box check whether the "Log on to" field has a "this computer" option. If it lists only domain names it is a domain controller; if it offers "this computer" it is a workstation or member server.
2) Start --> Run --> netdom query dc (from the Support Tools) lists the domain controllers of the domain; netdom query fsmo lists only the FSMO role holders.
3) Look for the NTDS and SYSVOL folders in the system directory; if they are there it is a domain controller.
4) Start --> Run --> regedt32 --> look for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS. If it exists the machine is a domain controller.
5) Start --> Programs --> Administrative Tools --> Active Directory Users and Computers --> click on the Domain Controllers OU; the computers listed there are the domain controllers.
6) In Windows 2000 you cannot rename a domain controller, so under My Computer --> Properties --> Network Identification the Properties (change) button is grayed out.
Diagnostic Utilities
a) PING b) FINGER c) HOSTNAME d) NSLOOKUP e) IPCONFIG f) NETSTAT g) NBTSTAT h) ROUTE i) TRACERT j) ARP
PING: Verifies that TCP/IP is configured and that another host is reachable.
FINGER: Retrieves user/system information from a remote computer that runs the TCP/IP finger service.
HOSTNAME: Displays the host name of the local computer.
NSLOOKUP: Queries the DNS database for the records of a particular host or domain.
IPCONFIG: Displays the TCP/IP configuration (ipconfig /all shows everything; /release and /renew work on DHCP leases; /flushdns clears the resolver cache).
NETSTAT: Displays protocol statistics and the current TCP/IP connections and listening ports.
NBTSTAT: Shows the state of current NetBIOS over TCP/IP connections, purges and reloads the NetBIOS name cache from LMHOSTS (nbtstat -R), or displays the names this computer has registered and its scope ID (nbtstat -n).
ROUTE: Views or modifies the local routing table.
TRACERT: Shows the route (the hops) from the local host to a remote host.
ARP: Displays the cache of locally resolved IP address to MAC address mappings.
What is a dedicated line?
Any telecommunications line that is continuously available to the subscriber. Dedicated lines are also referred to as leased lines.
Note: The other kind is the dial-up line.
What is a dial-up line?
Any telecommunications link that is serviced by a modem. Dial-up lines are ordinary phone lines used for voice communication, while dedicated or leased lines are digital lines with dedicated circuits. Dial-up lines are generally much less expensive to use, but they have less available bandwidth.
What is an FQDN (Fully Qualified Domain Name)?
hostname.domain.com, i.e., the host name followed by every domain label up to the root.
Give an example of an FQDN.
The fully qualified domain name barney.northwind.microsoft.com can be broken down as follows:
Host name: barney
Third-level domain: northwind (Northwind Traders Ltd., a fictitious Microsoft subsidiary)
Second-level domain: microsoft (Microsoft Corporation)
Top-level domain: com (commercial domain)
The root domain has a null label and is not written in the FQDN (strictly it is the trailing dot).
What is a host?
Any device on a TCP/IP network that has an IP address. Examples include servers, clients, network interface print devices and routers.
How is a host identified on the network?
By its IP address.
What is a host name?
A friendly name given to a computer on a TCP/IP network to identify it; host names are easier for people than IP addresses. A host name can contain the characters A-Z, 0-9, "." and "-".
What are logon credentials?
The information that authenticates a user, generally consisting of user name, password and domain name.
What is the refresh interval for Group Policy?
On domain controllers policy is refreshed every 5 minutes; on all other computers every 90 minutes, plus a random offset of up to 30 minutes so that the clients do not all hit the domain controllers at once.
How many ports are there?
There are 65,536 TCP ports and 65,536 UDP ports, numbered 0-65535.
Note: Ports 0-1023 are the well-known ports, 1024-49151 are registered ports and 49152-65535 are dynamic or private ports (IANA). Windows 2000 hands out 1025-5000 as ephemeral client ports by default.
How do you do a quick shutdown/restart?
Press Ctrl+Alt+Del; the dialog box has a Shut Down button. Hold the Ctrl key while clicking Shut Down and the system shuts down immediately without closing applications cleanly, so unsaved data is lost.
What are native mode and mixed mode?
If some of your domain controllers are Windows NT 4.0 BDCs in a Windows 2000 domain, the domain is in mixed mode. As long as you need compatibility with NT domain controllers the Windows 2000 domain must stay in mixed mode.
If all of your domain controllers are Windows 2000 you can change from mixed mode to native mode. Native mode adds functionality such as universal security groups, nested groups, SID history and the remote access policy options on the Dial-in tab of the user account properties.
How do you change from mixed mode to native mode?
Start --> Programs --> Administrative Tools --> Active Directory Users and Computers --> right-click the domain --> Properties --> General tab --> Change Mode --> Yes.
Note: By default a Windows 2000 domain is created in mixed mode. You can change from mixed mode to native mode, but once you do you cannot change back from native mode to mixed mode.
Note: When you format a disk and leave the allocation unit size at the default, Windows 2000/XP/2003 divides an NTFS partition larger than 2 GB into 4 KB clusters. Space is allocated to a file in whole clusters: a new file gets 4 KB, when that fills up another 4 KB, and so on until the disk is full. This is why the "size on disk" of a file is rounded up to a multiple of the cluster size.
Note: With Windows 2000 Advanced Server and Datacenter Server we can use Network Load Balancing (NLB) across 2 to 32 servers. Server clustering (the Cluster service) supports 2 nodes on Advanced Server and 4 nodes on Datacenter Server.
Note: With disk quotas we can track disk space usage per user and limit each user to a certain amount of space.
What is latency?
The time required for an update to reach all domain controllers in the domain or forest.
What is convergence?
The state in which all domain controllers hold the same replica contents of the Active Directory database.
How do you force the KCC to generate connection objects immediately without delay?
Type repadmin /kcc. This command forces the KCC to recalculate the replication topology and create the connection objects immediately.
What file names cannot be created in the Windows operating system?
The names reserved for devices cannot be used as file names, with or without an extension (con.txt is rejected too), and the check is case-insensitive:
CON, PRN, AUX, NUL
COM1, COM2, COM3, COM4, COM5, ..., COM9
LPT1, LPT2, LPT3, LPT4, ..., LPT9
Note: The name CLOCK$ was also reserved in MS-DOS 6.22 and earlier.
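As an added example (not part of these notes), the PowerShell below implements the reserved-name rule above as a check you can put in front of any code that writes user-supplied file names, such as an upload handler: it strips the directory part, takes the base name before the first dot and compares it case-insensitively against the device names. The sample file names are constructed.

```powershell
# Added example, not from the original notes: reject file names Windows reserves for devices.
# Matching is on the base name before the first dot, so "con.txt" and "Lpt1.log" are reserved too.
$ReservedDeviceNames = @('CON', 'PRN', 'AUX', 'NUL', 'CLOCK$') +
                       @(1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedFileName {
    param([Parameter(Mandatory)][string]$FileName)
    # Only the final path component matters; strip any directory part first
    $leaf = Split-Path -Leaf $FileName
    # Windows ignores everything from the first dot (and trailing spaces) when matching device names
    $base = ($leaf -split '\.', 2)[0].TrimEnd(' ')
    $ReservedDeviceNames -contains $base.ToUpperInvariant()
}

function Get-SafeFileName {
    # Prefix a reserved name so an upload called "nul" can still be stored without hitting the device
    param([Parameter(Mandatory)][string]$FileName)
    if (Test-ReservedFileName $FileName) { '_' + $FileName } else { $FileName }
}

'report.txt', 'CON', 'con.txt', 'com1.log', 'com10.log', 'aux', 'normal.aux', 'C:\uploads\Lpt1' |
    ForEach-Object {
        [pscustomobject]@{ Name = $_; Reserved = (Test-ReservedFileName $_); Stored = (Get-SafeFileName $_) }
    } | Format-Table -AutoSize
```

COM10 and normal.aux are not reserved, which the sample shows; only COM1-COM9 and LPT1-LPT9 are, and only when the device name is the whole base name.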
What is QoS?
QoS stands for Quality of Service. With QoS we can reserve bandwidth for certain applications.
What is NAT?
NAT stands for Network Address Translation. A NAT device sits between the Internet (the public network) and our private network: on one NIC it has a valid Internet address; on the other NIC it has our private (internal) network address.
NAT translates one valid public IP address to multiple internal private addresses (and back).
We load the Windows 2000 RRAS (Routing and Remote Access) service on a Windows 2000 server and turn it into a router, then add the NAT protocol. From then on our internal clients send their Internet traffic through this router; as a packet passes through the NAT server it strips off the internal source address, replaces it with the valid public address (remembering the mapping in its translation table) and sends it out. When the reply comes back the NAT server strips off the public address, puts the private address back and delivers the traffic to that particular client. From the clients' perspective they are simply surfing the Internet.
How do you get to the NAT options?
Start --> Programs --> Administrative Tools --> Routing and Remote Access --> IP Routing --> NAT
Note: Windows 2000 NAT can also act as a DHCP allocator, so it is possible to hand out IP addresses from the NAT server. Make sure you do not also have a DHCP server on that network if you do.
If you have few clients (5 or 6) there is no harm in assigning addresses through NAT, but if your network is big it is better to use DHCP.
How do you enable address assignment through NAT?
Start --> Programs --> Administrative Tools --> Routing and Remote Access --> IP Routing --> right-click NAT --> Properties --> Address Assignment --> select "Automatically assign IP addresses by using DHCP".
Note: If you don't want the NAT server to assign IP addresses, clear that check box.
Note: The NAT server needs at least two NICs: one for the internal address and one for the external (public) address.
How do you add public IP address pools to the NAT server?
Start --> Programs --> Administrative Tools --> Routing and Remote Access --> IP Routing --> click NAT --> on the right-hand side select the external NIC (the one with the valid public IP) --> Address Pool tab --> Add --> enter the pool of addresses.
Note: By default outside clients have no access to the internal devices behind NAT; any inbound connection has to be published explicitly (Special Ports).
What are the limitations of Windows 2000 NAT?
Supports only TCP/IP; there is no support for IPX or other protocols.
No support for: SNMP (so we cannot do SNMP monitoring through the NAT device), LDAP, COM/DCOM, Kerberos V5, RPC, IPSec.
Note: Windows 2000 NAT does not pass L2TP/IPSec traffic; it passes only PPTP, for which it has a NAT editor.
What is a proxy?
A NAT server helps the client reach the Internet, whereas a proxy server does everything on the client's behalf: when a request comes from the client, the proxy server fetches the page from the Internet, caches the result on its local disk and sends the result to the client.
With a proxy we get a performance improvement, because results are cached on the local hard disk.
With a proxy we get security, because only one system on the internal network communicates with the Internet (and it can filter and log the requests).
Rather than letting clients reach the Internet by having their addresses translated, the proxy server does all the surfing for the clients, caches it on its local disk and serves it to them.
How do you install Proxy Server 2.0 on Windows 2000?
Proxy Server 2.0 does not install natively on Windows 2000; there is a patch (the Proxy Server 2.0 update for Windows 2000) that you run instead of setup. You can download it from the Microsoft website or find it on the Proxy Server CD. Go to the Proxy folder --> run the Windows 2000 update --> run the patch file --> follow the wizard; the patch invokes the proxy installation. To configure the proxy settings:
Start --> Programs --> Microsoft Proxy Server --> Microsoft Management Console. This is the MMC for Internet Information Services, because Proxy Server is integrated with IIS.
With a proxy we have two types of caching: active caching and passive caching.
How do you set the proxy settings on the clients?
Right-click Internet Explorer --> Properties --> Connections --> LAN Settings --> tick "Use a proxy server" --> type the IP address of the proxy server and the port it listens on.
What are the features of Microsoft Proxy Server 2.0?
Active/passive caching, user-level access control, IP filters, access logs, Internet access for IPX clients (through the WinSock Proxy service).
What do we get with RRAS?
With RRAS we get the ability to turn our Windows 2000 server into a fully functional router.
We also get a good deal of remote connectivity: it supports clients dialing in over phone lines, or coming in over the Internet through a virtual private network.
What does IAS do for us?
Internet Authentication Service gives us a RADIUS server. RADIUS stands for Remote Authentication Dial-In User Service and is an industry standard.
Note: Every device that you want to reach on the network is assigned a unique IP address. Clients, servers, every interface of a router, printers and all other devices on the network need an IP address to communicate.
Note: A class C network has 254 usable host addresses. A class B network has 65,534 hosts. A class A network has about 16.7 million hosts. Each octet can range from 0-255, but the address with all host bits 0 (x.x.x.0 in a class C) identifies the network and the address with all host bits 1 (x.x.x.255) is the broadcast address, so hosts use 1-254.
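As an added example (not part of these notes), the PowerShell below covers both the class ranges listed earlier and the host counts in the note above: it classifies an IPv4 address by its first octet, derives the classful default mask and computes the usable host count as 2 to the power of the host bits minus the network and broadcast addresses, flagging the loopback and "this network" cases. The sample addresses are illustrative.

```powershell
# Added example, not from the original notes: classify an IPv4 address by its first octet and
# derive the classful default mask and usable host count (2^host-bits minus network and
# broadcast). The addresses at the bottom are illustrative.
function ConvertTo-SubnetMask {
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    # The mask is PrefixLength one-bits followed by zero-bits; convert each 8-bit group to an octet
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    (0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.'
}

function Get-IPv4Class {
    param([Parameter(Mandatory)][string]$IPAddress)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $IPAddress"
    }
    $first = [int]$ip.GetAddressBytes()[0]
    # Leading bits decide the class: 0xxx A, 10xx B, 110x C, 1110 D, 1111 E
    $class, $prefix = switch ($first) {
        { $_ -lt 128 } { 'A', 8;  break }
        { $_ -lt 192 } { 'B', 16; break }
        { $_ -lt 224 } { 'C', 24; break }
        { $_ -lt 240 } { 'D', 0;  break }    # multicast: no network/host split
        default        { 'E', 0 }            # reserved / experimental
    }
    $note = switch ($first) {
        0       { 'this network; not usable as a host address'; break }
        127     { 'loopback'; break }
        default { if ($prefix) { 'unicast' } else { 'not assignable to hosts' } }
    }
    $mask  = if ($prefix) { ConvertTo-SubnetMask $prefix } else { $null }
    $hosts = if ($prefix) { [int64][math]::Pow(2, 32 - $prefix) - 2 } else { 0 }
    [pscustomobject]@{
        Address     = $IPAddress
        Class       = $class
        DefaultMask = $mask
        UsableHosts = $hosts
        Note        = $note
    }
}

'10.1.2.3', '127.0.0.1', '172.16.5.9', '192.168.1.20', '224.0.0.9', '240.0.0.1' |
    ForEach-Object { Get-IPv4Class $_ } | Format-Table -AutoSize
```

ConvertTo-SubnetMask takes any prefix length, not just 8, 16 and 24, so the same host-count arithmetic applies to the CIDR/VLSM subnets discussed under RIP version 2 later in these notes.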
Note: The network segment between two firewalls is called a screened subnet; in corporate networks it is called the DMZ (demilitarized zone).
Who is responsible for assigning public IP addresses?
The organization responsible for assigning IP addresses was InterNIC (Internet Network Information Center); today it is IANA and the regional Internet registries. It assigns public IP address blocks to individuals or organizations. Usually you take addresses from an ISP (Internet Service Provider), because ISPs obtain pools of IP addresses from the registry and allocate them to their customers.
Note: The tracert command traces the route (path) to the host you are connecting to.
pathping is a combination of tracert and ping: it displays the path and adds per-hop loss and latency statistics.
Note: When the DNS Server service starts you will see event ID 2 ("The DNS server has started"); when it shuts down, event ID 3 ("The DNS server has shut down"). When a server is enabled as a global catalog you will see event ID 1119 (NTDS General) on that server. When time synchronization is working you will see W32Time event IDs 35 and 37.
How do you increase or decrease the tombstone lifetime?
By default the tombstone lifetime is 60 days (180 days in forests created with Windows Server 2003 SP1 or later). You can increase or decrease it; the minimum is 2 days and there is no practical upper limit. Backups older than the tombstone lifetime must not be restored, because the restored domain controller would reintroduce objects that the other domain controllers have already deleted and purged (lingering objects).
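As an added example (not part of these notes), the PowerShell below reads, and optionally sets, the same tombstoneLifetime attribute that ADSI Edit exposes on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition, and uses it to decide whether a backup of a given age is still safe to restore. It assumes a domain-joined machine that can reach a domain controller; the 60-day default and the 3650-day upper bound in the code are assumptions for the example (the directory itself only enforces the 2-day minimum).

```powershell
# Added example, not from the original notes: read and (optionally) set the forest tombstone
# lifetime through ADSI, the attribute ADSI Edit shows on
# CN=Directory Service,CN=Windows NT,CN=Services,<configuration partition>.
# Assumes a domain-joined machine that can reach a domain controller.
function Get-TombstoneLifetime {
    param([int]$DefaultDays = 60)   # applies when the attribute is unset; assume 60 here, 180 for forests created with 2003 SP1+
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    $days     = if ($value) { [int]$value } else { $DefaultDays }
    [pscustomobject]@{
        DistinguishedName = $dsObject.distinguishedName.Value
        TombstoneLifetime = $days
        IsExplicit        = [bool]$value      # $false means the built-in default is in force
    }
}

function Set-TombstoneLifetime {
    # The directory rejects anything below 2 days; the 3650 upper bound is only this example's sanity check.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(2, 3650)][int]$Days)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    if ($PSCmdlet.ShouldProcess($dsObject.distinguishedName.Value, "Set tombstoneLifetime to $Days days")) {
        $dsObject.Put('tombstoneLifetime', $Days)
        $dsObject.SetInfo()
    }
}

function Test-BackupRestorable {
    # A system state backup older than the tombstone lifetime must not be restored: the restored
    # DC would bring back objects the other DCs have already deleted and purged.
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime).TombstoneLifetime
    )
    ((Get-Date) - $BackupDate).TotalDays -lt $TombstoneLifetimeDays
}

Get-TombstoneLifetime
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-45)
Set-TombstoneLifetime -Days 180 -WhatIf
```

Run Test-BackupRestorable against the date of the tape before starting a Directory Services Restore Mode restore; an old backup that passes the restore itself still fails this check.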
To change the tombstone lifetime we use ADSI Edit: the attribute is tombstoneLifetime on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition.
With Windows 2000 we have the advantage of being able to configure the server with the RRAS service and turn it into a router.
What are the functionalities of RRAS?
Supports IP and IPX routing
Supports numerous interface types
IP filters
Integrates with Active Directory
Supports the standard routing protocols:
RIP version 1 or version 2 (Routing Information Protocol)
OSPF (Open Shortest Path First)
IGMP (Internet Group Management Protocol), used for multicasting. Example: a video conference sent to many people at a time.
What are unicast, multicast and broadcast?
Unicast: from one computer to one computer.
Multicast: to only those hosts that have joined a particular multicast group.
Broadcast: to all the computers on the segment.
Note: RIP version 1 cannot do CIDR/VLSM because it carries no subnet masks, and it sends its routing table to the other routers by broadcast. RIP version 2 carries masks so it supports CIDR/VLSM, sends its routing table by multicast (224.0.0.9), and supports password authentication of routing updates.
What is a VPN?
VPN stands for Virtual Private Network: establishing a private, secure connection over a public medium. To communicate through a VPN we use PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol).
In most cases we use L2TP, because with IPSec it is the more secure of the two. PPTP is used when the VPN has to pass through a NAT device (Windows 2000 IPSec has no NAT traversal), or when the clients are not capable of establishing an L2TP/IPSec connection.
RADIUS
RADIUS stands for Remote Authentication Dial-In User Service. It is used to authenticate remote users. Instead of authenticating users at each individual RAS server, the RAS server passes the request to a central server (the RADIUS server) and the authentication happens there. All RAS servers forward their authentication requests to this central RADIUS server, which authenticates the users against Active Directory. It also does accounting, so it provides both authentication and accounting. With RADIUS, authentication takes place at a central location; there is no need to maintain a local user database on each RAS server. Whenever authentication is needed the RAS server forwards the request to the RADIUS server. Accounting means we keep track of who connected, for how long, why a connection failed and so on; all of this is centralized.
By centralizing authentication and accounting we turn our RAS servers into dumb devices. When a RAS server fails there is no need to worry about the 100 or 1,000 accounts we would otherwise have created on it by hand; all you need to do is swap in another device and configure it to pass authentication to the RADIUS server.
Note: Terminology-wise the central server is the RADIUS server; the clients of RADIUS are the RAS servers.
How do you configure a RADIUS client?
A RADIUS client is nothing but a RAS server; in Windows 2000 it is the RRAS server. On the RRAS server: Start --> Programs --> Administrative Tools --> Routing and Remote Access --> right-click the server --> Properties --> Security tab --> select RADIUS Authentication as the authentication provider and RADIUS Accounting as the accounting provider --> click Configure for each --> add the server that is going to act as the RADIUS server (and the shared secret it expects) --> OK --> restart the RRAS service.
How do you create a RADIUS server?
To make a server a RADIUS server we install Internet Authentication Service: Start --> Settings --> Control Panel --> Add/Remove Programs --> Add/Remove Windows Components --> Networking Services --> Details --> select Internet Authentication Service --> OK.
Now you can open the IAS MMC: Start --> Programs --> Administrative Tools --> Internet Authentication Service --> right-click Clients --> New Client --> give the names/addresses of the RAS servers and the shared secret --> select the appropriate options --> Finish.
Note: One thing you have to do is register Internet Authentication Service in Active Directory: Administrative Tools --> Internet Authentication Service --> right-click the root --> Register Service in Active Directory. This adds the IAS server to the RAS and IAS Servers group so it can read the users' dial-in properties and authenticate them against the Active Directory database.
Note: Put your RAS servers close to the clients. Put your RADIUS server close to the Active Directory database.
Tell me how to upgrade from 2000 to 2003.
In practice it is a month-long procedure; the important points are:
Run adprep /forestprep on the domain controller holding the schema master role. This is a one-time operation per forest.
Run adprep /domainprep on the domain controller holding the infrastructure master role, in each domain you want to upgrade. This is a one-time operation per domain.
The following steps are common to every domain controller you upgrade from 2000 to 2003:
Remove the Administrative Tools and Support Tools.
Run winnt32.exe /checkupgradeonly and review the report.
Install any hotfixes suggested by Microsoft or by the end-market administrator (if they have applications of their own).
Then upgrade by running winnt32.exe from the Windows 2003 CD-ROM.
How do you take backups?
On Monday we take a normal (full) backup, then incremental backups Tuesday to Friday.
Note: Incremental backups need the least tape each night but more tapes to restore (the full backup plus every incremental since). A differential backup uses more space on the tape each night, but you need only two tapes to restore: the full backup and the latest differential.
How do you find the MAC address of a network interface card?
First ping the IP address of the NIC whose MAC address you want; the ARP exchange that the ping triggers caches the MAC address. Then type arp -a; this shows the cached MAC address for that IP. This only works for hosts on the same subnet; for a remote address the cache holds the MAC address of your default gateway instead.
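As an added example (not part of these notes), the PowerShell below automates the ping-then-arp procedure above: it parses arp -a output into objects, and the lookup function pings the address first so the stack performs the ARP exchange before the cache is read. The arp output is constructed for the example; without sample text the function shells out to ping and arp.

```powershell
# Added example, not from the original notes: resolve an IP on the local subnet to its MAC
# address by pinging it and reading the ARP cache. The sample arp -a text is constructed.
$SampleArp = @"
Interface: 192.168.10.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.1          00-0c-29-3a-1b-77     dynamic
  192.168.10.10         00-50-56-a1-00-42     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"@

function ConvertFrom-ArpTable {
    # Turns arp -a text into objects; the Interface line says which local NIC's cache follows
    param([Parameter(Mandatory)][string]$ArpText)
    $interface = $null
    foreach ($line in $ArpText -split "`r?`n") {
        if ($line -match '^Interface:\s+(\S+)') { $interface = $Matches[1]; continue }
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            [pscustomobject]@{
                Interface  = $interface
                IPAddress  = $Matches[1]
                MacAddress = $Matches[2].ToUpperInvariant()
                Type       = $Matches[3]
            }
        }
    }
}

function Get-MacAddress {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$ArpText    # supply captured text for offline use; otherwise ping and read the live cache
    )
    if (-not $ArpText) {
        # The ARP request goes out even if the host drops the echo request, so the cache still fills
        ping -n 1 -w 1000 $IPAddress | Out-Null
        $ArpText = arp -a | Out-String
    }
    $entry = ConvertFrom-ArpTable -ArpText $ArpText | Where-Object { $_.IPAddress -eq $IPAddress }
    if ($entry) { $entry.MacAddress } else { $null }
}

Get-MacAddress -IPAddress '192.168.10.10' -ArpText $SampleArp
ConvertFrom-ArpTable -ArpText $SampleArp | Format-Table -AutoSize
```

Because ARP only works on the local segment, a MAC returned for an off-subnet address is the gateway's, and because ARP replies are unauthenticated, the cache is also what ARP spoofing attacks poison; static entries (route -p style via arp -s) are the usual mitigation on critical hosts.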
Note: If you run dcpromo on a member server it becomes a domain controller; if you run dcpromo on a domain controller (to demote it) it becomes a member server; if you demote the last domain controller in the domain it becomes a standalone server.
Note: File size is always less than or equal to size on disk (the latter is rounded up to whole clusters), except when the file is compressed, in which case size on disk can be smaller than the file size.
The data replicated between domain controllers is organized in naming contexts (directory partitions). Once a domain controller has been established, only changes are replicated.
The path that Active Directory data follows through the enterprise is called the replication topology.
Within a site a change reaches every domain controller within about 15 minutes, because the notification delay is 5 minutes (in Windows 2000) and the topology never needs more than three hops.
Note: Each domain controller keeps a list of the other domain controllers it knows and the highest USN (update sequence number) it has received from each of them.
What is propagation dampening?
It prevents unnecessary replication by not sending an update to a server that already has it. To do this domain controllers use up-to-dateness vectors, which record the highest originating update seen from every other domain controller.
In Windows 2000 the SYSVOL share holds the Group Policy templates and logon scripts that domain controllers serve to clients at logon; its contents are replicated to all domain controllers in the domain. The File Replication Service (FRS) replicates SYSVOL, following the same connection objects and schedule as Active Directory replication (set in Active Directory Sites and Services).
For Active Directory-integrated DNS zones the DNS records (IP addresses and computer names) are stored in the domain partition and replicated to all domain controllers in the domain. DNS information is not replicated to domain controllers outside the domain.
What protocol is used to replicate data?
Normally Remote Procedure Call (RPC) over IP is used to replicate data, and it is always used for intrasite replication, since FRS requires it.
SMTP may be used for replication between sites where each site is a separate domain, because SMTP cannot replicate the domain partition (only the schema, configuration and global catalog partial replicas).
Clustering: supported only by Windows 2000 Advanced Server and Datacenter Server. A cluster makes several computers appear as one to applications and clients. Server clustering supports 2 nodes on Advanced Server and 4 nodes on Datacenter Server; Network Load Balancing supports 2 to 32 servers. The Cluster service must be installed to implement server clustering.
Note: In Windows 2000, FAT16 supports partitions up to 4 GB, FAT32 partitions up to 32 GB (the format tool's limit; larger FAT32 volumes can still be mounted) and NTFS partitions from about 7 MB up to 2 TB. When you format a partition:
If you enter a size less than 4 GB, the file system dialog box offers FAT, FAT32 and NTFS.
If you enter a size between 4 GB and 32 GB, it offers FAT32 and NTFS.
If you enter a size of more than 32 GB, it offers only NTFS.
Note: You cannot compress or encrypt folders on a FAT partition.
Internet Information Services (IIS)
IIS is used to host web sites. First install the IIS service.
How do you install IIS?
Start --> Settings --> Control Panel --> Add/Remove Programs --> Add/Remove Windows Components --> (on 2003: Application Server -->) select Internet Information Services --> OK.
How do you open IIS?
Start --> Programs --> Administrative Tools --> Internet Information Services, or Start --> Run --> type inetmgr --> OK.
How do you host a web site?
Start --> Programs --> Administrative Tools --> Internet Information Services --> right-click Web Sites --> New --> Web Site --> Next --> give a description of the web site --> enter the IP address and port number for the web site (by default port 80) --> enter the path of the home directory --> select Read and Run Scripts (grant Browse only if you want directory listings) --> Finish.
Note: If you want you can change the port number, but generally we don't. If you have changed the port number, the URL has to include it after the host name, e.g., www.google.com:83. If nothing is typed the browser uses port 80 by default.
OSI Layers & Functions
Layer          Protocols                                          Responsibility
Application    FTP, HTTP, Telnet, DNS, TFTP, POP3, SMTP, News     Provides network services to the end users
Presentation   PCT, TIFF, JPEG, MIDI, MPEG
Session        NFS, SQL, RPC, X Windows
Transport      TCP, UDP
Network        IP, IPX, ICMP, ARP, RIP, OSPF, IGRP, EIGRP, IPSec
Data-Link      PPP, PPTP, L2TP, HDLC, Frame Relay
Physical
What is WINS and what does it do?
WINS stands for Windows Internet Naming Service. It resolves NETBIOS names to IP addresses. WINS is used only when you need to access NETBIOS resources.
What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. It is a naming interface by which a client can access network resources. It manages data transfer between nodes on a network.
What is NETBIOS?
NETBIOS stands for Network Basic Input Output System. It is a naming interface: the interface by which a client connects to the lower levels of the TCP/IP model in order to communicate and access those resources.
We share resources through the NETBIOS interface in Windows NT. This means that we use the NetBIOS name to connect the client to the server.
What is the length of a NETBIOS name?
A NETBIOS name is 16 characters long. The first fifteen characters can be used for the server name; the 16th character is an identifier for the type of service being registered.
Note: Computer names are not the only names registered as NetBIOS names: a domain name can be registered as a NetBIOS name, and any service on the network can be registered as a NetBIOS name, for example the Messenger service.
Note: Communication in the network happens IP address to IP address, and ultimately MAC address to MAC address.
What was there in the network before WINS?
Initially the computers in the network communicated by broadcast. If there are few hosts, there is no problem, but when there are many hosts on the network a lot of traffic is generated. So later the lmhost file (LAN Manager Host file) was invented. With this, the lmhost file of each computer is configured with an entry for every computer's IP address and NETBIOS name, so each computer looks into its own lmhost file to resolve NETBIOS names. But configuring each computer's lmhost file manually is time consuming and difficult. Then the centralized lmhost file was invented: the lmhost file is configured on one server and each computer is configured to use that file. But even so, the centralized lmhost file must be maintained manually. So Microsoft introduced WINS. With WINS you install it on a server in the network and configure the computers to use that WINS server. That's all; you need not configure anything on the WINS server. The WINS server makes an entry automatically when a client is initialized to use WINS.
Note: A UNIX host cannot register itself in the WINS database. If a UNIX server is in the network and you need to resolve its name, you must configure the entry for that UNIX server manually in the WINS server.
What is the location of the lmhost file (LAN Manager Host file) in Windows 2000?
Winnt/system32/drivers/etc/lmhost.sam
Note: The extension indicates that it is a sample file. You can create the lmhost file without that extension.
What are the Windows 2000 WINS enhancements compared to the previous versions?
Better management interface
Better clients
Replication can maintain persistent connections
Supports automatic partner discovery
Integrates with DNS and DHCP
Supports burst mode handling
Note: Windows 2000 doesn't use WINS for its naming structure; it uses DNS. The only time you need WINS in a Windows 2000 environment is when you want to resolve NETBIOS-based resources such as an NT file server. In a native Windows 2000 environment there is no need for WINS.
How to install WINS?
Start--> Settings--> Control Panel--> Add/Remove programs--> Add/Remove Windows components--> Select Networking Services--> Select WINS--> Click Next--> Insert the Windows 2000 CD--> Click OK--> Click Finish
This is all you have to do on the WINS server. Now go to each and every client and configure them to use the WINS server.
How to configure a client to use the WINS server?
Go to the client computer--> Open the TCP/IP properties dialogue box--> Click on the Advanced button--> Click on the WINS tab--> Give the IP address of the WINS server--> Click OK
How to open WINS?
Start--> Programs--> Administrative tools--> WINS
Or Start--> Run--> winsmgmt.msc
How to see records in the WINS database?
Open the WINS MMC--> Right click on Active Registrations--> Select either Find by Owner or Find by Name--> Provide the appropriate details--> Then you can see the records in the WINS database.
How to configure an entry manually in WINS?
Open the WINS MMC--> Click on Active Registrations--> Right click on the right-hand side--> Select New Static Mapping--> Enter the NETBIOS name and IP address--> Click OK
Note: You can configure as many WINS servers as you want on the network. It does not matter which client uses which WINS server, but all WINS servers should be configured to replicate their data with each other.
How to configure the WINS servers to replicate their database with other WINS servers on the network?
Open the WINS MMC--> Right click on Replication Partners--> Select New Replication Partner--> Give the IP address of the other WINS server--> Click OK
Note: By default WINS makes its replication partners push/pull replication partners.
Note: Group policies won't apply to Windows 95/98 clients.
To deploy software through Group Policy, first create a shared folder and put the installation files in that shared folder.
What is the program used to create .msi files when .msi files are not available?
Wininstall
How to deploy software using Group Policy?
Open the Group Policy Object. Here you have two places to set up deployment of software: Software Settings under Computer Configuration and Software Settings under User Configuration. To set a package for either user or computer: Right click on the appropriate Software installation node--> Select New--> Select Package--> Select the .msi file or .zap file of the application--> Select either Assigned or Published--> Click OK.
Perform the above procedure for each application that you want to deploy through Group Policy.
What is the difference between deploying applications per computer and per user?
If you deploy applications per computer, the applications are deployed to that computer when the computer starts. If you deploy applications per user, the applications are deployed when a user logs on. For computers you can only assign packages. For users you can assign or publish packages.
What does assigning an application to a computer mean?
For a computer we can only assign, we cannot publish. For computers, assign means that the applications are installed only when the computer starts. To assign applications to computers we must have .msi files.
What is the difference between assigning and publishing a package to a user?
When we assign an application, icons are placed (in the Start menu or on the desktop), but the application is installed on demand, i.e., only when you click on the icon is the application installed. Or the application is installed when you open a corresponding document. Or go to Add/Remove Programs and add the corresponding package.
When we publish an application, the application is installed when you open a corresponding document. Or go to Add/Remove Programs and add the corresponding package.
Note: With assign we can install a package in 3 ways, whereas with publish we can install it in 2 ways.
To assign a package you must have a .msi file. To publish a package you must have either a .msi file or a .zap file.
Note: With assign you get more functionality than with publish. So whenever assign is possible, choose assign.
Note: Only when you have a .msi file can you repair or upgrade that application. With .zap you cannot do either.
How to install published applications through Add/Remove Programs?
Start--> Settings--> Control panel--> Add/Remove Programs--> Click on Add New Programs--> Click on the required application--> Click on the Add button.
How to upgrade an existing application in software installation folder of GPO?
How to apply service packs to an existing application in software installation folder of GPO?
How to delete a application from software installation folder of GPO?
How to set the minimum password length through Group Policy?
Open the GPO--> Click on Computer Configuration--> Windows Settings--> Security Settings--> Account Policies--> Password Policy--> Select Minimum password length--> Give the number--> Click OK
What do we call the area between two firewalls?
The area between two firewalls is called a DMZ (Demilitarized Zone) or screened subnet.
Note: Depending on the situation, Windows 2000 can be licensed in a per-seat or per-server mode. Per-server can be changed to Per-Seat once. Per-seat is a permanent choice.
When licensing Windows 2000 Server, Client Access Licenses (CALs) must also be purchased for the number of clients that will be accessing the server, regardless of the desktop operating system that is installed on the clients.
Note: For Disk Management in Windows 2003 you can use command line tool diskpart.exe (New feature in Windows 2003). For more details type diskpart.exe at command prompt and then type “?”.
Note: ForeignSecurityPrincipals is the container for security principals from trusted external domains. Administrators should not manually change the contents of this container.
Note: By default Search doesn't display hidden files, i.e., if you are searching for a file which has the hidden attribute, even though it exists your search doesn't display it.
Note: By default Search doesn't display hidden files. But if you want to search hidden files too, you can enable this by modifying the following key in the registry:
Mycomputer\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\
Here you can find the hidden attribute value. Click on it and change the value from 0 to 1.
File and folder Attributes:
Write: Users can copy and paste new files and folders and can change folder attributes. However, users cannot open or browse the folder unless you grant the Read permission.
Read: Users can see the names of files and subfolders in a folder and view folder attributes, ownership, and permissions. Users can open and view files, but they cannot change files or add new files.
List Folder Contents: Users can see the names of files and subfolders in the folder. However, users cannot open files to view their contents.
Read & Execute: Users have the same rights as those assigned through the Read permission, as well as the ability to traverse folders. Traverse folder rights allow a user to reach files and folders located in subdirectories, even if the user does not have permission to access portions of the directory path.
What is the work of FRS (File Replication Service)?
It is used to replicate both the contents of the SYSVOL share between domain controllers and the contents of Distributed File System (DFS) replicas.
What are the contents of SYSVOL folder?
SYSVOL includes the actual SYSVOL file share, the NETLOGON file share, all Windows 9x and Windows NT System Policies, and all Win2K and later Group Policy Objects (GPOs).SYSVOL also contains all user and computer logon and logoff (and startup and shutdown) scripts. By default, SYSVOL is stored in C:\Windows\Sysvol, exists on all domain controllers, and should be identical on each domain controller in a domain.
What is a Distinguished Name (DN)?
The DN identifies the domain that holds the object and provides the complete path through the container hierarchy by which the object is reached. A typical DN is as follows: CN=someone, CN=Users, DC=Microsoft, DC=com.
What is a Relative Distinguished Name (RDN)?
The RDN is the part of the name that is an attribute of the object itself. In the above example the RDN of the someone user object is "CN=someone". The RDN of the parent object is "CN=Users".
Note: Replication happens every 5 minutes, because if replication happened immediately for each modification there would be more traffic; instead it replicates collectively the modifications made during the default interval.
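The DN/RDN relationship above, worked through in code. This is an added example, not part of the original notes; it splits a DN on unescaped commas (a backslash escapes the next character, as in LDAP), returns the RDN, the parent container DN and the DNS domain built from the DC= parts. The escaped-comma DN is a constructed sample.

```python
"""Split an LDAP distinguished name (DN) into relative distinguished names (RDNs).

Added example, not from the original notes. The first DN is the one quoted in
the notes; the escaped-comma DN is a constructed sample.
"""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas.

    A backslash escapes the next character (RFC 4514), so 'CN=Smith\\, John'
    is kept as one RDN. Whitespace after each comma is stripped.
    """
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def rdn_of(dn: str) -> str:
    """The RDN is the first component: the attribute naming the object itself."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the first RDN is the DN of the container holding the object."""
    return ",".join(split_dn(dn)[1:])


def domain_of(dn: str) -> str:
    """The DC= components, read in order, give the DNS name of the holding domain."""
    labels = []
    for part in split_dn(dn):
        attr, _, value = part.partition("=")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    return ".".join(labels)


def container_path(dn: str) -> List[str]:
    """Path from the domain root down to the object, the way a browser shows it."""
    return list(reversed(split_dn(dn)))


if __name__ == "__main__":
    dn = "CN=someone, CN=Users, DC=Microsoft, DC=com"  # the DN quoted in the notes
    print("RDN:     ", rdn_of(dn))
    print("Parent:  ", parent_dn(dn))
    print("Domain:  ", domain_of(dn))
    print("Path:    ", " / ".join(container_path(dn)))
```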
How do you determine the operating system type that you are working on?
Right click on My Computer--> Select Properties--> On the General tab you can see the operating system type and version.
ADSI Edit:
When you open ADSI Edit you can see 3 database partitions: the domain partition, the configuration partition, and the schema partition. Under these you can see the CNs and distinguished names of the different objects.
How to cluster two computers?
First go to one of the computers that is going to be clustered.
Start--> Programs--> Administrative tools--> Cluster Administrator--> You will get the Open Connection to Cluster dialogue box (if you don't get this dialogue box, click on File--> Open Connection)--> Select Create new cluster--> Go through the wizard.
Then go to the 2nd computer: Start--> Programs--> Administrative tools--> Cluster Administrator--> You will get the Open Connection to Cluster dialogue box (if you don't get this dialogue box, click on File--> Open Connection)--> Select Add nodes to cluster--> Go through the wizard.
Note: In 2003 Cluster Administrator is installed by default. In 2000 Cluster Administrator is installed when the Cluster service component is installed.
How to install the Cluster service component?
Start--> Settings--> Control panel--> Add/Remove programs--> Add/Remove Windows components--> Select Cluster Service--> Click OK
Note: By using Cluster Administrator you can configure, control, manage and monitor clusters.
Note: Clustering is only supported with Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
A cluster consists of at least two connected physical computers, or nodes, and a shared storage device, such as a RAID-5 disk set channel. The cluster provides a redundant hardware solution. Because services can run on one or both of the nodes in the cluster, users can connect to either node in the same way that they would connect to a stand-alone server, thereby providing greater availability to users.
What is failover?
The Cluster service monitors the services on all nodes. If a node fails, the Cluster service restarts or moves the services on the failed node to a functional node. This process is called failover. The ability to use multiple servers at all times reduces system costs while increasing reliability, because you do not have to dedicate servers to disaster recovery. When the failed node is restored, the resources may be returned to the original node. This process is called failback. Failover and failback in a cluster can be performed manually by the people who maintain the cluster or can occur automatically when there is an unplanned hardware or application failure.
What are active/active clustering and active/passive clustering?
Active/active clustering describes a cluster in which both members are online and able to accept user service requests. This is different from active/passive clustering, where only one member of the cluster provides service to users at a time. Active/passive is the recommended cluster configuration.
In an active/passive cluster, the cluster includes at least one passive node and one or more active nodes. A node is active if it runs an instance of an Exchange Virtual Server (EVS). A node is passive if it does not run an instance of an EVS or any other application. A passive node is ready to take over the tasks of an active node whenever a failover occurs on any active node. Whether a node is active or passive may change over the lifetime of the node. After a failover, the passive node, which now runs the failed-over EVS, is an active node and the original node becomes a passive node. In an active/passive cluster, the active node is actively handling requests while the passive node is standing by, waiting for another node to fail.
Similar to active/passive clustering, in active/active clustering, when one node fails or is taken offline, the other node in the cluster takes over for the failed node. However, because the failover causes the other node to take on additional processing operations, the overall performance of your Exchange cluster may be reduced.
Note: Microsoft recommends active/passive cluster configurations over active/active configurations. Active/active clusters have more limitations than active/passive clusters. Active/active clusters have a limit of 1,900 concurrent connections to a node hosting EVSs, and they are only supported on two nodes.
Note: Windows 2000 Advanced Server supports 2-node clustering.
Windows 2000 Datacenter Server supports 4-node clustering.
Windows 2003 Enterprise and Datacenter support 8-node clustering.
Kerberos Authentication
Kerberos is the Internet standard security protocol for handling authentication of user or system identity.
Kerberos allows UNIX clients and servers to have Active Directory accounts and obtain authentication from a domain controller.
Services can impersonate users, allowing a middle-tier service to authenticate to a back-end data server on behalf of the user.
Scripts
Scripts are used to run commands automatically when a user logs on. Generally, in small organizations, scripts are used to map drives automatically.
How to create a script?
Open Notepad.
Write the script.
Save it as a *.bat file in the NETLOGON folder.
Then go to the properties of the user for whom you want to run that particular script--> Click on the Profile tab--> Type the file name in the Logon script box (just type the file name, no need to give the path of the file)--> Click OK.
Example of a script for mapping drives.
Open a Notepad file. Type the following lines as they are (the net use command maps a drive letter to a shared folder on the server):
net use p: \\liveserver\common
net use x: \\liveserver\pdata
Save it as a *.bat file in the NETLOGON folder.
Note: The contents of a script file are nothing but the commands we use at the command prompt. A user can run these commands when he logs on and get the same functionality. But running all these commands at each logon would be tedious. So, to automatically run all these commands at the command prompt whenever a user logs on, we use scripts.
Note: The location of the NETLOGON folder is My Network Places--> Entire Network--> Microsoft Windows Network--> Click on the domain name--> Click on the server name--> Select the NETLOGON folder.
Note: Actually NETLOGON is not a folder but the share name of the folder %systemroot%\sysvol\sysvol\domainname.com\scripts. So there is no folder called NETLOGON on the server; it is the share name of the scripts folder.
So when you save a script file it will be saved in the scripts folder.
Note: You have to store scripts in the scripts folder. So when Sysvol is replicated to all domain controllers in the domain, these scripts are also replicated.
Note: In the Sysvol folder, policies and scripts are stored in their respective sub folders.
Suppose you have deleted Active Directory Users and Computers from Administrative Tools. How do you restore it?
Start--> Programs--> Right click on Administrative Tools--> Select Open All Users--> Right click in the window--> Drag down to New--> Select Shortcut--> Click on Browse--> My Computer--> C:\Windows\System32--> Select dsa.msc--> Click OK--> Give the name as Active Directory Users and Computers--> Click OK.
Note: You can add all snap-ins to Administrative Tools in this way.
Note: The same procedure applies to anything you want to place in the Start menu: just right click on the parent folder, select Open All Users, and create a shortcut there; that's all.
How to dismount a volume through the command line?
The command to dismount a volume from the command prompt is "fsutil volume dismount <volume pathname>".
How can I quickly find all the listening or open ports on my computer?
Usually, if you want to see all the used and listening ports on your computer, you'd use the NETSTAT command.
Open Command Prompt and type:
C:\WINDOWS>netstat -an |find /i "listening"
This command displays all listening ports.
C:\>netstat -an |find /i "listening" > c:\openports.txt
This command redirects the output to the file openports.txt on the C drive.
C:\>netstat -an |find /i "listening" > c:\openports.txt
This command is used to see what ports your computer actually communicates with.
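The netstat commands above filtered in code, as an added example that is not part of the original notes. It parses the Windows netstat -an layout and shows the caveat a defender hits with find /i "listening": UDP sockets carry no State column, so they never match that filter even though they are open. The netstat output embedded below is constructed sample data.

```python
"""Parse Windows 'netstat -an' output and list open ports.

Added example, not from the original notes. SAMPLE_NETSTAT is constructed
sample output; real output will differ.
"""
from typing import List, NamedTuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:1042      ESTABLISHED
  TCP    192.168.1.10:1052      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str  # empty for UDP: netstat prints no State column for it


def parse_netstat(text: str) -> List[Socket]:
    """Turn each TCP/UDP line into a Socket; header and blank lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        # rpartition keeps IPv6 addresses such as [::]:135 intact
        ip, _, port = fields[1].rpartition(":")
        state = fields[3] if len(fields) > 3 else ""
        sockets.append(Socket(fields[0], ip, int(port), fields[2], state))
    return sockets


def listening_ports(text: str) -> List[str]:
    """Open ports: TCP sockets in LISTENING state plus every bound UDP socket.

    find /i "listening" reports only the TCP half of this list.
    """
    found = set()
    for s in parse_netstat(text):
        if s.proto == "TCP" and s.state == "LISTENING":
            found.add(f"TCP/{s.local_port}")
        elif s.proto == "UDP":
            found.add(f"UDP/{s.local_port}")
    return sorted(found, key=lambda p: (p.split("/")[0], int(p.split("/")[1])))


def established_peers(text: str) -> List[str]:
    """Remote endpoints the computer is actually talking to right now."""
    return sorted(s.remote for s in parse_netstat(text) if s.state == "ESTABLISHED")


if __name__ == "__main__":
    print("open ports:", ", ".join(listening_ports(SAMPLE_NETSTAT)))
    print("talking to:", ", ".join(established_peers(SAMPLE_NETSTAT)))
```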
Note: Suppose you have some roles on a domain controller. Without transferring the roles to another domain controller you have demoted the domain controller to a member server with the command dcpromo. What will happen?
When you demote a domain controller which holds roles with the command dcpromo, during the demotion the roles are transferred to the nearest domain controller.
What is the location of Device Manager?
Right click on My Computer--> Drag down to Properties--> Click on the Hardware tab--> Click on Device Manager
Or
Start--> Programs--> Administrative Tools--> Computer Management--> Device Manager
Or
Start--> Run--> type compmgmt.msc
Where do you get the Windows 2000 Professional Resource Kit?
You get the Windows 2000 Professional Resource Kit along with a Microsoft TechNet subscription.
Note: If you want complete information about the system hardware, software and everything else regarding the system, use the command winmsd.exe.
Note: Disk quotas cannot be applied to groups in Windows 2000/2003. You can apply disk quotas to groups in Unix.
Windows Server 2003
When you first log on to a new installation of W2K3 the default desktop is blank apart from the Recycle Bin. All the rest of the icons have been moved to the Start menu.
You can readjust the desktop to the old Windows 2000 style in the following way:
Right click on the Taskbar--> Select Properties--> Click on the Start Menu tab--> Select Classic Start menu
Or Right click on the Start menu--> Select Properties--> Select Classic Start menu
What is the Manage Your Server Wizard?
When you first log on to Windows 2003 you will get the Manage Your Server Wizard.
A host of configuration and management tools have been brought together in the Manage Your Server Wizard. It also includes the ability to configure a profile, called a server role. There are 11 roles. (What are they?)
The roles are:
File server
Print server
Application server (IIS, ASP.NET)
Mail server (POP3, SMTP)
Terminal server
Remote Access/VPN server
Domain Controller (Active Directory)
DNS server
DHCP server
Streaming Media server
WINS server
There is a role called "application server", but this provides IIS, ASP.NET and web development functionality only and should only be selected if these are required.
How to add a role to a server?
Click on the Start menu--> Choose Manage Your Server--> Click on the Add or Remove a Role icon--> Highlight the role you wish to add--> Click Next
Note: When adding a role, depending upon your choice, you may be prompted to provide additional information to configure the role. You may also be prompted for the W2K3 CD if additional files are required.
You can remove a role from the server using this wizard:
Click on the Start menu--> Choose Manage Your Server--> Click on the Add or Remove a Role icon--> Highlight the role you wish to remove--> Click Next
In this way, if a role has not been added, it can be added. If it has already been added, you can remove it.
Note: If the role you want to add or remove is not listed in the Manage Your Server Wizard, go to Add/Remove Programs.
Note: You can change the computer name using the Manage Your Server Wizard; you can also add it to a workgroup or domain.
Remote Administration (formerly Terminal Services in Administration Mode)
Remote Administration is now installed by default; you do not need to install Terminal Services separately, as that is now solely for user Terminal sessions. It will need to be enabled and access granted to the appropriate users.
Administrator has access by default, but you must have a password set or you will not be able to log on.
Remote Administration can be configured by:
Right click on My Computer--> Select Properties--> Click on the Remote tab
Adding/Removing users for Remote Administration:
Click on the Select Remote Users button--> Click on the Add/Remove button
If adding, either enter the full user name (Domain\username) or select Advanced and search for the user locally or in a domain.
Volume Shadow Copy (Currently Not Recommended)
The Volume Shadow Copy Service (VSS) was specifically designed to provide point-in-time snapshots of volumes and eliminates problems with backups of open files. It can also provide recovery of files for end users or administrators without having to do a restore from backup.
The shadow copy process works on a schedule and is not recommended to be run more than once per hour. The default schedule is twice a day.
In order for the copy to work you will need to set aside a certain amount of space on the same or another volume.
Users can access the previous versions of files through Explorer. If they have Windows 2000 they will require the installation of software to enable the Explorer options.
Note: In Windows 2003 up to 32 servers can work in an NLB cluster.
In Windows 2003 up to 8 servers can participate in a cluster.
Windows System Resource Manager (WSRM)
Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications. It is useful for consolidating applications while ensuring they are given the resources they require to run on a single server.
Note: WSRM only runs on Windows Server 2003 Enterprise and Datacenter Editions.
WSRM allows administrators to control CPU and memory resource allocation to applications, services, and processes. This feature can be used to manage multiple applications on a single computer or multiple users on a computer that runs Microsoft Terminal Services. The WSRM architecture also allows administrators to manage resources on multiple systems. WSRM provides a GUI as well as command line interfaces for resource management.
What is the location of the event log files in the system?
The location of the Event Viewer log files is %systemroot%\system32\config\. All event log files, i.e., the application log, security log, system log etc., are stored here.
What are the switches available with repadmin?
Repadmin /showrepl: Shows replication status.
Repadmin /failcache: Shows recent failed cached replication events.
Repadmin /syncall: Synchronizes replication to all domain controllers in the entire forest. If you want to synchronize with only one domain controller, type repadmin /syncall followed by the FQDN of that domain controller.
Nltest
Replmon
Adsiedit.msc
How to associate an existing subnet object with a site?
Associate an existing subnet with a site under the following conditions:
When you are removing the site with which the subnet was associated.
When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.
Required credentials: Enterprise Admins
To associate an existing subnet object with a site:
Start--> Programs--> Administrative Tools--> Active Directory Sites and Services--> Click on Sites--> Click on the Subnets container--> Right click on the subnet you want to associate with the site and click on Properties--> In the Site box, click the site with which you want to associate the subnet--> Click OK.
How to change the delay of initial notification of an intrasite replication partner?
Or
How to change the default replication interval between domain controllers within a site?
The default replication interval between the domain controllers within a site is 5 minutes (300 seconds). To change the interval, follow the steps below:
Log in as Domain Administrator--> Start--> Run--> Regedt32.exe--> Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\--> Click on Parameters--> Double click on "Replication notify pause after modify (secs)"--> In the Base box, click Decimal--> In the Value data box, type the number of seconds for the delay--> Click OK
How to change the garbage collection period?
The garbage collection period determines how often expired tombstones are removed from the directory database. This period is governed by an attribute value on the Directory Service object in the configuration container. The default value is 12 (hours).
Decrease the period to perform garbage collection more frequently.
Increase the period to perform garbage collection less frequently.
Log in as Enterprise Admin--> Start--> Programs--> Support Tools--> Tools--> ADSI Edit--> Expand the Configuration container--> Expand CN=Configuration--> Expand CN=Services--> Expand CN=Windows NT--> Right click CN=Directory Service--> Click on Properties--> Click garbageCollPeriod--> Click Set--> Click OK
How to change the priority for DNS SRV records in the registry?
To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, the clients send requests to the domain controller with the next highest priority. A domain controller's priority value is stored in the registry. When the domain controller starts, the Net Logon service registers the domain controller, and the priority value is registered with the rest of its DNS information. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. The client uses the priority values to help determine which domain controller to send requests to.
The value is stored in the LdapSrvPriority registry entry. The default value is 0 and it can range from 0 through 65535.
Note: A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.
To change the priority for DNS SRV records in the registry:
Log on as Domain Admin--> Start--> Run--> Regedit--> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters--> Click Edit--> Click New--> Click DWORD Value--> For the new value name, type LdapSrvPriority--> Press Enter--> Double click the value name you just typed to open the Edit DWORD Value dialogue box--> Enter a value from 0 through 65535 (the default value is 0)--> Choose Decimal as the Base option--> Click OK--> Close the Registry Editor.
How to change the weight for DNS SRV records in the registry?
To increase the client requests sent to other domain controllers relative to a particular domain controller, adjust the weight of that domain controller to a lower value than the others. All domain controllers start with a default weight setting of 100 and can be configured with any value from 0 through 65535, with a data type of decimal. When you adjust the weight, consider it as a ratio of the weight of this domain controller to the weight of the other domain controllers. Because the default for the other domain controller is 100, the number you enter for the weight is divided by 100 to establish the ratio. For example, if you specify a weight of 60, the ratio to the other domain controller is 60/100. This reduces to 3/5, so you can expect clients to be referred to the other domain controller 5 times for every 3 times they get referred to the domain controller you are adjusting.
To change the weight for DNS SRV records in the registry:
Log on as Domain Admin--> Start--> Run--> regedit--> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters--> Click Edit--> Click New--> Click DWORD Value--> For the new value name, type LdapSrvWeight--> Press Enter--> Double click on the value name you just typed to open the Edit DWORD Value dialogue box--> Enter a value from 0 through 65535 (the default value is 100)--> Choose Decimal as the Base option--> Click OK--> Close the Registry Editor.
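The priority and weight rules just described, simulated in code. This is an added example, not part of the original notes: it picks the candidates with the lowest LdapSrvPriority value, splits the choice among them in proportion to LdapSrvWeight, and reduces a weight against the default of 100 to the referral ratio (60/100 gives 3:5). The domain controller names and values are constructed.

```python
"""Simulate a client's choice of domain controller from SRV priority and weight.

Added example, not from the original notes. DC names and values below are
constructed; only the rules (lowest priority wins, weight splits ties, default
weight 100) come from the notes.
"""
import random
from collections import Counter
from math import gcd
from typing import Dict, Iterable, List, Optional, Tuple

# (name, LdapSrvPriority, LdapSrvWeight) - constructed sample values
DCS: List[Tuple[str, int, int]] = [
    ("dc1", 0, 100),
    ("dc2", 0, 60),    # weight lowered to 60, as in the 60/100 example
    ("dc3", 10, 100),  # used only when every priority-0 DC is unavailable
]


def candidates(dcs: Iterable[Tuple[str, int, int]],
               available: Iterable[str]) -> List[Tuple[str, int, int]]:
    """Available DCs that share the lowest priority value (lower value = higher priority)."""
    up = [d for d in dcs if d[0] in set(available)]
    if not up:
        return []
    lowest = min(prio for _, prio, _ in up)
    return [d for d in up if d[1] == lowest]


def expected_share(dcs, available) -> Dict[str, float]:
    """Fraction of requests each candidate should receive: its weight over the total."""
    cands = candidates(dcs, available)
    total = sum(w for _, _, w in cands)
    if total == 0:  # all weights zero: an even random split
        return {name: 1 / len(cands) for name, _, _ in cands}
    return {name: w / total for name, _, w in cands}


def choose_dc(dcs, available, rng: random.Random) -> Optional[str]:
    """One client's pick: weighted random choice among the lowest-priority candidates."""
    cands = candidates(dcs, available)
    if not cands:
        return None
    total = sum(w for _, _, w in cands)
    if total == 0:
        return rng.choice(cands)[0]
    pick = rng.uniform(0, total)
    for name, _, w in cands:
        pick -= w
        if pick < 0:
            return name
    return cands[-1][0]  # pick == total exactly: last bucket


def simulate(dcs, available, trials: int, seed: int) -> Dict[str, float]:
    """Share of `trials` client lookups that land on each DC."""
    rng = random.Random(seed)
    counts = Counter(choose_dc(dcs, available, rng) for _ in range(trials))
    return {name: n / trials for name, n in counts.items()}


def referral_ratio(weight: int, other: int = 100) -> Tuple[int, int]:
    """Reduce weight/other: 60 -> (3, 5), i.e. 3 referrals here per 5 to the other DC."""
    g = gcd(weight, other) or 1
    return (weight // g, other // g)


if __name__ == "__main__":
    print("expected:", expected_share(DCS, ["dc1", "dc2", "dc3"]))
    print("observed:", simulate(DCS, ["dc1", "dc2", "dc3"], 10000, seed=1))
    print("ratio for weight 60:", referral_ratio(60))
    print("only dc3 up:", expected_share(DCS, ["dc3"]))
```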
How to check directory database integrity?
Prior to performing any other troubleshooting procedures related to a suspected database problem, or immediately following offline defragmentation, perform a database integrity check.
Restart the domain controller in Directory Services Restore Mode--> Open a command prompt--> Type ntdsutil, press Enter--> Type files, press Enter--> Type integrity, press Enter.
Note the status that is reported when the integrity check is completed.
If the integrity check completes successfully, type q and press Enter to return to the ntdsutil prompt. Then go on to semantic database analysis.
If the integrity check reports errors, perform directory database recovery.
Semantic database checkup:
At the ntdsutil prompt type semantic database analysis, press Enter--> At the semantic checker: prompt type verbose on, and then press Enter--> At the semantic checker: prompt type go and then press Enter
Complete the database integrity check as follows:
If no errors are detected in the status at the end of the procedure, type quit again to close Ntdsutil.exe, and then restart in normal mode.
If semantic database analysis reports recoverable errors, perform semantic database analysis with fixup. If the errors are not recoverable, either restore the domain controller from backup or rebuild the domain controller.
How to do metadata cleanup?
If you give the new domain controller the same name as the failed
computer, then you need to perform only the first procedure to clean up
metadata, which removes the NTDS Settings object of the failed
domain controller. If you will give the new domain controller a different
name, then you need to perform all three procedures: clean up
metadata, remove the failed server object from the site, and remove the
computer object from the Domain Controllers container.
Log on as Enterprise Admin. Open a command prompt, type ntdsutil and
press Enter, then type metadata cleanup and press Enter. At the
metadata cleanup: prompt, type connect to server servername, where
servername is the name of the domain controller (any functional
domain controller in the same domain) from which you plan to clean up
the metadata of the failed domain controller, and press Enter. Type quit
and press Enter to return to the metadata cleanup: prompt. Type
select operation target and press Enter. Type list domains and
press Enter; this lists all domains in the forest with a number
associated with each. Type select domain number, where number
is the number corresponding to the domain in which the failed server
was located, and press Enter. Type list sites and press Enter. Type select
site number, where number is the number of the site in which the
domain controller was a member, and press Enter. Type list servers in
site and press Enter. Type select server number, where number refers to
the domain controller to be removed, and then press Enter. Type
quit and press Enter; the metadata cleanup menu is displayed. Type
remove selected server and press Enter.
At this point, Active Directory confirms that the domain controller was
removed successfully. If you receive an error that the object could not
be found, Active Directory might already have removed the object for
the domain controller.
Type quit, and press Enter until you return to the command prompt.
If the new domain controller receives a different name than the failed
domain controller, perform the following additional steps.
Note: Do not perform the additional steps if the computer will have
the same name as the failed computer. Ensure that a hardware
failure was not the cause of the problem. If the faulty hardware is not
changed, then restoring through reinstallation might not help.
To remove the failed server object from the sites:
In Active Directory Sites and Services, expand the appropriate site and
delete the server object associated with the failed domain
controller.
To remove the failed server object from the Domain Controllers
container:
In Active Directory Users and Computers, expand the Domain
Controllers container and delete the computer object associated with the
failed domain controller.
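A check to run after the procedure above, to confirm which of the three objects for the failed DC still exist. This is an added example, not from the original Q&A; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a reachable DC, and the name DC-FAILED is a placeholder.

```powershell
# Added example, not from the original Q&A: after running the ntdsutil steps,
# report whether any of the three objects for the failed DC still exist.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later)
# and a reachable DC; 'DC-FAILED' and the -Server value are placeholders.
Import-Module ActiveDirectory

function Get-FailedDcLeftovers {
    param(
        [Parameter(Mandatory)][string]$FailedDc,   # NetBIOS name of the failed DC
        [string]$Server                             # optional DC to query (default: any)
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $rootDse  = Get-ADRootDSE @ad
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # 1. Server object under CN=Sites and its NTDS Settings child. ntdsutil's
    #    "remove selected server" deletes the NTDS Settings object.
    $serverObj = Get-ADObject @ad -SearchBase "CN=Sites,$configNc" `
        -Filter "objectClass -eq 'server' -and name -eq '$FailedDc'"
    $ntdsObj = $null
    if ($serverObj) {
        $ntdsObj = Get-ADObject @ad -SearchBase $serverObj.DistinguishedName `
            -SearchScope OneLevel -Filter "objectClass -eq 'nTDSDSA'"
    }

    # 2. Computer object in the Domain Controllers container.
    $computerObj = Get-ADObject @ad -SearchBase "OU=Domain Controllers,$domainNc" `
        -Filter "objectClass -eq 'computer' -and name -eq '$FailedDc'"

    [pscustomobject]@{
        FailedDc         = $FailedDc
        NtdsSettingsDn   = $ntdsObj.DistinguishedName      # must be gone after metadata cleanup
        SiteServerDn     = $serverObj.DistinguishedName    # delete in AD Sites and Services if the new DC gets a new name
        ComputerObjectDn = $computerObj.DistinguishedName  # delete in AD Users and Computers if the new DC gets a new name
    }
}

$leftovers = Get-FailedDcLeftovers -FailedDc 'DC-FAILED'
$leftovers | Format-List

if ($leftovers.NtdsSettingsDn) {
    Write-Warning 'NTDS Settings object still present: metadata cleanup did not complete.'
}
```

If the new DC reuses the old name, SiteServerDn and ComputerObjectDn are expected to remain populated; only NtdsSettingsDn must be empty.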
How to view the list of preferred bridgehead servers?
To see all servers that have been selected as preferred bridgehead
servers in a forest, you can view the bridgeheadServerListBL attribute
on the IP container object.
Log in as Domain Admin. Open ADSI Edit and expand the Configuration
container, then expand
CN=Configuration,DC=ForestRootDomainName, CN=Sites, and
CN=Inter-Site Transports. Right-click CN=IP and then click
Properties. In the Select a property to view box, click
bridgeheadServerListBL.
The Values box displays the distinguished name for each server object
that is currently selected as a preferred bridgehead server in the
forest. If the value is <not set>, no preferred bridgehead servers are
currently selected.
How to view replication metadata of an object?
Replication metadata identifies the history of attributes that have been
replicated for a specified object. Use this procedure to identify the times,
dates, and Update Sequence Numbers (USNs) of attribute replications,
as well as the domain controller on which replication originated.
To view replication metadata of an object:
Log in as Domain Admin, open a command prompt, type the
following command and press Enter.
Repadmin /showmeta DistinguishedName ServerName
/u:DomainName\Username /pw:*
Where:
DistinguishedName is the LDAP distinguished name of an object
that exists on ServerName.
DomainName is the domain of ServerName.
Username is the name of an administrative account in that
domain.
Note: If you are logged on as an administrator in the domain of the
destination domain controller, omit the /u: and /pw: switches.
How to verify the existence of the Operations Masters?
Or
How do you verify whether the Operations Masters are working
properly or not?
This test verifies that the operations masters are located and that they
are online and responding.
Dcdiag /s:domaincontroller /test:knowsofroleholders
Dcdiag /s:domaincontroller /test:fsmocheck
How to verify that the Windows Time Service is synchronizing
time?
To verify, use the following commands.
Net stop w32time
W32tm -once -test
Net start w32time
How to verify successful replication to a domain controller?
Use Repadmin.exe to verify the success of replication to a specific domain
controller. Run the /showreps command on the domain controller that
receives replication (the destination domain controller). In the output
under INBOUND NEIGHBORS, Repadmin.exe shows the LDAP
distinguished name of each directory partition for which inbound
directory replication has been attempted, the site and name of the
source domain controller, and whether it succeeded or not, as follows.
Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
Last attempt @ [Never] was successful.
To verify successful replication to a domain controller,
use the following command:
Repadmin /showreps ServerName /u:DomainName\Username /pw:*
Where ServerName is the name of the destination domain controller.
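Checking the INBOUND NEIGHBORS section by hand gets tedious across many partitions, so the added example below (not part of the original Q&A) parses the /showreps output and flags every partition whose last attempt failed or has never been tried. The sample output is constructed; DC names, sites, GUIDs, timestamps and the error code are placeholders.

```powershell
# Added example, not from the original Q&A: parse the INBOUND NEIGHBORS section of
# "repadmin /showreps" output and flag partitions whose last inbound attempt did
# not succeed or has never been tried. The $sample text below is constructed;
# DC names, site names, GUIDs, timestamps and error codes are placeholders.
function ConvertFrom-ShowReps {
    param([Parameter(Mandatory)][string[]]$Lines)

    $inInbound = $false
    $partition = $sourceSite = $sourceDc = $null

    foreach ($line in $Lines) {
        if ($line -match '^==== INBOUND NEIGHBORS')  { $inInbound = $true;  continue }
        if ($line -match '^==== OUTBOUND NEIGHBORS') { $inInbound = $false; continue }
        if (-not $inInbound) { continue }

        # Partition distinguished names sit flush left (DC=..., CN=Configuration,...).
        if ($line -match '^(?<dn>(CN|DC)=\S+)$') { $partition = $Matches.dn; continue }

        # Source line: "<site>\<dc> via RPC" (or "via SMTP" on intersite links).
        if ($line -match '^\s+(?<site>[^\\\s]+)\\(?<dc>\S+) via (?<transport>\w+)') {
            $sourceSite = $Matches.site
            $sourceDc   = $Matches.dc
            continue
        }

        # Result line, in the two forms the Q&A shows plus the failure form.
        if ($line -match '^\s+Last attempt @ (?<when>\[Never\]|\S+ \S+) (?<result>was successful|failed, result (?<code>\d+))') {
            $code = if ($Matches.code) { [int]$Matches.code } else { $null }
            [pscustomobject]@{
                Partition   = $partition
                SourceSite  = $sourceSite
                SourceDc    = $sourceDc
                LastAttempt = $Matches.when
                Succeeded   = ($Matches.result -eq 'was successful')
                ErrorCode   = $code
            }
        }
    }
}

# Constructed sample of what "repadmin /showreps" prints on the destination DC.
$sample = @'
Default-First-Site-Name\DC1
DC Options: IS_GC
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2009-03-12 10:15:02 was successful.

CN=Configuration,DC=corp,DC=example,DC=com
    Branch\DC3 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2009-03-12 09:40:11 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        5 consecutive failure(s).
        Last success @ 2009-03-11 22:05:00.

CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
    Branch\DC3 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ [Never] was successful.
'@ -split "`r?`n"

$results = ConvertFrom-ShowReps -Lines $sample
$results | Format-Table Partition, SourceSite, SourceDc, LastAttempt, Succeeded, ErrorCode -AutoSize

# "[Never] was successful" means no attempt has been made yet, so it is not proof of health.
$problems = @($results | Where-Object { -not $_.Succeeded -or $_.LastAttempt -eq '[Never]' })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) inbound partition(s) need attention on this DC."
} else {
    'All inbound partitions replicated successfully.'
}
```

To run it against live output, replace $sample with (repadmin /showreps ServerName); on Windows Server 2008 and later, repadmin /showrepl /csv | ConvertFrom-Csv yields the same fields without a hand-written parser.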
How to verify Replication is Functioning?
To check if replication is working, use the following command
Dcdiag /test:replications
To verify that the proper permissions are set for replication, use the
following command.
Dcdiag /test:netlogons
How to verify network connectivity?
To verify network connectivity, first ping your own IP address, then
ping the default gateway, and then ping the remote computer.
To verify that the routers on the way to the destination are functioning
correctly, use the pathping command.
Pathping <IP address>
What is the switch that is used to restart in Directory service
Restore mode in boot.ini file?
Use the following switch along with the path.
/safeboot:dsrepair (I hope this switch is available in Windows 2003
only)
Suppose the ipconfig /registerdns command is not working. What
could be the problem?
The DHCP Client service might be stopped. Go to services.msc
and enable the DHCP Client service.
What are the functional levels we have in Windows 2003?
There are 2 types of functional levels in Windows 2003.
Forest Functional Level
Domain Functional Level
What is forest functional level in Windows 2003?
The functional level of an Active Directory forest that has one or more
domain controllers running Windows Server 2003. The functional level
of a forest can be raised to enable new Active Directory features that
will apply to every domain controller in the forest. There are 3 forest
functional levels.
Windows 2000 (Supports NT, 2000, 2003 domain controllers)
Windows server 2003 interim (supports only NT, 2003 domain
controllers)
Windows server 2003 (Supports only 2003 family domain
controllers)
Note: When you raise the functional level to windows server 2003
interim or windows server 2003 you will get advanced forest wide
Active Directory features.
What is domain functional level in Windows 2003?
The functional level of an Active Directory domain that has one or more
domain controllers running Windows Server 2003. The functional level
of a domain can be raised to enable new Active Directory features that
will apply to that domain only. There are 4 domain functional levels.
Windows 2000 mixed (supports NT, 2000, 2003 domain
controllers)
Windows 2000 native (supports 2000, 2003 domain controllers
only)
Windows server 2003 interim (supports NT, 2003 domain
controllers only)
Windows server 2003 (Supports only 2003 domain controllers)
Note: When you raise the domain functional level you will get
additional features.
Note: By default domain operates at the Windows 2000 mixed mode
functional level.
How to raise the forest functional level in Windows 2003?
Click Start, Programs, Administrative Tools, Active Directory Domains
and Trusts. Right-click Active Directory Domains and Trusts,
select Raise Forest Functional Level, select the required forest
functional level and click OK.
Note: To perform this you must be a member of the Domain Admins group
(in the forest root domain) or the Enterprise Admins group.
How to raise the domain functional level in Windows 2003?
Click Start, Programs, Administrative Tools, Active Directory Users and
Computers. Right-click the domain name, select Raise Domain
Functional Level, select the appropriate domain level and click OK.
Note: If the functional level is Windows Server 2003 then you will get
all the features that are available with 2003. When Windows NT or
Windows 2000 domain controllers are included in your domain or forest
with domain controllers running Windows Server 2003, Active Directory
features are limited.
Note: Once you raise the domain or forest functional level you
cannot revert back.
Advantages of different functional levels:
Whenever you are in Windows 2000 mixed mode the advantage is that
you can use Windows NT, 2000 and 2003 domain controllers. The
limitations are:
you cannot create universal groups
you cannot nest groups
you cannot convert groups (i.e., conversion between security
groups and distribution groups)
some additional dial-in features will be disabled
you cannot rename the domain controller
SID history is disabled.
About cable modems
Unlike traditional modems, which convert analog and digital signals to exchange data over a telephone line, cable modems use Internet protocol to transmit data over a cable television line.
About digital subscriber lines
Digital subscriber lines, such as ADSL or DSL, are high-speed Internet connections offered by an Internet service provider (ISP). You operate as though you are on a network and are assigned an IP address.
About ISDN lines
Integrated Services Digital Networks (ISDN) are digital telephone services that can transmit digital and voice data at much faster speeds than traditional modems.
What is Automated System Recovery?
Windows Server 2003 has some tools to assist the administrator in
safeguarding the system against failure. One such tool is the
Automated System Recovery (ASR) set, which should be created after
installing the server, after major changes are made, and also on a
regular schedule.
How to create an ASR set?
Log on as administrator or backup operator. Click Start, Run, type
ntbackup.exe, and select Automated System Recovery.
How to recover from a system failure with the ASR set?
Insert the original operating system installation CD into the CD drive. Restart your computer and boot from the CD. Press F6 when prompted for Automated System Recovery. Insert the floppy disks of the ASR set.
How to redirect output of a command to a text file from the command prompt?
To redirect the output of a command to a text file, use the following syntax:
Commandname > filename.txt
What is the command that is used to display and modify security permissions of a folder?The command is xcacls.exe.
What is teaming? Teaming is the concept of combining two or more LAN cards for more speed. For n LAN cards there will be only one IP address. By teaming you can increase speed. For example, if you are teaming 5 LAN cards of 100 Mbps, your network speed is now 500 Mbps.
Note: You can assign one IP address to n LAN cards and at the same time you can assign n IP addresses to one LAN card.
Skills required for Microsoft Server Administrator
Microsoft has specified more than twenty-five objectives for the
70-297 test, which are grouped under four topics. Following are
the important areas in which an individual should possess good
knowledge before taking the 70-297 test:
1. Analyzing business and technical requirements of an
organization.
2. Analyzing the impact of Active Directory on the existing technical
environment.
3. Analyzing existing and planned business models and
organizational structure.
4. Analyzing the structure of IT management.
5. Evaluating the company's existing and planned technical
environments.
6. Analyzing existing network operating system implementation.
7. Analyzing the impact of Active Directory on a planned
environment.
8. Analyzing the business requirement for client computer desktop
management.
9. Analyzing security requirements for the Active Directory
directory service.
10. Designing an Active Directory and domain structure.
11. Designing an Active Directory naming strategy including
planning of DNS.
12. Designing an organizational unit structure and a site
structure. Designing a replication strategy.
13. Designing a user and computer authentication strategy.
14. Designing the placement of operations masters, global
catalog servers, domain controllers, and DNS servers.
15. Identifying network topology and performance levels.
What is Active Directory Migration Tool (ADMT)? The Active Directory Migration Tool (ADMT) is used to migrate from an earlier implementation of Windows NT to Windows Server 2003 or Windows 2000 Server. ADMT supports not only migration from Windows NT 4.0 to Active Directory but also interforest and intraforest migrations. ADMT is designed to migrate an Active Directory schema from one forest to another, regardless of whether a change in operating systems is involved.
ADMT 2.0 has many new features such as a command-line interface and a better interface to work with Microsoft Exchange Server. ADMT also supports a user-account password migration.
How to restart Active Directory Domain Services? Take the following steps to restart Active Directory Domain Services:
Start the Services console through Start > Administrative Tools > Services.
What is LDIFDE? LDIFDE is a command-line tool in the Windows Server 2003 operating system. It is used to create, modify, and delete objects on computers running on Windows Server 2003 and Windows XP Professional. LDIFDE is also used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
What is primary restore method? The primary restore method is a type of backup restoration of the System State data. This method is used to restore Active Directory data on a stand-alone domain controller. This method of restoration is also used in a situation when a completely failed forest needs to be restored.
What is replication? Replication is a process through which the changes made to a replica on one domain controller are synchronized to replicas on all other domain controllers in the network. Each domain controller stores three types of replicas:
Schema partition: This partition stores definitions and attributes of objects that can be created in the forest. Changes made in this partition are replicated to all the domain controllers in all the domains in the forest.
Configuration partition: This partition stores the logical structure of the forest deployment. It includes the domain structure and replication topology. Changes made in this partition are replicated to all the domain controllers in all the domains in the forest.
Domain partition: This partition stores all the objects in a domain. Changes made in this partition are replicated to all the domain controllers within the domain.
Note: Windows supports a new type of directory partition named Application directory partition. This partition is available only to the Windows 2003 (or above) domain controllers. The applications and services use this partition to store application-specific data.
Creating, modifying, moving, or deleting an object triggers a replication between domain controllers. Replications are of two types:
Intrasite: In the intrasite (within a site) replication, the data is not compressed, as the replication mostly uses LAN connections. This saves the computer's CPU time of processing data. In the intrasite replication, the replication partners poll each other periodically and notify each other when changes need to be replicated, and then pull the information for processing. Active Directory uses the remote procedure call (RPC) transport protocol for intrasite replication.
Intersite: As intersite (between sites) replication uses WAN connections, a large amount of data is compressed to save bandwidth. For the same reason, the replication partners do not notify each other when changes need to be replicated. Instead, administrators configure the replication schedule to update the information. Active Directory uses the IP or SMTP protocol for intersite replication.
What is NLB Manager? Network Load Balancing (NLB) Manager is a Windows Server 2008 GUI tool to manage NLB. NLB Manager is used to add or remove hosts from an NLB cluster, to configure a cluster, and to manage a cluster. NLB Manager can be installed by using Add Features within Server Manager.
What are group policies? Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied on the users and computers (not on groups). For better administration of group policies in the Windows environment, the group policy objects (GPOs) are used.
What is GPO?Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs, local and non-local (Active Directory-based) GPOs.
Local GPOs
Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. On each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on which it is stored. By default, only Security Settings nodes are configured. The rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%\SYSTEM32\GROUPPOLICY folder.
Non-local GPOs
Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects. The non-local GPOs are stored in %systemroot%\SYSVOL\<domain name>\POLICIES\<GPO GUID>\ADM, where <GPO GUID> is the GPO's globally unique identifier. Two non-local GPOs are created by default when the Active Directory is installed:
Default Domain Policy: This GPO is linked to the domain and it affects all users and computers in the domain.
Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it affects all domain controllers placed in this OU.
What is ADS (Automated Deployment Services)? Microsoft Windows Server 2003 Automated Deployment Services (ADS) is used by administrators to build and manage very large and scaled-out deployments of Windows servers. It includes a new set of imaging tools for rapidly deploying Windows 2000 Server and Windows Server 2003 remotely. ADS offers improved communication security and a reliable script execution framework. It uses the image-based deployment method.
Under what conditions should Administrators create multiple
forests? Microsoft recommends the creation of multiple forests
under the following conditions:
If Administrators do not trust each other: An Administrator
can create a "denial of service" condition. One can create this
condition by rapidly creating or deleting objects, hence causing a
large amount of replication to the global catalog. This replication
can waste network bandwidth and slow down global catalog
servers, as they spend time in processing replication. This
condition forces administrators to create multiple forests.
Organizations cannot agree on a forest change policy:
Changes in schema, configuration, and the addition of new
domains to a forest have forest-wide impact. If organizations in a
forest cannot agree on a common policy, they cannot share the
same forest, forcing administrators to create multiple forests.
If one wants to limit the scope of a trust relationship: All
domains in a forest trust each other. In order to prevent certain
users from being granted permissions to certain resources, those
users must be placed in a forest different from the forest
containing those resources. Administrators can use explicit trust
relationships to allow those users to be granted access to
resources in specific domains, if required
What is GPMC tool? The Group Policy Management Console (GPMC)
is a tool for managing group policies in Windows Server 2003. It
provides administrators a single consolidated environment for
working on group policy-related tasks. GPMC provides a single
interface with drag-and-drop functionality to allow an administrator
to manage group policy settings across multiple sites, domains, or
even forests. GPMC is used to back up, restore, import, and copy
group policy objects. It also provides a reporting interface on how
group policy objects (GPOs) have been deployed.
What is Performance Monitor? Performance Monitor is used to get
statistical information about the hardware and software components
of a server. Performance Monitor is used for the following:
Monitor objects on multiple computers.
Log data pertaining to objects on multiple computers, over time.
Analyze the effects of changes made to a computer.
Launch programs and send notifications when thresholds are
reached.
Export data for analysis in spreadsheet or database applications.
Save counter and object settings for repeated use.
Create reports for use in analyzing performance, over time.
What is System Monitor? System Monitor is a Windows graphical
tool for measuring the performance of a host or remote computer. It
is used to view reports on CPU load, memory usage, and interrupt
rate, and the overall throughput of the traffic on a network. Using
System Monitor, administrators can perform the following functions:
Create charts and reports to measure a computer's efficiency.
Identify and troubleshoot possible issues, such as unbalanced
resource use, insufficient hardware, or poor program design.
Plan for additional hardware needs.
System Monitor can also be used to monitor the resource use of
specific components and program processes.
What is the SQL Server: General Statistics: User Connections
counter? The SQL Server: General Statistics: User Connections
counter displays the number of user connections in SQL Server. Its
maximum value is 255. An increase in the value of the counter
causes performance problems and affects throughput. A Database
Administrator should monitor this counter to resolve performance
issues.
What is Simple Mail Transfer Protocol (SMTP)? Simple Mail
Transfer Protocol (SMTP) is a protocol used for sending e-mail
messages between servers. It is mostly used to send messages from
a mail client such as Microsoft Outlook to a mail server. Most of the e-
mail systems that send mails over the Internet use SMTP to send
messages from one server to another. Due to its limitations in
queuing messages at the receiving end, it is generally used with
either the POP3 or IMAP protocol, which enables a user to save and
download messages from the server.
What is bluescreen error? Bluescreen error, sometimes called
Blue Screen of Death (BSOD), is the condition that occurs when a
Windows computer fails to boot properly or quits unexpectedly.
Microsoft refers to these blue screens as "Stop errors". There are
several causes of the blue screen popping up. It can be due to a
poorly written device driver, bad memory, damaged registry, or
usage of incompatible versions of DLLs. In Windows NT, Windows
2000, Windows XP, Windows Server 2003, and Windows Vista, a blue
screen of death occurs when the kernel or a driver running in kernel
mode encounters an error from which it cannot recover. This is
usually caused by an illegal operation being performed. The only safe
action to overcome such situations is to restart the computer.
What is the netstat command? The netstat command displays
protocol-related statistics and the state of current TCP/IP
connections. It is used to get information about the open connections
on a computer, incoming and outgoing data, as well as the ports of
remote computers to which the computer is connected. The netstat
command gets all this networking information by reading the kernel
routing tables in the memory.
What is IIS? Internet Information Services (IIS) is a software service
that supports Web site creation, configuration, and management,
along with other Internet functions. Microsoft Internet Information
Services includes Network News Transfer Protocol (NNTP), File
Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
Clustering A cluster is a group of two or more computers (servers)
connected to provide fault tolerance and load balancing. It is
dedicated to run a specific application. Each server in a cluster is
known as a node. The failover and failback capabilities of a cluster
bring the application downtime to zero.
Note: Server clustering is intended to provide high availability for
applications and not for data.
Failover In the cluster, each node or computer runs the same critical
application. In case one computer fails, the other computers detect
the failure and take charge immediately. This phenomenon is called
failover.
Failback When the failed node returns back to the network, other
nodes take notice and the cluster begins to use the restored node
again. This phenomenon is called failback.
Types of Clusters: Windows Server 2003 supports two types of
clusters:
Server clusters
Network Load Balancing (NLB)
Server Clusters In server clusters, all nodes are connected to a
common data set, such as a storage area network. All nodes have
access to the same application data. Any of these nodes can process a
request from a client at any time. Nodes can be configured as either
active or passive. Only an active node can process requests from
clients. In the event of a failure of the active node, the passive node
takes charge and becomes active. Otherwise, the passive node
remains idle.
Server clusters are created for running applications that have
frequently changing data sets and have long-running in-memory
states. The applications such as database servers, e-mail and
messaging servers, and file and print services can be included in
server clusters.
A server cluster is treated as a single destination for a client. It has its
own name and IP address. This address is different from the individual
IP addresses of the servers in the cluster. Hence, when any server fails
in the cluster, the passive server becomes active. Clients send their
requests to the server cluster address. Therefore, this change over
does not affect the functionality of the cluster.
Windows Server 2003 supports eight nodes in a cluster. However,
Windows 2000 Server supports only two nodes in a cluster.
Network Load Balancing Network Load Balancing (NLB) is a type of
clustering. It is used to provide high availability and reliability of the
application servers. NLB is configured for the applications that rarely
change and that have very small data sets. Web servers, FTP servers,
VPN servers are the areas where NLB can be used successfully.
In the NLB cluster, all nodes are active and have separate identical
data sets. Multiple servers (or nodes) are used to distribute the load of
processing data. Clients send the requests to the cluster, and then the
clustering software distributes incoming client requests among the
nodes. If a node fails, the clients' requests are served by other nodes.
Network Load Balancing is highly scaleable. Both Windows 2003 and
Windows 2000 operating systems support NLB clusters of up to thirty-
two nodes.
What is Task Manager Utility? The Task Manager utility provides
information about programs and processes running on a computer.
By using Task Manager, a user can end or run programs, end
processes, and display a dynamic overview of his computer's
performance. Task Manager provides an immediate overview of
system activity and performance.
What is DNS namespace? DNS namespace is the hierarchical
structure of the domain name tree. It is defined such that the names
of all similar components are structured in the same way, yet each
remains identifiable. The full DNS name must point to a particular address.
Consider the following image of DNS namespace of the Internet:
The salessrv1 and salessrv2 are host names of the hosts configured
in the sales.ucertify.com domain. The fully qualified domain name
(FQDN) of the host salessrv1 is salessrv1.sales.ucertify.com. No two
hosts can have the same FQDN.
What is ADSIEdit? ADSIEdit is a Microsoft Management Console
(MMC) snap-in that acts as a low-level editor for Active Directory. It is
a Graphical User Interface (GUI) tool. Network administrators can use
it for common administrative tasks such as adding, deleting, and
moving objects with a directory service. The attributes for each
object can be edited or deleted by using this tool. ADSIEdit uses the
ADSI application programming interfaces (APIs) to access Active
Directory. The following are the required files for using this tool:
ADSIEDIT.DLL
ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory
environment and Microsoft Management Console (MMC) is necessary.
What are group scopes? The scope of a group defines two
characteristics:
It determines the level of security applying to a group.
It determines which users can be added to a group.
Windows Server 2003 supports the following scopes:
Domain Local: Domain local groups are used to assign permissions to
local resources such as files and printers. Members can come from any
domain.
Global: Members of this group can access resources in any domain.
Members can only come from the local domain.
Universal: Members can be added from any domain in the forest.
Members can access resources from any domain. Universal groups are
used for managing the security across domains. Universal groups can
also contain global groups. Universal groups are only available in the
domains having functional level Windows 2000 native or Windows
Server 2003.
What is IPv6? IP addressing version 6 (IPv6) is the latest version of
IP addressing. IPv6 is designed to solve many of the problems that
were faced by IPv4, such as address depletion, security, auto-
configuration, and extensibility. With the fast increasing number of
networks and the expansion of the World Wide Web, the allotted IP
addresses are depleting rapidly, and the need for more network
addresses is arising. IPv6 solves this problem, as it uses a 128-bit
address that can produce a lot more IP addresses. These addresses
are hexadecimal numbers, made up of eight octet pairs. An example
of an IPv6 address is 45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE.
What is DSMOD? DSMOD is a command-line utility that is used to
modify existing objects, such as users, computers, groups, servers,
and OUs, in Active Directory.
What is the NTDSUTIL utility? NTDSUTIL.EXE is a command-line tool
that is used to manage Active Directory. This utility is used to
perform the following tasks:
Performing database maintenance of Active Directory (for example,
offline defragmentation and integrity checks of ntds.dit).
Managing and controlling operations master (FSMO) roles, including
seizing a role from a domain controller that has failed.
Removing metadata left behind by domain controllers that were not
demoted cleanly.
Note: The NTDSUTIL utility is intended for experienced
administrators; seizing a role or deleting metadata incorrectly can
leave the directory inconsistent.
What is the System File Checker utility? The System File Checker
utility (sfc.exe) is used to verify the integrity of protected
operating system files and to restore them from the protected file
cache or the installation media if they are missing or corrupt; sfc
/scannow scans all protected files immediately. Older versions could
also extract individual compressed files (such as drivers) from the
installation cabinets and back up the existing files before restoring
the originals.
What is SCHTASKS tool? The SCHTASKS tool is used to schedule
commands and programs to run periodically or at a specific time. It
adds and removes tasks from the schedule, starts and stops tasks on
demand, and displays and changes scheduled tasks.
What is CHKDSK? CHKDSK is a command-line tool used to scan volumes
on the hard disk for physical problems, such as bad sectors, and for
logical structure errors, such as lost clusters, cross-linked files,
or directory errors, and to repair them (chkdsk /f fixes errors;
chkdsk /r additionally locates bad sectors and recovers readable
data).
Network Configuration and Management Utilities Administrators
use various utilities to configure and manage networks. Following are
some commonly used utilities:
WINIPCFG: WINIPCFG is a Windows 9x Internet Protocol (IP)
configuration utility used to display all current TCP/IP network
configuration values for a computer running Microsoft TCP/IP. Network
configuration values include the current IP address allocated to the
computer and other useful data about TCP/IP allocation. This utility is
of particular use on networks using Dynamic Host Configuration
Protocol (DHCP), allowing users to determine which TCP/IP
configuration values have been configured by DHCP.
IPCONFIG: IPCONFIG is a command-line utility used to display current
TCP/IP network configuration values, and to update or release the
Dynamic Host Configuration Protocol (DHCP) allocated leases. It is also
used to display, register, or flush Domain Name System (DNS) names.
NSLOOKUP: NSLOOKUP is a utility for diagnosing and troubleshooting
Domain Name System (DNS) problems. It performs its function by
sending queries to the DNS server and obtaining detailed responses at
the command prompt. This information can be useful for diagnosing
and resolving name resolution issues, verifying whether or not the
resource records are added or updated correctly in a zone, and
debugging other server-related problems. This utility is installed along
with the TCP/IP protocol through the Control Panel.
PING: PING is a command-line utility used to test connectivity with a
host on a TCP/IP-based network. It sends a series of ICMP Echo Request
packets to the specified destination host, which answers each with an
ICMP Echo Reply. The replies, and their round-trip times, can be used
to determine whether the network path is working properly. A missing
reply does not prove the host is down, because firewalls commonly
drop ICMP.
TRACERT: TRACERT is a route-tracing Windows utility that displays
the path an IP packet takes to reach its destination. It shows the Fully
Qualified Domain Name (FQDN) and the IP address of each gateway
along the route to the remote host.
PATHPING: PATHPING is a command-line utility that pings each hop
along the route for a set period of time and shows the delay and
packet loss along with the tracing functionality of TRACERT, which
helps determine a weak link in the path.
NBTSTAT: NBTSTAT is a Windows utility used to check the state of
current NetBIOS over TCP/IP connections, update the NetBIOS name
cache, and determine the registered names and scope IDs.
NETSTAT: NETSTAT is a command-line utility that displays protocol-
related statistics and the state of current TCP/IP connections. It is
used to obtain information about the open connections and listening
ports on a computer, traffic statistics, and the addresses and ports
of the remote computers to which the computer is connected. NETSTAT
reads this information from the TCP/IP stack's connection tables;
netstat -r additionally prints the routing table, and netstat -ano
lists every listening and connected socket together with the owning
process ID, which is useful when looking for unexpected listeners.
TELNET: TELNET is a command-line connectivity utility that starts
terminal emulation with a remote host running the Telnet Server
service. TELNET allows users to communicate with a remote computer,
run programs remotely, and perform remote administration. It uses
the Telnet protocol to connect to a remote computer running Telnet
server software, on TCP port 23 by default. Everything in a Telnet
session, including the user name and password, is sent in cleartext,
so it should be replaced by SSH or another encrypted protocol
wherever the network can be sniffed.
What is a certificate? A certificate is a digitally signed statement
that binds a public key to the identity of its holder (a user,
computer, or service) on the Internet or an intranet. It can be used
with applications and security services to provide authentication,
and the bound key is used for signing and encryption. Certificates
are issued by certification authorities (CAs); a relying party trusts
a certificate only after verifying the CA's signature on it and
checking that it has not expired or been revoked.
What is a nonclustered index? A nonclustered index has the
same B-tree structure as the clustered index. The index consists of a
root page, intermediate levels, and a leaf level. The leaf level of a
nonclustered index does not contain the actual data. It contains
pointers to the data that is stored in the data pages. A nonclustered
index does not physically rearrange the data.
Monitoring Physical Server Performance SQL Server 2005 can
be installed on a Windows 2000 or Windows 2003 server computer. A
database administrator is always concerned about the performance
of the SQL Server database engine and the server computer.
Database Administrators monitor the performance of the server
using various tools to analyze performance and resolve performance
issues.
System Monitor: System Monitor is a tool used to monitor the
performance of the server. It gives information about the resources
that are under pressure. The values of various counters in System
Monitor indicate which resource is under pressure. Performance
deterioration can be diagnosed by setting performance alerts. These
alerts show the increase or decrease in a counter value with respect
to the pre-defined value. Normally the counters are monitored for a
period of 24-hours. If an error occurs, a message regarding the error
can either be sent to the administrator or written to the Application
log. Log files can be saved in various formats such as text file, binary
file, or SQL database file.
The counters that are commonly measured in order to resolve
performance issues are as follows:
Memory: Pages/sec
Memory: Available Bytes
SQLServer: Buffer Manager: Buffer cache hit ratio
PhysicalDisk: Disk Reads/sec
PhysicalDisk: Disk Writes/sec
PhysicalDisk: % Disk Time
PhysicalDisk: Avg. Disk Queue Length
LogicalDisk: % Free Space
Processor: % Processor Time
System: Processor Queue Length
Network Interface: Bytes Received/sec
Network Interface: Bytes Sent/sec
Network Interface: Bytes Total/sec
Network Interface: Output Queue Length
SQLServer: General Statistics: User Connections
Tip for server roles. SQL Server has eight fixed server roles (in
addition to public, to which every login belongs). These roles are
as follows:
sysadmin
dbcreator
bulkadmin
diskadmin
processadmin
serveradmin
setupadmin
securityadmin
What is a virus? A virus is a malicious program that attaches itself
to other programs or files and copies itself from one computer to
another, much as a biological virus passes from one person to
another. Most viruses are written with malicious intent, so that in
addition to spreading themselves they damage programs and data.
Viruses infect existing programs to alter their behavior, actively
destroy data, and perform actions on storage devices that render the
stored data inaccessible.
Computer viruses attack the software of a computer, such as
operating systems, data files, application software, and e-mail. A
virus cannot physically damage hardware, although malware can target
the firmware that hardware depends on (the CIH virus of 1998
overwrote the BIOS flash on susceptible boards), so "does not affect
hardware" should not be read as "firmware is safe".
Network Protocols
Protocol is a set of rules and conventions by which two computers pass
messages across a network. Sets of standard protocols facilitate
communication between the computers in a network having different
types of hardware and software. Both the sender and the receiver
computers must use exactly the same set of protocols in order to
communicate with each other. A protocol can lay down the rules for
the message format, timing, sequencing, and error handling.
The primary protocols in the TCP/IP suite are as follows:
IP: Internet Protocol (IP) is a connectionless network-layer protocol
that is the primary carrier of data on a TCP/IP network.
TCP: Transmission Control Protocol (TCP) is a reliable,
connection-oriented protocol operating at the transport layer. It can
transmit large amounts of data in order and retransmits whatever is
lost. Application-layer protocols such as HTTP and FTP use the
services of TCP to transfer files between clients and servers.
UDP: User Datagram Protocol (UDP) is a connectionless, unreliable
transport-layer protocol. UDP is used primarily for brief exchanges of
requests and replies, such as DNS lookups.
Telnet: Telnet is a protocol that enables a user to log on to and
enter commands on a remote computer over the network, as if the user
were using a text-based terminal directly attached to that computer.
The whole session, including the password, is sent in cleartext.
FTP: File Transfer Protocol (FTP) is a primary protocol of the TCP/IP
suite, used to transfer text and binary files between computers over a
TCP/IP network. Like Telnet, it sends credentials in cleartext.
SMTP: Simple Mail Transfer Protocol (SMTP) is used for transferring
e-mail messages between mail servers, and from clients to their
outgoing mail server.
PPP: Point-to-Point Protocol (PPP) is a set of industry-standard framing
and authentication protocols included with Windows remote access to
ensure interoperability with third-party remote access software. It is a
data link-layer protocol designed to create a direct connection between
two computers, typically using telephone lines.
POP3: Post Office Protocol version 3 (POP3) is a protocol used for
retrieving e-mail messages. The POP3 servers allow access to a single
Inbox in contrast to IMAP servers that provide access to multiple
server-side folders.
IMAP: Internet Message Access Protocol (IMAP) is a protocol for
receiving e-mail messages. It allows an e-mail client to access and
manipulate a remote e-mail file without downloading it to the local
computer. It is used mainly by the users who want to read their e-mails
from remote locations.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is a tunneling
protocol used to provide low-cost remote access to corporate networks
through public networks such as the Internet. It carries PPP frames
inside a GRE tunnel and, on Windows, encrypts them with Microsoft
Point-to-Point Encryption (MPPE). Using PPTP, remote users can use
PPP-enabled client computers to dial a local ISP and connect to the
corporate network through the Internet. PPTP's usual authentication
method, MS-CHAP v2, is known to be breakable, so L2TP/IPsec or another
modern VPN protocol should be preferred for new deployments.
HTTP: Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP
protocol used on the World Wide Web (WWW) to display Hypertext
Markup Language (HTML) pages. HTTP defines how messages are
formatted and transmitted, and what actions Web servers and
browsers should take in response to various commands. For example,
when a client application or browser sends a request to the server
using HTTP commands, the server responds with a message containing
the protocol version, success or failure code, server information, and
body content, depending on the request. HTTP uses TCP port 80 as the
default port.
HTTPS: Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over
a Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
connection, which encrypts the traffic and lets the browser verify the
server's certificate. It appears as the scheme in the Uniform Resource
Locator (URL) address line (https://) when connecting to a secure
site, and uses TCP port 443 by default.
ARP: Address Resolution Protocol (ARP) is a network maintenance
protocol of the TCP/IP protocol suite. It resolves an IP address to
the media access control (MAC) address of the network interface card
(NIC) that holds it, by broadcasting a request on the local segment
and caching the reply. The ARP cache maintains the correlation between
each IP address and its corresponding MAC address (the reverse
mapping, MAC to IP, is the job of RARP, not ARP). ARP is limited to
physical network segments that support broadcast packets. Because ARP
replies are not authenticated, any host on the segment can answer for
another host's address (ARP spoofing) and intercept its traffic;
arp -a shows the current cache, and static entries or switch-level
dynamic ARP inspection are the usual defences.
ICMP: Internet Control Message Protocol (ICMP) is a maintenance
protocol and is normally considered a part of the IP layer. ICMP
messages are encapsulated within IP datagrams, so that they can be
routed throughout an internetwork.
Internet Message Access Protocol 4 (IMAP4): It is an e-mail retrieval
protocol that allows e-mail clients to retrieve messages from e-mail
servers. IMAP4 has the following advantages over the POP3 protocol:
IMAP4 can be used to download only selected messages from the mail
server, while POP3 downloads all the messages in the mailbox at
once.
IMAP4 can download only part of a message (e.g., the header)
initially; the full message can then be fetched on demand. POP3
downloads the entire message at once.
IMAP4 only flags a message as deleted when the client deletes it.
The message is actually removed when the client sends the EXPUNGE
command (or closes the mailbox), and can be undeleted before then.
IMAP4 supports server-side storage, so the user's location is
insignificant. POP3 relies on a local client application that holds
the downloaded mail.
Since IMAP4 stores messages on the server, the user does not have
to worry about fault tolerance and local system crashes. With POP3,
messages once downloaded from the server are stored locally and can
be lost if the local system crashes.
IMAP4 allows a user to create multiple folders (mailboxes) on the
server under the same user name and to sort specific kinds of mail
into each of them. POP3 exposes only a single inbox per account.
Changes made to a message's state (read, flagged, deleted) are
propagated to the IMAP4 server. This feature is not available with
POP3.
However, there are some disadvantages of IMAP4 compared with POP3,
which are as follows:
If the connection to the mail server drops while a message is being
read, it has to be re-established. POP3 downloads the entire message
at once, so a dropped connection after the download does not affect
reading it.
POP3 is more widely supported by commercially available mail servers
than IMAP4.
Since IMAP4 messages are stored on the server, storage management is
a primary concern on such mail servers.
IP Addressing IP addresses are used to uniquely identify the
computers in a network, so each computer must have its own unique IP
address. An IP address consists of two parts: a network identifier and
a host identifier. The network identifier identifies the network the
host belongs to, and the host identifier is a number unique to a
particular computer within that network. So within a particular
network, every node has the same network id and its own unique host
id.
Which part of the address is the network id and which part is the
host id is determined by the subnet mask. For example, if the IP
address is 192.168.1.200 and the subnet mask is 255.255.255.0, the
network id will be 192.168.1 and the host id will be 200. In the same
way, if the subnet mask is 255.255.0.0, the network id will be
192.168 and the host id will be 1.200. If the subnet mask is
255.0.0.0, the network id will be 192 and the host id will be
168.1.200.
There are two versions of IP addressing, the commonly used IPv4 and
the latest version known as IPv6. They have been discussed in detail in
the following paragraphs.
IPv4
IP Address In this version of IP addressing, an IP address is 32 bits
long and is divided into four 8-bit fields known as octets, each
written as a decimal number. Within an octet, the leftmost bit has the
value 128, followed by 64, 32, 16, 8, 4, 2, and 1. An octet can
therefore hold values from 0 to 255: if all eight bits are 1 the value
is 255, and if all eight bits are 0 the value is 0.
Subnet Mask A subnet mask determines which part of the IP address
denotes the network id and which part is the host id. It is also a 32-bit
number, which is expressed in decimal format. The subnet mask is
assigned according to the class of IP address used.
IP Address Classes The Internet Assigned Numbers Authority (IANA)
registers the IP addresses used on the Internet to ensure their
uniqueness. IP addresses have been divided into five groups, known as
IP address classes. Each class has a default subnet mask associated
with it. The five classes are A, B, C, D and E; class D is reserved for
multicast addressing and class E for experimental use. So only classes
A through C are used for assigning IP addresses to hosts.
In class A addresses, only the first octet is used to define the
network id, and the remaining three octets are used for the host id.
The first octet ranges from 1 to 126 (0 is reserved and 127 is the
loopback network), so there can only be 126 class A networks. Each
can hold 16,777,214 hosts. It uses the subnet mask 255.0.0.0.
In class B networks, the first two octets represent the network id
and the remaining two are the host id. The first octet ranges from
128 to 191, giving 16,384 networks with 65,534 hosts each. The
default subnet mask is 255.255.0.0.
In class C addresses, the first three octets represent the network
id and the last octet is the host id. The first octet ranges from 192
to 223, giving 2,097,152 networks with 254 hosts each (256 values
less the all-zeros network address and the all-ones broadcast
address). The default subnet mask is 255.255.255.0.
Class D addresses have a first-octet range of 224-239, and class E
addresses have a first-octet range of 240-255.
Classful addressing has been replaced on the Internet by Classless
Inter-Domain Routing (CIDR), in which the prefix length (for example,
/24) rather than the first octet determines the network/host split.
Default Gateway Default gateway is a TCP/IP configuration option,
used to communicate with TCP/IP nodes on remote network segments.
At least one interface must be configured with the IP address of a
default gateway.
IPv6 The current version of IP addressing (i.e., IPv4) has its
limitations. With the fast-increasing number of networks and the
expansion of the World Wide Web, the available IPv4 addresses are
running out and the need for more network addresses has arisen. IPv6
solves this problem by using a 128-bit address, which provides vastly
more addresses. An IPv6 address is written as eight 16-bit groups of
four hexadecimal digits separated by colons; leading zeros in a group
may be omitted, and one run of all-zero groups may be written as "::".
An example of an IPv6 address is
45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE.
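The two IPv6 passages above (the "What is IPv6?" answer and this paragraph) describe the 128-bit, eight-group format in words. The following Python script is an added example, not part of the original Q&A: it uses the standard library ipaddress module to split the page's sample address into its eight 16-bit groups, shows the canonical compressed and fully exploded spellings, and classifies an address by scope the way a firewall rule would. The function names and the scope table are my own choices.

```python
import ipaddress
from typing import List

# Example address taken from the text above.
EXAMPLE = "45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE"


def hextets(addr: str) -> List[int]:
    """Split a 128-bit IPv6 address into its eight 16-bit groups.

    Any legal spelling is accepted (mixed case, leading zeros omitted,
    '::' compression) because ipaddress normalises it before packing.
    """
    packed = ipaddress.IPv6Address(addr).packed        # 16 bytes = 128 bits
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def canonical(addr: str) -> str:
    """RFC 5952 text form: lower-case hex, no leading zeros, and the longest
    run of zero groups collapsed to '::' (only one run may be collapsed)."""
    return ipaddress.IPv6Address(addr).compressed


def exploded(addr: str) -> str:
    """The full spelling: eight groups of exactly four hex digits."""
    return ipaddress.IPv6Address(addr).exploded


# Scope ranges as a firewall sees them; more specific blocks come first
# because 2001:db8::/32 sits inside 2000::/3.
SCOPES = [
    ("link-local",     ipaddress.IPv6Network("fe80::/10")),    # never routed
    ("unique-local",   ipaddress.IPv6Network("fc00::/7")),     # IPv6 private space
    ("multicast",      ipaddress.IPv6Network("ff00::/8")),
    ("ipv4-mapped",    ipaddress.IPv6Network("::ffff:0:0/96")),
    ("documentation",  ipaddress.IPv6Network("2001:db8::/32")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),     # all IANA unicast allocations so far
]


def scope(addr: str) -> str:
    """Classify an IPv6 address; anything outside SCOPES is unassigned/reserved."""
    ip = ipaddress.IPv6Address(addr)
    if ip == ipaddress.IPv6Address("::1"):
        return "loopback"
    if ip == ipaddress.IPv6Address("::"):
        return "unspecified"
    for name, net in SCOPES:
        if ip in net:
            return name
    return "reserved"


if __name__ == "__main__":
    print([f"{h:04X}" for h in hextets(EXAMPLE)])
    print(canonical("2001:0db8:0000:0000:0000:0000:0000:0001"), "->",
          exploded("2001:db8::1"))
    print(EXAMPLE, "is", scope(EXAMPLE))
```

Note that the page's sample address begins with 0x45, which lies outside 2000::/3, the only block IANA currently allocates for global unicast, so scope() reports it as reserved: a syntactically valid address is not necessarily a routable one.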
Subnetting Subnets are subdivisions of an IP address network, used
for creating smaller broadcast domains and for better utilization of the
bits in the host ID. Through subnetting, the host id portion of an IP
address can be used to create more networks than by using the
default subnet mask.
Suppose that a company has been assigned the Class C network
200.1.1.0 with the standard subnet mask 255.255.255.0. This means that
the network id is 200.1.1 and the network can hold 254 hosts
(200.1.1.1 to 200.1.1.254; .0 is the network address and .255 the
broadcast address). The company has two departments: production and
sales. Members of the production department do not need to access the
computers of the sales department, so it is better to have separate
networks for the two departments for better security and
manageability. Through subnetting, bits from the host id portion can
be borrowed to create more networks: borrowing one bit gives the mask
255.255.255.128 and two subnets, 200.1.1.0 and 200.1.1.128, each with
126 usable host addresses; borrowing two bits gives 255.255.255.192
and four subnets of 62 hosts. Note that putting the departments on
separate subnets only isolates them if the router or firewall between
the subnets filters the traffic; subnetting by itself does not block
access.
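The subnetting example above, together with the class table and the three subnet-mask examples in the IP Addressing paragraph, can be worked through in code. The following Python script is an added example, not part of the original Q&A: it classifies an address the classful way, applies an arbitrary mask to split network and host, and carves the page's 200.1.1.0/24 into subnets by borrowing host bits, printing the network, broadcast and usable range of each. The function names are my own; the arithmetic comes from the standard library ipaddress module.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def ip_class(addr: str) -> Tuple[str, Optional[str]]:
    """Classful interpretation of an IPv4 address: (class, default mask).
    Classes D (multicast) and E (experimental) have no default mask."""
    first = int(addr.split(".")[0])
    if first < 128:
        return ("A", "255.0.0.0")       # 0 and 127 are reserved within this range
    if first < 192:
        return ("B", "255.255.0.0")
    if first < 224:
        return ("C", "255.255.255.0")
    if first < 240:
        return ("D", None)
    return ("E", None)


def split(addr: str, mask: str) -> Tuple[str, int]:
    """Apply a subnet mask: return (network address, host number).

    Works for any mask, not only octet-aligned ones; the host number is
    the value of the host bits (192.168.1.200/255.255.0.0 -> 1*256 + 200).
    """
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    network = iface.network.network_address
    return (str(network), int(iface.ip) - int(network))


def subnet(network: str, borrow: int) -> List[Dict[str, object]]:
    """Borrow `borrow` host bits from `network`, giving 2**borrow subnets.

    For each subnet returns the network address, mask, broadcast address,
    first and last usable host, and usable host count (the all-zeros and
    all-ones host values are reserved, hence the -2).
    """
    net = ipaddress.IPv4Network(network)
    new_prefix = net.prefixlen + borrow
    if new_prefix > 30:
        raise ValueError("a /31 or /32 leaves no room for a broadcast address")
    result = []
    for sn in net.subnets(new_prefix=new_prefix):
        result.append({
            "network": str(sn.network_address),
            "mask": str(sn.netmask),
            "broadcast": str(sn.broadcast_address),
            "first_host": str(sn.network_address + 1),
            "last_host": str(sn.broadcast_address - 1),
            "usable_hosts": sn.num_addresses - 2,
        })
    return result


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if two hosts land in the same subnet under `mask`, i.e. they
    can reach each other without going through a router."""
    return (ipaddress.IPv4Interface(f"{a}/{mask}").network
            == ipaddress.IPv4Interface(f"{b}/{mask}").network)


if __name__ == "__main__":
    print(ip_class("200.1.1.0"))
    for sn in subnet("200.1.1.0/24", 1):
        print(sn)
    print(split("192.168.1.200", "255.255.0.0"))
    print(same_subnet("200.1.1.10", "200.1.1.130", "255.255.255.128"))
```

Pass borrow=2 to subnet() to see the four /26 networks of 62 hosts; same_subnet() is the test a host performs before deciding whether to ARP for a destination directly or hand the packet to its default gateway.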
Public and Private Networks Network can be differentiated as
private and public. A public network is a network, which can be
accessed by anyone from the general public, an example being the
Internet. In contrast, a private network is accessible only by those
people who have special permissions on that particular network. An
example of a private network is a network within an organization such
as a company, a hospital, or a college.
Public and private networks have different types of IP addressing
schemes. Addresses on the Internet are assigned by the IANA (Internet
Assigned Numbers Authority), which assigns them to the Internet
Service Providers (ISPs), who then distribute them to the users. Apart
from the public address, some addresses have been reserved for the
private networks. These are not available for general public and are
used in private networks.
Some addresses from each of the classes A, B, and C have been
reserved for use by private networks (RFC 1918). The class A private
range is 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), the class B range is
172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and the class C range
is 192.168.0.0 to 192.168.255.255 (192.168.0.0/16). These addresses
are not routed on the public Internet, so a private network needs
Network Address Translation (NAT) at its border to reach it.
IP Addressing Methods:
Static Addressing In static addressing, every computer is assigned
an IP address manually. It is not preferred in large networks, which
have lots of hosts, because the chance of assigning duplicate
addresses will be more. This will result in a conflict of IP addresses and
deterioration of the speed. Also it is time consuming, as every system
is configured manually and if some changes are to be made
afterwards, it will consume a lot of time doing it manually for every
computer.
Dynamic Addressing In this type of addressing scheme, the IP
addresses are assigned automatically by the use of Dynamic Host
Configuration Protocol (DHCP) to all the computers in the network. This
results in much less burden on the network administrator and faster
configuration of the network. This type of addressing needs a DHCP
server, to which a range of IP addresses is allotted. The DHCP server
automatically assigns any address from the range of IP addresses
defined to the workstations on the network.
APIPA Automatic Private IP Addressing (APIPA) is a feature of Windows
TCP/IP (Windows 98 onwards, including Windows XP and Windows Server
2003) that configures an address for a computer when TCP/IP is
configured for dynamic addressing and no DHCP server is available. The
key function of APIPA is to keep local resources reachable even while
the DHCP server is offline. APIPA addresses are always in the range
169.254.0.1 to 169.254.255.254 and use a subnet mask of 255.255.0.0;
the client picks an address at random and checks with ARP that no
other host is already using it.
When a user configures a TCP/IP connection to obtain an IP address
automatically, the computer first tries to find a DHCP server. If it
finds one, it obtains its address from that server. If it does not,
the computer uses APIPA to assign itself a 169.254.x.x address and
keeps retrying DHCP in the background. Since APIPA does not provide a
default gateway, such a client can never reach the Internet, and
cannot access resources outside the local subnet. A host that
unexpectedly holds a 169.254.x.x address is therefore a sign that
DHCP is failing, or being blocked, on that segment.
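The private, APIPA, loopback and multicast ranges described in the preceding paragraphs are the ranges a practitioner checks before scanning or when triaging an inventory. The following Python script is an added example, not part of the original Q&A: classify() names the range an address falls in, dhcp_failures() picks out the APIPA hosts that indicate a client could not reach DHCP, and out_of_scope() rejects targets that lie outside an authorised set of networks. The function names and the sample inputs are my own.

```python
import ipaddress
from typing import List

# Reserved IPv4 ranges from the text above, checked in this order.
RANGES = [
    ("loopback",  ipaddress.IPv4Network("127.0.0.0/8")),
    ("apipa",     ipaddress.IPv4Network("169.254.0.0/16")),   # self-assigned, DHCP failed
    ("private",   ipaddress.IPv4Network("10.0.0.0/8")),       # RFC 1918
    ("private",   ipaddress.IPv4Network("172.16.0.0/12")),    # RFC 1918
    ("private",   ipaddress.IPv4Network("192.168.0.0/16")),   # RFC 1918
    ("multicast", ipaddress.IPv4Network("224.0.0.0/4")),      # class D
    ("reserved",  ipaddress.IPv4Network("240.0.0.0/4")),      # class E
]


def classify(addr: str) -> str:
    """Name the range an IPv4 address falls in, or 'public' if none matches."""
    ip = ipaddress.IPv4Address(addr)
    for name, net in RANGES:
        if ip in net:
            return name
    return "public"


def dhcp_failures(hosts: List[str]) -> List[str]:
    """Hosts that self-assigned an APIPA address: each is a client that could
    not reach a DHCP server (or whose DHCP traffic is being blocked)."""
    return [h for h in hosts if classify(h) == "apipa"]


def out_of_scope(targets: List[str], allowed: List[str]) -> List[str]:
    """Targets that sit outside every authorised network.

    A scan scope is normally a list of private networks; a public address
    slipping into the target list is the classic way to hit a third party.
    """
    nets = [ipaddress.IPv4Network(a) for a in allowed]
    return [t for t in targets
            if not any(ipaddress.IPv4Address(t) in n for n in nets)]


if __name__ == "__main__":
    # Constructed inventory, not a real capture.
    inventory = ["10.0.0.5", "169.254.3.4", "192.168.1.1", "8.8.8.8"]
    for host in inventory:
        print(host, classify(host))
    print("DHCP failures:", dhcp_failures(inventory))
    print("out of scope:", out_of_scope(inventory, ["10.0.0.0/8", "192.168.0.0/16"]))
```

classify() makes the corrected boundaries of the 172.16.0.0/12 block explicit: 172.31.255.255 is private, 172.32.0.1 is public.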
TCP/UDP Ports The default ports associated with common TCP/IP
protocols and applications are as follows:
Protocol        Transport/Port
HTTP            TCP 80
HTTPS           TCP 443
POP3            TCP 110
FTP (data)      TCP 20
FTP (control)   TCP 21
IMAP4           TCP 143
SMTP            TCP 25
NNTP            TCP 119
NTP             UDP 123
DNS             UDP 53 (TCP 53 for zone transfers and large responses)
TFTP            UDP 69
Telnet          TCP 23
SSH             TCP 22
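The port table above and the NETSTAT entry earlier in this section come together in a routine host check: list what is listening and flag anything on a cleartext-protocol port. The following Python script is an added example, not part of the original Q&A: it parses the row layout printed by netstat -ano on Windows, keeps the listening sockets, and reports those whose port belongs to a service that sends logins or files in the clear. The sample output is constructed to match that layout and is not a real capture; the function names and the CLEARTEXT set are my own.

```python
import re
from typing import Dict, List, Tuple

# Default ports from the table above, keyed by (transport, port).
WELL_KNOWN = {
    ("TCP", 20): "FTP-data", ("TCP", 21): "FTP",   ("TCP", 22): "SSH",
    ("TCP", 23): "Telnet",   ("TCP", 25): "SMTP",  ("TCP", 53): "DNS",
    ("UDP", 53): "DNS",      ("UDP", 69): "TFTP",  ("TCP", 80): "HTTP",
    ("TCP", 110): "POP3",    ("TCP", 119): "NNTP", ("UDP", 123): "NTP",
    ("TCP", 143): "IMAP4",   ("TCP", 443): "HTTPS",
}

# Services that send logins or files in cleartext (TFTP has no login at all).
CLEARTEXT = {"FTP", "Telnet", "POP3", "IMAP4", "TFTP"}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, PID.
# The local-address group is greedy so IPv6 forms such as [::]:22 split correctly.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s*$")


def parse_netstat(output: str) -> List[Dict[str, object]]:
    """Parse the text of `netstat -ano` (Windows) into a list of records.
    Header lines and blanks are skipped."""
    records = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        records.append({"proto": proto, "local_addr": laddr,
                        "local_port": int(lport), "foreign": faddr,
                        "state": state or "", "pid": int(pid)})
    return records


def listeners(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Sockets that accept traffic: TCP in LISTENING state, or any bound UDP port."""
    return [r for r in records if r["state"] == "LISTENING" or r["proto"] == "UDP"]


def flag_cleartext(records: List[Dict[str, object]]) -> List[Tuple[str, str, int, int]]:
    """(service, proto, port, pid) for every listener on a cleartext-protocol port."""
    flagged = []
    for r in listeners(records):
        name = WELL_KNOWN.get((r["proto"], r["local_port"]))
        if name in CLEARTEXT:
            flagged.append((name, r["proto"], r["local_port"], r["pid"]))
    return flagged


# Constructed sample in the layout netstat -ano prints (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1408
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49155     192.168.1.20:445       ESTABLISHED     4
  TCP    [::]:22                [::]:0                 LISTENING       2216
  UDP    0.0.0.0:69             *:*                                    1760
  UDP    0.0.0.0:123            *:*                                    1012
"""

if __name__ == "__main__":
    for service, proto, port, pid in flag_cleartext(parse_netstat(SAMPLE)):
        print(f"{service:7} {proto}/{port:<5} pid {pid}")
```

The PID column is what makes netstat -ano more useful than plain netstat -a: tasklist /fi "pid eq 1520" then tells you which binary is answering on the Telnet port.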
What are cluster configurations? Server clusters using the
Cluster service can be set up as one of the following three different
cluster configurations:
1. Single Node server clusters: They can be configured with or
without external cluster storage devices. For Single Node server
clusters without an external cluster storage device, the local disk
is configured as the cluster storage device.
2. Single Quorum Device server clusters: They can have two or
more nodes and are so configured as to attach every node to one
or more shared storage devices, such as an external array of
Small Computer System Interface (SCSI) disks. The cluster
configuration data is stored on a single cluster storage device,
also known as the quorum disk.
3. Majority Node Set server clusters: They can have two or
more nodes, but nodes might not be attached to one or more
cluster storage devices. The cluster configuration data is stored
on multiple disks across the cluster, and the Cluster service
guarantees that this data is kept consistent across the disks.
However, server clusters using the Cluster service are set up
depending on the specific needs for failovers, in which application
services are moved to another node in the cluster.
What is N+I Hot Standby Server? N+I Hot Standby Server is one
of the failover models. It is commonly referred to as an
Active/Passive mode. In an active/passive mode, the active nodes
handle all client requests, whereas the passive nodes monitor the
active nodes. In N+I Hot Standby Server, N denotes the number of
active nodes, and I refers to the number of passive nodes. This
model has a drawback that the server resources remain idle for a
long time and are utilized only when another server fails. However, it
is the most scalable and reliable model.
What is failover? Failover is a term associated with cluster
services. It refers to the ability of a server to immediately start
servicing the requests if a primary server fails. If the application
services in a cluster-node fail, the Cluster Service generally tries to
restart them on the same node. If the services do not start, then it
moves the services to another node in the cluster and restarts them
on that node.
Windows Server 2003 Active Directory and Network
Infrastructure Windows Server 2003 Active Directory is a
centralized database that stores the collection of information about
all the resources available on the Windows Server 2003 domain. It is
a hierarchical representation of all the objects and their attributes
available on the network. It enables administrators to manage the
network resources, i.e., computers, users, printers, shared folders,
etc., in an easy way. The logical structure represented by Active
Directory consists of forests, trees, domains, organizational units,
and individual objects. This structure is completely independent from
the physical structure of the network, and allows administrators to
manage domains according to the organizational needs without
bothering about the physical network structure.
Following is the description of all logical components of the Active
Directory structure:
1. Forest: A forest is the outermost boundary of an Active
Directory structure and its security boundary. It is a group of one
or more domain trees that share a common schema and Global Catalog
but do not necessarily form a contiguous namespace. It is created
when the first Active Directory domain controller is installed on a
network. The first domain in a forest is called the forest root
domain. It holds the forest-wide operations master roles (schema and
domain naming) and cannot be removed without dismantling the whole
forest. Administrators can create multiple forests and then create
trust relationships between the forests, or between specific domains
in them, depending upon the organizational needs.
2. Trees: A hierarchical structure of multiple domains organized in
the Active Directory forest is referred to as a tree. It consists of a
root domain and several child domains. The first domain created
in a tree becomes the root domain. Any domain added to the
root domain becomes its child, and the root domain becomes its
parent. The parent-child hierarchy continues until the terminal
node is reached. All domains in a tree share a common schema,
which is defined at the forest level. Depending upon the
organizational needs, multiple domain trees can be included in a
forest.
3. Domains: A domain is the basic organizational structure of a
Windows Server 2003 networking model. It logically organizes
the resources on a network and defines a security boundary in
Active Directory. The directory may contain more than one
domain, and each domain follows its own security policy and
trust relationships with other domains. Almost all the
organizations having a large network use domain type of
networking model to enhance network security and enable
administrators to efficiently manage the entire network.
4. Objects: Active Directory stores all network resources in the
form of objects in a hierarchical structure of containers and
subcontainers, thereby making them easily accessible and
manageable. Each object class is defined in the schema with a set of
attributes, some mandatory and some optional. Whenever a new object
is created for a particular class, it carries the attributes of that
class, including those inherited from the class's parent classes.
Although Windows Server 2003 Active Directory defines a default set
of classes and attributes, administrators can extend the schema
according to the organizational needs.
5. Organizational Unit (OU): It is the smallest Active Directory
container to which Group Policy can be linked and administrative
control delegated. It works as a container into which resources of a
domain can be placed. Its logical structure is usually modelled on
the organization's functional structure. It allows creating
administrative boundaries within a domain by delegating separate
administrative tasks to different administrators. Administrators can
create multiple Organizational Units in a domain, and can also nest
them, which means that other OUs can be created within an OU.
In a large complex network, the Active Directory service provides a
single point of management for the administrators by placing all the
network resources at a single place. It allows administrators to
effectively delegate administrative tasks as well as facilitate fast
searching of network resources. It is easily scalable, i.e., administrators
can add a large number of resources to it without having additional
administrative burden. It is accomplished by partitioning the directory
database, distributing it across other domains, and establishing trust
relationships, thereby providing users with benefits of decentralization,
and at the same time, maintaining the centralized administration.
The physical network infrastructure of Active Directory is far simpler
than its logical structure. The physical components are domain
controllers and sites.
1. Domain Controller: A Windows 2003 server on which Active
Directory services are installed and run is called a domain
controller. A domain controller locally resolves queries for
information about objects in its domain. A domain can have
multiple domain controllers. Each domain controller in a domain
follows the multimaster model by having a complete replica of
the domain's directory partition. In this model, every domain
controller holds a master copy of its directory partition.
Administrators can use any of the domain controllers to modify
the Active Directory database. The changes performed by the
administrators are automatically replicated to other domain
controllers in the domain.
However, there are some operations that do not follow the
multimaster model. Active Directory handles these operations
and assigns them to a single domain controller to be
accomplished. Such a domain controller is referred to as
operations master. The operations master performs several
roles, which can be forest-wide as well as domain-wide.
o Forest-wide roles: There are two types of forest-wide roles:
Schema Master and Domain Naming Master. The Schema
Master is responsible for maintaining the schema and
distributing it to the entire forest. The Domain Naming
Master is responsible for maintaining the integrity of the
forest by recording additions of domains to and deletions
of domains from the forest. When new domains are to be
added to a forest, the Domain Naming Master role is
queried. In the absence of this role, new domains cannot
be added.
o Domain-wide roles: There are three types of domain-wide
roles: RID Master, PDC Emulator, and Infrastructure Master.
Domain controllers can also be assigned the role of a Global Catalog
server. A Global Catalog is a special Active Directory database that
stores a full replica of the directory partition of its own domain
and a partial replica (a subset of the attributes of every object) of
the directory partitions of all other domains in the forest. It is
created by default on the initial domain controller in the forest.
It performs the following primary functions regarding logon and
queries within Active Directory:
1. It enables network logon by providing universal group
membership information to a domain controller when a logon
request is initiated.
2. It enables finding directory information about all the
domains in an Active Directory forest with a single query.
A Global Catalog is required to log on to a network within a
multidomain environment at the Windows 2000 native or higher
functional level. If no Global Catalog is reachable, the
authenticating domain controller cannot expand universal group
membership and refuses ordinary users' logons (members of Domain
Admins can still log on, and Windows Server 2003 can cache universal
group membership per site to cover this case).
2. Site: A site is a group of domain controllers that exist on
different IP subnets and are connected via a fast and reliable
network connection. A network may contain multiple sites
connected by a WAN link. Sites are used to control replication
traffic, which may occur within a site or between sites.
Replication within a site is referred to as intrasite replication, and
that between sites is referred to as intersite replication. Since all
domain controllers within a site are generally connected by a fast
LAN connection, the intrasite replication is always in
uncompressed form. Any changes made in the domain are
quickly replicated to the other domain controllers. Since sites are
connected to each other via a WAN connection, the intersite
replication always occurs in compressed form. Therefore, it is
slower than the intrasite replication.
What are domain functional levels? The domain functional levels
are the various states of a domain, which enable domain-wide Active
Directory features within a network environment. Domain levels are
the same as domain modes in Windows 2000. Windows supports four
types of functional levels:
1. Windows 2000 Mixed: This is the default domain functional
level. When the first domain controller is installed or upgraded to
Windows Server 2003, the domain controller is configured to run in the
Windows 2000 mixed functional level. In this mode, domain
controllers running the following operating systems are
supported:
o Windows NT Server 4.0
o Windows 2000 Server
o Windows Server 2003
2. Windows 2000 Native: In this level, domain controllers running
Windows 2000 and Windows 2003 can interact with each other.
No domain controller running a pre-Windows 2000 version is
supported in this functional level of the domain.
3. Windows Server 2003 Interim: This functional level allows a
Windows Server 2003 domain controller to interact with domain
controllers in the domain running Windows NT 4.0 or Windows
Server 2003. This functional level is used to upgrade the first
Windows NT domain to a new forest.
Note: Windows Server 2003 interim functional level does not
support domain controllers running Windows 2000.
4. Windows Server 2003: This domain functional level allows a
Windows Server 2003 domain controller to interact only with
domain controllers running Windows Server 2003 in the domain. A
domain level can be raised to Windows Server 2003 only when
all the domain controllers in the domain are running Windows
Server 2003.
What is site? A site is a collection of one or more well-connected
(usually a local area network) TCP/IP subnets. The network between
the subnets must be highly reliable and fast (512 Kbps and higher).
Although the sites are defined on the basis of location, they can be
spanned over more than one location. A site structure corresponds
to the physical environment, whereas a domain is the logical
environment of the network. A site can contain single or multiple
domains, and a domain can contain single or multiple sites. Sites
are created to physically group the computers and resources for
optimizing the network traffic. Administrators can configure Active
Directory access and replication technology to take advantage of
the physical network by configuring sites. When a user logs on to a
network, the authentication request searches for the domain
controllers in the same site where the user is located. A site
prevents the network traffic from traveling on wide area network
(WAN) links that are slow.
What is the DCDIAG tool? DCDIAG is an Active Directory troubleshooting tool. Domain
Controller Diagnostic (DCDIAG) is a command-line diagnostic tool that
analyzes the domain controllers in a forest and reports problems or
issues. The scope of this tool covers the functions of the domain
controllers and their interactions across an entire enterprise. The DCDIAG
tool is used to diagnose the domain controller status for the following
issues:
Connectivity
Replication
Integrity of topology
Permissions on directory partition heads
Permissions of users
Functionality of the domain controller locator
Consistency among domain controllers in the site
Verification of trusts
Diagnosis of replication latencies
Replication of trust objects
Verification of File Replication service
Verification of critical services
Note: DCDIAG is an analyzing tool, which is mostly used for the
reporting purposes. Although this tool allows specific tests to be run
individually, it is not intended as a general toolbox of commands for
performing specific tasks.
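DCDIAG is most useful when its output is checked automatically rather than read by eye. The following parser is an added example, not part of the original text or of the DCDIAG tool itself: it pulls the per-test "passed test" / "failed test" summary lines out of DCDIAG output and reports which tests failed on which domain controller. The sample output is constructed for the example and modelled on the shape of those summary lines; the server name DC01, the site name and the failing Services test are invented, as is the diagnostic line above the failure.

```python
import re

# Constructed sample, modelled on the per-test summary lines dcdiag prints
# ("......................... <server> passed|failed test <name>"). The server,
# site, failure and the diagnostic line before it are invented for this example.
SAMPLE_DCDIAG_OUTPUT = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: Services
         Invalid service status: a required service is stopped on DC01
         ......................... DC01 failed test Services
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FsmoCheck
         ......................... DC01 passed test FsmoCheck
"""

# A result line is a run of dots, the server name, "passed"/"failed", "test", the test name.
_RESULT = re.compile(
    r"\.{3,}\s+(?P<server>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\S+)"
)


def parse_dcdiag(text):
    """Extract (server, test, passed) tuples from dcdiag output, in report order."""
    results = []
    for line in text.splitlines():
        m = _RESULT.search(line)
        if m:
            results.append((m["server"], m["test"], m["result"] == "passed"))
    return results


def failed_tests(text):
    """Return the (server, test) pairs that failed; an empty list means a clean run."""
    return [(server, test) for server, test, ok in parse_dcdiag(text) if not ok]


def summarize(text):
    """Per-server pass/fail counts, the shape a scheduled health check would alert on."""
    summary = {}
    for server, _test, ok in parse_dcdiag(text):
        entry = summary.setdefault(server, {"passed": 0, "failed": 0})
        entry["passed" if ok else "failed"] += 1
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_DCDIAG_OUTPUT))
    print(failed_tests(SAMPLE_DCDIAG_OUTPUT))
```

In practice the text would come from running dcdiag and capturing its standard output; only the summary lines are matched, so extra diagnostic text between them does not disturb the result.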
What is NETDOM? NETDOM is a command-line tool that allows
management of Windows domains and trust relationships. It is used
for batch management of trusts, joining computers to domains,
verifying trusts, and resetting secure channels.
Windows 2003 system services? Windows Server 2003 comes
with many system services that have different functionalities in the
operating system. When Windows Server 2003 is first installed, the
default system services are created and are configured to run when
the system starts.
Example: Following are some important system services of Windows Server 2003:
Alerter
Automatic Updates
Cluster Service
DHCP
Distributed File System
DNS Client service
DNS Server service
Event Log service
Remote Installation
Remote Procedure Call (RPC)
Routing and Remote Access
What is a paging file? A paging file is a hidden file on the hard disk
used by Windows operating systems to hold parts of programs and
data that do not fit in the computer's memory. The paging file and
the physical memory, or random access memory (RAM), comprise
the virtual memory. Windows operating systems move data from the
paging file to the memory as required and move data from the
memory to the paging file to make room for new data. A paging file
is also known as a swap file.
What are authoritative and non-authoritative Active
Directory restores? There are two general methods of restoring
Active Directory from the backup media: authoritative and non-
authoritative.
Authoritative restore makes the computer authoritative over other
domain controllers. Data restored authoritatively in a computer takes
precedence over other domain controllers' data, despite the fact that
the restored data is older than the current replicas. Authoritative
restore is typically used to restore a system to a previously known
state. The NTDSUTIL command-line tool allows authoritatively
restoring the entire directory, a subtree, or individual objects,
provided they are leaf objects.
A non-authoritative restore results in the restored data (which may
be outdated) becoming synchronized with the data on other domain
controllers through replication.
What is ADPREP tool? The ADPREP tool is used to prepare
Windows 2000 domains and forests for an upgrade to
Windows Server 2003. It extends the schema, updates
default security descriptors of selected objects, and adds
new directory objects as required by some applications.
Syntax: ADPREP {/forestprep | /domainprep}
Parameter    Description
/forestprep  Prepares a Windows 2000 forest for an upgrade to a Windows Server 2003 forest.
/domainprep  Prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain.
/?           Displays help for the command.
To run ADPREP /forestprep, the administrator must be a member
of the Enterprise Admins group and the Schema Admins group in
Active Directory. The ADPREP /forestprep command must be run
on the schema master.
To run ADPREP /domainprep, the administrator must be a member
of the Domain Admins group or the Enterprise Admins group in
Active Directory. The ADPREP /domainprep command must be run
on each infrastructure master.
Which files are included in the System State data? Following
are the files included in the System State data:
Boot files, including the system files and all files protected by
Windows File Protection (WFP)
Active Directory (on domain controller only)
SYSVOL (on domain controller only)
Certificate Services (on certification authority only)
Cluster database (on cluster node only)
Registry
IIS metabase
Performance counter configuration information
Component Services Class registration database
What is RENDOM utility? RENDOM is a Windows 2003 utility used
to rename and restructure a domain in the forest. It can perform the
following tasks:
Change the DNS and NetBIOS names of the forest-root domain.
Change the DNS and NetBIOS names of any tree-root domain.
Change the DNS and NetBIOS names of the parent and child
domains.
Restructure a domain's position in the forest.
The utility is supplied by Microsoft and is placed in the
\Valueadd\Msft\Mgmt\Domren directory on the Windows Server 2003 CD-
ROM.
Note: Renaming a domain is a thorough multi-step process that
requires a detailed understanding of the operation. It affects every
domain controller in the forest.
What is volume shadow copy? The Windows Backup provides a
feature of taking a backup of files that are opened by a user or
system. This feature is known as volume shadow copy. Volume
shadow copy makes a duplicate copy of all files at the start of the
backup process. In this way, files that have changed during the
backup process are copied correctly. Volume shadow copy ensures
the following:
Applications continue to write data to the volume during a
backup
Backups are scheduled at any time without locking out users.
What are Performance Logs and Alerts? Performance Logs and
Alerts is an MMC snap-in that is used to establish performance
baselines, diagnose system problems, and anticipate increased
system resource demands. It is used to obtain useful data for
detecting system bottlenecks and changes in system performance.
The alerting functionality of this tool is extremely useful for
troubleshooting intermittent and difficult-to-reproduce problems. It
uses the same performance counters as the System Monitor for
capturing information to log files over a period of time. The prime
benefit of this tool is the ability to capture performance counter
information for further analysis. Performance Logs and Alerts runs
as a service and loads during computer startup. It does not require
a user to log on to a computer.
Network Interface Card A network interface card (NIC) is a
computer circuit board or card installed in a computer. It provides
a physical connection between a computer and the network.
Network interface cards provide a dedicated, full-time connection
to a network. Each network interface card has a unique Media
Access Control (MAC) address.
Media Access Control (MAC) address is a numerical identifier that
is unique for each network interface card (NIC). MAC addresses
are 48-bit values expressed as twelve hexadecimal digits, usually
divided into hyphen-separated pairs, for example, FF-00-F8-32-13-
19. MAC addresses are also referred to as hardware addresses,
Ethernet addresses, and universally administered addresses
(UAAs).
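The 48-bit structure described above is easy to check in code. The following is an added example, not part of the original text: it normalizes a MAC address written in any of the usual notations (hyphen-separated pairs as on the page, colon-separated pairs, dotted groups of four) to a 48-bit integer, renders it back in the page's hyphen-separated form, and reads the two flag bits in the first octet that distinguish a universally administered address (UAA) from a locally administered one and a unicast address from a multicast one. The sample addresses other than the page's own FF-00-F8-32-13-19 are constructed.

```python
import re

# Sample addresses for the example: the first is the page's own, the rest are constructed.
SAMPLE_MACS = [
    "FF-00-F8-32-13-19",   # hyphen-separated pairs, as on the page
    "00:1a:2b:3c:4d:5e",   # colon-separated pairs (Unix style)
    "001a.2b3c.4d5e",      # dotted groups of four (Cisco style)
    "02-00-00-00-00-01",   # constructed locally administered address
]

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text):
    """Normalize a MAC in hyphen, colon, dotted or bare form to a 48-bit integer."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit integer as twelve hex digits in hyphen-separated pairs."""
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC address must fit in 48 bits")
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text):
    """Canonical form plus the flag bits carried in the first octet."""
    value = parse_mac(text)
    first_octet = value >> 40
    canonical = format_mac(value)
    return {
        "canonical": canonical,
        # The first three octets are the OUI assigned to the manufacturer.
        "oui": canonical[:8],
        # Bit 1 of the first octet: 0 = universally administered (UAA), 1 = locally administered.
        "locally_administered": bool(first_octet & 0x02),
        # Bit 0 of the first octet: 0 = unicast, 1 = multicast (group) address.
        "multicast": bool(first_octet & 0x01),
        "broadcast": value == (1 << 48) - 1,
    }


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(describe_mac(mac))
```

Note that the page's illustrative FF-00-F8-32-13-19 has both flag bits set in its first octet, so the function reports it as a locally administered multicast address rather than a manufacturer-assigned unicast one; real NIC addresses have both bits clear.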
Hub A hub is a device used to link computers in a network. It
connects computers that have a common architecture, such as
Ethernet, ARCnet, FDDI, or Token Ring. All hub-computer
connections for a particular network use the same type of cable,
which can be twisted-pair, coaxial, or fiber-optic. Hubs are
generally used in star topology networks. Token Ring hubs are
also known as Multistation Access Units (MSAUs). A hub works on
the physical layer of the OSI model. Two types of hubs are
available as follows:
1. Active hub is a central device used to connect computers in a
star network. It regenerates and retransmits deteriorated signals
on the network.
2. Passive hub is a central device used to connect computers in a
star network. It receives information through one of its ports and
sends it to the computers connected to every other port.
Therefore, although the information is broadcasted to the
network, only the destination computer reads it. A passive hub
does not regenerate signals.
Repeater A repeater is a basic LAN connection device. It allows a network cabling system to extend beyond its maximum allowed length and reduces distortion by amplifying or regenerating network signals. Repeaters can also be used to connect network segments composed of different media, such as connecting a twisted pair cable segment to a fiber-optic cable segment. A repeater works at the physical layer of the OSI model.
Switch A switch is a network connectivity device that brings media segments together in a central location. It reads the destination's MAC address or hardware address from each incoming data packet and forwards the data packet to its destination. This reduces the network traffic. Switches operate at the data-link layer of the OSI model.
Router A router is a device that routes data packets between
computers in different networks. It is used to connect multiple networks, and it determines the path to be taken by each data packet to its destination computer. A router maintains a routing table of the available routes and their conditions. By using this information, along with distance and cost algorithms, the router determines the best path to be taken by the data packets to the destination computer. A router can connect dissimilar networks, such as Ethernet, FDDI, and Token Ring, and route data packets among them. Routers operate at the network layer (layer 3) of the Open Systems Interconnection (OSI) model.
Brouter A brouter is a combination of a bridge and a router. It is used to connect dissimilar network segments, and it routes only a specific transport protocol such as TCP/IP. A brouter also works as a bridge for all types of packets, passing them on as long as they are not local to the LAN segment from which they have originated.
Bridge A bridge is an interconnectivity device that connects two local area networks (LANs) or two segments of the same LAN using the same communication protocols and provides address filtering between them. Users can use this device to divide busy networks into segments and reduce network traffic. A bridge broadcasts data packets to all the possible destinations within a specific segment. Bridges operate at the data-link layer of the OSI model.
Gateway A gateway is a network interconnectivity device that translates different communication protocols and is used to connect dissimilar network technologies. It provides greater functionality than a router or bridge because a gateway functions both as a translator and a router. Gateways are slower than bridges and routers. A gateway is an application layer device.
Modem Modem stands for Modulator-Demodulator. It is a device that enables a computer to transmit information over standard telephone lines. Since a computer stores information digitally and a telephone line is analog, a modem converts digital signals to analog and vice versa. The conversion of a digital signal to analog is known as modulation and that of an analog signal to digital is known as demodulation.
Normal Backups When an administrator chooses to use a
normal backup, all selected files and folders are backed up and
the archive attribute of every file is cleared. A normal backup does
not use the archive attribute to determine which files to back up.
A normal backup is used as the first step of any backup plan. It is
used in combination with other backup types when planning an
organization's backup strategy. Normal backups are the most
time-consuming and resource-intensive. Restoration from a
normal backup is more efficient than from other types of backups.
Incremental Backups An incremental backup backs up files that
have been created or changed since the last normal or incremental
backup. It backs up files whose archive attribute is set. After
taking a backup, it clears the archive attribute of those files.
An incremental backup is the fastest backup process. Restoring
data from an incremental backup requires the last normal backup
and all subsequent incremental backups. Incremental backups
must be restored in the same order as they were created.
Note: If any media in the incremental backup set is damaged or
data becomes corrupt, the data backed up after corruption cannot
be restored.
Differential Backups Differential backup backs up files that are
created or changed since the last normal backup. It does not clear
the archive attribute of files after taking a backup. The restoration
of files from a differential backup is more efficient than an
incremental backup.
Copy Backups A copy backup copies all selected files and
folders. It neither uses nor clears the archive attribute of the files.
It is generally not a part of a planned scheduled backup.
Daily Backups A daily backup backs up all selected files and
folders that have changed during the day. It backs up data by
using the modified date of the files. It neither uses nor clears the
archive attribute of the files.
Combining backup types The easiest backup plan is to take a
normal backup every night. A normal backup every night ensures
that the data is restored from a single job the next day. Although
the restoration of data from a normal backup is easy, taking a
backup is time consuming. Hence, an administrator is required to
make an optimal backup plan. An administrator must consider the
following points before creating a backup plan:
The time involved in taking the backup.
The size of the backup job.
The time required to restore a system in the event of a system
failure.
The most common solutions for the needs of different organizations
include the combination of normal, differential, and incremental
backups.
Combination of Normal and Differential Backups An
administrator can use a combination of a normal backup and a
differential backup to save time both in taking a backup and in
restoring data. In this plan, a normal backup can be taken on
Sunday, and differential backups can be taken on Monday through
Friday every night. If data becomes corrupt at any time, only the normal
and the last differential backup need to be restored. Although this
combination is easier and takes less time for restoration, it takes
more time to take the backup if data changes frequently.
Combination of Normal and Incremental Backups A combination
of normal and incremental backups can be used to save more time when
taking backups. In this plan, a normal backup is taken on Sunday and
incremental backups on Monday through Friday every night. If data
becomes corrupt at any time, the normal backup and all incremental backups
taken since then need to be restored.
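The archive-attribute rules above decide both what each backup type captures and what must be restored later. The following simulation is an added example, not part of the original text or of Windows Backup: it models a small set of files with an archive attribute and a modification day, runs the five backup types with the selection and clearing behaviour described above, and derives the restore chain for the normal-plus-differential and normal-plus-incremental plans. The file names, the day numbering and the pattern of edits are constructed for the example; the chain logic deliberately refuses a history that mixes incremental and differential backups after the same normal backup, because that case is not described on the page.

```python
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True    # Windows sets the archive attribute when a file is created or changed
    modified_day: int = 0


@dataclass
class BackupSet:
    day: int
    kind: str
    files: list


def modify(files, name, day):
    """Simulate a user editing a file: archive bit set, modification date updated."""
    for f in files:
        if f.name == name:
            f.archive = True
            f.modified_day = day
            return
    raise KeyError(name)


def run_backup(kind, files, day):
    """Select files the way each backup type does, then clear archive bits where that type does."""
    if kind in ("normal", "copy"):
        selected = list(files)                                   # everything selected
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]               # archive attribute set
    elif kind == "daily":
        selected = [f for f in files if f.modified_day == day]   # modified today, bit ignored
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):                        # only these two clear the bit
        for f in selected:
            f.archive = False
    return BackupSet(day, kind, sorted(f.name for f in selected))


def simulate_week(plan):
    """Normal backup on day 0, then `plan` backups on days 1-3 over a constructed edit pattern."""
    files = [File("a"), File("b"), File("c")]
    history = [run_backup("normal", files, day=0)]
    edits = {1: ["a"], 2: ["b"], 3: ["a"]}   # constructed: which files change on which day
    for day in (1, 2, 3):
        for name in edits[day]:
            modify(files, name, day)
        history.append(run_backup(plan, files, day))
    return history


def restore_chain(history):
    """Backup sets needed to rebuild the data, in the order they must be restored."""
    normals = [i for i, b in enumerate(history) if b.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to start the restore from")
    base = normals[-1]
    later = [b for b in history[base + 1:] if b.kind in ("incremental", "differential")]
    kinds = {b.kind for b in later}
    if kinds == {"incremental", "differential"}:
        raise ValueError("mixed incremental/differential chains are not modelled here")
    if "incremental" in kinds:
        return [history[base]] + later          # every incremental, in creation order
    if "differential" in kinds:
        return [history[base], later[-1]]       # only the newest differential is needed
    return [history[base]]                      # copy and daily backups add nothing to the chain


if __name__ == "__main__":
    for plan in ("differential", "incremental", "daily", "copy"):
        history = simulate_week(plan)
        print(plan, [b.files for b in history], "->", [b.day for b in restore_chain(history)])
```

Running it shows the trade-off the page describes: the differential plan's sets grow through the week but the restore needs only two of them, while the incremental plan's sets stay small and the restore needs all four in order.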
Backing up a System State Data
System State Data System State data contains critical elements of
the Windows 2000 and Windows Server 2003 operating systems.
Following are the files included in the System State data:
Boot files, including the system files and all files protected by
Windows File Protection (WFP)
Active Directory (on domain controller only)
SYSVOL (on domain controller only)
Certificate Services (on certification authority only)
Cluster database (on cluster node only)
Registry
IIS metabase
Performance counter configuration information
Component Services Class registration database
What is Internet Security and Acceleration (ISA) Server
2000? Internet Security and Acceleration Server 2000 is a Microsoft
product that is used to provide powerful security and network
acceleration while accessing the Internet. It works as a firewall as
well as a Web cache server. It integrates with the Microsoft
Windows 2000 operating system for policy-based security,
acceleration, and management of internetworking.
Features of ISA Server
It provides an additional level of security.
It offers industry-leading Web cache performance.
It integrates with Microsoft Windows 2000.
It enables administrators to use bandwidth efficiently.
It provides increased manageability.
It provides enhanced usability.
It provides integrated services.
It provides increased extensibility.
It provides improved interoperability.
It provides enhanced scalability.
Site and Replication
What is a Site? A site is a collection of one or more well-
connected (usually a local area network) TCP/IP subnets. The
network between the subnets must be highly reliable and fast
(512 Kbps and higher). Although the sites are generally defined
on the basis of location, they can be spanned over more than one
location. A site structure corresponds to the physical
environment, whereas a domain is the logical environment of the
network. A site can contain single or multiple domains, and a
domain can contain single or multiple sites.
The sites are created to physically group the computers and
resources to optimize network traffic. Administrators can
configure Active Directory access and replication technology to
take advantage of the physical network by configuring sites.
When a user logs on to the network, the authentication request
searches for the domain controllers in the same site as the user.
A site prevents the network traffic from traveling on slow wide
area network (WAN) links.
What are Directory Tree, Directory Partition, and Replica?
Directory tree is a hierarchy of objects and containers of Active
Directory, which represents all the objects in the forest. Each
domain controller stores a copy of a specific part of the directory
tree, called a directory partition (sometimes called naming
context). The copy of the directory partition is called a replica. A
replica contains all attributes for each directory partition object.
Each domain controller in the forest stores a replica.
What is replication? Replication is a process through which the
changes made to a replica on one domain controller are
synchronized to replicas on all the other domain controllers in the
network. Each domain controller stores three types of replicas:
Schema partition: This partition stores definitions and
attributes of objects that can be created in the forest. The
changes made in this partition are replicated to all the domain
controllers in all the domains in the forest.
Configuration partition: This partition stores the logical
structure of the forest deployment. It includes the domain
structure and the replication topology. The changes made in this
partition are replicated to all the domain controllers in all the
domains in the forest.
Domain partition: This partition stores all the objects in a
domain. Changes made in this partition are replicated to all the
domain controllers within the domain.
Note: Windows Server 2003 supports a new type of directory partition
named Application directory partition. This partition is available only to
Windows 2003 domain controllers. The applications and services use
this partition to store application-specific data.
Creating, modifying, moving, or deleting an object triggers
replication between domain controllers. Replication is of two types:
Intrasite: An intrasite (within a site) replication mostly uses LAN
connections. As intrasite replication does not compress data, it
saves a computer's CPU time. In an intrasite replication, the
replication partners poll each other periodically and notify each
other when changes need to be replicated, and then pull the
information for processing. Active Directory uses a remote
procedure call (RPC) transport protocol for intrasite replication.
Intersite: As an intersite (between sites) replication uses WAN
connections, a large amount of data is compressed to save WAN
bandwidth. For the same reason, the replication partners do not
notify each other when changes need to be replicated. Instead,
administrators configure the replication schedule to update the
information. Active Directory uses an IP or SMTP protocol for
intersite replication.
For intrasite replication to take place, connection objects are required.
Active Directory automatically creates and deletes connection
objects as and when required. Connection objects can also be created
manually to force replication.
What are Site Links? Site links are logical, transitive connections
between two or more sites. For intersite replication to take place, site
links are required to be configured. Once a site link has been
configured, the knowledge consistency checker (KCC) then
automatically generates the replication topology by creating the
appropriate connection objects. Site links are used to determine the
paths between two sites. They must be created manually.
Site links are transitive in nature. For example, if Site 1 is linked with
Site 2 and Site 2 is linked with Site 3, then Site 1 and Site 3 are linked
transitively. The administrators can control transitivity of the site link.
By default, transitivity is enabled. Site link transitivity can be enabled
or disabled through a bridge.
What is Site Link Bridge? A site link bridge is created to build a
transitive and logical link between two sites that do not have an
explicit site link. The site link bridge is created only when the
transitivity of the site link is disabled.
What is Site Link Cost? Site link cost is an attribute of a site link.
Each site link has been assigned a default cost of 100. The knowledge
consistency checker (KCC) uses the site link cost to determine which
site links should be preferred for replication. It should be remembered
that the lower the site link cost, the more preferred is the link.
For example, an administrator has to configure the site link cost of
links between Site 1 and Site 2. There are two site links available as
shown in the image below:
S1S2 is a T1 site link that uses T1 lines for replication, whereas
S1S2DU uses a dial-up connection for replication. If the administrator
requires that the KCC should prefer the S1S2 site link to the S1S2DU
site link for replication, he will have to configure the S1S2 link with a
lower cost than that of the S1S2DU link. Any site link configured with
the site link cost of one (1) will always get preference over the other
site links with a higher cost.
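The KCC's choice among site links is a lowest-cost path problem, which is why the example above works by giving S1S2 a lower cost than S1S2DU. The following is an added example, not part of the original text and not the KCC's own algorithm: it computes the cheapest replication path between two sites over a small constructed topology that contains the page's S1S2 and S1S2DU links plus a third site reachable only through Site 2, and shows how the result changes when site link transitivity is disabled and a site link bridge is added. The site names, the three link costs and the bridge are assumptions made for the example.

```python
import heapq
from itertools import combinations

# Constructed topology for the example: the page's S1S2 (T1) and S1S2DU (dial-up)
# links between Site 1 and Site 2, plus a third site reachable only through Site 2.
SITE_LINKS = [
    # (site link name, sites in the link, cost)
    ("S1S2",   {"Site1", "Site2"}, 50),     # T1 line, given a low cost so the KCC prefers it
    ("S1S2DU", {"Site1", "Site2"}, 200),    # dial-up, given a high cost
    ("S2S3",   {"Site2", "Site3"}, 100),    # left at the default site link cost
]


def _adjacency(links):
    """Every pair of sites in a link is connected at that link's cost."""
    adj = {}
    for name, sites, cost in links:
        for a, b in combinations(sorted(sites), 2):
            adj.setdefault(a, []).append((b, cost, name))
            adj.setdefault(b, []).append((a, cost, name))
    return adj


def _cheapest(links, src, dst):
    """Dijkstra over the given site links; returns (total cost, [link names]) or None."""
    adj = _adjacency(links)
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w, name in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = (u, name)
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path, cur = [], dst
    while cur != src:
        cur, name = prev[cur]
        path.append(name)
    return dist[dst], path[::-1]


def preferred_path(links, src, dst, transitive=True, bridges=()):
    """Lowest-cost replication path between two sites.

    With transitivity enabled (the default) any site links may be chained.
    With it disabled, links may only be chained through a site link bridge
    (a set of link names); a single link is always usable on its own.
    """
    if src == dst:
        return 0, []
    if transitive:
        return _cheapest(links, src, dst)
    by_name = {link[0]: link for link in links}
    groups = [[link] for link in links] + [[by_name[n] for n in bridge] for bridge in bridges]
    candidates = [r for r in (_cheapest(g, src, dst) for g in groups) if r is not None]
    return min(candidates, key=lambda r: r[0]) if candidates else None


if __name__ == "__main__":
    print(preferred_path(SITE_LINKS, "Site1", "Site2"))
    print(preferred_path(SITE_LINKS, "Site1", "Site3"))
    print(preferred_path(SITE_LINKS, "Site1", "Site3", transitive=False))
    print(preferred_path(SITE_LINKS, "Site1", "Site3", transitive=False,
                         bridges=[{"S1S2", "S2S3"}]))
```

With transitivity on, Site 1 reaches Site 3 over S1S2 then S2S3 at a total cost of 150; with it off, Site 3 is unreachable until a bridge containing both links exists, which is the situation the site link bridge section that follows describes.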
What is Bridgehead Server? A bridgehead server is a domain
controller in each site that is used as the contact point to receive and
replicate data between sites. For intersite replication, the KCC designates
one of the domain controllers as the bridgehead server. If that
server is down, the KCC designates another domain controller in the
site. When a bridgehead server receives replication updates from
another site, it replicates the data to the other domain controllers
within its site.
What is Preferred Bridgehead Server? A preferred bridgehead
server is a domain controller in a site that an administrator has specified to
act as the bridgehead server. Administrators can specify more than one
preferred bridgehead server, but only one server is active at a time in
a site. A preferred bridgehead server is designated to take advantage
of a particular domain controller having the appropriate bandwidth to
transmit and receive information.
What is WLBS.EXE? WLBS.EXE is a command-line tool, which is
used as a Network Load Balancing control program. WLBS.EXE is
used to start, stop, and administer Network Load Balancing, as well
as to enable and disable ports and to query cluster status.
Note: WLBS.EXE cannot be used to change the registry parameters
of Network Load Balancing.
What is buffer overflow? A buffer overflow is a condition in which an
application receives more data than it is configured to accept. This
usually occurs due to programming errors in the application. A buffer
overflow can terminate or crash the application.
What is DMZ? A demilitarized zone (DMZ), or perimeter network, is a
small network that lies between the Internet and a private
network. It is the boundary between the Internet and an internal
network, usually a combination of firewalls and bastion hosts that
act as gateways between inside networks and outside networks. A DMZ
gives a large enterprise or corporate network the ability
to use the Internet while still maintaining its security.
What is Kerberos v5? Kerberos v5 is an authentication method
used by Windows operating systems to authenticate users and
network services. Windows 2000/2003 and XP clients and servers
use Kerberos v5 as the default authentication method. Kerberos has
replaced the NT LAN Manager (NTLM) authentication method, which
was less secure. Kerberos uses mutual authentication to verify both
the identity of the user and network services. The Kerberos
authentication process is transparent to the users.
Note: Kerberos v5 is not supported on Windows XP Home clients or
on any clients that are not members of an Active Directory domain.
What is Software Update Services (SUS)? Software Update
Services (SUS) is a tool used to acquire and distribute critical
Windows patches to computers running Windows operating systems.
Administrators use SUS to download and test the patches, and then
deploy the patches to the appropriate computers running the
Automatic Updates clients. SUS consists of three components:
1. Software Update Services (SUS) that runs on the server.
2. Automatic Updates (AU) that runs on client computers.
3. Group Policy settings that control AU clients from Active
Directory.
SUS does not support Microsoft Office or Microsoft BackOffice products.
It updates the operating systems (except Windows NT or Windows 9x),
Microsoft IIS, and Microsoft Internet Explorer (IE) only.
Which installation modes are available with ISA Server? The
following modes are available as a part of the ISA Server setup
process:
Firewall: In Firewall mode, network configuration can be secured
by configuring rules that control communication between a
corporate network and the Internet. In this mode, internal
servers can also be published to share data with Internet users.
Cache: In Cache mode, network performance can be improved
and bandwidth can be saved by storing commonly accessed
Internet objects locally. Requests can be routed from the Internet
users to an appropriate internal Web server.
Integrated: Integrated mode is a combination of Firewall and
Cache modes. It supports all the features available in the Firewall
and Cache modes of ISA Server.
Windows Server 2003 interview and certification questions
How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.
What do you do if earlier application doesn’t run on Windows Server 2003? When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting the previously supported operating system.
If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.
How do you get to Internet Firewall settings? Start –> Control Panel –> Network and Internet Connections –> Network Connections.
What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
What’s new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.
What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory?
o Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
o Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.
o Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
o 88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.
How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.
What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.
If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users? The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac? "Save password as encrypted clear text" must be selected on User Properties Account Tab Options, since the Macs only store their passwords that way.
What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback.
Where are the documents and settings for the roaming profile stored? All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
Where are the settings for all the users stored on a given machine? \Documents and Settings\All Users
What languages can you use for log-on scripts? JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
Windows Server 2003 Active Directory and Security questions
What’s the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
What is LSDOU? It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
Where are group policies stored? %SystemRoot%\System32\GroupPolicy
What is GPT and GPC? Group policy template and group policy container.
Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice Options is your friend.
What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
How frequently is the client policy refreshed? 90 minutes give or take.
Where is secedit? It’s now gpupdate.
You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
How do you fight tattooing in NT/2000 installations? You can’t.
How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.
Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.
For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission.
For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.
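The two rules above (a matching Deny is restrictive, matching Allows are permissive) combined in code, as an added example that is not part of the original Q&A. The group names, rights and the ACL are constructed sample data. Real NTFS evaluation additionally orders explicit entries before inherited ones; that refinement is left out here so the two stated rules stand alone.

```python
# Added example, not part of the original Q&A. It applies the two rules
# stated above: any matching Deny entry wins outright (restrictive), and one
# matching Allow entry is enough (permissive). ACL, groups and rights below
# are constructed sample data. Real NTFS also orders explicit ACEs before
# inherited ones; that refinement is omitted here.

# Each access control entry: (principal, "Allow" | "Deny", frozenset of rights)
SAMPLE_ACL = [
    ("Users",       "Allow", frozenset({"Read", "Execute"})),
    ("Finance",     "Allow", frozenset({"Read", "Write"})),
    ("Contractors", "Deny",  frozenset({"Write"})),
]


def has_access(user_groups, acl, right):
    """True if a user who belongs to `user_groups` may exercise `right`."""
    allowed = False
    for principal, kind, rights in acl:
        if principal not in user_groups or right not in rights:
            continue
        if kind == "Deny":
            return False        # restrictive: a matching Deny ends the evaluation
        allowed = True          # permissive: remember the Allow, keep looking for a Deny
    return allowed


def effective_rights(user_groups, acl):
    """The set of rights the user ends up with after all entries are combined."""
    all_rights = set().union(*(rights for _, _, rights in acl))
    return {r for r in all_rights if has_access(user_groups, acl, r)}


if __name__ == "__main__":
    employee = {"Users", "Finance"}
    contractor = {"Users", "Finance", "Contractors"}
    print("employee:  ", sorted(effective_rights(employee, SAMPLE_ACL)))
    print("contractor:", sorted(effective_rights(contractor, SAMPLE_ACL)))
```

The contractor is in the same Allow groups as the employee, but the single Deny on Write removes that right regardless of how many groups grant it.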
What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.
Can you use Start->Search with DFS shares? Yes.
What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.
Is Kerberos encryption symmetric or asymmetric? Symmetric.
How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp is attached to the initial client request, encrypted with the shared key.
What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.
If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.
Technical Interview Questions – Networking
What is an IP address?
An Internet Protocol address (IP address) is a numerical label that is assigned to devices participating in a computer network that uses the Internet Protocol for communication between its nodes. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."
What is a subnet mask? The word subnetwork (usually shortened to subnet) has two related meanings. In the older and more general meaning, it meant one physical network of an internetwork. In the Internet Protocol (IP), a subnetwork is a division of a classful network; this second meaning is the one used here. Subnetting an IP network allows a single large network to be broken down into what appear (logically) to be several smaller ones. It was originally introduced before the introduction of classful network numbers in IPv4, to allow a single site to have a number of local area networks. Even after the introduction of classful network numbers, subnetting continued to be useful, as it reduced the number of entries in the Internet-wide routing table (by hiding information about all the individual subnets inside a site). As a side benefit, it also resulted in reduced network overhead, by dividing the parts which receive IP broadcasts.
What is ARP? The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's link layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37.
What is ARP Cache Poisoning? ARP stands for Address Resolution Protocol. Every computer in a LAN has two identifiers: an IP address and a MAC address. The IP address is either entered by the user or dynamically allocated by a server, but the MAC address is unique to each Ethernet card. For example, if you have two Ethernet cards, one wired and one for WiFi, you have two MAC addresses on your machine. The MAC address is a hardware code for your Ethernet card. Communication between computers is done at the IP level, meaning that if you want to send a file to a computer, you need to know that computer's IP address. ARP is the protocol that matches every IP address with a certain MAC address in an ARP table that is saved on your switch in your LAN. ARP cache poisoning is changing this ARP table on the switch. In the normal case, when a machine tries to connect to another machine, the first machine goes to the ARP table with the other machine's IP address, the ARP table provides the MAC address of the other machine, and the communication starts. But if someone tampers with the table, the first machine goes to it with the IP address and the ARP table provides a faulty MAC address belonging to a third machine that wants to intrude on your communication. This kind of attack is known as "Man in the Middle".
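From the defender's side, the symptom of the tampering described above is one IP address being claimed by more than one MAC address, or the gateway's IP being claimed by a MAC other than the known one. The following detector, added here as an example and not part of the original Q&A, flags both conditions over a list of ARP replies. The replies and the trusted gateway binding are constructed sample data, not a real capture.

```python
# Added example (not part of the original Q&A): flag IP-to-MAC conflicts in a
# stream of ARP replies, the symptom a defender looks for when suspecting
# ARP cache poisoning. The ARP replies below are constructed sample data.
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs as seen in ARP replies.
# 192.0.2.1 is the gateway; the last reply claims it from a second MAC.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.10", "00:11:22:33:44:10"),
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.1", "DE:AD:BE:EF:00:99"),
]


def build_arp_view(replies):
    """Map each IP to the set of MACs that have claimed it (MACs normalised to lower case)."""
    view = defaultdict(set)
    for ip, mac in replies:
        view[ip].add(mac.lower())
    return view


def find_conflicts(replies):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC."""
    view = build_arp_view(replies)
    return {ip: sorted(macs) for ip, macs in view.items() if len(macs) > 1}


def check_static_bindings(replies, trusted):
    """Compare observed claims against a trusted IP -> MAC table (typically the gateway).
    Returns a list of (ip, unexpected_mac) pairs, in the order they were seen."""
    alerts = []
    for ip, mac in replies:
        expected = trusted.get(ip)
        if expected is not None and mac.lower() != expected.lower():
            alerts.append((ip, mac.lower()))
    return alerts


if __name__ == "__main__":
    trusted_gateway = {"192.0.2.1": "00:11:22:33:44:01"}   # constructed binding
    print("conflicts:     ", find_conflicts(SAMPLE_ARP_REPLIES))
    print("gateway alerts:", check_static_bindings(SAMPLE_ARP_REPLIES, trusted_gateway))
```

The conflict check needs no prior knowledge and catches any IP with two claimants; the static-binding check is stricter and is the one to run for the gateway, since a spoofed gateway MAC is the usual aim of the attack described above.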
What is the ANDing process? In order to determine whether a destination host is local or remote, a computer will perform a simple mathematical computation referred to as an AND operation. While the sending host does this operation internally, understanding what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host or to a router.
What is a default gateway? What happens if I don't have one? A gateway is a routing device that knows how to pass traffic between different subnets and networks. A computer will know some routes (a route is the address of each node a packet must go through on the Internet to reach a specific destination), but not the routes to every address on the Internet. It won’t even know all the routes on the nearest subnets. A gateway will not have this information either, but will at least know the addresses of other gateways it can hand the traffic off to. Your default gateway is on the same subnet as your computer, and is the gateway your computer relies on when it doesn’t know how to route traffic. The default gateway is typically very similar to your IP address, in that many of the numbers may be the same. However, the default gateway is not your IP address. To see what default gateway you are using, follow the steps below for your operating system.
Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway? If we are using a public IP address, we can browse the internet. If it has an intranet address, a gateway (a router or firewall) is needed to communicate with the internet. Without a default gateway you cannot browse the internet. It doesn't matter if you are on a public or private network. The default gateway is required to route your IP packets from your network to other networks.
What is a subnet? Why do I care?
A subnet specifies a range of IP addresses. The special attribute of a subnet is that all the computers within the subnet (a "sub-network") can talk directly to each other, and don't need a router to communicate.
When it's time to send a packet, your computer delivers a packet a) directly to the destination computer or b) sends it to the router for ultimate delivery.
But how does your computer know whether the packet's destination is within its subnet? The answer is that your computer uses the subnet mask to determine the members of the subnet. If your computer's address and the destination computer's IP address are in the same subnet address range, then they can send packets directly to each other. If they're not in the same range, then they must send their data through a router for delivery. The chart below associates the number of IP addresses in a subnet to the subnet mask. For example, the subnet mask "255.255.255.0" represents 254 consecutive IP addresses.
Prefix  Subnet Mask      # of Addresses          Prefix  Subnet Mask      # of Addresses
/1      128.0.0.0        2.1 billion             /17     255.255.128.0    32,766
/2      192.0.0.0        1 billion               /18     255.255.192.0    16,382
/3      224.0.0.0        536 million             /19     255.255.224.0    8,190
/4      240.0.0.0        268 million             /20     255.255.240.0    4,094
/5      248.0.0.0        134 million             /21     255.255.248.0    2,046
/6      252.0.0.0        67 million              /22     255.255.252.0    1,022
/7      254.0.0.0        34 million              /23     255.255.254.0    510
/8      255.0.0.0        17 million (Class A)    /24     255.255.255.0    254 (Class C)
/9      255.128.0.0      8.4 million             /25     255.255.255.128  126
/10     255.192.0.0      4.2 million             /26     255.255.255.192  62
/11     255.224.0.0      2.1 million             /27     255.255.255.224  30
/12     255.240.0.0      1 million               /28     255.255.255.240  14
/13     255.248.0.0      524 thousand            /29     255.255.255.248  6
/14     255.252.0.0      262 thousand            /30     255.255.255.252  2
/15     255.254.0.0      131 thousand            /31     255.255.255.254  RFC 3021
/16     255.255.0.0      65,534 (Class B)        /32     255.255.255.255  A single address
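The ANDing process and the chart above, carried out in code as an added example that is not part of the original Q&A. It derives the mask and usable address count for any prefix length (generalising the chart rather than copying it), ANDs two addresses with the mask to decide local versus remote, and picks the next hop accordingly. The host, gateway and destination addresses are constructed sample values.

```python
# Added example, not from the original Q&A. It performs the AND operation the
# text describes with plain integer arithmetic so the bit-level step is
# visible, and reproduces the prefix -> mask -> usable-address relationship
# from the chart for any prefix length. Addresses used below are constructed.
import ipaddress


def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def prefix_to_mask(prefix):
    """Prefix length (e.g. 24) -> dotted-quad mask (e.g. 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top `prefix` bits set
    return str(ipaddress.IPv4Address(mask_int))


def usable_addresses(prefix):
    """Host addresses usable in a subnet of this prefix length, following the chart:
    network and broadcast removed for /30 and shorter, 2 for /31 (RFC 3021), 1 for /32."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def same_subnet(local_ip, mask, remote_ip):
    """The ANDing process: AND both addresses with the mask and compare the results."""
    m = ip_to_int(mask)
    return (ip_to_int(local_ip) & m) == (ip_to_int(remote_ip) & m)


def next_hop(local_ip, mask, gateway, dest_ip):
    """Deliver directly when the destination is local, else hand it to the default gateway."""
    return dest_ip if same_subnet(local_ip, mask, dest_ip) else gateway


if __name__ == "__main__":
    for p in (8, 16, 24, 27, 30, 31, 32):
        print(f"/{p:<2} {prefix_to_mask(p):<16} {usable_addresses(p)}")
    # Constructed host 192.0.2.10/24 with default gateway 192.0.2.1
    print(next_hop("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.77"))     # direct
    print(next_hop("192.0.2.10", "255.255.255.0", "192.0.2.1", "198.51.100.5"))   # via gateway
```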
What is APIPA? Zero configuration networking (zeroconf) is a set of techniques that automatically creates a usable Internet Protocol (IP) network without manual operator intervention or special configuration servers. Automatic Private IP Addressing: a safety mechanism in dynamic host client processing to assign IP addresses within a given range when the main DHCP mechanism fails.
APIPA, also known as Automatic Private IP Addressing, is a feature used in Windows operating systems. It comes into action only when DHCP (Dynamic Host Configuration Protocol) servers are available. When the DHCP client first comes on, it will try to establish a connection with the DHCP server in order to get an IP address. It is when this server is (or at a later point becomes) unavailable, that APIPA will kick in.
As the client is unable to connect with the server, APIPA will automatically try to configure itself with an IP address from a specially reserved range. (This reserved IP address range goes from 169.254.0.0 to 169.254.255.255).
What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them). A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be submitted by anyone. Eventually, if it gains enough interest, it may evolve into an Internet Standard. Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.
What is RFC 1918? RFC 1918 is Address Allocation for Private Internets. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255 (10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), 192.168.0.0 - 192.168.255.255 (192.168/16 prefix). We will refer to the first block as the "24-bit block", the second as the "20-bit block", and the third as the "16-bit block". Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers.
What is CIDR? CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly increased. CIDR is now the routing system used by virtually all gateway hosts on the Internet's backbone network. The Internet's regulating authorities now expect every Internet service provider (ISP) to use it for routing.
The original Internet Protocol defines IP addresses in four major classes of address structure, Classes A through D. Each of these classes allocates one portion of the 32-bit Internet address format to a network address and the remaining portion to the specific host machines within the network specified by the address. One of the most commonly used classes is (or was) Class B, which allocates space for up to 65,533 host addresses. A company who needed more than 254 host machines but far fewer than the 65,533 host addresses possible would essentially be "wasting" most of the block of addresses allocated. For this reason, the Internet was, until the arrival of CIDR, running out of address space much more quickly than necessary. CIDR effectively solved the problem by providing a new and more flexible way to specify network addresses in routers. (With a new version of the Internet Protocol - IPv6 - a 128-bit address is possible, greatly expanding the number of possible addresses on the Internet. However, it will be some time before IPv6 is in widespread use.)
Using CIDR, each IP address has a network prefix that identifies either an aggregation of network gateways or an individual gateway. The length of the network prefix is also specified as part of the IP address and varies depending on the number of bits that are needed (rather than any arbitrary class assignment structure). A destination IP address or route that describes many possible destinations has a shorter prefix and is said to be less specific. A longer prefix describes a destination gateway more specifically. Routers are required to use the most specific or longest network prefix in the routing table when forwarding packets.
A CIDR network address looks like this:
192.30.250.00/18. The "192.30.250.00" is the network address itself and the "18" says that the first 18 bits are the network part of the address, leaving the last 14 bits for specific host addresses. CIDR lets one routing table entry represent an aggregation of networks that exist in the forward path that don't need to be specified on that particular gateway, much as the public telephone system uses area codes to channel calls toward a certain part of the network. This aggregation of networks in a single address is sometimes referred to as a supernet. CIDR is supported by the Border Gateway Protocol, the prevailing exterior (interdomain) gateway protocol. (The older exterior or interdomain gateway protocols, Exterior Gateway Protocol and Routing Information Protocol, do not support CIDR.) CIDR is also supported by the OSPF interior or intradomain gateway protocol.
You have the following Network ID: 192.115.103.64/27. What is the IP range for your network? It ranges from 192.115.103.64 - 192.115.103.96, but the usable addresses are from 192.115.103.64 - 192.115.103.94. 192.115.103.95 is the broadcast address and 192.115.103.96 will be the IP address of the next range. We can use 30 hosts in this network.
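The CIDR facts used in the questions above (network part, host bits, broadcast, usable range, next network) computed for any IPv4 prefix, plus the longest-prefix rule that routers apply when several entries match. This is an added example, not part of the original Q&A; the route table and next-hop names in it are constructed, and the 192.30.250.0/18 example is the CIDR address from the explanation above written without the leading zero that Python's ipaddress module rejects.

```python
# Added example (not from the original Q&A). It derives, from any IPv4 CIDR
# network ID, the facts the questions above ask for, and implements the
# longest-prefix rule routers must follow. Routes and next hops are constructed.
import ipaddress


def describe_cidr(cidr):
    """Network, mask, broadcast, usable host range and host count for an IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False tolerates host bits set
    if net.prefixlen <= 30:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2                # drop network and broadcast
    else:
        # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    at_top = int(net.broadcast_address) == 0xFFFFFFFF   # nothing follows 255.255.255.255
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "host_bits": 32 - net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_hosts": usable,
        "next_network": None if at_top else str(net.broadcast_address + 1),
    }


def longest_prefix_match(routes, dest):
    """Pick the most specific route (longest prefix) containing dest.
    routes: iterable of (cidr, next_hop). Returns next_hop, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best_len, best_hop = -1, None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


# Constructed route table: a default route, an aggregate /24 and a more specific /27
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "default-gw"),
    ("192.115.103.0/24", "router-1"),
    ("192.115.103.64/27", "router-2"),
]


if __name__ == "__main__":
    for cidr in ("192.115.103.64/27", "192.30.250.0/18"):
        print(cidr, describe_cidr(cidr))
    for dest in ("192.115.103.70", "192.115.103.200", "8.8.8.8"):
        print(dest, "->", longest_prefix_match(SAMPLE_ROUTES, dest))
```

For 192.115.103.64/27 the function reports the .95 broadcast and 30 usable hosts stated in the answer above, with .65 to .94 as the usable range.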
You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use? The subnet mask is 255.255.252.0; we can create 4 subnets and connect at least 500 hosts per network.
You need to view network traffic. What will you use? Name a few tools. It depends what type of traffic I want to monitor and the network design. I really liked using Fluke Networks OptiView Network Analyzer. For software, though, I would say Wireshark, sitrace, Iris Network Traffic Analyzer, Airsnare, Packetcapsa. Backtrack (a Linux live CD) has tons of different applications that you can use to monitor and view network traffic.
How do I know the path that a packet takes to the destination? Use the "tracert" command-line tool.
What is DHCP? What are the benefits and drawbacks of using it?
Benefits:
1. DHCP minimizes configuration errors caused by manual IP address configuration.
2. Reduced network administration.
Disadvantage:
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
Describe the steps taken by the client and DHCP server in order to obtain an IP address. At least one DHCP server must exist on a network. Once the DHCP server software is installed, you create a DHCP scope, which is a pool of IP addresses that the server manages. When clients log on, they request an IP address from the server, and the server provides an IP address from its pool of available addresses. DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol, October 1993) but the most recent update is RFC 2131 (Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host Configuration (dhc) Working Group is chartered to produce a protocol for automated allocation, configuration, and management of IP addresses and TCP/IP protocol stack parameters.
What is the DHCPNACK and when do I get one? Name 2 scenarios. Recently I saw a lot of queries regarding when the Microsoft DHCP server issues a NAK to DHCP clients. For simplification purposes, I am listing down the possible scenarios in which the server should NOT issue a NAK. This should give you a good understanding of DHCP NAK behavior.
When a DHCP server receives a DHCPRequest with a previously assigned address specified, it first checks to see if it came from the local segment by checking the GIADDR field. If it originated from the local segment, the DHCP server compares the requested address to the IP address and subnet mask belonging to the local interface that received the request.
DHCP server will issue a NAK to the client ONLY IF it is sure that the client, "on the local subnet", is asking for an address that doesn't exist on that subnet.
The server will send a NAK EXCEPT in the following scenarios:
1. Requested address from possibly the same subnet but not in the address pool of the server:
This can be the failover scenario in which 2 DHCP servers are serving the same subnet so that when one goes down, the other should not NAK to clients which got an IP from the first server.
2. Requested address on a different subnet: If the address is from the same superscope to which the subnet belongs, the DHCP server will ACK the REQUEST.
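The decision described above (locate the client via GIADDR, ACK, stay silent, or NAK) as an added example. It is a model of the rules stated in this answer, not Microsoft's DHCP server code; the scopes, address pools, superscope and sample requests are constructed, and the "IGNORE" outcome is this example's name for the cases where the text says the server should not NAK.

```python
# Added example (not from the original Q&A and not Microsoft's DHCP server
# code): a model of the ACK / no-NAK / NAK decision described above for a
# DHCPREQUEST that renews a previously assigned address. Scopes, pools, the
# superscope and the sample requests are constructed.
import ipaddress

GIADDR_NONE = "0.0.0.0"   # giaddr is zero when the request arrived on the local segment


def _pool_contains(pool, ip):
    lo, hi = (int(ipaddress.ip_address(p)) for p in pool)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


def _scope_for(ip, scopes):
    """CIDR of the configured scope whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in scopes:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def _same_superscope(cidr_a, cidr_b, superscopes):
    return any(cidr_a in group and cidr_b in group for group in superscopes)


def dhcp_request_decision(requested_ip, giaddr, receiving_iface_cidr, scopes, superscopes):
    """scopes: {cidr: (pool_start, pool_end)} served by this server.
    superscopes: list of sets of cidrs that are administratively grouped.
    Returns "ACK", "NAK" or "IGNORE" (the text's "should NOT issue a NAK" cases)."""
    # 1. Where is the client? Local segment -> receiving interface's subnet; relayed -> giaddr's subnet.
    if giaddr == GIADDR_NONE:
        client_cidr = receiving_iface_cidr
    else:
        client_cidr = _scope_for(giaddr, scopes)
        if client_cidr is None:
            return "IGNORE"           # relayed from a subnet this server knows nothing about
    client_net = ipaddress.ip_network(client_cidr)

    # 2. Requested address on the client's own subnet?
    if ipaddress.ip_address(requested_ip) in client_net:
        pool = scopes.get(client_cidr)
        if pool is not None and _pool_contains(pool, requested_ip):
            return "ACK"
        return "IGNORE"               # scenario 1: another server on that subnet may own it

    # 3. Different subnet: ACK only if it sits in a scope of the same superscope (scenario 2).
    other_cidr = _scope_for(requested_ip, scopes)
    if (other_cidr is not None
            and _same_superscope(client_cidr, other_cidr, superscopes)
            and _pool_contains(scopes[other_cidr], requested_ip)):
        return "ACK"
    return "NAK"                      # sure the address cannot exist where the client sits


# Constructed server configuration: two scopes joined in one superscope
SCOPES = {
    "192.0.2.0/24":    ("192.0.2.100", "192.0.2.200"),
    "198.51.100.0/24": ("198.51.100.10", "198.51.100.50"),
}
SUPERSCOPES = [{"192.0.2.0/24", "198.51.100.0/24"}]


if __name__ == "__main__":
    iface = "192.0.2.0/24"
    for req, gi in [("192.0.2.150", GIADDR_NONE), ("192.0.2.20", GIADDR_NONE),
                    ("198.51.100.20", GIADDR_NONE), ("203.0.113.5", GIADDR_NONE),
                    ("198.51.100.20", "198.51.100.1")]:
        print(req, gi, "->", dhcp_request_decision(req, gi, iface, SCOPES, SUPERSCOPES))
```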
What ports are used by DHCP and the DHCP clients? Requests are on UDP port 68, Server replies on UDP 67 double check. These are reversed.
Describe the process of installing a DHCP server in an AD infrastructure.
Terms you'll need to understand: DHCP, lease duration, scopes, superscopes, multicast scopes, scope options.
Techniques you'll need to master: installing DHCP; understanding the DHCP lease process; creating scopes, superscopes, and multicast scopes; configuring the lease duration; configuring optional IP parameters that can be assigned to DHCP clients; understanding how DHCP interacts with DNS; configuring DHCP for DNS integration; authorizing a DHCP server in Active Directory; managing a DHCP server; monitoring a DHCP server.
Introduction
The TCP/IP protocol is an Active Directory operational requirement. This means that all computers on a Windows 2000 network require a unique IP address to communicate with the Active Directory. Static IP addresses can add a lot of administrative overhead. Not only can management of static IP addresses become time consuming, but such management also increases the chances of misconfigured parameters. Imagine having to manually type 10,000 IP addresses and not make a single error. The Dynamic Host Configuration Protocol (DHCP) can be implemented to centralize the administration of IP addresses. Through DHCP, many of the tasks associated with IP addressing can be automated. However, implementing DHCP also introduces some security issues because anyone with physical access to the network can plug in a laptop and obtain IP information about the internal network.
In this chapter, you'll learn how to implement a DHCP server, including the installation process, authorization of the server, and the configuration of DHCP scopes. The chapter ends by looking at how to manage a DHCP server and monitor its performance.
What is DHCPINFORM? DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded.
The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.
Describe the integration between DHCP and DNS. Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs.
This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.
Windows Server 2003 DNS supports DHCP by means of the dynamic update of DNS zones. By integrating DHCP and DNS in a DNS deployment, you can provide your network resources with dynamic addressing information stored in DNS. To enable this integration, you can use the Windows Server 2003 DHCP service. The dynamic update standard, specified in RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE), automatically updates DNS records. Both Windows Server 2003 and Windows 2000 support dynamic update, and both clients and DHCP servers can send dynamic updates when their IP addresses change.
Dynamic update enables a DHCP server to register address (A) and pointer (PTR) resource records on behalf of a DHCP client by using the DHCP Client FQDN option (option 81). Option 81 enables the DHCP client to provide its FQDN to the DHCP server. The DHCP client also provides instructions to the DHCP server describing how to process DNS dynamic updates on behalf of the DHCP client. The DHCP server can also dynamically update DNS A and PTR records on behalf of DHCP clients that are not capable of sending option 81 to the DHCP server. You can also configure the DHCP server to discard client A and PTR records when the DHCP client lease is deleted. This reduces the time needed to manage these records manually and provides support for DHCP clients that cannot perform dynamic updates. In addition, dynamic update simplifies the setup of Active Directory by enabling domain controllers to dynamically register SRV resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs one of the following actions:
• The DHCP server updates resource records at the request of the client: the client asks the DHCP server to update the DNS PTR record on its behalf, and the client registers its own A record.
• The DHCP server updates DNS A and PTR records regardless of whether the client requests this action or not.
By itself, dynamic update is not secure, because any client can modify DNS records. To secure dynamic updates, you can use the secure dynamic update feature provided in Windows Server 2003. To delete outdated records, you can use the DNS server aging and scavenging feature.
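An added example (not from the original text and not Microsoft's code) that decodes the Client FQDN option (option 81) described above and applies the server's update choice: the option layout and the S/O/E/N flag bits follow RFC 4702, while the `always_update` and `update_legacy_clients` parameters are my own representation of the DHCP server's DNS update settings, not a product API.

```python
"""DHCP Client FQDN option (option 81): decode, encode, and decide which
DNS records the DHCP server registers on the client's behalf.

Added example, not the page's or Microsoft's code.  Layout per RFC 4702:
one flags byte, two RCODE bytes, then the name (ASCII, or DNS wire format
when the E flag is set).
"""
from typing import Optional, Tuple

FLAG_S = 0x01   # client asks the server to register the A record as well
FLAG_O = 0x02   # server overrode the client's S wish (set in replies)
FLAG_E = 0x04   # name is in DNS wire format rather than ASCII
FLAG_N = 0x08   # client asks the server to perform no DNS updates at all


def _decode_wire_name(data: bytes) -> str:
    """Uncompressed wire-format labels -> dotted name."""
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            break
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


def _encode_wire_name(fqdn: str) -> bytes:
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_fqdn_option(value: bytes) -> dict:
    """Parse the option value (everything after the code/length bytes)."""
    if len(value) < 3:
        raise ValueError("option 81 needs flags plus two RCODE bytes")
    flags = value[0]
    encoded = bool(flags & FLAG_E)
    name = _decode_wire_name(value[3:]) if encoded else value[3:].decode("ascii")
    return {
        "S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
        "E": encoded, "N": bool(flags & FLAG_N),
        "rcode1": value[1], "rcode2": value[2],
        "fqdn": name.rstrip("."),
    }


def encode_fqdn_option(fqdn: str, s: bool = False, n: bool = False,
                       e: bool = True) -> bytes:
    """Build the option value a client would send (RCODEs are zero)."""
    flags = (FLAG_S if s else 0) | (FLAG_N if n else 0) | (FLAG_E if e else 0)
    name = _encode_wire_name(fqdn) if e else fqdn.encode("ascii")
    return bytes([flags, 0, 0]) + name


def server_updates(opt: Optional[dict], always_update: bool = False,
                   update_legacy_clients: bool = True) -> Tuple[str, ...]:
    """Which records the DHCP server registers on the client's behalf.

    opt is None when the client sent no option 81 (a client that cannot
    request dynamic updates); the server then registers both records if
    it is configured to do so for such clients.  The two keyword flags are
    my own model of the server's update settings.
    """
    if opt is None:
        return ("A", "PTR") if update_legacy_clients else ()
    if always_update:        # "always update" ignores the client's instructions
        return ("A", "PTR")
    if opt["N"]:
        return ()
    # Default: the client registers A itself and asks the server for PTR
    # only, unless it set S to hand both registrations to the server.
    return ("A", "PTR") if opt["S"] else ("PTR",)
```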
What options in DHCP do you regularly use for an MS network?
Automatically provided: IP address, subnet mask, DNS server, domain name, default gateway (router).
What are User Classes and Vendor Classes in DHCP? Microsoft Vendor Classes
How do I configure a client machine to use a specific User Class? The command to configure a client machine to use a specific user class is
ipconfig /setclassid "<Name of your Network card>" <Name of the class you created on DHCP and you want to join (Name is case sensitive)>
Eg:
ipconfig /setclassid "Local Area Network" Accounting
What is the BOOTP protocol used for, where might you find it in Windows network infrastructure? BootP (RFC 951) provides a unique IP address to the requester (using port 67), similar to the DHCP request on port 68, AND can provide (where supported) the ability to boot a system without a hard drive (i.e. a diskless client).
Apple OS X 10.* Server supports BootP, albeit renamed as NetBoot. The facility allows the Admin to maintain a selected set of configurations as boot images and then assign sets of client systems to share (or boot from) that image. For example, the Accounting, Management, and Engineering departments have elements in common, but each can be unique from the other departments. Performing upgrades and maintenance on three images is far more productive than working on all client systems individually.
Startup is obviously network intensive, and beyond 40-50 clients the Admin needs to carefully subnet the infrastructure, use gigabit switches, and host the images local to the clients to avoid saturating the network. This will expand the number of BootP servers and multiply the number of images, but the productivity of 1 BootP server per 50 clients is undeniable :)
Sun Microsystems, Linux, and AIX (RS/6000) all support BootP.
To date, Windows does not support booting "diskless clients".
DNS zones – describe the differences between the 4 types. A DNS zone is the actual file which contains all the records for a specific domain.
i) Forward Lookup Zones: this zone is responsible for resolving host names to IP addresses.
ii) Reverse Lookup Zones: this zone is responsible for resolving IP addresses to host names.
iii) Stub Zone: a stub zone is a read-only copy of a primary zone, but it contains only 3 kinds of record, namely the SOA for the primary zone, the NS records, and the Host (A) records for those name servers.
DNS record types – describe the most important ones.
A (Host): Classic resource record. Maps a hostname to an IP (IPv4) address.
PTR: Maps an IP address to a hostname (the reverse of A (Host)).
AAAA: Maps a hostname to an IP (IPv6) address.
CNAME: Canonical name, in plain English an alias, such as Web Server, FTP Server, Chat Server.
NS: Identifies DNS name servers. Important for forwarders.
MX: Mail servers, particularly for other domains. MX records are required to deliver Internet email.
SRV: Required for Active Directory. A whole family of underscore service records, for example _gc = global catalog.
SOA: Make a point of finding the Start of Authority (SOA) tab at the DNS server.
SRV records: An SRV or Service Record is a category of data in the DNS specifying information on available services. When looking up a service, the client must first look up the SRV record for the service to see which server actually handles it. It then looks up the Address (A) record for that server to connect to its IP address.
Authoritative Name Server (NS) record: A zone should contain one NS record for each of its own DNS servers (primary and secondary). This is mostly used for zone transfer purposes (notify). These NS records have the same name as the zone in which they are located.
SOA: This record is used while synchronising data between multiple computers. A given zone must have precisely one SOA record, which contains:
• Name of the Primary DNS Server.
• Mailbox of the Responsible Person.
• Serial Number: used by secondary DNS servers to check if the zone has changed. If the serial number is higher than what the secondary server has, a zone transfer will be initiated.
• Refresh Interval: how often secondary DNS servers should check if changes are made to the zone.
• Retry Interval: how often a secondary DNS server should retry checking if changes are made, if the first refresh fails.
• Expire Interval: how long the zone will be valid after a refresh. Secondary servers will discard the zone if no refresh could be made within this interval.
• Minimum (Default) TTL: used as the default TTL for new records created within the zone. Also used by other DNS servers to cache negative responses (such as "record does not exist").
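An added example (mine, not from the original Q&A or any DNS server's code) of how a secondary server consumes those SOA fields: the "higher serial" test uses RFC 1982 sequence-space arithmetic, and the refresh/retry/expire schedule is a simplified model with constructed timer values.

```python
"""How a secondary DNS server acts on the SOA serial, refresh, retry and
expire fields.

Added example, not from the original Q&A.  serial_newer() is RFC 1982
serial-number arithmetic, so a serial that wrapped past 2^32 - 1 still
counts as higher; SecondaryZone.check() is a simplified scheduling model.
"""
from dataclasses import dataclass
from typing import Optional

SERIAL_SPACE = 2 ** 32


def serial_newer(candidate: int, current: int) -> bool:
    """True if 'candidate' is ahead of 'current' by less than 2^31 (RFC 1982)."""
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < 2 ** 31


@dataclass
class Soa:
    serial: int
    refresh: int   # seconds between checks of the primary's serial
    retry: int     # seconds before retrying after a failed check
    expire: int    # seconds without a successful check before the zone is dropped
    minimum: int   # default TTL / negative-caching TTL


@dataclass
class SecondaryZone:
    soa: Soa
    last_success: int    # time of the last successful refresh or transfer
    next_due: int        # time of the next scheduled check
    valid: bool = True   # False once the zone has expired

    def check(self, now: int, primary_serial: Optional[int]) -> str:
        """Run one scheduled check.  primary_serial is None when the
        primary could not be reached.  Returns what happened."""
        if now - self.last_success >= self.soa.expire:
            # No successful refresh within the expire interval: discard the
            # zone and stop answering for it.
            self.valid = False
            return "expired"
        if primary_serial is None:
            self.next_due = now + self.soa.retry          # retry interval
            return "retry"
        if serial_newer(primary_serial, self.soa.serial):
            # Primary's serial is higher: pull the zone and adopt its serial.
            self.soa.serial = primary_serial
            self.last_success = now
            self.next_due = now + self.soa.refresh
            return "transfer"
        self.last_success = now                           # refresh succeeded
        self.next_due = now + self.soa.refresh
        return "no-change"


def demo_secondary() -> SecondaryZone:
    """Constructed sample: a zone transferred at t=0 with typical timers."""
    return SecondaryZone(Soa(serial=2024010101, refresh=3600, retry=600,
                             expire=86400, minimum=300),
                         last_success=0, next_due=3600)
```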
Describe the process of working with an external domain name
Serving Sites with External Domain Name Servers
If you host Web sites on this server and have a standalone DNS server acting as a primary (master) name server for your sites, you may want to set up your control panel's DNS server to function as a secondary (slave) name server.
To make the control panel's DNS server act as a secondary name server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode.
3. Specify the IP address of the primary (master) DNS server.
4. Click Add.
5. Repeat these steps for each Web site that needs to have a secondary name server on this machine.
To make the control panel's DNS server act as a primary for a zone:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode. The original resource records for the zone will be restored.
If you host Web sites on this server and rely entirely on other machines to perform the Domain Name Service for your sites (there are two external name servers, a primary and a secondary), switch off the control panel's DNS service for each site served by external name servers.
To switch off the control panel's DNS service for a site served by an external name server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch Off the DNS Service in the Tools group. Turning the DNS service off for the zone will refresh the screen, so that only a list of name servers remains.
Note: The listed name server records have no effect on the system. They are only presented on the screen as clickable links to give you a chance to validate the configuration of the zone maintained on the external authoritative name servers.
3. Repeat these steps to switch off the local domain name service for each site served by external name servers.
If you wish to validate the configuration of a zone maintained on authoritative name servers:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Add to the list the entries pointing to the appropriate name servers that are authoritative for the zone: click Add, specify a name server, and click OK. Repeat this for each name server you would like to test. The records will appear in the list.
3. Click the records that you have just created. Parallels Plesk Panel will retrieve the zone file from a remote name server and check the resource records to make sure that the domain's resources are properly resolved. The results will be interpreted and displayed on the screen.
Describe the importance of DNS to AD. When you install Active Directory on a server, you promote the server to the role of a domain controller for a specified domain. When completing this process, you are prompted to specify a DNS domain name for the Active Directory domain for which you are joining and promoting the server. If during this process a DNS server authoritative for the domain that you specified either cannot be located on the network or does not support the DNS dynamic update protocol, you are prompted with the option to install a DNS server. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an Active Directory domain.
Describe a few methods of finding an MX record for a remote domain on the Internet. In order to find MX Records for SMTP domains you can use Command-line tools such as NSLOOKUP or DIG. You can also use online web services that allow you to perform quick searches and display the information in a convenient manner.
What does "Disable Recursion" in DNS mean? In the Windows 2000/2003 DNS console (dnsmgmt.msc), under a server's Properties -> Forwarders tab is the setting Do not use recursion for this domain. On the Advanced tab you will find the confusingly similar option Disable recursion (also disables forwarders).
Recursion refers to the action of a DNS server querying additional DNS servers (e.g. local ISP DNS or the root DNS servers) to resolve queries that it cannot resolve from its own database. So what is the difference between these settings?
The DNS server will attempt to resolve the name locally, then will forward requests to any DNS servers specified as forwarders. If Do not use recursion for this domain is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers) if the forwarders cannot resolve the query.
If Disable recursion (also disables forwarders) is set, the server will attempt to resolve a query from its own database only. It will not query any additional servers.
If neither of these options is set, the server will attempt to resolve queries normally: first the local database is queried; if an entry is not found, the request is passed to any forwarders that are set; if no forwarders are set, the server queries the servers on the Root Hints tab to resolve queries beginning at the root domains.
What could cause the Forwarders and Root Hints to be grayed out? Win2K configured your DNS server as a private root server
What is a "Single Label domain name" and what sort of issues can it cause? Single-label names consist of a single word like "contoso".
• Single-label DNS names cannot be registered by using an Internet registrar.
• Client computers and domain controllers that are joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones.
• Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
• By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.
• Some server-based applications are incompatible with single-label domain names. Application support may not exist in the initial release of an application, or support may be dropped in a future release. For example, Microsoft Exchange Server 2007 is not supported in environments in which single-label DNS is used.
• Some server-based applications are incompatible with the domain rename feature that is supported in Windows Server 2003 domain controllers and in Windows Server 2008 domain controllers. These incompatibilities either block or complicate the use of the domain rename feature when you try to rename a single-label DNS name to a fully qualified domain name.
What is the "in-addr.arpa" zone used for? When creating DNS records for your hosts, A records make sense. After all, how can the world find your mail server unless the IP address of that server is associated with its hostname within a DNS database? However, PTR records aren't as easily understood. If you already have a zone file, why does there have to be a separate in-addr.arpa zone containing PTR records matching your A records? And who should be making those PTR records--you or your provider? Let's start by defining in-addr.arpa. .arpa is actually a TLD like .com or .org. The name of the TLD comes from Address and Routing Parameter Area and it has been designated by the IANA to be used exclusively for Internet infrastructure purposes. In other words, it is an important zone and an integral part of the inner workings of DNS. The RFC for DNS (RFC 1035) has an entire section on the in-addr.arpa domain. The first two paragraphs in that section state the purpose of the domain: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network in the Internet. Note that both of these services are similar to functions that could be performed by inverse queries; the difference is that this part of the domain name space is structured according to address, and hence can guarantee that the appropriate data can be located without an exhaustive search of the domain space." In other words, this zone provides a database of all allocated networks and the DNS reachable hosts within those networks. If your assigned network does not appear in this zone, it appears to be unallocated. And if your hosts don't have a PTR record in this database, they appear to be unreachable through DNS. 
Assuming an A record exists for a host, a missing PTR record may or may not impact the DNS reachability of that host, depending upon the applications running on that host. For example, a mail server will definitely be impacted, as PTR records are used in mail header checks and by most anti-SPAM mechanisms. Depending upon your web server configuration, it may also depend upon an existing PTR record. This is why the DNS RFCs recommend that every A record has an associated PTR record. But who should make and host those PTR records? Twenty years ago, when you could buy a full Class C network address (i.e. 254 host addresses), the answer was easy: you. Remember, the in-addr.arpa zone is concerned with delegated network addresses. In other words, the owner of the network address is authoritative (i.e. responsible) for the host PTR records associated with that network address space. If you only own one or two host addresses within a network address space, the provider you purchased those addresses from needs to host your PTR records, as the provider is the owner of (i.e. authoritative for) the network address. Things are a bit more interesting if you have been delegated a CIDR block of addresses. The in-addr.arpa zone assumes a classful addressing scheme where a Class A address is one octet (or /8), a Class B is 2 octets (or /16) and a Class C is 3 octets (or /24). CIDR allows for delegating address space outside of these boundaries--say a /19 or a /28. RFC 2317 provides a best current practice for maintaining in-addr.arpa with these types of network allocations. Here is a summary regarding PTR records:
• Don't wait until users complain about DNS unreachability--be proactive and ensure there is an associated PTR record for every A record.
• If your provider hosts your A records, they should also host your PTR records.
• If you only have one or two assigned IP addresses, your provider should host your PTR records as they are authoritative for the network those hosts belong to.
• If you own an entire network address (e.g. a Class C address ending in 0), you are responsible for hosting your PTR records.
• If you are configuring an internal DNS server within the private address ranges (e.g. 10.0.0.0 or 192.168.0.0), you are responsible for your own internal PTR records.
• Remember: the key to PTR hosting is knowing who is authoritative for the network address for your domain. When in doubt, it probably is not you.
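An added example (mine, not from the original text) that works through the PTR hosting question above with Python's ipaddress module: the reverse zone name(s) for a block, the RFC 2317 sub-zone for a block inside a /24 together with the NS and CNAME records the provider adds to delegate it, and the rule of thumb from the summary; the zone naming and CNAME layout follow RFC 2317's own example.

```python
"""in-addr.arpa names, reverse zones and RFC 2317 classless delegation.

Added example, not from the original text.  reverse_zones() returns one
classful zone per /8, /16 or /24 for prefixes up to /24, and an RFC 2317
'<first>/<prefix>' sub-zone for blocks inside a /24.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List

PRIVATE = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def ptr_name(ip: str) -> str:
    """Owner name of a host's PTR record, e.g. 130.2.0.192.in-addr.arpa."""
    return IPv4Address(ip).reverse_pointer


def _classful_zone(net: IPv4Network, boundary: int) -> str:
    octets = str(net.network_address).split(".")[: boundary // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zones(network: str) -> List[str]:
    """Reverse zone name(s) whose PTR records cover the block."""
    net = IPv4Network(network)
    if net.prefixlen <= 24:
        # Classful boundaries: a /19, for example, maps to 32 separate /24 zones.
        boundary = 8 if net.prefixlen <= 8 else 16 if net.prefixlen <= 16 else 24
        return [_classful_zone(sub, boundary) for sub in net.subnets(new_prefix=boundary)]
    # Inside a /24: the provider delegates a sub-zone named after the first
    # address and the prefix length, e.g. 128/28.2.0.192.in-addr.arpa.
    parent = net.supernet(new_prefix=24)
    first = int(net.network_address) & 0xFF
    return [f"{first}/{net.prefixlen}.{_classful_zone(parent, 24)}"]


def rfc2317_parent_records(network: str, customer_ns: List[str]) -> List[str]:
    """Records the provider adds to its /24 reverse zone to delegate a
    sub-/24 block: NS records for the sub-zone plus one CNAME per address
    pointing into it.  Returned as zone-file lines relative to the /24."""
    net = IPv4Network(network)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation applies to blocks between /25 and /31")
    zone = reverse_zones(network)[0]
    label = zone.split(".")[0]                    # e.g. '128/28'
    lines = [f"{label} IN NS {ns}" for ns in customer_ns]
    for addr in net:                              # every address in the block
        host = int(addr) & 0xFF
        lines.append(f"{host} IN CNAME {host}.{zone}.")
    return lines


def who_hosts_ptr(network: str) -> str:
    """Rule of thumb from the summary above."""
    net = IPv4Network(network)
    if any(net.subnet_of(p) for p in PRIVATE):
        return "you"                  # internal DNS: your own PTR records
    if net.prefixlen <= 24:
        return "you"                  # you own the whole network address
    if net.prefixlen >= 31:
        return "provider"             # one or two addresses
    return "rfc2317-delegation"       # provider delegates, you host the sub-zone
```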
DNS requirements for installing Active Directory
When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers.
During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records.
When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure.
For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard.
Important
• The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records.
• It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation.
After installing Active Directory, these records can be found on the domain controller in the following location: systemroot\System32\Config\Netlogon.dns
How do you manually create SRV records in DNS? On Windows Server:
1. Go to Start > Run and open dnsmgmt.msc.
2. Right-click the zone you want to add the SRV record to and choose "Other New Records...".
3. Choose Service Location (SRV) and fill in the record.
Name 3 benefits of using AD-integrated zones.
You can give easy name resolution to your clients. By creating an AD-integrated zone you can also trace hackers and spammers by creating a reverse zone.
AD-integrated zones allow incremental zone transfers, which transfer only the changes and not the entire zone. This reduces zone transfer traffic.
AD-integrated zones support both secure and dynamic updates.
AD-integrated zones are stored as part of Active Directory and support domain-wide or forest-wide replication through application partitions in AD.
What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
Advantages:
DNS supports dynamic registration of SRV records registered by an Active Directory server or a domain controller during promotion. With the help of SRV records, client machines can find domain controllers in the network.
DNS supports secure dynamic updates. Unauthorized access is denied.
Exchange Server needs internal DNS or AD DNS to locate Global Catalog servers.
Active Directory Integrated Zone: if you have more than one domain controller (recommended) you need not worry about zone replication. Active Directory replication will take care of DNS zone replication also.
If your network uses DHCP with Active Directory, then no other DHCP server will be able to service client requests coming from a different network. This is because the DHCP server is authorized in AD and will be the only server allowed to participate on the network to provide IP address information to client machines.
Moreover, you can use NT4 DNS with Service Pack 4 or later. It supports both SRV record registration and dynamic updates.
Using Microsoft DNS gives the following benefits:
• If you implement networks that require secure updates.
• If you want to take advantage of Active Directory replication.
• If you want to integrate DHCP with DNS so that low-level clients can register their host records in the zone database.
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes. The machine's DNS client settings are not configured correctly (it does not point to a DNS server hosting the zone). The DNS service is not running.
What are the benefits and scenarios of using Stub zones? One of the new features introduced in the Windows Server 2003-based implementation of DNS is stub zones. Their main purpose is to provide name resolution in domains for which a local DNS server is not authoritative. The stub zone contains only a few records:
- a Start of Authority (SOA) record pointing to a remote DNS server that is considered to be the best source of information about the target DNS domain,
- one or more Name Server (NS) records (including the entry associated with the SOA record), which are authoritative for the DNS domain represented by the stub zone,
- corresponding A records for each of the NS entries (providing the IP addresses of the servers).
While you can also provide name resolution for a remote domain by creating a secondary zone (which was a common approach in the Windows 2000 DNS implementation) or a delegation (when dealing with a contiguous namespace), such an approach forces periodic zone transfers, which are not needed when stub zones are used. The need to traverse the network in order to obtain individual records hosted on the remote name servers is mitigated to some extent by caching, which keeps them on the local server for the duration of their Time-to-Live (TTL). In addition, records residing in a stub zone are periodically validated and refreshed in order to avoid lame delegations.
What are the benefits and scenarios of using Conditional Forwarding? The benefit is faster name resolution in certain scenarios: queries for a given domain are forwarded directly to the correct (authoritative) server for that domain, and you control where DNS queries for specific namespaces are sent.
What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use? I will make a few assumptions here: 1) By "Windows Clustering Network Load Balancing" you mean Windows Network Load Balancing software included in Windows Server software a.k.a NLB., and 2) By Round Robin, you mean DNS Round Robin meaning the absence of a software or hardware load balancing device, or the concept of the Round Robin algorithm available in just about every load balancing solution.
Microsoft NLB is designed for a small number (4 - 6) of Windows Servers and a low to moderate number of new connections per second, to provide distribution of web server requests to multiple servers in a virtual resource pool. Some would call this a "cluster", but there are subtle differences between a clustered group of devices and a more loosely configured virtual pool. From the standpoint of scalability and performance, almost all hardware load balancing solutions are superior to this and other less known software load balancing solutions [e.g. Bright Tiger circa 1998].
DNS Round Robin is an inherent load balancing method built into DNS. When you resolve an IP address that has more than one A record, DNS hands out different resolutions to different requesting local DNS servers. Although there are several factors affecting the exact resulting algorithm (e.g. DNS caching, TTL, multiple DNS servers [authoritative or cached]), I stress the term "roughly" when I say it roughly results in an even distribution of resolutions to each of the addresses specified for a particular URL. It does not, however, consider availability, performance, or any other metric, and is completely static. The basic RR algorithm is available in many software and hardware load balancing solutions and simply hands the next request to the next resource and starts back at the first resource when it hits the last one.
NLB is based on proprietary software, meant for small groups of Windows servers only on private networks, and is dynamic in nature (takes into account availability of a server, and in some cases performance). "Round Robin", DNS or otherwise, is more generic, static in nature (does not take into account anything but the resource is a member of the resource pool and each member is equal), and ranges from DNS to the default static load balancing method on every hardware device in the market.
How do I clear the DNS cache on the DNS server?
To clear DNS Cache do the following:
Start > Run
Type "cmd" and press enter
In the command window type "ipconfig /flushdns"
A. If done correctly it should say "Successfully flushed the DNS Resolver Cache."
B. If you receive an error "Could not flush the DNS Resolver Cache: Function failed during execution.", follow the Microsoft KB Article 919746 to enable the cache. The cache will be empty however this will allow successful cache-flush in future.
What is the 224.0.1.24 address used for? WINS server group address. Used to support autodiscovery and dynamic configuration of replication for WINS servers. For more information, see WINS replication overview
What is WINS and when do we use it? WINS is the Windows Internet Name Service, which is used to resolve NetBIOS names (computer names) to IP addresses. It is proprietary to Windows. You can use it in a LAN.
DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS? Yes, you can. WINS was designed to speed up the flow of information about the Windows workstations in a network. The network will work without it, and most networks do not utilize WINS servers anymore because it is based on an old protocol (NetBEUI) which is no longer in common use.
Describe the differences between WINS push and pull replications. To replicate database entries between a pair of WINS servers, you must configure each WINS server as a pull partner, a push partner, or both with the other WINS server.
A push partner is a WINS server that sends a message to its pull partners, notifying them that it has new WINS database entries. When a WINS server's pull partner responds to the message with a replication request, the WINS server sends (pushes) copies of its new WINS database entries (also known as replicas) to the requesting pull partner.
A pull partner is a WINS server that pulls WINS database entries from its push partners by requesting any new WINS database entries that the push partners have. The pull partner requests the new WINS database entries that have a higher version number than the last entry the pull partner received during the most recent replication.
What is the difference between tombstoning a WINS record and simply deleting it?
Simple deletion removes the records that are selected in the WINS console only from the local WINS server you are currently managing. If the WINS records deleted in this way exist in WINS data replicated to other WINS servers on your network, these additional records are not fully removed. Also, records that are simply deleted on only one server can reappear after replication between the WINS server where simple deletion was used and any of its replication partners.
Tombstoning marks the selected records as tombstoned, that is, marked locally as extinct and immediately released from active use by the local WINS server. This method allows the tombstoned records to remain present in the server database for purposes of subsequent replication of these records to other servers. When the tombstoned records are replicated, the tombstone status is updated and applied by other WINS servers that store replicated copies of these records. Each replicating WINS server then updates and tombstones
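The push/pull and deletion answers above, worked through as an added example (this is not code from the original Q&A and not a WINS implementation): two hypothetical servers exchange records by version number, a simple deletion is never replicated and comes back, and a tombstone travels as a new version and retires the record on every partner. Server names, the FILESRV record and its address are constructed.

```python
"""WINS push/pull replication and tombstoning, simulated.

Added example, not part of the original Q&A. WINS-A, WINS-B and WINS-C are
constructed server names; the record and address are constructed too.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str              # NetBIOS name
    ip: str
    version: int           # owner's version ID, bumped on every change
    owner: str             # server that registered the record
    tombstoned: bool = False


@dataclass
class WinsServer:
    name: str
    next_version: int = 1
    db: dict = field(default_factory=dict)            # name -> Record
    last_pulled: dict = field(default_factory=dict)   # owner -> highest version pulled

    def register(self, name, ip):
        self.db[name] = Record(name, ip, self.next_version, self.name)
        self.next_version += 1

    def simple_delete(self, name):
        """Local deletion only: no new version is created, so partners never hear of it."""
        self.db.pop(name, None)

    def tombstone(self, name):
        """Mark extinct locally, with a new version so partners pull the change."""
        rec = self.db[name]
        rec.tombstoned = True
        rec.version = self.next_version
        self.next_version += 1

    def pull_from(self, push_partner):
        """Pull partner requests every record whose version is higher than the
        highest version it has already received from that owner.
        Simplification (constructed model): records the puller itself once
        owned are treated like any other owner's records."""
        newest = dict(self.last_pulled)
        pulled = 0
        for r in push_partner.db.values():
            if r.version > self.last_pulled.get(r.owner, 0):
                self.db[r.name] = Record(r.name, r.ip, r.version, r.owner, r.tombstoned)
                newest[r.owner] = max(newest.get(r.owner, 0), r.version)
                pulled += 1
        self.last_pulled = newest
        return pulled

    def push_to(self, *pull_partners):
        """Push partner notifies its pull partners; each answers with a pull request."""
        return {p.name: p.pull_from(self) for p in pull_partners}

    def active_names(self):
        return sorted(r.name for r in self.db.values() if not r.tombstoned)


def simple_delete_scenario():
    a, b = WinsServer("WINS-A"), WinsServer("WINS-B")
    a.register("FILESRV", "10.0.0.5")      # constructed record, version 1, owner WINS-A
    a.push_to(b)                            # B now holds a replica
    a.simple_delete("FILESRV")              # removed on A only
    still_on_b = "FILESRV" in b.active_names()
    b.push_to(a)                            # next replication cycle: the replica comes back to A
    reappeared = "FILESRV" in a.active_names()
    return still_on_b, reappeared           # (True, True)


def tombstone_scenario():
    a, b, c = WinsServer("WINS-A"), WinsServer("WINS-B"), WinsServer("WINS-C")
    a.register("FILESRV", "10.0.0.5")
    a.push_to(b)
    a.tombstone("FILESRV")                  # version 2, tombstoned
    a.push_to(b)                            # B pulls the newer, tombstoned version
    b.push_to(c)                            # and passes it on to C
    return "FILESRV" in b.active_names(), "FILESRV" in c.active_names()   # (False, False)
```

The version map is what makes the difference: a tombstone is a change with a new version number, so it is pulled like any other update, while a simple deletion leaves nothing for partners to pull.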
Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
What are router interfaces? What types can they be?
Router Interfaces
Routers can have many different types of connectors; from Ethernet, Fast Ethernet, and Token Ring to Serial and ISDN ports. Some of the available configurable items are logical addresses (IP,IPX), media types, bandwidth, and administrative commands. Interfaces are configured in interface mode which you get to from global configuration mode after logging in.
Logging in to the Router
Depending on the port you're using, you might have to press Enter to get the prompt to appear (console port). The first prompt will look like Routername>; the greater-than sign at the prompt tells you that you are in user mode, where you can only view limited statistics of the router. To change configurations you first need to enter privileged EXEC mode. This is done by typing enable at the Routername> prompt; the prompt then changes to Routername#. This mode supports testing commands, debugging commands, and commands to manage the router configuration files. To go back to user mode, type disable at the Routername# prompt. If you want to leave completely, type logout at the user mode prompt. You can also exit from the router while in privileged mode by typing exit or logout at the Routername# prompt.
Global Configuration Mode
Enter this mode from the privileged mode by typing configure terminal (or conf t for short). The prompt will change to Routername(config)#. Changes made in this mode change the running-config file in DRAM. Use configure memory to change the startup-config in NVRAM. Using configure network allows you to change the configuration file on a TFTP server. If you change the memory or network config files, the router has to put them into memory (DRAM) in order to work with them, so this will change your router's current running-config file.
Interfaces Mode
While in global configuration mode you can make changes to individual interfaces with the command Routername(config)#interface ethernet 0 or Routername(config)#int e0 for short. This enters the interface configuration mode for Ethernet port 0 and changes the prompt to look like Routername(config-if)#.
Bringing Up Interfaces
If an interface is shown administratively down when the show interface command is given in privileged EXEC mode, use the command no shutdown to enable the interface while in interface configuration mode.
Setting IP Addresses
In global configuration mode, enter the interface configuration mode (Routername(config)#int e0) and use the command Routername(config-if)#ip address [ip address] [network mask]. If it is the first time using the interface, also use the no shutdown command to enable and bring up the interface.
Router_2(config)#int e0
Router_2(config-if)#ip address 192.168.1.1 255.255.255.0
Router_2(config-if)#no shutdown
Secondary IP Addresses
You can add another IP address to an interface with the secondary command. The syntax is the same as setting an IP address except you add secondary to the end of it. Secondary addresses allow you to specify 2 IP addresses for 1 interface. Use subinterfaces instead, since they allow for more than 2 IP addresses on an interface and secondaries will probably be replaced soon.
Subinterfaces
In global configuration mode you can create virtual interfaces (subinterfaces): at the prompt Routername(config)# type int e0.1 and the prompt will change to Routername(config-subif)#. For all practical purposes there isn't a limit to the number of subinterfaces an interface can have.
Show Interfaces
To view information about an interface, use the command:
Router_2#show interface e0
Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:07, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     614 packets output, 58692 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Interface Problems
When using the command show interface [type #], interface problems can be seen and appropriate action taken.
Message                                                     Solution
Ethernet0 is up, line protocol is up                        None needed, interface working properly
Ethernet0 is up, line protocol is down                      Clocking or framing problem, check clock rate and encapsulation type on both routers
Ethernet0 is down, line protocol is down                    Cable or interface problem, check interfaces on both ends to ensure they aren't shutdown
Ethernet0 is administratively down, line protocol is down   The interface has been shutdown, use the no shutdown command in the interface's configuration mode
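The table above as detection logic, as an added example (not code from the original page): the parser reads the status line and a few error counters from constructed sample output, modelled on the show interface e0 output shown earlier, returns the table's diagnosis, and flags an interface that is up/up but still reporting errors.

```python
"""Classify Cisco 'show interface' output the way the Interface Problems table does.

Added example, not from the original page. The sample outputs are constructed
(the first is modelled on the show interface e0 output above).
"""
import re

# Status line -> diagnosis, taken from the Interface Problems table.
DIAGNOSIS = {
    ("up", "up"): "None needed, interface working properly",
    ("up", "down"): "Clocking or framing problem, check clock rate and encapsulation type on both routers",
    ("down", "down"): "Cable or interface problem, check interfaces on both ends to ensure they aren't shutdown",
    ("administratively down", "down"): "The interface has been shutdown, use the no shutdown command in the interface's configuration mode",
}

STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?P<link>administratively down|up|down), line protocol is (?P<proto>up|down)",
    re.MULTILINE,
)
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|interface resets|collisions)\b")


def parse_show_interface(text):
    """Return interface name, link/protocol state, the table's diagnosis and error counters."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no interface status line found")
    counters = {name: int(value) for value, name in COUNTER_RE.findall(text)}
    return {
        "interface": m["name"],
        "link": m["link"],
        "protocol": m["proto"],
        "diagnosis": DIAGNOSIS[(m["link"], m["proto"])],
        "counters": counters,
    }


def health_warnings(parsed):
    """An up/up interface can still be unhealthy: flag non-zero error counters."""
    c = parsed["counters"]
    warnings = []
    if c.get("input errors", 0) or c.get("CRC", 0):
        warnings.append("input errors/CRC: check cabling, speed and duplex")
    if c.get("interface resets", 0):
        warnings.append("interface resets: check for link flapping or missed keepalives")
    return warnings


# Constructed sample output, trimmed to the lines the parser uses.
SAMPLE_UP = """Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
  Internet address is 192.168.1.1/24
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     614 packets output, 58692 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
"""

SAMPLE_ADMIN_DOWN = """Serial0 is administratively down, line protocol is down
  Hardware is HD64570
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets
"""

if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_ADMIN_DOWN):
        p = parse_show_interface(sample)
        print(p["interface"], "->", p["diagnosis"], health_warnings(p))
```

The table only covers the status line; the counters are where a working-looking interface reveals cabling or clocking trouble, so both are worth checking from a monitoring script.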
Serial Interfaces
The serial interface is usually attached to a line that is attached to a CSU/DSU that provides clocking rates for the line. However, if two routers are connected together, one of the serial interfaces must act as the DCE device and provide clocking. The DCE end of the cable is the side of the cable that has a female connector where it connects to the other cable. The clocking rate on the DCE device is set in interface configuration mode with the commands:
Router3(config)#int s0
Router3(config-if)#clock rate ?
  Speed (bits per second)
  1200
  2400
  4800
  9600
  19200
  38400
  56000
  64000
  72000
  125000
  148000
  250000
  500000
  800000
  1000000
  1300000
  2000000
  4000000
  <300-8000000>  Choose clockrate from list above
Router3(config-if)#clock rate 56000
Bandwidth
Cisco routers ship with T1 (1.544 Mbps) bandwidth rates on their serial interfaces. Some routing protocols use the bandwidth of links to determine the best route. The bandwidth setting is irrelevant with RIP routing. Bandwidth is set with the bandwidth command and ranges from 1 - 10000000 kilobits per second.
Router3(config)#int s0
Router3(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
Router3(config-if)#bandwidth 10000000
Saving Changes
Any time you make changes and want them saved over the next reboot, you need to copy the running-config to the startup-config in NVRAM. Use the command:
Router3#copy run start
You can see either of the files by using the commands:
Router3#show run
Router3#show start
To erase the startup file use the command:
Router3#erase start
Show Controllers
Tells you information about the physical interface itself; it also gives you the cable type and whether it is a DTE or DCE interface. Syntax is:
Router_2#show controllers s 1
*Note there is a space between the s and the 1.
What is NAT? NAT (Network Address Translation) is a technique for preserving scarce Internet IP addresses.
What is the real difference between NAT and PAT? NAT is a feature of a router that will translate IP addresses. When a packet comes in, it will be rewritten in order to forward it to a host that is not the IP destination. A router will keep track of this translation, and when the host sends a reply, it will translate back the other way.
PAT translates ports, as the name implies, and likewise, NAT translates addresses. Sometimes PAT is also called Overloaded NAT.
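The translation table the NAT/PAT answer describes, as an added example (not code from the original Q&A and not a router implementation): a hypothetical translator keeps a mapping per flow, plain NAT gives each inside host its own public address from a pool and leaves ports alone, PAT (overloaded NAT) puts every flow behind one public address and tells them apart by rewriting the source port, replies are translated back through the same table, and inbound packets with no table entry are dropped. All addresses are constructed.

```python
"""NAT versus PAT (overloaded NAT) translation table, simulated.

Added example, not from the original Q&A. Addresses and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Translator:
    def __init__(self, public_ip, mode, pool=None, first_port=1024):
        self.public_ip = public_ip
        self.mode = mode               # "nat" (one-to-one) or "pat" (overload)
        self.pool = list(pool or [])   # spare public addresses for plain NAT
        self.next_port = first_port    # next source port handed out by PAT
        self.outbound = {}             # (inside src, sport) -> (public ip, port)
        self.inbound = {}              # (public ip, port) -> (inside src, sport)

    def translate_outbound(self, pkt):
        """Inside -> outside: rewrite the source, remembering the mapping for replies."""
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:
            if self.mode == "nat":
                # one inside address <-> one public address; the port is not touched
                assigned = {k[0]: v[0] for k, v in self.outbound.items()}
                public = assigned.get(pkt.src) or (self.pool.pop(0) if self.pool else None)
                if public is None:
                    return None                    # pool exhausted: packet dropped
                mapping = (public, pkt.sport)
            else:
                # overload: every flow shares one public address, told apart by port
                mapping = (self.public_ip, self.next_port)
                self.next_port += 1
            self.outbound[key] = mapping
            self.inbound[mapping] = key
        public, port = self.outbound[key]
        return Packet(public, port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt):
        """Outside -> inside: only packets matching an existing mapping get through."""
        key = (pkt.dst, pkt.dport)
        if key not in self.inbound:
            return None                            # no translation entry: dropped
        src, sport = self.inbound[key]
        return Packet(pkt.src, pkt.sport, src, sport)


def pat_demo():
    t = Translator("203.0.113.1", "pat")
    out1 = t.translate_outbound(Packet("192.168.0.10", 50000, "198.51.100.5", 80))
    out2 = t.translate_outbound(Packet("192.168.0.11", 50000, "198.51.100.5", 80))
    reply = t.translate_inbound(Packet("198.51.100.5", 80, out2.src, out2.sport))
    unsolicited = t.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 3389))
    return out1, out2, reply, unsolicited


def nat_demo():
    t = Translator("203.0.113.1", "nat", pool=["203.0.113.10", "203.0.113.11"])
    a = t.translate_outbound(Packet("192.168.0.10", 50000, "198.51.100.5", 80))
    a2 = t.translate_outbound(Packet("192.168.0.10", 50001, "198.51.100.5", 443))
    b = t.translate_outbound(Packet("192.168.0.11", 50000, "198.51.100.5", 80))
    c = t.translate_outbound(Packet("192.168.0.12", 50000, "198.51.100.5", 80))
    return a, a2, b, c   # c is None: only two public addresses in the pool
```

Two inside hosts using the same source port collide under plain NAT only if they are given the same public address, which the pool prevents; under PAT the rewritten source port is what keeps them apart, which is why the translation table has to track ports as well as addresses.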
How do you configure NAT on Windows 2003? To configure the Routing and Remote Access and the Network Address Translation components, your computer must have at least two network interfaces: one connected to the Internet and the other one connected to the internal network. You must also configure the network translation computer to use Transmission Control Protocol/Internet Protocol (TCP/IP).
If you use dial-up devices such as a modem or an Integrated Services Digital Network (ISDN) adapter to connect to the Internet, install your dial-up device before you configure Routing and Remote Access.
Use the following data to configure the TCP/IP address of the network adapter that connects to the internal network:
TCP/IP address: 192.168.0.1
Subnet mask: 255.255.255.0
No default gateway
Domain Name System (DNS) server: provided by your Internet service provider (ISP)
Windows Internet Name Service (WINS) server: provided by your ISP
Use the following data to configure the TCP/IP address of the network adapter that connects to the external network:
TCP/IP address: provided by your ISP
Subnet mask: provided by your ISP
Default gateway: provided by your ISP
DNS server: provided by your ISP
WINS server: provided by your ISP
Before you continue, verify that all your network cards or all your dial-up adapters are functioning correctly.
Configure Routing and Remote Access
To activate Routing and Remote Access, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click your server, and then click Configure and Enable Routing and Remote Access.
3. In the Routing and Remote Access Setup Wizard, click Next, click Network address translation (NAT), and then click Next.
4. Click Use this public interface to connect to the Internet, and then click the network adapter that is connected to the Internet. At this stage you have the option to reduce the risk of unauthorized access to your network. To do so, click to select the Enable security on the selected interface by setting up Basic Firewall check box.
5. Examine the selected options in the Summary box, and then click Finish.
Configure dynamic IP address assignment for private network clients
You can configure your Network Address Translation computer to act as a Dynamic Host Configuration Protocol (DHCP) server for computers on your internal network. To do so, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Expand your server node, and then expand IP Routing.
3. Right-click NAT/Basic Firewall, and then click Properties.
4. In the NAT/Basic Firewall Properties dialog box, click the Address Assignment tab.
5. Click to select the Automatically assign IP addresses by using the DHCP allocator check box. Notice that default private network 192.168.0.0 with the subnet mask of 255.255.0.0 is automatically added in the IP address and the Mask boxes. You can keep the default values, or you can modify these values to suit your network.
6. If your internal network requires static IP assignment for some computers -- such as for domain controllers or for DNS servers -- exclude those IP addresses from the DHCP pool. To do this, follow these steps:
   a. Click Exclude.
   b. In the Exclude Reserved Addresses dialog box, click Add, type the IP address, and then click OK.
   c. Repeat step b for all addresses that you want to exclude.
7. Click OK.
Configure name resolution
To configure name resolution, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access. Right-click NAT/Basic Firewall, and then click Properties.
2. In the NAT/Basic Firewall Properties dialog box, click the Name Resolution tab.
3. Click to select the Clients using Domain Name System (DNS) check box. If you use a demand-dial interface to connect to an external DNS server, click to select the Connect to the public network when a name needs to be resolved check box, and then click the appropriate dial-up interface in the list.
How do you allow inbound traffic for specific hosts on Windows 2003 NAT? You can use the Windows Server 2003 implementation of IPSec to compensate for the limited protections provided by applications for network traffic, or as a network-layer foundation of a defense-in-depth strategy. Do not use IPSec as a replacement for other user and application security controls, because it cannot protect against attacks from within established and trusted communication paths. Your authentication strategy must be well defined and implemented for the potential security provided by IPSec to be realized, because authentication verifies the identity and trust of the computer at the other end of the connection.
What is VPN? What types of VPN does Windows 2000 and beyond work with natively? The virtual private network (VPN) technology included in Windows Server 2003 helps enable cost-effective, secure remote access to private networks. VPN allows administrators to take advantage of the Internet to help provide the functionality and security of private WAN connections at a lower cost. In Windows Server 2003, VPN is enabled using the Routing and Remote Access service. VPN is part of a comprehensive network access solution that includes support for authentication and authorization services, and advanced network security technologies.
There are two main strategies that help provide secure connectivity between private networks and enable network access for remote users.
Dial-up or leased line connections
A dial-up or leased line connection creates a physical connection to a port on a remote access server on a private network. However, using dial-up or leased lines to provide network access is expensive when compared to the cost of providing network access using a VPN connection.
VPN connections
VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over an intermediate network, such as the Internet. By using the Internet as a connection medium, VPN saves the cost of long-distance phone service and hardware costs associated with using dial-up or leased line connections. A VPN solution includes advanced security technologies such as data encryption, authentication, authorization, and Network Access Quarantine Control.
Note
Network Access Quarantine Control is used to delay remote access to a private network until the configuration of the remote access computer has been examined and validated.
Using VPN, administrators can connect remote or mobile workers (VPN clients) to private networks. Remote users can work as if their computers are physically connected to the network. To accomplish this, VPN clients can use a Connection Manager profile to initiate a connection to a VPN server. The VPN server can communicate with an Internet Authentication Service (IAS) server to authenticate and authorize a user session and maintain the connection until it is terminated by the VPN client or by the VPN server. All services typically available to a LAN-connected client (including file and print sharing, Web server access, and messaging) are enabled by VPN.
VPN clients can use standard tools to access resources. For example, clients can use Windows Explorer to make drive connections and to connect to printers. Connections are persistent: Users do not need to reconnect to network resources during their VPN sessions. Because drive letters and universal naming convention (UNC) names are fully supported by VPN, most commercial and custom applications work without modification.
VPN Scenarios
Virtual private networks are point-to-point connections across a private or public network such as the Internet. A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
A VPN Connection
There are two types of VPN connections:
Remote access VPN
Site-to-site VPN
Remote Access VPN
Remote access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization’s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link. When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
VPN Connecting Two Remote Sites Across the Internet
VPN Connection Properties
PPTP-based VPN and L2TP/IPSec-based VPN connection properties are described in the following sections.
Encapsulation
VPN technology provides a way of encapsulating private data with a header that allows the data to traverse the network.
Authentication
There are three types of authentication for VPN connections:
User authentication
For the VPN connection to be established, the VPN server authenticates the VPN client attempting the connection and verifies that the VPN client has the appropriate permissions. If mutual authentication is being used, the VPN client also authenticates the VPN server, providing protection against masquerading VPN servers.
The user attempting the PPTP or L2TP/IPSec connection is authenticated using Point-to-Point Protocol (PPP)-based user authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2), Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP). For PPTP connections, you must use EAP-TLS, MS-CHAP, or MS-CHAP v2. EAP-TLS using smart cards or MS-CHAP v2 is highly recommended, as they provide mutual authentication and are the most secure methods of exchanging credentials.
Computer authentication with L2TP/IPSec
By performing computer-level authentication with IPSec, L2TP/IPSec connections also verify that the remote access client computer is trusted.
Data authentication and integrity
To verify that the data being sent on an L2TP/IPSec VPN connection originated at the other end of the connection and was not modified in transit, L2TP/IPSec packets include a cryptographic checksum based on an encryption key known only to the sender and the receiver.
Data Encryption
Data can be encrypted for protection between the endpoints of the VPN connection. Data encryption should always be used for VPN connections where private data is sent across a public network such as the Internet. Data that is not encrypted is vulnerable to unauthorized interception. For VPN connections, Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE) with PPTP and IPSec encryption with L2TP.
Address and Name Server Allocation
When a VPN server is configured, it creates a virtual interface that represents the interface on which all VPN connections are made. When a VPN client establishes a VPN connection, a virtual interface is created on the VPN client that represents the interface connected to the VPN server. The virtual interface on the VPN client is connected to the virtual interface on the VPN server, creating the point-to-point VPN connection.
The virtual interfaces of the VPN client and the VPN server must be assigned IP addresses. The assignment of these addresses is done by the VPN server. By default, the VPN server obtains IP addresses for itself and VPN clients using the Dynamic Host Configuration Protocol (DHCP). Otherwise, a static pool of IP addresses can be configured to define one or more address ranges, with each range defined by an IP network ID and a subnet mask or start and end IP addresses.
Name server assignment, the assignment of Domain Name System (DNS) and Windows Internet Name Service (WINS) servers to the VPN connection, also occurs during the process of establishing the VPN connection.
Tunneling Overview
Tunneling is a method of using a network infrastructure to transfer data for one network over another network. The data (or payload) to be transferred can be the frames (or packets) of another protocol. Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network.
The encapsulated packets are then routed between tunnel endpoints over the network. The logical path through which the encapsulated packets travel through the network is called a tunnel. After the encapsulated frames reach their destination on the network, the frame is de-encapsulated (the header is removed) and the payload is forwarded to its final destination. Tunneling includes this entire process (encapsulation, transmission, and de-encapsulation of packets).
Tunneling
Tunneling Protocols
Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol. For example, VPN uses PPTP to encapsulate IP packets over a public network such as the Internet. A VPN solution based on either PPTP or L2TP can be configured.
PPTP and L2TP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP-packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server (NAS).
PPTP
PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an IP header to be sent across an organization’s IP network or a public IP network such as the Internet. PPTP encapsulates Point-to-Point Protocol (PPP) frames in IP datagrams for transmission over the network. PPTP can be used for remote access and site-to-site VPN connections. PPTP is documented in RFC 2637 in the IETF RFC Database.
PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted, compressed, or both. The following figure shows the structure of a PPTP packet containing an IP datagram.
Structure of a PPTP Packet Containing an IP Datagram
When using the Internet as the public network for VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.
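The PPTP packet structure described above, built and parsed as an added example (this is not code from the original page or from any PPTP implementation): an inner IP datagram is wrapped in a PPP frame, the PPP frame in the enhanced GRE header of RFC 2637 (key = payload length and call ID, plus a sequence number), and the result in an outer IP header with protocol 47. The IP headers are minimal constructed ones with the checksum left zero, the PPP payload is left in the clear where a real tunnel would apply MPPE, and all addresses and the call ID are constructed; only the layering is of interest.

```python
"""PPTP encapsulation: PPP frame inside an enhanced GRE header inside IP.

Added example, not from the original page. IP headers are minimal constructed
ones (checksum zero); addresses and call ID are constructed.
"""
import struct

IP_PROTO_GRE = 47        # outer IP header carries GRE
GRE_PROTO_PPP = 0x880B   # GRE protocol type for PPP (RFC 2637)
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for an IPv4 payload

# Enhanced GRE header bits in the first 16-bit word: K = key present (mandatory
# in PPTP), S = sequence number present, A = acknowledgment number present, ver = 1.
GRE_K, GRE_S, GRE_A, GRE_VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (version 4, IHL 5, TTL 64, checksum zero)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr + payload


def build_ppp(inner_datagram):
    """PPP frame: address 0xFF, control 0x03, protocol 0x0021, then the IP datagram."""
    return struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4) + inner_datagram


def build_gre(ppp_frame, call_id, seq):
    """Enhanced GRE header: flags/version, protocol type, key (payload length, call ID), sequence."""
    flags_ver = GRE_K | GRE_S | 1
    return struct.pack("!HHHHI", flags_ver, GRE_PROTO_PPP, len(ppp_frame), call_id, seq) + ppp_frame


def encapsulate(inner_datagram, client_ip, server_ip, call_id, seq):
    """Client -> server PPTP data packet: IP(GRE(PPP(inner IP)))."""
    return build_ipv4(client_ip, server_ip, IP_PROTO_GRE,
                      build_gre(build_ppp(inner_datagram), call_id, seq))


def decapsulate(packet):
    """Peel IP -> GRE -> PPP; return the header fields and the inner datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer IP protocol is not GRE")
    gre = packet[ihl:]
    flags_ver, ptype, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if ptype != GRE_PROTO_PPP or (flags_ver & GRE_VER_MASK) != 1 or not flags_ver & GRE_K:
        raise ValueError("not a PPTP enhanced GRE header")
    offset, seq, ack = 8, None, None
    if flags_ver & GRE_S:
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags_ver & GRE_A:
        ack = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    ppp = gre[offset:offset + payload_len]
    _addr, _ctrl, ppp_proto = struct.unpack("!BBH", ppp[:4])
    inner = ppp[4:]
    return {
        "call_id": call_id, "seq": seq, "ack": ack, "ppp_proto": ppp_proto, "inner": inner,
        "layers": ["IP", "GRE", "PPP", "IP" if ppp_proto == PPP_PROTO_IPV4 else "other"],
    }


def demo():
    # Private-network traffic from a VPN client to an intranet host, wrapped for the Internet.
    inner = build_ipv4("10.0.0.5", "10.0.0.20", 6, b"constructed TCP segment")
    outer = encapsulate(inner, "198.51.100.7", "203.0.113.1", call_id=0x1234, seq=1)
    return decapsulate(outer)
```

The outer header is all an intermediate router sees; the private addresses 10.0.0.5 and 10.0.0.20 only become visible once the VPN server strips GRE and PPP, which is the point the figure makes. The call ID in the GRE key is what ties the data stream to the TCP control connection on port 1723.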
L2TP
L2TP allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, frame relay, or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM networks. When configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP is documented in RFC 2661 in the IETF RFC Database.
L2TP over IP networks uses User Datagram Protocol (UDP) and a series of L2TP messages for tunnel management. L2TP also uses UDP to send L2TP-encapsulated PPP frames as tunneled data. The payloads of encapsulated PPP frames can be encrypted, compressed, or both, although the Microsoft implementation of L2TP does not use MPPE to encrypt the PPP payload. The following figure shows the structure of an L2TP packet containing an IP datagram.
Structure of an L2TP Packet Containing an IP Datagram
L2TP with IPSec (L2TP/IPSec)
In the Microsoft implementation of L2TP, IPSec Encapsulating Security Payload (ESP) in transport mode is used to encrypt L2TP traffic. The combination of L2TP (the tunneling protocol) and IPSec (the method of encryption) is known as L2TP/IPSec. L2TP/IPSec is described in RFC 3193 in the IETF RFC Database.
The result after applying ESP to an IP packet containing an L2TP message is shown in the following figure.
Encryption of L2TP Traffic with IPSec ESP
Routing for VPN
Routing for remote access and site-to-site VPN connections is described in the following sections.
Routing for Remote Access VPN Connections
Conventional routing occurs between routers over either LAN-based shared access technologies, such as Ethernet or Token Ring, or WAN-based point-to-point technologies, such as T1 or frame relay.
Default Routing
The preferred method for directing packets to a remote network is to create a default route on the remote access client that directs packets to the remote network (the default configuration for VPN remote access clients). Any packet that is not intended for the neighboring LAN segment is sent to the remote network. When a connection is made, the remote access client, by default, adds a default route to its routing table and increases the metric of the existing default route to ensure that the newest default route is used. The newest default route points to the new connection, which ensures that any packets that are not addressed to the local LAN segment are sent to the remote network.
Under this configuration, when a VPN client connects and creates a new default route, Internet sites that have been accessible are no longer accessible (unless Internet access is available through the organization’s intranet). This poses no problem for remote VPN clients that require access only to the organization’s network. However, it is not acceptable for remote clients that need access to the Internet while they are connected to the organization’s network.
Split Tunneling
Split tunneling enables remote access VPN clients to route corporate-based traffic over the VPN connection while sending Internet-based traffic using the user’s local Internet connection. This prevents the use of corporate bandwidth for access to Internet sites.
However, a split tunneling implementation can introduce a security issue. If a remote access client has reachability to both the Internet and a private organization network simultaneously, the possibility exists that the Internet connection could be exploited to gain access to the private organization network through the remote access client. Security-sensitive companies can choose to use the default routing model to help ensure that all VPN client communications are protected by the corporate firewall.
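The two routing models above, simulated as an added example (not code from the original page and not the Windows routing table): a hypothetical client routing table does longest-prefix matching with the lower metric winning among equal prefixes; the default routing model adds the VPN default route and raises the metric of the existing one, as the text describes, while the split tunneling model adds only the corporate prefix. The last function shows the property the security paragraph warns about: under split tunneling the same host forwards to the Internet and to the corporate network at once. All prefixes and addresses are constructed.

```python
"""Default routing versus split tunneling on a VPN client, simulated.

Added example, not from the original page. Prefixes, metrics and addresses
are constructed.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []   # (network, interface, metric)

    def add(self, prefix, interface, metric):
        self.routes.append((ipaddress.ip_network(prefix), interface, metric))

    def lookup(self, dst):
        """Longest prefix wins; among equal prefixes the lowest metric wins."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1]


DESTINATIONS = ("10.10.5.7", "198.51.100.80", "192.168.1.9")   # intranet host, Internet host, home LAN host


def client_before_vpn():
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "LAN", 20)   # the client's local LAN segment
    rt.add("0.0.0.0/0", "LAN", 20)        # default route via the local Internet connection
    return rt


def default_route_model():
    """New default route over the VPN; the existing default route's metric is increased."""
    rt = client_before_vpn()
    rt.routes = [(n, i, m + 10) if n.prefixlen == 0 else (n, i, m) for n, i, m in rt.routes]
    rt.add("0.0.0.0/0", "VPN", 1)
    return {d: rt.lookup(d) for d in DESTINATIONS}


def split_tunnel_model():
    """Only the corporate address space (constructed: 10.0.0.0/8) goes through the tunnel."""
    rt = client_before_vpn()
    rt.add("10.0.0.0/8", "VPN", 1)
    return {d: rt.lookup(d) for d in DESTINATIONS}


def simultaneous_reachability(model):
    """True when Internet and corporate destinations leave over different links at the same time."""
    return len({model["10.10.5.7"], model["198.51.100.80"]}) == 2
```

The home LAN segment stays reachable under both models because its /24 is a longer match than any default route, which is why local printers keep working while a default-route client sends everything else through the tunnel.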
Routing for Site-to-Site VPN Connections
With conventional WAN technologies, IP packets are forwarded between two routers over a physical or logical point-to-point connection. This connection is dedicated to the customer across a private data network that is provided by the WAN service provider.
With the advent of the Internet, packets can now be routed between routers that are connected to the Internet across a virtual connection that emulates the properties of a dedicated, private, point-to-point connection. This type of connection is known as a site-to-site VPN connection. Site-to-site VPN connections can be used to replace expensive long-haul WAN links with short-haul WAN links to a local Internet service provider (ISP).
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
To facilitate routing between the sites, each VPN server and the routing infrastructure of its connected site must have a set of routes that represent the address space of the other site. These routes can be added manually, or routing protocols can be used to automatically add and maintain a set of routes.
Site-to-Site Routing Protocols
There are two routing protocols that can be used in a site-to-site VPN deployment:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
RIP
RIP is designed for exchanging routing information within a small to medium-size network. RIP routers dynamically exchange routing table entries.
The Windows Server 2003 implementation of RIP has the following features:
The ability to select which RIP version to run on each interface for incoming and outgoing packets.
Split-horizon, poison-reverse, and triggered-update algorithms that are used to avoid routing loops and speed recovery of the network when topology changes occur.
Route filters for choosing which networks to announce or accept.
Peer filters for choosing which router’s announcements are accepted.
Configurable announcement and route-aging timers.
Simple password authentication support.
The ability to disable subnet summarization.
OSPF
OSPF is designed for exchanging routing information within a large or very large network. Instead of exchanging routing table entries like RIP routers, OSPF routers maintain a map of the network that is updated after any change to the network topology. This map, called the link state database, is synchronized between all the OSPF routers and is used to compute the routes in the routing table. Neighboring OSPF routers form an adjacency, which is a logical relationship between routers to synchronize the link state database.
VPN and Firewalls Overview
The routing service supports a variety of inbound and outbound packet-filtering features that block certain types of traffic. The filtering options include the following: TCP port, UDP port, IP protocol ID, Internet Control Message Protocol (ICMP) type, ICMP code, source address, and destination address. A VPN server can be placed behind a firewall or in front of a firewall. These two approaches are described in the following sections.
VPN Server Behind a FirewallIn the most common configuration, the firewall is connected to the Internet, and the VPN server is an intranet resource that is attached to the perimeter network. The VPN server has an interface on both the perimeter network and the intranet. In this scenario, the firewall must be configured with input and output filters on its Internet interface that allow tunnel maintenance traffic and tunneled data to pass to the VPN server. Additional filters can allow traffic to pass to Web, FTP, and other types of servers on the perimeter network. For an additional layer of security, the VPN server should also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface.
VPN Server in Front of a Firewall
When the VPN server is in front of the firewall and connected to the Internet, packet filters must be added to the VPN server’s Internet interface to allow only VPN traffic to and from the IP address of that interface.
For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall. Through the use of its filters, the firewall allows the traffic to be forwarded to intranet resources. Because the only traffic that crosses the VPN server is generated by authenticated VPN clients, in this scenario, firewall filtering can be used to prevent VPN users from accessing specific intranet resources. Because Internet traffic allowed on the intranet must pass through the VPN server, this approach also prevents the sharing of FTP or Web intranet resources with non-VPN Internet users.
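The "allow only VPN traffic to and from the IP address of that interface" rule set described above, modelled as a small default-deny packet filter. This is an added example and not code from the original page or from Windows Server; the interface address and the sample packets are constructed. The protocol and port numbers are the standard ones for PPTP (TCP 1723 for tunnel maintenance, GRE, IP protocol 47, for tunneled data) and for L2TP/IPSec (UDP 500 for IKE, UDP 4500 for NAT-T, ESP, IP protocol 50); the L2TP UDP 1701 traffic itself travels inside ESP, so it is not a filter entry on the Internet interface.

```python
"""Default-deny packet filter for a VPN server's Internet interface.

Added example (not from the original page). VPN_IFACE and the packets used
below are constructed; protocol and port numbers are the standard PPTP and
L2TP/IPSec values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                  # IP protocol: 6=TCP, 17=UDP, 47=GRE, 50=ESP
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str              # "in" (to the interface) or "out" (from it)
    proto: int
    port: Optional[int]         # checked against dport for "in", sport for "out"
    note: str


# Assumed Internet-facing address of the VPN server (constructed value).
VPN_IFACE = "203.0.113.10"

# Filters for a PPTP-only VPN server.
PPTP_RULES: List[Rule] = [
    Rule("in", 6, 1723, "PPTP tunnel maintenance to the server"),
    Rule("out", 6, 1723, "PPTP tunnel maintenance from the server"),
    Rule("in", 47, None, "GRE-encapsulated PPTP data to the server"),
    Rule("out", 47, None, "GRE-encapsulated PPTP data from the server"),
]

# Filters for an L2TP/IPSec VPN server (IKE, NAT-T and ESP only).
L2TP_IPSEC_RULES: List[Rule] = [
    Rule("in", 17, 500, "IKE to the server"),
    Rule("out", 17, 500, "IKE from the server"),
    Rule("in", 17, 4500, "IKE / ESP NAT-T to the server"),
    Rule("out", 17, 4500, "IKE / ESP NAT-T from the server"),
    Rule("in", 50, None, "ESP to the server"),
    Rule("out", 50, None, "ESP from the server"),
]


def direction_of(pkt: Packet, iface_ip: str) -> Optional[str]:
    """Classify a packet relative to the VPN interface, or None if unrelated."""
    if pkt.dst == iface_ip:
        return "in"
    if pkt.src == iface_ip:
        return "out"
    return None


def permitted(pkt: Packet, rules: List[Rule], iface_ip: str = VPN_IFACE) -> bool:
    """True only when a rule explicitly allows the packet; everything else is dropped."""
    direction = direction_of(pkt, iface_ip)
    if direction is None:
        return False                      # not addressed to/from the VPN interface
    for rule in rules:
        if rule.direction != direction or rule.proto != pkt.proto:
            continue
        if rule.port is None:             # protocol-only rule (GRE, ESP)
            return True
        port = pkt.dport if direction == "in" else pkt.sport
        if port == rule.port:
            return True
    return False


if __name__ == "__main__":
    client = "198.51.100.7"               # constructed remote client address
    for pkt in (Packet(client, VPN_IFACE, 6, 40000, 1723),
                Packet(client, VPN_IFACE, 6, 40000, 80),
                Packet(client, VPN_IFACE, 47)):
        print(pkt, "->", "allow" if permitted(pkt, PPTP_RULES) else "drop")
```

Because the filter is stateless and default-deny, anything that is not tunnel maintenance or tunneled data (a web request to the interface, for example) is dropped before it reaches the firewall behind the VPN server.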
Technologies Related to VPN
Integrating VPN with the other network infrastructure components is an important part of VPN design and implementation. VPN has to be integrated with directory, authentication, and security services, as well as with IP address assignment and name server assignment services. Without proper design, VPN clients are unable to obtain proper IP addresses and resolve intranet names, and packets cannot be forwarded between VPN clients and intranet resources.
VPN-related technologies are described in the following sections:
Connection Manager
DHCP
EAP-RADIUS
IAS
Name Server Assignment (DNS and WINS)
NAT
Connection Manager
Connection Manager is a service profile that can be used to provide customized remote access to a network through a VPN connection. The advanced features of Connection Manager are a superset of basic dial-up networking. Connection Manager provides support for local and remote connections by using a network of points of presence (POPs), such as those available worldwide through ISPs. Windows Server 2003 includes a set of tools that enable a network manager to deliver pre-configured connections to network users. These tools are:
The Connection Manager Administration Kit (CMAK)
Connection Point Services (CPS)
CMAK
A network administrator can tailor the appearance and behavior of a connection made with Connection Manager by using CMAK. With CMAK, an administrator can develop client dialer and connection software that allows users to connect to the network by using only the connection features that the administrator defines for them. Connection Manager supports a variety of features that both simplify and enhance implementation of connection support, most of which can be incorporated using the Connection Manager Administration Kit Wizard.
CMAK enables administrators to build profiles that customize the Connection Manager installation package so that it reflects an organization’s identity. CMAK allows administrators to determine which functions and features to include and how Connection Manager appears to end-users. Administrators can do this by using the CMAK wizard to build custom service profiles.
CPS
Connection Point Services (CPS) automatically distributes and updates custom phone books. These phone books contain one or more Point of Presence (POP) entries, with each POP supplying a telephone number that provides dial-up access to an Internet access point for VPN connections. The phone books give users complete POP information, so when they travel they can connect to different Internet POPs rather than being restricted to a single POP.
Without the ability to update phone books (a task CPS handles automatically), users would have to contact their organization’s technical support staff to be informed of changes in POP information and to reconfigure their client-dialer software. CPS has two components:
Phone Book Administrator
Phone Book Service
1.1.1.1.8 Phone Book Administrator
Phone Book Administrator is a tool used to create and maintain the phone book database and to publish new phone book information to the Phone Book Service.
1.1.1.1.9 Phone Book Service
The Phone Book Service runs on an IIS server and responds to requests from Connection Manager clients to verify the current version of subscribers’ or corporate employees’ current phone books and, if necessary, downloads a phone book update to the Connection Manager client.
DHCP
For both PPTP and L2TP connections, the data being tunneled is a PPP frame. A PPP connection must be established before data can be sent. The VPN server must have IP addresses available in order to assign them to a VPN server’s virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase that is part of the process of establishing a PPP connection. The IP address assigned to a VPN client is also assigned to the virtual interface of that VPN client.
For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. A static IP address pool can also be configured. DHCP is also used by remote access VPN clients to obtain additional configuration settings after the PPP connection is established.
EAP-RADIUS
EAP-RADIUS is the passing of EAP messages of any EAP type by an authenticator to a Remote Authentication Dial-In User Service (RADIUS) server for authentication. For example, for a remote access server that is configured for RADIUS authentication, the EAP messages sent between the remote access client and remote access server are encapsulated and formatted as RADIUS messages between the remote access server (the authenticator) and the RADIUS server (the authentication server).
EAP-RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP-RADIUS is that EAP types only need to be installed at the RADIUS server, not at each remote access server. In the case of an IAS server, the EAP types need to be installed only on the IAS server.
In a typical use of EAP-RADIUS, a server running Routing and Remote Access is configured to use EAP and to use an IAS server for authentication. When a connection is made, the remote access client negotiates the use of EAP with the remote access server. When the client sends an EAP message to the remote access server, the remote access server encapsulates the EAP message as a RADIUS message and sends it to its configured IAS server. The IAS server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the remote access server. The remote access server then forwards the EAP message to the remote access client. In this configuration, the remote access server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the IAS server.
Routing and Remote Access can be configured to authenticate locally or to a RADIUS server. If Routing and Remote Access is configured to authenticate locally, all EAP methods will be authenticated locally. If Routing and Remote Access is configured to authenticate to a RADIUS server, then all EAP messages will be forwarded to the RADIUS server with EAP-RADIUS.
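The encapsulation step described above (the remote access server wrapping a client's EAP message into a RADIUS message for the IAS server), shown at the byte level. This is an added example, not code from the page, from Windows Server or from IAS; the identity, shared secret and Request Authenticator are constructed. It uses the standard RADIUS layout (Code, Identifier, Length, 16-byte Authenticator, attributes), the EAP-Message attribute (type 79, at most 253 bytes per attribute) and the Message-Authenticator attribute (type 80, an HMAC-MD5 over the packet with that attribute's value zeroed), which is what lets the RADIUS server reject forged or tampered EAP pass-through requests.

```python
"""EAP-in-RADIUS encapsulation as a pass-through authenticator would do it.

Added example (not from the original page). Attribute numbers and the EAP
header layout are the standard ones; identity, secret and authenticator
values below are constructed.
"""
import hashlib
import hmac
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_HEADER_LEN = 20           # code, id, length, 16-byte authenticator


def eap_response_identity(identity: bytes, eap_id: int) -> bytes:
    """EAP Response/Identity: code, id, length, type, type-data."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def parse_eap(msg: bytes) -> dict:
    code, eap_id, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length field does not match message size")
    return {"code": code, "id": eap_id,
            "type": msg[4] if length > 4 else None, "data": msg[5:length]}


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def radius_encapsulate(eap_msg: bytes, shared_secret: bytes, radius_id: int,
                       request_authenticator: bytes, user_name: bytes) -> bytes:
    """Wrap an EAP message in an Access-Request, signed with Message-Authenticator."""
    attrs = _attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_msg), 253):          # long EAP messages are split
        attrs += _attr(ATTR_EAP_MESSAGE, eap_msg[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder
    length = RADIUS_HEADER_LEN + len(attrs)
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, length) \
        + request_authenticator + attrs
    mac = hmac.new(shared_secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                         # placeholder is the last 16 bytes


def _iter_attrs(pkt: bytes):
    off = RADIUS_HEADER_LEN
    while off < len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, off, pkt[off + 2:off + length]
        off += length


def verify_message_authenticator(pkt: bytes, shared_secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; constant-time compare."""
    for attr_type, off, value in _iter_attrs(pkt):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False                                   # attribute absent: reject


def extract_eap(pkt: bytes) -> bytes:
    """What the IAS server hands to its EAP type: the EAP-Message values, concatenated in order."""
    return b"".join(v for t, _, v in _iter_attrs(pkt) if t == ATTR_EAP_MESSAGE)
```

The remote access server never looks inside the EAP message; it only copies it into EAP-Message attributes, and the IAS server reassembles it with the equivalent of `extract_eap`. A receiver that skips the Message-Authenticator check accepts any packet whose Request Authenticator it has not yet seen, which is why the check is mandatory for EAP pass-through.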
IAS
The VPN server can be configured to use either Windows or RADIUS as an authentication provider. If Windows is selected as the authentication provider, the user credentials sent by users attempting VPN connections are authenticated using typical Windows authentication mechanisms, and the connection attempt is authorized using local remote access policies.
If RADIUS is selected and configured as the authentication provider on the VPN server, user credentials and parameters of the connection request are sent as RADIUS request messages to a RADIUS server.
The RADIUS server receives a user-connection request from the VPN server and authenticates and authorizes the connection attempt. In addition to a yes or no response to an authentication request, RADIUS can inform the VPN server of other applicable connection parameters for this user such as maximum session time, static IP address assignment, and so on.
RADIUS can respond to authentication requests based on its own user account database, or it can be a front end to another database server, such as a Structured Query Language (SQL) server or a Windows domain controller (DC). The DC can be located on the same computer as the RADIUS server, or elsewhere. In addition, a RADIUS proxy can be used to forward requests to a remote RADIUS server.
IAS is the Windows implementation of a RADIUS server and proxy.
Name Server Assignment (DNS and WINS)
Name server assignment, the assignment of Domain Name System (DNS) and Windows Internet Name Service (WINS) servers, occurs during the process of establishing a VPN connection. The VPN client obtains the IP addresses of the DNS and WINS servers from the VPN server for the intranet to which the VPN server is attached.
The VPN server must be configured with DNS and WINS server addresses to assign to the VPN client during IPCP negotiation. For NetBIOS name resolution, you do not have to use WINS and can enable the NetBIOS over TCP/IP (NetBT) proxy on the VPN server.
NAT
A network address translator (NAT) translates the IP addresses and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers of packets that are forwarded between a private network and the Internet. The NAT on the private network can also provide IP address configuration information to the other computers on the private network.
PPTP-based VPN clients can be located behind a NAT if the NAT includes an editor that can translate PPTP packets. PPTP-based VPN servers can be located behind a NAT if the NAT is configured with static mappings for PPTP traffic. If the L2TP/IPSec-based VPN clients or servers are positioned behind a NAT, both client and server must support IPSec NAT traversal (NAT-T).
An L2TP (Layer 2 Tunneling Protocol) VPN server is also referred to as an L2TP server in native mode and as a PPTP server in mixed mode.
What is IAS? In what scenarios do we use it? Internet Authentication Service. IAS is deployed in these common scenarios:
Dial-up corporate access
Outsourced corporate access through service providers
Internet access
What's the difference between Mixed mode and Native mode in AD when dealing with RRAS? The Mixed mode is for networks that have Windows 98/ME in addition to Windows 2000/XP/2003 clients. Mixed mode requires the RAC (Remote Application Client) to be installed for proper communication with the clients. The Native mode is for networks that consist only of Windows 2000/XP/2003 clients. The CMS server communicates natively with the clients using Windows networking features that aren't available in 98/ME clients. The RAC program is not needed. If you have no or few 98/ME clients, choose this option.
What are Conditions and Profile in RRAS Policies? Remote access policies are an ordered set of rules that define whether remote access connection attempts are either authorized or rejected. Each rule includes one or more conditions (which identify the criteria), a set of profile settings (to be applied to the connection attempt), and a permission setting (grant or deny) for remote access. This can be compared to the brain of the door-keeper (the VPN server) that allows entry to your network from outside. Remote access policy decides who can access what resources from where using what tunnel settings, so configuring a proper set of policies is important.
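How an ordered policy list of this kind is evaluated, as an added example (not code from the page or from RRAS): the first policy whose conditions all match decides the outcome, its profile is applied only on a grant, and an attempt that matches no policy is rejected. Attribute names, group names, hours and the sample policies are constructed for the demonstration.

```python
"""Ordered remote access policy evaluation (added example, not RRAS code).

Attempt attributes (groups, tunnel_type, hour, nas_port_type), the group
names and the policies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

Condition = Union[set, Callable[[object], bool]]


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Condition]    # every condition must match
    permission: str                     # "grant" or "deny"
    profile: dict = field(default_factory=dict)


def member_of(group: str) -> Callable[[Optional[set]], bool]:
    """Condition on the set of Windows groups the user belongs to."""
    return lambda groups: group in (groups or set())


def _matches(cond: Condition, value) -> bool:
    return cond(value) if callable(cond) else value in cond


def evaluate(policies: List[Policy], attempt: dict) -> dict:
    """Walk the policies in order; first full match wins, no match means deny."""
    for p in policies:
        if all(_matches(c, attempt.get(a)) for a, c in p.conditions.items()):
            return {"policy": p.name, "permission": p.permission,
                    "profile": dict(p.profile) if p.permission == "grant" else {}}
    return {"policy": None, "permission": "deny", "profile": {}}


# Constructed policy set: order matters, the deny rule is evaluated first.
POLICIES = [
    Policy("Deny modem dial-in", {"nas_port_type": {"Async"}}, "deny"),
    Policy("VPN for staff (business hours)",
           {"groups": member_of("DOMAIN\\VPN-Users"),
            "tunnel_type": {"L2TP", "PPTP"},
            "hour": lambda h: h is not None and 8 <= h < 18},
           "grant",
           {"idle_timeout_min": 15, "session_limit_min": 480, "require_encryption": True}),
    Policy("VPN for admins (any time)",
           {"groups": member_of("DOMAIN\\VPN-Admins"), "tunnel_type": {"L2TP"}},
           "grant",
           {"idle_timeout_min": 10, "require_encryption": True, "strongest_encryption": True}),
]


if __name__ == "__main__":
    attempt = {"groups": {"DOMAIN\\VPN-Users"}, "tunnel_type": "L2TP",
               "hour": 10, "nas_port_type": "Virtual"}
    print(evaluate(POLICIES, attempt))
```

Two properties of the ordering are worth checking whenever a policy list is changed: a broad deny placed first overrides every later grant, and a user who matches no policy at all is rejected rather than admitted with an empty profile.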
How does SSL work? Secure Sockets Layer uses a cryptographic system that encrypts data with two keys.
When an SSL digital certificate is installed on a web site, users can see a padlock icon at the bottom of the browser window. When an Extended Validation certificate is installed on a web site, users with the latest versions of Firefox, Internet Explorer or Opera will see a green address bar in the browser's URL area.
How does IPSec work? IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.
How do I deploy IPSec for a large number of computers? Follow the Microsoft guide "Server and Domain Isolation Using IPsec and Group Policy", which distributes the IPsec policies through Group Policy.
What types of authentication can IPSec use?
Deploying L2TP/IPSec-based Remote Access
Deploying L2TP-based remote access VPN connections using Windows Server 2003 consists of the following:
* Deploy certificate infrastructure
* Deploy Internet infrastructure
* Deploy AAA infrastructure
* Deploy VPN servers
* Deploy intranet infrastructure
* Deploy VPN clients
What is PFS (Perfect Forward Secrecy) in IPSec? In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.
Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.
How do I monitor IPSec? To test the IPSec policies, use IPSec Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which IPSec policy is active and whether a secure channel between computers is established.
Looking at IPSec-encrypted traffic with a sniffer, what packet types do I see? You can see the packets pass, but you cannot see their contents.
IPSec Packet Types
IPSec packet types include the authentication header (AH) for data integrity and the encapsulating security payload (ESP) for data confidentiality and integrity.
The authentication header (AH) protocol creates an envelope that provides integrity, data origin identification and protection against replay attacks. It authenticates every packet as a defense against session-stealing attacks. Although the IP header itself is outside the AH header, AH also provides limited verification of it by not allowing changes to the IP header after packet creation (note that this usually precludes the use of AH in NAT environments, which modify packet headers at the point of NAT). AH packets use IP protocol 51.
The encapsulating security payload (ESP) protocol provides the features of AH (except for IP header authentication), plus encryption. It can also be used in a null encryption mode that provides the AH protection against replay attacks and other such attacks, without encryption or IP header authentication. This can allow for achieving some of the benefits of IPSec in a NAT environment that would not ordinarily work well with IPSec. ESP packets use IP protocol 50.
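What the sniffer question and the packet-type description above amount to on the wire, as an added example (not code from the page): a dissector that builds constructed IPv4 packets carrying AH (protocol 51) or ESP (protocol 50) and reports what an observer can read. For AH the SPI, sequence number, ICV length and the still-cleartext upper-layer payload are all visible; for ESP only the SPI and sequence number are visible and everything after them is opaque. The addresses and SPIs are constructed values; the header layouts are the standard AH and ESP formats.

```python
"""Dissect IPv4 packets carrying AH or ESP (added example, not page code).

Addresses, SPIs, sequence numbers and payloads are constructed; only the
IPv4/AH/ESP header layouts and protocol numbers are standard.
"""
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
IPV4_FMT = "!BBHHHBBH4s4s"      # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
AH_FIXED_FMT = "!BBHII"         # next header, payload len, reserved, SPI, sequence
ESP_FMT = "!II"                 # SPI, sequence (everything after is ciphertext + trailer)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; it is not verified here)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: 'payload len' is the header length in 32-bit words minus 2."""
    words = (12 + len(icv)) // 4
    return struct.pack(AH_FIXED_FMT, next_header, words - 2, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack(ESP_FMT, spi, seq) + ciphertext


def dissect(packet: bytes) -> dict:
    """Report what is readable from a captured packet without the IPSec keys."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ip_protocol": proto}
    if proto == IPPROTO_AH:
        next_hdr, plen, _, spi, seq = struct.unpack(AH_FIXED_FMT, body[:12])
        ah_len = (plen + 2) * 4
        # AH authenticates but does not encrypt: the inner payload is cleartext.
        info.update(type="AH", spi=spi, seq=seq, next_header=next_hdr,
                    icv_len=ah_len - 12, payload_visible=True, payload=body[ah_len:])
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack(ESP_FMT, body[:8])
        # Only SPI and sequence are cleartext; the rest is opaque to the sniffer.
        info.update(type="ESP", spi=spi, seq=seq, payload_visible=False,
                    opaque_len=len(body) - 8)
    else:
        info.update(type="other", payload_visible=True, payload=body)
    return info


if __name__ == "__main__":
    esp_pkt = build_ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.2", build_esp(0xABCD, 5, bytes(32)))
    ah_pkt = build_ipv4(IPPROTO_AH, "10.0.0.1", "10.0.0.2",
                        build_ah(6, 0x100, 1, b"\x11" * 12) + b"TCPDATA")
    print(dissect(esp_pkt))
    print(dissect(ah_pkt))
```

The sequence number is the field a monitoring point can still use: a packet that repeats an SPI/sequence pair already seen is what the anti-replay window rejects, and it is also the only per-packet change a passive observer can track on an ESP flow.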
What can you do with NETSH? Netsh is a command-line scripting utility that allows you to, either locally or remotely, display, modify or script the network configuration of a computer that is currently running.
Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [Command | -f ScriptFile]
The following commands are available:
Commands in this context:
? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
delete - Deletes a configuration entry from a list of entries.
dump - Displays a configuration script.
exec - Runs a script file.
help - Displays a list of commands.
interface - Changes to the `interface' context.
ras - Changes to the `ras' context.
routing - Changes to the `routing' context.
set - Updates configuration settings.
show - Displays information.
The following subcontexts are available: routing interface ras
To view help for a command, type the command, followed by a space, and then type ?
How do I look at the open ports on my machine? Windows: Open a command prompt (Start button -> Run-> type "cmd"), and type: netstat -a
Linux: Open an SSH session and type: netstat -an
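Reading the output of those two commands is the part that matters for a defender: which ports are actually listening, on which address, and whether any of them is unexpected. The following is an added example, not code from the page; it parses constructed sample output in both the Windows `netstat -a` and Linux `netstat -an` layouts into a set of listening sockets and compares it against an allowlist. The sample output lines and the allowlist are constructed for the demonstration.

```python
"""Listening-port inventory from netstat output (added example, not page code).

The two sample outputs below are constructed to mimic the Windows and Linux
netstat layouts; the allowlist is an assumed baseline for one host.
"""
from typing import Set, Tuple

Socket = Tuple[str, int, str]   # ("tcp" | "udp", port, bind address)

TCP_STATES = {"LISTENING", "LISTEN", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT",
              "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK"}

WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       203.0.113.9:50213      ESTABLISHED
  UDP    0.0.0.0:67             *:*
  UDP    0.0.0.0:68             *:*
"""

LINUX_SAMPLE = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:41234          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); rpartition copes with IPv6 ':::80'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def listening_sockets(netstat_output: str) -> Set[Socket]:
    """Collect listening TCP sockets and all bound UDP sockets."""
    found: Set[Socket] = set()
    for line in netstat_output.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        proto = tokens[0].lower()
        if not (proto.startswith("tcp") or proto.startswith("udp")):
            continue                            # header or banner line
        endpoints = [t for t in tokens[1:] if ":" in t]
        if not endpoints:
            continue
        host, port = split_endpoint(endpoints[0])   # first endpoint is the local one
        if not port.isdigit():
            continue
        state = tokens[-1] if tokens[-1] in TCP_STATES else None
        if proto.startswith("tcp") and state not in ("LISTEN", "LISTENING"):
            continue                            # established/closing sockets are not listeners
        found.add((proto[:3], int(port), host))
    return found


def unexpected_listeners(sockets: Set[Socket], allowlist: Set[Tuple[str, int]]):
    """Listeners whose (proto, port) is not in the host's expected baseline."""
    return sorted(s for s in sockets if (s[0], s[1]) not in allowlist)


if __name__ == "__main__":
    baseline = {("tcp", 135), ("tcp", 445), ("udp", 67), ("udp", 68)}   # constructed
    print(unexpected_listeners(listening_sockets(WINDOWS_SAMPLE), baseline))
```

Recording the bind address alongside the port matters: a service bound to 127.0.0.1 is reachable only locally, while the same port on 0.0.0.0 or :: is exposed on every interface, so the two should not be treated as equivalent when comparing against a baseline.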
What is the difference between a Workgroup and a Domain? A workgroup is an interconnection of a number of systems that share resources such as files & printers without a dedicated server. Each workgroup maintains a local database for user accounts, security etc. A domain, on the other hand, is an interconnection of systems that share resources with one or more dedicated servers, which can be used to control security and permissions for all users in the domain. A domain maintains a centralized database, and hence centralized management of user accounts, policies etc. is established. If you have a user account on the domain then you can log on to any system without a user account on that particular system.
How will you assign Local Administrator rights to a domain user? To assign a domain user local administrative rights on any client of the domain, log in to the respective client system, then: Start->control panel->user accounts->give username, password and name of domain->add->advanced->locations->find now->select others (in that select administrator user)->ok->next->ok.
How will you restrict user logon timing in domain?Start->dsa.msc->double click on users->right click on any users->properties->click on account->click on logon hours->logon denied->select time (by dragging mouse)->click on logon permission->ok.
What is the purpose of sysvol? The sysvol folder stores the server’s copy of the domain’s public files. The contents such as group policy, users etc. of the sysvol folder are replicated to all domain controllers in the domain. The sysvol folder must be located on an NTFS volume.
What is OU? Explain its Uses. An object is a set of attributes that represents a network resource, say a user, a computer, a group policy, etc., and object attributes are characteristics of that object stored in the directory. Organizational units act as a container for objects. Objects can be arranged according to security and administrative requirements in an organization. You can easily manage and locate objects after arranging them into organizational units. Administrators can delegate the authority to manage different organizational units, and an OU can be nested in other organizational units. Create an OU if you want to:
* Create a company’s structure and organization within a domain – Without OUs, all users are maintained and displayed in a single list, the Users container, regardless of a user’s department, location, or role.
* Delegate administrative control – Grant administrative permissions to users or groups of users at the OU level.
* Accommodate potential changes in a company’s organizational structure – Users can easily be reorganized between OUs, while reorganizing users between domains generally requires more time and effort.
* Group objects with similar network resources – This way it is easy to perform any administrative tasks. For example, all user accounts for temporary employees can be grouped in an OU.
* Restrict visibility – Users can view only the objects for which they have access.
Explain the different editions of Windows 2003 Server.
* Windows Server 2003, Web Edition :- is mainly for building and hosting Web applications, Web pages, and XML Web Services.
* Windows Server 2003, Standard Edition :- is aimed towards small to medium sized businesses. Flexible yet versatile, Standard Edition supports file and printer sharing, offers secure Internet connectivity, and allows centralized desktop application deployment.
* Windows Server 2003, Enterprise Edition :- is aimed towards medium to large businesses. It is a full-function server operating system that supports up to eight processors and provides enterprise-class features such as eight-node clustering using Microsoft Cluster Server (MSCS) software and support for up to 32 GB of memory.
* Windows Server 2003, Datacenter Edition :- is the flagship of the Windows Server line and designed for immense infrastructures demanding high security and reliability.
* Windows Server 2003, Compute Cluster Edition :- is designed for working with the most difficult computing problems that would require high performance computing clusters.
* Windows Storage Server 2003 :- is optimised to provide dedicated file and print sharing services. It is only available through OEMs when purchased pre-configured with network attached storage devices.
What is DNS Server? Domain Name System (or Service or Server), a service that resolves domain names into IP addresses and vice versa. Because domain names are alphabetic, they’re easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4.
The DNS system is, in fact, its own network. If one DNS server doesn’t know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
Why is a DNS server required for Active Directory? The key reason for integrating DNS and AD is efficiency. This is particularly true where you have lots of replication traffic. Without DNS you can’t resolve host names, and you can’t find services, like a domain controller.
What is the Purpose of A and PTR Records? An A (Host) record is used to resolve a name to an IP address, while a PTR (pointer) record is used to resolve an IP address to a name.
What is the purpose of a DHCP Server? A DHCP server is the server that is responsible for assigning unique IP addresses to the computers on a network. No two computers (actually, no two network cards [even if two are in one computer]) can have the same IP address on a network at the same time or there will be conflicts. To that end, DHCP servers will take a request from a computer that has just been added (or is renewing) to the network and assign it a unique IP address that is available. These assignments typically only last for a limited time (an hour to a week usually) and so you are never guaranteed that the IP address for a particular computer will remain the same when using DHCP (some DHCP servers allow you to specify that a computer gets the same address all the time, however).
Explain about Group Scopes? A DHCP scope is a valid range of IP addresses which are available for assignment or lease to client computers on a particular subnet. In a DHCP server, you configure a scope to determine the pool of IP addresses which the server can provide to DHCP clients.
Scopes determine which IP addresses are provided to the clients. Scopes should be defined and activated before DHCP clients use the DHCP server for its dynamic IP configuration. You can configure as many scopes on a DHCP server as is required in your network environment
How will you back up the DNS Server? If you are using Active Directory-integrated DNS, then your DNS information is stored in Active Directory itself, and you’ll need to back up the entire system state. If not, the Backup directory in the %SystemRoot%\System32\Dns folder contains backup information for the DNS configuration and the DNS database.
How will you back up the DHCP Server? The Backup directory in the %SystemRoot%\System32\DHCP folder contains backup information for the DHCP configuration and the DHCP database. By default, the DHCP database is backed up every 60 minutes automatically. To manually back up the DHCP database at any time, follow these steps:
1. In the DHCP console, right-click the server you want to back up, and then click Backup.
2. In the Browse For Folder dialog box, select the folder that will contain the backup DHCP database, and then click OK.
Explain APIPA. A Windows-based computer that is configured to use DHCP can automatically assign itself an Internet Protocol (IP) address if a DHCP server is not available or does not exist. The Internet Assigned Numbers Authority (IANA) has reserved 169.254.0.0-169.254.255.255 for Automatic Private IP Addressing (APIPA).
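The DHCP material above (server and scope, the 67/68 port pair, and the APIPA fallback range) tied together in one added example that is not code from the page or from the Windows DHCP service: it builds a constructed DHCPOFFER, parses the fixed BOOTP fields and the option list, and checks that the offered address lies inside the configured scope, is not in 169.254.0.0/16, and arrived on the expected ports (server port 67 to client port 68). The transaction id, client MAC, addresses and scope bounds are constructed values; the packet layout and option codes (53 message type, 54 server identifier, 51 lease time, 1 subnet mask, 3 router) are the standard ones.

```python
"""DHCPOFFER parsing and sanity checks (added example, not page code).

Packet layout and option codes are standard DHCP; every address, MAC, xid
and scope boundary below is a constructed sample value.
"""
import ipaddress
import struct
from typing import List, Tuple

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # op..giaddr, chaddr, sname, file (236 bytes)
OPT_MASK, OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 51, 53, 54, 255


def _ip(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed


def build_dhcp_offer(xid: int, client_mac: bytes, yiaddr: str, server_id: str,
                     lease_secs: int, mask: str, router: str) -> bytes:
    """Construct a DHCPOFFER as a server would send it (op=2, htype=1, hlen=6)."""
    fixed = struct.pack(FIXED_FMT, 2, 1, 6, 0, xid, 0, 0, bytes(4), _ip(yiaddr),
                        _ip(server_id), bytes(4), client_mac + bytes(10), bytes(64), bytes(128))
    opts = (bytes([OPT_MSG_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_secs)
            + bytes([OPT_MASK, 4]) + _ip(mask)
            + bytes([OPT_ROUTER, 4]) + _ip(router)
            + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed header and TLV options of a DHCP message."""
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = struct.unpack(FIXED_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen],
            "yiaddr": str(ipaddress.ip_address(yiaddr)),
            "msg_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
            "server_id": str(ipaddress.ip_address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
            "lease_secs": struct.unpack("!I", options[OPT_LEASE])[0] if OPT_LEASE in options else None}


def check_offer(udp_src_port: int, udp_dst_port: int, payload: bytes,
                scope_start: str, scope_end: str) -> Tuple[dict, List[str]]:
    """Return the parsed message plus a list of problems; empty list means the offer looks sane."""
    msg, problems = parse_dhcp(payload), []
    if (udp_src_port, udp_dst_port) != (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        problems.append("unexpected UDP ports")
    if msg["msg_type"] != "OFFER":
        problems.append("not an OFFER")
    addr = ipaddress.ip_address(msg["yiaddr"])
    if addr in APIPA_NET:
        problems.append("offered address is in the APIPA range")
    if not ipaddress.ip_address(scope_start) <= addr <= ipaddress.ip_address(scope_end):
        problems.append("offered address outside the configured scope")
    return msg, problems


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"     # constructed client MAC
    offer = build_dhcp_offer(0x3903F326, mac, "192.168.10.50", "192.168.10.1",
                             3600, "255.255.255.0", "192.168.10.1")
    print(check_offer(67, 68, offer, "192.168.10.20", "192.168.10.200"))
```

An offer whose address falls outside the scope a monitoring point knows about, or that comes from an unexpected server identifier, is the signature of a rogue or misconfigured DHCP server; an address in the APIPA range on a client that should have received a lease is the signature of a DHCP server that could not be reached.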
Explain about AD Database. The Windows 2003 Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory’s database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to grow to 16 terabytes, which would be large enough for 10 million objects. Only the Jet database can manipulate information within the AD datastore.
Explain about Group Policy. Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies which are applied to sites, domains, and organizational units (OUs). Group policy may be blocked or set so it cannot be overridden. The default is for subobjects to inherit the policy of their parents. There is a maximum of 1000 applicable group policies.
Group policies are linked to domains, organizational units, or sites in Active Directory. A policy must be linked to a container object in Active Directory to be effective. A policy object is stored in one domain but can be linked to other domains to make it effective there also. The policy must be linked to the container (site, domain, or OU) that it is stored in to be effective in that container. One policy object can be linked to several containers. Several policy objects can be linked to one container.
What is the default group policy refresh interval? The default refresh interval for policies is 90 minutes. The default refresh interval for domain controllers is 5 minutes. A group policy object’s refresh interval may be changed in the group policy object.
Explain Hidden Share. Using hidden shares on your network is useful if you do not want a shared folder or drive on the network to be easily accessible. Hidden shares can add another layer of protection for shared files against unauthorized people connecting to your network. Using hidden shares helps reduce the chance that someone guesses your password (or is logged into an authorized Windows account) and then gains access to the shared resource.
Windows automatically shares hard drives by default for administrative purposes. They are hidden shares named with the drive letter followed by a dollar sign (e.g., C$) and commented as Default Share, so that certain networking and administrator functions and applications can work properly. Note that preventing Windows from creating these hidden or administrative shares by default each time your computer boots up takes a registry change.
What ports are used by DHCP and the DHCP clients? Client requests are sent from UDP port 68 to the server's UDP port 67; server replies come from UDP port 67 back to the client's UDP port 68.
How do I configure a client machine to use a specific IP Address? Create a DHCP reservation for the client's MAC address.
Name 3 benefits of using AD-integrated zones.
1. We can give easy name resolution to your clients.
2. By creating an AD-integrated reverse lookup zone you can also trace hackers and spammers.
3. AD-integrated zones allow incremental zone transfers, which transfer only the changes and not the entire zone. This reduces zone transfer traffic.
4. AD-integrated zones support both secure and dynamic updates.
5. AD-integrated zones are stored as part of Active Directory and support domain-wide or forest-wide replication through application partitions in AD.
How do you backup & Restore AD? You can back up Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003. Backing up the Active Directory is done on one or more of your Active Directory domain controllers, and is performed by backing up the System State on those servers. The System State contains the local Registry, COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if it’s installed), Cluster database (if it’s installed), NTDS.DIT, and the SYSVOL folder. The tombstone lifetime is 60 days (Windows 2000/2003 DCs), or 180 days (Windows Server 2003 SP1 DCs).
You can use one of the three methods to restore Active Directory from backup media: Primary Restore, Normal Restore (i.e. Non Authoritative), and Authoritative Restore.
Primary Restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on local computer. On a domain controller, only members of the Domain Admins group can perform this restore.
Normal Restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative Restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. You need to use the NTDSUTIL command line utility to perform an authoritative restore. You use it to mark Active Directory objects as authoritative, so that they receive a higher version number and recently changed data on other domain controllers does not overwrite the restored data during replication.
How do you change the DS Restore admin password? Microsoft Windows 2000 uses the Setpwd utility to reset the DS Restore Mode password. In Microsoft Windows Server 2003, that functionality has been integrated into the NTDSUTIL tool. Note that you cannot use the procedure if the target server is running in DSRM.
How can you forcibly remove AD from a server? From Start->Run, use the command dcpromo /forceremoval
What is the entire problem if the DNS Server fails? If your DNS server fails, you can’t resolve host names, and you can’t resolve the domain controller's IP address.
How can you restrict running certain applications on a machine? The Group Policy Object Editor and the Software Restriction Policies extension of Group Policy Object Editor are used to restrict running certain applications on a machine. For Windows XP computers that are not participating in a domain, you can use the Local Security Settings snap-in to access Software Restriction Policies.
What can you do to promote a server to DC? Start->Run->DCPROMO
How will you map a folder through AD? Navigate to the domain user's properties and give the path in the profile tab in the format \\servername\sharename.
Explain Quotas. Disk Quota is a feature or service of NTFS which helps to restrict or manage the disk usage of normal users. It can be implemented on a per user, per volume basis. By default it is disabled. Administrative privilege is required to perform the task. In Windows Server 2003 we can control quotas only per drive, but in Windows Server 2008 we can establish quotas at the folder level.
Explain Backup Methodology. The different types of backup methodologies are:
* Normal Backup: This is the default backup, in which all files are backed up even if they were backed up before.
* Incremental Backup: In this type of backup only the files that haven’t been backed up since the last backup are backed up.
* Differential Backup: This backup is similar to an incremental backup because it does not back up files already captured by the normal backup, but it differs from an incremental backup because the files it backs up are backed up again by the next differential backup.
* Copy Backup: This type of backup is used during system state backup and ASR backup. It is used in special conditions only.
* Daily Backup: This type of backup takes a backup of only those files that are created or modified on that particular day.
* System Backup: This type of backup backs up the boot files, the COM+ Class Registration database and the Registry. On a server it also backs up Active Directory.
* ASR Backup: This type of backup backs up the entire boot partition including the OS and user data. This should be the last troubleshooting method to recover an OS from a disaster.
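The difference between these types comes down to which files are selected and whether the archive attribute is cleared afterwards. The following simulation is an added example (not from the original Q&A); the file set and the edit pattern are constructed.

```python
"""Simulation of how the backup types above select files via the archive bit.
Added example (not from the original Q&A); the file set and edits are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]


@dataclass
class File:
    name: str
    modified: date
    archive: bool = True  # the file system sets this bit whenever the file changes


# Normal and copy backups take every file; incremental and differential take
# only files whose archive bit is set; daily takes files changed that day.
# Only normal and incremental clear the archive bit afterwards, which is the
# whole difference between incremental and differential.
SELECT_ALL = {"normal", "copy"}
CLEAR_ARCHIVE = {"normal", "incremental"}
KINDS = SELECT_ALL | CLEAR_ARCHIVE | {"differential", "daily"}


def run_backup(kind, files, today):
    """Return the sorted names of the files captured by a backup of this kind."""
    if kind not in KINDS:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind == "daily":
        chosen = [f for f in files if f.modified == today]
    elif kind in SELECT_ALL:
        chosen = list(files)
    else:
        chosen = [f for f in files if f.archive]
    if kind in CLEAR_ARCHIVE:
        for f in chosen:
            f.archive = False
    return sorted(f.name for f in chosen)


def touch(files, name, today):
    """A user edits a file: the modification date moves and the archive bit is set again."""
    for f in files:
        if f.name == name:
            f.modified = today
            f.archive = True


def simulate_week(weekday_kind):
    """Normal backup on Monday, then `weekday_kind` Tuesday to Friday.

    Constructed edit pattern: a.doc on Tuesday, b.xls on Wednesday, nothing on
    Thursday, a.doc again on Friday.  Returns {weekday: files backed up}.
    """
    monday = date(2024, 1, 1)  # constructed date (a Monday)
    files = [File("a.doc", monday), File("b.xls", monday), File("c.pdf", monday)]
    edits = {1: "a.doc", 2: "b.xls", 4: "a.doc"}
    result = {}
    for offset in range(5):
        day = monday + timedelta(days=offset)
        if offset in edits:
            touch(files, edits[offset], day)
        kind = "normal" if offset == 0 else weekday_kind
        result[WEEKDAYS[offset]] = run_backup(kind, files, day)
    return result


if __name__ == "__main__":
    for kind in ("incremental", "differential", "daily", "copy"):
        print(f"{kind:13}", simulate_week(kind))
```

Compare the Wednesday and Thursday rows: an incremental chain needs every set since Monday to restore, while a differential set always contains everything changed since the last normal backup.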
Explain how to publish a printer through AD. The group policy setting ‘Automatically publish new printers in AD’, when disabled, prevents the Add Printer Wizard from automatically publishing shared printers. In addition, the Group Policy setting ‘Allow printers to be published’ should be enabled (the default) for printers to be published on that computer.
Explain the functionality of an FTP Server. The FTP server accepts incoming FTP requests. Copy or move the files that you want to make available to the FTP publishing folder for access. The default folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is installed.
In the client-server model, a file server is a computer responsible for the central storage and management of data files so that other computers on the same network can access the files. A file server allows users to share information over a network without having to physically transfer files by floppy diskette or some other external storage device.
Specify the Port Number for AD, DNS, DHCP, HTTP, HTTPS, SMTP, POP3 & FTP
- AD: uses LDAP UDP 389 and UDP 135
- DNS: 53
- DHCP: 67, 68
- HTTP: 80
- HTTPS:
- SMTP: 25
- POP3: 110
- FTP: 20, 21
Explain Virtual Directory in IIS. A virtual server can have one home directory and any number of other publishing directories. These other publishing directories are referred to as virtual directories.
What is an Exclusion Range in a DHCP Server? An exclusion range is used to reserve a bank of IP addresses so that computers which require a static IP address, such as DNS servers and legacy printers, can use those reserved addresses. These addresses are not assigned by the DHCP server.
Explain SOA Record. The Start Of Authority (SOA) record indicates that the name server is the authoritative server for the domain.
What must be done to an AD forest before Exchange can be deployed?Setup.exe /forestprep
What Exchange process is responsible for communication with AD?DSACCESS
What 3 types of domain controller does Exchange access?Normal Domain Controller, Global Catalog, Configuration Domain Controller
What connector type would you use to connect to the Internet, and what are the two methods of sending mail over that connector?SMTP Connector: Forward to smart host or use DNS to route to each address
How would you optimize Exchange 2003 memory usage on a Windows Server 2003 server with more than 1 GB of memory? Add the /3GB switch to boot.ini
Name the process names for the following: System Attendant – MAD.EXE, Information Store – STORE.EXE, SMTP/POP/IMAP/OWA – INETINFO.EXE
What is the maximum number of databases that can be hosted on Exchange 2003 Enterprise? 20 databases (4 SGs x 5 DBs)
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
- 25 SMTP
- 110 POP3
- 143 IMAP4
- 135 RPC
- 389 LDAP
- 636 LDAP (SSL)
- 3268 Global Catalog
- 465 SMTP/SSL
- 993 IMAP4/SSL
- 563 IMAP4/SSL
- 53 DNS
- 80 HTTP
- 88 Kerberos
- 119 NNTP
What are the prerequisites for installation of Exchange Server?
The prerequisites are:
- IIS, SMTP, WWW service, NNTP, W3SVC
- .NET Framework
- ASP.NET
Then run ForestPrep, then run DomainPrep.
Which protocol is used for Public Folders? NNTP
What is the use of NNTP with Exchange? This protocol is used for newsgroups in Exchange.
Disaster Recovery Plan? Ans: Deals with the restoration of a computer system, with all attendant software and connections, to full functionality under a variety of damaging or interfering external conditions.
About the new features in Exchange 2003:
- Updated Outlook Web Access.
- Updated VSAPI (Virus Scanning Application Programming Interface).
Exchange Server 2003 Enterprise has the following additional features:
- Eight-node clustering using the Windows Clustering service in Windows Server.
- Multiple storage groups.
- X.400 connectors which support both TCP/IP and X.25.
What would a rise in remote queue length generally indicate? This means mail is not being sent to other servers. This can be explained by outages or performance issues with the network or remote servers.
What would a rise in the Local Delivery queue generally mean? This indicates a performance issue or outage on the local server. Reasons could be slowness in consulting AD, slowness in handing messages off to local delivery or SMTP delivery. It could also be databases being dismounted or a lack of disk space.
What are the disadvantages of circular logging? In the event of a corrupt database, data can only be restored to the last backup.
What is the maximum storage capacity for Exchange standard version? What would you do if it reaches maximum capacity? 16GB. Once the store dismounts at the 16GB limit, the only way to mount it again is to use the 17GB registry setting, and even this is a temporary solution. If you apply Exchange 2003 SP2 to your Standard Edition server, the database size limit is initially increased to 18GB. Whilst you can go on to change this figure to a value up to 75GB, it’s important to note that 18GB is the default setting. The settings for a private (mailbox) store live under the following registry key:
HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Private-{GUID}
It therefore follows that for registry settings that relate to making changes on a public store, you’ll need to work in the following registry key:
HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Public-{GUID}
Under the relevant database, create the following registry information:
Value type: REG_DWORD
Value name: Database Size Limit in GB
Set the value data to be the maximum size in gigabytes that the database is allowed to grow to. For the Standard Edition of Exchange, you can enter numbers between 1 and 75. For the Enterprise Edition, you can enter numbers between 1 and 8000. Yes, that’s right, between 1GB and 8000GB, or 8TB. Therefore, even if you are running the Enterprise Edition of Exchange, you can still enforce an overall database size limit of, say, 150GB if you so desire.
What is MIME & MAPI?
MIME = Multipurpose Internet Mail Extensions. It defines non-ASCII message formats. It is a coding standard that defines the structure of e-mails and other Internet messages. MIME is also used for the declaration of content by other Internet protocols like HTTP and by desktop environments like KDE, Gnome or Mac OS X Aqua. The standard is defined in RFC 2045.
With MIME it is possible to exchange information about the type of message (the content type) between the sender and the recipient of the message. MIME also defines the kind of encoding (Content-Transfer-Encoding). These are different coding methods defined for the transport of non-ASCII characters in plain text documents, and of non-text documents like images, voice and video, through text-based delivery systems like e-mail or Usenet.
The non-text elements are encoded by the sender of the message and decoded by the message recipient. Coding of non-ASCII characters is often based on “quoted-printable” coding; binary data typically uses Base64 coding.
There is an extension of this Standard called S/MIME (Secure Multipurpose Internet Mail Extensions) that allows the signing and encryption of messages. There are other e-mail encryption solutions like PGP/MIME (RFC 2015 and 3156).
MAPI = Messaging Application Programming Interface It’s the programming interface for email. It is a Microsoft Windows program interface that enables you to send e-mail from within a Windows application and attach the document you are working on to the e-mail note. Applications that take advantage of MAPI include word processors, spreadsheets, and graphics applications. MAPI-compatible applications typically include a Send Mail or Send in the File pulldown menu of the application. Selecting one of these sends a request to a MAPI server.
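To see the two encodings from the MIME answer on the wire, the following builds a message whose text body is quoted-printable and whose attachment is Base64, then parses it back. It is an added example using the Python standard library, not code from the original text; the addresses and the attachment bytes are constructed (the "PNG" is only a non-ASCII byte string, not a real image).

```python
"""Build a MIME message with the two encodings named above and parse it back.
Added example, not from the original text; addresses and the attachment bytes
are constructed (the 'PNG' is just a non-ASCII byte string, not a real image)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample inputs: non-ASCII text and a binary blob.
SAMPLE_TEXT = "Grüße aus Berlin"
SAMPLE_BLOB = b"\x89PNG\r\n\x1a\n" + bytes(range(256))


def build_message(text, blob):
    """Return the wire form (bytes) of a multipart message.

    The text part is sent as quoted-printable and the binary part as base64,
    so the whole message is 7-bit ASCII, as the MIME answer above describes."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "MIME demo"
    msg.set_content(text, cte="quoted-printable")
    msg.add_attachment(blob, maintype="image", subtype="png", filename="pixel.png")
    return msg.as_bytes()


def summarize(raw):
    """Parse wire bytes into {content-type: (transfer-encoding, decoded content)}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = {}
    for part in msg.walk():
        if part.is_multipart():  # skip the multipart/mixed container itself
            continue
        cte = str(part["Content-Transfer-Encoding"]).lower()
        parts[part.get_content_type()] = (cte, part.get_content())
    return parts


if __name__ == "__main__":
    raw = build_message(SAMPLE_TEXT, SAMPLE_BLOB)
    print(raw.decode("ascii"))  # every byte is ASCII; the umlauts appear as =C3=BC etc.
    for ctype, (cte, content) in summarize(raw).items():
        print(ctype, cte, content if isinstance(content, str) else f"{len(content)} bytes")
```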
List the services of Exchange Server 2003? There are several services involved with Exchange Server, and stopping different services will accomplish different things. The services are interdependent, so when you stop or start various services you may see a message about having to stop dependent services. If you do stop dependent services, don’t forget to restart them again when you restart the service that you began with.
To shut down Exchange completely on a given machine, you need to stop all of the following services:
Microsoft Exchange Event (MSExchangeES) :-This service was used for launching event-based scripts in Exchange 5.5 when folder changes were detected. Exchange 2000 offered the ability to create Event Sinks directly, so this use of this service has decreased. This service is not started by default.
Microsoft Exchange IMAP4 (IMAP4Svc):-This service supplies IMAP4 protocol message server functionality. This service is disabled by default. To use IMAP4 you must enable this service, configure it to auto-start, and start the service.
Microsoft Exchange Information Store (MSExchangeIS):-This service is used to access the Exchange mail and public folder stores. If this service is not running, users will not be able to use Exchange. This service is started by default.
Microsoft Exchange Management (MSExchangeMGMT):-This service is responsible for various management functions available through WMI, such as message tracking. This service is started by default.
Microsoft Exchange MTA Stacks (MSExchangeMTA):-This service is used to transfer X.400 messages sent to and from foreign systems, including Exchange 5.5 Servers. This service was extremely important in Exchange 5.5, which used X.400 as the default message transfer protocol. Before stopping or disabling this service, review MS KB 810489. This service is started by default.
Microsoft Exchange POP3 (POP3Svc):-This service supplies POP3 protocol message server functionality. This service is disabled by default. To use POP3 you must enable this service, configure it to auto-start, and start the service.
Microsoft Exchange Routing Engine (RESvc):-This service is used for routing and topology information for routing SMTP based messages. This service is started by default.
Microsoft Exchange System Attendant (MSExchangeSA):-This service handles various cleanup and monitoring functions. One of the most important functions of the System Attendant is the Recipient Update Service (RUS), which is responsible for mapping attributes in Active Directory to the Exchange subsystem and enforcing recipient policies. When you create a mailbox for a user, you simply set some attributes on a user object. The RUS takes that information and does all of the work in the background with Exchange to really make the mailbox. If you mailbox-enable or mail-enable objects and they don’t seem to work, the RUS is one of the first places you will look for an issue. If you need to enable diagnostics for the RUS, the parameters are maintained in a separate service registry entry called MSExchangeAL. This isn’t a real service; it is simply the supplied location to modify RUS functionality. This service is started by default.
Microsoft Exchange Site Replication Service (MSExchangeSRS):-This service is used in Organizations that have Exchange 5.5 combined with Exchange 2000/2003. This service is not started by default.
Network News Transfer Protocol (NntpSvc) :-This service is responsible for supplying NNTP Protocol Server functionality. This service is started by default.
Simple Mail Transfer Protocol (SMTPSVC):-This service is responsible for supplying SMTP Protocol Server functionality. This service is started by default.
How can you recover a deleted mail box? In Exchange, if you delete a mailbox, it is disconnected for a default period of 30 days (the mailbox retention period), and you can reconnect it at any point during that time. Deleting a mailbox does not mean that it is permanently deleted (or purged) from the information store database right away, only that it is flagged for deletion. At the end of the mailbox retention period, the mailbox is permanently deleted from the database. You can also permanently delete the mailbox by choosing to purge it at any time.
This also means that if you mistakenly delete a mail-enabled user account, you can recreate that user object, and then reconnect that mailbox during the mailbox retention period.
Configure the deleted mailbox retention period at the mailbox store object level.
To Delete a Mailbox in Exchange
1. Right-click the user in Active Directory Users and Computers.
2. Click Exchange Tasks.
3. Click Next on the Welcome page of the Exchange Task Wizard.
4. Click Delete Mailbox.
5. Click Next, click Next, and then click Finish.
The mailbox is now flagged for deletion and will be permanently deleted at the end of the mailbox retention period unless you recover it.
To Reconnect (or Recover) a Deleted Mailbox
1. In Exchange System Manager, locate the mailbox store that contains the disconnected mailbox.
2. Click the Mailboxes object under the mailbox store.
3. If the mailbox is not already marked as disconnected (the mailbox icon appears with a red X), right-click the Mailboxes object, and then click Cleanup Agent.
4. Right-click the disconnected mailbox, click Reconnect, and then select the appropriate user from the dialog box that appears.
5. Click OK.
Note: Only one user may be connected to a mailbox, because all globally unique identifiers (GUIDs) are required to be unique across an entire forest.
To Reconnect a Deleted Mailbox to a New User Object
1. In Active Directory Users and Computers, create a new user object. When you create the new user object, click to clear the Create an Exchange Mailbox check box.
You will connect this user account to an already existing mailbox.
2. Follow steps 1 through 4 in the preceding “To Reconnect (or Recover) a Deleted Mailbox” section.
To Configure the Mailbox Retention Period
1. Right-click the mailbox store, and then click Properties.
2. On the Limits tab, change the Keep deleted mailboxes for (days) default setting of 30 to the number of days you want.
3. Click OK.
What is the use of ESEUTIL.exe? To repair the database. ESEUTIL is a tool to defragment your Exchange databases offline, to check their integrity and to repair a damaged/lost database.
ESEUTIL is located in the \EXCHSRVR\BIN directory. This directory is not in the system path so you must open the tool in the BIN directory or enhance the system path with the \EXCHSRVR\BIN directory.
You can use the Eseutil utility to defragment the information store and directory in Microsoft Exchange Server 5.5 and to defragment the information store in Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003. Eseutil examines the structure of the database tables and records (which can include reading, scanning, repairing, and defragmenting) the low level of the database (Ese.dll). Eseutil is located in the Winnt\System32 folder in Exchange Server 5.5 and in the Exchsrvr/Bin folder in Exchange 2000 and in Exchange 2003. The utility can run on one database at a time from the command line.
If you have deleted a user and then recreated the same user, how will you give access to the previous mailbox? Reconnect the deleted user’s mailbox to the recreated user, provided the recreated user doesn’t already have a mailbox.
Which protocol is used for Public Folders? NNTP (Network News Transfer Protocol). Both NNTP and IMAP help clients to access public folders, but actually SMTP sends the mails to the public folder.
What is latest service pack Exchange 2003? SP2
What is latest service pack Exchange 2000? SP4
What is the name of Exchange Databases? priv1.edb
How many databases in Standard Exchange version? 1
How many databases in Enterprise Exchange version? 20
New Features of Windows 2003 ACTIVE DIRECTORY
Easier Deployment and Management
- ADMT version 2.0: migrates passwords from NT4 to 2000 to 2003, or from 2000 to 2003
- Domain Rename: supports changing the Domain Name System and/or NetBIOS name
- Schema Redefine: allows deactivation of attributes and class definitions in the Active Directory schema
- AD/AM: Active Directory in Application Mode is a new capability of AD that addresses certain deployment scenarios related to directory-enabled applications
- Group Policy Improvements: introduced the GPMC tool to manage group policy
- UI: enhanced user interface
Greater Security
- Cross-forest Authentication
- Cross-forest Authorization
- Cross-certification Enhancements
- IAS and Cross-forest authentication
- Credential Manager
- Software Restriction Policies
Improved Performance and Dependability
- Easier logon for remote offices
- Group Membership replication enhancements
- Application Directory Partitions
- Install Replica from media
- Dependability Improvements: an updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000.
FILE AND PRINT SERVICES
1. Volume shadow copy service
2. NTFS journaling file system
3. EFS
4. Improved CHKDSK performance
5. Enhanced DFS and FRS
6. Shadow copy of shared folders
7. Enhanced folder redirection
8. Remote document sharing (WebDAV)
IIS
Fault-tolerant process architecture: The IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools.
Health Monitoring: IIS 6.0 periodically checks the status of an application pool, with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time.
Automatic Process Recycling: IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests.
Rapid-fail Protection: If an application fails too often within a short amount of time, IIS 6.0 will automatically disable it and return a “503 Service Unavailable” error message to any new or queued requests to the application.
Edit-While-Running
Difference between NT & 2000
- The NT SAM database is a flat database, whereas in Windows 2000 the Active Directory database is a hierarchical database.
- In Windows NT only the PDC has a writable copy of the SAM database; the BDC has only a read-only copy. In Windows 2000 both the DC and the ADC have a writable copy of the database.
- Windows NT does not support the FAT32 file system. Windows 2000 supports FAT32.
- The default authentication protocol in NT is NTLM (NT LAN Manager). In Windows 2000 the default authentication protocol is Kerberos V5.
- Windows 2000 depends on and is integrated with DNS. NT uses NetBIOS names.
- Active Directory can be backed up easily with System State data.
Difference between 2000 & 2003
- Application Server mode is introduced in Windows 2003.
- It is possible to configure stub zones in Windows 2003 DNS.
- Volume Shadow Copy Service is introduced.
- Windows 2003 gives an option to replicate DNS data between all DNS servers in the forest or all DNS servers in the domain.
Difference between PDC & BDC: The PDC contains a writable copy of the SAM database, whereas the BDC contains a read-only copy of the SAM database. It is not possible to reset a password or create objects without the PDC in Windows NT.
Difference between DC & ADC: There is no difference between a DC and an ADC; both contain a writable copy of AD. Both can also handle FSMO roles (if transferred from the DC to the ADC). It is just for identification; functionality-wise there is no difference.
What is DNS & WINS? DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP addresses. This is proprietary to Windows.
What is the process by which DHCP gets an IP address to the client?
There is a four-way negotiation process between client and server:
1. DHCP Discover (initiated by client)
2. DHCP Offer (initiated by server)
3. DHCP Request (initiated by client)
4. DHCP Acknowledgement (initiated by server)
In short form we can say DORA.
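The four DORA messages are ordinary DHCP packets that differ in the op field and in option 53 (message type). The following serializer, parser and checker is an added example, not code from the original text; the transaction id, the client MAC and the documentation-range addresses are constructed, and `validate_dora` simply verifies that four captured messages form one consistent transaction.

```python
"""Serialize, parse and validate the four DORA messages as DHCP packets.
Added example, not from the original text; the transaction id, addresses and
the client MAC are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 values (4 = DECLINE, 6 = NAK)
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def lease_option(seconds):
    return (OPT_LEASE, struct.pack("!I", seconds))


def build(op, xid, msg_type, yiaddr="0.0.0.0", chaddr=b"\x00\x11\x22\x33\x44\x55", options=()):
    """Serialize a minimal DHCP message: fixed header, magic cookie, options, end marker."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"", b"")
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + bytes([OPT_END])


def parse(packet):
    """Decode the fields DORA validation needs, walking the TLV option list."""
    size = struct.calcsize(HEADER)
    fields = struct.unpack(HEADER, packet[:size])
    if packet[size:size + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, size + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:  # pad option, a single byte with no length
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    else:
        raise ValueError("no end option")
    return {"op": fields[0], "xid": fields[4], "yiaddr": str(IPv4Address(fields[8])),
            "chaddr": fields[11][:fields[2]], "options": options}


def validate_dora(packets):
    """Check that four raw messages form one Discover/Offer/Request/Ack transaction.

    Returns (leased address, lease seconds) or raises ValueError on any deviation."""
    expected = [(BOOTREQUEST, DISCOVER), (BOOTREPLY, OFFER), (BOOTREQUEST, REQUEST), (BOOTREPLY, ACK)]
    msgs = [parse(p) for p in packets]
    if len(msgs) != len(expected):
        raise ValueError("DORA needs exactly four messages")
    xid = msgs[0]["xid"]
    for m, (op, mtype) in zip(msgs, expected):
        if m["xid"] != xid:
            raise ValueError("transaction id changed mid-exchange")
        if m["op"] != op or m["options"].get(OPT_MSG_TYPE) != bytes([mtype]):
            raise ValueError(f"expected op {op} / message type {mtype}")
    offer, request, ack = msgs[1], msgs[2], msgs[3]
    if request["options"].get(OPT_REQUESTED_IP) != IPv4Address(offer["yiaddr"]).packed:
        raise ValueError("REQUEST does not ask for the offered address")
    if ack["yiaddr"] != offer["yiaddr"] or ack["options"].get(OPT_SERVER_ID) != offer["options"].get(OPT_SERVER_ID):
        raise ValueError("ACK does not match the OFFER")
    return ack["yiaddr"], struct.unpack("!I", ack["options"][OPT_LEASE])[0]


def sample_exchange(xid=0x3903F326, server="192.0.2.1", offered="192.0.2.50", lease=86400):
    """Constructed DORA exchange (client MAC and documentation-range addresses)."""
    server_id = (OPT_SERVER_ID, IPv4Address(server).packed)
    return [
        build(BOOTREQUEST, xid, DISCOVER),
        build(BOOTREPLY, xid, OFFER, yiaddr=offered, options=[server_id, lease_option(lease)]),
        build(BOOTREQUEST, xid, REQUEST, options=[(OPT_REQUESTED_IP, IPv4Address(offered).packed), server_id]),
        build(BOOTREPLY, xid, ACK, yiaddr=offered, options=[server_id, lease_option(lease)]),
    ]


if __name__ == "__main__":
    print(validate_dora(sample_exchange()))  # ('192.0.2.50', 86400)
```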
What are the port numbers for FTP, Telnet, HTTP, DNS FTP-21, Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP- 389
What are the database files used for Active Directory? The key AD database files are edb.log, ntds.dit, res1.log, res2.log, and edb.chk, all of which reside in %systemroot%\ntds on a domain controller (DC) by default. During AD installation, Dcpromo lets you specify alternative locations for these log files and for the database file NTDS.DIT.
What is the location of the AD Database? %systemroot%\NTDS\NTDS.DIT
What is the authentication protocol used in NT? NTLM (NT LAN Manager)
What is subnetting and supernetting? Subnetting is the process of borrowing bits from the host portion of an address to provide bits for identifying additional sub-networks.
Supernetting merges several smaller, contiguous blocks of IP addresses (networks) into one larger block of addresses. Borrowing bits from the network portion to combine several smaller networks into one larger network is what supernetting does.
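The two operations are mirror images on the prefix length: subnetting lengthens it, supernetting shortens it, and supernetting only works when the blocks are contiguous, equal-size and aligned. The following hand-rolled implementation, cross-checked against the `ipaddress` module, is an added example rather than code from the original text; the networks are constructed.

```python
"""Subnetting and supernetting done on the raw bits, cross-checked against the
standard library.  Added example, not from the original text; the networks
are constructed (RFC 1918 ranges)."""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses


def subnet(network, borrow):
    """Borrow `borrow` host bits and return the resulting equal-size subnets."""
    net = IPv4Network(network)
    new_prefix = net.prefixlen + borrow
    if new_prefix > 32:
        raise ValueError("not enough host bits to borrow")
    base = int(net.network_address)
    size = 1 << (32 - new_prefix)  # addresses per new subnet
    return [f"{IPv4Address(base + i * size)}/{new_prefix}" for i in range(1 << borrow)]


def usable_hosts(prefix):
    """Hosts per subnet: 2^host_bits minus the network and broadcast addresses."""
    host_bits = 32 - prefix
    return 0 if host_bits < 2 else (1 << host_bits) - 2


def supernet(networks):
    """Give back network bits to merge contiguous, aligned, equal-size blocks.

    Raises ValueError when the blocks cannot be summarised by a single prefix."""
    nets = sorted(IPv4Network(n) for n in networks)
    count = len(nets)
    if count == 0 or count & (count - 1):
        raise ValueError("need a power-of-two number of blocks")
    prefix = nets[0].prefixlen
    if any(n.prefixlen != prefix for n in nets):
        raise ValueError("blocks must be the same size")
    give_back = count.bit_length() - 1  # log2(count) bits move from network to host part
    new_prefix = prefix - give_back
    first = int(nets[0].network_address)
    if first & ((1 << (32 - new_prefix)) - 1):
        raise ValueError("first block is not aligned to the merged prefix")
    block = 1 << (32 - prefix)
    for i, n in enumerate(nets):
        if int(n.network_address) != first + i * block:
            raise ValueError("blocks are not contiguous")
    return f"{IPv4Address(first)}/{new_prefix}"


def stdlib_subnets(network, borrow):
    """The same split using ipaddress, to confirm the hand-rolled version."""
    return [str(n) for n in IPv4Network(network).subnets(prefixlen_diff=borrow)]


def stdlib_supernet(networks):
    """The same merge using ipaddress; None when no single block results."""
    merged = list(collapse_addresses(IPv4Network(n) for n in networks))
    return str(merged[0]) if len(merged) == 1 else None


if __name__ == "__main__":
    print(subnet("192.168.1.0/24", 2), usable_hosts(26))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```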
What is the use of Terminal Services? Terminal Services can be used in Remote Administration mode to administer a server remotely, as well as in Application Server mode to run an application on one server so that users can log on to that server to use that application.
What is the protocol used for Terminal Services? RDP
What is the port number for RDP? 3389
What is the difference between an Authorized DHCP and a Non-Authorized DHCP server? To avoid problems in the network caused by misconfigured DHCP servers, a DHCP server in Windows 2000 must be validated (authorized) by AD before it starts serving clients. If a DHCP server finds that it is not authorized in the network, it stops serving clients.
Difference between inter-site and intra-site replication, and the protocols used for replication? Intra-site replication is done between the domain controllers in the same site. Inter-site replication is done between two different sites over WAN links; BHS (Bridge Head Servers) are responsible for initiating replication between the sites, so inter-site replication is done between the BHS in one site and the BHS in another site. We can use RPC over IP or SMTP as replication protocols, but the Domain partition cannot be replicated using SMTP.
How to monitor replication? We can use the Replmon tool from the Support Tools.
What are the different backup strategies available?
Normal Backup, Incremental Backup, Differential Backup, Daily Backup, Copy Backup
What is a global catalog? The Global Catalog is a role which maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored in global catalog servers and replicated to all GCs in the forest.
What is Active Directory and what is the use of it? Active Directory is a directory service which maintains the relationships between resources and enables them to work together. Because of AD’s hierarchical structure, Windows 2000 is more scalable and reliable. Active Directory is derived from the X.500 standards, where information is stored in a hierarchical, tree-like structure. Active Directory depends on two Internet standards: one is DNS and the other is LDAP. Information in Active Directory can be queried by using the LDAP protocol.
What is the physical and logical structure of AD? Active Directory’s physical structure is a hierarchical structure which follows Forests, Trees, Domains, Child Domains, Grandchild Domains, etc. Active Directory is logically divided into 3 partitions:
1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003; not available in Windows 2000)
Out of these, the Configuration and Schema partitions are replicated between the domain controllers in the entire forest, whereas the Domain partition is replicated only between the domain controllers in the same domain.
What is the process of user authentication (Kerberos V5) in Windows 2000? After the user gives logon credentials, an encryption key is generated from the password and used to encrypt the time stamp of the client machine. The user name and the encrypted time stamp are sent to the domain controller for authentication. The domain controller, based on the password information stored in AD for that user, decrypts the encrypted time stamp. If the produced time stamp matches its own time stamp, it provides a logon session key and a Ticket Granting Ticket to the client in encrypted form. The client again decrypts these and, if the produced time stamp information matches, it uses the logon session key to log on to the domain. The Ticket Granting Ticket is used to obtain a service-granting ticket when accessing network resources.
What are the port numbers for Kerberos, LDAP and Global Catalog? Kerberos – 88, LDAP – 389, Global Catalog – 3268
What is the use of LDAP (X.500 standard)? LDAP is a directory access protocol which is used to exchange directory information from server to clients or from server to server.
What are the problems that generally come across with DHCP? The scope is full of IP addresses and no IPs are available for new machines; scope options are not configured properly (e.g. default gateway); incorrect creation of scopes, etc.
What is the role responsible for time synchronization? The PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos authentication depends on time stamp information.
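The Kerberos logon sequence described above and the reason the PDC Emulator’s time synchronization matters can be seen together in one model. The following is an added example, not code from the original text: keys are derived with SHA-256 and "encryption" is a keystream XOR plus an HMAC tag standing in for the real Kerberos encryption types, and the 5-minute skew limit is assumed as Kerberos’ usual default.

```python
"""Toy model of the Kerberos V5 logon described above (pre-authentication with
an encrypted timestamp, then session key + TGT), showing why clock skew breaks it.
Added example, not from the original text.  Assumptions: keys are derived with
SHA-256 and 'encryption' is a keystream XOR plus an HMAC tag, standing in for
the real Kerberos encryption types; the 5-minute skew limit is the usual default."""
import hashlib
import hmac
import os
import struct

MAX_SKEW = 300  # seconds; assumed default clock-skew tolerance


def derive_key(password):
    """Long-term key from the password (real Kerberos uses its string-to-key function)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The domain controller side: holds every principal's key and the krbtgt key."""

    def __init__(self, users):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, username, preauth, now):
        key = self.keys.get(username)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            (client_time,) = struct.unpack("!q", unseal(key, preauth))
        except ValueError:
            raise PermissionError("pre-authentication failed: wrong password")
        if abs(client_time - now) > MAX_SKEW:
            raise PermissionError("clock skew too great")  # KRB_AP_ERR_SKEW in real Kerberos
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, username.encode() + b"\0" + session_key)
        # The client can decrypt the first item; only the KDC can read the TGT.
        return seal(key, session_key), tgt

    def read_tgt(self, tgt):
        """What the ticket-granting service does later when a service ticket is requested."""
        name, session_key = unseal(self.krbtgt_key, tgt).split(b"\0", 1)
        return name.decode(), session_key


def client_logon(kdc, username, password, client_now, kdc_now):
    """Client side of the logon; both clocks are passed in so skew can be shown."""
    key = derive_key(password)
    preauth = seal(key, struct.pack("!q", client_now))
    enc_session_key, tgt = kdc.as_exchange(username, preauth, kdc_now)
    return unseal(key, enc_session_key), tgt


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery"})  # constructed credentials
    sk, tgt = client_logon(kdc, "alice", "correct horse battery", 1_700_000_000, 1_700_000_003)
    print("logon ok, TGT names", kdc.read_tgt(tgt)[0])
```

A client whose clock drifts more than MAX_SKEW from the domain controller fails with the same error as a wrong password from the user's point of view, which is why time synchronization is checked first when logons fail.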
What is TTL & how to set TTL time in DNS? TTL is the Time To Live setting, used for the amount of time that a record should remain in cache after name resolution has happened. We can set TTL in the SOA (Start Of Authority) record of DNS.
What is the Recovery Console? The Recovery Console is a utility used to recover the system when it is not booting properly or not booting at all. We can perform the following operations from the Recovery Console: copy, rename, or replace operating system files and folders; enable or disable service or device startup the next time the computer starts; repair the file system boot sector or the Master Boot Record; create and format partitions on drives.
What is RIS and what are its requirements? RIS is the Remote Installation Service, which is used to install operating systems remotely.
Client requirements:
- PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk.
- Should meet minimum operating system requirements.
Software requirements:
The following network services must be active on the RIS server or on any server in the network:
- Domain Name System (DNS service)
- Dynamic Host Configuration Protocol (DHCP)
- Active Directory directory service
What are FSMO Roles? The Flexible Single Master Operation (FSMO) roles are:
Domain Naming Master, Schema Master, PDC Emulator, Infrastructure Master, RID Master
Brief all the FSMO Roles
Domain Naming Master and Schema Master are forest-level roles. PDC Emulator, Infrastructure Master and RID Master are domain-level roles. The first server in the forest performs all 5 roles by default. Later we can transfer the roles.
Domain Naming Master: The domain naming master is responsible for maintaining the relationships between the domains. Without this role it is not possible to add or remove any domain.
Schema Master: The schema contains the set of classes and attributes; e.g. user, computer and printer are objects in AD which have their own set of attributes. The schema master is responsible for maintaining this schema. Changes to the schema affect the entire forest.
PDC Emulator: The server performing this role acts as a PDC in mixed mode to synchronize directory information between Windows 2000 DCs and Windows NT BDCs. The server performing this role also contains the latest password information. This role is also responsible for time synchronization in the forest.
Infrastructure Master: It is responsible for managing group membership information in the domain. This role is responsible for updating DNs when the name or location of an object is modified.
RID Master: The server performing this role provides a pool of RIDs to the other domain controllers in the domain. A SID is the combination of the domain SID and a RID (SID = SID + RID), where the SID (security identifier) is common for all objects in the domain and the RID (relative identifier) is unique for each object.
How to manually configure FSMO Roles on separate DCs? We can configure them manually in two ways:
Through MMC: We can configure the Domain Naming Master role through Active Directory Domains and Trusts; we can configure the Schema Master role through Active Directory Schema; the other three roles we can configure through Active Directory Users and Computers.
Through the command prompt: By using the command NTDSUTIL, type ROLES, type CONNECTIONS, then CONNECT TO SERVER SERVERNAME, where servername is the name of the domain controller that you want to assign the role to. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt and then press ENTER, or see the list of roles above. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
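The RID Master answer above (SID = domain SID + RID, with RID pools handed to each DC) can be made concrete with a small model. This is an added example, not code from the original text; the domain SID, the pool size and the starting RID are constructed (the real default pool size is 500), and the binary SID layout shown is the standard one: revision, sub-authority count, a 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities.

```python
"""SID = domain SID + RID, the binary SID layout, and how a RID pool keeps SIDs
unique across DCs.  Added example, not from the original text; the domain SID
and pool size are constructed (the real default pool size is 500)."""
import struct

# Well-known RIDs every domain has (fixed values, never taken from a RID pool).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID


def split_sid(sid):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 5 or parts[3] != "21":
        raise ValueError(f"not a domain object SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def make_sid(domain_sid, rid):
    return f"{domain_sid}-{rid}"


def sid_to_bytes(sid):
    """Binary form: revision(1) count(1) authority(6, big-endian) sub-authorities(4 each, little-endian)."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:8 + 4 * count])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def describe(sid):
    domain, rid = split_sid(sid)
    return {"domain_sid": domain, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


class RidMaster:
    """Hands out disjoint R
ID pools; the only place new RIDs originate."""

    def __init__(self, domain_sid, pool_size=500, first_rid=1000):
        self.domain_sid, self.pool_size, self.next_rid = domain_sid, pool_size, first_rid

    def allocate_pool(self):
        start = self.next_rid
        self.next_rid += self.pool_size
        return range(start, self.next_rid)


class DomainController:
    """Creates objects from its local pool; asks the RID master for a new pool when exhausted."""

    def __init__(self, rid_master):
        self.master = rid_master
        self.pool = iter(())

    def create_object(self):
        try:
            rid = next(self.pool)
        except StopIteration:
            self.pool = iter(self.master.allocate_pool())
            rid = next(self.pool)
        return make_sid(self.master.domain_sid, rid)


if __name__ == "__main__":
    print(describe(make_sid(DOMAIN_SID, 500)))
    print(sid_to_bytes(DOMAIN_SID).hex())
```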
What is the difference between authoritative and non-authoritative restore? In an authoritative restore, objects that are restored are replicated to all domain controllers in the domain. This can be used specifically when an entire OU is disturbed on all domain controllers, or to restore a single object which is disturbed on all DCs. In a non-authoritative restore, the restored directory information is updated by the other domain controllers based on the latest modification time.
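Both the authoritative restore answer earlier on this page and the comparison above turn on one rule: when two DCs hold different values, the higher version number wins and a tie goes to the later originating write. The following model is an added example, not code from the original text; DC names, values and times are constructed, and the version bump of 100000 per day since the backup follows ntdsutil's documented default.

```python
"""Why an authoritative restore must raise version numbers: a model of AD's
attribute conflict rule (higher version wins, then later timestamp) applied to
a non-authoritative and an authoritative restore.  Added example, not from the
original text; DC names, values and times are constructed, and the version
bump of 100000 per day follows ntdsutil's documented default."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Attr:
    value: str
    version: int  # incremented by every originating write
    stamp: int    # originating write time, constructed as plain seconds


def incoming_wins(local, incoming):
    """Replication conflict resolution: higher version, then later originating time."""
    return (incoming.version, incoming.stamp) > (local.version, local.stamp)


class DomainController:
    def __init__(self, name):
        self.name, self.attrs = name, {}

    def write(self, dn, value, now):
        old = self.attrs.get(dn)
        self.attrs[dn] = Attr(value, old.version + 1 if old else 1, now)

    def replicate_from(self, other):
        for dn, incoming in other.attrs.items():
            local = self.attrs.get(dn)
            if local is None or incoming_wins(local, incoming):
                self.attrs[dn] = incoming

    def backup(self):
        return dict(self.attrs)

    def restore(self, snapshot, authoritative=False, days_since_backup=1):
        """Non-authoritative: put the backup back as-is.  Authoritative: also
        bump versions so the restored values win the next replication cycle."""
        self.attrs = dict(snapshot)
        if authoritative:
            bump = 100000 * days_since_backup
            self.attrs = {dn: replace(a, version=a.version + bump) for dn, a in self.attrs.items()}


def scenario(authoritative):
    """Good value backed up, bad change replicated, DC1 restored.  Returns the
    attribute as seen on (DC1, DC2) after replication settles."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("cn=user1", "good", now=100)
    dc2.replicate_from(dc1)
    snapshot = dc1.backup()                  # backup taken while the value is good
    dc2.write("cn=user1", "bad", now=200)    # accidental change after the backup
    dc1.replicate_from(dc2)                  # the bad value is now on every DC
    dc1.restore(snapshot, authoritative=authoritative)
    dc1.replicate_from(dc2)                  # normal replication resumes both ways
    dc2.replicate_from(dc1)
    return dc1.attrs["cn=user1"].value, dc2.attrs["cn=user1"].value


if __name__ == "__main__":
    print("non-authoritative:", scenario(False))  # ('bad', 'bad')
    print("authoritative:    ", scenario(True))   # ('good', 'good')
```

The same bump is what makes an authoritative restore lose every legitimate change made to the restored object after the backup: those writes carry smaller version numbers too.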
What is Active Directory defragmentation? Defragmentation of AD means separating used space from the empty space created by deleted objects, and it reduces the directory size (only in offline defragmentation).
Difference between online and offline defragmentation? Online defragmentation is performed by the garbage collection process, which runs every 12 hours by default; it separates used space and white space (white space is the space created by object deletion in AD, e.g. a user) and improves the efficiency of AD while the domain controller is up and running.
Offline defragmentation can be done manually by taking the domain controller into Restoration mode. We can only reduce the file size of the directory database, whereas the efficiency is the same as in online defragmentation.
What is the tombstone period? Tombstones are nothing but objects marked for deletion. After deleting an object in AD, the object is not deleted permanently. It remains for 60 days by default (which is configurable); an entry marking it for deletion is added to the object and replicated to all DCs. After 60 days the object is deleted permanently from all DCs.
How to deploy patches, and what software is used for this process? Using an SUS (Software Update Services) server we can deploy patches to all clients in the network. We need to configure the option called “Synchronize with Microsoft software update server” and schedule a time to synchronize on the server. We need to approve new updates based on requirements; then the approved updates are deployed to clients. We can configure clients by changing the registry manually or through Group Policy by adding the WUAU administrative template in Group Policy.
What is Clustering? Briefly define & explain it? Clustering is a technology, which is used to provide High Availability for mission critical applications. We can configure cluster by installing MCS (Microsoft cluster service) component from Add remove programs, which can only available in Enterprise Edition and Data center edition.
In Windows we can configure two types of clusters:
NLB (Network Load Balancing) cluster: balances load between servers. This cluster does not provide any high availability. Usually preferable at edge servers such as web or proxy servers.
Server cluster: provides high availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node is active and the other is standby. When the active server fails, the application FAILS OVER to the standby server automatically. When the original server comes back we need to FAIL BACK the application.
Quorum: shared storage that must be provided to all servers in the cluster; it keeps information about the clustered application and session state and is used in a FAILOVER situation. This is very important: if the quorum disk fails, the entire cluster fails.
Heartbeat: a private connection between the servers in the cluster, used to determine the status of the other servers in the cluster.
How to configure SNMP? SNMP is configured by installing SNMP from Monitoring and Management Tools in Add/Remove Programs. For SNMP programs to communicate we need to configure a common community name on the machines where the SNMP programs (e.g. Dell OpenManage) are running. This is configured from services.msc — SNMP Service — Security.
Is it possible to rename the domain name, and how? In Windows 2000 it is not possible. In Windows 2003 it is possible. On the domain controller, by going to My Computer properties, we can change it.
What is an SOA record? SOA is the Start of Authority record, the first record in a DNS zone, which controls the startup behavior of DNS. We can configure the TTL, refresh, and retry intervals in this record.
What is a stub zone and what is its use? Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient, especially over slow WAN links.
What is ASR (Automated System Recovery) and how is it implemented? ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard, located in Backup, does the backup portion. The wizard backs up the system state, system services, and all the disks that are associated with the operating system components. ASR also creates a file that contains information about the backup, the disk configurations (including basic and dynamic volumes), and how to perform a restore.
You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
What are the different levels at which we can apply Group Policy? We can apply group policy at site level, domain level, and OU level.
What are Domain Policy, Domain Controller Policy, Local Policy and Group Policy? Domain policy applies to all computers in the domain, because by default it is associated with the domain GPO, whereas domain controller policy applies only to domain controllers. By default the domain controller security policy is associated with the domain controller GPO. Local policy applies to that particular machine only and affects only that computer.
What is the use of SYSVOL FOLDER? Policies and scripts saved in SYSVOL folder will be replicated to all domain controllers in the domain. FRS (File replication service) is responsible for replicating all policies and scripts.
What is folder redirection? Folder Redirection is a User group policy. Once you create the group policy and link it to the appropriate object, an administrator can designate which folders to redirect and where. To do this, the administrator needs to navigate to the following location in the Group Policy Object:
User Configuration\Windows Settings\Folder Redirection
In the Properties of the folder, you can choose Basic or Advanced folder redirection and you can designate the server file system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.
Features of Windows 2003
Automated System Recovery (ASR) provides a facility to get Windows Server 2003 systems back up and running quickly after a failure occurs.
Internet Information Services 6.0 (not installed by default): highly secured and locked down by default, with a new architectural model that includes features such as process isolation and a metabase stored in XML format.
Saved Queries: Active Directory Users and Computers now includes a new node named Saved Queries, which allows an administrator to create a number of predefined queries that are saved for future access.
Group Policy Management Console (GPMC) is a new tool for managing Group Policy in Windows Server 2003. While Group Policy-related elements have typically been found across a range of tools (such as Active Directory Users and Computers, the Group Policy MMC snap-in, and others), GPMC acts as a single consolidated environment for carrying out Group Policy-related tasks.
Resultant Set of Policy (RSoP): with the RSoP tool, the administrator can generate a query that processes all the applicable Group Policy settings for a user on the local computer or on another computer on the network. After processing the query, RSoP presents the exact Group Policy settings that apply to that user, as well as the source Group Policy object responsible for each setting.
Remote Desktop: In Windows Server 2003, Terminal Services Remote Administration mode is known as Remote Desktop. Remote Desktop connections are enabled via the Remote tab in the System applet in Control Panel. When connecting to a terminal server using an RDP 5.1 client, many of the local resources are available within the remote
session, including the client file system, smart cards, audio (output), serial ports, printers (including network), and the clipboard.
Cross-Forest Trust Relationships: Windows Server 2003 supports cross-forest transitive trust relationships to allow users in one forest to access resources in any domain in another, and vice versa.
Domain Renaming & Domain Controller renaming is possible.
Universal Group Membership Caching: Windows Server 2003 introduces a new feature aimed at reducing the need for global catalog servers at all remote locations. Universal group membership caching can be enabled on selected domain controllers, making them capable of caching universal group information locally without being a full-fledged global catalog server.
Volume shadow copies of shared folders feature makes point-in-time backups of user data to ensure that previous versions are easily accessible in cases where a user has accidentally deleted a file.
Application Directory Partitions: every domain controller in an Active Directory forest has a copy of the schema partition, which defines the object types that can be created and their associated properties. Similarly, all domain controllers in the forest hold a copy of the configuration partition, which holds information about sites and services. Within a domain, all domain controllers hold a copy of the domain partition, which includes information about the objects within that particular domain only.
The application directory partition is a new partition that is unique in that it allows directory information to be replicated to certain domain controllers only, on an as-necessary basis. Specifically designed for directory-enabled applications and services, application directory partitions can contain any type of object, with the exception of security principals such as users, computers, or security group accounts.
Distributed File System: DFS is enhanced for Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition by allowing multiple DFS roots on a single server. You can use this feature to host multiple DFS roots on a single server, reducing the administrative and hardware costs of managing multiple namespaces and multiple replicated namespaces.
Improvements in Clustering: In Datacenter Edition, the maximum supported cluster size has been increased from 4 nodes in Windows 2000 to 8 nodes in Windows Server 2003. In Enterprise Edition, the maximum supported cluster size has been increased from 2 nodes in Windows 2000 Advanced Server to 8 nodes in Windows Server 2003.
Server clusters running Windows Server 2003, Enterprise Edition or Datacenter Edition integrate with the Microsoft Active Directory® service. This integration ensures that a “virtual” computer object is registered in Active Directory. This allows applications to use Kerberos authentication and delegation to highly available services running in a cluster. The computer object also provides a default location for Active Directory-aware services to publish service control points.
Server clusters are fully supported on computers running the 64-bit versions of Windows Server 2003. Windows Server 2003 supports Encrypting File System (EFS) on clustered (shared) disks.
RIS server supports deploying all editions of Windows 2000, Windows XP Professional, and all editions of Windows Server 2003 (except Windows 2000 Datacenter Server and Windows Server 2003, Datacenter Edition). In addition, administrators can use RIS servers with Risetup to deploy Windows XP 64-bit Edition and the 64-bit versions of Windows Server 2003.
Point-to-Point Protocol over Ethernet (PPPoE): Windows Server 2003 delivers a native PPPoE driver for making broadband connections to certain Internet service providers (ISPs) without the need for additional software. Small businesses or corporate branch offices may also use PPPoE’s demand-dial capabilities to integrate with the Routing and Remote Access service and NAT.
Internet Connection Firewall (ICF): ICF, designed for use in a small business, provides basic protection on computers directly connected to the Internet or on local area network (LAN) segments. ICF is available for LAN, dial-up, VPN, or PPPoE connections. ICF integrates with ICS or with the Routing and Remote Access service.
Open File Backup: The backup utility included with Windows Server 2003 now supports “open file backup”. In Windows 2000, files had to be closed before initiating backup operations. Backup now uses shadow copies to ensure that any open files being accessed by users are also backed up. (Need to modify some registry keys.)
Stub Zones: introduced in Windows 2003 DNS. A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). A stub zone is also read-only like a secondary zone, so administrators can’t manually add, remove, or modify resource records on it. However, while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:
a. A copy of the SOA record for the zone.
b. Copies of NS records for all name servers authoritative for the zone.
c. Copies of (glue) A records for all name servers authoritative for the zone.
That’s it: no CNAME records, MX records, SRV records, or A records for other hosts in the zone. So while a secondary zone can be quite large for a big company’s network, a stub zone is always very small, just a few records. This means replicating zone information from master to stub zone adds almost no DNS traffic to your network, as the records for name servers rarely change unless you decommission an old name server or deploy a new one.
Difference between NT & 2000
The Windows NT SAM database is a flat database, whereas the Windows 2000 Active Directory database is a hierarchical database.
In Windows NT only the PDC has a writable copy of the SAM database; the BDC has only a read-only copy. In Windows 2000 both the DC and the ADC have a writable copy of the database.
Windows NT does not support the FAT32 file system; Windows 2000 supports FAT32. The default authentication protocol in NT is NTLM (NT LAN Manager); in Windows 2000 the default authentication protocol is Kerberos V5.
Features introduced in Windows 2000 that are not in Windows NT:
NTFS v5 supports disk quotas.
Remote Installation Service
Built-in VPN & NAT support
IPv6 support
USB support
Distributed File System
Clustering support
ICS (Internet Connection Sharing)
Difference between PDC & BDC? The PDC contains a writable copy of the SAM database, whereas the BDC contains a read-only copy of the SAM database. It is not possible to reset a password without the PDC in Windows NT, but both can participate in user authentication. If the PDC fails, we have to manually promote the BDC to PDC from Server Manager.
Difference between DC & ADC? There is no difference between a DC and an ADC; both contain a writable copy of AD. Both can also handle FSMO roles (if transferred from the DC to the ADC). Functionality-wise there is no difference. An ADC is required only for load balancing and redundancy. If two physical sites separated by a WAN link come under the same domain, it is better to keep one ADC in the other site to act as the main domain controller for that site. This reduces WAN traffic and also improves user authentication performance.
What are DNS & WINS? DNS is the Domain Name System/Server, used to resolve host names to IP addresses and also IP addresses to host names. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names. It supports names of up to 256 characters.
WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP addresses and also IP addresses to NetBIOS names. It is proprietary to Microsoft and meant for Windows only. It supports names of up to 15 characters.
If the DHCP server is not available, what happens to the client? When a client tries to get an IP address from the DHCP server for the first time and no DHCP server is found, the client assigns itself an IP address from the APIPA (Automatic Private IP Address) range 169.254.0.0 - 169.254.255.255. If the client already has an IP address with a lease duration, it uses that IP until the lease duration expires.
What are the different types of trust relationships?
Implicit trusts: trust relationships established automatically.
Explicit trusts: trust relationships we have to build manually, e.g. NT to Win2k or forest to forest.
Transitive: if A trusts B and B trusts C, then A trusts C.
Non-transitive: if A trusts B and B trusts C, A still does not trust C.
One way: one side only.
Two way: both sides.
Windows Server 2003 Active Directory supports the following types of trust relationships:
Tree-root trust: tree-root trust relationships are automatically established when you add a new tree root domain to an existing forest. This trust relationship is transitive and two-way.
Parent-child trust: parent-child trust relationships are automatically established when you add a new child domain to an existing tree. This trust relationship is also transitive and two-way.
Shortcut trust: shortcut trusts are trust relationships that are manually created by systems administrators. These trusts can be defined between any two domains in a forest, generally for the purpose of improving user logon and resource access performance. Shortcut trusts can be especially useful in situations where users in one domain often need to access resources in another, but a long path of transitive trusts separates the two domains. Often referred to as cross-link trusts, shortcut trust relationships are transitive and can be configured as one-way or two-way as needs dictate.
Realm trust: realm trusts are manually created by systems administrators between a non-Windows Kerberos realm and a Windows Server 2003 Active Directory domain. This type of trust relationship provides cross-platform interoperability with security services in any Kerberos version 5 realm, such as a UNIX implementation. Realm trusts can be either transitive or non-transitive, and one-way or two-way as needs dictate.
External trust: external trusts are manually created by systems administrators between Active Directory domains that are in different forests, or between a Windows Server 2003 Active Directory domain and a Windows NT 4.0 domain. These trust relationships provide backward compatibility with Windows NT 4.0 environments, and communication with domains located in other forests that are not configured to use forest trusts. External trusts are non-transitive and can be configured as either one-way or two-way as needs dictate.
Forest trust: forest trusts are trust relationships that are manually created by systems administrators between forest root domains in two separate forests. If a forest trust relationship is two-way, it effectively allows authentication requests from users in one forest to reach another, and for users in either forest to access resources in both. Forest trust relationships are transitive between two forests only and can be configured as either one-way or two-way as needs dictate.
By default, implicit two-way transitive trust relationships are established between all domains in a Windows 2000/2003 forest.
What is the process of DHCP for getting the IP address to the client?
Discover: the client broadcasts packets to find a DHCP server.
Offer: the server offers an IP address.
Request: the client requests the IP address from the server that made the offer.
Acknowledge: the server sends an acknowledgement to the client.
NACK: if the client does not get the IP address after the server made its offer, the server sends a negative acknowledgement.
DHCP server uses port no. 67; DHCP client uses port no. 68.
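The exchange above, plus the APIPA fallback from the earlier DHCP question, as an added toy model that is not part of the original Q&A or any real DHCP server. Messages are plain dictionaries carrying only the fields the flow needs; the server pool, MACs and the deterministic APIPA pick are constructed for the example.

```python
"""Toy model of the DHCP Discover/Offer/Request/Ack exchange, the NAK case, and the
APIPA fallback. Added example: messages are dicts, not real DHCP packets; only the
flow and the port numbers follow the text."""
from dataclasses import dataclass, field
import ipaddress

SERVER_PORT = 67  # DHCP server port (from the text)
CLIENT_PORT = 68  # DHCP client port (from the text)
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class DhcpServer:
    pool: list                                   # addresses still free to lease
    lease_seconds: int = 8 * 86400               # 8-day default (stated later in the Q&A)
    offered: dict = field(default_factory=dict)  # client MAC -> address offered to it

    def handle(self, msg: dict):
        """Reply to one client message, or None when there is nothing to say."""
        if msg["dst_port"] != SERVER_PORT:
            return None                          # not addressed to the server port
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            if not self.pool:
                return None                      # pool exhausted: the client hears nothing
            self.offered[mac] = self.pool[0]
            return {"type": "OFFER", "yiaddr": self.pool[0], "dst_port": CLIENT_PORT}
        if msg["type"] == "REQUEST":
            addr = self.offered.pop(mac, None)
            # NAK when the client asks for an address this server never offered it,
            # or one that was leased to someone else in the meantime
            if addr is None or addr != msg["requested"] or addr not in self.pool:
                return {"type": "NAK", "dst_port": CLIENT_PORT}
            self.pool.remove(addr)
            return {"type": "ACK", "yiaddr": addr, "lease": self.lease_seconds,
                    "dst_port": CLIENT_PORT}
        return None


def apipa_address(mac: str) -> str:
    """Deterministic 169.254.x.y for this toy (constructed); real clients pick one at
    random and ARP-probe it before use."""
    h = sum(int(octet, 16) for octet in mac.split(":"))
    return str(APIPA_NET[h % 65534 + 1])


def client_obtain_address(server, mac, current=None, lease_remaining=0):
    """Return (address, how). A client whose lease has not expired keeps its address;
    otherwise it runs DORA and falls back to APIPA when no server answers."""
    if current is not None and lease_remaining > 0:
        return current, "lease-kept"
    offer = server.handle({"type": "DISCOVER", "mac": mac, "dst_port": SERVER_PORT})
    if offer is None:
        return apipa_address(mac), "apipa"
    reply = server.handle({"type": "REQUEST", "mac": mac,
                           "requested": offer["yiaddr"], "dst_port": SERVER_PORT})
    if reply["type"] == "NAK":
        return None, "nak"                       # client must start over with DISCOVER
    return reply["yiaddr"], "dhcp"


if __name__ == "__main__":
    srv = DhcpServer(pool=["10.0.0.10"])                     # constructed one-address pool
    print(client_obtain_address(srv, "00:11:22:33:44:55"))  # ('10.0.0.10', 'dhcp')
    print(client_obtain_address(srv, "00:11:22:33:44:66"))  # pool empty -> APIPA address
```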
Brief explanation of RAID Levels
A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume
cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.
RAID 0 – Striping
RAID 1 – Mirroring (minimum 2 HDD required)
RAID 5 – Striping with parity (minimum 3 HDD required)
Only RAID levels 1 and 5 give redundancy.
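A worked RAID-5 example for the volume descriptions above, added here and not Windows' own code: data blocks are striped across three or more disks with the XOR parity block rotating from disk to disk, and a failed disk is rebuilt from the survivors. The sample data, disk count and block size are constructed.

```python
"""RAID-5 striping with rotating parity, and rebuild of one failed disk (added example)."""
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte blocks together: this is the parity calculation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def raid5_write(data: bytes, n_disks: int, block_size: int):
    """Lay `data` out over n_disks. Returns one list of blocks per disk."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size             # user data held by one stripe
    data = data + b"\0" * ((-len(data)) % per_stripe)   # pad the final stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity_disk = s % n_disks                       # rotate parity: no single parity disk
        parity = xor_blocks(blocks)
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks, n_bytes: int) -> bytes:
    """Read user data back, skipping the parity block of each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s, stripe in enumerate(zip(*disks)):
        out += b"".join(block for d, block in enumerate(stripe) if d != s % n_disks)
    return bytes(out[:n_bytes])


def raid5_rebuild(disks, failed: int):
    """Reconstruct every block of the failed disk as the XOR of the other disks' blocks
    in the same stripe; this works whether the lost block held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def usable_fraction(n_disks: int) -> float:
    """Share of raw capacity left for data: one disk's worth is spent on parity."""
    return (n_disks - 1) / n_disks


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"      # constructed input
    array = raid5_write(sample, 4, 8)
    array[2] = raid5_rebuild(array, 2)                           # simulate losing disk 2
    print(raid5_read(array, len(sample)) == sample)              # True
```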
What is the process of user authentication (Kerberos V5) in Windows 2000? After the user enters logon credentials, an encryption key is generated and used to encrypt the client machine's timestamp. The user name and the encrypted timestamp are sent to the domain controller for authentication. The domain controller, using the password information stored in AD for that user, decrypts the encrypted timestamp. If the produced timestamp matches its own timestamp, it provides the logon session key and account information.
What is a Global Catalog server? The Global Catalog server is the server that stores the details of each object created in the forest. The Global Catalog is the master searchable index of all objects in the forest.
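The logon flow above as an added toy model, not the Windows implementation: the client encrypts a timestamp under a key derived from its password, the domain controller decrypts it with the key it derives from the stored password, checks clock skew, and returns a session key sealed under the same key. Assumed stand-ins: a SHA-256 keystream with an HMAC tag for the Kerberos encryption types, PBKDF2 for string-to-key, and a constructed realm and account.

```python
"""Toy Kerberos V5 timestamp pre-authentication (added example, not Windows code).
A SHA-256 keystream plus HMAC tag stands in for the Kerberos encryption types and
PBKDF2 for string-to-key, so it runs on the standard library only; messages are dicts."""
import hashlib
import hmac
import os

MAX_CLOCK_SKEW = 300  # seconds: the DC rejects timestamps outside this window


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key. Client and DC both derive it from the password, so the password
    itself never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a short message (at most 32 bytes) under `key`."""
    assert len(plaintext) <= 32
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class DomainController:
    """KDC side: holds the long-term keys derived from the passwords stored in AD."""

    def __init__(self, accounts: dict, realm: str):
        self.realm = realm
        self.keys = {u: derive_key(pw, realm + u) for u, pw in accounts.items()}

    def as_request(self, user: str, enc_timestamp: bytes, dc_time: int) -> dict:
        key = self.keys.get(user)
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            ts = int.from_bytes(unseal(key, enc_timestamp), "big")
        except ValueError:
            # the client's key does not match the one derived from AD: wrong password
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        if abs(dc_time - ts) > MAX_CLOCK_SKEW:
            # a stale timestamp is refused, which limits replay of a captured request
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key = os.urandom(32)
        return {"session_key_enc": seal(key, session_key)}


def client_logon(dc, user, password, client_time, dc_time):
    """Return (session_key, status). Client and DC clocks are passed separately so
    the skew check can be exercised."""
    key = derive_key(password, dc.realm + user)
    enc_ts = seal(key, int(client_time).to_bytes(8, "big"))
    reply = dc.as_request(user, enc_ts, dc_time)
    if "error" in reply:
        return None, reply["error"]
    return unseal(key, reply["session_key_enc"]), "OK"


if __name__ == "__main__":
    dc = DomainController({"alice": "Winter2024!"}, "CORP.EXAMPLE")   # constructed
    t = 1_700_000_000
    print(client_logon(dc, "alice", "Winter2024!", t, t + 5)[1])     # OK
    print(client_logon(dc, "alice", "wrong", t, t)[1])               # KDC_ERR_PREAUTH_FAILED
    print(client_logon(dc, "alice", "Winter2024!", t, t + 900)[1])   # KRB_AP_ERR_SKEW
```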
Can the GC server and the Infrastructure master be placed on a single server? If not, explain why.
No. As the Infrastructure master does the same job as the GC, they do not work together.
What is the size of the log files created before updating ntds.dit, and how many are there? Three log files: Edb.log, Res1.log, Res2.log, each initially 10 MB.
What does SYSVOL contain? The SysVol folder contains the public information of the domain and the information for replication. Ex: Group Policy objects and scripts can be found in this directory.
Which service in Windows is responsible for replication from one domain controller to another? The KCC generates the replication topology. Replication uses SMTP / RPC to replicate changes.
How does data travel between sites in ADS replication? As determined by the site connectors.
What are the port numbers for SMTP, Kerberos, LDAP, and GC Server? SMTP 25, Kerberos 88, GC 3128, LDAP 53
What are intrasite and intersite replication? Intrasite is replication within the same site, and intersite is replication between sites.
What is the Lost & Found folder in ADS? It is the folder where you can find objects orphaned due to a conflict. Ex: you created a user in an OU that was deleted on another DC; when replication happened ADS did not find the OU, so it put the user in the Lost & Found folder.
What is Garbage collection?Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours.
What does System State data contain? It contains:
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder
How do you restore a particular OU that was deleted accidentally? Perform an authoritative restore.
What is IPSec Policy? IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec policy can be deployed via Group Policy to the Windows domain controllers and servers.
What is the order of applying Group Policy? Local policy, site policy, domain policy, OU policy.
What are the new features in Windows 2003 related to ADS, replication, and trust? ADS: groups can have more than 5000 users.
How to edit the Schema in ADS? ADSI Edit
What are Domain Local, Global and Universal groups?
Domain Local: only users within the domain.
Global groups are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.
What are the different types of Terminal Services? User Mode & Application Mode
What is meant by root DNS servers? Public DNS servers hosted on the Internet which register the DNS.
What is an SOA record? Start of Authority: the authoritative DNS server in the domain.
How do down-level clients register their names with the DNS server? Enable WINS integration with DNS.
What is RSoP? RSoP is the Resultant Set of Policy applied on the object (Group Policy).
What is the default lease period for a DHCP server? 8 days by default.
What is the process for DHCP clients to get an IP address? Discover - Order - Receive - Acknowledge
What is multicast? Multicast scopes enable you to lease Class D IP addresses to clients for participation in multicast transmissions, such as streaming video and audio transmissions.
What is superscope? Superscopes enable you to group several standard DHCP scopes into a single administrative group without causing any service disruption to network clients.
What is the system startup process? The Windows 2000 boot process on an Intel architecture:
The Power-On Self Test (POST) is run. The boot device is found, the Master Boot Record (MBR) is loaded
into memory, and its program is run. The active partition is located, and the boot sector is loaded. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
The Windows 2000 loader switches the processor to the 32-bit flat memory model.
The Windows 2000 loader starts a mini-file system. The Windows 2000 loader reads the BOOT.INI file and displays
the operating system selections (boot loader menu). The Windows 2000 loader loads the operating system selected
by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
What are WINS hybrid and mixed modes? Systems that are configured to use WINS are normally configured as hybrid (H-node) clients, meaning they attempt to resolve NetBIOS names via a WINS server and then try a broadcast (B-node) if WINS is unsuccessful. Most systems can be configured to resolve NetBIOS names in one of four modes:
Broadcast (B-node) - Clients use a broadcast only to resolve names. An enhanced B-node setting has the client use an LMHOSTS file as well. The hex value for this setting is 0x1.
Peer-to-Peer (P-node) - Clients use WINS only to resolve names. The hex value for this setting is 0x2.
Mixed (M-node) - Clients first use a broadcast in an attempt to resolve NetBIOS names. If this fails, they attempt the resolution via the WINS server. The hex value for this setting is 0x4.
Hybrid (H-node) - Clients first use the WINS service in an attempt to resolve NetBIOS names. If this fails, they attempt the resolution via broadcast. The hex value for this setting is 0x8.
What is a disk quota? A disk quota specifies limits on disk usage.
What is the port number for SMTP, Kerberos, LDAP, and GC Server? SMTP 25, Kerberos 88, GC 3268, LDAP 389
What are some of the new tools and features provided by Windows Server 2008?Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the Windows Deployment Service.
What are the different editions of Windows Server 2008? The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment? Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
How does the activation process differ on Windows Server 2008 as compared to Windows Server 2003? You can select to have activation happen automatically when the Windows Server 2008 installation is complete. Make sure that the Automatically Activate Windows When I’m online check box is selected on the Product Key page.
What are the options for installing Windows Server 2008? You can install Windows Server 2008 on a server not currently configured with a NOS (network operating system), or you can upgrade existing servers running Windows 2000 Server and Windows Server 2003.
How do you configure and manage a Windows Server 2008 core installation?This stripped-down version of Windows Server 2008 is managed from the command line.
Which Control Panel tool enables you to automate the running of server utilities and other applications?The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.
What are some of the items that can be accessed via the System Properties dialog box?You can access virtual memory settings and the Device Manager via the System Properties dialog box.
Which Windows Server utility provides a common interface for tools and utilities and provides access to server roles, services, and monitoring and drive utilities?The Server Manager provides both the interface and access to a large number of the utilities and tools that you will use as you manage your Windows server.
How are local user accounts and groups created?Local user accounts and groups are managed in the Local Users and Groups node in the Server Manager. Local user accounts and groups are used to provide local access to a server.
When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree’s root domain?Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.
What is the primary function of domain controllers?The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.
What are some of the other roles that a server running Windows Server 2008 could fill on the network?A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.
Which Windows Server 2008 tools make it easy to manage and configure a server’s roles and features?The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.

What domain services are necessary for you to deploy Windows Deployment Services on your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.

What utility is provided by Windows Server 2008 for managing disk drives, partitions, and volumes?
The Disk Manager provides all the tools for formatting, creating, and managing drive volumes and partitions.
What is the difference between a basic and a dynamic disk in the Windows Server 2008 environment?
A basic disk uses the MS-DOS partition structure; a basic disk can be divided into partitions (simple volumes). Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.

What is RAID?
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

What is the most foolproof strategy for protecting data on the network?
A regular backup of network data provides the best method of protecting you from data loss.

What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work?
The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, helps describe how data is sent and received on the network by protocol stacks.

What protocol stack is installed by default when you install Windows Server 2008 on a network server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.
When TCP/IP is configured on a Windows server (or domain client), what information is required?
You must provide at least the IP address and the subnet mask to configure an IPv4 TCP/IP client, unless that client obtains this information from a DHCP server. For IPv6 clients, the interface ID is generated automatically from the MAC hardware address on the network adapter. IPv6 can also use DHCP as a method to configure IP clients on the network.

What are two command-line utilities that can be used to check TCP/IP configurations and IP connectivity, respectively?
The ipconfig command can be used to check a computer’s IP configuration and also renew the client’s IP address if it is provided by a DHCP server. ping can be used to check the connection between the local computer and any computer on the network, using the destination computer’s IP address.
What term is used to refer to the first domain created in a new Active Directory tree?
The first domain created in a tree is referred to as the root domain. Child domains created in the tree share the same namespace as the root domain.

How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?
Installing Active Directory on a server running Windows Server 2008 provides you with the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.

What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?
When Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.

How are domain user accounts created and managed?
The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user’s password.

What type of Active Directory objects can be contained in a group?
A group can contain users, computers, contacts, and other nested groups.
What type of group is not available in a domain that is running at the mixed-mode functional level?
Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.

What types of Active Directory objects can be contained in an Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in Active Directory.

What are Active Directory sites?
Active Directory sites are physical locations on the network’s physical topology. Each regional domain that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected by IP routers. Because sites are separated from each other by a router, the domain controllers on each site periodically replicate Active Directory to update the Global Catalog on each site segment.

How can client computer accounts be added to Active Directory?
Client computer accounts can be added through the Active Directory Users and Computers snap-in. You can also create client computer accounts from the client computer by joining it to the domain via the System Properties dialog box. This requires a user account that has administrative privileges, such as a member of the Domain Administrator or Enterprise Administrator groups.

What firewall setting is required to manage client computers such as Vista clients and Windows 2008 member servers?
The Windows Firewall must allow remote administration for a computer to be managed remotely.

Can servers running Windows Server 2008 provide services to clients when they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools available to domain controllers.
What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.

What tools are involved in managing and deploying Group Policy?
GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.

How do you deal with Group Policy inheritance issues?
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from higher-level GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (higher-level) GPO.
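As an added illustration (not part of the original Q&A), the following Python models the inheritance rules just described: GPOs linked at each level of the site/domain/OU chain are applied top-down with the last one winning, Block Inheritance on a container drops non-enforced links from above it, and an enforced link is never blocked and is applied last so it overrides everything beneath it. The GPO names, settings and container chain are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Container:
    """One level of the chain (site, domain, OU, ...), listed top-down."""
    name: str
    links: list = field(default_factory=list)   # (gpo_name, enforced) in link order
    block_inheritance: bool = False


@dataclass
class Gpo:
    name: str
    settings: dict


def application_order(chain):
    """Return GPO names in the order they are applied (the last applied wins).

    Non-enforced links above the deepest container with Block Inheritance are dropped.
    Enforced links are never blocked; they are applied after all non-enforced GPOs,
    and the enforced GPO linked highest in the hierarchy is applied last.
    """
    blocked_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for gpo_name, is_enforced in container.links:
            if is_enforced:
                enforced.append(gpo_name)
            elif depth >= blocked_at:      # links on the blocking container itself still apply
                normal.append(gpo_name)
    return normal + list(reversed(enforced))


def resultant_settings(chain, gpos):
    """Merge settings in application order; returns (settings, winning GPO per setting)."""
    result, source = {}, {}
    for name in application_order(chain):
        for key, value in gpos[name].settings.items():
            result[key], source[key] = value, name
    return result, source


# Constructed sample: a domain with one enforced baseline and a Sales OU that blocks inheritance.
GPOS = {g.name: g for g in [
    Gpo("Default Domain Policy", {"MinPasswordLength": 8, "ScreenSaverTimeout": 900}),
    Gpo("Corp Security Baseline", {"ScreenSaverTimeout": 600, "FirewallEnabled": True}),
    Gpo("Sales Desktop", {"ScreenSaverTimeout": 3600, "Homepage": "http://intranet.example"}),
]}

DOMAIN = Container("corp.example (domain)",
                   [("Default Domain Policy", False), ("Corp Security Baseline", True)])
SALES_OU_BLOCKED = Container("OU=Sales", [("Sales Desktop", False)], block_inheritance=True)
SALES_OU_OPEN = Container("OU=Sales", [("Sales Desktop", False)])

if __name__ == "__main__":
    for ou in (SALES_OU_BLOCKED, SALES_OU_OPEN):
        settings, winner = resultant_settings([DOMAIN, ou], GPOS)
        print("block inheritance =", ou.block_inheritance, "->", settings, winner)
```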
How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.

What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.

What types of zones would you want to create on your DNS server so that both queries to resolve hostnames to IP addresses and queries to resolve IP addresses to hostnames are handled successfully?
You would create both a forward lookup zone and a reverse lookup zone on your Windows Server 2008 DNS server.

What tool enables you to manage your Windows Server 2008 DNS server?
The DNS snap-in enables you to add or remove zones and to view the records in your DNS zones. You can also use the snap-in to create records such as a DNS resource record.

In terms of DNS, what is a caching-only server?
A caching-only DNS server supplies information related to queries based on the data it contains in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured with any zones, they do not generate network traffic related to zone transfers.
How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.

What TCP/IP configuration parameters can be provided to a DHCP client?
The DHCP server can supply a DHCP client with an IP address and subnet mask. It can also optionally include the default gateway address, the DNS server address, and the WINS server address to the client.

How can you configure the DHCP server so that it provides certain devices with the same IP address each time the address is renewed?
You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use the ipconfig or nbtstat command-line utilities to determine the MAC address for a network device such as a computer or printer.

To prevent rogue DHCP servers from running within a domain, what is required for your DHCP server to function?
The DHCP server must be authorized in Active Directory before it can function in the domain.
What is DHCP?
DHCP stands for "Dynamic Host Configuration Protocol". DHCP is a communications protocol that lets network administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network. DHCP assigns IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP addresses and the additional configuration parameters these devices need, called DHCP options, which allow them to connect to other network resources, such as DNS servers, WINS servers and routers.
DHCP automatically assigns IP addresses and other network configuration information (subnet mask, broadcast address, etc.) to computers on a network. A client configured for DHCP will send out a broadcast request to the DHCP server requesting an address. The DHCP server will then issue a "lease" and assign it to that client. The time period of a valid lease can be specified on the server. DHCP reduces the amount of time required to configure clients and allows one to move a computer between networks and have it configured with the appropriate IP address, gateway and subnet mask.
Who created it? How was it created?
DHCP was created by the Dynamic Host Configuration Working Group of the Internet Engineering Task Force (IETF; a volunteer organization which defines protocols for use on the Internet). As such, its definition is recorded in an Internet RFC and the Internet Activities Board (IAB) is asserting its status as to Internet Standardization. As of this writing (June 1998), DHCP is an Internet Draft Standard Protocol and is Elective. BOOTP is an Internet Draft Standard Protocol and is Recommended.

At what layer of OSI does it function?
DHCP works at the Data Link Layer (Layer 2).

What is DORA?
Finally, the chosen DHCP server sends the lease information (the IP address, potentially a subnet mask, DNS server, WINS server, WINS node type, domain name, and default gateway) to the workstation in a message called the DHCP ACK (data communications jargon for acknowledge). You can remember the four parts of a DHCP exchange by the mnemonic DORA: Discover, Offer, Request, and ACK.
What is the default lease period in DHCP client/server communication?
The default lease is 8 days, after which a computer has to renew its use of the address it has been leased by your DHCP server.
There are certain situations, however, when you might want to lengthen this lease period to several weeks or months or even longer. These situations include (a) when you have a stable network where computers are neither joined, removed nor relocated; (b) when you have a large pool of available IP addresses to lease from; or (c) when your network is almost saturated with very little available bandwidth and you want to reduce DHCP traffic to increase available bandwidth (not by much, but sometimes every little bit helps).

How can you back up the configuration file of a DHCP server?
The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:
1. Start the registry editor.
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval.
3. Double-click BackupInterval and set it to the number of minutes between backups. Click OK.
4. Close the registry editor.
5. Stop and restart the DHCP Server service (Start - Settings - Control Panel - Services - DHCP Server - Stop and Start).
You can also back up the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.
Have you maintained or created any technical reference documentation on DHCP server/client?
Yes.

What TCP/IP port numbers are used for the DHCP service?
DHCP uses the same two IANA-assigned ports as BOOTP: 67/udp for the server side, and 68/udp for the client side.
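The following Python is an added example (not from the original Q&A): a minimal builder and parser for DHCP messages in the RFC 2131 layout, used to walk through the DORA exchange on ports 67/68 described above and then to flag OFFER/ACK messages whose server identifier (option 54) is not an authorized DHCP server, the check an administrator wants when hunting for rogue DHCP servers on a segment. The MAC address, server addresses and lease values are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes, then the magic cookie.
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Build one DHCP message: fixed header, magic cookie, option 53 plus extra options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast bit set
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, data in options:
        body += bytes([code, len(data)]) + data
    return header + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Decode the fields a monitor cares about: type, transaction id, offered IP, server id, lease."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg = {
        "op": f[0], "xid": f[4],
        "yiaddr": str(IPv4Address(f[8])),
        "mac": ":".join(f"{b:02x}" for b in f[11][:6]),
        "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
    }
    if OPT_SERVER_ID in opts:
        msg["server_id"] = str(IPv4Address(opts[OPT_SERVER_ID]))
    if OPT_LEASE_TIME in opts:
        msg["lease"] = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    return msg


def dora(mac, server_ip, offered_ip, lease_seconds, xid=0x3903F326):
    """The four-step exchange as (src_port, dst_port, bytes): DISCOVER, OFFER, REQUEST, ACK."""
    lease = (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))
    sid = (OPT_SERVER_ID, IPv4Address(server_ip).packed)
    return [
        (CLIENT_PORT, SERVER_PORT, build(BOOTREQUEST, xid, mac, 1)),
        (SERVER_PORT, CLIENT_PORT, build(BOOTREPLY, xid, mac, 2, offered_ip, [sid, lease])),
        (CLIENT_PORT, SERVER_PORT, build(BOOTREQUEST, xid, mac, 3,
                                         options=[sid, (OPT_REQUESTED_IP, IPv4Address(offered_ip).packed)])),
        (SERVER_PORT, CLIENT_PORT, build(BOOTREPLY, xid, mac, 5, offered_ip, [sid, lease])),
    ]


def rogue_offers(packets, authorized):
    """Flag OFFER/ACK messages whose server identifier is not an authorized DHCP server."""
    hits = []
    for _src, _dst, raw in packets:
        m = parse(raw)
        if m["type"] in ("OFFER", "ACK") and m.get("server_id") not in authorized:
            hits.append((m["type"], m.get("server_id"), m["yiaddr"], m["mac"]))
    return hits


if __name__ == "__main__":
    authorized = {"10.0.0.2"}                                    # constructed: the AD-authorized server
    capture = dora("00:11:22:33:44:55", "10.0.0.2", "10.0.0.50", 8 * 86400)   # default 8-day lease
    capture += dora("00:11:22:33:44:55", "10.0.0.99", "10.0.0.77", 3600)      # constructed rogue server
    for _src, _dst, raw in capture:
        print(parse(raw))
    print("rogue:", rogue_offers(capture, authorized))
```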
What is a VLAN?
A virtual LAN, commonly known as a vLAN or VLAN, is a method of creating independent logical networks within a physical network. A VLAN consists of a network of computers that behave as if connected to the same wire, even though they may actually be physically connected to different segments of a LAN. Network administrators configure VLANs through software rather than hardware, which makes them extremely flexible.

How is DHCP different from VLANs?
DHCP and VLANs, which are very different in concept, are sometimes cited as different solutions to the same problem. While they have a goal in common (easing moves of networked computers), VLANs represent a more revolutionary change to a LAN than DHCP. A DHCP server and forwarding agents can allow you to set things up so that you can unplug a client computer from one network or subnet and plug it into another and have it come alive immediately, having been reconfigured automatically. In conjunction with Dynamic DNS, it could automatically be given the same name in its new place. VLAN-capable LAN equipment with dynamic VLAN assignment allows you to configure things so a client computer can be plugged into any port and have the same IP number (as well as name) and be on the same subnet. The VLAN-capable network either has its own configuration that lists which MAC addresses are to belong to each VLAN, or it makes the determination from the source IP address of the IP packets that the client computer sends. Some differences in the two approaches:
· DHCP handles changes by reconfiguring the client, while a VLAN-capable network handles them by reconfiguring the network port the client is moved to.
· DHCP dynamic reconfiguration requires a DHCP server, a forwarding agent in each router, and DHCP capability in each client's TCP/IP support. The analogous capability in VLANs requires that all hubs throughout the network be VLAN-capable, supporting the same VLAN scheme. To this point VLAN support is proprietary with no vendor interoperability, but standards are being developed.
· DHCP can configure a new client computer for you, while a VLAN-capable network can't.
· DHCP is generally aimed at giving "easy moves" capability to networks that are divided into subnets on a geographical basis, or on separate networks. VLANs are generally aimed at allowing you to set up subnets on some basis other than geographical, e.g. instead of putting everyone in one office on the same subnet, putting each person on a subnet that has access to the servers that person requires.
· There is an issue with trying to use DHCP (or BOOTP) and VLANs at the same time, in particular with the scheme by which the VLAN-capable network determines the client's VLAN from the client computer's source IP address. Doing so assumes the client computer is already configured, which precludes using the network to get the configuration information from a DHCP or BOOTP server.
What is a DHCP relay agent?
The DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay agent that relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different IP networks.

How does a DHCP relay agent work?
A DHCP relay agent is an agent program or component responsible for relaying DHCP and BOOTP (Bootstrap Protocol) broadcast messages between a DHCP server and a client across an IP router. A DHCP relay agent supports DHCP/BOOTP message relay as defined in RFC (Request for Comments) 1541 and 2131. The DHCP relay agent service is managed using the Routing and Remote Access service.

DHCP User Class and Vendor Class Options
DHCP provides support for a host of new features. The user-specified and vendor-specified DHCP options are features that let administrators assign separate options to clients with similar configuration requirements. For example, if DHCP-aware clients in your human resources (HR) department require a different default gateway or DNS server than the rest of your clients, you can configure DHCP Class IDs to distribute these options to HR clients. The options that Class IDs provide override any scope or global default options that the DHCP server typically assigns.

Option Classes
There are two option class types: User Class and Vendor Class. User Classes assign DHCP options to a group of clients that require similar configuration; Vendor Classes typically assign vendor-specific options to clients that share a common vendor type. For example, with Vendor Classes you can assign all Dell computers DHCP options that are common to those machines. The purpose of option classes is to group DHCP options for similar clients within a DHCP scope.
What is a superscope?
A range of IP addresses that spans several subnets. The DHCP server can assign these addresses to clients that are on several subnets. A superscope is actually a collection of individual scopes. When you group different scopes together into a single superscope, you can do the following:
· Place DHCP clients from multiple network IDs on the same physical segment
· Allow remote DHCP clients from multiple network IDs to obtain an address from a DHCP server
· Place multiple DHCP servers on the same physical segment, with each DHCP server being responsible for a different scope
The superscope allows the DHCP server to answer requests from DHCP clients from different network IDs.

What is multicast?
A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be assigned to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.

What is a DHCP lease?
A DHCP lease is the amount of time for which the DHCP server grants the DHCP client permission to use a particular IP address. A typical server allows its administrator to set the lease time.
What is WSUS?
It is Microsoft Software Update Server, and it is designed to automate the process of distributing Windows operating system patches. It works by controlling the Automatic Updates applet already present on all Windows machines. Instead of many machines at UVA all going to Microsoft's website to download updates, the SUS server downloads all updates to an ITC-owned server and workstations then look there for updates.

What is the minimum free disk space required?
A minimum of 6 GB of free disk space is recommended to store the WSUS content.

How does WSUS work?
WSUS is an update component of Windows Server and offers an effective and quick way to help keep systems up to date. WSUS provides a management infrastructure consisting of the following:
Microsoft Update: The Microsoft website to which WSUS components connect for updates of Microsoft products.
Windows Server Update Services server: The server component that is installed on a computer running a Microsoft Windows 2000 Server with Service Pack 4 (SP4) or Windows Server 2003 operating system inside the corporate firewall. The WSUS server provides the features that administrators need to manage and distribute updates through a Web-based tool, which can be accessed from Internet Explorer on any Windows computer in the corporate network. In addition, a WSUS server can be the update source for other WSUS servers.
Automatic Updates: The client computer component built into Microsoft Windows Server 2003, Windows XP, and Windows 2000 with SP3 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a server running WSUS.
What are the basic requirements (hardware/software) to implement the Windows SUS server?
Server Hardware Requirements:
WSUS requires a single server for basic operation, although you can scale your WSUS implementation to larger numbers of servers if you wish. For a basic implementation of up to 500 users, hardware requirements, per Microsoft, are:
· 1GHz CPU
· 1GB RAM
You also need a network card and free disk space (around the amount described below).
Server Software Requirements:
You need the following software components:
· A supported Windows Server operating system - Windows Server 2003 is the preferred OS, but Windows 2000 is also supported. WSUS is supported on all editions of Windows Server 2003, but there are some restrictions if you use the Web Edition (see [WUS Restrictions With2k3 Web]).
· IIS - WUS is operated via IIS, so your WUS server needs to have IIS loaded. You need at least IIS 5.0.
· .NET Framework 1.1 SP1 - get this 7.982MB download from the Microsoft download site. The .NET Framework 1.1 SP1 is delivered as a hot fix installation file (see KB article KB867460 for details). This expands to 55.6 MB (58,335,654 bytes) on disk prior to installation. The installation of this hot fix also stops IIS, and requires a reboot.
· Background Intelligent Transfer Service 2.0 (BITS 2.0 English.zip) - this is a new version of BITS, at present only available to beta testers, or those on the OEP. This is a 1.34MB download.
· WSUS Setup (WSUSSetup.exe) - Like BITS V2, this is available only to beta testers or members of the OEP at present. This download is over 100MB.
· SQL database server. For Windows Server 2003, MSDE is installed during setup. For Windows 2000 it is not, and MSDE or SQL Server must be installed prior to WUS setup.
Server Disk Space Requirements:
WUS server disk space requirements fall into three categories: the WUS service, WUS updates and the WUS database.
Microsoft recommends that you have at least 6GB free disk space to store WUS content. At present, typical usage is around 1-2GB/language, although this does depend on what updates you specify and is likely to grow over time. The WSUS service installs (by default) into C:\Program Files\Update Services\. This folder takes up 365MB (371MB on disk) after the initial installation.
The WSUS database is managed by MSDE, and is installed by default into C:\WSUS\MSSQL$WSUS. This folder takes up 216 MB after the initial install and synchronization, with only 2 clients. The size of the DB grows as you add more computers, and as you manage more updates.
What TCP/IP port number is used for Windows SUS services?
WSUS uses port 8530.

What is the essential application used for the WSUS database report?
The WSUS database stores update information, event information about update actions on client computers, and WSUS server settings. Administrators have the following options for the WSUS database:
1. The Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database that WSUS can install during setup on Windows Server 2003
2. An existing Microsoft SQL Server 2000 database
3. An existing Microsoft Data Engine 2000 (MSDE) with Service Pack 3 (SP3) or later

What are the essential settings required on the WSUS client?
On the client side we have to enable Automatic Updates from the security settings. We can also enable Automatic Updates from the registry:
Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\
Type: REG_DWORD
· 0 - Disabled.
· 1 - Enable the Automatic Update client to use the SUS Server specified by the "WUServer" value.
If the client has a domain login, we can also enable automatic updates on the client side through Group Policy.
What is DNS?
DNS stands for Domain Naming System, which provides name resolution for a TCP/IP network. In addition it is a distributed database and hierarchical structure which ensures that each hostname is unique across a local and wide area network. DNS is the name resolution system of the Internet. Using DNS allows clients to resolve names of hosts to IP addresses so that communication can take place. DNS is the foundation upon which Active Directory is built.

How does DNS work?
DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. DNS resolves domain names to IP addresses using these steps:
Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.
Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.
Step 3: If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

What TCP/IP port number is used for DNS services?
Port 53 (TCP and UDP) is used for DNS services.
What are the basic requirements (hardware/software) to implement the Windows DNS server?
Server Hardware Requirements:
Microsoft's suggested minimum hardware requirements (and some Microsoft recommendations) for Windows Server 2003 (Standard) are listed here:
· CPU speed: 133MHz (550MHz recommended)
· RAM: 128MB (256MB recommended; 4GB maximum on Standard Server)
· Disk space for setup: 1.5GB
· CD-ROM drive: 12X
· Monitor: Super VGA capable of providing 800 x 600 resolution
Explain DNS zones.
A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often, sub-domains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are sub-domains within the microsoft.com domain.

Explain the zone file.
The database in a DNS server that contains the translations (mappings) between domain names and IP addresses. A zone file is made up of "resource records," which are lines of text that define the forward lookup of domains to IPs, the reverse lookup of IPs to domains, the names of DNS and mail servers, records for aliases, and other related information.

What is a primary DNS zone?
A primary DNS server holds the "master copy" of the data for a zone, and secondary servers have copies of this data which they synchronize with the primary through zone transfers at intervals or when prompted by the primary.

What is a standard primary DNS server?
A standard primary zone holds a master copy of a zone and can replicate it to all configured secondary zones in standard text format. Any changes that must be made to the zone are made on the copy stored on the primary.

What is an Active Directory-integrated DNS server?
Active Directory-integrated zones are available only on Windows 2000 and 2003 DNS servers in an Active Directory domain. The zone information is contained within the Active Directory database and is replicated using Active Directory replication. Active Directory-integrated zones provide an increased level of replication flexibility as well as security. Active Directory-integrated zones also operate in a multi-master arrangement because they are hosted within Active Directory itself; this way, any DNS server (domain controller) hosting the Active Directory-integrated zone can update the zone data.

What is a secondary DNS zone?
A standard secondary zone holds a read-only copy of the zone information in standard text format. Secondary zones are created to increase the performance and resilience of the DNS configuration. Information is transferred from the primary zone to the secondary zones.
What is a stub zone?
Microsoft introduced support for stub zones for the first time in Windows Server 2003. A stub zone contains only those resource records that are necessary to identify the authoritative DNS servers for that zone. Those resource records include Name Server (NS), Start of Authority (SOA), and possibly glue host (A) records. (Glue host records provide A record pointers to ensure that the master zone has the correct name server information for the stub zone.)
Why use stub zones? The idea behind stub zones is to speed up name resolution and reduce network traffic. This is a benefit for every network where you are able to use them.

What is forward lookup?
Forward lookup resolves a hostname to an IP address. Forward lookup zones supply the main DNS mechanism for finding Hosts (A), Name Servers (NS) or Services (_gc).

What is reverse lookup?
Reverse lookup resolves an IP address to a hostname. I think of reverse lookup as a hacker’s tool: they can PING a server's IP address and then use a reverse lookup query to discover the hostname. In truth, reverse lookup is required by NSLookup, DNSLint and other utilities.

What's the difference between a zone and a domain?
Although the two terms can seem as if they are used interchangeably, there is a difference. A DNS domain is a segment of the DNS namespace. A zone, on the other hand, can contain multiple contiguous domains. For example, quepublishing.com is a DNS domain. It contains all the information for that specific portion of the DNS namespace. sales.quepublishing.com is another example of a domain, which is contiguous with the quepublishing.com domain; in other words, the two domains "touch." So, if you were to create a DNS forward lookup zone on your DNS server, it could contain records for both domains. Zones allow for the logical grouping and management of domains and resource records on your DNS servers.
DNS resource records
A DNS zone database is made up of a collection of resource records. Each resource record specifies information about a particular object. For example, address mapping (A) records map a host name to an IP address, and reverse-lookup pointer (PTR) records map an IP address to a host name. The server uses these records to answer queries for hosts in its zone. The common DNS resource records are:
NS: Name server resource record; specifies the authoritative DNS server for the particular zone.
SOA: This resource record specifies the DNS server providing authoritative information about the zone.
A: Standard hostname resource record; contains the hostname to IP address mapping.
CNAME: This resource record allows you to use more than one name to point to a single host.
MX: This resource record is used by e-mail applications to locate a mail server within a zone.
PTR: Used to map IP addresses to their associated hostnames. These records are only used in reverse lookup zones.
SRV: This resource record is used to specify the location of specific services in a domain.
DNS with Active DirectoryActive Directory uses the same hierarchal naming convention as DNS. Because of this, the client computer uses DNS servers to locate Active Directory domain controllers and other Active Directory resources on the network.Without DNS, Active Directory couldn’t function, because client computers wouldn’t be able to locate these domain controllers and resources.Bottom line is, Active Directory is dependent on DNS. Active Directory can’t be implemented until the DNS server service is installed.
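The lookups and record types above, exercised from PowerShell, as an added example that is not part of the original Q&A. It assumes a domain named corp.example.com, a DNS server and domain controller dc01 at 10.0.0.10, and a second domain branch.example.com (master server 10.0.1.10) to host as a stub zone; all of these names and addresses are constructed. The DnsClient cmdlets ship with Windows 8 / Server 2012 and later; the DnsServer cmdlets need the DNS Server role or RSAT on the machine running them.

```powershell
# Added example (not from the original Q&A). Names and addresses below are
# constructed; replace them with your own zone and servers.
$domain = 'corp.example.com'
$dcName = "dc01.$domain"
$dcIp   = '10.0.0.10'

# Forward lookup: hostname -> IP (A record).
Resolve-DnsName -Name $dcName -Type A -Server $dcIp

# Reverse lookup: IP -> hostname (PTR record in the in-addr.arpa zone).
Resolve-DnsName -Name $dcIp -Type PTR -Server $dcIp

# Records AD clients depend on: NS and SOA for the zone, and the SRV
# record under _msdcs that a client uses to find a domain controller.
Resolve-DnsName -Name $domain -Type NS  -Server $dcIp
Resolve-DnsName -Name $domain -Type SOA -Server $dcIp
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dcIp

# Defender check (run on the DNS server): list A records whose host name is
# not in the inventory you expect. Stray records are worth a closer look.
$expectedHosts = @('dc01', 'fs01', 'web01')      # constructed inventory
Get-DnsServerResourceRecord -ZoneName $domain -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.HostName -notin $expectedHosts } |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# Stub zone: only NS, SOA and glue A records are pulled from the master, so
# this server can find the authoritative servers for branch.example.com
# without holding a full secondary copy of that zone.
Add-DnsServerStubZone -Name 'branch.example.com' `
    -MasterServers '10.0.1.10' -ReplicationScope 'Forest'

# Once the zone has loaded, the record types present should be NS, SOA
# and the glue A records only.
Get-DnsServerResourceRecord -ZoneName 'branch.example.com' |
    Select-Object HostName, RecordType
```

The `_ldap._tcp.dc._msdcs` query is the one to run first when clients report "domain not found": if it returns nothing, the DC locator cannot work regardless of how the A records look.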
What is WINS?
WINS (Windows Internet Naming Service) resolves Windows network computer names (also known as NetBIOS names) to IP addresses, allowing Windows computers on a network to easily find and communicate with each other.
How does WINS work?
By default, when a computer running Microsoft Windows 2000, Windows XP, or a Windows Server 2003 operating system is configured with WINS server addresses (either manually or through DHCP) for its name resolution, it uses hybrid node (h-node) as its node type for NetBIOS name registration unless another NetBIOS node type is configured. For NetBIOS name query and resolution, it also uses h-node behavior, but with a few differences.
For NetBIOS name resolution, a WINS client typically performs the following general sequence of steps to resolve a name:
1. The client checks to see if the name queried is its local NetBIOS computer name, which it owns.
2. The client checks its local NetBIOS name cache of remote names. Any name resolved for a remote client is placed in this cache, where it remains for 10 minutes.
3. The client forwards the NetBIOS query to its configured primary WINS server. If the primary WINS server fails to answer the query, either because it is not available or because it does not have an entry for the name, the client tries to contact the other configured WINS servers in the order they are listed and configured for its use.
4. The client broadcasts the NetBIOS query to the local subnet.
5. The client checks the Lmhosts file for a match to the query, if it is configured to use the Lmhosts file.
6. The client tries the Hosts file and then a DNS server, if it is configured for one.
What is the TCP/IP port no. used for WINS services?
137
What are the basic requirements (Hardware/Software) to implement the Windows WINS server?
Hardware Requirement: Pentium 4 - 2.8 GHz with 2 GB RAM, 80 GB hard drive / 7200 RPM
Recommended hard drive division: 20 GB system partition and 60 GB data partition
100 Mbps network adaptor or better
Screen Resolution: 1024 x 768 pixels, 256 colours (65,536 colours recommended)
Software Requirement: Windows Server 2003 Standard Edition SP1 or higher installed. Application Server Role installed: Internet Information Server 6.0, ASP.NET
What is Primary & Secondary WINS Server?
WINS servers can act as either a primary WINS server or a secondary WINS server to a client. The difference between primary and secondary WINS servers is simply the priority in which clients contact them. A primary WINS server is the first server a client contacts to perform its NetBIOS name service operations. A client contacts a secondary WINS server only when a primary WINS server is unable to fulfill the request, for example if it is unavailable when the client makes the request or unable to resolve a name for the client.
If a primary WINS server fails to fulfill a request, the client makes the same request of its secondary WINS server. If more than two WINS servers are configured for the client, the client tries the additional secondary WINS servers until the list is exhausted or one of the WINS servers successfully responds to the request. After a client uses a secondary WINS server, it periodically tries to switch back to its primary WINS server for future name service requests.
How does DNS relate to ADS?
Active Directory, which is an essential component of the Windows 2003 architecture, presents organizations with a directory service designed for distributed computing environments. Active Directory allows organizations to centrally manage and share information on network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.
You must have DNS to run Active Directory, but you don't need Active Directory to run DNS in a Windows 2000/2003 environment. AD relies heavily on DNS.
What is the Hosts File?
The "Hosts" file in Windows and other operating systems is used to associate host names with IP addresses. Host names are the www.yahoo.com addresses that you see every day. IP addresses are numbers that mean the same thing as the www words; the computers use the numbers to actually find the sites, but we have names like www.yahoo.com so humans do not need to remember long strings of numbers when they want to visit a site.
We can put names and addresses into the Hosts file so your computer does not have to ask a DNS server to translate the domain name into an IP number. This speeds up access to the host site you want to see because your computer no longer has to query other systems on the Internet for the address translation.
What is the LMHOSTS File?
A text file in a Windows network that provides name resolution of NetBIOS host names to IP addresses. The LMHOSTS file was the Windows counterpart to the HOSTS file in UNIX, but has long since given way to the WINS naming system. LM stands for "LAN Manager," the name of Microsoft's earlier network operating system (NOS).
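Because both files are consulted before DNS or WINS (steps 5 and 6 of the WINS sequence above), an unexpected line in either one silently redirects a name. The following added example, which is not part of the original Q&A, lists the active entries of the local Hosts and LMHOSTS files and warns about any Hosts entry outside an approved baseline. The baseline of approved entries is constructed; adjust it to your own build.

```powershell
# Added example (not from the original Q&A). Audits the local name files.
$etc       = Join-Path $env:SystemRoot 'System32\drivers\etc'
$hostsPath = Join-Path $etc 'hosts'
$lmPath    = Join-Path $etc 'lmhosts'      # only lmhosts.sam (a sample) ships by default

function Get-HostsEntries {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    Get-Content $Path |
        ForEach-Object { ($_ -split '#')[0].Trim() } |      # strip trailing comments
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            if ($parts.Count -lt 2) { return }              # malformed line: skip it
            [pscustomobject]@{
                Address = $parts[0]
                Names   = ($parts[1..($parts.Count - 1)] -join ' ')
            }
        }
}

# Entries approved for this host (constructed baseline).
$approved = @{ '127.0.0.1' = 'localhost'; '::1' = 'localhost' }

$entries = @(Get-HostsEntries -Path $hostsPath)
foreach ($e in $entries) {
    $known = $approved.ContainsKey($e.Address) -and $approved[$e.Address] -eq $e.Names
    if (-not $known) {
        Write-Warning "Unexpected hosts entry: $($e.Address) -> $($e.Names)"
    }
}
'hosts: {0} active entries, last written {1}' -f $entries.Count, (Get-Item $hostsPath).LastWriteTime

# LMHOSTS keeps its directives (#PRE, #DOM:) on the entry line itself, so
# only whole-line comments are dropped here.
if (Test-Path $lmPath) {
    Get-Content $lmPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
        ForEach-Object { "lmhosts: $_" }
} else {
    'lmhosts: no active file (the lmhosts.sam sample is not consulted)'
}
```

The LastWriteTime of the Hosts file is a useful timeline point during an incident: on a normal workstation it should not change after the build date.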
What is a Firewall? What are the essential settings used in a Firewall?
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques; the basic ones are given below:
· Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
· Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
· Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
· Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
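The packet-filter technique above, applied to the Windows host firewall, as an added example that is not part of the original Q&A. It uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later; the management subnet 10.0.0.0/24 is a constructed value. The weak rule is shown commented out beside the corrected one, and the final query lists the inbound allow rules that are open to any source address, which is the review an administrator would want after someone else has configured the host.

```powershell
# Added example (not from the original Q&A). Subnet below is constructed.
$mgmtSubnet = '10.0.0.0/24'

# Default posture: drop inbound, allow outbound, and log dropped packets so
# the filter produces evidence as well as enforcement.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Weak rule (left commented out): RDP reachable from any source address.
# New-NetFirewallRule -DisplayName 'RDP (any source)' -Direction Inbound `
#     -Protocol TCP -LocalPort 3389 -Action Allow

# Corrected rule: same service, but only from the management subnet and
# only on the Domain profile.
New-NetFirewallRule -DisplayName 'RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

# Review: every enabled inbound allow rule whose remote address is "Any".
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    } | Format-Table -AutoSize
```

Packet filtering cannot distinguish a spoofed source address from a real one, which is the weakness the text names; restricting by subnet still helps because the reply to a spoofed packet goes to the spoofed address, not the attacker, so the restriction removes the easy case without being a complete defense.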
What is Proxy server?
In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
What is VPN?
A VPN gives extremely secure connections between private networks linked through the Internet. It allows remote computers to act as though they were on the same secure, local network.
What are the types of protocols used in VPN?
There are two types of protocols used in VPN: PPTP and L2TP.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks, such as the Internet.
L2TP: Layer 2 Tunneling Protocol is an emerging Internet Engineering Task Force (IETF) standard that combines the features of two existing tunneling protocols: Cisco's Layer 2 Forwarding and Microsoft's Point-to-Point Tunneling Protocol. L2TP is an extension to the Point-to-Point Protocol (PPP).
What is Terminal Services?
Terminal Services is a component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection. Terminal Services is Microsoft's take on server-centric computing, which allows individual users to access network resources easily.
What is a Directory Service?
A directory service is a software application that stores and organizes information about networked computers, users, and network resources, and that allows network administrators to manage users' access to those resources.
What is Active Directory?
Active Directory is an implementation of LDAP directory services. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. Active Directory stores information and settings related to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects to a large installation with millions of objects.
What is Active Directory Services?
Active Directory is a directory service used to store information about the network resources across a domain.
What are the components of Active Directory (Hierarchy)?
The components of Active Directory are Domain, Forest, Tree, Organizational Unit, Schema, Group Policy Objects and Global Catalog.
What is a Tree (Logical Component)?
Domain trees are a hierarchical grouping of one or more domains that share a single DNS namespace, have one or more child domains, and are connected by transitive trust relationships. Example: ttsl.com is the root and mah.ttsl.com is a child.
What is a Forest (Logical Component)?
A forest is a group of one or more domain trees which share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory domain controller is installed on the network. The first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.
What is a Domain (Logical Component)?
A domain is a logical grouping of networked computers in which more than one computer has shared resources. (Domains are the fundamental units that make up Active Directory.)
What is an OU (Logical Component)?
An OU is an administrative-level container object in ADS that organizes users, computers, groups and other organizational units together so that any changes, security privileges or other administrative tasks can be accomplished more efficiently.
What is a Domain Controller (Physical Component)?
Domain controllers are the physical storage location for the Active Directory Services database.
What are Sites (Physical Component)?
A site is a physical component of Active Directory that is used to define and represent the physical topology of a network.
What is an Object?
Active Directory objects are the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. For example, when we create a user object, Active Directory assigns the globally unique identifier (GUID), and we provide values for such attributes as the user's given name, surname, the logon identifier, and so on.
What is the Schema?
The schema defines the types of objects and the attributes that each object has. The schema is what defines a user account, for example. A user account must have a name, a password, and a unique SID. A user account can also have many additional attributes, such as location, address, phone number, e-mail addresses, terminal services profiles, and so on.
What are Schema Classes & Attributes?
Every directory object you create is an instance of an object class contained in the schema. Each object class contains a list of associated attributes that determine the information the object can contain. Classes and attributes are defined independently, so that a single attribute can be associated with multiple classes. All schema classes and attributes are defined by the classSchema and attributeSchema objects, respectively.
What is the Global Catalog?
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
What is Universal Group Membership Caching?
In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to cache logon credentials so that the global catalog does not have to be contacted for subsequent user logons.
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a networking protocol for querying and modifying directory services running over TCP/IP. The TCP port for LDAP is 389. LDAP Version 5.
What are IIS services?
IIS services are used to publish web-based applications.
What is the TCP/IP port no. for Global Catalog? 3268
What is the TCP/IP port no. for LDAP? 389
What is the TCP/IP port no. for RDP? 3389
What is the TCP/IP port no. for SNMP? 161, 162
What is the TCP/IP port no. for SMTP? 25
What is the TCP/IP port no. for POP3? 110
What is the TCP/IP port no. for IMAP? 143
What is the TCP/IP port no. for HTTP? 80
What is the TCP/IP port no. for HTTPS? 443
What is the TCP/IP port no. for TELNET? 23
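Knowing the numbers is half of the interview answer; the other half is checking which of them a given host actually answers on. The following added example, which is not part of the original Q&A, probes a host against the TCP ports in the table above (SNMP is UDP and is left out, since Test-NetConnection only tests TCP). The host name dc01.corp.example.com is constructed; Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the original Q&A). Host name below is constructed.
$portTable = [ordered]@{
    'LDAP'           = 389
    'Global Catalog' = 3268
    'RDP'            = 3389
    'SMTP'           = 25
    'POP3'           = 110
    'IMAP'           = 143
    'HTTP'           = 80
    'HTTPS'          = 443
    'TELNET'         = 23
}

function Test-ListeningPorts {
    param(
        [string]$ComputerName,
        [System.Collections.IDictionary]$Ports
    )
    foreach ($name in $Ports.Keys) {
        $result = Test-NetConnection -ComputerName $ComputerName -Port $Ports[$name] `
                      -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Port    = $Ports[$name]
            Open    = $result.TcpTestSucceeded
        }
    }
}

# A domain controller is expected to answer on 389 and 3268. TELNET (23) or
# the clear-text mail ports answering on a DC are findings, not features.
Test-ListeningPorts -ComputerName 'dc01.corp.example.com' -Ports $portTable |
    Format-Table -AutoSize
```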
What are the important operations master roles in Active Directory?
In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
• Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
• Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
• Infrastructure Master: Responsible for maintaining all inter-domain object references. In other words, the infrastructure master informs certain objects (such as groups) that other objects (such as users in another domain) have been moved, changed, or otherwise modified. This update is needed only in a multiple-domain environment.
• Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
• PDC Emulator: Used whenever a domain contains non-Active Directory computers. It acts as a Windows NT primary domain controller (PDC) for legacy client operating systems, as well as for Windows NT backup domain controllers (BDCs). The PDC emulator also processes password changes and receives preferential treatment within the domain for password updates. If another domain controller is unable to authenticate a user because of a bad password, the request is forwarded to the PDC emulator. The PDC emulator performs this additional (and important) operations master role whether or not there are any BDCs in the domain.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool.
How can we view all FSMO roles using the command prompt?
Ntdsutil.exe
How can we transfer the Schema Master role?
Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.
How can we transfer the Domain Naming Master role?
Transfer the Domain Naming Master Role
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following: In the Enter the name of another domain controller box, type the name of the domain controller that will be the new control
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
How can we transfer the PDC Emulator, RID Master and Infrastructure Master roles?
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following: In the Enter the name of another domain controller box, type the name of the domain controller that will be the new control
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
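The same view-and-transfer procedure done from PowerShell, as an added example that is not part of the original Q&A (the page's own methods are Ntdsutil.exe and the MMC snap-ins). It uses the ActiveDirectory module that ships with RSAT on Windows Server 2008 R2 and later, which did not exist for the Windows Server 2003 systems the text describes; the target domain controller name dc02 is constructed.

```powershell
# Added example (not from the original Q&A). Requires the ActiveDirectory
# module; 'dc02' is a constructed target name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Two forest-wide roles live on the forest object, three per-domain
    # roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Before: who holds what. (The built-in equivalent is:  netdom query fsmo)
Get-FsmoRoleHolders | Format-List

# Transfer (not seize): the current holder must be online and reachable.
# The two forest-wide roles need Schema Admins / Enterprise Admins rights;
# the three domain roles need Domain Admins.
$newHolder = 'dc02'
Move-ADDirectoryServerOperationMasterRole -Identity $newHolder `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity $newHolder `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# After: confirm the change is visible from the DC you are connected to.
Get-FsmoRoleHolders | Format-List
```

Adding `-Force` to Move-ADDirectoryServerOperationMasterRole turns the transfer into a seize, which is only appropriate when the old holder is permanently gone; a seized role holder that later comes back online produces two servers claiming the same role. Role moves are rare events in a healthy forest, so the "before" output is worth keeping as a baseline to compare against.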
What will happen if the Schema Master fails?
No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.
What will happen if the Domain Naming Master fails?
The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.
What will happen if the RID Master fails?
The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.
What will happen if the PDC Emulator fails?
The server holding the PDC Emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and if you are using down-level clients (NT and Win9x). Since the PDC Emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of the PDC Emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC Emulator.
What will happen if the Infrastructure Master fails?
This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.
What are the basic requirements (Hardware/Software) to implement the Windows ADS server?
Minimum requirements:
Processor: Single 550 MHz PIII or comparable
Memory: 512 MB of RAM
Hard Disks: Two 9 GB - Mirrored
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers - Redundancy
Recommended requirements:
Processor: Dual Intel Xeon or comparable
Memory: 1 GB of RAM
Hard Disks: Three 9 GB - RAID5
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers - Redundancy
Desktop/Member Server Requirements:
Windows desktop OS should be at least Windows 2000 and have hardware to support such, to receive benefit from the GTAD service.
Windows member servers should be at the Windows 2000 level and have hardware to support such.
What is the difference between Intersite & Intrasite Replication?
There are two types of replication traffic in Active Directory, intrasite and intersite. Intrasite replication traffic is between domain controllers within the same site. Intersite replication traffic is between domain controllers in different sites. The KCC tunes intrasite replication to minimize replication latency, whereas it tunes intersite replication to minimize bandwidth usage.
Intrasite: Traffic is uncompressed.
Intersite: Traffic is compressed (to save bandwidth).
Intrasite: Replication partners notify each other when changes must be replicated (to reduce latency).
Intersite: Replication partners do not notify each other (to save bandwidth).
Intrasite: Replication partners poll one another periodically.
Intersite: Replication partners poll one another during scheduled intervals only.
Intrasite: RPC over IP transport only.
Intersite: RPC over IP or SMTP over IP transports.
Intrasite: Replication connections can be created between any two domain controllers in the same site.
Intersite: Replication connections can only be created between bridgehead servers. A bridgehead server is designated by the KCC. A bridgehead server is a domain controller that has been designated to perform all intersite replication for a particular site.
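The objects behind the two replication types (sites, site links and the KCC's connection objects) can be read out directly, which is the quickest way to see which DC is a bridgehead and on what schedule a site link replicates. The following is an added example, not part of the original Q&A (the page's own tool is Replmon); it needs the ActiveDirectory module from RSAT on Windows Server 2008 R2 or later, and reports whatever sites and links exist in the forest you run it in.

```powershell
# Added example (not from the original Q&A). Requires the ActiveDirectory
# module; reads the live forest, no constructed names needed.
Import-Module ActiveDirectory

# Sites, and the DCs in each: DCs in the same site are intrasite partners.
Get-ADReplicationSite -Filter * | ForEach-Object {
    $siteName = $_.Name
    $dcs = Get-ADDomainController -Filter { Site -eq $siteName } |
               Select-Object -ExpandProperty HostName
    [pscustomobject]@{ Site = $siteName; DomainControllers = ($dcs -join ', ') }
}

# Site links carry intersite replication: cost, polling interval and the
# sites they join. The interval is the "scheduled intervals only" in the
# table above.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }

# Connection objects generated by the KCC. Intersite connections terminate
# on the bridgehead servers; AutoGenerated = False marks a manual one.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer,
                  ReplicateToDirectoryServer, AutoGenerated

# Replication health: per-partner summary, then any recorded failures.
repadmin /replsummary
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime
```

A connection object that is not AutoGenerated, or a site link whose cost or interval differs from the documented design, deserves a change-control lookup: both are ways to quietly alter where directory data flows.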
What are Groups?
Groups are Active Directory (or local computer) objects that can contain users, contacts, computers, and other groups. In Windows 2003, groups are created in domains, using the Active Directory Users and Computers tool. You can create groups in the root domain, in any other domain in the forest, in any organizational unit, or in any container class object (such as the default Users container). Like user and computer accounts, groups are Windows 2000 security principals; they are directory objects to which SIDs are assigned at creation.
What is a Distribution Group? (Group Type)
These are used for non-security purposes by applications other than Windows. One of the primary uses is within e-mail. As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.
What is a Security Group? (Group Type)
Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.
What is a Global Group? (Group Scope)
This group's permissions and rights exist in the group's domain and in domains that have a trust relationship with the group's domain. Global groups may be given the rights and permissions of local groups.
What is a Domain Local Group? (Group Scope)
Created on Active Directory domain controllers and used to manage access to resources in the domain.
What is a Universal Group? (Group Scope)
Contains users from multiple domains that perform similar tasks or share resources across the domains. Any group or user in any domain can be a member of a universal group.
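An inventory of groups by type and scope is the practical follow-up to the definitions above: it shows where the security groups (the ones that carry a SID and can be granted permissions) sit, and which universal groups span domains. The following is an added example, not part of the original Q&A; it needs the ActiveDirectory module and reads the domain you are joined to.

```powershell
# Added example (not from the original Q&A). Requires the ActiveDirectory
# module; reads the current domain.
Import-Module ActiveDirectory

$groups = Get-ADGroup -Filter * -Properties GroupCategory, GroupScope, Members, Mail

# Counts per (type, scope) pair, e.g. "Security, Global".
$groups | Group-Object GroupCategory, GroupScope |
    Select-Object Name, Count | Sort-Object Name

# Universal security groups: their membership is held in the global catalog
# and may include principals from other domains, so list them with sizes.
$groups |
    Where-Object { $_.GroupCategory -eq 'Security' -and $_.GroupScope -eq 'Universal' } |
    ForEach-Object {
        [pscustomobject]@{ Group = $_.Name; Scope = $_.GroupScope; MemberCount = $_.Members.Count }
    }

# Security groups that are also mail-enabled: these serve as distribution
# lists as the text describes, and so grant permissions *and* receive mail.
$groups |
    Where-Object { $_.GroupCategory -eq 'Security' -and $_.Mail } |
    Select-Object Name, GroupScope, Mail

# Distribution groups have no SID-based rights; confirm none are referenced
# where a security group was intended by listing them for review.
$groups | Where-Object { $_.GroupCategory -eq 'Distribution' } |
    Select-Object Name, GroupScope
```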
What is Group Policy?
Group Policies are configuration settings applied to computers or users as they are initialized. All Group Policy settings are contained in Group Policy Objects (GPOs) applied to Active Directory sites, domains, or organizational units. Group Policy is an administrative tool for managing users' settings and computer settings across a domain network.
What is a Group Policy Object?
A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users.
What are the three types of Group Policy Objects? How does Group Policy inheritance work? What is LSDO?
LSDO: Local policies are applied first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.
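The processing order above is what the Resultant Set of Policy report shows for a specific computer and user, and the link inventory shows where each GPO sits in that order and whether its link is enforced (an enforced link wins over conflicting settings linked lower down). The following is an added example, not part of the original Q&A; it needs the GroupPolicy module from RSAT, and the names ws01 and corp\alice are constructed.

```powershell
# Added example (not from the original Q&A). Requires the GroupPolicy
# module; 'ws01' and 'corp\alice' are constructed names.
Import-Module GroupPolicy

# Resultant Set of Policy for one computer/user pair: the report lists the
# applied GPOs in precedence order (Local, Site, Domain, OU, nested OU).
Get-GPResultantSetOfPolicy -Computer 'ws01' -User 'corp\alice' `
    -ReportType Html -Path "$env:TEMP\rsop-ws01.html"

# The same information at the console for the machine you are logged on to.
gpresult /r /scope:computer
gpresult /r /scope:user

# Where every GPO is linked, and whether the link is enabled or enforced.
# The XML report's LinksTo element carries SOMPath (site, domain or OU),
# Enabled and NoOverride (the "Enforced" flag).
Get-GPO -All | ForEach-Object {
    $gpo = $_
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = $link.SOMPath
            Enabled  = $link.Enabled
            Enforced = $link.NoOverride
        }
    }
} | Sort-Object LinkedTo | Format-Table -AutoSize
```

A GPO linked at the domain or site level with Enforced = true overrides every OU below it; that is the link worth reviewing first when a setting on a workstation is not what the OU's own GPO says it should be.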
What is the difference between FAT, FAT32 & NTFS, and what are they?
Following are Microsoft's Windows Glossary definitions for each of the three file systems:
1. File Allocation Table (FAT): A file system used by MS-DOS and other Windows-based operating systems to organize and manage files. The file allocation table (FAT) is a data structure that Windows creates when you format a volume by using the FAT or FAT32 file systems. Windows stores information about each file in the FAT so that it can retrieve the file later.
2. FAT32: A derivative of the File Allocation Table (FAT) file system. FAT32 supports smaller cluster sizes and larger volumes than FAT, which results in more efficient space allocation on FAT32 volumes.
3. NTFS: An advanced file system that provides performance, security, reliability, and advanced features that are not found in any version of FAT. For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. In Windows 2000 and Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas, and compression.
NTFS File System:
1. NTFS is the best file system for large drives. Unlike FAT and FAT32, performance with NTFS does not degrade as drive size increases.
2. One of the major security features in NTFS is encryption, in other words the process of disguising a message or data in such a way as to hide its substance.
3. Another feature in NTFS is disk quotas. It gives you the ability to monitor and control the amount of disk space used by each user.
4. Using NTFS, you can keep access control on files and folders and support limited accounts. In FAT and FAT32, all files and folders are accessible by all users no matter what their account type is.
5. Domains can be used to tweak security options while keeping administration simple.
6. Compression available in NTFS enables you to compress files, folders, or whole drives when you're running out of disk space.
7. Removable media (such as tapes) are made more accessible through the Remote Storage feature.
8. Recovery logging helps you restore information quickly if power failures or other system problems occur.
9. You can convert a FAT or FAT32 volume to NTFS in two ways:
1. Back up all your data before formatting: So you want to start with a 'clean' drive but can't afford losing your precious files? Very simple, all you need to do is back up your files to an external hard drive or a partition other than the one you want to convert, or burn the data onto CDs. After you're done you can format the drive with NTFS.
2. Use the convert command from the command prompt: This way, you don't need to back up. All files are preserved as they are. However, I recommend a backup. You don't know what might go wrong, and besides, what would you lose if you do back up? When I converted to NTFS using convert.exe, everything went smoothly. Chances are your conversion will be equally smooth.
IMPORTANT NOTE: This is a one-way conversion. Once you've converted to NTFS, you can't go back to FAT or FAT32 unless you format the drive.
1. Open Command Prompt: Start | All Programs | Accessories | Command Prompt, or Start | Run | type "cmd" without quotes | OK.
2. Type "convert <drive letter>: /fs:ntfs" and press Enter. For example, type "convert C: /fs:ntfs" (without quotes) if you want to convert drive C.
3. If you're asked whether you want to dismount the drive, agree.
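The conversion steps above wrapped in the checks an administrator wants around them: confirm the current file system, refuse to proceed without a backup copy, convert, and then verify and switch on quota tracking, one of the NTFS features listed in the text. This is an added example, not part of the original Q&A; the drive letter D and the backup path E:\backups are constructed values, and the fsutil, robocopy and convert commands it calls are the standard Windows tools.

```powershell
# Added example (not from the original Q&A). Drive letter and backup path
# are constructed; run from an elevated PowerShell prompt.
$drive        = 'D'
$backupTarget = 'E:\backups'

function Get-VolumeFileSystem {
    # Parses "File System Name : NTFS" out of fsutil's output; works on
    # Windows Server 2003 and later without the Storage module.
    param([string]$DriveLetter)
    $line = fsutil fsinfo volumeinfo "${DriveLetter}:" | Select-String 'File System Name'
    if (-not $line) { throw "Could not read file system of ${DriveLetter}:" }
    ($line.ToString() -split ':')[-1].Trim()
}

$fs = Get-VolumeFileSystem -DriveLetter $drive
"{0}: is currently {1}" -f $drive, $fs
if ($fs -eq 'NTFS') {
    "Nothing to do: ${drive}: is already NTFS."
    return
}

# The conversion is one-way and, if interrupted, the backup is the only
# copy. Mirror the volume before touching it.
if (-not (Test-Path $backupTarget)) {
    throw "Backup target $backupTarget is not present; aborting before conversion."
}
robocopy "${drive}:\" (Join-Path $backupTarget $drive) /E /COPY:DAT /R:1 /W:1 `
    /LOG:(Join-Path $backupTarget "copy-$drive.log")
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); aborting." }

# Convert in place. If the volume is in use, convert asks to dismount it,
# or schedules the conversion for the next boot on the system drive.
convert "${drive}:" /fs:ntfs

# Verify, then enable quota tracking, one of the NTFS features the text lists.
$fs = Get-VolumeFileSystem -DriveLetter $drive
"{0}: is now {1}" -f $drive, $fs
if ($fs -eq 'NTFS') {
    fsutil quota track "${drive}:"
    icacls "${drive}:\"          # show the root ACL the volume now carries
}
```

Exit codes from robocopy below 8 mean files were copied or skipped without error; 8 and above indicate at least one failure, which is why the script stops there rather than converting a volume it has not fully mirrored.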
What are Permissions?
Permissions are a key component of the Windows Server 2003 security architecture that you can use to manage the process of authorizing users, groups, and computers to access objects on a network.
What is a Backup?
To copy files to a second medium (a disk or tape) as a precaution in case the first medium fails.
What are the types of Backup?
There are five types of backup in Windows 2003: Copy, Normal, Incremental, Daily and Differential.
Explain the difference between Incremental & Differential Backup.
A differential backup backs up only the files that changed since the last full backup. For example, suppose you do a full backup on Sunday. On Monday you back up only the files that changed since Sunday, on Tuesday you back up only the files that changed since Sunday, and so on until the next full backup. Differential backups are quicker than full backups because much less data is being backed up. But the amount of data being backed up grows with each differential backup until the next full backup. Differential backups are more flexible than full backups, but still unwieldy to do more than about once a day, especially as the next full backup approaches.
Incremental backups also back up only the changed data, but they only back up the data that has changed since the last backup, be it a full or an incremental backup. They are sometimes called "differential incremental backups," while differential backups are sometimes called "cumulative incremental backups." Confused yet? Don't be.
How can we take a backup of ADS?
We can take the ADS backup through ntbackup by selecting the System State backup.
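Windows backup tools decide what an incremental or differential job copies by the file's archive attribute: any write sets it, a Normal (full) or Incremental job clears it after copying, and a Differential job leaves it set, which is exactly why a differential grows until the next full backup while an incremental only holds the changes since the last backup of any kind. The following added example, not part of the original Q&A, reproduces that selection logic on a scratch folder so the difference can be watched, and ends with the NTBackup system state command the answer above refers to. Paths are constructed under %TEMP%.

```powershell
# Added example (not from the original Q&A). Works on a scratch folder under
# %TEMP%; nothing outside it is touched.
$src  = Join-Path $env:TEMP 'backup-demo\data'
$dest = Join-Path $env:TEMP 'backup-demo\out'
New-Item -ItemType Directory -Force -Path $src, $dest | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $src "file$_.txt") -Value 'v1' }
# Creating or writing a file sets its archive attribute.

$script:setNumber = 0
function Invoke-DemoBackup {
    param(
        [ValidateSet('Full', 'Incremental', 'Differential')][string]$Type,
        [string]$Source,
        [string]$Target
    )
    $files = Get-ChildItem -Path $Source -File
    if ($Type -ne 'Full') {
        # Incremental and Differential both select only files with the bit set.
        $files = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Archive })
    }
    $script:setNumber++
    $set = Join-Path $Target ('{0:D2}-{1}' -f $script:setNumber, $Type)
    New-Item -ItemType Directory -Force -Path $set | Out-Null
    foreach ($f in $files) {
        Copy-Item -Path $f.FullName -Destination $set
        # Full and Incremental clear the bit; Differential leaves it for the
        # next differential to pick up again.
        if ($Type -ne 'Differential') {
            $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Archive)
        }
    }
    [pscustomobject]@{ Set = Split-Path $set -Leaf; Copied = $files.Count }
}

Invoke-DemoBackup -Type Full         -Source $src -Target $dest   # copies 3, clears bits
Set-Content -Path (Join-Path $src 'file1.txt') -Value 'v2'         # one file changes
Invoke-DemoBackup -Type Differential -Source $src -Target $dest   # copies 1, bit stays set
Invoke-DemoBackup -Type Differential -Source $src -Target $dest   # copies 1 again
Invoke-DemoBackup -Type Incremental  -Source $src -Target $dest   # copies 1, clears the bit
Invoke-DemoBackup -Type Incremental  -Source $src -Target $dest   # copies 0

# The system state backup from the answer above (Windows Server 2003):
#   ntbackup backup systemstate /j "System State" /f "E:\backups\systemstate.bkf"
# NTBackup was removed in Windows Server 2008; the replacement there is:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Restoring from differentials needs the last full backup plus the latest differential only; restoring from incrementals needs the full backup plus every incremental since, in order, which is the trade-off behind the text's "quicker but grows" description.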
How to restore an ADS Backup? Restoring Windows Server 2003 system state and system services
Tivoli Storage Manager supports the Microsoft Volume Shadow Copy Service (VSS) on Windows Server 2003. Tivoli Storage Manager uses VSS to restore all system state components as a single object, to provide a consistent point-in-time snapshot of the system state. You can restore all system service components (the default) or individual components.
System state components include the following:
· Active Directory (domain controller only)
· Windows Server 2003 system volume
· Certificate Server Database
· COM+ database
· Windows Registry
· System and boot files
Attention: Restoring system state in a situation other than system recovery is not recommended.
You must have administrative authority to restore System State information. To restore the Windows Server 2003 system state using the GUI:
1. Click Restore from the GUI main window. The Restore window appears.
2. Expand the directory tree by clicking the plus sign (+). To display files in a folder, click the folder icon.
3. Locate the System State node in the directory tree. You can expand the System State node to display the components.
4. Click the selection box next to the System State node to restore the entire system state. You can restore the System State node only as a single entity because of dependencies among the system state components. By default, all components are selected; you cannot back up individual system state components.
5. Click Restore. The Task List window displays the restore processing status.
On the command line, use the restore system state command to restore a backup of a system state. See Restore System State for more information.
Considerations:
· You can restore System State data to an alternate machine.
· If you are upgrading from a Windows 2000 machine to a Windows Server 2003 machine, you cannot restore the Windows 2000 system objects that were backed up to the server.
· Your Windows Server 2003 client must be connected to a Tivoli Storage Manager Version 5.2.0 or higher server.
· If Active Directory is installed, you must be in Active Directory restore mode.
· See Performing a Windows XP or Windows Server 2003 system recovery for procedures on how to perform the following tasks:
Your operating system is still functioning, but a complete system restore is required.
A complete recovery is required, including an operating system re-installation.
System services components include the following:
· Background Intelligent Transfer Service (BITS)
· Event logs
· Removable Storage Management Database (RSM)
· Cluster Database (cluster node only)
· Remote Storage Service
· Terminal Server Licensing
· Windows Management Instrumentation (WMI)
· Internet Information Services (IIS) metabase
· DHCP database
· WINS database
To restore the system services using the GUI:
1. Click Restore from the GUI main window. The Restore window appears.
2. Expand the directory tree by clicking the plus sign (+). To display files in a folder, click the folder icon.
3. Locate the System Services node in the directory tree. You can expand the System Services node to display the components.
4. Click the selection box next to the system services component(s) that you want to restore.
5. Click Restore. The Task List window displays the backup processing status.
On the command line, use the restore system services command to restore a backup of the system services. See Restore System Services for more information.
What is a Cluster? A cluster is a group of independent computers that work together to run a common set of applications and provide the image of a single system to the client and application. The computers are physically connected by cables and programmatically connected by cluster software. These connections allow computers to use problem-solving features such as failover in Server clusters and load balancing in Network Load Balancing (NLB) clusters.
What is the definition for Additional Domain Controller? As the name suggests, it is an additional domain controller: it can hold any of the FSMO roles at any given instance and provides SRV services to clients.
What is Domain Controller? A domain controller is a server on which Active Directory Service is installed. Domain controllers are used to administer domain objects, such as user accounts and groups.
What is Proxy Server? In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
What is Basic Disk? A standard disk with standard partitions (primary and extended).
What is Dynamic Disk? Disks that have dynamic mounting capability to add additional local or remote partitions or directories to a disk drive. These are called dynamic volumes. This is new with the Windows 2000 operating system and is not supported by any other operating systems. Any volume that is on more than one hard drive must be created with dynamic disks. A disk can only be converted from dynamic to basic by first deleting all the volumes on the dynamic disk.
What is RAID? RAID (Redundant Array of Independent Disks). A collection of disk drives that offers increased performance and fault tolerance. There are a number of different RAID levels. The three most commonly used are 0, 1, and 5. Level 0: striping without parity (spreading out blocks of each file across multiple disks). Level 1: disk mirroring or duplexing. Level 2: bit-level striping with parity. Level 3: byte-level striping with dedicated parity. Level 5: block-level striping with parity distributed across the disks.
What is Simple Volume? Simple volumes are the most common volumes and the type of volume that you will create most often. If you are using a single-disk configuration, a simple volume is the only volume type that you can create.
What is Spanned Volume? Spanned volumes are created by combining disk space from two or more hard disks. Spanned volumes can be created by using different amounts of space from different hard disks. For example, a 10GB spanned volume can be created from 6GB of unallocated space on hard drive 0, 3GB of unallocated space on hard drive 1, and 1GB of space on hard drive 2. A spanned volume cannot be extended, and there is no fault tolerance in using a spanned volume. If any of the drives fail, the data on the volume is lost and must be restored from backup (tape). Spanned volumes can be created from two physical disks and can contain up to 32 physical disks.
What is Mirrored Volume? Mirrored volumes are created using two physical disks. A mirrored volume requires the same amount of unallocated space on each of the physical disks used. When data is written to a mirrored volume, it is written to the first disk and then synchronized to the second disk. An exact copy of the data is available on both physical disks.
What is Striped Volume? A striped volume is created using a minimum of two and a maximum of 32 physical drives to create a single volume. A striped volume is created by using an equal amount of unallocated space on all the physical disks. The data is written across all physical disks in the volume in equal parts, thereby creating a stripe pattern. When data is written to the volume, it is divided into 64KB parts and each part is written to a separate disk. Chopping the data into pieces allows each physical disk to perform a write operation at almost exactly the same time, thereby increasing speed dramatically. When data is read, it is read in the same way, in 64KB blocks at a time. Striped volumes provide the best read and write performance of all the different types of volumes. A striped volume gets its name from how the data is read and accessed on the drive.
What is RAID-0? RAID Level 0 is not redundant, hence does not truly fit the "RAID" acronym. In level 0, data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in data loss. This level is commonly referred to as striping.
What is RAID-1? RAID Level 1 provides redundancy by writing all data to two or more drives. The performance of a level 1 array tends to be faster on reads and slower on writes compared to a single drive, but if either drive fails, no data is lost. This is a good entry-level redundant system, since only two drives are required; however, since one drive is used to store a duplicate of the data, the cost per megabyte is high. This level is commonly referred to as mirroring.
What is RAID-5? RAID Level 5 is similar to level 4, but distributes parity among the drives. This can speed small writes in multiprocessing systems, since the parity disk does not become a bottleneck. Because parity data must be skipped on each drive during reads, however, the performance for reads tends to be considerably lower than a level 4 array. The cost per megabyte is the same as for level 4.
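The striping and distributed-parity mechanics behind the RAID-0, RAID-1 and RAID-5 answers, as an added example that is not from the original Q&A. The 4-disk, 4-byte-chunk geometry and the payload are constructed for illustration; real controllers use far larger chunks (the striped-volume answer above mentions 64KB), but the arithmetic is the same. It shows why a RAID-5 read has to step over the parity chunk on each drive, and that any single failed disk can be rebuilt by XORing the surviving chunks of each stripe.

```python
"""RAID-5 stripe layout with rotating parity, and rebuild of a failed disk.
Added illustration for the RAID answers above, not from the original Q&A;
the payload and the 4-disk / 4-byte-chunk geometry are constructed."""


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length chunks; the parity operation RAID-5 relies on."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe, ndisks):
    """Parity rotates one disk to the left per stripe, so no single disk is the
    parity bottleneck (the difference between level 4 and level 5)."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks=4, chunk=4):
    """Lay `data` out across `ndisks` disks: each stripe holds ndisks-1 data
    chunks plus one parity chunk.  Returns a list of per-disk chunk lists."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_chunks = ndisks - 1
    stripe_bytes = data_chunks * chunk
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        pieces = [padded[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(data_chunks)]
        pdisk = parity_disk_for(s, ndisks)
        pieces_iter = iter(pieces)
        for d in range(ndisks):
            disks[d].append(xor_blocks(pieces) if d == pdisk else next(pieces_iter))
    return disks


def raid5_read(disks, length):
    """Reassemble the data, skipping each stripe's parity chunk (which is why
    RAID-5 reads must step over parity on every drive)."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Reconstruct every chunk of disk `failed` (whose entry may be None) from
    the survivors: in each stripe, any one chunk is the XOR of all the others."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([disk[s] for disk in survivors])
            for s in range(len(survivors[0]))]


def survives_single_failure(data, ndisks=4, chunk=4):
    """True if the array can lose any one disk and still return the data intact."""
    for failed in range(ndisks):
        disks = raid5_write(data, ndisks, chunk)
        disks[failed] = None                     # simulate the failed drive
        disks[failed] = raid5_rebuild(disks, failed)
        if raid5_read(disks, len(data)) != data:
            return False
    return True


if __name__ == "__main__":
    payload = b"RAID-5 spreads parity across all members"   # constructed payload
    print("rebuild works for every single-disk failure:",
          survives_single_failure(payload))
```

A second simultaneous failure breaks the XOR relationship in every stripe, which is exactly the single-disk redundancy the RAID-5 answer describes; the example rebuilds one failed disk at a time and verifies the result against the original payload.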
What is IP? The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. IP is a network layer protocol in the Internet protocol suite and is encapsulated in a data link layer protocol (e.g., Ethernet).
What is TCP? Transmission Control Protocol (pronounced as separate letters). TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
What is UDP? UDP is a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network.
What is the range of TCP/IP in Class A? 1 to 127
What is the range of TCP/IP in Class B? 128 to 191
What is the range of TCP/IP in Class C? 192 to 223
What are the reserved IP ranges in Class A? 10.0.0.0 to 10.255.255.255
What are the reserved IP ranges in Class B? 172.16.0.0 to 172.16.255.255
What are the reserved IP ranges in Class C? 192.168.0.0 to 192.168.255.255
What default IP address is broadcast by a DHCP server if no scope is defined? 255.255.255.255
What is the loopback IP address? 127.0.0.1
How can we assign a static IP & dynamic IP using a command prompt utility? Through the netsh command.
What is Subnet Mask? In computer networks, a subnetwork or subnet is a range of logical addresses within the address space that is assigned to an organization. Subnetting is the hierarchical partitioning of an organization's network address space (and of the network nodes of an autonomous system) into several subnets.
What is Gateway? A gateway is either hardware or software that acts as a bridge between two networks so that data can be transferred between a number of computers.
What is Routed Protocol? Routed protocols carry user data and are forwarded by routers; routers use routing protocols to exchange, with other routers, information about the networks that those routed protocols reach.
What is Routing Protocol?Routing protocols distribute routing information throughout all routers on a network. By knowing about all other routers connected to the network, each router can determine the best path to use to deliver your traffic.
What is OSI Layer? Describe each. OSI (Open Systems Interconnection) is a standard description or "reference model" for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementers so that their products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunication make an attempt to describe them in relation to the OSI model.
Layer 7: The application layer. This is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. (This layer is not the application itself, although some applications may perform application layer functions.)
Layer 6: The presentation layer. This is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). Sometimes called the syntax layer.
Layer 5: The session layer. This layer sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. It deals with session and connection coordination.
Layer 4: The transport layer. This layer manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer.
Layer 3: The network layer. This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding.
Layer 2: The data-link layer. This layer provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management.
Layer 1: The physical layer. This layer conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.
What is the difference between CIDR & VLSM? Both are almost the same: with VLSM we can utilize the IP address space more efficiently, and with CIDR we can improve both address space utilization and routing scalability in the Internet. CIDR is used in Internet routers.
VLSM - Variable Length Subnet Masking. Several new methods of addressing were created so that usage of IP space was more efficient. The first of these methods is called Variable-Length Subnet Masking (VLSM). Subnetting had long been a way to better utilize address space. Subnets divide a single network into smaller pieces. This is done by taking bits from the host portion of the address to use in the creation of a "sub" network. For example, take the class B network 147.208.0.0. The default network mask is 255.255.0.0, and the last two octets contain the host portion of the address. To use this address space more efficiently, we could take all eight bits of the third octet for the subnet. One drawback of subnetting is that once the subnet mask has been chosen, the number of hosts on each subnet is fixed. This makes it hard for network administrators to assign IP space based on the actual number of hosts needed. For example, assume that a company has been assigned 147.208.0.0 and has decided to subnet this by using eight bits from the host portion of the address. Assume that the address allocation policy is to assign one subnet per department in an organization. This means that 254 addresses are assigned to each department. Now, if one department only has 20 servers, then 234 addresses are wasted. Using variable-length subnet masks (VLSM) improves on subnet masking. VLSM is similar to traditional fixed-length subnet masking in that it also allows a network to be subdivided into smaller pieces. The major difference between the two is that VLSM allows different subnets to have subnet masks of different lengths. For the example above, a department with 20 servers can be allocated a subnet mask of 27 bits. This allows the subnet to have up to 30 usable hosts on it.
CIDR - Classless Inter-Domain Routing. CIDR is also called supernetting. It's an IP addressing scheme that replaces the older system based on classes A, B, and C. With CIDR, a single IP address can be used to designate many unique IP addresses. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP prefix. For example: 172.200.0.0/16. The IP prefix specifies how many addresses are covered by the CIDR address, with lower numbers covering more addresses. An IP prefix of /12, for example, can be used to address 1,048,576 former Class C addresses. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.
Comparing CIDR to VLSM: CIDR and VLSM both allow a portion of the IP address space to be recursively divided into subsequently smaller pieces. The difference is that with VLSM, the recursion is performed on the address space previously assigned to an organization and is invisible to the global Internet. CIDR, on the other hand, permits the recursive allocation of an address block by an Internet Registry to a high-level ISP, a mid-level ISP, a low-level ISP, and a private organization's network.
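The subnet arithmetic from the VLSM and CIDR answers, as an added example that is not part of the original Q&A. It uses Python's standard ipaddress module; the department names and host counts are constructed, and 147.208.1.0/24 is one of the /24 subnets taken from the page's 147.208.0.0 example. Beyond the single 20-host case in the text, it allocates several right-sized subnets out of one block (largest first, so every subnet stays aligned) and refuses when the block is exhausted.

```python
"""VLSM and CIDR arithmetic: usable hosts per prefix, the smallest subnet that
fits a department, the waste of a fixed mask, and carving a block into
variable-length subnets.  Added illustration, not from the original Q&A; the
department names, host counts and the 147.208.1.0/24 block are constructed."""
import ipaddress


def usable_hosts(prefix):
    """Usable IPv4 hosts behind a prefix: 2^(host bits) minus the network and
    broadcast addresses.  /31 and /32 are treated as giving no usable hosts."""
    return max(2 ** (32 - prefix) - 2, 0)


def block_size(prefix):
    """Total addresses covered by a CIDR prefix (e.g. /12 -> 1,048,576)."""
    return 2 ** (32 - prefix)


def fixed_mask_waste(hosts, prefix=24):
    """Addresses left unused when a department gets a fixed-length subnet."""
    return usable_hosts(prefix) - hosts


def prefix_for_hosts(needed):
    """Longest (i.e. smallest) prefix whose usable host count covers `needed`."""
    for prefix in range(30, 0, -1):
        if usable_hosts(prefix) >= needed:
            return prefix
    raise ValueError("no single IPv4 subnet holds that many hosts")


def vlsm_allocate(base, requests):
    """Carve variable-length subnets for {name: hosts} out of `base`.

    Requests are served largest first, so each subnet starts on a boundary
    aligned to its own size and no gaps are left between allocations.
    Raises ValueError if the block runs out.
    """
    base = ipaddress.IPv4Network(base)
    cursor = int(base.network_address)
    end = int(base.broadcast_address)
    plan = {}
    for name, hosts in sorted(requests.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        net = ipaddress.IPv4Network((cursor, prefix))   # strict: raises if misaligned
        if int(net.broadcast_address) > end:
            raise ValueError(f"{base} exhausted while allocating {name}")
        plan[name] = net
        cursor = int(net.broadcast_address) + 1
    return plan


if __name__ == "__main__":
    p = prefix_for_hosts(20)
    print(f"20 hosts fit in a /{p} ({usable_hosts(p)} usable)")
    print("wasted with a fixed /24:", fixed_mask_waste(20))
    print("addresses in a /12:", block_size(12))
    # Constructed department sizes carved out of one /24 from 147.208.0.0
    plan = vlsm_allocate("147.208.1.0/24",
                         {"engineering": 100, "sales": 50, "servers": 20, "wan-link": 2})
    for name, net in plan.items():
        print(f"{name:12} {net}  usable={net.num_addresses - 2}")
```

The largest-first ordering is what keeps the allocation valid: IPv4Network is constructed in strict mode, so an attempt to start a /26 on an address that is not a multiple of 64 would raise rather than silently produce an overlapping subnet.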
What is the difference between Windows NT, Windows 2000 & Windows 2003? The major differences between NT, 2000 & 2003 are as follows:
1) Windows NT Server has the concept of PDC and BDC, but there is no such concept in 2000.
2) In Windows NT Server the SAM database is read/write on the PDC and read-only on the BDC, but in 2000 every domain controller holds the domain database in read/write format.
3) A 2000 server can at any moment become a domain controller or a member server simply by running dcpromo to add/remove; in Windows NT you have to reinstall the operating system.
A) In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.
B) 2000 supports 8 processors and 64 GB RAM (in 2000 Advanced Server), whereas 2003 supports up to 64 processors and a maximum of 512 GB RAM.
C) 2000 supports IIS 5.0 and 2003 supports IIS 6.0.
D) 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
E) 2000 has Server and Advanced Server editions, whereas 2003 has Standard, Enterprise, Datacenter and Web Server editions.
F) 2000 doesn't have any 64-bit server operating system, whereas 2003 has 64-bit server operating systems (Windows Server 2003 x64 Standard and Enterprise Edition).
G) 2000 has a basic concept of DFS (Distributed File System) with defined roots, whereas 2003 has enhanced DFS support with multiple roots.
H) In 2000 there is complexity in administering complex networks, whereas 2003 is easy to administer in all networks, including complex ones.
I) In 2000 we can create 1 million users and in 2003 we can create 1 billion users.
J) 2003 has the concept of the Volume Shadow Copy Service, which is used to create hard disk snapshots for disaster recovery; 2000 doesn't have this service.
K) In 2000 we don't have end-user policy management, whereas in 2003 we have end-user policy management, which is done in GPMC (Group Policy Management Console).
L) In 2000 we have cross-domain trust relationships and in 2003 we have cross-forest trust relationships.
M) 2000 supports 4-node clustering and 2003 supports 8-node clustering.
N) 2003 has high HCL (Hardware Compatibility List) support, issued by Microsoft.
O) The code name of 2000 is Win NT 5.0 and the code name of 2003 is Win NT 5.1.
P) 2003 has a service called ADFS (Active Directory Federation Services), which is used to communicate between branches with safe authentication.
Q) In 2003 there is improved storage management using the File Server Resource Manager (FSRM) service.
R) 2003 has a service called Windows SharePoint Services (an integrated portfolio of collaboration and communication services designed to connect people, information, processes, and systems both within and beyond the organizational firewall).
S) 2003 has improved print management compared to 2000 Server.
T) 2003 has telnet sessions available.
U) 2000 supports IPv4 whereas 2003 supports IPv4 and IPv6.
Windows 2003 supports Shadow Copies, a new tool to recover files.
Windows 2003 Server includes IIS server in it. That is the biggest advantage, on top of better file system management.
In 2003 Server you can change the domain name at any time without rebuilding the domain, whereas in 2000 you have to rebuild the entire domain to change the domain name.
Windows 2000 supports a maximum of 10 users accessing a shared folder at a time over the network, but in Windows 2003 there is no such limitation.
How can we restore Windows XP/Windows 2000? If Windows XP starts:
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the "On this list, click a restore point" list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.
What is the difference between Windows XP Home Edition & Professional Edition?
Windows XP Home Edition:
· Contains basic support for security among multiple users.
· Built-in support for peer-to-peer networking, but only for up to five computers.
· The backup utility is not installed by default, but is included on the CD.
Windows XP Professional Edition:
· Includes extended support for security between multiple users on the same machine.
· Better support for peer-to-peer networking, plus support for joining a "Windows NT domain."
· The backup utility is installed by default.
· The Professional edition includes the following components not found in the Home edition: Administrative Tools (in the Start Menu and Control Panel), Automated System Recovery (ASR), Boot Configuration Manager, DriverQuery, Group Policy Refresh Utility, Multi-lingual User Interface (MUI) add-on, NTFS Encryption Utility, Offline Files and Folders, OpenFiles, Performance Log Manager, Remote Desktop, Scheduled Tasks Console, Security Template Utility, Taskkill, Tasklist, Telnet Administrator.
· Provides support for multi-processor systems (2 or 4 CPUs), Dynamic Disks, Fax.
What are transaction logs in Exchange? Transaction logging is a robust disaster recovery mechanism that is designed to reliably restore an Exchange database to a consistent state after any sudden stop of the database.
What is Active Directory? Active Directory stores information about objects on a network and makes this information usable to users and network administrators.
Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
What is domain? A collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.
What is forest? One or more Active Directory domains that share the same class and attribute definitions (schema), site, and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.
What is organizational unit (OU)? An Active Directory container object used within domains. An OU is a logical container into which users, groups, computers, and other OUs are placed. It can contain objects only from its parent domain. An OU is the smallest scope to which a GPO can be linked, or over which administrative authority can be delegated.
What is site? One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
How is a directory service different from a directory? A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to the users.
How is Active Directory scalable? Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees, and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.
What is multimaster replication? Multimaster replication is a replication model in which any domain controller accepts and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.
Name the Active Directory components used to represent an organization’s logical structure?
The Active Directory components used to represent an organization’s logical structure are domains, organizational units (OUs), trees, and forests.
Name the physical components of Active Directory. The physical components of Active Directory are sites and domain controllers.
What is the function of the global catalog? The global catalog has two main functions: (1) it enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and (2) it enables finding directory information regardless of which domain in the forest actually contains the data.
List the four directory partitions of the Active Directory database. The four directory partitions of the Active Directory database are schema partition, configuration partition, domain partition, and application partition.
What is the function of the KCC? The KCC is a built-in process that runs on all domain controllers. The KCC configures connection objects between domain controllers. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.
List the six types of trusts used in Active Directory. The six types of trusts used in Active Directory are tree-root trust, parent-child trust, shortcut trust, external trust, forest trust, and realm trust.
What is change and configuration management? What is IntelliMirror? Change and configuration management is a set of Windows Server 2003 features that simplify computer management tasks. IntelliMirror is a set of Windows Server 2003 features that assist with managing user and computer information, settings, and applications. When IntelliMirror is used in both server and client, the users’ data, applications, and settings follow them when they move to another computer.
Explain the function of group policies. Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to modify computer settings and specify the behavior of users’ desktops.
Define each of the following names: DN, RDN, GUID, UPN. The distinguished name (DN) uniquely identifies the object and contains the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object. The relative distinguished name (RDN) is the part of an object’s DN that is an attribute of the object itself. The globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise. The user principal name (UPN) consists of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located.
What three tools are necessary to develop an effective Active Directory infrastructure design? The following tools are necessary to develop an effective Active Directory infrastructure design: design team, business and technical analyses, and test environment.
List the four stages in the Active Directory design process.
The stages in the design process are creating a forest plan, creating a domain plan, creating an OU plan, and creating a site topology plan.
Why should you strive to create only one forest for your organization? Using more than one forest requires administrators to maintain multiple schemas, configuration containers, global catalogs, and trusts, and requires users to take complex steps to use the directory.
Why should you try to minimize the number of domains in your organization? Adding domains to the forest increases management and hardware costs.
Why should you define the forest root domain with caution? Define your forest root domain with caution, because once you've named the forest root domain you cannot change it without renaming and reworking the entire Active Directory tree.
What is the primary reason for defining an OU? The primary reason for defining an OU is to delegate administration.
Which tool is used to install and remove Active Directory? The Active Directory Installation Wizard; the command-line tool is dcpromo.exe.
Which tool helps assign roles to a server, including the role of domain controller? Configure Your Server Wizard
What is domain name? The name given by an administrator to a collection of networked computers that share a common directory. Part of the DNS naming structure, domain names consist of a sequence of name labels separated by periods.
What is forest root domain? The first domain created in a new forest
What are the reasons to create more than one child domain under a dedicated root domain? The reasons to create more than one child domain under the dedicated root are to meet required security policy settings, which are linked to domains; to meet special administrative requirements, such as legal or privacy concerns; to optimize replication traffic; to retain Windows NT domains; and to establish a distinct namespace.
What is a forest root domain? A forest root domain is the first domain you create in an Active Directory forest. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions.
For best performance and fault tolerance, where should you store the database and log files? For best performance and fault tolerance, it’s recommended that you place the database and the log file on separate hard disks that are NTFS drives, although NTFS is not required.
What is the function of the shared system volume folder and where is the default storage location of the folder? The shared system volume folder stores public files that must be replicated to other domain controllers, such as logon scripts and some of the GPOs, for both the current domain and the enterprise. The default location for the shared system volume folder is %Systemroot%\Sysvol. The shared system folder must be placed on an NTFS drive.
Which of the following is not a valid reason for creating an additional domain? a. To meet SAM size limitations b. To meet required security policy settings, which are linked to domains c. To meet special administrative requirements, such as legal or privacy concerns d. To optimize replication traffic The correct answer is a. In Windows NT, the SAM database had a limitation of about 40,000 objects per domain. In Windows Server 2003, each domain can contain more than 1 million objects, so it is no longer necessary to define a new domain just to handle more objects.
What command must you use to install Active Directory using the Active Directory Installation Wizard? Use the Dcpromo command to install Active Directory using the Active Directory Installation Wizard.
What items are installed when you use the Active Directory Installation Wizard to install Active Directory? The Active Directory Installation Wizard installs Active Directory, creates the full domain name, assigns the NetBIOS name for the domain, sets the Active Directory database and log folder location, sets the shared system volume folder location, and installs DNS and a preferred DNS server if you requested DNS installation.
Explain the two ways you can use an answer file to install Active Directory. An answer file that is used to install Windows Server 2003 can also include the installation of Active Directory. Or, you can create an answer file that installs only Active Directory and is run after Windows Server 2003 Setup is complete and you have logged on to the system.
What command must you use to install Active Directory using the network or backup media? Use the Dcpromo /adv command to install Active Directory using the network or backup media.
Which of the following commands is used to demote a domain controller? a. Dcdemote b. Dcinstall c. Dcpromo d. Dcremove The correct answer is c. You use the Dcpromo command to demote a domain controller.
After Active Directory has been installed, how can you verify the domain configuration? You can verify the domain configuration in three steps by using the Active Directory Users and Computers console. First, you verify that your domain is correctly named by finding it in the console tree. Second, you double-click the domain, click the Domain Controllers container, and verify that your domain controller appears and is correctly named by finding it in the details pane. Third, you double-click the server and verify that all information is correct on the tabs in the Properties dialog box for the server.
After Active Directory has been installed, how can you verify the DNS configuration? You can verify DNS configuration by viewing the set of default SRV resource records on the DNS server in the DNS console.
After Active Directory has been installed, how can you verify DNS integration with Active Directory? You can verify DNS integration by viewing the Type setting and the Dynamic Updates setting in the General tab in the Properties dialog box for the DNS zone and the Load Zone Data on Startup setting in the Advanced tab in the Properties dialog box for the DNS server.
After Active Directory has been installed, how can you verify installation of the shared system volume? You can verify installation of the shared system volume by opening %Systemroot%\Sysvol or the location you specified during Active Directory installation and verifying that the Sysvol folder contains a shared Sysvol folder and that the shared Sysvol folder contains a folder for the domain, which contains a shared Scripts and a Policies folder.
What information is recorded in the directory service log? Active Directory records events, including errors, warnings, and information that it generates, in the directory service log in Event Viewer.
How can you fix data left behind after an unsuccessful removal of Active Directory? First, you must remove the orphaned metadata—NTDS Settings objects—using Ntdsutil. Then you must remove the domain controller object in the Active Directory Sites And Services console. You can safely delete the domain controller object only after all services have been removed and no child objects exist.
Which of the following tools are best used to evaluate network connectivity? Choose all that apply. a. Dcpromoui.log file b. Dcpromo.log file c. Ntdsutil d. Netdiag e. Dcdiag The correct answers are d and e. Netdiag and Dcdiag are the tools best suited to evaluate network connectivity. The Dcpromoui and Dcpromo log files log events during the installation process, and Ntdsutil provides management facilities for Active Directory.
What is authoritative restore? In Backup, a type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.
What is nonauthoritative restore? A restore operation performed on an Active Directory domain controller in which the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.
What is domain functional level? The level on which a domain running Windows Server 2003 is running. The functional level of a domain can be raised to enable new Active Directory features that will apply to that domain only.
What is forest functional level? The level on which a forest running Windows Server 2003 is running. The functional level of a forest can be raised to enable new Active Directory features that will apply to every domain in the forest.
What is UPN suffix? The part of the UPN to the right of the @ character. The default UPN suffix for a user account is the DNS domain name of the domain that contains the user account. The UPN suffix is only used within the Active Directory forest, and it is not required to be a valid DNS name.
What is the purpose of the Active Directory Domains And Trusts console? The Active Directory Domains And Trusts console provides the interface to manage domains and manage trust relationships between forests and domains.
What is the purpose of the Active Directory Sites And Services console? The Active Directory Sites And Services console contains information about the physical structure of your network.
What is the purpose of the Active Directory Users And Computers console? The Active Directory Users And Computers console allows you to add, modify, delete, and organize Windows Server 2003 user accounts, computer accounts, security and distribution groups, and published resources in your organization’s directory. It also allows you to manage domain controllers and OUs.
Why isn’t the Active Directory Schema snap-in provided automatically on the Administrative Tools menu after you install Active Directory? By default, the Active Directory Schema snap-in is not available on the Administrative Tools menu and must be installed. This action is required to ensure that the schema cannot be modified by accident.
Which Active Directory-specific Windows Support Tool enables you to manage Windows Server 2003 domains and trust relationships? a. Ntdsutl.exe b. Netdom.exe c. Active Directory Domains And Trusts console d. Nltest.exe The correct answer is b. The Netdom.exe tool enables you to manage Windows Server 2003 domains and trust relationships. While the Active Directory Domains And Trusts console also provides this capability, this tool is not an Active Directory–specific Windows Support Tool.
What is the function of an MMC? Why is it necessary to create customized MMCs? The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. You create custom MMCs to perform a unique set of administrative tasks.
What tasks should you complete before attempting to back up Active Directory data? Before attempting to back up Active Directory data, you must prepare the files that you want to back up, and, if you are using a removable media device, you must prepare the device.
What is system state data and why is it significant to backing up Active Directory? For the Windows Server 2003 operating system, the system state data comprises the registry, COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the system state data. To back up Active Directory, you must back up the system state data.
Can you restrict who can gain access to a completed backup file or tape? If so, how? You can restrict who can gain access to a completed backup file or tape by selecting the Replace The Data On The Media With This Backup option and the Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium option on the Backup Options page in the Backup Or Restore Wizard.
When you specify the items you want to back up in the Backup Or Restore Wizard, which of the following should you select to successfully back up Active Directory data? a. System state data b. Shared system volume folder c. Database and log files d. Registry The correct answer is a. When you specify the items you want to back up in the Backup Or Restore Wizard, you must specify system state data to successfully back up Active Directory data.
Describe what happens in a nonauthoritative restore. In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners.
Describe what happens in an authoritative restore. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup.
Which method of restore should you use if you accidentally delete an OU? Authoritative.
Which method of restore should you use if a domain controller has completely failed due to hardware or software problems? Nonauthoritative.
Which of the following Ntdsutil command parameters should you use if you want to restore the entire directory? a. Restore database b. Restore subtree c. Database restore d. Subtree restore The correct answer is a. Database restore and subtree restore are not Ntdsutil command parameters. Restore subtree is used to restore a portion or a subtree of the directory.
What is operations master? A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single-master (not permitted to occur at different places on the network at the same time).
What is selective authentication? A method of setting the scope of authentication differently for outgoing and incoming external and forest trusts. Selective trusts allow you to make flexible access control decisions between external domains in a forest.
What is trust relationship? A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don’t exist in the trusting domain’s directory.
What is the main consequence of creating multiple domains and trees? Adding domains and trees increases administrative and hardware costs.
Why would you need to create additional trees in your Active Directory forest? You might need to define more than one tree if your organization has more than one DNS name.
What is a tree root domain? A tree root domain is the highest-level domain in the tree; child and grandchild domains are arranged under it. Typically, the domain you select for a tree root should be the one that is most critical to the operation of the tree. A tree root domain can also be the forest root domain.
What are the reasons for creating multiple forests in an organization? Some of the reasons for creating multiple forests include to secure data and to isolate directory replication.
Which of the following is not a reason for creating multiple domains? a. To meet security requirements b. To meet administrative requirements c. To optimize replication traffic d. To meet delegation requirements e. To retain Windows NT domains The correct answer is d. In Windows NT, domains were the smallest units of administrative delegation. In Windows Server 2003, OUs allow you to partition domains to delegate administration, eliminating the need to define domains just for delegation.
Under what domain and forest functional levels can you rename or restructure domains in a forest? You can rename or restructure the domains in a forest only if all domain controllers in the forest are running Windows Server 2003, all domain functional levels in the forest have been raised to Windows Server 2003, and the forest functional level has been raised to Windows Server 2003.
What utility is used to rename or restructure a domain in a forest? You can use the domain rename utility (Rendom.exe) to rename or restructure a domain.
Under what domain functional level can you rename a domain controller? You can rename a domain controller only if the domain functionality of the domain to which the domain controller is joined is set to Windows Server 2003.
What tool is used to rename a domain controller? You rename a domain controller by using the Netdom.exe: Windows Domain Manager command-line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. You use the Netdom Computername command to manage the primary and alternate names for a computer.
What is the purpose of the operations master roles? The domain controllers assigned operations master roles perform operations that are single-master (not permitted to occur at different places in the network at the same time).
Which operations master roles must be unique in each forest? The schema master and the domain naming master roles must be unique in each forest.
Which operations master roles must be unique in each domain? The RID master, the PDC emulator, and the infrastructure master roles must be unique in each domain.
When should you seize an operations master role? Consider seizing an operations master role assignment when a server that is holding a role fails and you do not intend to restore it. Before seizing the operations master role, determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.
Which of the following operations master roles should not be assigned to the domain controller hosting the global catalog? a. Schema master b. Domain naming master c. RID master d. PDC emulator e. Infrastructure master The correct answer is e. The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
Which type of trust provides transitive trusts between domains in two forests? A forest trust.
What is the purpose of a shortcut trust? A shortcut trust is a trust between two domains in a forest, created to improve user logon times.
What is the purpose of an external trust? An external trust is a trust between Windows Server 2003 domains in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust is created to provide backward compatibility with Windows NT environments or communications with domains located in other forests not joined by forest trusts.
What preliminary tasks must you complete before you can create a forest trust? Before you can create a forest trust, you must 1. Configure a DNS root server that is authoritative over both forest DNS servers that you want to form a trust with, or configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting forests. 2. Ensure that the forest functionality for both forests is Windows Server 2003.
Which of the following trust types are created implicitly? Choose all that apply. a. Tree-root b. Parent-child c. Shortcut d. Realm e. External f. Forest The correct answers are a and b. Shortcut, realm, external, and forest trusts must all be created manually (explicitly).
What is application directory partition? A directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data.
What is preferred bridgehead server? A domain controller in a site, designated manually by the administrator, that is part of a group of bridgehead servers. Once designated, preferred bridgehead servers are used exclusively to replicate changes collected from the site. An administrator may choose to designate preferred bridgehead servers when there is a lot of data to replicate between sites, or to create a fault-tolerant topology. If one preferred bridgehead server is not available, the KCC automatically uses one of the other preferred bridgehead servers. If no other preferred bridgehead servers are available, replication does not occur to that site.
What is universal group membership caching? A feature in Windows Server 2003 that allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule.
What is a site? A site is a set of IP subnets connected by a highly reliable and fast link (usually a LAN).
Which directory partition replica type must be replicated to all domain controllers within the domain? The domain partition must be replicated to all domain controllers within the domain.
Which type of replication compresses data to save WAN bandwidth? Intersite replication compresses data to save WAN bandwidth.
What is the difference between a site link and a connection object?
Site links are used by the KCC to determine replication paths between two sites and must be created manually. Connection objects actually connect domain controllers and are created by the KCC, though you can also create them manually if necessary.
Which of the following actions does not trigger replication? a. Accessing an object b. Creating an object c. Deleting an object d. Modifying an object e. Moving an object The correct answer is a. Creating, deleting, modifying, or moving an object triggers replication between domain controllers.
What site is created automatically in the Sites container when you install Active Directory on the first domain controller in a domain? The Default-First-Site-Name site.
How many subnets must each site have? To how many sites can a subnet be assigned? Each site must have at least one subnet, but a subnet can be assigned to only one site.
What is the minimum number of domain controllers you should place in a site? For optimum network response time and application availability, place at least one domain controller for each domain available at each site.
What is the purpose of a site license server? The site license server stores and replicates licensing information collected by the License Logging service on each server in a site.
Which of the following administrative tools is used to configure sites? a. Active Directory Users And Computers console b. Active Directory Domains And Trusts console c. Active Directory Sites And Services console d. Licensing console The correct answer is c. The Active Directory Sites And Services console is used to configure sites.
What object is created automatically in the IP container when you install Active Directory on the first DC in a domain? The DEFAULTIPSITELINK site link.
You specified a preferred bridgehead server for your network. It fails and there are no other preferred bridgehead servers available. What is the result? If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers.
Why is it seldom necessary to create site link bridges? If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. Therefore, it is seldom necessary to create site link bridges.
Which type of replication does the connection schedule control? Intrasite replication.
Which of the following protocols should you use when network connections are unreliable? a. IP b. SMTP c. RPC d. DHCP The correct answer is b. Choose SMTP replication when network connections are unreliable or not always available. SMTP site links communicate asynchronously, meaning each replication transaction does not need to complete before another can start, because the transaction can be stored until the destination server is available.
You have a high-speed T1 link and a dial-up network connection in case the T1 link is unavailable. You assign the T1 link to have a cost of 100. What cost value should you assign to the dial-up link? a. 0 b. 50 c. 100 d. 150 The correct answer is d. Higher costs are used for slow links (the dialup connection), and lower costs are used for fast links (the T1 connection). Because Active Directory always chooses the connection on a per-cost basis, the less expensive connection (T1) is used as long as it is available.
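The cost-based link choice in this question, together with the site link transitivity point above (bridging makes costs add up across consecutive links), can be worked through with a small least-cost path routine. The following is an added example and not code from the training kit or from Windows; the site names, link names and costs are constructed, and it assumes Bridge All Site Links is enabled so that a multi-hop path is simply the sum of its link costs. A failed link (the T1 going down) is simulated by leaving it out of the set of available links.

```python
import heapq

# Added example (not from the training kit): least-cost route selection over
# site links, mirroring how the text describes cost-based link choice and
# site link transitivity. Site and link names below are constructed.


def cheapest_path(site_links, source, target, available=None):
    """Return (total_cost, [link names]) for the least-cost route from source
    to target, or None when no route exists.

    site_links: {link_name: (cost, set_of_site_names)}; a site link may join
                more than two sites, as in Active Directory.
    available:  optional set of link names currently usable (None = all);
                a failed link is simulated by leaving it out of this set.
    Transitivity (Bridge All Site Links) is assumed enabled, so the costs of
    consecutive links add up.
    """
    usable = {n: l for n, l in site_links.items() if available is None or n in available}

    # Build an adjacency list: site -> [(neighbour, link cost, link name)].
    adjacency = {}
    for name, (cost, sites) in usable.items():
        for a in sites:
            for b in sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, cost, name))

    # Dijkstra over sites; the path carries the names of the links used.
    best = {source: 0}
    heap = [(0, source, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == target:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry, a cheaper route was already found
        for nxt, link_cost, name in adjacency.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [name]))
    return None


# Constructed topology: a T1 (cost 100) and a dial-up backup (cost 150)
# between HQ and Branch, plus a Remote site reachable cheaply only via Branch.
SAMPLE_LINKS = {
    "T1": (100, {"HQ", "Branch"}),
    "Dialup": (150, {"HQ", "Branch"}),
    "BranchRemote": (200, {"Branch", "Remote"}),
    "HQRemote": (400, {"HQ", "Remote"}),
}

if __name__ == "__main__":
    print("normal:", cheapest_path(SAMPLE_LINKS, "HQ", "Branch"))
    print("T1 down:", cheapest_path(SAMPLE_LINKS, "HQ", "Branch",
                                    available={"Dialup", "BranchRemote", "HQRemote"}))
    print("bridged:", cheapest_path(SAMPLE_LINKS, "HQ", "Remote"))
```

With all links up the T1 (cost 100) wins over the dial-up link (cost 150); with the T1 removed from the available set the dial-up link is chosen; and for HQ to Remote the bridged two-hop route (100 + 200) beats the direct 400-cost link, which is the effect of site link transitivity.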
What is the function of the global catalog? The global catalog performs three key functions: ■ It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated. ■ It enables finding directory information regardless of which domain in the forest actually contains the data. ■ It resolves UPNs when the authenticating domain controller does not have knowledge of the account.
What is a global catalog server? A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
What must you do to allow a domain controller to process user logon requests without contacting a global catalog server? Enable the universal group membership caching feature using Active Directory Sites And Services.
For optimum network response time, how many domain controllers in each site should you designate as a global catalog server? For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server.
The universal group membership caching feature is set for which of the following? a. Forest b. Domain c. Site d. Domain controller The correct answer is c. The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system.
What is an application directory partition? An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Name the benefits of using an application directory partition. Using an application directory partition provides redundancy, availability, or fault tolerance, by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest; it reduces replication traffic because the application data is only replicated to specific domain controllers; and applications or services that use LDAP can continue using it to access and store their application data in Active Directory.
What is a security descriptor and how is it used in an application directory partition? A security descriptor is a set of access control information attached to a container or object that controls the type of access allowed by users, groups, and computers. When an object is created in an application directory partition, a default security descriptor reference domain is assigned when the application directory partition is created.
What considerations should you make before deleting an application directory partition? Before deleting the application directory partition, you must identify the applications that use it, determine if it is safe to delete the last replica, and identify the partition deletion tool provided by the application.
Which of the following tools can you use to delete an application directory partition? (Choose all that apply.) a. Ntdsutil command-line tool b. Application-specific tools from the application vendor c. Active Directory Installation Wizard d. Active Directory Domains And Trusts console e. Active Directory Sites And Services console The correct answers are a, b, and c. To delete the application directory partition, you can use the Active Directory Installation Wizard to remove all application directory partition replicas from the domain controller, the tools provided with the application, or the Ntdsutil command-line tool.
What is the function of Replmon.exe? Replmon.exe, the Active Directory Replication Monitor, enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.
What is the function of Repadmin.exe? Repadmin.exe, the Replication Diagnostics Tool, allows you to view the replication topology as seen from the perspective of each domain controller. Repadmin.exe can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view the replication metadata and see how up-to-date a domain controller is.
What is the function of Dsastat.exe? Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.
If replication of directory information has stopped, what should you check? Site links. Make sure that a site link has been created from the current site to a site that is connected to the rest of the sites in the network.
You received Event ID 1265 with the error “DNS Lookup Failure.” What are some actions you might take to remedy the error? (Choose all that apply.) a. Manually force replication. b. Reset the domain controller’s account password on the PDC emulator master. c. Check the domain controller’s CNAME record. d. Make sure “Bridge All Site Links” is set correctly. e. Check the domain controller’s A record. The correct answers are c and e. This message is often the result of DNS configuration problems. Each domain controller must register its CNAME record for the DsaGuid._msdcs.Forestname. Each domain controller must register its A record in the appropriate zone. So, by checking the domain controller’s CNAME and A records, you may be able to fix the problem.
What is access control list (ACL)? The mechanism for limiting access to certain items of information or to certain controls based on users’ identity and their membership in various predefined groups. An ACL is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.
What are nested OUs? The creation of organizational units (OUs) within OUs.
What is organizational unit (OU)? An Active Directory container object used within a domain. An OU is a logical container into which you can place users, groups, computers, and other OUs. It can contain objects only from its parent domain. An OU is the smallest scope to which you can apply a Group Policy or delegate authority.
What are the three reasons for defining an OU? The three reasons for defining an OU are to delegate administration, to administer Group Policy, or to hide objects.
What is “delegating administration”? Delegating administration is the assignment of IT management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users.
What is the purpose of creating an OU to hide objects? Although a user might not have the permission to read an object’s attributes, the user can still see that the object exists by viewing the contents of the object’s parent container. You can hide objects in a domain by creating an OU for the objects and limiting the set of users who have the List Contents permission for that OU.
Can you assign access permissions based on a user’s membership in an OU? Why or why not? No, you cannot assign access permissions based on a user’s membership in an OU. OUs are not security principals. Access control is the responsibility of global, domain local, or universal groups.
Which of the following is the primary reason for defining an OU? a. To delegate administration
b. To hide objects c. To administer Group Policy d. To define the domain structure The correct answer is a. Although hiding objects and administering Group Policy are reasons for defining an OU, they are not the primary reason. You do not define an OU to define the domain structure.
In what two locations can you create an OU? You can create an OU within a domain or within another OU.
What tool do you use to create an OU? The Active Directory Users And Computers console is used to create an OU.
What action must you take to be able to view the Security tab in the Properties dialog box for an OU? You must select Advanced Features from the View menu on the Active Directory Users And Computers console.
How does the icon used for an OU differ from the icon used for a container? The icon used for an OU is a folder with a book. The icon used for a container is a folder.
What is the purpose of setting properties for an OU? To provide additional information about the OU or to assist in finding the OU, you might want to set properties for an OU.
Why might you need to move an OU? To accommodate the changing needs of an organization.
Which is more flexible, domain structure or OU structure? Because OUs can be easily renamed, moved, and deleted, OU structure is more flexible than domain structure.
What are the three ways to move Active Directory objects between OUs? There are three ways to move Active Directory objects between OUs: ■ Use drag and drop ■ Use the Move option on the Active Directory Users And Computers console ■ Use the Dsmove command
What happens to permissions when you move objects between OUs? Permissions that are assigned directly to objects remain the same, and the objects inherit permissions from the new OU. Any permission that was previously inherited from the old OU no longer affects the objects.
What is authentication? The process by which the system validates the user’s logon information. A user’s name and password are compared against the list of authorized users. If the system detects a match, access is granted to the extent specified in the permissions list for that user.
What is smart card? A credit-card sized device that is used with an access code to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card.
What is strong password? A password that provides an effective defense against unauthorized access to a resource. A strong password is at least seven characters long, does not contain all or part of the user’s account name, and contains at least three of the following four categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, and #).
Where are domain user accounts created? Domain user accounts are created in Active Directory on a domain controller.
What is a smart card? A smart card is a credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information.
Why should you always rename the built-in Administrator account? Rename the built-in Administrator account to provide a greater degree of security; it is more difficult for unauthorized users to break into the Administrator account if they do not know which user account it is.
What is the purpose of the Guest account? What is the default condition of the Guest account? The purpose of the built-in Guest account is to provide users who do not have an account in the domain with the ability to log on and gain access to resources. By default, the Guest account does not require a password (the password can be blank) and is disabled. You should enable the Guest account only in low-security networks and always assign it a password.
Which of the following are characteristics of a strong password? a. Is at least seven characters long b. Contains your user name c. Contains keyboard symbols d. Contains numerals e. Contains a dictionary word The correct answers are a, c, and d. Strong passwords do not contain your user name or dictionary words.
A user’s full name must be unique to what Active Directory component? A user’s full name must be unique to the OU or container where you create the user account.
A user’s logon name must be unique to what Active Directory component? A user’s logon name must be unique to the domain where you create the user account.
Why should you always require new users to change their passwords the first time that they log on? Requiring new users to change their passwords means that only they know the password, which makes the system more secure.
From which tab on a user’s Properties dialog box can you set logon hours? a. General tab b. Account tab c. Profile tab d. Security tab The correct answer is b. You set logon hours by clicking the Logon Hours button on the Account tab in a user’s Properties dialog box.
What is a user profile? A user profile is a collection of folders and data that stores the user’s current desktop environment, application settings, and personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer, such as Start menu items and mapped drives to network servers.
Describe the function of the three types of user profiles. A local user profile is based at the local computer and is available at only the local computer. When a user logs on to the client computer running Windows Server 2003, he or she always receives his or her individual desktop settings and connections, regardless of how many users share the same client computer. A roaming user profile is based at the server and is downloaded to the local computer every time a user logs on and is available at any workstation or server computer on the network. Changes made to a user’s roaming user profile are updated locally and on the server when the user logs off. The user always receives his or her individual desktop settings and connections, in contrast to a local user profile, which resides only on one client computer. A mandatory user profile is a read-only roaming profile that is based at the server and downloaded to the local computer every time a user logs on. It is available at any workstation or server computer on the network. Users can modify the desktop settings of the computer while they are logged on, but none of these changes are saved when they log off.
What must you do to ensure that a user on a client computer running Windows Server 2003 has a roaming user profile? First, create a shared folder on a network server that will contain the user’s roaming user profile. Second, in the Profiles tab in the Properties dialog box for the user, provide a path to the shared folder on the server. The next time that the user logs on, the roaming user profile is created.
How can you ensure that a user has a centrally located home folder? First, create a shared folder on a network server that will contain the user’s home folder. Second, in the Profiles tab in the Properties dialog box for the user, provide a path to the shared folder on the server. The next time that the user logs on, the home folder is available from the My Computer window.
Which of the following files must be renamed to configure a user profile as mandatory? a. Ntuser.dat b. Ntuser.doc c. Ntuser.man d. Ntuser.txt The correct answer is a. To configure a user profile as mandatory, you must make it read-only by changing the name of the Ntuser.dat file to Ntuser.man.
Why would you rename a user account and what is the advantage of doing so? Rename a user account if you want a new user to have all of the properties of a former user, including permissions, desktop settings, and group membership. The advantage of renaming an account is that you do not have to rebuild all of the properties as you do for a new user account.
Why would you disable a user account and what is the advantage of doing so? Disable a user account when a user does not need an account for an extended period, but will need it again. The advantage of disabling a user account is that when the user returns, you can enable the user account so that the user can log on to the network again without having to rebuild a new account.
How is a disabled user account designated in the Active Directory Users And Computers console? A disabled user account is designated by a red X.
Why should you select the User Must Change Password At Next Logon check box when you reset a user’s password? Select User Must Change Password At Next Logon to force the user to change his or her password the next time he or she logs on. This way, only the user knows the password.
What is a domain local group? A security or distribution group often used to assign permissions to resources. You can use a domain local group to assign permissions to gain access to resources that are located only in the same domain where you create the domain local group. In domains with the domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, domain local groups can contain user accounts, computer accounts, global groups, and universal groups from any domain, and domain local groups from the same domain.
What is a global group? A security or distribution group often used to organize users who share similar network access requirements. You can use a global group to assign permissions to gain access to resources that are located in any domain in the tree or forest. In domains with the domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, global groups can contain user accounts, computer accounts, and global groups from the same domain.
What is a universal group? A security or distribution group often used to assign permissions to related resources in multiple domains. You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest. In domains with the domain functional level set to Windows 2000 mixed, universal groups are not available. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain in the forest.
What is the Run As program? A program that allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.
What is the purpose of using groups? Use groups to simplify administration by granting rights and assigning permissions once to the group rather than multiple times to each individual member.
When should you use security groups rather than distribution groups? Use security groups to assign permissions. Use distribution groups when the only function of the group is not security related, such as an e-mail distribution list. You cannot use distribution groups to assign permissions.
What strategy should you apply when you use global and domain local groups? Place user accounts into global groups, place global groups into domain local groups, and then assign permissions to the domain local group.
Why is replication an issue with universal groups? Universal groups and their members are listed in the global catalog. Therefore, when membership of any universal group changes, the changes must be replicated to every global catalog in the forest, unless the forest functional level is set to Windows Server 2003.
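The account-to-global-to-domain-local strategy described in the answer above, shown as an added PowerShell example (this is not code from the original Q&A or from Microsoft). It uses the ActiveDirectory module cmdlets, which ship with Windows Server 2008 R2 and later; on Windows Server 2003, which the Q&A covers, the same steps are performed in the Active Directory Users And Computers console. The group names, OU path, share path, NetBIOS domain name and user account names are assumed for illustration.

```powershell
# Added example: AGDLP (Accounts -> Global groups -> Domain Local groups -> Permissions).
# All names below are assumed placeholders, not values from the original page.
Import-Module ActiveDirectory

$ouPath    = "OU=Groups,DC=example,DC=com"   # assumed OU that holds the groups
$sharePath = "D:\Shares\Finance"             # assumed folder whose NTFS ACL is set
$domain    = "EXAMPLE"                       # assumed NetBIOS domain name

# 1. Accounts go into a global group, organized by role.
New-ADGroup -Name "GG-Finance-Staff" -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity "GG-Finance-Staff" -Members "alice", "bob"   # assumed accounts

# 2. The global group goes into a domain local group, organized by resource and access level.
New-ADGroup -Name "DL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity "DL-FinanceShare-Modify" -Members "GG-Finance-Staff"

# 3. Permissions are assigned once, to the domain local group, never to individual accounts.
$acl = Get-Acl -Path $sharePath
$ruleArgs = @(
    "$domain\DL-FinanceShare-Modify",   # identity receiving the permission
    "Modify",                           # FileSystemRights
    "ContainerInherit,ObjectInherit",   # apply to subfolders and files
    "None",                             # PropagationFlags
    "Allow"                             # AccessControlType
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check 1: who actually ends up with access through the nesting. -Recursive expands the
# global group that sits inside the domain local group down to the user accounts.
Get-ADGroupMember -Identity "DL-FinanceShare-Modify" -Recursive |
    Select-Object Name, SamAccountName, ObjectClass

# Check 2: only groups should appear as explicit (non-inherited) entries on the folder.
# A user account listed here means someone assigned a permission directly and bypassed
# the strategy; that entry is what the answer above says to avoid.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Running the two checks after a change is the practical way to confirm the strategy is still intact: the first shows effective membership without opening each nested group, and the second catches permissions granted to accounts rather than to the domain local group.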
Which of the following statements about group scope membership are incorrect? (Choose all that apply.) a. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain. b. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from any domain. c. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from the same domain. d. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain. e. In domains with a domain functional level set to Windows 2000 mixed, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain. f. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist. The correct answers are b, c, and e. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist.
Where can you create groups? With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups.
What is deleted when you delete a group? When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group does not delete the user accounts that are members of the group.
What Active Directory components can be members of groups? Members of groups can include user accounts, contacts, other groups, and computers.
In what domain functional level is changing the group scope allowed? What scope changes are permitted in this domain functional level? You can change the scope of groups in domains with the domain functional level set to Windows 2000 native or Windows Server 2003. The following scope changes are permitted: ■ Global to universal, as long as the group is not a member of another group having global scope ■ Domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member ■ Universal to global, as long as the group being converted does not have another universal group as its member ■ Universal to domain local
The name you select for a group must be unique to which of the following Active Directory components? a. forest b. tree c. domain d. site e. OU The correct answer is c. The name you select for a group must be unique to the domain in which the group is created.
Why shouldn’t administrators be assigned to the Administrators group? Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. For most tasks, administrators should be assigned to the Users or Power Users group. To perform administrative-only tasks, administrators should log on as an administrator, perform the task, and then log off.
What is the purpose of the Run As program? The Run As program allows a user to run specific tools and programs with permissions other than those provided by the account with which the user is currently logged on. Therefore, the Run As program can be used to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.
What are the two ways of invoking the Run As Program? The Run As program can be invoked on the desktop or by using the Runas command from the command line.
What is access control? A security mechanism that determines which operations a user, group, service, or computer is authorized to perform on a computer or on a particular object.
What is delegation? An assignment of administrative responsibility that allows users without administrative credentials to complete specific administrative tasks or to manage specific directory objects. Responsibility is assigned through membership in a security group, the Delegation Of Control Wizard, or Group Policy settings.
What is a permission? A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are assigned or denied by the object’s owner.
What is selective authentication? On domain controllers running Windows Server 2003, a method of determining the scope of authentication between two forests joined by a forest trust or two domains joined by an external trust. With these selective trusts, you can make flexible forest- or domain-wide access control decisions.
What are two ways to locate Active Directory objects? There are two ways to locate Active Directory objects: 1) use the Find option on the Active Directory Users And Computers console, and 2) use the Dsquery command.
Which Dsquery command should you use to find users in the directory who have been inactive for two weeks? Dsquery user -inactive 2
Which Dsquery command should you use to find computers in the directory that have been disabled? Dsquery computer -disabled
What is the purpose of the saved queries feature? The saved queries feature enables administrators to create, edit, save, organize and e-mail saved queries in order to monitor or perform a specific task on directory objects.
What is a security principal? A security principal is a user, group, computer, or service that is assigned a SID. A SID uniquely identifies the user, group, computer, or service in the enterprise and is used to manage security principals.
You are trying to assign permissions to an object in its Properties dialog box, but you cannot find the Security tab. How can you fix this problem? To view the Security tab in the Properties dialog box, you must select Advanced Features on the View menu on the Active Directory Users And Computers console.
The permissions check boxes for a security principal are shaded. What does this indicate? If permission is inherited, its check boxes (located in the Security tab in the Properties dialog box for an object, and in the Permission Entry dialog box for an object) are shaded. However, shaded special permissions check boxes do not indicate inherited permissions. These shaded check boxes merely indicate that a special permission exists.
What are effective permissions? Effective permissions are the overall permissions that a security principal has for an object, including group membership and inheritance from parent objects.
Why is it necessary to delegate administrative control of Active Directory objects? You delegate administrative control of domains, OUs, and containers in order to provide other administrators, groups, or users with the ability to manage functions according to their needs.
What is the purpose of the Delegation Of Control Wizard? The Delegation Of Control Wizard is provided to automate and simplify the process of setting administrative permissions for a domain, OU, or container. How can you remove permissions you set by using the Delegation Of Control Wizard? Although the Delegation Of Control Wizard can be used to grant administrative permissions to containers and the objects within them, it cannot be used to remove those privileges. If you need to remove permissions, you must do so manually in the Security tab in the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container.
For which of the following Active Directory objects can you delegate administrative control by using the Delegation Of Control Wizard? (Choose all that apply.) a. Folder b. User c. Group d. Site e. OU f. Domain g. Shared folder The correct answers are a, d, e, and f. Folders, sites, OUs, and domains are all objects for which administrative control can be delegated by using the Delegation Of Control Wizard.
What is Group Policy? A collection of user and computer configuration settings that specifies how programs, network resources, and the operating system work for users and computers in an organization. Group Policy can be linked to computers, sites, domains, and OUs.
What is Computer Configuration node? A node in the Group Policy Object Editor which contains the settings used to set group policies applied to computers, regardless of who logs on to them. Computer configuration settings are applied when the operating system initializes.
What is User Configuration node? A node in the Group Policy Object Editor which contains the settings used to set group policies applied to users, regardless of which computer the user logs on to. User configuration settings are applied when users log on to the computer.
What is a GPO? A GPO is a Group Policy Object. Group Policy configuration settings are contained within a GPO. Each computer running Windows Server 2003 has one local GPO and can, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs.
What are the two types of Group Policy settings and how are they used? The two types of Group Policy settings are computer configuration settings and user configuration settings. Computer configuration settings are used to set group policies applied to computers, regardless of who logs on to them, and are applied when the operating system initializes. User configuration settings are used to set group policies applied to users, regardless of which computer the user logs on to, and are applied when users log on to the computer.
In what order is Group Policy applied to components in the Active Directory structure? Group Policy is applied to Active Directory components in the following order: local computer, site, domain, and then OU.
What is the difference between Block Policy Inheritance and No Override? Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus Block Policy Inheritance deflects all Group Policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from. GPO links set to No Override are always applied and cannot be blocked using the Block Policy Inheritance option. Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override, so that none of its policy settings can be overwritten by any other GPO during the processing of group policies. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy (or higher in the hierarchy specified by the administrator at each fixed level in Active Directory) takes precedence. No Override is applied to the GPO link.
Which of the following nodes contains the registry-based Group Policy settings? a. Software Settings b. Windows Settings c. Administrative Templates d. Security Settings The correct answer is c. The Administrative Templates node contains the registry-based Group Policy settings. The Software Settings node contains only the Software Installation extension. The Windows Settings node contains the settings for configuring the operating system, such as scripts, security settings, folder redirection, and RIS. The Security Settings node contains settings for configuring security levels.
Describe a decentralized GPO design. With a decentralized GPO design, you create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible. Next, you create additional GPOs tailored to the common requirements of each OU, and apply them to the appropriate OUs. The goal of a decentralized GPO design is to include a specific policy setting in as few GPOs as possible. When a change is required, only one (or a few) GPO(s) have to be changed to enforce the change.
If administrative responsibilities in your organization are task-based and delegated among several administrators, which of the following types of GPOs should you plan to create? a. GPOs containing only one type of Group Policy setting b. GPOs containing many types of Group Policy settings c. GPOs containing only computer configuration settings d. GPOs containing only user configuration settings The correct answer is a. For example, a GPO that includes only security settings is best suited for organizations in which administrative responsibilities are task-based and delegated among several individuals.
If you want to create a GPO for a site, what administrative tool should you use? Use the Active Directory Sites And Services console to create a GPO for a site.
Why should you create an MMC for a GPO? If you create an MMC for a GPO, it is easier to administer because you can open it whenever necessary from the Administrative Tools menu.
Besides Read permission, what permission must you assign to allow a user or administrator to see the settings in a GPO? Write permission. A user or administrator who has Read access but not Write access to a GPO cannot use the Group Policy Object Editor to see the settings that it contains.
Why should you disable unused Group Policy settings? Disabling unused Group Policy settings avoids the processing of those settings and expedites startup and logging on for the users and computers subject to the GPO.
How do you prevent a GPO from applying to a specific group? You can prevent a policy from applying to a specific group by denying that group the Apply Group Policy permission for the GPO.
What’s the difference between removing a GPO link and deleting a GPO? When you remove a GPO link to a site, domain, or OU, the GPO still remains in Active Directory. When you delete a GPO, the GPO is removed from Active Directory, and any sites, domains, or OUs to which it is linked are no longer affected by it.
You want to deflect all Group Policy settings that reach the North OU from all of the OU’s parent objects. To accomplish this, which of the following exceptions do you apply and where do you apply it? a. Block Policy Inheritance applied to the OU b. Block Policy Inheritance applied to the GPO c. Block Policy Inheritance applied to the GPO link d. No Override applied to the OU e. No Override applied to the GPO f. No Override applied to the GPO link The correct answer is a. You use the Block Policy Inheritance exception to deflect all Group Policy settings from the parent objects of a site, domain, or OU. Block Policy Inheritance can only be applied directly to a site, domain, or OU, not to a GPO or a GPO link.
You want to ensure that none of the South OU Desktop settings applied to the South OU can be overridden. To accomplish this, which of the following exceptions do you apply and where do you apply it? a. Block Policy Inheritance applied to the OU b. Block Policy Inheritance applied to the GPO c. Block Policy Inheritance applied to the GPO link d. No Override applied to the OU e. No Override applied to the GPO f. No Override applied to the GPO link The correct answer is f. You use the No Override exception to ensure that none of a GPO’s settings can be overridden by any other GPO during the processing of group policies. No Override can only be applied directly to a GPO link.
What is Resultant Set of Policy (RSoP)? A feature that simplifies Group Policy implementation and troubleshooting. RSoP has two modes: Logging mode and Planning mode. Logging mode determines the resultant effect of policy settings that have been applied to an existing user and computer based on a site, domain, and OU. Planning mode simulates the resultant effect of policy settings that are applied to a user and a computer.
What is SharePoint? A centralized location for key folders on a server or servers, which provides users with an access point for storing and finding information and administrators with an access point for managing information.
What is folder redirection? An extension within Group Policy that allows you to redirect the following special folders: Application Data, Desktop, My Documents, My Pictures, and Start Menu.
What is Offline Files? A feature that provides users with access to redirected folders even when they are not connected to the network. Offline Files caches files accessed through folder redirection onto the hard drive of the local computer. When a user accesses a file in a redirected folder, the file is accessed and modified locally. When a user has finished working with the file and has logged off, only then does the file traverse the network for storage on the server.
What is the purpose of generating RSoP queries? RSoP is the sum of the policies applied to the user or computer, including the application of filters (security groups, WMI) and exceptions (No Override, Block Policy Inheritance). Because of the cumulative effects of GPOs, filters, and exceptions, determining a user or computer’s RSoP can be difficult. The ability to generate RSoP queries in Windows Server 2003 makes determining RSoP easier.
What are the three tools available for generating RSoP queries? Windows Server 2003 provides three tools for generating RSoP queries: the Resultant Set Of Policy Wizard, the Gpresult command-line tool, and the Advanced System Information–Policy tool.
What is the difference between Logging mode and Planning mode? Logging mode reports the existing GPO settings for a user or computer. Planning mode simulates the GPO settings that a user and computer might receive, and it enables you to change the simulation.
What is the difference between saving an RSoP query and saving RSoP query data? By saving an RSoP query, you can reuse it for processing another RSoP query later. By saving RSoP query data, you can revisit the RSoP as it appeared for a particular query when the query was created.
Which RSoP query generating tool provides RSoP query results on a console similar to a Group Policy Object Editor console? a. Resultant Set Of Policy Wizard b. Group Policy Wizard c. Gpupdate command-line tool d. Gpresult command-line tool e. Advanced System Information–Policy tool f. Advanced System Information–Services tool The correct answer is a. The Resultant Set Of Policy Wizard provides RSoP query results on a console similar to a Group Policy Object Editor console. There is no Group Policy Wizard. Gpupdate and Gpresult are command-line tools. The Advanced System Information tools provide results in an HTML report that appears in the Help And Support Center window.
What is the purpose of folder redirection? You redirect users’ folders to provide a centralized location for key Windows XP Professional folders on a server or servers. This centralized location, called a sharepoint, provides users with an access point for storing and finding information and administrators with an access point for managing information.
Which folders can be redirected? Windows Server 2003 allows the following special folders to be redirected: Application Data, Desktop, My Documents, My Pictures, and Start Menu.
Under what circumstances should you redirect My Documents to a home folder? Redirect My Documents to a user’s home folder only if you have already deployed home directories in your organization. This option is intended only for organizations that want to maintain compatibility with their existing home directory environment.
What is the purpose of the Offline Files feature? The Offline Files feature provides users with access to redirected folders even when they are not connected to the network.
Which of the following are true statements? Choose three. a. Remote Desktop for Administration is installed by default on computers running Windows Server 2003. b. Remote Desktop for Administration is enabled by default on computers running Windows Server 2003. c. A server can be configured to use Offline Files and Remote Desktop for Administration at the same time. d. A server cannot be configured to use Offline Files and Remote Desktop for Administration at the same time. e. Before attempting to configure the computer to use Offline Files, you must disable Remote Desktop for Administration. f. Before attempting to configure the computer to use Offline Files, you must enable Remote Desktop for Administration. The correct answers are a, d, and e. Remote Desktop for Administration is installed, but not enabled, by default on computers running Windows Server 2003. Because Remote Desktop for Administration and Offline Files are mutually exclusive, a server cannot be configured to use Offline Files and Remote Desktop for Administration at the same time. Therefore, before you can configure a computer to use Offline Files, you must disable Remote Desktop for Administration.
In which Event Viewer log can you find Group Policy failure and warning messages? What type of event log records should you look for? You can find Group Policy failure and warning messages in the application event log. Event log records with the Userenv source pertain to Group Policy events.
What diagnostic log file can you generate to record detailed information about Group Policy processing and in what location is this file generated? You can generate a diagnostic log to record detailed information about Group Policy processing to a log file named Userenv.log in the hidden folder %Systemroot%\Debug\Usermode.
Which of the following actions should you take if you attempt to open a Group Policy Object Editor console for an OU GPO and you receive the message Failed To Open The Group Policy Object? a. Check your permissions for the GPO. b. Check network connectivity. c. Check that the OU exists. d. Check that No Override is set for the GPO. e. Check that Block Policy Inheritance is set for the GPO. The correct answer is b. The message Failed To Open The Group Policy Object indicates a networking problem, specifically a problem with the Domain Name System (DNS) configuration.
Which of the following actions should you take if you attempt to edit a GPO and you receive the message Missing Active Directory Container? a. Check your permissions for the GPO. b. Check network connectivity. c. Check that the OU exists. d. Check that No Override is set for the GPO. e. Check that Block Policy Inheritance is set for the GPO. The correct answer is c. The message Missing Active Directory Container is caused by Group Policy attempting to link a GPO to an OU that it cannot find. The OU might have been deleted, or it might have been created on another domain controller but not replicated to the domain controller that you are using.
Which of the following actions should you take if folder redirection is successful but files and folders are unavailable? Choose two. a. Check the user’s permissions for the redirected folder. b. Check network connectivity. c. Check that the redirected folder exists. d. Check to see if Remote Desktop for Administration is enabled. e. Check to see if the files have extensions that are not synchronized by default. The correct answers are a and b. If folder redirection is successful but files and folders are unavailable, users might not have Full Control for the redirected folder or there might be a connectivity problem with the network. Because folder redirection is successful, the redirected folder does exist. You would check to see if Remote Desktop for Administration is enabled or if files have extensions that are not synchronized by default if you are troubleshooting Offline Files and file synchronization.
What is the Software Installation extension? An extension within Group Policy that is the administrator’s primary tool for managing software within an organization. Software Installation works in conjunction with Group Policy and Active Directory, establishing a Group Policy–based software management system that allows you to centrally manage the initial deployment of software, mandatory and nonmandatory upgrades, patches, quick fixes, and the removal of software.
What is Assign? To deploy a program to members of a group where acceptance of the program is mandatory.
What is Publish? To deploy a program to members of a group where acceptance of the program is at the discretion of the user.
What is a software distribution point (SDP)? In Software Installation, a network location from which users are able to get the software that they need.
What is a Windows Installer package? A file that contains explicit instructions on the installation and removal of specific applications.
What are the hardware requirements for deploying software by using Group Policy? To deploy software by using Group Policy, an organization must be running Windows 2000 Server or later, with Active Directory and Group Policy on the server, and Windows 2000 Professional or later on the client computers.
Describe the tools provided for software deployment. The Software Installation extension in the Group Policy Object Editor console on the server is used by administrators to manage software. Add Or Remove Programs in Control Panel is used by users to manage software on their own computers.
What is the difference between assigning applications and publishing applications? When you assign an application to a user, the application is advertised to the user the next time he or she logs on to a workstation, and local registry settings, including filename extensions, are updated. The application advertisement follows the user regardless of which physical computer he or she logs on to. When you publish the application to users, the application does not appear installed on the users’ computers. No shortcuts are visible on the desktop or Start menu, and no updates are made to the local registry on the users’ computers. You assign required or mandatory software to users or to computers. You publish software that users might find useful to perform their jobs.
What is the purpose of Windows Installer packages? A Windows Installer package is a file that contains explicit instructions on the installation and removal of specific applications.
Which of the following file extensions allows you to deploy software using the Software Installation extension? (Choose two.) a. .mst b. .msi c. .zap d. .zip e. .msp f. .aas The correct answers are b and c. Files with the extension .msi are either native Windows Installer packages or repackaged Windows Installer packages, while files with the extension .zap are application files. Files with the extensions .mst and .msp are modifications and do not allow you to deploy software on their own. Files with the extension .aas are application assignment scripts, which contain instructions associated with the assignment or publication of a package.
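A .zap file is a plain text file with an [Application] section that names the program and the setup command Software Installation should run, plus an optional [Ext] section of file extensions. The validator below is an added example, not part of the original notes; it parses a .zap file and reports the problems that most often stop one from being published (missing section or keys, a setup path that is not on a share). The sample .zap text and the "Contoso Viewer" application in it are constructed for the example.

```powershell
# Added example (not from the original notes): parse and validate a .zap file
# before publishing it. The sample .zap content below is constructed.

function ConvertFrom-ZapFile {
    # Minimal INI parser: returns a hashtable of section -> hashtable of key/value
    param([Parameter(Mandatory)][string[]]$Lines)
    $ini = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-ZapFile {
    # Returns a list of problems; an empty list means the file can be published
    param([Parameter(Mandatory)][string[]]$Lines)
    $problems = New-Object System.Collections.Generic.List[string]
    $ini = ConvertFrom-ZapFile -Lines $Lines
    if (-not $ini.ContainsKey('Application')) {
        $problems.Add('Missing required [Application] section')
        return $problems
    }
    $app = $ini['Application']
    foreach ($key in 'FriendlyName', 'SetupCommand') {
        if (-not $app.ContainsKey($key) -or $app[$key] -eq '') {
            $problems.Add("[Application] is missing required key $key")
        }
    }
    # A .zap just runs the existing setup program (no Windows Installer repair or
    # rollback), so the setup command must be reachable from every client: a UNC
    # path on the software distribution point, not a local drive letter.
    if ($app['SetupCommand'] -and $app['SetupCommand'] -notmatch '^"?\\\\') {
        $problems.Add('SetupCommand should be a UNC path on the software distribution point')
    }
    if ($ini.ContainsKey('Ext')) {
        foreach ($ext in $ini['Ext'].Keys) {
            if ($ext -notmatch '^[A-Za-z0-9]+$') { $problems.Add("Bad extension entry in [Ext]: $ext") }
        }
    }
    return $problems
}

# Constructed sample .zap for a hypothetical application
$sampleZap = @'
[Application]
FriendlyName = Contoso Viewer 1.0
SetupCommand = \\fileserver\sdp\viewer\setup.exe /quiet
DisplayVersion = 1.0
Publisher = Contoso

[Ext]
CVW=
'@ -split "`r?`n"

Test-ZapFile -Lines $sampleZap                                    # valid: nothing reported
Test-ZapFile -Lines @('[Application]', 'FriendlyName=Broken')     # reports the missing SetupCommand
Test-ZapFile -Lines (Get-Content -Path '\\fileserver\sdp\viewer\viewer.zap' -ErrorAction SilentlyContinue)
```

The last call shows how a real file on the SDP would be checked; the path is a placeholder.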
Why is it necessary to set up an SDP? You must set up an SDP to provide a network location from which users can get the software that they need.
What feature is configured in the File Extensions tab in the Software Installation Properties dialog box? In the File Extensions tab in the Software Installation Properties dialog box, you specify which application users install when they open a file with an unknown extension. You can also configure a priority for installing applications when multiple applications are associated with an unknown file extension.
What feature is configured in the Categories tab in the Software Installation Properties dialog box? In the Categories tab in the Software Installation Properties dialog box, you can designate categories for organizing assigned and published applications to make it easier for users to locate the appropriate application from within Add Or Remove Programs in Control Panel.
What feature is configured in the Modifications tab in the Properties dialog box for a Windows Installer package? In the Modifications tab in the Properties dialog box for a Windows Installer package, you can add modifications, remove modifications, and set the order of modifications. If the modifications are not properly configured, you will have to uninstall the package or upgrade the package with a correctly configured version.
You want to ensure that all users of the KC23 workstation can run FrontPage 2000. What action should you perform? a. Assign the application to the computer. b. Assign the application to users. c. Publish the application to the computer. d. Publish the application to users. The correct answer is a. Assigning the application to the KC23 workstation is the only way to ensure that all users of the workstation can run FrontPage 2000.
What is the difference between redeploying and upgrading an application deployed with Group Policy? You redeploy an application previously deployed with Group Policy if there are small changes that need to be made to the original software deployment configuration. You upgrade an application previously deployed with Group Policy if the original developer of the software releases a new version of the software or if your organization chooses to use a different vendor’s application. Upgrades typically involve major changes to the software and normally have new version numbers. Usually a substantial number of files change for an upgrade.
Why shouldn’t you give users the option of applying an upgrade? If users have the option of applying the upgrade, they might or might not choose to apply it, which could cause application version variances within an organization.
What happens if you delete a GPO that deploys a software application before you choose the software removal method you want to implement and allow the software removal to be processed? If you delete a GPO that deploys a software application before you choose the software removal method you want to implement and allow the software removal to be processed, the application cannot be uninstalled with Group Policy. If the application cannot be uninstalled with Group Policy, you (or the users) must manually uninstall the application from each client computer.
A software application deployed with Group Policy in your organization is no longer used. You no longer want users to be able to install or run the software. What action should you perform? a. Execute a forced removal b. Execute an optional removal c. Redeploy the application d. Upgrade the application The correct answer is a. If you no longer want users to be able to install or run the software, you should execute a forced removal.
Which of the following actions should you perform if a user attempts to install an assigned application and receives the message Another Installation Is Already In Progress? a. Check your permissions for the GPO b. Check network connectivity c. Check your permissions for the SDP d. Wait for the installation to complete The correct answer is d. The message Another Installation Is Already In Progress indicates that Windows Installer is already running another installation. You must wait for the installation to complete and then try your installation again.
Which of the following actions should you perform if a user attempts to install an assigned application and receives the message The Feature You Are Trying To Install Cannot Be Found In The Source Directory? Choose two. a. Check your permissions for the GPO b. Check connectivity with the SDP c. Check your permissions for the SDP d. Wait for the installation to complete e. Set the auto-install property for the package The correct answers are b and c. The message The Feature You Are Trying To Install Cannot Be Found In The Source Directory can be caused by a connectivity problem to the SDP or by insufficient user permission for the SDP. There are also other reasons for receiving this message.
You are preparing a package for deployment. Which of the following actions should you perform if you receive the message Cannot Prepare Package For Deployment? a. Check your permissions for the GPO b. Check connectivity with the SDP c. Check your permissions for the SDP d. Set the appropriate category for the package e. Set the auto-install property for the package The correct answer is b. If you are preparing a package for deployment and you receive the message Cannot Prepare Package For Deployment, one of the actions you should take is to check connectivity with the SDP.
Which of the following actions should you take if a user double-clicks a document associated with a published application and a different application than the expected one installs? a. Set the auto-install property for the package b. Clear the auto-install property for the package c. Adjust the precedence for the expected application in the Application Precedence list d. Delete the unexpected application from the Application Precedence list The correct answer is c. If a user double-clicks a document associated with a published application and a different application than the expected one installs, you should adjust the precedence for the expected application in the Application Precedence list.
What is a security template? A physical representation of a security configuration; a single file where a group of security settings is stored.
What are software restriction policies? Security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or OU.
What is an audit policy? A policy that determines the security events to be reported to the network administrator.
How are account policies different from other security policies? Account policies can be applied only to the root domain of the domain tree. They cannot be applied to sites or OUs.
What is the difference between user rights and permissions?
User rights are assigned to user and group accounts and applied through a GPO to sites, domains, or OUs. Permissions attached to objects are assigned to user and group accounts. Additionally, because user rights are part of a GPO, user rights can be overridden depending on the GPO affecting the computer or user.
For which logs are attributes defined in the Event Log security area? The Event Log security area defines attributes related to the application, security, and system event logs in the Event Viewer console.
How can you set autoenrollment of user certificates? You set autoenrollment of user certificates in the Autoenrollment Settings Properties dialog box, which you can access by opening Autoenrollment Settings in Computer Configuration or User Configuration/Windows Settings/Security Settings/Public Key Policies in a GPO for a site, domain, or OU.
In which of the following security areas would you find the settings for determining which security events are logged in the security log on the computer? a. Event Log b. Account Policies c. Local Policies d. Restricted Groups The correct answer is c. You determine which security events are logged in the security log on the computer in the Audit Policy settings in the Local Policies security area.
What is the purpose of software restriction policies? Software restriction policies address the problem of regulating unknown or untrusted code. Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or OU.
Explain the two default security levels. There are two default security levels for software restriction policies: Disallowed, which does not allow the software to run, regardless of the access rights of the user who is logged on to the computer, and Unrestricted, which allows software to run with the full rights of the user who is logged on to the computer. If the default level is set to Disallowed, you can identify and create rule exceptions for the programs that you trust to run. If the default level is set to Unrestricted, you can identify and create rules for the set of programs that you want to prohibit from running.
Describe how software is identified by software restriction policies. Using software restriction policies, software can be identified by its
■ Hash, a series of bytes with a fixed length that uniquely identify a program or file
■ Certificate, a digital document used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets
■ Path, a sequence of folder names that specifies the location of the software within the directory tree
■ Internet zone, a subtree specified through Internet Explorer: Internet, Intranet, Restricted Sites, Trusted Sites, or My Computer
List the order of rule precedence. Rules are applied in the following order of precedence: hash rules, certificate rules, path rules (in a conflict, the most restrictive path rule takes precedence), and Internet zone rules.
Which of the following rule types applies only to Windows Installer packages? a. Hash rules b. Certificate rules c. Internet zone rules d. Path rules The correct answer is c. Internet zone rules apply only to Windows Installer packages.
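The rule precedence above is easiest to see with a small model. The script below is an added example, not part of the original notes and not how Windows itself evaluates software restriction policies; it applies constructed rules to constructed file descriptions in the order hash, certificate, path, Internet zone, then the default level. For the path conflict case it goes slightly beyond the notes: Windows resolves two matching path rules by taking the more specific (longer) path, which is what makes the rule for a subfolder win over the rule for its parent.

```powershell
# Added example (not from the original notes): a model of software restriction
# policy rule precedence. Rules and file descriptions are constructed.

function Resolve-SrpLevel {
    param(
        [Parameter(Mandatory)][hashtable]$File,    # keys: Hash, Signer, Path, Zone
        [Parameter(Mandatory)][object[]]$Rules,    # objects with Type, Match, Level
        [string]$DefaultLevel = 'Disallowed'       # the GPO's default security level
    )
    # 1. Hash rules: an exact match on the file's hash beats everything else
    $hash = @($Rules | Where-Object { $_.Type -eq 'Hash' -and $_.Match -eq $File.Hash })
    if ($hash) { return "$($hash[0].Level) (hash rule)" }

    # 2. Certificate rules: match on the publisher certificate the file is signed with
    $cert = @($Rules | Where-Object { $_.Type -eq 'Certificate' -and $_.Match -eq $File.Signer })
    if ($cert) { return "$($cert[0].Level) (certificate rule)" }

    # 3. Path rules: a rule matches when the file lives under its path; when several
    #    match, the most specific (longest) path decides the conflict
    $path = @($Rules |
              Where-Object { $_.Type -eq 'Path' -and $File.Path.StartsWith($_.Match, 'OrdinalIgnoreCase') } |
              Sort-Object { $_.Match.Length } -Descending)
    if ($path) { return "$($path[0].Level) (path rule $($path[0].Match))" }

    # 4. Internet zone rules (only meaningful for Windows Installer packages)
    $zone = @($Rules | Where-Object { $_.Type -eq 'Zone' -and $_.Match -eq $File.Zone })
    if ($zone) { return "$($zone[0].Level) (Internet zone rule)" }

    # 5. Nothing matched: the default level applies
    return "$DefaultLevel (default level)"
}

# Constructed rule set: trust Program Files, except one retired tool that is blocked
$rules = @(
    [pscustomobject]@{ Type = 'Path';        Match = 'C:\Program Files\';          Level = 'Unrestricted' },
    [pscustomobject]@{ Type = 'Path';        Match = 'C:\Program Files\OldTool\';  Level = 'Disallowed' },
    [pscustomobject]@{ Type = 'Hash';        Match = 'HASH-OF-APPROVED-BUILD';     Level = 'Unrestricted' },
    [pscustomobject]@{ Type = 'Certificate'; Match = 'CN=Contoso Code Signing';    Level = 'Unrestricted' },
    [pscustomobject]@{ Type = 'Zone';        Match = 'Internet';                   Level = 'Disallowed' }
)

# Both path rules match; the more specific Disallowed rule wins
Resolve-SrpLevel -Rules $rules -File @{ Hash = 'h1'; Signer = ''; Path = 'C:\Program Files\OldTool\old.exe'; Zone = 'My Computer' }
# A hash rule for an approved build outranks the Disallowed path rule covering the same file
Resolve-SrpLevel -Rules $rules -File @{ Hash = 'HASH-OF-APPROVED-BUILD'; Signer = ''; Path = 'C:\Program Files\OldTool\old.exe'; Zone = 'My Computer' }
# Nothing matches, so the default level decides
Resolve-SrpLevel -Rules $rules -File @{ Hash = 'h2'; Signer = ''; Path = 'D:\downloads\setup.msi'; Zone = 'Intranet' }
```

Changing `-DefaultLevel 'Unrestricted'` in the last call shows the other design the notes describe: everything runs unless a rule prohibits it.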
What is the purpose of auditing? Auditing is a tool for maintaining network security. Auditing allows you to track user activities and system-wide events.
Where can you view audited events? You use the security log in the Event Viewer console to view audited events.
What is an audit policy? An audit policy defines the categories of events recorded in the security log on each computer. You set the Audit Policy settings in the Computer Configuration/Windows Settings/Security Settings/ Local Policies/Audit Policy extensions in a GPO.
Which event categories require you to configure specific objects for auditing to log the events? If you have specified the Audit Directory Service Access event category or the Audit Object Access event category to audit, you must configure the objects for auditing.
Which of the following event categories should you audit if you want to find out if an unauthorized person is trying to access a user account by entering random passwords or by using password-cracking software? Choose all that apply. a. Logon Events—success events b. Logon Events—failure events c. Account Logon—success events d. Account Logon—failure events The correct answers are b and d. By auditing failure events in the Logon Events category, you can monitor logon failures that might indicate that an unauthorized person is trying to access a user account by entering random passwords or by using password-cracking software. By auditing failure events in the Account Logon category, you can monitor logon failures that might indicate an unauthorized person is trying to access a domain account by using brute force.
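Turning on failure auditing only produces the records; someone still has to look for the pattern. The script below is an added example, not part of the original notes: it groups logon failures per account and reports any account that collects a threshold number of failures inside a short window, which is the signature of password guessing. The events are constructed sample records shaped like Windows Server 2003 security log entries (529 is a Logon Events failure for a bad user name or password, 675 and 680 are Account Logon failures recorded on the domain controller); the live-collection command in the comment at the end is what an administrator would feed in instead.

```powershell
# Added example (not from the original notes): find bursts of logon failures
# per account in audited security log events. Sample events are constructed.

function Find-LogonFailureBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeGenerated, EventID, Account, Source
        [int]$Threshold = 5,                       # failures for one account inside one window
        [int]$WindowMinutes = 10
    )
    # 529: logon failure, bad user name or password (Logon Events, on the targeted machine)
    # 675: Kerberos pre-authentication failed; 680: NTLM authentication failed (Account Logon, on the DC)
    $failures = $Events | Where-Object { $_.EventID -in 529, 675, 680 }
    foreach ($group in ($failures | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object TimeGenerated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window starting at each failure: how many more fall within WindowMinutes?
            $start = $sorted[$i].TimeGenerated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeGenerated -ge $start -and $_.TimeGenerated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Account  = $group.Name
                    Failures = $inWindow.Count
                    From     = $start
                    To       = $inWindow[-1].TimeGenerated
                    Sources  = (@($inWindow | ForEach-Object { $_.Source }) | Sort-Object -Unique) -join ', '
                }
                break   # one finding per account is enough
            }
        }
    }
}

# Constructed sample: six bad-password attempts against one account from one
# workstation in under three minutes, one typo by another user, and that user's
# successful logon (528), which must not be counted.
$t0 = Get-Date '2024-01-15 08:00:00'
$sample = New-Object System.Collections.Generic.List[object]
foreach ($n in 0..5) {
    $sample.Add([pscustomobject]@{ TimeGenerated = $t0.AddSeconds(30 * $n); EventID = 529; Account = 'jsmith'; Source = '10.0.0.15' })
}
$sample.Add([pscustomobject]@{ TimeGenerated = $t0.AddMinutes(2); EventID = 529; Account = 'adoe'; Source = '10.0.0.22' })
$sample.Add([pscustomobject]@{ TimeGenerated = $t0.AddMinutes(3); EventID = 528; Account = 'adoe'; Source = '10.0.0.22' })

Find-LogonFailureBursts -Events $sample.ToArray() | Format-Table -AutoSize

# Live use on a Windows Server 2003 domain controller (run as an administrator).
# The account name and source sit in the event's ReplacementStrings at positions
# that differ per event ID, so map them per ID before calling the function:
# Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddHours(-1)
```

Only the jsmith account crosses the threshold in the sample; the single adoe failure is ordinary and stays out of the report.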
What information is logged in the security log? The security log contains information on security events that are specified in the audit policy.
What is the default size of the security log? The default size of the security log is 512 KB.
In which of the following file formats can you archive a security log? Choose three. a. .txt b. .doc c. .rtf d. .bmp e. .evt f. .csv g. .crv The correct answers are a, e, and f. Logs can be saved as text (*.txt), event log (*.evt), or comma-delimited (*.csv) file format.
In which of the following archived file formats can you reopen the file in the Event Viewer console? a. .txt b. .doc c. .rtf d. .bmp e. .evt f. .csv g. .crv The correct answer is e. If you archive a log in log-file (*.evt) format, you can reopen it in the Event Viewer console.
You filtered a security log to display only the events with Event ID 576. Then you archived this log. What information is saved? a. The entire log is saved b. The filtered log is saved c. The entire log and the filtered log are each saved separately d. No log is saved The correct answer is a. When you archive a log, the entire log is saved, regardless of filtering options.
What is the purpose of security templates? A security template is a physical representation of a security configuration, a single file where a group of security settings is stored. You can use security templates to define the Account Policies, Local Policies, Event Log, Restricted Groups, Registry, and File System settings in a GPO. You can import (apply) a security template file to a local or nonlocal GPO. All computer or user accounts in the site, domain, or OU to which the GPO is applied receive the security template settings. Importing a security template to a GPO eases domain administration by configuring security for multiple computers at once.
For which settings can security templates not be used? You cannot use security templates to define the IP Security, Public Key, Software Restriction, and Wireless Network security settings in a GPO.
What is the purpose of the predefined security templates? The predefined security templates are based on the role of a computer and common security scenarios. These templates can be used as provided, they can be modified, or they can serve as a basis for creating custom security templates.
Where are the predefined security templates stored? By default, predefined templates are stored in the %Systemroot%\Security\Templates folder.
Which of the following predefined security templates can be used to change the default file and registry permissions granted to the Users group so that members of the group can use most noncertified applications? a. Compatible workstation or server security settings (Compatws.inf) b. Default security settings updated for domain controllers (DC security.inf) c. Secure domain controller security settings (Securedc.inf) d. Out of the box default security settings (Setup security.inf) The correct answer is a. Only the Compatible template changes the default file and registry permissions granted to the Users group so that these members can use most noncertified applications.
What is the function of the Security Configuration And Analysis feature? The Security Configuration And Analysis feature is a tool for analyzing and configuring local system security. This feature compares the effects of one security template or the combined effects of a number of security templates with the currently defined security settings on a local computer.
What item is contained in the security configuration and analysis database? The security configuration and analysis database contains the security template that you want to compare with the settings currently defined on the computer.
What actions are performed during a security analysis? Security analysis compares the current state of system security against a security template in the security configuration and analysis database. The local computer’s security settings are queried for all security areas in the database configuration, and the values are compared. If the local computer settings match the database configuration settings, they are assumed to be correct. If not, the policies in question are displayed as potential problems that need investigation.
What actions are performed during a security configuration? Security configuration applies the stored template configuration in the security configuration and analysis database to the local computer.
In the security analysis results, which icon represents a difference from the database configuration? a. A red X b. A red exclamation point c. A green check mark d. A black question mark The correct answer is a. A red X indicates a difference from the database configuration.
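The same analyze-then-configure cycle can be run from the command line with secedit, which is what the Security Configuration And Analysis snap-in drives underneath. The functions below are an added example, not from the original notes: one loads a predefined template from %Systemroot%\Security\Templates into a database and analyzes the local computer against it, listing the settings that differ (the red X entries); the other applies the database to the computer. The way the analysis log is parsed rests on an assumption stated in the code, that secedit writes one "Mismatch - <setting>." line per difference. Run as an administrator.

```powershell
# Added example (not from the original notes): analyze and configure the local
# computer against a security template with secedit.exe.

$TemplateDir = "$env:SystemRoot\Security\Templates"

function Invoke-SecurityTemplateAnalysis {
    param(
        [string]$TemplateName = 'securews.inf',   # any predefined or custom template in $TemplateDir
        [string]$WorkDir = $env:TEMP
    )
    $template = Join-Path $TemplateDir $TemplateName
    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'analysis.log'
    foreach ($f in $db, $log) { if (Test-Path $f) { Remove-Item $f -Force } }

    # Import the template into a fresh database and compare the current settings with it
    & secedit.exe /analyze /db $db /cfg $template /log $log | Out-Null

    # Assumption about the log format: one "Mismatch - <setting>." line per difference
    # (a red X in the snap-in) and "Not Configured - <setting>." for settings the
    # template leaves undefined.
    Get-Content -Path $log | ForEach-Object {
        if ($_ -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
            [pscustomobject]@{ Status = $Matches[1]; Setting = $Matches[2]; Template = $TemplateName }
        }
    }
}

function Invoke-SecurityTemplateConfiguration {
    # The "configure" step: apply the template stored in the analysis database
    # to the local computer. Review the analysis output first.
    param([string]$WorkDir = $env:TEMP)
    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'configure.log'
    & secedit.exe /configure /db $db /log $log
}

# Which settings on this machine differ from the Compatible workstation template?
Invoke-SecurityTemplateAnalysis -TemplateName 'compatws.inf' |
    Where-Object { $_.Status -eq 'Mismatch' } |
    Format-Table -AutoSize
```

Keeping the database and log in a scratch folder means a repeated analysis always starts from the template alone, rather than from a database that already holds an earlier import.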
What is the directory service log? A tool that displays errors, warnings, and information generated by Active Directory. If you experience problems with Active Directory, use the directory service log first to locate the causes of the problem.
What is the file replication service log? A tool that displays errors, warnings, and information generated by FRS.
What is System Monitor? A tool that allows you to collect and view extensive data about the usage of hardware resources and the activity of system services on computers you administer.
Which Active Directory performance-monitoring tool should you use first to locate the causes of a problem with Active Directory? You should examine the directory service log in Event Viewer.
What is the function of System Monitor? System Monitor is a tool that supports detailed monitoring of the use of operating system resources.
What is the difference between a performance object and a performance counter? A performance object is a logical collection of performance counters associated with a resource or service that can be monitored. A performance counter is a value that applies to a performance object.
In what format does a histogram display performance data? A histogram displays performance data in a bar graph format.
Which of the following is not a function of System Monitor? a. Enables you to view current Active Directory performance data b. Enables you to view previously recorded Active Directory performance data
c. Enables you to view errors and warnings generated by Active Directory d. Enables you to collect real-time performance data from a local computer e. Enables you to collect real-time performance data from a specific computer on the network where you have permission The correct answer is c. You can view errors and warnings generated by Active Directory on the directory service log, but not System Monitor.
What is the function of a counter log? Counter logs record sampled data about hardware resources and system services based on performance objects and counters in the same manner as System Monitor.
What is the function of a trace log? Trace logs collect event traces that measure performance statistics associated with events such as disk and file I/O, page faults, and thread activity.
In which locations can you view performance data logged in a counter log? You can view logged counter data using System Monitor or export the data to a file for analysis and report generation.
What is the function of an alert? An alert detects when a predefined counter value rises above or falls below the configured threshold and notifies a user by means of the Messenger service. Alerts enable you to define a counter value that triggers actions such as sending a network message, running a program, making an entry in the application log, or starting a log.
Which of the following actions can be triggered by an alert? (Choose two.) a. Logging an entry into the application log b. Starting logging automatically c. Sending a network message to a computer d. Stopping logging automatically e. Presenting data in a graph format The correct answers are a and c. The actions that can be triggered by an alert include logging an entry in the application log in Event Viewer and sending a network message to a computer.
What action should you take to troubleshoot problems indicated by error and warning messages in the directory service log? Double-click the error or warning message and examine the header information in the Properties dialog box for the message. In the header, you can find out the date and time the problem occurred, and the user and computer affected by the problem. In the Description box in the Properties dialog box for the message, you can read a text description of the problem.
What registry subkey contains the entries for which you can increase the logging level to retrieve more detailed information in the directory service log? HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Why should you leave logging levels set to 0 unless you are investigating a problem? You should leave logging levels set to 0 unless you are investigating a problem because increasing the logging level increases the detail of the messages and the number of messages emitted and can degrade server performance.
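Because a raised logging level costs performance and is easy to forget, it is worth scripting the change so the level is put back automatically. The functions below are an added example, not from the original notes: one lists the current level of every entry under the Diagnostics key the notes give, the other raises one entry for the duration of a script block and restores it in a finally block. The entry name used, "5 Replication Events", is one of the standard value names under that key; the level range 0 to 5 is the one the key accepts. Run on the domain controller as an administrator.

```powershell
# Added example (not from the original notes): temporarily raise an NTDS
# diagnostics logging level and always put it back.

$NtdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevels {
    # One row per entry with its current level (0 = only critical events, 5 = most verbose)
    $item = Get-ItemProperty -Path $NtdsDiag
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |
        ForEach-Object { [pscustomobject]@{ Entry = $_.Name; Level = [int]$_.Value } }
}

function Invoke-WithNtdsLogging {
    param(
        [Parameter(Mandatory)][string]$Entry,             # e.g. '5 Replication Events'
        [ValidateRange(0, 5)][int]$Level = 3,
        [Parameter(Mandatory)][scriptblock]$Action        # the investigation to run while verbose
    )
    $original = [int](Get-ItemProperty -Path $NtdsDiag -Name $Entry).$Entry
    try {
        Set-ItemProperty -Path $NtdsDiag -Name $Entry -Value $Level -Type DWord
        & $Action
    }
    finally {
        # Restore the previous level (normally 0) even if the action throws
        Set-ItemProperty -Path $NtdsDiag -Name $Entry -Value $original -Type DWord
    }
}

# Anything still raised from an earlier investigation?
Get-NtdsDiagnosticLevels | Where-Object { $_.Level -gt 0 }

# Log replication detail only while a forced synchronization runs, then reset
Invoke-WithNtdsLogging -Entry '5 Replication Events' -Level 3 -Action { repadmin /syncall /e }
```

The first call is the check to run on any domain controller that feels slow: a non-zero level left behind shows up immediately.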
What are the four steps in the process of analyzing and interpreting performance-monitoring results? The four steps are (1) establish a baseline, (2) analyze performance-monitoring results, (3) plan and implement changes to meet the baseline, and (4) repeat steps 2 and 3 until performance is optimized.
In the process of analyzing and interpreting performance-monitoring results, what is a baseline? A baseline is a measurement derived from the collection of data over an extended period during varying workloads and user connections, representing acceptable performance under typical operating conditions. The baseline indicates how system resources are used during periods of normal activity and makes it easier to spot problems when they occur.
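The baseline and the alert threshold belong together: the threshold an alert watches for should come from what the baseline says normal looks like. The script below is an added example, not from the original notes; it builds a baseline (mean and spread) from a run of samples, derives an alert threshold from it, and checks new readings against that threshold, which is the counter-value test an alert performs. The samples are constructed to look like a week of hourly readings with a daily cycle; the Get-Counter call in the closing comment is how real ones would be collected. Treating three standard deviations as the alert line is a choice made here, not something the notes specify.

```powershell
# Added example (not from the original notes): derive an alert threshold from a
# performance baseline and test readings against it. Samples are constructed.

function New-CounterBaseline {
    param(
        [Parameter(Mandatory)][double[]]$Samples,
        [double]$Sigma = 3      # how many standard deviations above the mean count as abnormal
    )
    $mean = ($Samples | Measure-Object -Average).Average
    $var  = ($Samples | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
    $sd   = [math]::Sqrt($var)
    [pscustomobject]@{
        Samples   = $Samples.Count
        Mean      = [math]::Round($mean, 2)
        StdDev    = [math]::Round($sd, 2)
        Threshold = [math]::Round($mean + $Sigma * $sd, 2)   # alert when a reading rises above this
    }
}

function Test-CounterAlert {
    param(
        [Parameter(Mandatory)]$Baseline,
        [Parameter(Mandatory)][double]$Value,
        [string]$Counter = '\NTDS\DS Directory Reads/sec'
    )
    # A real alert would also act (application log entry, network message, start a log);
    # this only reports the decision.
    [pscustomobject]@{
        Counter   = $Counter
        Value     = $Value
        Threshold = $Baseline.Threshold
        Alert     = $Value -gt $Baseline.Threshold
    }
}

# Constructed baseline: 168 hourly readings, a daily cycle around 40 with a little noise
$baselineSamples = 1..168 | ForEach-Object {
    40 + 10 * [math]::Sin($_ / 24 * 2 * [math]::PI) + (Get-Random -Minimum -3 -Maximum 4)
}
$baseline = New-CounterBaseline -Samples $baselineSamples
$baseline

Test-CounterAlert -Baseline $baseline -Value 52    # inside the normal band
Test-CounterAlert -Baseline $baseline -Value 95    # well above it: alert

# Live samples (Windows PowerShell 2.0 or later, on the domain controller):
# $live = (Get-Counter '\NTDS\DS Directory Reads/sec' -SampleInterval 5 -MaxSamples 60).CounterSamples.CookedValue
# New-CounterBaseline -Samples $live
```

Re-running New-CounterBaseline after a change is step 4 of the process the notes describe: the new baseline shows whether the change moved normal behaviour or not.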
Active Directory Facts
Active Directory is based on the LDAP (Lightweight Directory Access Protocol) standard.
Active Directory uses DNS for locating and naming objects.
The tree root domain is the highest-level Active Directory domain in a tree (a tree root domain can also be a forest root domain).
A tree is a group of domains based on the same name space. Domains in a tree:
o Are connected with a two-way transitive trust.
o Share a common schema.
o Have common global catalogs.
A schema makes up the attributes of an object in a tree.
The forest root domain is the first domain created in the Active Directory forest. There are dedicated and regional forest root domains.
Container objects are designed to contain other objects, either other containers or leaf objects. Domain container objects can contain Organizational Unit (OU) container objects. First-level OUs can be called parents. Second-level OUs can be called children.
OUs can contain other OUs or any type of leaf object (e.g., users, computers, printers). You cannot assign rights and permissions to OUs. You can assign GPOs (Group Policy Objects) to OUs.
An Active Directory site is one or more well-connected, highly reliable, fast TCP/IP subnets. All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).
A site link cost is a value assigned to a link that is used to regulate the traffic according to the speed of the link. The higher the site link cost, the slower the link speed.
Domain controllers are servers that contain copies of the Active Directory database that can be written to. Domain controllers participate in replication.
The Active Directory database is partitioned and replicated. There are four types of Active Directory database partitions:
o Domain
o Configuration
o Schema
o Application
Users find objects in Active Directory by querying the database.
The first domain controller installed in the forest automatically becomes the global catalog server for that domain.
Installation Facts
Active Directory requires the following:
o TCP/IP running on the servers and clients.
o A DNS server with SRV support.
o Windows 2000 or 2003 operating systems.
After installing Windows 2003, you can install Active Directory using the Dcpromo command.
Members of the Domain Admins group can add domain controllers to a domain.
Members of the Enterprise Admins group can perform administrative tasks across the entire network, including:
o Change the Active Directory forest configuration by adding/removing domains. (New domains are created when the first domain controller is installed. Domains are removed when the last domain controller is uninstalled.)
o Add/remove sites.
o Change the distribution of subnets or servers in a site.
o Change site link configuration.
Advanced Installation Facts
If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory structure, you must first prepare Active Directory for the installation by taking the following steps:
1. Apply Service Pack 2 or later on all domain controllers.
2. Back up your data.
3. On the schema master for the forest, disconnect the server from the network and run Adprep /forestprep.
4. Reconnect the server and wait at least 15 minutes (or as long as half a day or more) for synchronization to occur.
5. If Active Directory has multiple domains, or if the infrastructure master for the domain is on a different server than the schema master, run Adprep /domainprep on the infrastructure master for the domain.
Keep in mind the following facts about using Adprep:
To run /forestprep, you must be a member of the Schema Admins or Enterprise Admins group.
To run /domainprep, you must be a member of the Domain Admins or Enterprise Admins group.
If you have a single domain, and the infrastructure master is on the same server as the schema master, you do not need to run /domainprep (/forestprep performs all necessary functions to prepare Active Directory).
You should know the following facts about Active Directory advanced installations:
Installing from a replica media set will create the initial Active Directory database using a backup copy and then replicate in any changes since the backup. This prevents much of the replication traffic that is normally created on a network when a server is promoted to a domain controller.
To rename domain controllers, the domain functional level must be at least Windows 2003 (this means all domain controllers must be running Windows 2003).
Installation Tools
You can use the following tools to troubleshoot an Active Directory installation:
Tool: Description
Directory Services log: Use Event Viewer to examine the log. The log lists informational, warning, and error events.
Netdiag: Run from the command line. Tests for domain controller connectivity (in some cases, it can make repairs).
DCDiag: Analyzes domain controller states and tests different functional levels of Active Directory.
Dcpromo log files: Located in the %Systemroot%\Debug folder. Dcpromoui gives a detailed progress report of Active Directory installation and removal. Dcpromos is created when a Windows 3.x or NT 4 domain controller is promoted.
Ntdsutil: Can remove orphaned data or a domain controller object from Active Directory.
You can also check the following settings to begin troubleshooting an Active Directory installation:
Make sure the DNS name is properly registered.
Check the spelling in the configuration settings.
PING the computer to verify connectivity.
Verify the domain name to which you are authenticating.
Verify that the username and password are correct.
Verify the DNS settings.
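The DNS and connectivity items on that list can be checked from the prospective domain controller before Dcpromo is run. The function below is an added example, not from the original notes: it confirms a DNS server is configured, that the domain name resolves, that DNS holds the _ldap._tcp.dc._msdcs SRV records through which domain controllers are located (the "DNS server with SRV support" requirement), and that at least one advertised domain controller answers a ping. It uses the DnsClient and NetTCPIP cmdlets that ship with Windows Server 2012 and later; on a Windows Server 2003 host the same checks are nslookup, ping and ipconfig /all. The domain name in the usage line is a placeholder.

```powershell
# Added example (not from the original notes): pre-installation DNS and
# connectivity checks for an Active Directory domain. Domain name is a placeholder.

function Test-AdInstallPrereqs {
    param([Parameter(Mandatory)][string]$DomainName)
    $checks = @()

    # 1. Is any DNS server configured on this computer's TCP/IP settings?
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                    Where-Object { $_.ServerAddresses } |
                    ForEach-Object { $_.ServerAddresses })
    $checks += [pscustomobject]@{ Check = 'DNS server configured'; OK = ($dnsServers.Count -gt 0); Detail = ($dnsServers -join ', ') }

    # 2. Does the domain name resolve? (a misspelled domain name fails here)
    $a = Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue
    $ips = @($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $checks += [pscustomobject]@{ Check = 'Domain name resolves'; OK = ($ips.Count -gt 0); Detail = ($ips -join ', ') }

    # 3. Are the SRV records that locate domain controllers registered?
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    $checks += [pscustomobject]@{ Check = 'LDAP SRV records registered'; OK = ($dcs.Count -gt 0); Detail = ($dcs -join ', ') }

    # 4. Does at least one advertised domain controller answer a ping?
    $reachable = @($dcs | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
    $checks += [pscustomobject]@{ Check = 'A domain controller answers ping'; OK = ($reachable.Count -gt 0); Detail = ($reachable -join ', ') }

    return $checks
}

Test-AdInstallPrereqs -DomainName 'corp.example.com' | Format-Table -AutoSize
```

A failed third check with a passing second one is the classic symptom of a DNS server that resolves names but was never given the SRV registrations, which is exactly what Dcpromo later complains about.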
Backup and Restore Facts When you reboot after restoring, Active Directory replication replicates changes. Items restored non-authoritatively will be overwritten during replication. Use an authoritative restore to restore deleted objects. Objects will be replicated back to other domain controllers on the network. Use a nonauthoritative restore to get the DC back online. Items will replicate from other DCs after the restored DC goes back online. Active Directory data is restored by restoring the System State data. You cannot selectively restore Active Directory objects from the backup media. To restore objects that were added to deleted OUs, move the objects from the LostAndFound container. No restore of objects is necessary. Make sure you perform backups more often than the tombstone lifetime setting in Active Directory. For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least every 9 days. If your backup interval is larger than the tombstone lifetime, your Active Directory backup can be viewed as expired by the system.
Microsoft gives the following as the best practice procedure for restoring Active Directory from backup media: 1. Reboot into Active Directory restore mode. Log in using the password you specified during setup (not a domain account). 2. Restore the System State data from backup to its original and to an alternate location. 3. Run Ntdsutil to mark the entire Active Directory database (if you're restoring the entire database) or specific Active Directory objects (if you're only restoring selected Active Directory objects) as authoritative. 4. Reboot normally. 5. Restore Sysvol contents by copying the Sysvol directory from the alternate location to the original location to overwrite the existing Sysvol directory (if you're restoring the entire database). Or, copy the policy folders (identified by GUID) from the alternate location to the original location to overwrite the existing policy folders.
You should know the following facts about Sysvol restoration:
o Sysvol is the shared system volume on all domain controllers. Sysvol stores scripts and Group Policy objects for the local domain and the network.
o The default location for Sysvol is %Systemroot%\Sysvol.
o To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from an alternate location over the existing Sysvol directory. Or, copy the Sysvol policy folders from the alternate location over the original location. (This maintains the integrity of the Group Policy of the computer.)
Security Facts
o A security principal is an account holder who has a security identifier.
o The Active Directory Migration Tool allows you to move objects between domains. Objects moved to a new domain get a new SID.
o The Active Directory Migration Tool creates a SID history. The SID history allows an object moved to a new domain to keep its original SID.
You should know the following information pertaining to identifiers:
Identifier   Description
GUID         Globally Unique Identifier. 128-bit number guaranteed to be unique across the network. Assigned to objects when they are created. An object's GUID never changes (even if the object is renamed or moved).
SID          Security Identifier. Unique number assigned when an account is created. Every account is given a unique SID. The system uses the SID to track the account rather than the account's user or group name. A deleted account that is recreated will be given a different SID. The SID is composed of the domain SID and a unique RID.
RID          Relative Identifier. Unique among all the SIDs in a domain. Handed out by the RID master.
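As an added example (not part of the study notes), the following Python splits a SID string into the domain SID and RID the table describes and checks whether two accounts belong to the same domain. The sample SID values used with it are constructed, not real accounts; the sub-1000 cutoff for well-known RIDs is the Windows convention and is stated here from outside the notes.

```python
# Added example, not from the study notes: decompose NT SIDs as the table describes.
# Sample SID values used with this code are constructed, not real accounts.
import re
from typing import NamedTuple, Optional, Tuple

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


class ParsedSid(NamedTuple):
    authority: int
    sub_authorities: Tuple[int, ...]
    domain_sid: Optional[str]   # None for SIDs that have no domain part
    rid: Optional[int]          # final sub-authority, the relative identifier


def parse_sid(sid: str) -> ParsedSid:
    """Parse 'S-1-<authority>-<sub>...' into its parts.

    For a domain account SID the domain SID is everything except the last
    sub-authority; that last value is the RID the account got from a pool the
    RID master allocated to the creating DC. A SID with a single sub-authority
    (e.g. S-1-5-18, Local System) has no domain part.
    """
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    authority = int(m.group(1))
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    if len(subs) < 2:
        return ParsedSid(authority, subs, None, subs[0])
    domain = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return ParsedSid(authority, subs, domain, subs[-1])


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two account SIDs carry the same domain SID prefix."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a.domain_sid is not None and a.domain_sid == b.domain_sid


def is_well_known_rid(sid: str) -> bool:
    """RIDs below 1000 are reserved for built-in principals (500 Administrator,
    512 Domain Admins, ...); objects created later draw RIDs from 1000 upward."""
    rid = parse_sid(sid).rid
    return rid is not None and rid < 1000
```

A recreated account gets a new RID and therefore a new SID, which is why ACLs that named the old SID no longer match it; comparing domain prefixes this way is a quick check that two SIDs were issued by the same domain.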
Group Facts
Active Directory defines three group scopes. The scope determines the domains on the network from which you can assign members to the group, where the group's permissions are valid, and which groups you can nest.
Scope                Description
Global groups        Used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest.
Domain local groups  Used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its own domain. Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides.
Universal groups     Used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal (security) groups are available only at the Windows 2000 Native or Windows Server 2003 domain functional level.
Group Strategy Facts
To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. Remember the following when assigning members to groups:
o Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).
o The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)
o Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.
The following table shows the three basic recommended approaches to managing users, groups, and permissions (columns: Strategy, Use, Description, Application).
ALP
  Use: Used on workstations and member servers.
  Description: A: Place user Accounts. L: Into Local groups. P: Assign Permissions to the local groups.
  Application: Best used in a workgroup environment, not in a domain.
AGDLP
  Use: Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
  Description: A: Place user Accounts. G: Into Global groups. DL: Into Domain Local groups. P: Assign Permissions to domain local groups.
  Application:
  1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
  2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
  3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
  4. Assign permissions to the resources to the domain local group.
AGUDLP
  Use: Used in native mode domains, when you need to grant access to similar groups defined in multiple domains.
  Description: A: Place user Accounts. G: Into Global groups. U: Into Universal groups. DL: Into Domain Local groups. P: Assign Permissions to domain local groups.
  Application: Universal groups should be used when there is more than one domain, and you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
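The scope rules from the Group Facts table and the AGDLP / AGUDLP chains above can be checked mechanically before a nesting change is made. The Python below is an added example, not code from the study notes; the domain and group names it uses are constructed, and the rule that a machine-local group may hold domain users and groups is the one used for the ALP case on a domain member.

```python
# Added example, not from the study notes: check group nesting against the
# scope rules in the Group Facts table and name the strategy a chain follows.
# Domain and group names used with this code are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str     # "user", "computer", "global", "domain_local", "universal" or "local"


# For each group scope: which member kinds it may contain, and whether they may
# come from any domain in the forest ("any") or only the group's own domain ("same").
_MEMBERSHIP_RULES = {
    "global": {"user": "same", "computer": "same", "global": "same"},
    "domain_local": {"user": "any", "computer": "any", "global": "any",
                     "universal": "any", "domain_local": "same"},
    "universal": {"user": "any", "computer": "any", "global": "any", "universal": "any"},
    # machine-local group on a workstation or member server (the L in ALP)
    "local": {"user": "any", "computer": "any", "global": "any", "universal": "any"},
}


def can_be_member(member, group):
    """True if `member` may be added to `group` under the scope rules."""
    rule = _MEMBERSHIP_RULES[group.kind].get(member.kind)
    if rule is None:
        return False
    return rule == "any" or member.domain == group.domain


def first_invalid_link(chain):
    """chain lists principals from the account up to the group that receives the
    permission, e.g. [user, global, domain_local]. Returns the first
    (member, group) pair the scope rules reject, or None if every link is valid."""
    for member, group in zip(chain, chain[1:]):
        if not can_be_member(member, group):
            return member.name, group.name
    return None


def strategy_name(chain):
    """Name the strategy a chain follows: ALP, AGDLP or AGUDLP."""
    letters = {"user": "A", "computer": "A", "global": "G", "universal": "U",
               "domain_local": "DL", "local": "L"}
    return "".join(letters[p.kind] for p in chain) + "P"
```

Running the check on a proposed change before applying it catches the common mistake of nesting a global group from one domain into a global group of another, which the directory would refuse anyway but only after the change has been attempted.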
Designing Active Directory for Delegation
You should structure the OUs and user account location based on administrative needs. When you delegate control of an OU, you assign a user or group the permissions necessary to administer Active Directory functions according to their needs. In a small organization, you may have a single administrative group to manage the Active Directory objects. In larger organizations, you may have OUs for several departments. In this case, you could delegate control to a user or group within each OU. Use the Delegation of Control wizard in Active Directory Users and Computers to delegate control. You can verify permissions delegation in two ways:
o Select the Security tab in the container's Properties dialog box.
o Open the Advanced Security Settings dialog box for the container.
Planning Guidelines
To begin planning a forest, you must decide how many forests you need. You may need more than one forest because of the physical structure of the company, business unit autonomy, schema differences, or trust limitations. Multiple forests require more administration. Additional administrative difficulties include:
o Schema consistency.
o Global catalog placement.
o Trust configuration.
o Resource access.
Every time you add a domain, you add administrative and hardware costs. You should consider multiple domains if you need to:
o Configure separate security policies.
o Separate administration.
o Control replication traffic.
o Support Windows NT.
o Create distinct name spaces.
o Configure password policies.
Create OUs for the following reasons:
o Administrative purposes.
o Corporate policies.
o Administering Group Policies.
Trust Types
The following table shows the types of trusts you can create in Active Directory.
Trust Type     Characteristics and Uses
Tree root      Automatically established between two trees in the same forest. Trusts are transitive and two-way.
Parent/child   Automatically created between child and parent domains. Trusts are transitive and two-way.
Shortcut       Manually created between two domains in the same forest. Trusts are transitive, and can be either one-way or two-way. Create a shortcut trust to reduce the amount of Kerberos authentication traffic on the network.
External       Manually created between domains in different forests. Typically used to create trusts between Active Directory and NT 4.0 domains. Trusts are not transitive, and can be either one-way or two-way.
Forest root    Manually created between the root domains of two forests. Transitive within the two forests. Can be either one-way or two-way.
Realm          Manually created between Active Directory and non-Windows Kerberos realms.
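The transitivity column of this table and the direction rules in the paragraph that follows it (trust flows trusting to trusted, access flows the other way) are easy to get backwards. The Python below is an added example, not part of the study notes: it models a set of trusts as a directed graph and answers "can users from domain X be granted access in domain Y". The domain names are constructed, and selective authentication and SID filtering are outside the model.

```python
# Added example, not from the study notes: a model of trust direction and
# transitivity as described in the trust table and the paragraph on direction.
# Domain names are constructed; selective authentication and SID filtering
# are outside this model.
from collections import deque


class TrustGraph:
    def __init__(self):
        self._edges = {}      # trusting domain -> [(trusted domain, transitive)]

    def add_trust(self, trusting, trusted, transitive=True, two_way=False):
        """Record that `trusting` trusts `trusted`; the arrow points from the
        trusting to the trusted domain. A two-way trust is two one-way trusts."""
        self._edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self._edges.setdefault(trusted, []).append((trusting, transitive))

    def trusts(self, trusting, trusted):
        """True if `trusting` trusts `trusted` directly or via a chain of
        transitive trusts. A non-transitive trust (external) only counts as a
        direct hop from the trusting domain itself; it cannot be chained."""
        if trusting == trusted:
            return True
        queue, seen = deque([trusting]), {trusting}
        while queue:
            here = queue.popleft()
            for nxt, transitive in self._edges.get(here, []):
                if nxt == trusted and (transitive or here == trusting):
                    return True
                if transitive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def can_access(self, user_domain, resource_domain):
        """Access flows opposite to trust: users of the trusted domain can be
        granted access to resources in the trusting domain."""
        return self.trusts(resource_domain, user_domain)


def example_forest():
    """Constructed layout: a parent with two child domains, a shortcut trust
    between the children, and a one-way external trust to a partner domain."""
    g = TrustGraph()
    g.add_trust("corp.example", "eu.corp.example", two_way=True)        # parent/child
    g.add_trust("corp.example", "asia.corp.example", two_way=True)      # parent/child
    g.add_trust("eu.corp.example", "asia.corp.example", two_way=True)   # shortcut
    g.add_trust("corp.example", "partner.example", transitive=False)    # external, one-way
    return g
```

The last case in the test is the one worth remembering: the external trust lets partner accounts be granted access in corp.example only, not in the child domains, because a non-transitive trust never extends past its two partners.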
Trusts have a direction that indicates which way trust flows in the relationship. The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B. Domain A is the trusting domain, and Domain B is the trusted domain. Resource access is granted opposite to the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A (remember that users in the trusted domain have access to resources in the trusting domain). A two-way trust is the same as two one-way trusts in opposite directions.
Functional Level Types
The table below shows the domain functional levels.
Domain Functional Level   Domain Controller Operating Systems   Features
2000 Mixed                NT, 2000, 2003                        Universal groups are available for distribution groups. Group nesting is available for distribution groups.
2000 Native               2000, 2003                            Universal groups are available for security and distribution groups. Group nesting. Group converting (allows conversion between security and distribution groups). SID history (allows security principals to be migrated among domains while maintaining permissions and group memberships).
2003                      2003                                  All features of 2000 Native domains. Domain controller rename. Update logon time stamp. User password on InetOrgPerson object.
Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.
Forest Functional Level   Domain Functional Level     Features
2000                      2000 Mixed or 2000 Native   Global catalog replication improvements are available if both replication partners are running Windows Server 2003.
2003                      2003                        Global catalog replication improvements. Defunct schema objects. Forest trusts. Linked value replication. Domain rename. Improved AD replication algorithms. Dynamic auxiliary classes. InetOrgPerson objectClass change.
Operation Master Types
The following table lists the operation masters at the domain and forest levels. Only one domain controller in the domain or forest performs each role.
Operation Master        Function and Characteristics
RID Master              Ensures domain-wide unique relative IDs (RIDs). One domain controller in each domain performs this role. The RID master allocates pools of IDs to each domain controller. When a DC has used all the IDs in its pool, it gets a new pool of IDs.
PDC Emulator            Emulates a Windows NT 4.0 primary domain controller (PDC). Replicates password changes within a domain. Ensures synchronized time within the domain (and between domains in the forest). One domain controller in each domain performs this role.
Infrastructure Master   Tracks moves and renames of objects. Updates group membership changes. One domain controller in each domain performs this role.
Domain Naming Master    Ensures that domain names are unique. Must be accessible to add or remove a domain from the forest. One domain controller in the forest performs this role.
Schema Master           Maintains the Active Directory schema for the forest. One domain controller in the forest performs this role.
You should know the following facts about operation master roles:
o Operation master role servers are also called flexible single master operation (FSMO) servers. These are domain controllers that perform specific operations on the network.
o By default, the first domain controller in the forest holds all operation masters. When you create a new domain, the first domain controller holds the three domain operation masters (RID master, PDC emulator, infrastructure master).
o Use Active Directory Users and Computers to transfer the RID master, PDC emulator, and infrastructure master. Use Active Directory Domains and Trusts to transfer the domain naming master. Use the Active Directory Schema snap-in to transfer the schema master.
o Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in to make it available for adding to a custom console.
o Before transferring any role, you must connect to the domain controller that will receive the transferred role.
o To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
o With a few exceptions, the infrastructure master should not be located on a global catalog server.
Troubleshooting Operation Masters
The following table lists several problems that can be attributed to inaccessible or failed operation masters.
If you have this problem...                                                            Check this operations master...
Unable to add Active Directory objects (either from one or many domain controllers).   RID master
Unable to move or rename an object.                                                    Infrastructure master
Group membership information is not updated between domain controllers.               Infrastructure master
Cannot add or remove a domain.                                                         Domain naming master
Non-Windows 2000/XP/2003 clients cannot authenticate.                                  PDC master
Password changes are not updated.                                                      PDC master
Normally, you should transfer roles to other servers only if the server holding the original role is available. If the server holding the master has failed, you will need to seize the role (forcefully move the role to another server). Before seizing an operations master role, use the Repadmin tool to make sure the domain controller that is seizing the role is fully up-to-date with the updates on the former role owner. Use the Ntdsutil tool to seize the role:
o Enter ntdsutil at the command line.
o Enter roles.
o Enter connections.
o Enter connect to server [fully qualified domain name of the server].
o Enter quit.
o At the FSMO prompt, enter seize [master role name].
o Enter quit to exit.
After seizing the role, do not bring the old server back online. If you repair the server, use Dcpromo to first remove Active Directory. Then bring it back online, install Active Directory, and transfer the role back if desired.
Managing the Schema
You should know the following facts about schema management:
o The schema is the database of object classes and attributes that can be stored in Active Directory. Each object definition in the schema is stored as an object itself, so Active Directory can manage these definitions just as it does other objects.
o The schema includes definitions for classes and attributes (the definitions are also called metadata).
o Extending the schema allows Active Directory to recognize new attributes and classes. Adding a component like Microsoft Exchange requires the Active Directory schema to be extended.
o Only a member of the Schema Admins group has permission to modify or extend the schema.
o To perform schema management tasks, use the Active Directory Schema snap-in.
Default Active Directory Objects
When you install Active Directory, several objects and containers are automatically created. The following table lists the default containers and their contents.
Container                  Contents
Builtin                    Built-in domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.
Computers                  All computers joined to the domain without a computer account.
Domain Controllers*        All domain controllers. This OU cannot be deleted.
ForeignSecurityPrincipals  Proxy objects for security principals in NT 4.0 domains or domains outside of the forest.
LostAndFound**             Objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller. Administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
NTDS Quotas**              Objects that contain limits on the number of objects users and groups can own.
Program Data**             Application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
System**                   Configuration information about the domain including security groups and permissions, the domain SYSVOL share, Dfs configuration information, and IP security policies.
Users                      Built-in user and group accounts. Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
*Be aware that the Domain Controllers OU is the only default organizational unit object. All other default containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
**By default, these containers are hidden in Active Directory Users and Computers. To view these containers, click View/Advanced Features from the menu.
Object Management Tasks and Tools
o The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets you migrate users and other objects between domains. The tool requires that the source domain trust the target domain. You can use the ADMT to retain an object's SID.
o Moving an object within a domain retains its permissions. Deleting the object deletes existing permissions. You should rename or move an object rather than delete and recreate it.
o The Ldp utility allows you to search for and view the properties of multiple Active Directory objects.
o If a computer that does not have an account is joined to the domain, a computer object is created by default in the built-in Computers container.
o Use the Dsadd command to add an OU object to Active Directory from the command line. The easiest way to create a single OU in Active Directory is to use the Active Directory Users and Computers snap-in in the MMC.
o To view the LostAndFound folder, select Advanced Features from the View menu in the Active Directory Users and Computers snap-in. The LostAndFound folder is used when, for example, a container is deleted on one replica, but objects are added or moved beneath the same container on another replica. In this case, the objects added or moved under the deleted container are stored in the LostAndFound container.
Group Policy Facts
Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects). You should know the following Group Policy facts:
o GPOs contain hundreds of configuration settings.
o GPOs can be linked to Active Directory sites, domains, or organizational units (OUs).
o GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
o A GPO only affects the users and computers beneath the object to which the GPO is linked.
o Group policy settings take precedence over user profile settings.
o A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
o GPOs are applied in the following order: 1. Local 2. Site 3. Domain 4. OU. If GPOs conflict, the last GPO to be applied overrides conflicting settings.
o The Computers container is not an OU, so it cannot have a GPO applied to it.
o Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
You can use a GPO for folder redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.) Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.
Refreshing Group Policy
o By default, Computer Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 5 minutes on domain controllers and every 90 minutes (plus a random offset between 0 and 30 minutes) on other computers.
o By default, User Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 90 minutes (plus a random offset between 0 and 30 minutes).
o You can modify refresh rates by editing the properties of the following settings in Group Policy:
  o Group Policy refresh interval for computers.
  o Group Policy refresh interval for Domain Controllers.
  o Group Policy refresh interval for users.
o Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstall software or move files while users are using their computers.
To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch             Function
(no switch)        Refresh user- and computer-related group policy.
/target:user       Refresh user-related group policy.
/target:computer   Refresh computer-related group policy.
Editing GPO Facts
Group Policy Object Editor has two nodes:
o Computer Configuration to set Group Policies for computers.
o User Configuration to set Group Policies for users.
You can extend each node's capabilities by using snap-ins. Use an Administrative Template file (.adm) to extend the registry settings available in the Group Policy Editor. Use the Software Settings node to automate installation, update, repair, and removal of software for users or computers. The Windows Settings node automates tasks that occur during startup, shutdown, logon, or logoff. Security Settings allow administrators to set security levels assigned to a local or non-local GPO.
Controlling GPO Application
You should know the following about controlling GPO application:
o All GPOs directly linked to or inherited by a site, domain, or OU apply to all users and computers within that container that have Apply Group Policy and Read permissions.
o By default, each GPO you create grants the Authenticated Users group (basically all network users) Apply Group Policy and Read permissions.
o To apply settings to computers, configure the Computer Configuration node of a GPO.
Edit Permissions
You can control the application of GPOs by editing the permissions in the GPO access control list (ACL). (When you deny an object the required permissions to a GPO, the object will not receive the GPO.)
o To deny access to a GPO, add the user, group, or computer to the GPO permissions and deny the Apply Group Policy and Read permissions.
o To apply a GPO to specific users, groups, or computers, remove the Authenticated Users group from the GPO permissions. Add the specific user, group, or computer and grant the Apply Group Policy and Read permissions.
Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent objects. To block GPO inheritance:
1. Click the Group Policy tab for the domain or OU for which you want to block GPO inheritance.
2. Select the Block Policy inheritance check box.
You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or OU (along with all the containers and objects beneath them) from inheriting GPOs.
No Override
You should know the following facts about the No Override option:
o The No Override option prevents a GPO from being overridden by another GPO.
o When No Override is set on more than one GPO, the GPO highest in the Active Directory hierarchy takes precedence.
o No Override cannot be set on a local GPO.
WMI Filtering
You should know the following facts about WMI filtering:
o You can use WMI queries to filter the scope of GPOs.
o WMI filtering is similar to using security groups to filter the scope of GPOs.
o WMI queries are written in WMI Query Language (WQL).
Loopback Processing
By default, Group Policy applies Computer Configuration GPOs during startup and User Configuration GPOs during logon. User Configuration settings take precedence in the event of a conflict. You can control how Group Policy is applied by enabling loopback processing. Following are some circumstances when you might use loopback processing:
o If you want Computer Configuration settings to take precedence over User Configuration settings.
o If you want to prevent User Configuration settings from being applied.
o If you want to apply User Configuration settings for the computer, regardless of the location of the user account in Active Directory.
Loopback processing is typically used to apply User Configuration settings to special computers located in public locations, such as kiosks and public Internet stations. Keep in mind the following about how loopback processing works:
o Loopback processing runs in Merge or Replace mode.
o Merge mode gathers the User Configuration settings of the GPOs that apply to the computer and appends them to the user's own User Configuration GPOs when the user logs on.
o Replace mode prevents the user's own User Configuration GPOs from being applied.
To enable loopback processing:
1. Create or edit a GPO to distribute to computers on which you want to enable loopback processing mode.
2. Choose Group Policy from the System node of Administrative Templates in Computer Configuration.
3. Right-click User Group Policy loopback processing mode and click Properties.
4. Click Enabled.
5. Choose Merge mode or Replace mode.
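The application order (Local, Site, Domain, OU), Block Policy inheritance, No Override and the two loopback modes described in the preceding sections interact in ways that are hard to predict by hand. The Python below is an added example, not code from the study notes or from Windows: it models those rules over a constructed kiosk scenario. Two modelling assumptions are stated in the comments: each container's GPO list is in application order (the last entry wins a conflict), and the local GPO is never blocked.

```python
# Added example, not from the study notes: a model of how Group Policy settings
# are resolved from the Local/Site/Domain/OU chain with Block Policy inheritance,
# No Override and loopback processing. Container and GPO names are constructed.
# Assumptions of the model: each container's GPO list is in application order
# (last in the list wins a conflict), and the local GPO is never blocked.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    no_override: bool = False                      # No Override set on the link


@dataclass
class Container:
    name: str                                      # "Local", "Site:HQ", "Domain:corp", "OU:Kiosks"
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False                # Block Policy inheritance checked here


def ordered_gpos(chain):
    """chain is [local, site, domain, ou, ...] from the top of the hierarchy down.

    Returns GPOs in the order they take effect; a later GPO overrides an earlier
    one. Non-enforced GPOs linked above a container that blocks inheritance are
    dropped. No Override GPOs are applied after everything else, deepest first,
    so the one highest in the hierarchy is applied last and wins.
    """
    block_level = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append((level, gpo))
            elif block_level is not None and 0 < level < block_level:
                continue                            # blocked by a lower container
            else:
                normal.append((level, gpo))
    enforced.sort(key=lambda lg: -lg[0])
    return [g for _, g in normal] + [g for _, g in enforced]


def _merge(gpos, section):
    result = {}
    for gpo in gpos:
        result.update(getattr(gpo, section))
    return result


def resultant_set(computer_chain, user_chain, loopback=None):
    """Return (computer_settings, user_settings).

    loopback=None      user settings come from the user's own container chain
    loopback="merge"   the computer chain's User Configuration is appended, so
                       it wins conflicts with the user's own chain
    loopback="replace" only the computer chain's User Configuration applies
    """
    comp_gpos = ordered_gpos(computer_chain)
    if loopback == "replace":
        user_gpos = comp_gpos
    elif loopback == "merge":
        user_gpos = ordered_gpos(user_chain) + comp_gpos
    else:
        user_gpos = ordered_gpos(user_chain)
    return _merge(comp_gpos, "computer"), _merge(user_gpos, "user")


def kiosk_example():
    """Constructed scenario: a kiosk computer in an OU that blocks inheritance,
    logged on to by a user from the Staff OU. Returns results per loopback mode."""
    local = Container("Local", [GPO("LocalGPO", user={"wallpaper": "local"})])
    site = Container("Site:HQ", [GPO("SiteTime", computer={"time_server": "hq-dc1"})])
    domain = Container("Domain:corp", [
        GPO("DomainSec", computer={"min_pw_len": 8}, no_override=True),
        GPO("DomainDesktop", user={"wallpaper": "corp"}),
    ])
    kiosks = Container("OU:Kiosks", [GPO("KioskLock", computer={"min_pw_len": 4},
                                         user={"wallpaper": "kiosk", "run_dialog": "deny"})],
                       block_inheritance=True)
    staff = Container("OU:Staff", [GPO("StaffGPO", user={"wallpaper": "staff"})])
    computer_chain = [local, site, domain, kiosks]
    user_chain = [local, site, domain, staff]
    return {mode: resultant_set(computer_chain, user_chain, mode)
            for mode in (None, "merge", "replace")}
```

In the scenario the site GPO never reaches the kiosk (blocked), the domain's No Override GPO still wins against the kiosk OU's weaker password length, and only with loopback enabled does the kiosk lockdown apply to a staff user; without it the user's own OU decides.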
Group Policy Tools
You should be familiar with the use of the following Group Policy tools:
Gpresult
Gpresult is a command line tool that allows you to examine the policy settings of specific users and computers. Start Gpresult by entering Gpresult at the command line (use the /? switch for syntax help). Gpresult can show the following:
o Last application of Group Policy and the domain controller from which policy was applied.
o Detailed list of the applied GPOs.
o Detailed list of applied Registry settings.
o Details of redirected folders.
o Software management information, like information about assigned and published software.
RSoP
RSoP (Resultant Set of Policy) is the accumulated result of the group policies applied to a user or computer. You should know the following facts about RSoP:
o The RSoP wizard reports on how GPO settings affect users and computers. The wizard runs in two modes: logging and planning.
o The RSoP wizard logging mode reports on existing group policies applied against computers or users.
o The RSoP wizard planning mode simulates the effects policies would have if applied to computers or users.
RSoP Access
You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways:
o Install the RSoP wizard as an MMC snap-in.
o Use the Start > Run sequence and run Rsop.msc.
o Select an object in Active Directory Users and Computers and select Resultant Set of Policy (in planning or logging mode) from the All Tasks menu.
Delegation Facts
You should know the following facts about delegating control of group policies:
o Decentralized administrative delegation means that administration is delegated to OU-level administrators. In decentralized administrative delegation, assign full-control permission for GPOs to the OU administrators.
o Centralized administrators only delegate full-control permissions to top-level OU administrators. Those administrators are responsible for everything downward.
o In task-based delegation, administration of specific group policies is delegated to administrators who handle specific tasks. For example, security administrators would get full control of security GPOs, and application administrators would get full control of application GPOs.
Software Distribution Facts
You should be familiar with the following software distribution facts:
o When you configure the option Uninstall this application when it falls out of the scope of management on a user-assigned software application installed through a GPO, you force the software to uninstall automatically when an account is moved out of the OU to which the GPO was applied.
o There are two default settings for software restriction policies: Unrestricted and Disallowed.
  o Unrestricted allows software to run according to the rights of the user who is accessing the software.
  o Disallowed does not allow software to run regardless of the logged-on user's rights.
o If the default restriction level is Disallowed, then no software will be able to run unless there is an additional rule configured that explicitly makes the software unrestricted.
o The Always wait for the network at computer startup and logon GPO setting forces a computer to wait for the network to fully initialize before attempting to refresh Group Policy settings.
o The source path to the location of an MSI file must always be a UNC path: \\servername\sharename\filename. To fix the source path for an existing software package you need to delete and recreate the package.
o In order for users to run installation files from the software distribution point, they need to have Read and Execute permissions.
Use software restriction policies to prevent users from running specific software. Configure rules to select the method Windows uses to identify unique software packages.
Restriction Option   Characteristic
Certificate Rule     A certificate rule uses the software application's certificate. Windows locates the certificate of the software to identify allowed or restricted software.
Hash Rule            When you create a hash rule, Windows performs a hashing function on the executable file. When users try to run software, Windows compares the hash value of the executable with the hash value stored in group policy. Use a hash rule to restrict software regardless of its location.
Internet Zone Rule   The Internet Zone rule uses Internet Explorer zones to identify software based on zones.
Path Rule            With a path rule, Windows identifies restricted or allowed software by path and name. However, the same executable file in a different location will not be governed by the rule.
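The difference between the four rule types and the Disallowed default is clearest when the same bytes are evaluated at different paths. The Python below is an added example, not code from the study notes or from Windows: a model of rule evaluation over constructed executable bytes and paths. The most-specific-first order (hash, certificate, path, zone, then the default level) is how Windows evaluates software restriction rules and is stated from outside the notes; SHA-256 stands in for the MD5/SHA-1 hashes the 2003-era policy used.

```python
# Added example, not from the study notes: a model of software restriction
# policy rule evaluation. Executable bytes and paths used with it are constructed.
import hashlib

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


def _norm(path):
    return path.lower().replace("/", "\\").rstrip("\\")


class SoftwareRestrictionPolicy:
    """Rules are consulted from most to least specific: hash, certificate, path,
    Internet zone, then the default level (that precedence is how Windows
    evaluates SRP rules; it is not stated in the notes). Windows SRP hashed with
    MD5/SHA-1; SHA-256 is used in this model."""

    def __init__(self, default_level):
        self.default_level = default_level
        self.hash_rules = {}       # sha256 hex digest -> level
        self.cert_rules = {}       # publisher name -> level
        self.path_rules = []       # (normalised path, level)
        self.zone_rules = {}       # zone name -> level

    @staticmethod
    def file_hash(data):
        return hashlib.sha256(data).hexdigest()

    def add_hash_rule(self, data, level):
        self.hash_rules[self.file_hash(data)] = level

    def add_certificate_rule(self, publisher, level):
        self.cert_rules[publisher] = level

    def add_path_rule(self, path, level):
        self.path_rules.append((_norm(path), level))

    def add_zone_rule(self, zone, level):
        self.zone_rules[zone] = level

    def _path_match(self, path):
        """A path rule matches the named file or folder and anything beneath a
        folder; the most specific (longest) matching rule wins."""
        p = _norm(path)
        hits = [(len(rule), lvl) for rule, lvl in self.path_rules
                if p == rule or p.startswith(rule + "\\")]
        return max(hits)[1] if hits else None

    def evaluate(self, path, data, publisher=None, zone=None):
        """Return the level that governs running `data` located at `path`."""
        h = self.file_hash(data)
        if h in self.hash_rules:
            return self.hash_rules[h]             # follows the file wherever it is
        if publisher is not None and publisher in self.cert_rules:
            return self.cert_rules[publisher]
        level = self._path_match(path)
        if level is not None:
            return level                          # same bytes elsewhere are not covered
        if zone is not None and zone in self.zone_rules:
            return self.zone_rules[zone]
        return self.default_level
```

The path rule in the test allows anything under the approved folder, so a file copied there would run; the hash rule for the known-bad sample still blocks it there, which is the "regardless of its location" property the table attributes to hash rules.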
Administrative Template Facts
You should be familiar with the following facts about Administrative Templates:
o Computer Configuration and User Configuration each have the following three nodes:
  o Windows Components: Use to administer Windows Server 2003 components. The Computer Configuration node has settings for IIS. The User Configuration node has settings for Internet Explorer.
  o System: Use to administer the functionality of the Windows Server 2003 OS.
  o Network: Use to control the functionality of the network.
o In the Computer Configuration node, Administrative Templates contains a Print node for printer administration.
o In the User Configuration node, Administrative Templates contains nodes for administering the Start menu, Taskbar, Desktop, Control Panel, and shared folders.
Folder Redirection Facts
You should know the following facts about folder redirection:
o To put user profile data back on the local system, make sure the GPO is enabled and select the Redirect to the local userprofile location option.
o Folder redirection works best by distributing a Group Policy, but you can redirect folders manually on the local system by modifying the folder's properties (not through a local GPO, though).
o The following folders can be redirected:
  o My Documents
  o Application Data
  o Start Menu
  o My Pictures
  o Desktop
o Redirected folders are made available offline automatically.
Logon Facts
You should know the following facts about managing logon:
o Password policies are only effective in GPOs applied to the domain. To create different password policies, you must create additional domains.
o Each forest has a single alternate user principal name (UPN) suffix list that you can edit from the properties of the Active Directory Domains and Trusts node. After adding an alternate UPN suffix, you can configure all user accounts to use the same UPN suffix, thus simplifying user logon for users in all domains in the forest.
You should be familiar with the following password and account lockout policy settings:
Setting: Description
Enforce password history: Keeps a history of user passwords (up to 24) so that users cannot reuse passwords.
Minimum password length: Configures how many characters a valid password must have.
Minimum password age: Forces the user to keep a new password for the length of time you determine before changing it again.
Password must meet complexity requirements: Determines that user passwords cannot contain the user name, the user's real name, the company name, or a complete dictionary word. The password must also contain multiple types of characters, such as upper- and lowercase letters, numbers, and symbols.
Maximum password age: Forces the user to change passwords at whatever time interval you determine.
Account lockout threshold: Configures how many incorrect passwords can be entered before the account is locked out.
Account lockout duration: Identifies how long an account stays locked out once it has been locked. A value of 0 indicates that an administrator must manually unlock the account. Any other number is the number of minutes before the account is automatically unlocked.
Reset account lockout counter after: Specifies the length of time that must pass after a failed logon attempt before the counter resets to zero.
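The three lockout settings interact in ways the table cannot show: the threshold counts failures, the reset window quietly clears that count, and the duration (or a 0 meaning "admin must unlock") decides when a lock ends. The following is an added example, not part of the original notes: a small Python model that replays a constructed timeline of failed and successful logons against a policy. The policy values, timestamps and account events are all made up for illustration.

```python
"""Account lockout policy walk-through (added example, not from the original notes).

Models the three lockout settings from the table above:
  threshold        - Account lockout threshold (0 = never lock out)
  duration_minutes - Account lockout duration (0 = administrator must unlock)
  reset_minutes    - Reset account lockout counter after
All timestamps and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int
    duration_minutes: int
    reset_minutes: int


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def is_locked(self, policy: LockoutPolicy, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if policy.duration_minutes == 0:
            return True  # a duration of 0 never expires on its own
        return now < self.locked_at + timedelta(minutes=policy.duration_minutes)


def record_failure(state: AccountState, policy: LockoutPolicy, now: datetime) -> str:
    """Apply one bad-password attempt; returns 'locked' or 'counted'."""
    if state.is_locked(policy, now):
        return "locked"
    if state.locked_at is not None:
        # The lock has expired: clear it and start counting afresh
        state.locked_at = None
        state.bad_count = 0
    if state.last_bad is not None and now - state.last_bad >= timedelta(minutes=policy.reset_minutes):
        # Quiet for at least the reset window: the counter goes back to zero
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "counted"


def record_success(state: AccountState, policy: LockoutPolicy, now: datetime) -> str:
    """Apply a correct password; it is refused while the account is locked."""
    if state.is_locked(policy, now):
        return "locked"
    state.bad_count, state.last_bad, state.locked_at = 0, None, None
    return "ok"


def admin_unlock(state: AccountState) -> str:
    state.bad_count, state.last_bad, state.locked_at = 0, None, None
    return "unlocked"


def simulate(policy: LockoutPolicy, events: List[Tuple[datetime, str]]) -> List[str]:
    """Replay (time, 'fail'|'ok'|'unlock') events and return one outcome per event."""
    state = AccountState()
    handlers = {
        "fail": lambda t: record_failure(state, policy, t),
        "ok": lambda t: record_success(state, policy, t),
        "unlock": lambda t: admin_unlock(state),
    }
    return [handlers[kind](when) for when, kind in events]


# Constructed timeline start
T0 = datetime(2009, 3, 1, 8, 0)


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


def sample_run() -> List[str]:
    """Threshold 3, 30-minute lockout, 10-minute reset window."""
    policy = LockoutPolicy(threshold=3, duration_minutes=30, reset_minutes=10)
    events = [
        (minutes_after(0), "fail"),   # counted (1)
        (minutes_after(5), "fail"),   # counted (2)
        (minutes_after(20), "fail"),  # 15 quiet minutes: counter reset, counted (1)
        (minutes_after(21), "fail"),  # counted (2)
        (minutes_after(22), "fail"),  # third strike: locked
        (minutes_after(23), "ok"),    # correct password, still locked
        (minutes_after(52), "fail"),  # 30-minute lock has expired: counted (1)
    ]
    return simulate(policy, events)


if __name__ == "__main__":
    for outcome in sample_run():
        print(outcome)
```

The seventh event is the one worth noticing: the correct password at minute 23 is refused, but a wrong password at minute 52, once the duration has elapsed, is merely counted again, so a persistent guesser is never permanently excluded unless the duration is 0.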
Automatic Certificate Enrollment Facts
You should know the following facts about using Group Policy to configure automatic certificate enrollment:
Before you can add an automatic certificate request, you must have certificate templates configured on your system. Run Certtmpl.msc to install the certificate templates.
For a completely automatic certificate installation, set the Request Handling options of the certificate template to enroll the subject without requiring any user input.
Without the Request Handling option selected, the user will be prompted for input during the certificate enrollment phase. An icon will also appear on the taskbar, which users can click to start the enrollment process.
Managing Sites and Subnets
You should know the following facts about managing sites and subnets:
1. When a client attempts to find a domain controller for authentication, it receives a list of DC IP addresses from DNS.
2. The client sends a query to the DCs to find a good match for authentication.
3. Active Directory receives the query and passes it to Net Logon.
4. Net Logon looks for the client IP address in the subnet-to-site mapping table.
5. If the client IP address isn't found in the subnet-to-site mapping table, the DC returns a NULL site value, and the client authenticates using the returned DC.
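Steps 4 and 5 above are a table lookup with a fallback, and the usual misconfiguration (a client subnet that was never defined) shows up as exactly that NULL site. Here is an added example, not part of the original notes, that performs the lookup in Python over a constructed subnet-to-site table; the subnet ranges, site names and DC names are invented, and in a real forest they would come from the subnet objects in Active Directory Sites and Services. It also shows that when subnet objects overlap, the most specific (longest prefix) one wins.

```python
"""Subnet-to-site lookup as Net Logon performs it during DC location.

Added example (not from the original notes). The subnet and site names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet-to-site mapping table (CIDR -> site name)
SUBNET_TO_SITE: Dict[str, str] = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-West",
    "10.20.5.0/24": "Branch-West-Lab",
    "192.168.100.0/24": "Branch-East",
}


def site_for_address(client_ip: str, table: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site of the most specific subnet containing client_ip.

    When several subnet objects overlap, the longest prefix wins. When no
    subnet matches, the result is None: the NULL site described in step 5.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_site = net, site
    return best_site


def choose_dc(client_ip: str, dcs_from_dns: List[Tuple[str, str]],
              table: Dict[str, str] = SUBNET_TO_SITE) -> Tuple[str, Optional[str]]:
    """Pick a DC for the client from the (dc_name, dc_site) list that DNS returned.

    A DC in the client's own site is preferred. With a NULL site, or when no DC
    in that site is in the list, the client simply uses the first DC returned.
    """
    site = site_for_address(client_ip, table)
    if site is not None:
        for dc_name, dc_site in dcs_from_dns:
            if dc_site == site:
                return dc_name, site
    return dcs_from_dns[0][0], site


if __name__ == "__main__":
    dcs = [("DC1", "HQ"), ("DC2", "Branch-West"), ("DC3", "Branch-East")]
    for ip in ("10.20.5.7", "10.20.9.1", "10.3.3.3", "172.16.0.1"):
        print(ip, choose_dc(ip, dcs))
```

A client coming from 172.16.0.1 in this table authenticates against whichever DC answered first, possibly across a WAN link; adding the missing subnet object is the fix, and checking for NULL-site clients is a cheap health check.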
Replication Facts
You should know the following facts about replication:
Active Directory automatically decides which servers are the bridgehead servers (generally, the first domain controller in the site). To force a specific server to be the bridgehead server, you must manually configure it as the bridgehead server. To designate a preferred bridgehead server, edit the server object properties in Active Directory Sites and Services.
Replication between sites occurs only between the bridgehead servers.
To have different replication settings for different WAN links, you need to configure multiple site links. For complete flexibility, create a site link for each network connection between sites.
The default link cost is 100. A higher cost makes a link less desirable. To force traffic over one link, give it a lower cost; for example, set a lower cost for high-speed links so that traffic is routed over them, and a higher cost for dial-up links that are used only as backup. Costs are additive when multiple links are required between sites.
Use SMTP replication for high-latency links where RPC replication would probably fail.
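The cost rules above (default 100, lower is preferred, costs add up across multiple links) are a shortest-path problem over the site links. The following is an added example, not part of the original notes, that computes the lowest-cost route between two sites in Python with Dijkstra's algorithm. The site links are constructed: two T1 links through HQ and a dial-up link set to a high cost as a backup. It also handles a site link that joins more than two sites (every member pair is reachable at the link's cost) and an unreachable site.

```python
"""Lowest-cost replication route over site links (added example, not from the original notes).

A site link may join any number of sites; every hop across a link costs that
link's cost, and the route with the lowest total is preferred. The links below
are constructed for illustration; 100 is the default cost.
"""
import heapq
from typing import Dict, List, Optional, Set, Tuple

SiteLink = Tuple[str, Set[str], int]  # (link name, member sites, cost)

SITE_LINKS: List[SiteLink] = [
    ("HQ-West-T1", {"HQ", "West"}, 100),
    ("HQ-East-T1", {"HQ", "East"}, 100),
    ("West-East-Dialup", {"West", "East"}, 500),   # backup link, priced to be avoided
    ("East-Remote-T1", {"East", "Remote"}, 100),
    ("Island-Only", {"Island"}, 100),              # a link with one member connects nothing
]


def cheapest_route(src: str, dst: str, links: List[SiteLink] = SITE_LINKS) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over site links; returns (total cost, [sites on the route]) or None if unreachable."""
    adjacency: Dict[str, List[Tuple[int, str]]] = {}
    for _name, members, cost in links:
        for a in members:
            for b in members:
                if a != b:
                    adjacency.setdefault(a, []).append((cost, b))
    best: Dict[str, int] = {src: 0}
    previous: Dict[str, str] = {}
    frontier = [(0, src)]
    while frontier:
        cost_so_far, site = heapq.heappop(frontier)
        if cost_so_far > best.get(site, float("inf")):
            continue  # stale heap entry
        if site == dst:
            break
        for hop_cost, neighbour in adjacency.get(site, []):
            candidate = cost_so_far + hop_cost  # costs are additive hop by hop
            if candidate < best.get(neighbour, float("inf")):
                best[neighbour] = candidate
                previous[neighbour] = site
                heapq.heappush(frontier, (candidate, neighbour))
    if dst not in best:
        return None
    route = [dst]
    while route[-1] != src:
        route.append(previous[route[-1]])
    route.reverse()
    return best[dst], route


if __name__ == "__main__":
    print(cheapest_route("West", "East"))     # two T1 hops (200) beat the 500 dial-up
    print(cheapest_route("West", "Remote"))
    print(cheapest_route("West", "Island"))   # None: no link reaches Island
```

Run with the dial-up link costed at 150 instead of 500, the direct route wins, which is the mistake the text warns about: a backup link priced below the sum of the primary hops carries production replication.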
Managing Replication Facts
You should know the following facts about managing replication:
Use Replication Monitor (Replmon) or Active Directory Sites and Services to force replication. Replmon has an Update Automatically feature that lets you specify how often replication reports are refreshed.
The Sysvol share replicates using the File Replication Service (this includes things like Group Policy and logon scripts).
Replication uses port 135.
DCs must be able to contact each other for replication. This means they need a valid network connection, a valid IP address configuration, and available DNS so the servers can locate each other.
You can use the Directory Service and File Replication Service logs in Event Viewer to monitor replication services.
You should also know the following facts about Replmon. Replmon allows you to perform the following administrative tasks:
o Force synchronization between domain controllers.
o Monitor domain controller replication.
o Perform simultaneous monitoring of domain controllers in different forests.
Replmon gives a graphical view of the topology. Replmon must run on a computer running Windows Server 2003. You can start Replmon by entering Replmon at the command line.
Tombstones and Garbage Collection You should know the following facts about tombstones and garbage collection:
When an object is removed from the Active Directory database, it is moved to a hidden Deleted Objects container. Objects in the Deleted Objects container are called tombstones. The default storage time for tombstones is 60 days. Every 12 hours (default setting) a domain controller examines its Deleted Objects folder for tombstones that have exceeded the storage period. Objects beyond the storage period are removed in a process called garbage collection.
Global Catalogs and Universal Group Membership Caching
You should know the following facts about global catalogs and universal group membership caching:
A global catalog server needs to be contacted during logon. Place a global catalog server in each site to speed up logon.
A global catalog server also maintains universal group membership. Group membership needs to be consulted during resource access.
Only one server per site needs to be a global catalog server.
Enabling the universal group membership caching feature for a site lets users who are members of a universal group log on in the event of a WAN link failure. If the only need is to obtain universal group membership information, enabling this feature for a site is a better solution than creating a global catalog server in the site.
All servers in a site must be running Windows Server 2003 for universal group membership caching to work.
Site License Facts
You should know the following facts about site licensing:
Set up a site license server to monitor license
o Purchases.
o Deletions.
o Usage.
The License Logging service runs on each server within a site, collecting information to send to the site license server.
The information in the site license server database can be viewed using the Licensing tool in Administrative Tools.
By default, the site license server is the first domain controller created for a site. The site license server does not have to be a domain controller.
Application Directory Partitions
Application directory partitions are used to store dynamic objects. Most information stored in Active Directory is relatively static, meaning that it changes infrequently enough to allow it to be replicated across a domain with a high degree of regularity. Dynamic objects, however, change more frequently than they can be efficiently and effectively replicated. (Dynamic objects are created with a time-to-live (TTL) value which, when it expires, allows Active Directory to delete the object.)
Application directory partitions allow you to configure replication and replicas to accommodate the unique requirements of dynamic objects. Where domain partitions must replicate to all domain controllers in a domain, application directory partitions do not have to meet this requirement. For example, if the DNS service is configured to use AD, the DNS zone data will be replicated across the domain (because zone data is stored in a domain partition) even to domain controllers that are not running the DNS server. However, if you put the DNS zone data in an application directory partition, you can limit the scope of replication.
Application directory partitions are not limited, however, in the types of data they can hold. They can hold, for instance, user, computer, and group objects; every object type, in fact, but security principals. Objects in an application directory partition do operate under certain limitations, including the following:
o They cannot maintain DN-value references to objects in other application directory or domain partitions. Neither can objects in other partitions maintain DN-value references to objects in an application directory partition.
o They are not replicated to the Global Catalog. (However, a global catalog server can be configured to hold a replica of an application directory partition.)
o They cannot be moved to other application directory partitions outside the partition in which they were created.
To create an application directory partition:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Create nc [distinguished name of the application directory partition] [domain controller name]
To delete an application directory partition:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Delete nc [distinguished name of the application directory partition]
To add an application directory partition replica:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Add nc replica [distinguished name of the application directory partition] [domain controller name]
To remove an application directory partition replica:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Remove nc replica [distinguished name of the application directory partition] [domain controller name]
Technical Interview Questions – Active Directory What is Active Directory?
Active Directory (AD) is a technology created by Microsoft to provide network services including LDAP directory services, Kerberos-based authentication, DNS naming, secure access to resources, and more.
What is LDAP?The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs directly over the TCP/IP stack
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options. Yes. You can connect Active Directory to other third-party directory services, such as the directories used by SAP or Domino, with the help of MIIS (Microsoft Identity Integration Server). You can also use DirXML or LDAP to connect to other directories (e.g. eDirectory from Novell).
Where is the AD database held? What other folders are related to AD? The AD database is saved in %systemroot%\NTDS. You can see other files in this folder as well. The main files controlling the AD structure are ntds.dit, edb.log, res1.log, res2.log and edb.chk.
What is the SYSVOL folder? The SYSVOL folder stores the domain's file-based, security-related Active Directory data (such as Group Policy data and logon scripts) and can only be created on an NTFS partition. The Sysvol folder on a Windows domain controller is used to replicate this file-based data among domain controllers.
Name the AD NCs and replication issues for each NC. The naming contexts are the Schema NC, the Configuration NC and the Domain NC.
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
What are application partitions? When do I use them? An application directory partition is a partition in Active Directory that an application can use to store its application-specific data. This partition is then replicated only to specific domain controllers. The application directory partition can contain any type of data except security principals (users, computers, groups).
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest
How do you create a new application partition? The DnsCmd command can be used to create a new application directory partition. For example, to create a partition named NewPartition on the domain controller DC1.contoso.com, log on to the domain controller and type the following command:
DnsCmd DC1 /CreateDirectoryPartition NewPartition.contoso.com
How do you view replication properties for AD partitions and DCs? By using Replication Monitor: go to Start > Run and type replmon. From the command line, use repadmin.
What is the Global Catalog?The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR you can use Replmon.exe for the same purpose. OR use AD Sites and Services, or nslookup gc._msdcs.
To find the GCs from the command line you can use the DSQUERY command: dsquery server -isgc. To find all the GCs in the forest, use dsquery server -forest -isgc.
Why not make all DCs in a large forest GCs? The reason that not all DCs are GCs to start with is that in large (or even giant) forests every DC would have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden. For a few hundred, or even a few thousand, users this is not likely to matter unless you have really poor WAN links.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add snap-in --> add Active Directory Schema. Save the console as schema.msc.
Open Administrative Tools --> schema.msc
What are the Support Tools? Why do I need them? Support Tools are the tools used for performing complicated tasks easily. You need them because you cannot properly manage an Active Directory network without them. Here they are; it would do you well to familiarize yourself with all of them: Acldiag.exe, Adsiedit.msc, Bitsadmin.exe, Dcdiag.exe, Dfsutil.exe, Dnslint.exe, Dsacls.exe, Iadstools.dll, Ktpass.exe, Ldp.exe, Netdiag.exe, Netdom.exe, Ntfrsutl.exe, Portqry.exe, Repadmin.exe, Replmon.exe, Setspn.exe.
What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP. Ldp.exe (listed among the Support Tools above) is the graphical LDAP client that lets you browse, search and edit directory data over that protocol.
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than with its command-line counterparts.
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted with this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required for using this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and the Microsoft Management Console (MMC) are necessary.
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN.EXE is a command-line tool used to monitor and troubleshoot replication on a computer running Windows. It allows you to view the replication topology as seen from the perspective of each domain controller.
What are sites? What are they used for?Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization
What's the difference between a site link's schedule and interval?
Schedule lets you list the weekdays or hours when the site link is available for replication to happen at the given interval. Interval is how often intersite replication recurs, in minutes, within the scheduled window. It ranges from 15 to 10,080 minutes. The default interval is 180 minutes.
What is the KCC?The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers
What is the ISTG? Who has that role by default? The Intersite Topology Generator (ISTG) is responsible for the connections among sites. By default the first server in the site has this role. If that server can no longer perform the role, the server with the next-highest GUID takes over as ISTG.
What are the requirements for installing AD on a new server?
An NTFS partition with enough free space (250MB minimum)
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
What can you do to promote a server to DC if you're in a remote location with slow WAN link?
First available in Windows 2003: create a copy of the system state from an existing DC and copy it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location of the system state files.
How can you forcibly remove AD from a server, and what do you do later?
Demote the server using dcpromo /forceremoval, then remove the server's metadata from Active Directory using ntdsutil (metadata cleanup).
Another way:
Restart the DC in Directory Services Restore Mode (DSRM).
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode.
It is a member server now, but its AD entries are still there. Promote the server to a throwaway domain (say ABC.com) and then remove it gracefully using dcpromo. Alternatively, after the restart you can use ntdsutil to perform the metadata cleanup described above.
Can I get user passwords from the AD database? There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.
What tool would I use to try to grab security related packets from the wire?
You need a packet sniffer; a good one is Ethereal (www.ethereal.com). Sniffer-detecting tools, in turn, help you stop snoops running sniffers on your own network.
Name some OU design considerations.OU design requires balancing requirements for delegating administrative rights - independent of Group Policy needs - and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.
What is the tombstone lifetime attribute? The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is stored in the Directory Service object in the Configuration NC.
Default Tombstone Lifetime for New Active Directory Forests
Operating System: Default Tombstone Lifetime
Windows 2000 Server: 60 days
Windows Server 2003 (no service pack): 60 days
Windows Server 2003 SP1: 180 days
Windows Server 2003 R2: 60 days
Windows Server 2003 SP2: 180 days
Windows Server 2008: 180 days
What do you do to install a new Windows 2003 DC in a Windows 2000 AD? If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000 domain, or to upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be run on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 Active Directory. The adprep /domainprep command must then be run on the server holding the infrastructure master role in each domain where Windows Server 2003 domain controllers will be deployed.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
How would you find all users that have not logged on since last month?
Using only native commands, JSILLD.bat produces a sorted, formatted report of users who have not logged on since YYYYMMDD.
The report is sorted by user name and lists the user's full name and last logon date.
The syntax for using JSILLD.bat is:
JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never logged on.
JSILLD.bat contains:
@echo off
setlocal
REM Argument check: %1 = output file, %2 = YYYYMMDD cut-off date, %3 = optional /N
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
set dte=%2
REM Validate the year, month and day fields of the cut-off date
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
REM NET USER /DOMAIN lists up to three user names per line; skip the banner and footer lines
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do call :parse "%%i"
endlocal
goto :EOF
:parse
REM Split one output line into its three 25-character name columns and query each user
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
REM Pick the Full Name and Last logon lines out of the per-user NET USER output
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
REM Normalize two-digit years to four digits and zero-pad month and day
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
REM Users who logged on at or after the cut-off date are skipped
if "%YMD%" GEQ "%dte%" goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
What are the DS* commands? The DS (Directory Service) family of built-in command-line utilities for Windows Server 2003 Active Directory.
New DS built-in tools for Windows Server 2003: The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSmove; in the other are DSquery and DSget.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The DS family of built-in command-line executables offers alternative strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSquery - find objects that match your query attributes
DSget - list the properties of an object
DS Syntax: These DS tools have their own command structure, which you can split into five parts:
1. Tool  2. object  3. "DN" (as in LDAP distinguished name)  4. -switch  5. value
For example: DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cX49pQba.
Here are some of the common DS switches which work with DSadd and DSmod: -pwd (password), -upn (userPrincipalName), -fn (FirstName), -samid (SAM account name). The best way to learn about this DS family is to log on at a domain controller and experiment from the command line. I have prepared examples of the two most common programs. Try some sample commands for DSadd.
Two most useful tools: DSquery and DSget. DSquery and DSget remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One prerequisite for getting the most from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information such as office or department manager, then DSquery and DSget would be your tools of choice. Moreover, you can export the information into a text file.
What's the difference between LDIFDE and CSVDE? Usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against the Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. This article is designed to help you better understand how the LDIFDE utility can be used to migrate directories.
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the System32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
DIFFERENCE USAGE WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but it extracts information in a comma-separated value (CSV) format. You can use Csvde to import and export Active Directory data that uses the comma-separated value format. Use a spreadsheet program such as Microsoft Excel to open this .csv file and view the header and value information. See Microsoft Excel Help for information about functions such as Concatenate that can simplify the process of building a .csv file.
Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv). Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class"
that you must rename to "objectClass." You must also rename "Display Name" to "displayName."
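The two fixes the text requires before csvde will accept an Exchange-style export (rename the headers, put the DN in the first column) are mechanical, so here they are as an added Python example; this is not code from the page or from Microsoft. The sample export and its column names, including a column literally named "DN", are constructed for the example; a real Exchange export may label the distinguished-name column differently, so treat HEADER_MAP as the place to add further renames.

```python
import csv
import io

# Header renames the text calls out for an Exchange Server directory export.
# Extend this map for any other columns whose Exchange name differs from the
# Active Directory attribute name.
HEADER_MAP = {
    "obj-class": "objectClass",
    "Display Name": "displayName",
}


def parse_rows(csv_text):
    """Return the rows of a CSV document as a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def header_row(csv_text):
    """Return the header (first row) of a CSV document."""
    return next(csv.reader(io.StringIO(csv_text)))


def is_csvde_ready(csv_text):
    """True when the DN is the first column and no Exchange-style headers remain."""
    header = header_row(csv_text)
    return bool(header) and header[0] == "DN" and not any(h in HEADER_MAP for h in header)


def prepare_for_csvde(exchange_csv):
    """Rename mapped headers and move the DN column to the front.

    Raises ValueError when there is no DN column, because csvde cannot import
    a file whose first column is not the distinguished name.
    """
    reader = csv.DictReader(io.StringIO(exchange_csv))
    fields = [HEADER_MAP.get(f, f) for f in reader.fieldnames]
    if "DN" not in fields:
        raise ValueError("csvde requires a DN column; none found")
    ordered = ["DN"] + [f for f in fields if f != "DN"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ordered, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Rename keys per HEADER_MAP; DictWriter emits them in `ordered` order
        # and quotes the DN, which itself contains commas.
        writer.writerow({HEADER_MAP.get(k, k): v for k, v in row.items()})
    return out.getvalue()


# Constructed sample export: DN is not first, and two headers use Exchange names.
# The "DN" column name is an assumption of this example.
SAMPLE_EXPORT = (
    "obj-class,Display Name,DN,sAMAccountName\n"
    "user,Jane Example,\"CN=Jane Example,OU=Users,DC=example,DC=com\",jexample\n"
)

if __name__ == "__main__":
    print(prepare_for_csvde(SAMPLE_EXPORT))
```

Run the rewritten file through csvde -i -f <file> only after is_csvde_ready reports True; the DN check matters because csvde fails the whole import, not just one row, when the first column is wrong.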
What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for Flexible Single Master Operation. There are five roles:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
What FSMO placement considerations do you know of?Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want
to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
I want to look at the RID allocation table for a DC. What do I do?
Install the Support Tools from the OS installation disk (\Support\Tools\suptools.msi). Then, at a command prompt, type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).
What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role. If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network. If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.
The partition for each FSMO role is in the following list:
FSMO role: Partition
Schema: CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master: CN=configuration,DC=<forest root domain>
PDC: DC=<domain>
RID: DC=<domain>
Infrastructure: DC=<domain>
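The candidate-selection rule above (same domain as the role's partition, most recent inbound replication from the holder, same site as a tie-breaker, and the infrastructure-master-not-on-a-GC rule from the role descriptions) can be written down as a small decision procedure. The following is an added Python example, not code from the page or from Microsoft; the forest root, child domain, DC names, sites and replication timestamps are all constructed, and the exact ordering of "most recent replication" before "same site" is this example's choice, since the text names both without ranking them.

```python
from datetime import datetime, timedelta

FOREST_ROOT = "DC=example,DC=com"   # constructed forest root domain
FOREST_WIDE_ROLES = ("schema", "domain naming")
DOMAIN_WIDE_ROLES = ("pdc", "rid", "infrastructure")


def fsmo_partition(role, domain_dn):
    """Partition that holds the FSMO role, following the table above."""
    if role == "schema":
        return f"CN=Schema,CN=Configuration,{FOREST_ROOT}"
    if role == "domain naming":
        return f"CN=Configuration,{FOREST_ROOT}"
    if role in DOMAIN_WIDE_ROLES:
        return domain_dn
    raise ValueError(f"unknown FSMO role: {role}")


def best_candidate(role, holder, dcs):
    """Name of the DC best placed to take over `role` from `holder`, or None.

    Each DC is a dict: name, domain, site, is_gc, last_inbound (datetime of its
    last inbound replication from the holder; None for the holder itself).
    Rules applied: same domain as the role's partition; for the infrastructure
    master, not a global catalog unless every DC in the domain is one; then the
    most recent inbound replication, with "same site as the holder" breaking ties.
    """
    domain = FOREST_ROOT if role in FOREST_WIDE_ROLES else holder["domain"]
    pool = [d for d in dcs if d["name"] != holder["name"] and d["domain"] == domain]
    if role == "infrastructure":
        in_domain = [d for d in dcs if d["domain"] == domain]
        if not all(d["is_gc"] for d in in_domain):
            pool = [d for d in pool if not d["is_gc"]]
    if not pool:
        return None
    pool.sort(key=lambda d: (d["last_inbound"], d["site"] == holder["site"]), reverse=True)
    return pool[0]["name"]


# Constructed forest: root domain with DC1..DC3, child domain with DC4..DC6.
NOW = datetime(2024, 1, 1, 12, 0, 0)
CHILD = "DC=child,DC=example,DC=com"
DCS = [
    {"name": "DC1", "domain": FOREST_ROOT, "site": "SiteA", "is_gc": True,  "last_inbound": None},
    {"name": "DC2", "domain": FOREST_ROOT, "site": "SiteA", "is_gc": False, "last_inbound": NOW - timedelta(seconds=15)},
    {"name": "DC3", "domain": FOREST_ROOT, "site": "SiteB", "is_gc": True,  "last_inbound": NOW - timedelta(hours=3)},
    {"name": "DC4", "domain": CHILD,       "site": "SiteA", "is_gc": True,  "last_inbound": None},
    {"name": "DC5", "domain": CHILD,       "site": "SiteB", "is_gc": False, "last_inbound": NOW - timedelta(hours=3)},
    {"name": "DC6", "domain": CHILD,       "site": "SiteB", "is_gc": True,  "last_inbound": NOW - timedelta(seconds=15)},
]


def dc(name):
    """Look up a constructed DC record by name."""
    return next(d for d in DCS if d["name"] == name)


if __name__ == "__main__":
    print("schema from DC1 ->", best_candidate("schema", dc("DC1"), DCS))
    print("pdc from DC4 ->", best_candidate("pdc", dc("DC4"), DCS))
    print("infrastructure from DC4 ->", best_candidate("infrastructure", dc("DC4"), DCS))
```

In practice the last_inbound values come from repadmin /showrepl on the candidate, and whether a DC is a GC comes from the NTDS Settings check described later on this page.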
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
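The RID master description earlier on this page and the "overlapping RID pools" risk just above are two views of the same mechanism, so one model serves both. The following is an added Python example (not code from the page or from Microsoft) of how a DC draws RIDs from a pool, asks the RID master for a standby pool when it runs low, and builds each new principal's SID from the domain SID plus a RID; it then shows what happens when a seized RID master and the original holder are both still handing out pools from the same replicated state. The domain SID, pool size, threshold and starting RID are constructed values for the model, not the real Windows defaults.

```python
from dataclasses import dataclass, field
from itertools import combinations

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
POOL_SIZE = 500   # RIDs per allocation (constructed value for the model)
THRESHOLD = 50    # a DC asks for its next pool once fewer RIDs than this remain


@dataclass
class RidMaster:
    """The single DC per domain that carves blocks out of the unallocated RID pool."""
    next_rid: int = 1000                       # constructed starting RID
    allocations: list = field(default_factory=list)

    def allocate(self, dc_name):
        block = range(self.next_rid, self.next_rid + POOL_SIZE)
        self.next_rid += POOL_SIZE
        self.allocations.append((dc_name, block))
        return block


@dataclass
class DomainController:
    name: str
    master: RidMaster
    pool: list = field(default_factory=list)   # RIDs this DC may still assign
    standby: list = None                       # next block, requested early

    def create_principal(self):
        """Create a user or group and return its SID: domain SID plus a RID."""
        if not self.pool:
            if self.standby is None:
                self.standby = list(self.master.allocate(self.name))
            self.pool, self.standby = self.standby, None
        rid = self.pool.pop(0)
        # Below the threshold: ask the RID master for the next block now, so
        # principal creation never has to wait for the master later.
        if len(self.pool) < THRESHOLD and self.standby is None:
            self.standby = list(self.master.allocate(self.name))
        return f"{DOMAIN_SID}-{rid}"


def overlapping_pools(masters):
    """Pairs of allocations, across all given RID masters, whose RID ranges overlap."""
    blocks = [a for m in masters for a in m.allocations]
    return [(a, b) for a, b in combinations(blocks, 2)
            if a[1].start < b[1].stop and b[1].start < a[1].stop]


def duplicate_sids(sids):
    """SIDs that were issued more than once."""
    seen, dupes = set(), set()
    for s in sids:
        if s in seen:
            dupes.add(s)
        seen.add(s)
    return dupes


def pool_requests_after(n_principals):
    """How many pools one DC has requested after creating n principals."""
    master = RidMaster()
    dc = DomainController("DC1", master)
    for _ in range(n_principals):
        dc.create_principal()
    return len(master.allocations)


def healthy_domain(n_principals=120):
    """One RID master, two DCs: disjoint pools, no duplicate SIDs."""
    master = RidMaster()
    dcs = [DomainController("DC1", master), DomainController("DC2", master)]
    sids = [dcs[i % 2].create_principal() for i in range(n_principals)]
    return sids, [master]


def split_brain_domain(n_principals=120):
    """The RID master role was seized, but the old holder is still running and has
    not yet replicated knowledge of the seizure: two masters with identical state."""
    old, new = RidMaster(), RidMaster()
    dcs = [DomainController("DC1", old), DomainController("DC2", new)]
    sids = [dcs[i % 2].create_principal() for i in range(n_principals)]
    return sids, [old, new]


if __name__ == "__main__":
    sids, masters = split_brain_domain()
    print("overlapping pools:", overlapping_pools(masters))
    print("duplicate SIDs issued:", len(duplicate_sids(sids)))
```

The split-brain run is the concrete form of the risk the text names: two principals in different places end up with the same SID, which is exactly why a seized-from DC must be rebuilt or cleaned up before it can ever talk to the forest again.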
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain
Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
How do you configure a "stand-by operation master" for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
How do you backup AD? Backing up Active Directory is essential to maintaining an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
Back up the system state data on domain controllers frequently so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.
To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup to enable an authoritative restore of the data when necessary.
System State Data: Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate.
System state data on a domain controller includes the following components:
Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class Registration is a database of information about Component Services applications.
The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.
Restoring Active Directory: In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must also restore the Active Directory database when objects in Active Directory have been changed or deleted and need to be recovered.
Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once replication is finished, each partner has an updated version of Active Directory. Another way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you do not need to reconfigure your domain controller or reinstall the operating system from scratch.
Active Directory Restore Methods: You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer, or a user who has been delegated this responsibility can perform the restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore to recover individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored objects that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore, along with the Windows Server 2003 system utilities. You use the Ntdsutil command-line tool to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored data during replication.
How do you restore AD? See Restoring Active Directory and Active Directory Restore Methods in the previous answer.
How do you change the DS Restore admin password?
Method 1
If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the Setpwd.exe utility to change the SAM-based Administrator password. To do this:
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. At a command prompt, change to the %SystemRoot%\System32 folder.
3. To change the local SAM-based Administrator password, type setpwd, and then press ENTER.
To change the SAM-based Administrator password on a remote domain controller, type the following command at a command prompt, and then press ENTER
setpwd /s:servername
where servername is the name of the remote domain controller.
4. When you are prompted to type the password for the Directory Service Restore Mode Administrator account, type the new password that you want to use.
NOTE: If you make a mistake, repeat these steps to run setpwd again.
Method 2
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
At a command prompt, type the following command: net user administrator *
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer.
You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password
Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days by default.
What are GPOs? Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually force the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages: You can assign Group Policy in domains, sites, and organizational units. All users and computers in a domain, site, or organizational unit receive the Group Policy settings applied there. By default no one else on the network has rights to change Group Policy settings; only administrators have full privilege to change them, so it is very secure. Policy settings can be removed, and the changes can be rewritten later.
Where GPOs Store Group Policy Information
Group Policy objects store their Group Policy information in two locations:
Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers access the GPC to locate Group Policy templates, and if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs: To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in both the SYSVOL folder and Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. Whether one administrator's changes overwrite those made by another administrator depends on the replication latency. By default the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.
WMI Filter: WMI filters are used to refine the scope of GPOs based on attributes of the user or computer. In this way, you can extend GPO filtering beyond the security group filtering mechanism that was previously available.
A WMI filter is linked to a GPO. When you apply the GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter consists of one or more queries that are evaluated against the WMI repository of the destination computer. If the set of queries evaluates to false, the GPO is not applied; if it evaluates to true, the GPO is applied. You write the queries by using the WMI Query Language (WQL), a language similar to SQL for querying the WMI repository.
Planning a Group Policy Strategy for the Enterprise: When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization.
Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.
Planning GPOs Create GPOs in way that provides for the simplest and most manageable design -- one in which you can use inheritance and multiple links.
Guidelines for Planning GPOs Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what common GPO settings for the largest container are starting with the domain and then link the GPO to this container. Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid creating multiple links of the same GPO at a deeper level. Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs. Disable computer or use configuration settings: When you create a GPO to contain settings for only one of the two levels-user and computer-disable the logon and prevents accidental GPO settings from being applied to the other area.
What is the order in which GPOs are applied?Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
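The LSDOU order above, together with link order, Block Inheritance and Enforced links, determines which value a setting ends up with. The following Python model is an added example (not from the original page or from Microsoft's tooling) that computes the processing order and the resultant set for a few constructed GPOs; the container, GPO and setting names are invented for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    order: int             # link order on the container; 1 is highest precedence
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_sequence(chain):
    """chain: site, domain, then OUs from the top down to the one holding the object.
    Returns GPO names in processing order; the last one processed wins a conflict."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            normal = []                        # drop every non-enforced link from above
        # within one container the highest link order is processed first, link order 1 last
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            (enforced if link.enforced else normal).append((depth, link))
    # enforced links are processed after everything else; a deeper container's enforced
    # link goes before its ancestor's, so the ancestor (closer to the domain) wins
    enforced.sort(key=lambda t: (-t[0], -t[1].order))
    return [link.gpo for _, link in normal + enforced]


def resultant_set(local_gpo, chain, gpos):
    """Apply each GPO's settings in processing order. None means Not Configured,
    which never overrides an earlier value (settings aggregate unless they conflict).
    The local GPO is always processed first and is not affected by Block Inheritance."""
    order = [local_gpo] + processing_sequence(chain)
    rsop = {}
    for name in order:
        for setting, value in gpos[name].items():
            if value is not None:
                rsop[setting] = value
    return order, rsop


# constructed data: GPO name -> settings it configures
GPOS = {
    "Local Policy":      {"wallpaper": "local.bmp", "screensaver_timeout": 600},
    "SiteA-Proxy":       {"wallpaper": "site.bmp"},
    "Default Domain":    {"min_pwd_len": 8},
    "Security-Baseline": {"min_pwd_len": 14, "screensaver_timeout": 900},
    "WS-Standard":       {"wallpaper": "corp.bmp", "screensaver_timeout": None},
    "Fin-Wallpaper":     {"wallpaper": "finance.bmp"},
}
CHAIN = [
    Container("Site: HQ", [Link("SiteA-Proxy", 1)]),
    Container("Domain: corp.example",
              [Link("Default Domain", 2), Link("Security-Baseline", 1, enforced=True)]),
    Container("OU: Workstations", [Link("WS-Standard", 1)], block_inheritance=True),
    Container("OU: Finance", [Link("Fin-Wallpaper", 1)]),
]


def demo():
    return resultant_set("Local Policy", CHAIN, GPOS)


def demo_without_block():
    return processing_sequence([Container(c.name, c.links, False) for c in CHAIN])


if __name__ == "__main__":
    order, rsop = demo()
    print("processing order:", order)
    print("resultant set:", rsop)
```

Block Inheritance on the Workstations OU drops the site and Default Domain links, so min_pwd_len 8 never arrives, but the enforced Security-Baseline link survives the block and is processed last, so its 14 wins over anything in the OU. WS-Standard leaves screensaver_timeout Not Configured, so the enforced 900 is not disturbed and the local 600 is overridden.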
Name a few benefits of using GPMC. Microsoft released the Group Policy Management Console (GPMC) as the single tool for managing Group Policy. It provides:
1. Administration of all GPOs across the entire Active Directory forest from one console.
2. A single list of every GPO.
3. Reporting of GPO settings, security, WMI filters and delegation.
4. Control of GPO inheritance with Block Inheritance, Enforce and security filtering.
5. A delegation model.
6. Backup and restore of GPOs.
7. Migration of GPOs across domains and forests.
With all of these benefits, the GPMC alone still falls short in some areas. It is the right tool for the tasks above and everyone should use it for them, but by itself it does not protect GPOs from:
1. The lack of role-based delegation of GPO management.
2. Being edited directly in production, potentially damaging desktops and servers.
3. Forgetting to back up a GPO after it has been modified.
4. The absence of a change-management record of each modification to every GPO.
What are the GPC and the GPT? Where can I find them? A GPO stores its settings in two locations: the Group Policy container (GPC) in Active Directory and the Group Policy template (GPT) in SYSVOL. The GPC is an Active Directory object that stores version information, status information and other policy information (for example, application objects); you can find it under CN=Policies,CN=System in the domain partition, named by the GPO's GUID.
The GPT holds the file-based data: software policy, scripts and deployment information. It is located in the SYSVOL share on each domain controller, in the domain's Policies\{GUID} folder. A GPO can be linked to one or more Active Directory containers (site, domain or organizational unit). Several containers can link to the same GPO, and a single container can have more than one linked GPO.
What are GPO links? What special things can I do to them?To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.
What can I do to prevent inheritance from above? You can block policy inheritance on a domain or organizational unit. Block Inheritance prevents GPOs linked to higher-level sites, domains or organizational units from being inherited by the child container. By default, children inherit all GPOs from their parents, but it is sometimes useful to block this. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, link the required GPOs at the domain level (from which all organizational units inherit by default) and then block inheritance only on the organizational unit to which the policies should not apply. Block Inheritance cannot stop a GPO whose link is marked Enforced, and it does not affect the local GPO.
How can I override blocking of inheritance? Mark the GPO link as Enforced (called No Override in the older Group Policy tools). An enforced link is applied even where a child container has Block Inheritance set, and its settings win over any conflicting settings from GPOs linked lower in the hierarchy. If several enforced links conflict, the one linked higher in the hierarchy (closer to the domain) takes precedence. Enforced is set per link in GPMC, not on the GPO itself.
How can you determine what GPO was and was not applied for a user? Name a few ways to do that. Use the Group Policy Results wizard in the Group Policy Management Console, which queries the target computer for the actual Resultant Set of Policy (RSoP) and lists the GPOs that were applied, the GPOs that were denied (for example by security filtering or a WMI filter) and the reason. Group Policy Modeling in GPMC runs a simulation for a user and computer placed in a given site, domain or OU. On the client itself, gpresult (gpresult /v, or gpresult /r on later versions) and the RSoP snap-in (rsop.msc) show the same information, and the Application event log records Group Policy processing errors.
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for? The interviewer wants to hear troubleshooting steps: which GPOs are linked to the OU, whether the GPO carries user or computer settings, and whether it really applies to everyone else. Check the security filtering on the GPO: the user (or a group he belongs to) needs both Read and Apply Group Policy permission, and a Deny on either blocks the GPO. Check whether a WMI filter on the GPO evaluates to false on his computer. Check loopback processing: if the computer has loopback enabled in Replace mode, the user settings come from the GPOs linked to the computer's OU rather than the user's. Run gpresult or Group Policy Results on his machine to see which GPOs were applied and which were denied, and check the computer's event logs. Event ID 1085 (a client-side extension failed to process the GPO) may point to a known problem for which a fix must be installed before rebooting.
Name some GPO settings in the computer and user parts. Computer Configuration holds settings that apply to the machine regardless of who logs on: security settings such as password, lockout and audit policy and user rights assignment, startup and shutdown scripts, software installation assigned to computers, and machine-side Administrative Templates (for example Windows Update or firewall behaviour). User Configuration holds settings that follow the user: logon and logoff scripts, folder redirection, software published or assigned to users, and user-side Administrative Templates (Desktop, Start menu, Control Panel restrictions, wallpaper).
What are administrative templates? The settings in a GPO are divided between Computer Configuration and User Configuration, and in both parts you can see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based settings (over 1300 individual settings) found in any GPO on Windows 2000, Windows XP and Windows Server 2003.
Through the Administrative Templates sections of a GPO you deploy changes to the machine portion (HKEY_LOCAL_MACHINE) and the user portion (HKEY_CURRENT_USER) of the registry on the computers the GPO applies to. The values are written under the Policies keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies), which ordinary users cannot edit, so the settings are enforced rather than merely set as preferences.
The Administrative Templates themselves are Unicode text files with the extension .ADM; they define the settings and build that portion of the Group Policy Object Editor user interface.
What's the difference between software publishing and assigning? An administrator can either assign or publish software applications.
Assigning to users: the application is advertised when the user logs on (its shortcuts appear on the Start menu). It is installed when the user clicks the shortcut or opens a file whose extension is associated with the application.
Assigning to computers: the application is advertised and installed when it is safe to do so, normally at the next restart, before anyone logs on.
Publishing to users: the application does not appear on the Start menu or desktop, so the user may not know that it is available. It is offered through Add/Remove Programs in Control Panel, or installs when the user opens a file associated with it. Published applications do not reinstall themselves if they are accidentally deleted, and software cannot be published to computers.
Can I deploy non-MSI software with GPO? Yes. A .zap file (a text file that describes the application's own setup program) lets non-Windows Installer applications be deployed through Group Policy. .zap deployments do not support automatic repair, customized (transform) installations or automatic removal, the setup program runs with the user's own privileges rather than elevated, and the application can only be published to users, not assigned.
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
One way is a mandatory profile: log on to a client as a domain administrator, configure everything (wallpaper, printers, Start menu, My Documents and so on), then in System Properties, User Profiles, copy the profile to a share, granting Everyone permission to use it. Rename ntuser.dat in the copy to ntuser.man so the profile becomes mandatory (changes are discarded at logoff), and set the share path as the profile path on each user account in the department. The other way, which is easier to maintain, is a GPO linked to the department's OU: User Configuration Administrative Templates for the wallpaper and Start menu, Folder Redirection for My Documents, and a logon script that adds the printer connections.
What is an IP address? An Internet Protocol (IP) address is a unique address that a device on an IP network uses to identify itself and communicate with other devices.
What is a subnet mask? A subnet mask splits an IP address into its network part and its host part; the bits set to 1 in the mask belong to the network portion.
What is ARP? The Address Resolution Protocol maps an IP address to a physical (data link, or MAC) address, such as an Ethernet address, on the local segment. A host broadcasts an ARP request for an IP address and the owner answers with an ARP reply; the result is cached so that later packets need no new request.
What is ARP cache poisoning? ARP cache poisoning, also known as ARP spoofing, is an attack in which forged ARP replies (or unsolicited gratuitous ARPs) are sent on an Ethernet network so that victims cache the attacker's MAC address for another host's IP address, typically the default gateway's. ARP has no authentication, so traffic for that IP address is then delivered to the attacker, who can intercept, modify or drop it. Defences include static ARP entries for critical hosts, Dynamic ARP Inspection on managed switches, and monitoring for IP-to-MAC changes.
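The monitoring defence mentioned above, as an added example that is not part of the original page: a minimal ARP watcher in Python that parses Ethernet/ARP frames and raises an alert when an IP address that was already bound to one MAC address is claimed by another. The two frames are constructed inline (the addresses are invented); on a real network you would feed it frames from a capture instead.

```python
import struct

ETH = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s):  return bytes(int(o) for o in s.split("."))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_str(b):    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac'."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Tracks the IP -> MAC bindings seen in ARP replies and records rebinding."""

    def __init__(self):
        self.table = {}      # what an unprotected ARP cache would now believe
        self.alerts = []     # (ip, old mac, new mac)

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["oper"] != ARP_REPLY:
            return
        known = self.table.get(a["spa"])
        if known is not None and known != a["sha"]:
            self.alerts.append((a["spa"], known, a["sha"]))
        self.table[a["spa"]] = a["sha"]


# constructed traffic: the real gateway answers, then an attacker claims the gateway's IP
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:20"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"

FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # genuine
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poisoned
]


def run_demo(frames=FRAMES):
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.table, watch.alerts


if __name__ == "__main__":
    table, alerts = run_demo()
    for ip, old, new in alerts:
        print(f"ALERT {ip} changed from {old} to {new}")
```

A rebinding alert is also raised by legitimate events such as a replaced NIC or an address handed to a different host by DHCP, so in practice the watcher is paired with a list of known-static hosts (the gateway, servers) where any change is treated as hostile.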
What is the ANDing process? To decide whether a destination host is local or remote, a host performs a bitwise AND of its own IP address with its subnet mask and of the destination IP address with the same mask. If the two results are equal, the destination is on the local subnet and the packet is sent directly (after ARP for the destination's MAC address); if they differ, the packet is sent to a router, normally the default gateway. The host does this internally, but understanding it is the key to understanding how an IP host knows whether to deliver directly or via a router.
What is a default gateway? What happens if I don't have one? The default gateway is the router on the local TCP/IP subnet to which a host sends packets whose destination address lies outside the local subnet (any destination for which it has no more specific route). Without one, the host can only reach addresses on its own subnet or those covered by explicit static routes.
Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway? In the usual configuration, no: the default gateway is what routes packets from your subnet to other networks, public or private. It can be done without one if the workstation has a static route covering the destination networks, or if the browser is configured to use a proxy server that sits on the local subnet, since then the workstation only ever sends packets to a local address and the proxy does the routing on its behalf.
What is a subnet? A subnet is an identifiably separate part of an organization's network, defined by a network address and mask; it specifies a contiguous range of IP addresses.
What is APIPA? Automatic Private IP Addressing. A Windows computer configured to use DHCP assigns itself an address from the reserved range 169.254.0.0/16 (169.254.0.1 to 169.254.255.254, mask 255.255.0.0) when no DHCP server answers, for example on a network without a DHCP server or when the server is temporarily down for maintenance. An APIPA address has no default gateway, so the machine can only talk to other hosts on the same segment; seeing a 169.254.x.x address on a client is the classic sign that DHCP is failing.
What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them) A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be submitted by anyone. Eventually, if it gains enough interest, it may evolve into an Internet Standard Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.
What is RFC 1918? RFC 1918 is Address Allocation for Private Internets The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block.
What is CIDR? Classless Inter-Domain Routing (RFC 4632, originally RFC 1519) replaced the classful A/B/C address classes. A network is written as an address plus a prefix length that gives the number of network bits, for example 192.115.103.64/27 or 131.112.0.0/16, so networks can be split or aggregated on any bit boundary rather than only at the 8, 16 and 24-bit class boundaries. The private ranges of RFC 1918 are written the same way (10/8, 172.16/12, 192.168/16); RFC 4193 defines the equivalent unique local addresses for IPv6.
You have the following Network ID: 192.115.103.64/27. What is the IP range for your network? A /27 leaves 5 host bits, so each block holds 32 addresses. The block runs from 192.115.103.64 (the network address) to 192.115.103.95 (the broadcast address). The usable host addresses are 192.115.103.65 to 192.115.103.94, 30 hosts in total. 192.115.103.96 is the network address of the next /27.
You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use? 131.112.0.0 is a class B network (/16, mask 255.255.0.0). To divide it into the maximum number of subnets that each hold at least 500 hosts, use a /23 mask (255.255.254.0): 9 host bits give 510 usable hosts, and the 7 borrowed bits give 128 subnets. A /24 mask would limit you to 254 hosts; a /22 mask would be wasteful, allowing 1022 hosts per subnet but only 64 subnets.
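The ANDing test, the /27 range and the /23 subnetting question above are all the same arithmetic. This Python block is an added example (not from the original page) that carries it out with the standard library's ipaddress module: a local-or-remote decision with next-hop selection, the network/broadcast/usable range of any prefix, and the general form of the "how many subnets for N hosts" calculation, of which the 131.112.0.0 case is one instance. The addresses used in the checks are the page's own plus a few invented ones.

```python
import ipaddress


def is_local(src_ip, mask, dst_ip):
    """The ANDing test: AND both addresses with the mask and compare the results."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(src_ip)) & m) == (int(ipaddress.IPv4Address(dst_ip)) & m)


def next_hop(src_ip, mask, dst_ip, default_gateway=None):
    """Where the host sends the packet: straight to the destination, or to the router."""
    if is_local(src_ip, mask, dst_ip):
        return dst_ip
    if default_gateway is None:
        raise ValueError(f"{dst_ip} is remote and no default gateway is configured")
    return default_gateway


def subnet_info(cidr):
    """Network, broadcast and usable range of a prefix such as 192.115.103.64/27."""
    net = ipaddress.IPv4Network(cidr, strict=True)   # strict: host bits must be zero
    hosts = list(net.hosts())
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
            "usable_hosts": len(hosts),
            "next_network": str(net.broadcast_address + 1)}


def subnets_for(base_cidr, hosts_needed):
    """Smallest subnets of base_cidr that still hold hosts_needed usable addresses."""
    base = ipaddress.IPv4Network(base_cidr)
    host_bits = (hosts_needed + 1).bit_length()      # smallest h with 2**h - 2 >= hosts_needed
    prefix = 32 - host_bits
    if prefix < base.prefixlen:
        raise ValueError("base network is too small for that many hosts")
    return {"prefix": prefix,
            "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask),
            "subnets": 2 ** (prefix - base.prefixlen),
            "hosts_per_subnet": 2 ** host_bits - 2,
            "first_two": [str(s) for s in list(base.subnets(new_prefix=prefix))[:2]]}


if __name__ == "__main__":
    print(subnet_info("192.115.103.64/27"))
    print(subnets_for("131.112.0.0/16", 500))
    print(next_hop("192.168.1.10", "255.255.255.0", "8.8.8.8", "192.168.1.1"))
```

Passing strict=True to IPv4Network is deliberate: a network ID with host bits set (such as 192.115.103.70/27) raises an error instead of being silently rounded down, which catches the most common subnetting mistake early.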
You need to view network traffic. What will you use? Name a few tools. Wireshark (formerly Ethereal) or tcpdump; on Windows, Microsoft Network Monitor.
How do I know the path that a packet takes to the destination? Use the tracert command (traceroute on Unix-like systems), which sends probes with increasing TTL values so that each router on the path reports itself.
What does the ping 192.168.0.1 -l 1000 -n 100 command do? It sends 100 ICMP echo requests (-n 100) to 192.168.0.1, each carrying a 1000-byte payload (-l 1000), and reports the replies, the losses and the round-trip times.
What is DHCP? What are the benefits and drawbacks of using it? DHCP, the Dynamic Host Configuration Protocol, is a protocol that dynamically assigns unique IP addresses and related configuration to network devices.
Benefits of using DHCP for administering your TCP/IP-based network:
1. Safe and reliable configuration. DHCP avoids configuration errors caused by typing values manually at each computer, and helps prevent address conflicts caused by reusing an address that is already assigned.
2. Reduced configuration management. DHCP servers greatly reduce the time spent configuring and reconfiguring computers. They can supply a full range of additional configuration values (DHCP options) along with the address lease.
3. The lease renewal process lets clients whose configuration changes often (such as mobile users who move between locations) be updated efficiently and automatically by talking directly to the DHCP server.
Drawbacks: the address assigned to a machine can change when its lease expires or the machine moves, so anything that relies on a fixed address (firewall rules, DNS records that are not updated dynamically) breaks unless you use reservations or dynamic DNS updates; the server is a single point of failure unless a second server or split scope is configured; and any device plugged into the network can request a lease and learn the internal addressing, so rogue clients and rogue DHCP servers are a concern.
Describe the steps taken by the client and DHCP server in order to obtain an IP address. At least one DHCP server must exist on the network, with a scope (a pool of addresses that it manages). A client obtains an address in four steps, often remembered as DORA:
1. DHCPDISCOVER: the client, which has no address yet, broadcasts from 0.0.0.0 (UDP source port 68) to 255.255.255.255 (UDP port 67) looking for a server.
2. DHCPOFFER: each server that hears the discover offers an address from its scope together with the lease time and options.
3. DHCPREQUEST: the client broadcasts a request for one of the offered addresses, naming the server it chose, so that the other servers withdraw their offers.
4. DHCPACK: the chosen server acknowledges; the client configures the address, checks it with ARP for duplicates, and starts its lease timers (renewal at 50% of the lease, rebinding at 87.5%). If the server cannot honour the request it sends DHCPNAK instead. Clients on other subnets reach the server through a DHCP relay agent (IP helper) on the router.
DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol, October 1993); the current definition is RFC 2131 (March 1997), with the options defined in RFC 2132. The IETF Dynamic Host Configuration (dhc) Working Group produced it for automated allocation, configuration and management of IP addresses and TCP/IP stack parameters.
What is the DHCPNAK and when do I get one? Name 2 scenarios.
A DHCPNAK is the server's negative response to a DHCPREQUEST: it tells the client that the address it is asking for is not valid, so the client must discard its configuration and start again with DHCPDISCOVER. A Windows DHCP server sends a NAK only when it is sure the address is wrong for the network the client is on (judged from the relay agent address or from the interface the request arrived on). Two typical scenarios:
1. The client has moved to a different subnet and requests the address from its old lease (for example a laptop returning from another office). The address is not on the client's current subnet, so the server NAKs and the client obtains a fresh lease.
2. The client requests an address that the server's scope for that subnet no longer considers valid: the lease has expired and the address has since been given to another client, or the scope was changed or deleted.
Cases where the server stays silent rather than NAKing:
1. The requested address is on the client's subnet but outside this server's address pool. Two DHCP servers serving the same subnet with split pools (a failover arrangement) must not NAK leases handed out by the partner.
2. The requested address is on a different subnet but in the same superscope as the client's subnet; the server treats the superscope as one logical network and ACKs the request.
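The ACK/NAK/silence decision described above, written out as an added example in Python (not from the original page or from the Windows DHCP service). The scopes, superscope and client identifiers are constructed; the function takes the network the request arrived from and the address the client asks for, and returns which reply the server sends, if any.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    subnet: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    superscope: Optional[str] = None
    leases: dict = field(default_factory=dict)     # address -> client id

    def in_pool(self, addr):
        return self.pool_start <= addr <= self.pool_end


def scope(subnet, start, end, superscope=None):
    return Scope(ipaddress.IPv4Network(subnet), ipaddress.IPv4Address(start),
                 ipaddress.IPv4Address(end), superscope)


DHCPACK, DHCPNAK, SILENT = "DHCPACK", "DHCPNAK", None


def answer_request(scopes, client_network, client_id, requested):
    """Server-side decision for a DHCPREQUEST in INIT-REBOOT or renewal.
    client_network is the subnet the request came from (the relay agent's network,
    or the receiving interface's); requested is option 50 or ciaddr."""
    client_network = ipaddress.IPv4Network(client_network)
    requested = ipaddress.IPv4Address(requested)
    client_scope = next((s for s in scopes if s.subnet == client_network), None)
    if client_scope is None:
        return SILENT                  # we serve nothing on that network; not ours to judge
    target = next((s for s in scopes if requested in s.subnet), None)
    same_network = target is not None and (
        target is client_scope
        or (target.superscope is not None and target.superscope == client_scope.superscope))
    if not same_network:
        return DHCPNAK                 # scenario 1: the address belongs to a different subnet
    if not target.in_pool(requested):
        return SILENT                  # right subnet, but a partner server's pool: stay quiet
    holder = target.leases.get(requested)
    if holder is not None and holder != client_id:
        return DHCPNAK                 # scenario 2: the address is now leased to someone else
    target.leases[requested] = client_id
    return DHCPACK


def demo_scopes():
    """Two subnets joined in a superscope, plus one stand-alone subnet (constructed)."""
    return [scope("10.1.0.0/24", "10.1.0.10", "10.1.0.100", "Floor1"),
            scope("10.2.0.0/24", "10.2.0.10", "10.2.0.100", "Floor1"),
            scope("10.3.0.0/24", "10.3.0.10", "10.3.0.100")]


if __name__ == "__main__":
    scopes = demo_scopes()
    for req in ("10.1.0.50", "10.1.0.200", "10.2.0.50", "10.3.0.50"):
        print(req, "->", answer_request(scopes, "10.1.0.0/24", "client-a", req))
```

The asymmetry is the point: a NAK is only sent when the server knows the address is wrong, because a wrong NAK forces a working client off the network, whereas silence merely costs it a retry.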
What ports are used by DHCP and the DHCP clients? The server listens on UDP port 67; clients send from UDP port 68 to port 67, and the server replies to port 68. These are the same two ports that BOOTP uses.
Describe the process of installing a DHCP server in an AD infrastructure.
Terms you'll need to understand: DHCP, lease duration, scopes, superscopes, multicast scopes, scope options.
Techniques you'll need to master: installing DHCP, understanding the DHCP lease process, creating scopes, superscopes and multicast scopes, configuring the lease duration, configuring the optional IP parameters that can be assigned to DHCP clients, understanding how DHCP interacts with DNS, configuring DHCP for DNS integration, authorizing a DHCP server in Active Directory, managing a DHCP server, monitoring a DHCP server.
Introduction: TCP/IP is an Active Directory operational requirement, so every computer on a Windows network needs a unique IP address to communicate with Active Directory. Static addresses add administrative overhead: managing them is time consuming and increases the chance of misconfigured parameters (imagine typing 10,000 addresses without a single error). DHCP centralizes the administration of IP addresses and automates many of the tasks associated with addressing. Implementing DHCP also introduces security issues: anyone with physical access to the network can plug in a laptop and obtain IP information about the internal network, and an unauthorized DHCP server can hand out bad configuration, which is why Windows requires a DHCP server to be authorized in Active Directory before it will serve clients.
A working DNS is required in the environment before you install DHCP. To validate it, open a command prompt and ping the name of an existing DNS server; an "Unknown host" reply means name resolution is not working.
To install the DHCP service on an existing Windows Server 2003 system:
1. Click Start, Settings, Control Panel, then double-click Add/Remove Programs and click Add/Remove Windows Components.
2. In the Windows Components Wizard, click Networking Services in the Components box, then click Details.
3. Select the Dynamic Host Configuration Protocol (DHCP) check box if it is not already selected, then click OK.
4. Click Next to start setup. Insert the Windows Server 2003 CD-ROM if prompted; setup copies the DHCP server and tool files to the computer.
5. When setup is complete, click Finish.
After installation, authorize the server in Active Directory (in the DHCP console, right-click the server and choose Authorize; this requires Enterprise Admins membership), create and activate at least one scope, and configure scope options such as the router, DNS servers and DNS domain name.
What is DHCPINFORM? DHCPINFORM is a DHCP message sent by a client that already has an IP address (statically configured, or a dial-up or VPN client that received its address from the remote access server) to obtain DHCP options such as DNS servers and the domain name without taking a lease. A remote access server forwards the DHCPINFORM messages from its clients to a DHCP server only if the DHCP Relay Agent component is configured on it.
Describe the integration between DHCP and DNS. Traditionally, DNS and DHCP servers were configured and managed one at a time; integrating them lets address assignment and name registration be handled together, so the name service scales with the number of users and devices while reducing administrative work. In Windows the integration is dynamic DNS update: the DHCP server (or the client itself) registers the client's A and PTR records when a lease is granted and can remove them when the lease expires.
Windows Server 2003 DNS supports DHCP by means of dynamic update of DNS zones. By integrating DHCP and DNS you provide your network resources with dynamic addressing information stored in DNS; to enable this integration you use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136 (Dynamic Updates in the Domain Name System, DNS UPDATE), automatically updates DNS records. Both Windows Server 2003 and Windows 2000 support dynamic update, and both clients and DHCP servers can send dynamic updates when their IP addresses change.
Dynamic update enables a DHCP server to register address (A) and pointer (PTR) resource records on behalf of a DHCP client by using the DHCP Client FQDN option (option 81). Option 81 lets the DHCP client provide its FQDN to the DHCP server, together with flags describing how the server should process DNS dynamic updates on the client's behalf. The DHCP server can also update A and PTR records for older clients that cannot send option 81, and can be configured to discard a client's A and PTR records when its lease is deleted. This reduces the time needed to manage these records manually. Dynamic update also simplifies the setup of Active Directory by letting domain controllers register their SRV resource records themselves.
If the DHCP server is configured to perform DNS dynamic updates, it does one of the following:
1. Updates resource records at the request of the client: the client asks the DHCP server to update the PTR record on its behalf and registers its own A record (the default for Windows 2000 and later clients).
2. Updates both the A and PTR records regardless of whether the client requests this.
By itself, dynamic update is not secure because any client can modify DNS records. To secure it, use the secure dynamic update feature of Active Directory-integrated zones in Windows Server 2003, which accepts updates only from authenticated clients and lets only the account that registered a record change it; when the DHCP server registers records on behalf of clients, run the service under a dedicated account or add the server to the DnsUpdateProxy group so that the records it creates can later be taken over by the clients themselves. To delete outdated records, use the DNS server aging and scavenging feature.
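The DORA exchange, the 67/68 port pair and the option 81 flags described above all live in the same message format. This Python block is an added example (not from the original page or from any Microsoft component) that builds a DHCPDISCOVER and a DHCPREQUEST on the wire, parses them back, and reads the Client FQDN flags to report who will register the A and PTR records. The client MAC, transaction ID, host name and requested address are invented; the flag bit values follow RFC 4702 (S=0x01, O=0x02, E=0x04, N=0x08).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# BOOTP fixed header, 236 bytes: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST = 1
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_CLIENT_FQDN, OPT_END = 0, 50, 53, 81, 255
FQDN_S, FQDN_O, FQDN_E, FQDN_N = 0x01, 0x02, 0x04, 0x08    # RFC 4702 flag bits
CLIENT_PORT, SERVER_PORT = 68, 67


def fqdn_option(name, flags=0):
    """Option 81 body: flags, rcode1, rcode2, then the name (ASCII when E is clear)."""
    return bytes([flags, 0, 0]) + name.encode("ascii")


def build_request(msg_type, mac, xid, extra_options=()):
    """A client message as sent from 0.0.0.0:68 to 255.255.255.255:67."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    header = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # 0x8000: broadcast flag
                         zero4, zero4, zero4, zero4, chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(blob):
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def dns_update_plan(flags):
    """Who registers the A and PTR records for this client, per the option 81 flags."""
    if flags & FQDN_N:
        return "server: none"
    if flags & FQDN_S:
        return "server: A+PTR"
    return "server: PTR, client: A"


def parse_message(data):
    f = HEADER.unpack_from(data, 0)
    if data[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts = parse_options(data[HEADER.size + 4:])
    msg = {"op": f[0], "xid": f[4],
           "mac": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
           "type": MSG_NAMES.get(opts[OPT_MSG_TYPE][0], "?")}
    if OPT_REQUESTED_IP in opts:
        msg["requested_ip"] = ".".join(str(b) for b in opts[OPT_REQUESTED_IP])
    if OPT_CLIENT_FQDN in opts:
        flags = opts[OPT_CLIENT_FQDN][0]
        msg["fqdn"] = opts[OPT_CLIENT_FQDN][3:].decode("ascii")
        msg["fqdn_flags"] = flags
        msg["dns_update"] = dns_update_plan(flags)
    return msg


# constructed messages from one client: a discover, then a request for the offered address
MAC, XID = "00:0c:29:3a:5b:6c", 0x3903F326
SAMPLE_DISCOVER = build_request(1, MAC, XID,
                                [(OPT_CLIENT_FQDN, fqdn_option("ws01.corp.example"))])
SAMPLE_REQUEST = build_request(3, MAC, XID,
                               [(OPT_REQUESTED_IP, bytes([10, 1, 0, 50])),
                                (OPT_CLIENT_FQDN, fqdn_option("ws01.corp.example", FQDN_S))])

if __name__ == "__main__":
    for m in (SAMPLE_DISCOVER, SAMPLE_REQUEST):
        print(parse_message(m))
```

The request carries the S flag, so the server would register both records; the discover leaves it clear, which is the Windows default where the client writes its own A record and asks the server only for the PTR. Binding a real socket to port 68 for such a client requires administrative rights on both Windows and Unix-like systems.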
What options in DHCP do you regularly use for an MS network? Besides the address itself, the subnet mask and the lease time, the options normally configured at scope or server level are 003 Router (the default gateway), 006 DNS Servers and 015 DNS Domain Name, and in older networks 044 WINS/NBNS Servers and 046 WINS/NBT Node Type. Windows clients also use 081 Client FQDN for dynamic DNS registration.
What are User Classes and Vendor Classes in DHCP? Vendor-defined classes are used for managing DHCP options assigned to clients identified by vendor type. User-defined classes are used for managing DHCP options assigned to clients identified by a common need for a similar DHCP options configuration.
How do I configure a client machine to use a specific User Class? On the client, run ipconfig /setclassid "<connection name>" <class name>, where the class name must match (case-sensitively) a user class defined on the DHCP server, for example ipconfig /setclassid "Local Area Connection" Accounting. The client then sends the class in option 77 with its requests and the server hands out the options configured for that class; ipconfig /showclassid "<connection name>" lists the classes the server offers, and running /setclassid with no class name clears it.
What is the BOOTP protocol used for, where might you find it in Windows network infrastructure? BOOTP (RFC 951) is the predecessor of DHCP. A BOOTP client broadcasts from UDP port 68 to the server's UDP port 67, the same ports DHCP later adopted, and receives a fixed IP address for its hardware address together with the name of a boot file and the server to fetch it from, so that a system without a hard drive (a diskless client) can load its operating system over the network. Unlike DHCP, BOOTP has no lease concept: addresses are statically mapped to MAC addresses.
Apple OS X Server supports BOOTP-style network booting under the name NetBoot. The facility lets the administrator maintain a set of configurations as boot images and assign groups of client systems to boot from the same image; for example Accounting, Management and Engineering can each share an image while differing from the other departments. Maintaining three images is far more productive than maintaining every client individually.
Startup is network intensive. Beyond 40 to 50 clients per boot server the administrator needs to subnet carefully, use gigabit switches and host the images close to the clients to avoid saturating the network. This multiplies the number of boot servers and images, but one server per 50 clients is still a clear win.
Sun, Linux and AIX systems all support BOOTP.
In a Windows infrastructure you meet BOOTP in two places. The Windows DHCP server can answer BOOTP clients (a scope can be set to serve DHCP only, BOOTP only or both, and the BOOTP table maps boot file names), and PXE network boot, used by Remote Installation Services and Windows Deployment Services to install Windows over the network, is built on DHCP/BOOTP with option 66 (boot server) and option 67 (boot file name). Windows itself is not normally run as a diskless client.
DNS zones – describe the differences between the 4 types. A DNS zone is the database, a zone file on disk or Active Directory when the zone is AD-integrated, that holds the resource records for a portion of the namespace. Zones are either forward lookup zones (host name to IP address) or reverse lookup zones (IP address to host name), and in either direction a zone is one of four types: primary (the writable master copy), secondary (a read-only copy obtained by zone transfer), Active Directory-integrated (stored and replicated in Active Directory, writable on every domain controller running DNS), and stub (a read-only partial copy holding only the SOA record, the NS records and the glue A records of the zone's authoritative servers).
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace. It is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. A noncontiguous namespace cannot be a DNS zone.
A zone contains the resource records for all of the names within the particular zone. Zone files are used if DNS data is not integrated with Active Directory. The zone files contain the DNS database resource records which define the zone. If DNS and Active Directory are integrated, then DNS data is stored in Active Directory.
The different types of zones used in Windows Server 2003 DNS are listed below:
Primary zone Secondary zone Active Directory-integrated zone Reverse lookup zone Stub zone
A primary zone is the only zone type that can be edited or updated because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. You can also back up data from a primary zone to a secondary zone.A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer. In fact, a secondary zone can only be updated through zone transfer.
An Active Directory-integrated zone is a zone that stores its data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. Zone data of an Active Directory-integrated zone is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy the security features of Active Directory.
A reverse lookup zone is an authoritative DNS zone. These zones are mainly used to resolve IP addresses to resource names on the network. A reverse lookup zone can be either of the following zones:
Primary zone Secondary zone Active Directory-integrated zone
A stub zone is a new Windows Server 2003 feature. Stub zones contain only the resource records necessary to identify the authoritative DNS servers for the master zone, so they hold only a partial copy of the zone. A server hosting a stub zone uses it to send queries for names in that zone straight to the authoritative servers (as a referral, or by resolving on the client's behalf) instead of walking down from the root. The two kinds of query involved:
Iterative queries: the DNS server provides the best answer it can, which is either the resolved name or a referral to a different DNS server that is closer to the answer.
Recursive queries: the DNS server must reply with the requested information or with an error; it cannot hand back a referral, so it does the iterative work itself.
Stub zones contain the following information:
1. The Start of Authority (SOA) resource record of the zone.
2. The NS resource records that list the authoritative DNS servers of the zone.
3. The glue address (A) resource records necessary for contacting the authoritative servers of the zone.
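To make the stub zone and the two query types concrete, the following Python block is an added example (not from the original page or from the Windows DNS service) that simulates a tiny DNS topology in memory: a root server, the authoritative server for a zone, and a corporate resolver that holds a stub zone for it. The server names, addresses and zone contents are invented; the root-hint address is a placeholder, not a real root server's.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    origin: str                                # FQDN with trailing dot; "." is the root
    stub: bool = False
    rrs: list = field(default_factory=list)    # (owner, type, rdata)

    def covers(self, name):
        return self.origin == "." or name == self.origin or name.endswith("." + self.origin)


SERVERS = {}                                   # ip -> DnsServer; stands in for the network


@dataclass
class DnsServer:
    ip: str
    zones: list

    def __post_init__(self):
        SERVERS[self.ip] = self

    def query(self, qname, qtype="A"):
        """One iterative question. Returns (status, data): an authoritative answer,
        a referral (list of (ns name, glue ip)), nxdomain, or refused."""
        covering = [z for z in self.zones if z.covers(qname)]
        if not covering:
            return "refused", []
        zone = max(covering, key=lambda z: len(z.origin))          # closest enclosing zone
        if not zone.stub:
            answer = [r for r in zone.rrs if r[0] == qname and r[1] == qtype]
            if answer:
                return "answer", answer
        # deepest delegation point at or above qname (a stub zone delegates its whole origin)
        ns = [r for r in zone.rrs if r[1] == "NS"
              and (r[0] == "." or qname == r[0] or qname.endswith("." + r[0]))]
        if not ns:
            return "nxdomain", []
        owner = max((r[0] for r in ns), key=len)
        if owner == zone.origin and not zone.stub:
            return "nxdomain", []          # we are authoritative and the name is not here
        referral = []
        for r in ns:
            if r[0] == owner:
                glue = [g[2] for g in zone.rrs if g[0] == r[2] and g[1] == "A"]
                referral.append((r[2], glue[0] if glue else None))
        return "referral", referral


def iterative_resolve(start_ip, qname, qtype="A", max_hops=8):
    """Follow referrals from start_ip until an answer or an error; returns (rdata, path)."""
    ip, path = start_ip, []
    for _ in range(max_hops):
        status, data = SERVERS[ip].query(qname, qtype)
        path.append((ip, status))
        if status == "answer":
            return [r[2] for r in data], path
        if status != "referral":
            return None, path
        ip = next((glue for _, glue in data if glue), None)
        if ip is None:
            return None, path              # referral without glue would need its own lookup
    return None, path


def recursive_query(server_ip, qname, qtype="A", root_hint="198.41.0.4"):
    """What a recursive server does for a client: use its own zones (authoritative or
    stub) when they cover the name, otherwise start iterating from the root hints."""
    status, _ = SERVERS[server_ip].query(qname, qtype)
    start = server_ip if status in ("answer", "referral") else root_hint
    return iterative_resolve(start, qname, qtype)


# constructed topology
DnsServer("198.41.0.4", [Zone(".", rrs=[
    (".", "NS", "a.root-servers.net."), ("a.root-servers.net.", "A", "198.41.0.4"),
    ("example.", "NS", "ns1.example."), ("ns1.example.", "A", "203.0.113.53")])])
DnsServer("203.0.113.53", [Zone("example.", rrs=[
    ("example.", "SOA", "ns1.example. hostmaster.example. 2024010101"),
    ("example.", "NS", "ns1.example."), ("ns1.example.", "A", "203.0.113.53"),
    ("www.example.", "A", "203.0.113.80")])])
DnsServer("10.0.0.53", [
    Zone("example.", stub=True, rrs=[           # stub: SOA, NS and glue only
        ("example.", "SOA", "ns1.example. hostmaster.example. 2024010101"),
        ("example.", "NS", "ns1.example."), ("ns1.example.", "A", "203.0.113.53")]),
    Zone("corp.internal.", rrs=[
        ("corp.internal.", "SOA", "dc1.corp.internal. hostmaster.corp.internal. 1"),
        ("corp.internal.", "NS", "dc1.corp.internal."),
        ("dc1.corp.internal.", "A", "10.0.0.53")])])
DnsServer("10.0.0.54", [])                      # caching-only server with no zones

if __name__ == "__main__":
    print(recursive_query("10.0.0.53", "www.example."))
    print(recursive_query("10.0.0.54", "www.example."))
```

Asked iteratively, the corporate server answers www.example. with a referral built from its stub zone; asked recursively, it follows that referral straight to ns1.example. and returns the address, whereas the server without the stub zone has to start at the root. Either way the client only ever sees the final answer.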
DNS record types – describe the most important ones.
A (Host): the classic resource record; maps a host name to an IPv4 address.
AAAA: maps a host name to an IPv6 address.
PTR: maps an IP address to a host name (the reverse of A); held in reverse lookup zones.
CNAME: canonical name, in plain English an alias, such as www or ftp pointing at the real host name.
NS: identifies the DNS name servers for a zone; important for delegation and referrals.
MX: mail exchanger; names the mail servers for a domain and is required to receive Internet e-mail.
SRV: service locator records, required for Active Directory. A whole family of underscore-prefixed records, for example _ldap._tcp.dc._msdcs and _gc (global catalog), is how clients find domain controllers.
SOA: the Start of Authority record for the zone (serial number, primary server, refresh and expiry timers); find it on the Start of Authority tab of the zone's properties on the DNS server.