Windows 2008 R2 Questions: DNS questions, DHCP questions, OPS Manager questions, Soft skill questions, Active Directory questions
1. What is Active Directory?
Active Directory is a network-based object store and service that locates and manages resources and makes them available to authorized users and groups. Its underlying principle is that everything is an object: people, servers, workstations, printers, documents and devices. Each object has attributes and its own security descriptor (access control list, ACL), so reading or changing directory data is itself subject to authorization.
2. What is LDAP?
"LDAP is a client-server protocol for accessing a directory service. It was initially used as a frontend to X.500, but can also be used with stand-alone and other kinds of directory servers." LDAP lets you "locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet," whether or not you know the domain name, IP address, or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly. An LDAP server is also known as a Directory System Agent (DSA).
LDAP (Lightweight Directory Access Protocol) is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter partly because its initial version did not include the X.500 security features. LDAPv3 adds SASL authentication and StartTLS, and Active Directory additionally supports LDAP over SSL on port 636 and LDAP signing; a simple bind without TLS sends the password in the clear, so a domain should require signing or TLS for LDAP clients.
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
- The root directory (the starting place or the source of the tree), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
- Individuals (which include people, files, and shared resources such as printers)
3. Where is the AD database held? What other folders are related to AD?
Default location: %systemroot%\NTDS
- Ntds.dit: the Active Directory database
- Edb*.log: transaction log files
- Edb.chk: checkpoint file that records which transactions in the logs have not yet been written to the database
- Res*.log: reserved transaction log files (10 MB each, reserving space in case the disk fills up)
System State includes everything that AD depends on, not just the database files: the database and log files, the SYSVOL shared folder, the registry, system startup files, the class registration database, and the Certificate Services database. Ntds.dit holds every password hash in the domain, so System State backups and copies of the NTDS folder must be protected as carefully as the domain controller itself.
4. Talk about all the AD-related roles in Windows Server 2008/R2.
Flexible Single Master Operations (FSMO) roles in Windows Server 2008: Active Directory is multi-master, but a few operations would conflict if two domain controllers performed them at the same time, so each of those operations is owned by a single domain controller. These owners are called the FSMO role holders. There are five roles, in two groups:
1. Forest-wide roles (one holder per forest)
- Schema Master: the only DC that may write to the schema (creating classes or attributes, or changing attribute definitions). The change is made on the Schema Master and then replicated to every other domain controller in the forest, which prevents conflicting schema edits on different DCs. Schema changes cannot be undone, so this is one of the most sensitive roles.
- Domain Naming Master: used only when domains (or application partitions) are added to or removed from the forest. It ensures that domain names are unique within the forest.
2. Domain-wide roles (one holder per domain)
- Infrastructure Master: maintains references to objects in other domains (for example, group members that belong to another domain) and updates them when those objects are moved or renamed. It should not run on a global catalog unless every DC in the domain is a GC; otherwise cross-domain references are never updated.
- RID Master: hands out pools of relative identifiers (RIDs) to each DC so that every security principal receives a unique SID.
- PDC Emulator: receives preferential replication of password changes and is consulted on a failed logon before an account is locked out, is the authoritative time source for the domain, is the DC on which the Group Policy tools edit by default, and emulates a Windows NT 4.0 PDC for down-level clients.
Where these roles are configured:
1. Domain-wide roles: Active Directory Users and Computers. Right-click the domain and choose Operations Masters.
2. Domain Naming Master: Active Directory Domains and Trusts. Right-click the root node and choose Operations Master, which shows the current holder.
3. Schema Master: not reachable from any installed console by design, because editing the schema can cause serious, irreversible problems in the forest. To gain access, register the snap-in with regsvr32 schmmgmt.dll and add the Active Directory Schema snap-in to a custom MMC console. All five holders can also be listed with netdom query fsmo.
Seizing roles
If the DC that holds a role has failed permanently, you need to seize the role. Always try a transfer first: a transfer is a clean hand-over with the cooperation of the current holder, while a seize forcibly writes the role to a new DC. The procedure with ntdsutil is the same for all five roles:
1. At a command prompt, type ntdsutil.
2. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
3. At the fsmo maintenance: prompt, type connections to enter server connections.
4. At the server connections: prompt, type connect to server <DC>, where <DC> is the name of the domain controller that is to receive the role.
5. At the server connections: prompt, type quit to return to fsmo maintenance.
6. At the fsmo maintenance: prompt, type the seize command for the role you need:
- seize schema master
- seize naming master (older versions of ntdsutil use seize domain naming master)
- seize infrastructure master
- seize RID master
- seize PDC
7. After the role has been seized, type quit to exit ntdsutil.
ntdsutil first attempts a normal transfer and seizes only if the transfer fails. A DC whose Schema Master, Domain Naming Master or RID Master role was seized must never be connected to the network again; reinstall it, or remove its account with ntdsutil metadata cleanup. Otherwise two DCs believe they own the role, and in the RID Master case the old holder can hand out RID pools that overlap with the new one, producing duplicate SIDs. The PDC Emulator and Infrastructure Master roles can be transferred back to the original holder once it is repaired.
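The same inventory, transfer and seize operations with the Active Directory module that ships with Windows Server 2008 R2, as an added example that is not part of the original Q&A. The DC name DC02 is an assumption; the function names are mine.

```powershell
# Added example, not part of the original Q&A: inventory the FSMO role holders,
# transfer roles gracefully and seize them only as a last resort, using the
# Active Directory module that ships with Windows Server 2008 R2.
# Server names (DC02) and the domain are assumptions for illustration.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are attributes of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDC,
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        [switch]$Seize     # only when the current holder is gone for good
    )
    if ($Roles -contains 'InfrastructureMaster') {
        # Placement rule: the Infrastructure Master must not sit on a GC unless every DC is a GC,
        # otherwise it never notices that cross-domain references are stale.
        $target = Get-ADDomainController -Identity $TargetDC
        $nonGc  = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })
        if ($target.IsGlobalCatalog -and $nonGc.Count -gt 0) {
            throw "$TargetDC is a GC but $($nonGc.Count) DC(s) are not; choose a non-GC for the Infrastructure Master."
        }
    }
    # Without -Force the cmdlet performs a transfer, which needs the current holder online.
    # With -Force it seizes: a transfer is attempted first and, if that fails, the role
    # ownership is written directly to $TargetDC (what ntdsutil's seize commands do).
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles `
        -Force:$Seize -Confirm:$false -ErrorAction Stop
    # After a seize of Schema, Naming or RID master the old holder must never come back online.
    Get-FsmoHolders
}

Get-FsmoHolders
Move-FsmoRoles -TargetDC DC02 -Roles PDCEmulator          # graceful transfer
# Move-FsmoRoles -TargetDC DC02 -Seize                     # seize all five, last resort only
```

Get-FsmoHolders before and after the move gives you the evidence that the role actually landed on the intended DC; the seize path is commented out so the script cannot seize by accident when pasted.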
5. What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article looks back at the functional levels of the past and at what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!). Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They let you run different versions of domain controllers in your environment; when all the domain controllers have been brought up to a certain version of Windows, you can raise the functional level to gain the added features of that operating system version. Now that Windows Server 2008 R2 is released, it is unlikely that you will mass-deploy the new operating system to your entire forest or domain. Instead, you'll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you've upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features. Raising a functional level is effectively a one-way operation, so verify the version of every DC first. Functional levels can be raised in domains or, as of Windows Server 2003, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.
What's new in 2008 R2
Domain Functional Level
Two features are added when you raise the domain functional level to 2008 R2: Authentication Mechanism Assurance and Automatic SPN Management. Authentication mechanism assurance is meant for domains that use federation services (AD FS) or certificate-based authentication methods such as smart cards or tokens. When a user logs on with a certificate, it adds an administrator-designated global group to the user's Kerberos token based on the certificate's issuance policy, so group membership, and therefore access, can depend on how the user authenticated. For example, a user can have access to different resources when logging on with a certificate than when logging on with just a username and password. Automatic SPN management provides a way to manage service accounts for applications such as Exchange, SQL Server and IIS. In the past, regular domain accounts were used for this purpose, adding management headaches in terms of password management and service principal names (SPNs). The new feature, managed service accounts, provides the following benefits:
- A class of domain accounts can be used to run and maintain services on local computers.
- Passwords for these accounts are reset automatically (every 30 days by default), so a service no longer runs under a credential that never changes.
- No complex SPN management tasks are needed; at the 2008 R2 domain functional level the SPNs follow the host when it is renamed.
- Administration of managed service accounts can be delegated to non-administrators.
Forest Functional Level
There is one new feature when you raise the forest functional level to Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The delete replicates to all domain controllers, so an authoritative restore in Directory Services Restore Mode from a good backup, using ntdsutil, would be in order. With the 2008 R2 forest functional level, a PowerShell cmdlet (Restore-ADObject) undoes this instantly, and the object keeps all of its attributes, including group memberships. Note that this feature is not enabled automatically when you raise the forest functional level, and that enabling it cannot be reversed. You must run the following command in the Active Directory Module for Windows PowerShell:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'
Deleted objects stay recoverable for the deleted object lifetime (180 days by default), after which they become recycled objects and can no longer be restored.
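The Enable-ADOptionalFeature command above, wrapped in the checks a practitioner wants (forest functional level, already enabled?), followed by a restore of a deleted OU together with its contents, as an added example that is not part of the original article. The forest name mydomain.com, the domain DN, the OU name Sales and the function names are assumptions.

```powershell
# Added example, not part of the original article: enable the Recycle Bin only
# after checking the forest functional level, then restore a deleted OU together
# with everything that was inside it. The forest name mydomain.com, the OU name
# and the domain DN are assumptions for illustration.
Import-Module ActiveDirectory

function Enable-RecycleBinChecked {
    param([Parameter(Mandatory=$true)][string]$ForestName)
    $forest   = Get-ADForest -Identity $ForestName
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest mode is $($forest.ForestMode); Windows2008R2Forest is required."
    }
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' } -Server $forest.DomainNamingMaster
    if (@($feature.EnabledScopes).Count -gt 0) { return 'already enabled' }
    # Forest-wide and irreversible: there is no Disable-ADOptionalFeature path for this feature.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $ForestName -Server $forest.DomainNamingMaster -Confirm:$false
    return 'enabled'
}

function Restore-DeletedSubtree {
    param([Parameter(Mandatory=$true)][guid]$ObjectGuid,
          [Parameter(Mandatory=$true)][string]$DeletedContainer)   # 'CN=Deleted Objects,<domain DN>'
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties isDeleted
    if (-not $obj.isDeleted) { return 0 }
    # Children record lastKnownParent as the parent's deleted-form DN ("<name>\0ADEL:<guid>,..."),
    # so capture that DN before the restore changes it back to the live DN.
    $deletedDn = $obj.DistinguishedName
    Restore-ADObject -Identity $ObjectGuid        # a parent must be live before its children can be restored
    $restored = 1
    $children = @(Get-ADObject -SearchBase $DeletedContainer -IncludeDeletedObjects `
                    -Filter { lastKnownParent -eq $deletedDn })
    foreach ($child in $children) {
        $restored += Restore-DeletedSubtree -ObjectGuid $child.ObjectGUID -DeletedContainer $DeletedContainer
    }
    return $restored
}

function Restore-DeletedOU {
    param([Parameter(Mandatory=$true)][string]$OuName,     # original name, e.g. 'Sales' (escape per RFC 4515 if it has special characters)
          [Parameter(Mandatory=$true)][string]$DomainDN)   # e.g. 'DC=mydomain,DC=com'
    $deletedContainer = "CN=Deleted Objects,$DomainDN"
    # The RDN of a deleted object is mangled; msDS-LastKnownRDN keeps the original name.
    $candidates = @(Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -LDAPFilter "(&(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName))" -Properties whenChanged)
    if ($candidates.Count -ne 1) {
        throw "Expected one deleted OU named $OuName, found $($candidates.Count); restore by ObjectGUID instead."
    }
    Restore-DeletedSubtree -ObjectGuid $candidates[0].ObjectGUID -DeletedContainer $deletedContainer
}

Enable-RecycleBinChecked -ForestName 'mydomain.com'
Restore-DeletedOU -OuName 'Sales' -DomainDN 'DC=mydomain,DC=com'    # returns the number of objects restored
```

The recursion matters: Restore-ADObject refuses to restore an object whose parent is still deleted, so an OU tree has to be restored top-down, which is exactly what the function does by restoring each object before looking up the objects that name it as lastKnownParent.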
Functional levels of previous versions
The following are the previous functional levels and the features they added, as documented on TechNet.
Domain Functional Levels:
Windows 2000 Native:
- Universal groups are enabled for both distribution groups and security groups.
- Group nesting.
- Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
- Security identifier (SID) history.
Windows Server 2003:
- The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
- Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
- The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts, namely cn=Computers and cn=Users. This feature makes it possible to define a new well-known location for these accounts.
- Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
- Includes constrained delegation, so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
- Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008:
- Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos authentication protocol, so tickets no longer have to be protected with RC4 or DES.
- Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
- Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.
Forest Functional Levels:
Windows 2000: There were no forest functional levels, just domain.
Windows Server 2003:
- Forest trust.
- Domain rename.
- Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 forest functional level.
- The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
- The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
- The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
- Deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008: No forest functional level changes occurred from Windows Server 2003 to Windows Server 2008.
6. What is the SYSVOL folder?
"The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest." That is Microsoft's own wording; in practice, the domain-controller data that lives in files rather than in the directory, such as Group Policy templates and logon scripts, is replicated through this folder structure, by FRS or, once the domain is at the Windows Server 2008 functional level and SYSVOL has been migrated with dfsrmig, by DFS Replication. SYSVOL is shared as \\<domain>\SYSVOL and is readable by every authenticated user, so nothing stored in it (scripts, Group Policy preference files) should contain credentials.
7. What are the AD naming contexts (partitions) and the replication issues for each NC?
Active Directory naming contexts (NCs):
- Active Directory has three default partitions, or naming contexts: the Domain, Configuration and Schema NCs. Each is replicated independently and has its own replication scope.
- An Active Directory forest has a single Schema NC and a single Configuration NC; every domain controller in the forest holds a writable copy of both.
- A forest can have multiple domains; every domain controller in a domain holds a writable copy of that domain's NC, and every global catalog server additionally holds a read-only partial copy of every other domain's NC.
- Application partitions (see the next question) replicate only to the domain controllers configured as replicas.
A replication problem in the Schema or Configuration NC therefore affects the whole forest, while a problem in a Domain NC is confined to that domain and to the GC copies of it.
8. What are application partitions?
Active Directory supports application directory partitions. Typically, the data in a given application directory partition is managed through the application that created it or that uses it. Application directory partitions let you control the scope of replication and place replicas in a way that suits dynamic data; as a result, dynamic data can be hosted in Active Directory and reached through ADSI/LDAP without significantly affecting network performance. An application directory partition can contain a hierarchy of objects of any type except security principals, and it can be configured to replicate to any set of domain controllers in the forest. Unlike a domain partition, an application directory partition is not required to replicate to all domain controllers in a domain, and it can replicate to domain controllers in different domains of the forest. As an example, if you use Active Directory-integrated DNS you have two application partitions for DNS zones: ForestDnsZones and DomainDnsZones.
9. What applications or services use AD application partitions? Name a couple.
Application directory partitions are usually created by the applications that use them to store and replicate data. Active Directory-integrated DNS is the most common example (the ForestDnsZones and DomainDnsZones partitions), and TAPI (Telephony Application Programming Interface) dynamic directory data is another. For testing and troubleshooting, members of the Enterprise Admins group can also create and manage application directory partitions manually with the Ntdsutil command-line tool.
10. How do you create a new application partition?
Normally the application creates it. To create one manually you must be a member of Enterprise Admins: run ntdsutil, enter the partition management menu (called domain management in Windows Server 2003), open connections and connect to the server that should host the first replica, quit back to partition management, and use create nc with the distinguished name of the new partition. Additional replicas are added with add nc replica. The partition's crossRef object under CN=Partitions,CN=Configuration records which domain controllers hold replicas.
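The three default naming contexts of question 7 and the application partitions of questions 8 to 10, enumerated from a live DC and created with ntdsutil, as an added example that is not part of the original Q&A. The partition DN DC=appdata,DC=mydomain,DC=com, the server name DC01 and the function names are assumptions.

```powershell
# Added example, not part of the original Q&A: list every naming context a DC
# hosts, classify it, and for application partitions show which DCs hold a
# replica (recorded on the partition's crossRef object). The partition DN
# DC=appdata,DC=mydomain,DC=com and the server name are assumptions.
Import-Module ActiveDirectory

function Get-NamingContextReport {
    param([string]$Server = $env:COMPUTERNAME)
    $root       = Get-ADRootDSE -Server $Server
    $partitions = "CN=Partitions,$($root.configurationNamingContext)"
    foreach ($nc in $root.namingContexts) {
        if ($nc -eq $root.schemaNamingContext) {
            $kind = 'Schema: one per forest, replicated to every DC'
        } elseif ($nc -eq $root.configurationNamingContext) {
            $kind = 'Configuration: one per forest, replicated to every DC'
        } elseif ($nc -eq $root.defaultNamingContext) {
            $kind = 'Domain: every DC in this domain (read-only partial copy on every GC)'
        } else {
            # Every partition has a crossRef; for application partitions
            # msDS-NC-Replica-Locations holds the NTDS Settings DN of each replica DC.
            $cr = Get-ADObject -Server $Server -SearchBase $partitions `
                -LDAPFilter "(&(objectClass=crossRef)(nCName=$nc))" -Properties 'msDS-NC-Replica-Locations'
            $replicas = @($cr.'msDS-NC-Replica-Locations') |
                ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }   # CN=NTDS Settings,CN=<DC>,... -> <DC>
            $kind = 'Application partition: replicas on ' + ($replicas -join ', ')
        }
        New-Object PSObject -Property @{ NamingContext = $nc; Kind = $kind }
    }
}

function New-ApplicationPartition {
    param([Parameter(Mandatory=$true)][string]$PartitionDN,   # e.g. 'DC=appdata,DC=mydomain,DC=com'
          [Parameter(Mandatory=$true)][string]$Server)        # DC that will host the first replica
    # ntdsutil accepts its menu commands as arguments. "partition management" is the
    # Windows Server 2008 name of the 2003 "domain management" menu; NULL means
    # "create the replica on the connected server". Requires Enterprise Admins.
    & ntdsutil.exe 'partition management' connections "connect to server $Server" quit `
        "create nc $PartitionDN NULL" quit quit
}

Get-NamingContextReport -Server DC01 | Format-Table -AutoSize
# New-ApplicationPartition -PartitionDN 'DC=appdata,DC=mydomain,DC=com' -Server DC01
```

Running the report against two DCs in different domains makes the replication scopes concrete: the schema and configuration rows are identical on both, the domain row differs, and an application partition appears only on the servers listed in its replica locations.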
11. What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space (250 MB minimum)
- An administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
12. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Use Install From Media (IFM) so that the initial copy of the directory does not have to cross the WAN. In Windows Server 2003 you restored a System State backup taken on another DC onto the server that is going to become the next domain controller and ran dcpromo /adv, which prompts on the next screen for the path to the restored backup. In Windows Server 2008 and R2 you create the media on an existing DC with ntdsutil's ifm subcommand and point dcpromo /adv (or an unattended answer file) at it. Only the changes made since the media was created are then replicated over the slow link. The media is a complete copy of the database, including every password hash, so handle it like a domain controller: encrypt it in transit and delete it after the promotion.
13. How do you view replication properties for AD partitions and DCs?
From the command line with repadmin, for example repadmin /showrepl to list each partition's replication partners with their last success or failure and repadmin /replsummary for a forest-wide summary; or graphically with Replmon from the Windows Server 2003 Support Tools (Replmon is not shipped with Windows Server 2008). Active Directory Sites and Services shows the connection objects themselves.
14. What is the Global Catalog?
The GC is a domain controller that, in addition to the full read/write copy of its own domain's partition, holds a read-only partial copy of every object from every other domain in the forest (user accounts, contacts, distribution groups, configuration data and so on). The partial copy contains the partial attribute set, the attributes most often searched for, such as the e-mail address and phone numbers of an Exchange mailbox, but not all the mailbox attributes. A GC listens on LDAP port 3268 (3269 for SSL) in addition to the normal 389/636, and at logon it is consulted to expand universal group memberships and to resolve UPN logons. In a single-domain implementation all DCs effectively hold what a GC holds, but single-domain implementations are unusual in large, distributed enterprises; GCs come into their own in large multi-domain forests.
15. How do you view all the GCs in the forest?
- repadmin /showrepl <domain controller> (the header shows Options: IS_GC on a GC)
- Replmon.exe (Windows Server 2003 Support Tools)
- Active Directory Sites and Services (the Global Catalog check box on each server's NTDS Settings)
- nslookup gc._msdcs. followed by the forest root DNS name, which lists the GC service records in DNS
- dsquery server -isgc lists the GCs in the current domain; dsquery server -forest -isgc lists every GC in the forest
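The LDAP search of question 2 run against a domain controller on port 389 and against a global catalog on port 3268, with the partial-attribute-set behaviour from questions 14 and 15 made visible, as an added example that is not part of the original Q&A. The user name jdoe, the attribute choices and the function names are assumptions; the LDAP-filter escaping follows RFC 4515.

```powershell
# Added example, not part of the original Q&A: run the same LDAP filter against
# a domain controller (LDAP://, port 389, one domain, every attribute) and against
# a global catalog (GC://, port 3268, whole forest, partial attribute set), escape
# untrusted filter input, and check whether an attribute is in the partial
# attribute set. The user name jdoe and the attribute names are assumptions.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Without it a user-supplied value such as "*" or
    # ")(objectClass=*" rewrites the filter (LDAP injection).
    param([Parameter(Mandatory=$true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Search-Directory {
    param([Parameter(Mandatory=$true)][string]$Filter,
          [string[]]$Attributes = @('sAMAccountName', 'mail'),
          [switch]$GlobalCatalog)
    $rootDn = 'DC=' + ((Get-ADForest).RootDomain -replace '\.', ',DC=')
    # GC:// searches the whole forest from the root domain DN; LDAP:// sees only this domain.
    $path = if ($GlobalCatalog) { "GC://$rootDn" } else { 'LDAP://' + (Get-ADDomain).DistinguishedName }
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $Filter, $Attributes)
    $searcher.PageSize = 1000      # paged search; otherwise the server's MaxPageSize (1000) silently truncates
    foreach ($result in $searcher.FindAll()) {
        $row = @{ Path = $result.Path }
        foreach ($attr in $Attributes) {
            $values = $result.Properties[$attr.ToLower()]          # result property names are lower-case
            $row[$attr] = if ($values.Count -gt 0) { $values[0] } else { $null }
        }
        New-Object PSObject -Property $row
    }
}

function Test-InPartialAttributeSet {
    # An attribute that is not marked isMemberOfPartialAttributeSet in the schema
    # comes back empty from a GC search for objects of other domains.
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -Properties isMemberOfPartialAttributeSet `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    return [bool]$attr.isMemberOfPartialAttributeSet
}

$name = ConvertTo-LdapFilterValue 'jdoe'
Search-Directory -Filter "(&(objectCategory=person)(sAMAccountName=$name))" -Attributes sAMAccountName, mail, info
Search-Directory -Filter "(&(objectCategory=person)(sAMAccountName=$name))" -Attributes sAMAccountName, mail, info -GlobalCatalog
Test-InPartialAttributeSet -LdapDisplayName info
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object HostName, Site
```

Run the two searches for a user in another domain of the forest: the LDAP:// search returns nothing (wrong domain), the GC:// search finds the user but returns only the attributes for which Test-InPartialAttributeSet is true.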
16. Why not make all DCs in a large forest GCs?
A forest can have any number of GCs, and Microsoft recommends at least one per site; making every DC a GC is a valid design and is the simplest choice in a single-domain forest. The reasons for not doing it in a large multi-domain forest are:
- Every GC holds a read-only partial replica of every other domain, so each additional GC adds replication traffic for the partial attribute set of all domains and needs more disk space and memory.
- The Infrastructure Master must not run on a GC unless every DC in its domain is a GC; otherwise cross-domain references stop being updated.
- A change to the partial attribute set (for example when Exchange extends the schema) triggers extra replication to every GC.
Having more GCs does not harm authentication or object consistency. On the contrary, a site without a GC needs a WAN link to one to complete logons for users with universal group memberships, unless universal group membership caching is enabled for that site.
17. Talk about GCs and Universal Groups.
18. Describe the time synchronization mechanism in AD.
The domain controller that holds the PDC emulator role in the forest root domain is the default time source for the entire forest: the PDC emulator of each child domain synchronizes from a DC in the parent domain, every other DC synchronizes from the PDC emulator of its own domain, and every member workstation and server synchronizes from a DC in its domain. Each system, using an internal algorithm designed to reduce network traffic, makes up to six attempts to find a time source, in this order:
- Parent domain controller (on-site)
- Local domain controller (on-site)
- Local PDC emulator (on-site)
- Parent domain controller (off-site)
- Local domain controller (off-site)
- Local PDC emulator (off-site)
Kerberos tolerates a clock skew of five minutes by default, so a broken time hierarchy shows up as authentication failures. To ensure that your servers find the proper time, configure the forest-root PDC emulator to receive the time from a valid and accurate external source:
1. Log on to that domain controller.
2. At the command line, enter: W32tm /config /manualpeerlist:"<peers>" /syncfromflags:manual
   <peers> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks.
3. Update the Windows Time Service configuration. At the command line, enter W32tm /config /update, or enter Net stop w32time followed by Net start w32time.
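The procedure above scripted with a guard that refuses to run anywhere but on the forest-root PDC emulator, plus the checks that show what each machine is actually syncing from and how far it has drifted, as an added example that is not part of the original Q&A. The peer names and the function names are assumptions.

```powershell
# Added example, not part of the original Q&A: configure the forest-root PDC
# emulator (and only that DC) with external time sources, and verify what any
# machine in the domain is actually syncing from. The peer names are assumptions.
Import-Module ActiveDirectory

function Test-IsForestRootPdcEmulator {
    $rootDomain = (Get-ADForest).RootDomain
    $pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator       # FQDN of the holder
    return (($pdc -split '\.')[0] -ieq $env:COMPUTERNAME)
}

function Set-ForestTimeSource {
    param([Parameter(Mandatory=$true)][string[]]$Peers)   # e.g. 'ntp1.example.net','192.0.2.10'
    if (-not (Test-IsForestRootPdcEmulator)) {
        throw 'Run this only on the forest-root PDC emulator; every other DC and member must stay on the domain hierarchy.'
    }
    # ",0x8" requests client-mode NTP with that peer, which is what external servers expect.
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    # /reliable:yes advertises this DC as a reliable time source to the rest of the domain.
    & w32tm.exe /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync /rediscover
}

function Get-TimeSource {
    # Shows the configured source per machine; on members and non-PDC DCs it should be a DC, not "Local CMOS Clock".
    param([string[]]$Computers = @($env:COMPUTERNAME))
    foreach ($c in $Computers) {
        New-Object PSObject -Property @{ Computer = $c; Source = ((& w32tm.exe /query /source /computer:$c) -join '') }
    }
}

function Measure-OffsetFromPdc {
    # Offset of this machine against the domain PDC emulator; Kerberos rejects
    # tickets once the skew exceeds five minutes (the default MaxClockSkew).
    $pdc = (Get-ADDomain).PDCEmulator
    & w32tm.exe /stripchart /computer:$pdc /samples:3 /dataonly | Select-Object -Last 1
}

Get-TimeSource -Computers $env:COMPUTERNAME, ((Get-ADDomain).PDCEmulator)
Measure-OffsetFromPdc
# Set-ForestTimeSource -Peers 'ntp1.example.net', 'ntp2.example.net'   # only on the forest-root PDC emulator
```

Leave the child-domain PDC emulators and every other DC on the default NT5DS hierarchy; pointing them at external servers as well breaks the single trusted chain the question describes and gives an attacker who can spoof NTP a second way in.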
19. What is ADSIEDIT? What is NETDOM? What is REPADMIN?
20. LDP: Ldp.exe is a graphical LDAP client included with the AD DS tools. It connects and binds to any LDAP server (a DC on 389/636, a GC on 3268/3269), browses the tree, runs searches with raw LDAP filters, modifies objects, and in Windows Server 2008 R2 displays and restores objects in the Deleted Objects container.
Replmon: Replmon displays information about Active Directory replication. It shipped with the Windows Server 2003 Support Tools and is not included in Windows Server 2008.
ADSIEDIT: ADSI Edit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical user interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects in a directory service. The attributes of each object can be edited or deleted with this tool. ADSI Edit uses the ADSI application programming interfaces (APIs) to access Active Directory. The required files are ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM: NETDOM is a command-line tool for managing Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and resetting secure channels.
REPADMIN: This command-line tool helps administrators diagnose replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
21. What is DCDIAG? When would you use it?This command-line tool
analyzes the state of one or all domain controllers in a forest and
reports any problems to assist in troubleshooting. DCDiag.exe
consists of a variety of tests that can be run individually or as
part of a suite to verify domain controller health.
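The repadmin and dcdiag checks from questions 13, 20 and 21 combined into a health report that a practitioner can run on a schedule, as an added example that is not part of the original Q&A. It needs the AD DS tools on the machine that runs it; the server name DC01 and the function names are assumptions.

```powershell
# Added example, not part of the original Q&A: parse repadmin's CSV output to
# surface failing replication links, and run a targeted dcdiag suite against one
# DC. Requires the AD DS tools; the server name DC01 is an assumption.

function Get-ReplicationFailures {
    # "repadmin /showrepl * /csv" emits one row per (destination DC, source DC, naming context)
    # for every DC in the forest, so a single call covers all partitions and all partners.
    $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

function Test-DcHealth {
    param([Parameter(Mandatory=$true)][string]$Server,
          [string[]]$Tests = @('Replications', 'KnowsOfRoleHolders', 'FsmoCheck', 'DNS'))
    # /q prints only errors, so empty output means every requested test passed.
    $dcdiagArgs = @("/s:$Server", '/q') + ($Tests | ForEach-Object { "/test:$_" })
    $output = & dcdiag.exe @dcdiagArgs
    New-Object PSObject -Property @{
        Server  = $Server
        Healthy = (-not $output)
        Errors  = ($output -join "`n")
    }
}

Get-ReplicationFailures | Format-Table -AutoSize
Test-DcHealth -Server DC01
```

A link whose Last Success Time is older than the tombstone lifetime is the case to watch for: once a DC has been out of replication that long it must be demoted and rebuilt rather than allowed to replicate again, because it can reintroduce objects that were deleted everywhere else (lingering objects).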
22. What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets. Sites let administrators shape Active Directory client access and the replication topology to match the physical network. A Site object in Active Directory represents a physical location that hosts networks; sites contain objects called Subnets. Sites are used to assign Group Policy Objects, to help clients locate nearby resources (domain controllers, GCs, DFS targets), to manage Active Directory replication, and to manage network link traffic. Sites are connected to other sites by site links. A site link may be assigned a cost value that represents the speed, reliability, availability, or another real property of the physical link, and a site link may also be assigned a schedule.
23. What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays or hours during which the site link is available for replication. The interval is how often inter-site replication recurs, in minutes, within the scheduled window; it ranges from 15 to 10,080 minutes (one week), and the default is 180 minutes.
24. What is the KCC?
The Knowledge Consistency Checker (KCC) is a built-in process that runs on every domain controller. Within a site it automatically generates the replication topology among the domain controllers in the domain as a bidirectional ring, with extra connections added so that no domain controller is more than three hops from any other. The KCC re-evaluates the topology within the site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.
25. What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is the one domain controller in each site whose KCC is responsible for building the connections between sites (the inter-site connection objects). By default the first domain controller in the site has this role. If that server can no longer perform the role, the domain controller in the site with the next-highest GUID takes over as ISTG; at the Windows Server 2003 forest functional level an improved, less intrusive election algorithm is used.
26. Talk about sites and GCs.
27. Talk about sites and Exchange Server 2007/2010.
28. What is GPO?
A Group Policy Object (GPO), introduced with Windows 2000, is a collection of settings that define what a system will look like and how it will behave for a defined group of users or computers. Microsoft provides a Group Policy snap-in for the Microsoft Management Console (MMC); the selections you make in it result in a Group Policy Object. The GPO is linked to selected Active Directory containers, such as sites, domains, or organizational units (OUs). The MMC allows you to create a GPO that defines registry-based policies, security options, software installation and maintenance options, script options, and folder redirection options.
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you define the state of a user's work environment once, and then rely on Windows Server to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy advantages: you can link Group Policy to domains, sites and organizational units, and every user and computer in the linked container receives the settings. Only accounts that have been granted the right can create or edit GPOs; by default these are Domain Admins, Enterprise Admins, Group Policy Creator Owners and SYSTEM. Because a GPO can run scripts and install software as SYSTEM on every machine it applies to, edit rights on a GPO and write access to its SYSVOL folder amount to administrative control of every computer in scope, so delegate them with care. Policy settings can be removed, and further changes can be made later.
Where GPOs store Group Policy information: Group Policy Objects store their information in two locations.
Group Policy Container (GPC): the GPC is an Active Directory object (under CN=Policies,CN=System in the domain partition) that contains the GPO's status, version information, WMI filter information, and a list of the components that have settings in the GPO. Computers read the GPC to locate the Group Policy template; if the domain controller they contact does not have the most recent version of the GPO, replication delivers the latest version.
Group Policy Template (GPT): the GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server creates the corresponding GPT, which contains all the Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings. The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created; it is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol\<domain>\Policies\<GUID>.
Managing GPOs: because GPO data resides both in the SYSVOL folder and in Active Directory, and the two are replicated by independent mechanisms (FRS or DFS Replication for SYSVOL, Active Directory replication for the GPC), choose deliberately which domain controller you edit on. Whether one administrator's changes overwrite another's depends on replication latency; by default the Group Policy Management Console edits on the PDC Emulator so that all administrators work on the same domain controller. The two halves can still drift: the version number stored in the GPC and the one in the GPT's GPT.INI should always match.
WMI filters: a WMI filter narrows the scope of a GPO based on attributes of the target computer or user. This extends GPO filtering beyond the security-group filtering that was previously available.
A WMI filter is linked to a GPO. When the GPO is processed on the destination computer, the filter's queries are evaluated against that computer's WMI repository. If any query returns no objects, the filter is false and the GPO is not applied; if every query returns at least one object, the GPO is applied. You write the queries in WMI Query Language (WQL), which resembles SQL. A WMI filter is evaluated on the client at processing time, so it is a targeting convenience, not an access control: the GPO's settings in SYSVOL remain readable by any authenticated user regardless of the filter.
Planning a Group Policy strategy for the enterprise: when you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that gives your organization the most efficient Group Policy management. Also consider how you will implement Group Policy for the organization: the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility, so that your plan is easy to use as well as to administer.
Planning GPOs: create GPOs in a way that provides the simplest and most manageable design, one in which you can use inheritance and multiple links.
Guidelines for planning GPOs:
- Apply GPO settings at the highest level: this way you take advantage of Group Policy inheritance. Determine the common GPO settings for the largest container, starting with the domain, and link the GPO to that container.
- Reduce the number of GPOs: use multiple links instead of creating multiple identical GPOs, and link a GPO to the broadest container possible to avoid creating multiple links to the same GPO at a de
eper level.
- Create specialized GPOs: use these to apply unique settings where necessary; GPOs at a higher level will not apply the settings in these specialized GPOs.
- Disable the computer or user configuration half: when a GPO contains settings for only one of the two halves (user or computer), disable the unused half. This speeds up processing and prevents accidental settings from being applied to the other area.
Read more:
http://wiki.answers.com/Q/What_are_GPOs#ixzz1NYp4SAFa
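The filter logic described above can be checked before a filter is linked: a WMI filter evaluates to true only when every one of its WQL queries returns at least one object on the target computer. The following PowerShell script is an added example, not code from the original page; the queries, namespace and computer name are constructed for illustration, and it assumes the 2008 R2-era Get-WmiObject cmdlet (WMI filters themselves are created and linked in GPMC, which has no cmdlet for that step).

```powershell
# Added example (not from the original page): evaluate the WQL queries of a
# WMI filter on a target computer before linking the filter to a GPO.
# Every query must return at least one object for the filter to be TRUE;
# an empty result set means the linked GPO is skipped on that computer.
# Queries and computer names below are constructed for illustration.

$Queries = @(
    # Only Windows 7 / Windows Server 2008 R2 (kernel version 6.1)
    @{ Namespace = 'root\CIMV2'
       Query     = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.1%'" },
    # Only mobile systems (PCSystemType 2 = Mobile), a common laptop filter
    @{ Namespace = 'root\CIMV2'
       Query     = "SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2" }
)

function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Queries,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $allTrue = $true
    foreach ($q in $Queries) {
        # Get-WmiObject runs the WQL against the live WMI repository, which is
        # what the Group Policy client does once the filter is linked
        $hits   = @(Get-WmiObject -Namespace $q.Namespace -Query $q.Query `
                                  -ComputerName $ComputerName -ErrorAction Stop)
        $result = $hits.Count -gt 0
        "{0,-5} {1}" -f $result, $q.Query
        if (-not $result) { $allTrue = $false }
    }
    # The filter, and therefore the GPO, applies only when every query is TRUE
    return $allTrue
}

if (Test-WmiFilter -Queries $Queries) { 'Filter is TRUE: the linked GPO would apply here' }
else                                  { 'Filter is FALSE: the linked GPO would be skipped here' }
```

Running this on a representative machine from each hardware or OS class you expect to match (and one you expect not to match) catches a mistyped WQL clause before it silently excludes a security baseline from half the fleet.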
29. Describe the way GPO is applied throughout the domain.
Local, Site, Domain, OU. Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.)
30. What can you do to prevent inheritance from above?
31. How can you override blocking of inheritance?
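The domain-then-OU part of the processing order in Q29, and the Block Inheritance and Enforced flags that Q30 and Q31 ask about, can be read directly from the directory with the GroupPolicy module shipped in Windows Server 2008 R2 / RSAT. The script below is an added example, not code from the original page; the OU distinguished name is constructed, and it assumes a simple DN without escaped commas. Site-linked GPOs are not walked (they are visible in GPMC under the site).

```powershell
# Added example (not from the original page): print the GPOs linked from the
# domain down to a given OU in the order the client processes them, together
# with the Block Inheritance and Enforced flags. The OU DN is constructed.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory = $true)] [string] $OuDistinguishedName)

    # Build the chain domain -> top-level OU -> ... -> target OU. The client
    # applies the domain links first and the target OU's links last.
    $containers = New-Object System.Collections.ArrayList
    $dn = $OuDistinguishedName
    while ($dn -match '^OU=') {
        [void]$containers.Insert(0, $dn)
        $dn = $dn.Substring($dn.IndexOf(',') + 1)   # parent container (assumes no escaped commas)
    }
    [void]$containers.Insert(0, $dn)                # the domain (DC=...) itself

    foreach ($container in $containers) {
        $inh = Get-GPInheritance -Target $container
        # Block Inheritance on a container stops non-enforced GPOs from above
        "{0}  (BlockInheritance={1})" -f $container, $inh.GpoInheritanceBlocked
        # GpoLinks carry the link order: the lowest order is processed last and
        # wins on conflicting settings, so print highest order first. Enforced
        # links ignore Block Inheritance and cannot be overridden further down.
        $inh.GpoLinks | Sort-Object Order -Descending | ForEach-Object {
            "    link order {0}: {1} (Enabled={2}, Enforced={3})" -f `
                $_.Order, $_.DisplayName, $_.Enabled, $_.Enforced
        }
    }
}

Get-GpoProcessingOrder -OuDistinguishedName 'OU=Workstations,OU=Sales,DC=contoso,DC=com'
```

Get-GPInheritance also exposes InheritedGpoLinks, the flattened list of everything that reaches the container after blocking and enforcement are taken into account; comparing that list with what gpresult reports on a client is a quick way to tell a design problem from a client-side processing problem.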
32. Name some of the major changes in GPO in Windows Server 2008.
The following changes are available in Windows Server 2008 R2 and in Windows 7 with Remote Server Administration Tools (RSAT):
- Windows PowerShell cmdlets for Group Policy: the ability to manage Group Policy from the Windows PowerShell command line and to run PowerShell scripts during logon and startup.
- Group Policy Preferences: additional types of preference items.
- Starter Group Policy Objects: improvements to Starter GPOs.
- Administrative Template functionality: improved user interface.
- Administrative Template settings: new and changed policy settings.
33. What are ADM files? What replaced them in Windows Server 2008?
In Windows Server 2003, group policies are stored in the .ADM file format. In Windows Vista and Longhorn Server (Windows Server 2008), this file format has been replaced by the .ADMX file format. The .ADMX file format is based on XML, whereas .ADM files used their own proprietary file format. There are several major differences between the way that .ADMX files and .ADM files are implemented. One major difference is that while .ADM files were all-encompassing, there are actually two different files used by their .ADMX counterparts. ADMX files are divided into language-neutral files and language-specific files. This allows .ADMX files to be used in a variety of different languages. The language-neutral file contains the actual policy components. The language-specific file simply provides the text associated with the policy in various localizations. For example, you could have English, French, and Japanese language-specific files that all apply to the same language-neutral file.
The location in which these files are stored has also changed. In Windows Server 2003, ADM files were stored in the %systemroot%\inf folder. In Windows Vista and in Longhorn Server, the language-neutral .ADMX files are stored in the %systemroot%\PolicyDefinitions folder. The language-specific files (.ADML) are stored in a subfolder whose name reflects the files' localization. For example, language-specific files for English are stored in the %systemroot%\PolicyDefinitions\en-US folder.
34. What's the GPO repository?
35. How do you use it?
36. What are GPO Preferences?
37. Which client OSs can use GPO Preferences?
38. What are GPO Templates?
40. What are WMI Filters?
41. What is the concept behind GPO Filtering?
42. How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
1. Group Policy Management Console (GPMC) can provide assistance when you need to troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and it can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information on a computer and user to list the policy settings which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
2. Gpresult.exe: click Start > Run > cmd > gpresult. This will also give you information on the applied group policies.
43. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Here the interviewer wants to know the troubleshooting steps: what GPO is applying? Is it applying to all users and computers? What GPOs are implemented on the OU? Make sure the user is not a member of a loopback policy, as with loopback policy it doesn't affect user settings; only the computer policy will be applicable. Is he a member of the GPO filter group or not?
You may also want to check the computer's event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether the relevant GPO actually applies to that user. This can also be caused by a slow network; you can change the default setting by using the Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy: Administrative Templates\System\Logon\Always wait for the network at computer startup and logon. Identify which GPOs they correspond to, and verify that they are applicable to the computer/user (based on the output of RSOP.MSC/gpresult).
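The checks named in Q42 and Q43 (Group Policy Results, gpresult, loopback processing and the event logs) can be gathered in one pass on the affected computer. The following script is an added example, not code from the original page or from either answer; the user and computer names are constructed, it must run elevated on the client, and the RSoP report for a user requires that the user has logged on to that computer at least once.

```powershell
# Added example (not from the original page): collect the evidence to look at
# when one user in the right OU does not receive a GPO. Names are constructed.
Import-Module GroupPolicy

$User     = 'CONTOSO\jsmith'
$Computer = $env:COMPUTERNAME
$Report   = "$env:TEMP\rsop-$Computer.html"

# 1. Resultant Set of Policy as HTML: lists applied and denied GPOs and, for
#    each denied one, why (Security filtering, WMI filter, link disabled...)
Get-GPResultantSetOfPolicy -ReportType Html -Path $Report -Computer $Computer -User $User

# 2. The same data at the command line. gpresult /r prints "Applied Group
#    Policy Objects" and "The following GPOs were not applied because they
#    were filtered out", which answers the security-group question directly.
gpresult /r /scope:user /user $User

# 3. Loopback processing lives in the computer half of policy: in Replace
#    mode the user's own GPOs are ignored, which is the symptom in Q43.
gpresult /r /scope:computer

# 4. Event logs. Event ID 1085 from the Group Policy source in the System log
#    is the one the first answer mentions; the Operational log holds the
#    detailed processing trace for the last policy refresh.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1085 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 |
    Where-Object { @('Error', 'Warning') -contains $_.LevelDisplayName } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Compare the "Applied" and "filtered out" lists for the failing user with those of a working user on the same machine: if the GPO is filtered out only for one of them, the difference is in security filtering (the Apply Group Policy ACE) rather than in the link or the OU.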
44. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department.
45. How would you do that?
46. What are the major changes in AD in Windows Server 2008?
The following changes are available in Windows Server 2008 R2:
- Active Directory Recycle Bin: Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object. Accidental object deletion causes business downtime. Deleted users cannot log on or access corporate resources. This is the number one cause of Active Directory recovery scenarios. Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory Services (AD LDS) objects. This feature is enabled in AD DS at the Windows Server 2008 R2 forest functional level. For AD LDS, all replicas must be running in a new "application mode." For more information, see What's New in AD DS: Active Directory Recycle Bin.
- Active Directory module for Windows PowerShell and Windows PowerShell cmdlets: The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. It provides predictable discovery and flexible output formatting. You can easily pipe cmdlets to build complex operations. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services. For more information, see What's New in AD DS: Active Directory Module for Windows PowerShell.
- Active Directory Administrative Center: The Active Directory Administrative Center has a task-oriented administration model, with support for larger datasets. The Active Directory Administrative Center can help increase the productivity of IT professionals by providing a scalable, task-oriented user experience for managing AD DS. In the past, the lack of a task-oriented user interface (UI) could make certain activities, such as resetting user passwords, more difficult than they had to be. The Active Directory Administrative Center enumerates and organizes the activities that you perform when you manage a system. These activities may be maintenance tasks, such as backup; event-driven tasks, such as adding a user; or diagnostic tasks that you perform to correct system failures. For more information, see What's New in AD DS: Active Directory Administrative Center.
- Active Directory Best Practices Analyzer: The Active Directory Best Practices Analyzer (BPA) identifies deviations from best practices to help IT professionals better manage their Active Directory deployments. BPA uses Windows PowerShell cmdlets to gather run-time data. It analyzes Active Directory settings that can cause unexpected behavior. It then makes Active Directory configuration recommendations in the context of your deployment. The Active Directory BPA is available in Server Manager. For more information, see What's New in AD DS: Active Directory Best Practices Analyzer.
- Active Directory Web Services: Active Directory Web Services (ADWS) provides a Web service interface to Active Directory domains and AD LDS instances, including snapshots, that are running on the same Windows Server 2008 R2 server as ADWS. For more information, see What's New in AD DS: Active Directory Web Services.
- Authentication mechanism assurance: Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method. Administrators can map various properties, including authentication type and authentication strength, to an identity. Based on information that is obtained during authentication, these identities are added to Kerberos tickets for use by applications. This feature is enabled at the Windows Server 2008 R2 domain functional level. For more information, see What's New in AD DS: Authentication Mechanism Assurance.
- Offline domain join: Offline domain join makes provisioning of computers easier in a datacenter. It provides the ability to preprovision computer accounts in the domain to prepare operating system images for mass deployment. Computers are joined to the domain when they first start. This reduces the steps and time necessary to deploy computers in a datacenter. For more information, see What's New in AD DS: Offline Domain Join.
- Managed Service Accounts: Managed Service Accounts provide simple management of service accounts. At the Windows Server 2008 R2 domain functional level, this feature provides better management of service principal names (SPNs). Managed Service Accounts help lower total cost of ownership (TCO) by reducing service outages (for manual password resets and related issues). You can run one Managed Service Account for each service that is running on a server, without any human intervention for password management. For more information, see the Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134695).
- Active Directory Management Pack: The Active Directory Management Pack enables proactive monitoring of availability and performance of AD DS. It discovers and detects computer and software states, and it is aligned with the health state definitions. The Active Directory Management Pack works with Windows Server 2008 and Windows Server 2008 R2 and Microsoft System Center Operations Manager 2007.
- Bridgehead Server Selection: The bridgehead server selection process enables domain controllers to load balance incoming connections. The new logic for bridgehead server selection allows for even distribution of workload among bridgehead servers. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?LinkId=208721).
47. What are the major changes in AD in Windows Server 2008 R2?
48. What is the AD Recycle Bin?
Starting in Windows Server 2008 R2, Active Directory implements a true recycle bin. No longer will you need an authoritative restore to recover deleted users, groups, OUs, or other objects. Instead, it is now possible to use PowerShell commands to bring back objects with all their attributes, backlinks, group memberships, and metadata. AD Recycle Bin (ADRB) was a long time coming and it definitely has its idiosyncrasies.
49. How do you use it?
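As an added illustration for Q48 and Q49 (not code from the original page), the following Active Directory module script enables the Recycle Bin and restores a deleted user with its attributes and group memberships intact. The forest, user and OU names are constructed; enabling the feature requires the Windows Server 2008 R2 forest functional level and Enterprise Admins rights, and it cannot be undone.

```powershell
# Added example (not from the original page): enable the Active Directory
# Recycle Bin and restore a deleted user. Names are constructed.
Import-Module ActiveDirectory

# Enabling is one-way and requires the 2008 R2 forest functional level, so
# check the level before trying.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 level is required"
}
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# With the Recycle Bin enabled, deleted objects keep all their attributes
# (memberOf included) for the deleted-object lifetime, so a search on
# sAMAccountName still works. -IncludeDeletedObjects is required to see them.
function Get-DeletedUser {
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)
    Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, memberOf
}

# Restore-ADObject puts the object back under lastKnownParent. If that OU was
# deleted too, restore the OU first or pass -TargetPath with another OU.
$deleted = Get-DeletedUser -SamAccountName 'jsmith'
if ($deleted) {
    $deleted | Select-Object Name, lastKnownParent, whenChanged
    $deleted | Restore-ADObject
} else {
    'No deleted object found. Objects older than the deleted-object lifetime have become recycled objects and cannot be restored this way.'
}
```

The whenChanged value on the deleted object tells you when the deletion happened, which is the first thing to correlate with the Directory Service audit log (event 5141 on Windows Server 2008, when object-deletion auditing is enabled) to find out who performed it.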
50. What is the tombstone lifetime attribute?
51. The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is stored on the Directory Service object in the configuration NC; by default it is 60 days (Windows 2000) or 180 days (Windows Server 2003).
52. What are AD Snapshots?
This feature is currently known as the Database Mounting Tool (DMT), which is better than the previous name of Data Mining Tool. Who knows what we'll end up calling this at RTM, but I like the previous name Snapshot Viewer the best, so this is what I entitled the post. DMT allows you to quickly take snapshots of your AD database at any point in time and view those snapshots using the LDP viewer of your choice. At first I was extremely excited about this feature, but after realizing the command-line action you have to go through in order to do this (see below), it killed my buzz a little bit. If you compare this to automating ldifde/csvde backups of your AD, I can see these advantages to snapshots:
- You can mount a snapshot and attach GUI LDP tools to it. The ldifde/csvde method doesn't do this.
- You can back up the entire database in one shot. Ldifde/csvde only allows a single DN or partition per shot.
- The ldifde/csvde dump of your entire partition is in clear text and snapshots are not. However, from a security standpoint there's not much difference, considering that if someone has the snapshot file they can also open it up, but not as easily.
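The "command-line action" the post refers to is the ntdsutil snapshot context plus dsamain. The sequence below is an added example, not code from the original post; the snapshot mount path is a placeholder for what ntdsutil prints, the LDAP port 51389 is arbitrary, and it assumes Windows Server 2008 or R2 with the AD module for the final query.

```powershell
# Added example (not from the original page): create, mount and browse an
# AD DS snapshot. The mount path is a placeholder printed by ntdsutil.

# 1. Take a VSS snapshot of the volumes holding the AD DS database and logs
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List the snapshots and mount the first one. ntdsutil prints the mount
#    point, for example C:\$SNAP_201105251200_VOLUMEC$\
ntdsutil snapshot "list all" "mount 1" quit quit

# 3. Serve the mounted copy as a read-only LDAP instance on a spare port.
#    dsamain stays in the foreground, so start it as a separate process.
$mount = 'C:\$SNAP_201105251200_VOLUMEC$'          # placeholder from step 2
Start-Process -FilePath dsamain `
    -ArgumentList "-dbpath `"$mount\Windows\NTDS\ntds.dit`" -ldapport 51389"

# 4. Browse it with ldp.exe, ADSI Edit or the AD module by pointing at the port.
#    Useful for "what did this object look like last week" without a restore.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Server 'localhost:51389' -SearchBase 'DC=contoso,DC=com' |
    Select-Object Name, DistinguishedName

# 5. Stop dsamain, unmount the snapshot and, when no longer needed, delete it.
#    The snapshot holds the full database including password hashes: keep it
#    on the DC, restrict access to it and do not leave it mounted.
Stop-Process -Name dsamain
ntdsutil snapshot "list all" "unmount 1" quit quit
# ntdsutil snapshot "list all" "delete 1" quit quit
```

Scheduling step 1 with Task Scheduler gives point-in-time copies that complement, but do not replace, system state backups: a snapshot on a failed disk is lost with it.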
53. How do you use them?
54. What is Offline Domain Join?
55. How do you use it?
56. What are Fine-Grained Passwords?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
57. How do you use them?
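As an added illustration for Q56 and Q57 (not code from the original page), the following Active Directory module script creates a stricter password settings object (PSO) for privileged accounts and checks which policy a given user actually receives. The policy, group and user names are constructed; it assumes the Windows Server 2008 domain functional level that fine-grained policies require.

```powershell
# Added example (not from the original page): a fine-grained password policy
# for privileged accounts. Policy, group and user names are constructed.
Import-Module ActiveDirectory

# Stricter settings than the Default Domain Policy: 15-character minimum,
# 60-day maximum age, lockout after 5 failures. Precedence decides which PSO
# wins when a user is covered by several; the lowest number wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'

# PSOs apply to users and global security groups, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Resultant policy for one user: $null means the Default Domain Policy applies
function Get-EffectivePasswordPolicyName {
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}

Get-EffectivePasswordPolicyName -SamAccountName 'admin-jsmith'
```

Because membership in a global group is what attaches the PSO, nesting a privileged group inside another global group that carries a weaker PSO does not weaken the result: the lowest precedence value among all PSOs that apply still wins.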
58. Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2. What is this feature good for?
Restartable AD DS is a feature in Windows Server 2008 that you can use to perform routine maintenance tasks on a domain controller, such as applying updates or performing offline defragmentation, without restarting the server. While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Microsoft Windows 2000 Server or Windows Server 2003. While AD DS is stopped, you can continue to log on to the domain by using a domain account if other domain controllers are available to service the logon request. You can also log on to the domain with a domain account while the domain controller is started in Directory Services Restore Mode (DSRM) if other domain controllers are available to service the logon request. If no other domain controller is available, you can log on to the domain controller where AD DS is stopped in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.
You can change the default by modifying the DsrmAdminLogonBehavior registry entry. By modifying the value for that registry entry, you can log on using the DSRM Administrator account in normal startup mode to a domain controller that has AD DS stopped, even if no other domain controller is available. You do not need to start the domain controller in DSRM. This can help prevent you from getting inadvertently locked out of a domain controller to which you have logged on locally and stopped the AD DS service. For more information, see Modifying the default logon behavior.
You cannot run the dcpromo command normally to remove AD DS from a domain controller while AD DS is stopped. However, you can run dcpromo /forceremoval to forcefully remove AD DS from a domain controller while AD DS is stopped. For more information about how to forcefully remove AD DS, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal.
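The stop/maintain/start cycle described above, together with a look at the DsrmAdminLogonBehavior value, as an added example that is not code from the original page. It assumes Windows Server 2008 or later, local administrative rights on the domain controller, and that other DCs are available to service logons while this one is offline.

```powershell
# Added example (not from the original page): take AD DS offline for
# maintenance, inspect the DSRM logon behaviour setting, bring AD DS back.

# Stopping NTDS also stops the services that depend on it (KDC, DNS, DFSR or
# FRS, Intersite Messaging), so clients must be able to reach another DC.
Stop-Service -Name NTDS -Force
Get-Service -Name NTDS, Kdc, DNS | Select-Object Name, Status

# Offline maintenance while the database file is closed, for example:
#   ntdsutil "activate instance ntds" files integrity quit quit
#   ntdsutil "activate instance ntds" files "compact to C:\NTDS-Compact" quit quit

# DsrmAdminLogonBehavior (REG_DWORD under the Lsa key) controls when the DSRM
# administrator account may log on to this DC:
#   0 (default, or value absent)  only when started in DSRM
#   1                             also in normal mode while AD DS is stopped
#   2                             always, even with AD DS running (weakest)
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
"DsrmAdminLogonBehavior = $(if ($null -eq $current) { '0 (not set)' } else { $current })"

# To permit the DSRM account only while AD DS is stopped (the case the text
# describes), set the value to 1. Value 2 keeps a second, locally-managed
# administrator usable at all times and should not be set without a reason.
# Set-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -Value 1 -Type DWord

# Bring the directory back online and confirm replication has resumed
Start-Service -Name NTDS
repadmin /replsummary
```

The Get-Service line before and after the cycle is the check worth keeping in a runbook: a DC whose KDC or DNS service did not come back with NTDS will fail logons long before anyone notices that AD DS itself is running.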
59. What are the changes in auditing in Windows Server 2008/R2?
60. How can you forcibly remove AD from a server, and what do you do later?
61. Can I get user passwords from the AD database?
The passwords in AD are not stored encrypted by default, so they cannot be decrypted. They are hashed. The only way to recover the data from a hash is with some sort of a hacking algorithm that attempts to crack the hash (such tools exist).
62. What tool would I use to try to grab security related packets from the wire?
You must use sniffer-detecting tools to help stop the snoops. ... A good packet sniffer would be Ethereal (Wireshark, tcpdump).
63. Talk about PowerShell and AD.
64. How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
You should frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days; any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup that can be used for an authoritative restore of the data when necessary.
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online and other network functions continue to operate. System state data on a domain controller includes the following components:
- Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
- The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
- The Registry: This database repository contains information about the computer's configuration.
- System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.
- The COM+ Class Registration database: The Class Registration database holds information about Component Services applications.
- The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.
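The passage above refers to the Windows Server 2003 backup tools; on Windows Server 2008 and R2 the same system state backup is taken with wbadmin. The script below is an added example, not code from the original page: it takes a system state backup, reads the tombstone lifetime from the Directory Service object described in Q50/Q51, and checks the most recent backup's age against it, which is the rule behind "any backup older than 60 days is not a good backup" and Q68. The target drive letter is constructed, and it assumes the Windows Server Backup feature and the AD module are installed on the DC.

```powershell
# Added example (not from the original page): system state backup with wbadmin
# and an age check against the forest's tombstone lifetime. Drive letters
# are constructed; the backup target must not be a critical volume.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the
    # configuration NC; when the attribute is absent the 60-day default applies
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

# System state on a DC = AD database and logs, SYSVOL, registry, boot files,
# COM+ class registration and (if installed) the Certificate Services database
wbadmin start systemstatebackup -backupTarget:E: -quiet

# A backup older than the tombstone lifetime must not be restored: the
# restored DC would reintroduce objects the rest of the forest has purged
function Test-BackupUsable {
    param([Parameter(Mandatory = $true)] [datetime] $BackupTime)
    $limit = Get-TombstoneLifetimeDays
    $age   = [int]((Get-Date) - $BackupTime).TotalDays
    if ($age -gt $limit) {
        "Backup is $age days old, older than the $limit-day tombstone lifetime: do not restore it"
        return $false
    }
    "Backup is $age days old, within the $limit-day tombstone lifetime"
    return $true
}

# wbadmin lists each backup as "Version identifier: MM/DD/YYYY-HH:MM"
$latest = wbadmin get versions -backupTarget:E: | Select-String 'Version identifier:' | Select-Object -Last 1
if ($latest) {
    $stamp = ($latest.Line -split ':\s+', 2)[1].Trim()
    $time  = [datetime]::ParseExact($stamp, 'MM/dd/yyyy-HH:mm', [System.Globalization.CultureInfo]::InvariantCulture)
    Test-BackupUsable -BackupTime $time
}
```

Running Test-BackupUsable from a scheduled task on each DC, and alerting when it returns false, turns the tombstone rule from something remembered during an outage into something monitored before one.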
Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once the replication is finished, each partner has an updated version of Active Directory. Another way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you do not need to configure your domain controller again or install the operating system from scratch.
Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
- Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer, or a user who has been delegated this responsibility can perform the restore. On a domain controller, only Domain Admins can perform this restore.
- Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
- Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored objects that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore, along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number; as a result, more recently changed data on other domain controllers does not overwrite the restored data during replication.
65. How do you restore AD?
66. Talk about Windows Backup and AD backups.
67. How do you change the DS Restore admin password?
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   - To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
   - To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.
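An authoritative restore (Q65) on Windows Server 2008 / R2 follows the three-method description above and needs the DSRM password from Q67 to log on. The sequence below is an added example, not code from the original page: the backup version identifier, OU distinguished name and drive are placeholders, and it assumes a system state backup taken with wbadmin on the same DC.

```powershell
# Added example (not from the original page): authoritative restore of a
# deleted OU with wbadmin and ntdsutil, preceded by the non-interactive form
# of the DSRM password reset from the steps above. Values are placeholders.

# 0. Reset the DSRM password first if nobody knows it; ntdsutil prompts twice
#    for the new password (the "null" target means this server).
ntdsutil "set dsrm password" "reset password on server null" q q

# 1. Boot the DC into Directory Services Restore Mode
bcdedit /set safeboot dsrepair
Restart-Computer

# --- log on in DSRM as .\Administrator with the DSRM password, then: ---

# 2. Normal (non-authoritative) restore of the system state from the chosen
#    version ('wbadmin get versions' lists them). Do NOT restart afterwards.
wbadmin start systemstaterecovery -version:05/25/2011-12:00 -quiet

# 3. Mark the restored OU and everything under it as authoritative. ntdsutil
#    raises the version numbers so the other DCs accept the restored copy
#    instead of replicating their (newer) deletion back over it.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

# 4. Return to normal startup. Group memberships that the restored objects had
#    in other domains are re-applied with the ar_*.ldf files ntdsutil wrote in
#    step 3, using: ldifde -i -k -f <file>
bcdedit /deletevalue safeboot
Restart-Computer
```

Step 2 on its own is the "normal restore" of the text: without step 3, replication would promptly delete the restored objects again because every other DC holds a more recent tombstone for them.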
68. Why can't you restore a DC that was backed up 7 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
69. What's NTDSUTIL? When do you use it?
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
70. What are RODCs?
When physical security is lacking, it becomes essential to increase the focus on data security. Windows Server 2008 and R2 provide some new ways to do so that seem uniquely tailored for environments like remote offices where physical security may not be as tight. Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in the Windows Server systems. They represent a fundamental change to how you'd typically use domain controllers (DCs). Because many of RODCs' new capabilities impact key aspects of the design and deployment process, it's important to understand how you can leverage them in your enterprise. There are also critical design and planning considerations you must take into account before introducing them into your environment.
RODCs are DCs that host complete, read-only copies of the Active Directory database partitions, a read-only copy of SYSVOL, and a Filtered Attribute Set (FAS) that restricts the inbound replication of certain application data from writable DCs. The most common environments for RODCs using AD DS are still branch offices. These types of environments are typically end points in a hub-and-spoke network topology. They're widely distributed geographically and in large numbers; they individually host small user populations and connect to hub sites by slow, unreliable network links. Additionally, they often lack local, experienced administrators.
For branch offices already hosting writable DCs, it's probably unnecessary to deploy RODCs. In this scenario, however, RODCs may not only meet existing AD DS-related requirements, but also exceed them with regard to tighter security, enhanced management, simplified architecture and lower total cost of ownership (TCO). For locations where security or manageability requirements prohibit using DCs, RODCs can help you introduce DCs into the environment and provide a number of beneficial, localized services.
Although the new features and benefits make evaluating RODCs compelling, there are additional factors to consider, like application compatibility issues and service impact conditions. These could render RODC deployments unacceptable for certain environments. For example, because many directory-enabled applications and services read data from AD DS, they should continue to function and work with an RODC. However, if certain applications require writable access at all times, an RODC may not be acceptable. RODCs also depend on network connectivity to a writable DC for write operations. Although failed write operations may be the cause of most well-known application-related issues, there are other issues to consider, such as inefficient or failed read operations, failed write-read-back operations, and general application failures associated with the RODC itself.
Besides application issues, fundamental user and computer operations can be affected when connectivity to a writable DC is disrupted or lost. For example, basic authentication services may fail if account passwords are not both cacheable and cached locally on the RODC. You can easily mitigate this issue by making accounts cacheable through an RODC's Password Replication Policy (PRP), and then caching the passwords through pre-population. Performing these steps also requires connectivity to a writable DC. Along with other authentication issues, password expirations and account lockouts are significantly impacted when connectivity to a writable DC is unavailable. Password change requests and any attempts to manually unlock a locked account will continue to fail until connectivity to a writable DC is restored. Understanding these dependencies and the resulting changes in operational behavior is critical to meeting your requirements and any service level agreements (SLAs).
There are several general scenarios in which you can deploy RODCs. They're useful in locations that don't have existing DCs, or in locations that currently host DCs that will either be replaced or upgraded to a newer version of Windows. Although there are comprehensive planning considerations specific to each scenario, we'll focus here on non-specific approaches. They are, however, distinct to RODCs, rather than to traditional writable DCs.
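The Password Replication Policy and pre-population steps described above, as an added example that is not code from the original page. It uses the Active Directory module on a Windows Server 2008 R2 hub DC plus repadmin; the RODC, hub DC, group and account names are constructed.

```powershell
# Added example (not from the original page): manage an RODC's Password
# Replication Policy and pre-populate credentials so branch users can still
# authenticate when the WAN link to the hub is down. Names are constructed.
Import-Module ActiveDirectory

$Rodc  = 'BRANCH-RODC01'
$HubDc = 'HUB-DC01'

# Allowed = may be cached on the RODC; Denied = never cached, and Denied wins.
# By default the privileged groups (Domain Admins, Enterprise Admins, ...) are
# denied, which is what limits the damage if the branch box is stolen.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# Allow caching only for the branch's own users and computers: a group you
# maintain per site, never a broad group such as Domain Users
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch-Users', 'Branch-Computers'

# Pre-populate. Normally a secret is cached on the first logon through the
# RODC, and that first logon itself needs the hub. repadmin pushes the
# secrets now, while the link is up:
#   repadmin /rodcpwdrepl <RODC> <source writable DC> <user DN> [<user DN> ...]
Get-ADGroupMember -Identity 'Branch-Users' | ForEach-Object {
    repadmin /rodcpwdrepl $Rodc $HubDc $_.DistinguishedName
}

# Audit what is actually on the RODC. RevealedAccounts is the list you would
# have to reset if the RODC were compromised; AuthenticatedAccounts shows who
# is using it and therefore belongs in the allowed group.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts      | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name
```

Reviewing the RevealedAccounts list on a schedule, and comparing it with the allowed group, is the practical check that the PRP still matches the people who actually work at that branch.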
71. What are the major benefits of using RODCs?
72. How do you install an RODC?
73. Talk about RODCs and passwords.
74. What is Read Only DNS?
DNS Server and DNS Server Roles Overview
Before DNS, HOSTS files were used to resolve host names to IP addresses. The HOSTS files were manually maintained by administrators. The HOSTS file was located on a centrally administered server on the Internet. Because of the shortcomings of the HOSTS files, DNS was designed and introduced. From the days of Windows NT Server 4.0, DNS has been included with the operating system. DNS is a hierarchically distributed and scalable database. DNS provides name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients.
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. A DNS server is a computer running the DNS Server service, or BIND, that provides domain name services. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the DNS server. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution. When a DNS server is queried for name resolution, it can respond to the request directly by providing the requested information, provide a pointer (referral) to another DNS server that can assist in resolving the query, or respond that the information is unavailable or that it does not exist. A DNS server is authoritative for the contiguous portion of the DNS namespace over which it resides. You can configure different server roles for your DNS servers. The server role that you configure for a name server affects the following operations of the server:
- The way in which the DNS server stores DNS data
- The way in which the DNS server maintains data
- Whether the DNS data in the database file can be directly edited
In DNS, a standard primary DNS server is the authoritative DNS
server for a DNS zone. There are a number of zone types used in
Windows Server 2003 DNS:
- Primary zone: This is the only zone type that can be directly
updated or edited, because the data in the zone is the original
source of the data for all domains in the zone. Updates made to the
primary zone are made by the DNS server that is authoritative for
the specific primary zone.
- Secondary zone: This is a read-only copy of the zone that was
copied from the master server during zone transfer.
- Active Directory-integrated zone: This is an authoritative
primary zone that stores its data in Active Directory. Active
Directory-integrated zones can be regarded as enhanced standard
primary zones.
- Stub zone: Stub zones only contain those resource records
necessary to identify the authoritative DNS servers for the master
zone.
Standard secondary DNS servers are usually implemented to
provide a number of features for the DNS environment, including:
- Redundancy: It is recommended to install one primary DNS
server and one secondary DNS server for each DNS zone (minimum
requirement). Install the DNS servers on different subnets so that
if one DNS server fails, the other DNS server can continue to
resolve queries.
- Distribution of DNS processing load: Implementing secondary DNS
servers assists in reducing the load on the primary DNS server.
- Fast access for clients in remote locations: Secondary DNS
servers can also help prevent clients from traversing slow links
for name resolution requests.
In addition to the two server roles just mentioned, you can also
configure the DNS server as a DNS forwarder or as a caching-only
DNS server. The remainder of this article focuses on the different
DNS server roles that you can configure for your DNS servers.
Understanding Standard Primary DNS Servers
A standard primary DNS server is a name server that obtains zone
data from the local DNS database. This makes the primary DNS server
authoritative for the zone data that it contains. When a change
needs to be made to the resource records of the zone, it has to be
done on the primary DNS server so that it can be included in the
local zone database. A DNS primary server is created when a new
primary zone is added. The primary server that is created becomes
the mechanism for updating the specific primary zone. When a query
is sent to the standard primary DNS server for name resolution, the
following events take place:
1. The request for name resolution is sent to the primary DNS
server.
2. The primary DNS server compares the requested name to the
information it contains in its local zone database.
3. If the primary DNS server locates a match for the queried name,
the requested information is returned to the client.
4. If the DNS server cannot find a matching record in its local
zone database file, the DNS server then attempts a number of name
resolution methods to resolve the request on behalf of the client.
5. If all attempts at name resolution are unsuccessful, the DNS
server returns an error message to the client.
Understanding Standard Secondary DNS Servers
This DNS server type
obtains a read-only copy of zone information through DNS zone
transfers. A secondary DNS server cannot make any changes to the
information contained in its read-only zone copy. A secondary DNS
server can however resolve queries for name resolution. Secondary
DNS servers are usually implemented to provide fault tolerance,
provide fast access for clients in remote locations, and to
distribute the DNS server processing load evenly. If a secondary
DNS server is implemented, that DNS server can continue to handle
queries when the primary DNS becomes unavailable. Secondary DNS
servers also assist in reducing the processing load of the primary
DNS server. It is recommended to install at least one primary DNS
server, and one secondary DNS server for each DNS zone. A secondary
DNS server obtains its data from the primary DNS server's zone
database, as a copy of that database. During zone transfer, the
primary DNS server's zone database is replicated to the secondary
DNS server. A secondary DNS server cannot make changes to its zone
information. All changes have to be made on the primary zone, and
then have to be replicated to the secondary DNS server through DNS
zone transfer. DNS Notify is a mechanism that enables a primary DNS
server to inform secondary DNS servers when its database has been
updated. The mechanism informs the secondary DNS servers when they
need to initiate a zone transfer so that the updates of the primary
DNS server can be replicated to them. When a secondary DNS server
receives the notification from the primary DNS server, it can start
an incremental zone transfer or a full zone transfer to pull zone
changes from the primary DNS server.
Understanding Caching-Only DNS Servers
The main characteristics of caching-only DNS servers are:
- Caching-only DNS servers do not host zones.
- They are not authoritative for any DNS domain.
- The information stored by caching-only DNS servers is the name
resolution data that they have collected through name resolution
queries.
A caching-only DNS server just performs queries and then stores
the results of these queries. All information stored on the
caching-only DNS server is therefore only that data which has been
cached while the server performed queries. Caching-only DNS servers
only cache information when the queries have been resolved. When a
caching-only DNS server starts for the first time, it has no cached
information. The caching-only DNS server collects information as it
sends and resolves queries. One of the main advantages of
implementing caching-only DNS servers is that they are excluded
from the zone transfer process, and therefore do not generate
network traffic from zone transfers.
Understanding Master DNS Servers
The servers from which secondary DNS servers obtain zone
information in the DNS hierarchy are called master servers. When a
secondary DNS server is configured, you have to specify the master
server from which it will obtain zone information. Zone transfer
enables a secondary DNS server to obtain zone information from its
configured primary DNS server, and enables these servers to
continue handling queries if the primary DNS server fails. In this
case, the primary DNS server is the master server of the secondary
DNS server. A secondary DNS server can also transfer its zone data
to other secondary DNS servers that are beneath it in the DNS
hierarchy. In this case, the secondary DNS server is regarded as
the master server to the other subordinate secondary DNS servers. A
secondary DNS server initiates the zone transfer process from its
particular master server when it is brought online.
Understanding Dynamic DNS Servers
Windows 2000, Windows XP and
Windows Server 2003 computers can dynamically update the resource
records of a DNS server when a client's IP addressing information
is added, or renewed via Dynamic Host Configuration Protocol
(DHCP). Both DHCP and Dynamic DNS (DDNS) updates make this
possible. When dynamic DNS updates are enabled, a client sends a
message to the DNS server when changes are made to its IP
addressing data. This indicates to the DNS server that the A type
resource record of the client needs to be updated.
How to implement a caching-only DNS server
1. Open Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove
Windows Components.
3. The Windows Components Wizard starts.
4. Click Networking Services, and then click Details.
5. In the Networking Services dialog box, select the checkbox for
Domain Name System (DNS) in the list.
6. Click OK. Click Next.
7. Click Finish.
8. Do not add or configure any zones for the DNS server. The DNS
Server service functions as a caching-only DNS server by default.
This basically means no configuration is necessary to set up a
caching-only DNS server.
9. You should verify that the server root hints are configured
correctly.
How to add a new zone to a DNS server
1. Click Start, Administrative Tools, and then click DNS to open
the DNS console.
2. In the console tree, find and select the DNS server on which
you want to create a new DNS zone.
3. From the Action menu, click the New Zone option.
4. On the initial page of the New Zone Wizard, click Next.
5. Select the zone type that you want to create. The options are:
   o Primary, to create a new standard primary zone.
   o Secondary, to create a copy of the primary zone.
   o Stub, to create a copy of the zone but for only the NS record,
     SOA record, and the glue A record.
6. Select the default selected option, Primary zone.
7. To integrate the new zone with Active Directory, and if the DNS
server is a domain controller, select the Store the zone in Active
Directory (available only if DNS server is a domain controller)
checkbox.
8. Click Next.
9. On the Active Directory Zone Replication Scope page, accept the
default setting for DNS replication: To all domain controllers in
the Active Directory domain. Click Next.
10. Select the Forward lookup zone option on the following page
displayed by the New Zone Wizard, and then click Next.
11. Enter a zone name for the new zone. Click Next. The options
that you can select on the following page with regard to dynamic
updates are:
   o Allow only secure dynamic updates (recommended for Active
     Directory): This option is only available if you are using
     Active Directory-integrated zones.
   o Allow both non-secure and secure dynamic updates: Select this
     option with caution!
   o Do not allow dynamic updates: You have to manually update zone
     information and resource records.
12. Choose the best option for your circumstance, and then click
Next.
13. Click Finish to add the new zone to your DNS server.
How to enable dynamic updating on your DNS servers
Active Directory-integrated zones are set up to only allow secure
dynamic updates.
1. Click Start, Administrative Tools, and then click DNS to open
the DNS console.
2. In the console tree, expand the DNS server node that contains
the authoritative zone that you want to work with.
3. Expand the Forward Lookup Zones folder.
4. Locate the specific zone that you want to configure.
5. Right-click the zone, and then select Properties on the shortcut
menu.
6. When the Zone's Properties dialog box opens, leave the General
tab displayed.
7. The options available in the Dynamic updates: list box are:
   o None
   o Non-secure and secure
   o Secure only
8. Select the Secure only option, and then click OK.
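The two zone settings that matter most from a security standpoint, the dynamic update mode (the "Non-secure and secure" option above) and who is allowed to pull a zone transfer (the secondary server mechanism described earlier), can be checked for every zone at once rather than one Properties dialog at a time. The script below is an added example and not part of the original page; it reads the root\MicrosoftDNS WMI provider that ships with the Windows DNS Server service. The function name and the label mappings are mine, based on the documented MicrosoftDNS_Zone properties ZoneType, DsIntegrated, AllowUpdate, SecureSecondaries and NotifyServers; it assumes administrative rights on the DNS server and Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original page): audit every zone on a Windows
# DNS server through the root\MicrosoftDNS WMI provider and flag zones that
# accept non-secure dynamic updates or allow zone transfers to any host.

function Get-DnsZoneAudit {
    param(
        # DNS server to query; defaults to the local machine (assumption).
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Value-to-label mappings as documented for the MicrosoftDNS_Zone class.
    $zoneTypes     = @{ 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }
    $updateModes   = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }
    $transferModes = @{ 0 = 'AnyHost'; 1 = 'NameServersOnly'; 2 = 'ListedServersOnly'; 3 = 'NoTransfers' }

    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' |
        Where-Object { $_.Name -notlike '..*' } |   # skip the '..Cache' pseudo-zone
        ForEach-Object {
            $zoneType = $zoneTypes[[int]$_.ZoneType]
            if (-not $zoneType) { $zoneType = "Other($($_.ZoneType))" }

            $findings = @()
            if ($_.AllowUpdate -eq 1) {
                # Any client on the network can register or overwrite records.
                $findings += 'Accepts non-secure dynamic updates'
            }
            if ($_.ZoneType -eq 1 -and $_.SecureSecondaries -eq 0) {
                # The full zone contents can be pulled by any host that asks.
                $findings += 'Zone transfers allowed to any host'
            }

            New-Object PSObject -Property @{
                Server        = $ComputerName
                Zone          = $_.Name
                Type          = $zoneType
                ADIntegrated  = [bool]$_.DsIntegrated
                DynamicUpdate = $updateModes[[int]$_.AllowUpdate]
                ZoneTransfer  = $transferModes[[int]$_.SecureSecondaries]
                NotifyServers = ($_.NotifyServers -join ', ')
                Findings      = ($findings -join '; ')
            }
        }
}

# Usage: list every zone, then show only the ones with findings.
$audit = Get-DnsZoneAudit
$audit | Format-Table Zone, Type, ADIntegrated, DynamicUpdate, ZoneTransfer, NotifyServers -AutoSize
$audit | Where-Object { $_.Findings } | Format-List Zone, Findings
```

On a domain controller hosting Active Directory-integrated zones the expected result is DynamicUpdate = SecureOnly for every AD-integrated zone; a zone reporting NonsecureAndSecure is the "select with caution" setting from the wizard and should be reviewed. NotifyServers shows which secondaries the DNS Notify mechanism will alert, which is useful for confirming that zone transfers only go where you intend.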
How to disable dynamic updates for a host computer or
interface
You can also disable dynamic updates for a host computer, for a
specific interface on that computer, or for multiple interfaces on
the computer.
1. Open the Registry Editor tool.
2. In the left pane, expand the HKEY_LOCAL_MACHINE key, expand
System, expand CurrentControlSet, and then expand Services.
3. Locate Tcpip, and then expand this node as well.
4. Find the Parameters node.
5. To disable dynamic updates for the host computer, click the
Parameters node. In the details pane, double-click the
DisableDynamicUpdate entry. Change the value data of
DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.
6. To disable dynamic updates for a single interface, expand the
Parameters node, and then expand the Interface node. Select the
interface, and then double-click the DisableDynamicUpdate entry in
the details pane. Change the value data of DisableDynamicUpdate to
1 to disable dynamic updates. Click OK.
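The same registry change can be scripted, which is how it would normally be pushed to many hosts. The script below is an added example, not from the original page; it writes the DisableDynamicUpdate value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (host-wide) or under the per-adapter subkeys of Tcpip\Parameters\Interfaces, keyed by adapter GUID. The function names are mine, it assumes an elevated PowerShell prompt on the client, and the GUID in the usage line is a placeholder.

```powershell
# Added example (not from the original page): set DisableDynamicUpdate for the
# whole host or for one TCP/IP interface instead of editing the registry by hand.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpipInterfaceKey {
    # Lists the per-interface registry keys so an adapter GUID can be chosen.
    Get-ChildItem "$tcpipParams\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            InterfaceGuid        = $_.PSChildName
            IPAddress            = ($p.IPAddress -join ', ')
            DhcpIPAddress        = $p.DhcpIPAddress
            DisableDynamicUpdate = $p.DisableDynamicUpdate   # $null when never set
        }
    }
}

function Set-DnsDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true writes 1 (registration disabled); $false writes 0 (enabled again).
        [Parameter(Mandatory = $true)][bool]$Disable,
        # Adapter GUID from Get-TcpipInterfaceKey; omit to apply host-wide.
        [string]$InterfaceGuid
    )
    $key = if ($InterfaceGuid) { "$tcpipParams\Interfaces\$InterfaceGuid" } else { $tcpipParams }
    if (-not (Test-Path $key)) { throw "Registry key not found: $key" }
    $value = if ($Disable) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess($key, "Set DisableDynamicUpdate = $value")) {
        # -Type DWord creates the value if it does not exist yet.
        Set-ItemProperty -Path $key -Name 'DisableDynamicUpdate' -Value $value -Type DWord
    }
}

# Usage: inspect the adapters, preview the host-wide change, then apply to one adapter.
Get-TcpipInterfaceKey | Format-Table InterfaceGuid, IPAddress, DhcpIPAddress, DisableDynamicUpdate -AutoSize
Set-DnsDynamicUpdate -Disable $true -WhatIf
# Placeholder GUID; replace with a value from Get-TcpipInterfaceKey:
# Set-DnsDynamicUpdate -Disable $true -InterfaceGuid '{00000000-0000-0000-0000-000000000000}'
```

Because the function supports -WhatIf, a change-control run can show exactly which key would be written before anything is modified.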
How to test a query on a DNS server
1. Click Start, Administrative Tools, and then click DNS to open
the DNS console.
2. In the console tree, right-click the DNS server that you want to
test and then select Properties on the shortcut menu.
3. When the DNS Server's Properties dialog box opens, click the
Monitoring tab.
4. You can choose to perform a simple query test, a recursive query
test, or you can specify that the DNS server automatically performs
testing at an interval that you set.
5. In the Select A Test Type area of the Monitoring tab, select the
A Simple Query Against This DNS Server checkbox.
6. Click the Test Now button.
7. The Test Results area of the tab displays the results of the
test.
8. Click OK.
75. What happens when a remote site with an RODC loses
connectivity to the main site?
76. Talk about Server Core and AD.
Server Core is a new feature in the Windows Server world. It
installs a command-line administration-only version of Windows
Server 2008 that helps reduce the attack surface of the server.
Traditionally, there are many attack options on a Microsoft server,
and you, the administrator, need to be aware of that and take
action to ensure security. However, with Server Core, less code is
installed (that is, there is a smaller footprint), and with that
reduction in code comes a reduction in the number of places an
attacker can hit. Fewer moving parts equals fewer
vulnerabilities.
The supported roles in Server Core include the following:
- Active Directory Domain Services (ADDS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Internet Information Services (IIS)
- Print Services
- Streaming Media Services
- Windows Virtualization (Hyper-V)
77. How do you promote a Server Core to DC?
78. What are the FSMO roles? Who has them by default? What happens
when each one fails?
79. How can you tell who holds each FSMO role? Name 2-3 methods.
80. What FSMO placement considerations do you know of?
81. You want to look at the RID allocation table for a DC. What do
you need to do?
1. Install the Support Tools from the OS disk (OS installation
disk => support => tools => suptools.msi).
2. At a command prompt, type dcdiag /test:ridmanager /s:system1 /v
(system1 is the name of our DC).
82. What's the difference between transferring a FSMO role and
seizing one? Which one should you NOT seize? Why?
Seizing an FSMO role can be a destructive process and should only
be attempted if the existing server with the FSMO role is no longer
available.
If the domain controller that is the Schema Master FSMO role
holder is temporarily unavailable, DO NOT seize the Schema Master
role.
If you are going to seize the Schema Master, you must
permanently disconnect the current Schema Master from the
network.
If you seize the Schema Master role, the boot drive on the
original Schema Master must be completely reformatted and the
operating system must be cleanly installed, if you intend to return
this computer to the network.
NOTE: The Boot Partition contains the system files (\System32).
The System Partition is the partition that contains the startup
files: NTDetect.com, NTLDR, Boot.ini, and possibly
Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns
all 5 FSMO roles to the first domain controller in the forest root
domain. The first domain controller in each new child or tree
domain is assigned the three domain-wide roles. Domain controllers
continue to own FSMO roles until they are reassigned by using one
of the following methods:
- An administrator reassigns the role by using a GUI
administrative tool.
- An administrator reassigns the role by using the ntdsutil /roles
command.
- An administrator gracefully demotes a role-holding domain
controller by using the Active Directory Installation Wizard. This
wizard reassigns any locally-held roles to an existing domain
controller in the forest. Demotions that are performed by using the
dcpromo /forceremoval command leave FSMO roles in an invalid state
until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following
scenarios:
- The current role holder is operational and can be accessed on
the network by the new FSMO owner.
- You are gracefully demoting a domain controller that currently
owns FSMO roles that you want to assign to a specific domain
controller in your Active Directory forest.
- The domain controller that currently owns FSMO roles is being
taken offline for scheduled maintenance and you need specific FSMO
roles to be assigned to a "live" domain controller. This may be
required to perform operations that connect to the FSMO owner. This
would be especially true for the PDC Emulator role but less true
for the RID master role, the Domain naming master role and the
Schema master roles.
We recommend that you seize FSMO roles in the following
scenarios:
- The current role holder is experiencing an operational error
that prevents an FSMO-dependent operation from completing
successfully and that role cannot be transferred.
- A domain controller that owns an FSMO role is force-demoted by
using the dcpromo /forceremoval command.
- The operating system on the computer that originally owned a
specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain
or forest gain full knowledge of changes that are made by
FSMO-holding domain controllers. If you must transfer a role, the
best candidate domain controller is one that is in the appropriate
domain that last inbound-replicated, or recently inbound-replicated,
a writable copy of the "FSMO partition" from the existing role
holder. For example, the Schema master role-holder has a
distinguished name path of CN=schema,CN=configuration,dc=, and this
means that roles reside in and are replicated as part of the
CN=schema partition. If the domain controller that holds the Schema
master role experiences a hardware or software failure, a good
candidate role-holder would be a domain controller in the root
domain and in the same Active Directory site as the current owner.
Domain controllers in the same Active Directory site perform
inbound replication every 5 minutes or 15 seconds. The partition
for each FSMO role is in the following table:
FSMO role             Partition
Schema                CN=Schema,CN=configuration,DC=
Domain Naming Master  CN=configuration,DC=
PDC                   DC=
RID                   DC=
Infrastructure        DC=
A domain controller whose FSMO roles have been seized should not
be permitted to communicate with existing domain controllers in the
forest. In this scenario, you should either format the hard disk
and reinstall the operating system on such domain controllers or
forcibly demote such domain controllers on a private network and
then remove their metadata on a surviving domain controller in the
forest by using the ntdsutil /metadata cleanup command. The risk of
introducing a former FSMO role holder whose role has been seized
into the forest is that the original role holder may continue to
operate as before until it inbound-replicates knowledge of the role
seizure. Known risks of two domain controllers owning the same FSMO
roles include creating security principals that have overlapping
RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow
these steps:
1. Log on to a Windows 2000 Server-based or Windows Server
2003-based member computer or domain controller that is located in
the forest where FSMO roles are being transferred. We recommend
that you log on to the domain controller that you are assigning
FSMO roles to. The logged-on user should be a member of the
Enterprise Administrators group to transfer Schema master or Domain
naming master roles, or a member of the Domain Administrators group
of the domain where the PDC emulator, RID master and the
Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.
Note: To see a list of available commands at any one of the
prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where
servername is the name of the domain controller you want to assign
the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to
transfer. For a list of roles that you can transfer, type ? at the
fsmo maintenance prompt, and then press ENTER, or see the list of
roles at the start of this article. For example, to transfer the
RID master role, type transfer rid master. The one exception is for
the PDC emulator role, whose syntax is transfer pdc, not transfer
pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to
gain access to the ntdsutil prompt. Type q, and then press ENTER to
quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these
steps:
1. Log on to a Windows 2000 Server-based or Windows Server
2003-based member computer or domain controller that is located in
the forest where FSMO roles are being seized. We recommend that you
log on to the domain controller that you are assigning FSMO roles
to. The logged-on user should be a member of the Enterprise
Administrators group to transfer schema or domain naming master
roles, or a member of the Domain Administrators group of the domain
where the PDC emulator, RID master and the Infrastructure master
roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where
servername is the name of the domain controller that you want to
assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize.
For a list of roles that you can seize, type ? at the fsmo
maintenance prompt, and then press ENTER, or see the list of roles
at the start of this article. For example, to seize the RID master
role, type seize rid master. The one exception is for the PDC
emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to
gain access to the ntdsutil prompt. Type q, and then press ENTER to
quit the Ntdsutil utility.
Notes
- Under typical conditions, all five roles must be assigned to
"live" domain controllers in the forest. If a domain controller
that owns a FSMO role is taken out of service before its roles are
transferred, you must seize all roles to an appropriate and healthy
domain controller. We recommend that you only seize all roles when
the other domain controller is not returning to the domain. If it
is possible, fix the broken domain controller that is assigned the
FSMO roles. You should determine which roles are to be on which
remaining domain controllers so that all five roles are assigned to
a single domain controller. For more information about FSMO role
placement, see the following article in the Microsoft Knowledge
Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO
placement and optimization on Windows 2000 domain controllers.
- If the domain controller that formerly held any FSMO role is not
present in the domain and if it has had its roles seized by using
the steps in this article, remove it from the Active Directory by
following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498
(http://support.microsoft.com/kb/216498/ ) How to remove data in
active directory after an unsuccessful domain controller demotion.
- Removing domain controller metadata with the Windows 2000 version
or the Windows Server 2003 build 3790 version of the ntdsutil
/metadata cleanup command does not relocate FSMO roles that are
assigned to live domain controllers. The Windows Server 2003
Service Pack 1 (SP1) version of the Ntdsutil utility automates this
task and removes additional elements of domain controller metadata.
- Some customers prefer not to restore system state backups of
FSMO role-holders in case the role has been reassigned since the
backup was made.
- Do not put the Infrastructure master role on the same domain
controller as the global catalog server. If the Infrastructure
master runs on a global catalog server it stops updating object
information because it does not contain any references to objects
that it does not hold. This is because a global catalog server
holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog
server:
1. Click Start, point to Programs, point to Administrative Tools,
and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the
appropriate site or click Default-first-sitename if no other sites
are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if
it is selected.
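The ntdsutil transfer procedure and the Infrastructure master / global catalog check above can both be done from PowerShell, which is also a convenient way to record who holds each role before and after a change. The script below is an added example and not part of the original page; it uses the .NET System.DirectoryServices.ActiveDirectory classes (Forest.SchemaRoleOwner, Forest.NamingRoleOwner, Domain.PdcRoleOwner, Domain.RidRoleOwner, Domain.InfrastructureRoleOwner and DomainController.IsGlobalCatalog()) and the fact that ntdsutil accepts each prompt entry as a command-line argument. The function names are mine, it assumes a domain-joined machine and a user allowed to read the directory, and DC02 in the usage line is a placeholder server name.

```powershell
# Added example (not from the original page): list the five FSMO role holders,
# check the Infrastructure master against the global catalog rule, and build
# the non-interactive ntdsutil command line for a role transfer.

function Get-FsmoRoleHolder {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest-wide roles come from the Forest object, domain-wide roles from Domain.
    $roles = @(
        @{ Role = 'Schema master';         Holder = $forest.SchemaRoleOwner },
        @{ Role = 'Domain naming master';  Holder = $forest.NamingRoleOwner },
        @{ Role = 'PDC emulator';          Holder = $domain.PdcRoleOwner },
        @{ Role = 'RID master';            Holder = $domain.RidRoleOwner },
        @{ Role = 'Infrastructure master'; Holder = $domain.InfrastructureRoleOwner }
    )
    foreach ($r in $roles) {
        New-Object PSObject -Property @{
            Role            = $r.Role
            Holder          = $r.Holder.Name
            Site            = $r.Holder.SiteName
            IsGlobalCatalog = $r.Holder.IsGlobalCatalog()
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The notes above: the Infrastructure master stops updating cross-domain
    # object references when it runs on a global catalog server.
    $infra = Get-FsmoRoleHolder | Where-Object { $_.Role -eq 'Infrastructure master' }
    if ($infra.IsGlobalCatalog) {
        "WARNING: Infrastructure master $($infra.Holder) is a global catalog server"
    } else {
        "OK: Infrastructure master $($infra.Holder) is not a global catalog server"
    }
}

function Invoke-FsmoTransfer {
    # Wraps the interactive sequence (roles / connections / connect to server /
    # q / transfer <role> / q / q) as one ntdsutil command line. Only 'transfer'
    # is built here; 'seize' is left out on purpose so it cannot run by accident.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Role name exactly as the fsmo maintenance prompt expects it,
        # e.g. 'rid master' or 'pdc' (see the transfer steps above).
        [Parameter(Mandatory = $true)][string]$Role,
        [Parameter(Mandatory = $true)][string]$TargetServer
    )
    $ntdsArgs = @('roles', 'connections', "connect to server $TargetServer", 'q', "transfer $Role", 'q', 'q')
    if ($PSCmdlet.ShouldProcess($TargetServer, "ntdsutil transfer $Role")) {
        & ntdsutil.exe @ntdsArgs
    } else {
        # With -WhatIf, return the command line that would have been run.
        'ntdsutil.exe ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
    }
}

# Usage
Get-FsmoRoleHolder | Format-Table Role, Holder, Site, IsGlobalCatalog -AutoSize
Test-InfrastructureMasterPlacement
Invoke-FsmoTransfer -Role 'rid master' -TargetServer 'DC02' -WhatIf   # DC02 is a placeholder
```

Running Get-FsmoRoleHolder before a transfer and again afterwards gives a simple audit record; Get-FsmoRoleHolder queries the domain of the machine it runs on, so for a multi-domain forest run it once per domain to cover the three domain-wide roles everywhere.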
1. What is Active Directory? Active Directory is Microsoft's
implementation of LDAP, used in the Windows Server platform post
NT and built around DNS. It is a distributed and hierarchical
directory service which stores information about the resources on
the network and provide t