
ACTIVE DIRECTORY, DNS, FSMO, GROUP POLICY

What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage and store their user objects, computer objects, and group membership, and to define security boundaries in a logical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources and makes the resources accessible to users and applications. It provides a consistent way to name, describe, locate, access, manage, and secure information about these resources.

Functions of Active Directory

Active Directory provides the following functions:

Centralizes control of network resources
By centralizing control of resources such as servers, shared files, and printers, only authorized users can access resources in Active Directory.

Centralizes and decentralizes resource management
Administrators have centralized administration with the ability to delegate administration of subsets of the network to a limited number of individuals, giving them greater granularity in resource management.

Stores objects securely in a logical structure
Active Directory stores all of the resources as objects in a secure, hierarchical logical structure.

Optimizes network traffic
The physical structure of Active Directory enables you to use network bandwidth more efficiently. For example, it ensures that, when users log on to the network, the authentication authority that is nearest to the user authenticates them, reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.

Operations Master Roles

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication.

During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.

Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest. The forest-wide roles are:

Schema master
Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:

Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.

Relative identifier master (RID)
When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.

Infrastructure master
When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.

Global Catalog

The global catalog contains:

- The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.
- The information that is necessary to determine the location of any object in the directory.
- The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.

A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names, or login name). The partial attributes that it has for that object are enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC and reduces network traffic over the WAN when locating objects somewhere else in the network. Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.
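Before moving on to DNS, here is an added example (not from these notes) that simulates the RID master role described above: the domain SID plus a RID makes a SID, and the RID master hands each domain controller its own block so that concurrently created principals never collide. The domain SID value and the DC names are constructed; the default block size of 500 is the pool size a DC requests.

```python
# Added example, not from the original notes: SID = domain SID + RID, with a
# RID master allocating disjoint RID blocks to domain controllers.
# The domain SID and DC names below are constructed.
import re

# S-1-5-21-<sub1>-<sub2>-<sub3>-<rid>: everything before the last hyphen is
# the domain SID (shared by every principal in the domain), the last part is
# the RID that makes the principal unique.
DOMAIN_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or raise."""
    m = DOMAIN_ACCOUNT_SID.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


class RidMaster:
    """The single DC holding the RID master role. It hands out disjoint RID
    blocks, so two DCs creating objects at the same time can never collide."""

    def __init__(self, domain_sid, block_size=500, first_rid=1000):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_rid = first_rid
        self.allocations = []  # (dc_name, first_rid, last_rid)

    def allocate(self, dc_name):
        first = self.next_rid
        last = first + self.block_size - 1
        self.next_rid = last + 1
        self.allocations.append((dc_name, first, last))
        return first, last


class DomainController:
    """Any DC in the domain: it consumes RIDs from its own block and asks the
    RID master for a new block only when the current one is exhausted."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = iter(())  # empty until the first block is requested

    def create_security_principal(self):
        try:
            rid = next(self.pool)
        except StopIteration:
            first, last = self.rid_master.allocate(self.name)
            self.pool = iter(range(first, last + 1))
            rid = next(self.pool)
        return f"{self.rid_master.domain_sid}-{rid}"


def sids_are_unique(sids):
    """True when no two principals were given the same SID."""
    return len(set(sids)) == len(sids)


def demo():
    """Two DCs creating principals in an interleaved order with a tiny block
    size (2), so DC1 exhausts its first block and has to fetch a second."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333", block_size=2)
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    sids = [dc1.create_security_principal(), dc2.create_security_principal(),
            dc1.create_security_principal(), dc1.create_security_principal()]
    return sids, master.allocations


if __name__ == "__main__":
    created, blocks = demo()
    print("\n".join(created))
    print(blocks, "unique:", sids_are_unique(created))
```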

Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.

What Are Active Directory Integrated Zones?

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone. Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

What Are DNS Zones?

A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

- Managed and included as part of the original zone records, or
- Delegated away to another zone created to support the subdomain

Types of Zones

There are two types of zones, forward lookup and reverse lookup. Forward lookup zones contain information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain information needed to perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records.

With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones. However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller:

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as Example.microsoft.com.dns if the zone name was example.microsoft.com. This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates, also known as DDNS, and process zone changes. The standard primary model implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The data in a secondary zone is read-only, and updated information must come from additional zone transfers. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53. Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available.

Note: A Standard Primary zone will not replicate its information to any other DNS servers, but may allow zone transfers to Secondary zones. Windows Server 2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1. Record Types

Name                    Description
Host (A)                Maps a DNS domain name to an IP address used by a computer.
Alias (CNAME)           Maps an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX)     Maps a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR)           Maps a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.
Service location (SRV)  Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records are added as needed.
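The following added example (not from these notes) ties together the DC locator described under Integration of DNS and Active Directory, the zone-type rules from Types of Zones, and the record types in Table 1: it parses a constructed forward lookup zone for a fictional domain corp.example, checks it against the forward/reverse zone rules, and selects a domain controller from the SRV records the way a client does. The `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` owner names (and their `<site>._sites` variants) are the standard DC locator records; every record value in ZONE_TEXT is made up.

```python
# Added example, not from the original notes: zone parsing, zone-type checks
# and SRV-based domain controller selection. The domain, hosts and addresses
# in ZONE_TEXT are constructed.
import ipaddress
import random

ZONE_TEXT = """
; constructed zone file fragment for corp.example: owner  type  rdata
corp.example.      SOA   dc1.corp.example. hostmaster.corp.example. 2024010101 900 600 86400 3600
corp.example.      NS    dc1.corp.example.
corp.example.      NS    dc2.corp.example.
dc1.corp.example.  A     10.0.1.10
dc2.corp.example.  A     10.0.2.10
mail.corp.example. CNAME dc1.corp.example.
corp.example.      MX    10 mail.corp.example.
_ldap._tcp.dc._msdcs.corp.example.               SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example.               SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.dc._msdcs.corp.example.           SRV 0 100 88  dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example.           SRV 0 100 88  dc2.corp.example.
_ldap._tcp.Branch._sites.dc._msdcs.corp.example. SRV 0 100 389 dc2.corp.example.
"""


def _norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Turn 'owner type rdata...' lines into (owner, type, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        records.append((_norm(parts[0]), parts[1].upper(), parts[2:]))
    return records


def check_zone(records, kind):
    """Zone-type rules from the text: SOA and NS are mandatory, a forward
    lookup zone may not hold PTR records, a reverse lookup zone should."""
    types = {rtype for _, rtype, _ in records}
    problems = []
    if "SOA" not in types:
        problems.append("missing SOA record")
    if "NS" not in types:
        problems.append("missing NS record")
    if kind == "forward" and "PTR" in types:
        problems.append("PTR record in a forward lookup zone")
    if kind == "reverse" and "PTR" not in types:
        problems.append("reverse lookup zone without PTR records")
    return problems


def reverse_owner_name(ip):
    """Owner name under which a PTR record for this address lives (in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def dc_locator_names(domain, site=None):
    """SRV owner names a client queries for LDAP and Kerberos DCs; the
    site-specific names are tried first when the client's site is known."""
    names = []
    if site:
        names += [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                  f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"]
    names += [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"]
    return [_norm(n) for n in names]


def lookup(records, owner, rtype):
    """All rdata field lists for an owner name and record type."""
    return [rdata for o, t, rdata in records if o == _norm(owner) and t == rtype]


def find_dc(records, domain, site=None, rng=random):
    """Pick a DC the way a client would: first SRV name with answers, lowest
    priority value, weighted-random among equal priorities, then the
    target's A record gives the FQDN and IP the text says the client needs."""
    for name in dc_locator_names(domain, site):
        srv = [(int(p), int(w), int(port), _norm(t))
               for p, w, port, t in lookup(records, name, "SRV")]
        if not srv:
            continue
        best = min(p for p, _, _, _ in srv)
        cands = [r for r in srv if r[0] == best]
        weights = [w for _, w, _, _ in cands]
        _, _, port, target = rng.choices(cands, weights=weights if sum(weights) else None)[0]
        addrs = lookup(records, target, "A")
        return {"srv_name": name, "dc": target, "port": port,
                "ip": addrs[0][0] if addrs else None}
    return None  # no SRV records: the client cannot locate a DC
```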

Q1. What does the logical component of the Active Directory structure include?

Objects: Resources are stored in the Active Directory as objects.

Sub category: object class. An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema: The classes and the attributes that they define are collectively referred to as the Active Directory Schema. In database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

[Figure 1-1, image not reproduced; domain labels in the figure: Microsoft.com, sales.microsoft.co, RND.Microsoft.com, West.Microsoft.com, East.Microsoft.com]

Figure 1-1. A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed. This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2. Trees in a forest share the same schema, but not the same namespace.

[Figure 1-2, image not reproduced; labels in the figure: Microsoft.com (root domain of the microsoft.com forest and tree), sales.microsoft.co, RND.Microsoft.com, West.Microsoft.com, East.Microsoft.com; Contoso.com (root domain of Contoso.com), West.contoso.com, East.contoso.com]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU. Important: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain). Windows Server 2003 supports six types of trust relationships:

- Parent and child trusts
- Tree-root trusts
- External trusts
- Shortcut trusts
- Realm trusts
- Forest trusts

Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic. More specifically, sites are used to control the following:

- Workstation logon traffic
- Replication traffic
- Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain. Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

- Replication within a single site (called intrasite replication)
- Replication between sites (called intersite replication)

Intrasite Replication

Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication

Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization.
For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming convention does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example CN=wjglenn,CN=Users,DC=contoso,DC=com, the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object. An example of a typical distinguished name would be CN=wjglenn,CN=Users,DC=contoso,DC=com. This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.
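Before the canonical name format, here is an added example (not from these notes) that works the sample DN CN=wjglenn,CN=Users,DC=contoso,DC=com through the naming rules above: it splits the DN into RDNs using the three attribute tags (DC, OU, CN), returns the RDN and the parent container, enforces the rule that no two objects in one container may share an RDN, and also produces the canonical form contoso.com/Users/wjglenn that the Canonical Names section below describes. Backslash escaping of a comma inside a value is the one RFC 4514 escape handled; everything else in a DN is assumed to be plain text.

```python
# Added example, not from the original notes: RDN, parent container,
# canonical name and RDN-uniqueness check for LDAP distinguished names.
ATTRIBUTE_TAGS = {"DC", "OU", "CN"}  # the three tags the text lists


def parse_dn(dn):
    """Return [(tag, value), ...] with the object's own RDN first."""
    # A backslash escapes the following character, so a value such as
    # Glenn\, Walter keeps its comma instead of starting a new RDN.
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        tag, sep, value = part.partition("=")
        tag, value = tag.strip().upper(), value.strip()
        if not sep or tag not in ATTRIBUTE_TAGS or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((tag, value))
    return rdns


def relative_distinguished_name(dn):
    """The leaf RDN, e.g. CN=wjglenn."""
    tag, value = parse_dn(dn)[0]
    return f"{tag}={value}"


def parent_container(dn):
    """DN of the container holding the object: everything after the first RDN."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def canonical_name(dn):
    """Root first: DC parts joined with dots, then containers and the object
    name separated by slashes, with no attribute tags."""
    rdns = parse_dn(dn)
    domain = ".".join(v for t, v in rdns if t == "DC")
    path = [v for t, v in reversed(rdns) if t != "DC"]
    return "/".join([domain] + path)


def rdn_is_available(existing_dns, new_dn):
    """Active Directory rejects a second object with the same RDN in the same
    parent container; names are compared case-insensitively."""
    parent = parent_container(new_dn).lower()
    rdn = relative_distinguished_name(new_dn).lower()
    for dn in existing_dns:
        if (parent_container(dn).lower() == parent
                and relative_distinguished_name(dn).lower() == rdn):
            return False
    return True


if __name__ == "__main__":
    sample = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(relative_distinguished_name(sample), parent_container(sample), canonical_name(sample))
```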
Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name contoso.com/Users/wjglenn. As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15. What are the different types of groups?

Security groups

Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups

These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:
1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group in another is called group nesting. For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then, you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.
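As an added example (not from these notes), the group-scope rules listed under Q16 can be written down as a checker, which also answers the membership question in Q17 for a given functional level and validates the Junior Admins nesting plan from Q18. The functional-level strings and domain names are constructed inputs; the one rule the text does not spell out but the checker applies is that a nested domain local group must come from the same domain as the group that contains it, which is standard Active Directory behaviour.

```python
# Added example, not from the original notes: group-scope membership rules
# from Q16 as a checker, plus validation of the Q18 nesting plan.
# Functional-level names and domains below are constructed inputs.
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}
ACCOUNTS = {"user", "computer"}
MEMBER_KINDS = ACCOUNTS | {"global", "domain local", "universal"}


def can_contain(scope, group_domain, member_kind, member_domain,
                domain_level, forest_level):
    """Return (allowed, reason). scope is 'global', 'domain local' or
    'universal'; member_kind is one of MEMBER_KINDS."""
    if member_kind not in MEMBER_KINDS:
        raise ValueError(f"unknown member kind: {member_kind!r}")
    same_domain = group_domain.lower() == member_domain.lower()
    native = domain_level in NATIVE_LEVELS
    if scope == "global":
        if member_kind in ACCOUNTS:
            return same_domain, "global groups hold accounts from their own domain only"
        if member_kind == "global":
            return native and same_domain, "nested global groups need native mode and the same domain"
        return False, "global groups cannot contain domain local or universal groups"
    if scope == "domain local":
        if member_kind in ACCOUNTS or member_kind == "global":
            return True, "accounts and global groups from any domain are allowed"
        if member_kind == "domain local":
            # same-domain requirement: standard AD behaviour, not stated in the text
            return native and same_domain, "nested domain local groups need native mode and the same domain"
        return native, "universal members need native mode"
    if scope == "universal":
        if forest_level not in NATIVE_LEVELS:
            return False, "universal groups need a native-mode forest"
        if member_kind == "domain local":
            return False, "universal groups cannot contain domain local groups"
        return True, "accounts, global and universal groups from any domain are allowed"
    raise ValueError(f"unknown group scope: {scope!r}")


def validate_plan(groups, memberships, domain_level, forest_level):
    """groups: {name: (scope, domain)}; memberships: [(group, member_name,
    member_kind, member_domain)]. Returns the memberships that would be
    rejected, each with the reason."""
    rejected = []
    for group, member, kind, member_domain in memberships:
        scope, group_domain = groups[group]
        ok, reason = can_contain(scope, group_domain, kind, member_domain,
                                 domain_level, forest_level)
        if not ok:
            rejected.append((group, member, reason))
    return rejected


def junior_admins_plan(domain_level):
    """Q18's nesting: four location-based global groups placed into one
    global Junior Admins group, all in the constructed domain contoso.com."""
    groups = {"Junior Admins": ("global", "contoso.com")}
    memberships = []
    for city in ("Dallas", "Denver", "Austin", "Houston"):
        groups[f"{city} Junior Admins"] = ("global", "contoso.com")
        memberships.append(("Junior Admins", f"{city} Junior Admins", "global", "contoso.com"))
    return validate_plan(groups, memberships, domain_level, "Windows Server 2003")


if __name__ == "__main__":
    for level in ("Windows 2000 mixed", "Windows Server 2003"):
        print(level, "->", junior_admins_plan(level) or "plan accepted")
```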

Q19. How many characters does a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to give better performance and to add fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client which provides additional features as well as caching.

Q22. What are the types of replication in DFS?

There are two types of replication:
* Automatic, which is only available for domain-based DFS.
* Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What all can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:
* Making changes to the site topology based on changes to the physical network topology.
* Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
* Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and it drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network. Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory. The fundamental problem with host files was that they were labor intensive: a host file is manually modified, and it is typically centrally administered. The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

* NetBIOS name (for instance, SPRINGERS01)
* TCP/IP address (121.133.2.44)
* Host name (Abbey)
* Media Access Control (MAC) address: this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line? DNS resolves domain names to IP addresses using these steps:

Step 1. A client (or resolver) passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more higher-level name servers, until the query resolution process starts with the far-right term (for instance, com), or at the top of the DNS tree with the root name servers.

The steps are explained with the help of the chart below.

Figure 85: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A)
A records map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. An A record has three fields: Host Name, Domain, Host IP Address. For example:

eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record, with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)
CNAME records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias. You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)
MX records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be user@foobarbaz.com rather than user@eric.foobarbaz.com. This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number 10, is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority. Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com. One should use caution with wildcards; specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)
Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called in-addr.arpa. In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a reverse lookup. It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There also must be an A record in your DNS for each machine you enter as a name server in your domain. If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with nse.algx.net and nsf.algx.net as your two authoritative name servers.

6. Start Of Authority Records (SOA)
The SOA record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record, then each part of it will be explained:

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800 ; Refresh
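As an added example (not part of the original document), the following Python code parses the record types discussed above from a constructed zone, follows CNAME aliases to the canonical A record, orders MX hosts by priority with the exact-before-wildcard rule, builds the in-addr.arpa name for a PTR record, and flags CNAME or NS targets that lack the A record the text says they need. The host backup.foobarbaz.com and its MX 20 entry are constructed, and draven.foobarbaz.com is left without an A record on purpose.

```python
# Constructed sample zone from the records quoted above; backup.foobarbaz.com (MX 20) is added here and draven deliberately has no A record.
ZONE = """
eric.foobarbaz.com.      IN A     36.36.1.6
backup.foobarbaz.com.    IN A     36.36.1.7
www.foobarbaz.com.       IN CNAME eric.foobarbaz.com.
foobarbaz.com.           IN MX 10 eric.foobarbaz.com.
foobarbaz.com.           IN MX 20 backup.foobarbaz.com.
*.foobarbaz.com.         IN MX 10 eric.foobarbaz.com.
6.1.36.36.in-addr.arpa.  IN PTR   eric.foobarbaz.com.
foobarbaz.com.           IN NS    draven.foobarbaz.com.
"""

def parse_zone(text):
    """Return (owner, type, priority, data) tuples; priority is None except for MX."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        owner, _cls, rtype, *rdata = parts      # subject on the left, answer on the right
        if rtype == "MX":
            records.append((owner, rtype, int(rdata[0]), rdata[1]))
        else:
            records.append((owner, rtype, None, rdata[0]))
    return records

def resolve_a(records, name, depth=0):
    """Follow CNAME aliases to the canonical name and return its IP address."""
    if depth > 8:
        raise ValueError("CNAME chain too long")
    for owner, rtype, _, data in records:
        if owner == name and rtype == "A":
            return data
        if owner == name and rtype == "CNAME":
            return resolve_a(records, data, depth + 1)
    return None

def mail_hosts(records, name):
    """MX targets for `name`, lowest priority number first; an exact owner match beats a wildcard."""
    matches = [r for r in records if r[1] == "MX" and r[0] == name]
    if not matches:
        wildcard = "*." + name.partition(".")[2]
        matches = [r for r in records if r[1] == "MX" and r[0] == wildcard]
    return [r[3] for r in sorted(matches, key=lambda r: r[2])]

def reverse_name(ip):
    """Owner name of the in-addr.arpa PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def lint(records):
    """Flag CNAME and NS targets that lack the A record the text says they need."""
    a_names = {r[0] for r in records if r[1] == "A"}
    return [f"{rtype} {owner} -> {data} has no A record"
            for owner, rtype, _, data in records
            if rtype in ("CNAME", "NS") and data not in a_names]
```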

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller, and then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".

4. Netdom - the easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window and type:

netdom query fsmo

and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below).

You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.
