
1. What is Active Directory?
2. What is LDAP?
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
4. Where is the AD database held? What other folders are related to AD?
5. What is the SYSVOL folder?
6. Name the AD NCs and replication issues for each NC.
7. What are application partitions? When do I use them?
8. How do you create a new application partition?
9. How do you view replication properties for AD partitions and DCs?
10. What is the Global Catalog?
11. How do you view all the GCs in the forest?
12. Why not make all DCs in a large forest as GCs?
13. Trying to look at the Schema, how can I do that?
14. What are the Support Tools? Why do I need them?
15. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
16. What are sites? What are they used for?
17. What's the difference between a site link's schedule and interval?
18. What is the KCC?
19. What is the ISTG? Who has that role by default?
20. What are the requirements for installing AD on a new server?
21. What can you do to promote a server to DC if you're in a remote location with slow WAN link?
22. How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
23. What tool would I use to try to grab security related packets from the wire?
24. Name some OU design considerations.
25. What is tombstone lifetime attribute?
26. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
27. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
28. How would you find all users that have not logged on since last month?
29. What are the DS* commands?
30. What's the difference between LDIFDE and CSVDE? Usage considerations?
31. What are the FSMO roles? Who has them by default? What happens when each one fails?
32. What FSMO placement considerations do you know of?
33. I want to look at the RID allocation table for a DC. What do I do?
34. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
35. How do you configure a "stand-by operation master" for any of the roles?
36. How do you backup AD?
37. How do you restore AD?
38. How do you change the DS Restore admin password?
39. Why can't you restore a DC that was backed up 4 months ago?
40. What are GPOs?
41. What is the order in which GPOs are applied?
42. Name a few benefits of using GPMC.
43. What are the GPC and the GPT? Where can I find them?
44. What are GPO links? What special things can I do to them?
45. What can I do to prevent inheritance from above?
46. How can I override blocking of inheritance?
47. How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
48. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
49. Name a few differences in Vista GPOs.
50. Name some GPO settings in the computer and user parts.
51. What are administrative templates?
52. What's the difference between software publishing and assigning?
53. Can I deploy non-MSI software with GPO?
54. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Answer:

1. What is Active Directory?

Ans: It is Microsoft's directory service: a replicated database that stores and manages information about objects (users, computers, groups, printers, shared folders etc.), exposes that information over LDAP, and authenticates those objects with Kerberos.

2. What is LDAP?

Ans: LDAP (Lightweight Directory Access Protocol) is an Internet-standard protocol that e-mail clients and other services use to look up information in a directory server. Active Directory domain controllers answer LDAP on TCP 389 (and LDAPS on TCP 636), so any LDAP client can query AD.

3. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

Ans: Yes. You can use DirXML (Novell's directory synchronization product) or plain LDAP to connect to other directories. On the Novell side the directory is eDirectory.

4. Where is the AD database held? What other folders are related to AD?

Ans: The AD database is the NTDS.DIT file, stored by default in %SystemRoot%\NTDS together with these related files:

- ntds.dit: the directory database itself
- edb.log: the current transaction log
- res1.log, res2.log: reserved log files that guarantee space to commit pending transactions if the disk fills up
- edb.chk: the checkpoint file that records which log entries have already been written to the database

The other AD-related folder is SYSVOL (next question).

5. What is the SYSVOL folder?

Ans: The SYSVOL folder (%SystemRoot%\SYSVOL by default) contains the public information of the domain that must be present on every DC: the Group Policy templates (GPTs), logon scripts and the NETLOGON share. Unlike NTDS.DIT it is replicated by the File Replication Service (FRS), or by DFS Replication on newer domains, not by AD replication.

6. Name the AD NCs and replication issues for each NC.

Ans: Active Directory consists of three partitions or naming contexts (NCs): the Domain, Configuration and Schema naming contexts. Each is replicated independently:

- An Active Directory forest has a single Schema NC and a single Configuration NC; every domain controller (DC) in the forest holds a copy of both, so these two replicate forest-wide.
- A forest can have multiple domains; every domain controller in a domain holds a copy of that domain's Domain NC, which replicates only among the DCs of that domain (Global Catalog servers additionally hold a partial, read-only copy of every domain NC in the forest).

7. What are application partitions? When do I use them?

Ans: An application directory partition is a partition in Active Directory which an application can use to store its application-specific data. It is replicated only to the specific domain controllers you choose, not to every DC in the domain or forest. It can contain any type of object except security principals (users, computers, groups). The best-known use is AD-integrated DNS: the DomainDnsZones and ForestDnsZones partitions hold the zone data and replicate only to DCs that run the DNS server.
8. How do you create a new application partition?

Ans: Use the DnsCmd command to create an application directory partition (the DNS-specific form). The syntax is:

    DnsCmd ServerName /CreateDirectoryPartition FQDN_of_partition

A general-purpose application partition can also be created with ntdsutil (the domain management menu in Windows Server 2003, partition management in 2008: create nc <partition DN> <server>).

9. How do you view replication properties for AD partitions and DCs?

Ans: Go to Start > Run and type replmon (Active Directory Replication Monitor, from the Support Tools). From the command line, repadmin /showreps lists every partition a DC holds together with its replication partners and the result of the last replication attempt.

10. What is the Global Catalog?

Ans: Domains and forests can share the resources available in Active Directory, and these resources are searched through the Global Catalog across domains and forests; the search is transparent to the user. A Global Catalog (GC) server is a DC that, in addition to the full copy of its own domain, holds a partial, read-only replica of every object in every domain of the forest (only the most commonly searched attributes) and answers forest-wide queries on LDAP port 3268 (3269 over SSL). For example, if you search for all of the printers in a forest, the query goes to a Global Catalog server, which returns the results. Without a Global Catalog server the query would have to be sent to every domain in the forest. The GC is also consulted at logon to resolve universal group membership.
11. How do you view all the GCs in the forest?

Ans: C:\>repadmin /showreps domain_controller

OR you can use Replmon.exe for the same purpose.
OR AD Sites and Services (the Global Catalog check box on each server's NTDS Settings object) and nslookup gc._msdcs.%USERDNSDOMAIN%. Note that the gc._msdcs records live in the forest root DNS zone, so the nslookup form only works with the forest root domain name, and that dsquery server -forest -isgc lists every GC in the forest from the command line.

12. Why not make all DCs in a large forest as GCs?

Ans: With too many DCs configured as GC servers, each of them must hold and keep replicating a partial copy of every domain in the forest, which causes replication overhead between the DCs across the forest and extra disk and WAN load. A second consideration is the Infrastructure Master role, which must not run on a GC unless every DC in its domain is a GC (see question 31). In a single-domain forest neither concern applies and every DC can safely be a GC.
13. Trying to look at the Schema, how can I do that?

Ans: The Active Directory Schema snap-in is not registered by default. Register it with:

    c:\windows\system32>regsvr32 schmmgmt.dll

Then open mmc --> Add/Remove Snap-in --> add Active Directory Schema, save the console as schema.msc, and open it from Administrative Tools --> schema.msc. You can also browse the Schema NC (CN=Schema,CN=Configuration,...) with ADSIEdit or LDP.

14. What are the Support Tools? Why do I need them?

Ans: Support Tools are the tools that are used for performing complicated tasks easily. These can also be third-party tools. Some of the Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.

-edit by Casquehead: I believe this question is referring to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here: http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory network without them. Here they are; it would do you well to familiarize yourself with all of them:

Acldiag.exe, Adsiedit.msc, Bitsadmin.exe, Dcdiag.exe, Dfsutil.exe, Dnslint.exe, Dsacls.exe, Iadstools.dll, Ktpass.exe, Ldp.exe, Netdiag.exe, Netdom.exe, Ntfrsutl.exe, Portqry.exe, Repadmin.exe, Replmon.exe, Setspn.exe
15. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

Ans:
LDP: Ldp.exe is the graphical LDAP client in the Support Tools. You connect and bind to a DC (on any port, including 3268 for the Global Catalog), browse the naming contexts, run raw LDAP searches with an arbitrary filter and attribute list, and add, modify or delete objects; it is the tool to use when you need to see exactly what the directory returns over the wire. (It has nothing to do with the MPLS Label Distribution Protocol, which merely shares the abbreviation.)
REPLMON: Replmon displays information about Active Directory replication (partners, USNs, failures) in a GUI and can force replication between DCs.
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects in a directory service. The attributes of each object can be edited or deleted with this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required to use it: ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN: This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

16. What are sites? What are they used for?

Ans: One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

Another answer: A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources (clients look for a DC in their own site first), manage Active Directory replication, and manage network link traffic. Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site links may also be assigned a schedule.
17. What's the difference between a site link's schedule and interval?

Ans: Any time two networks are separated by links that are heavily used during parts of the day and are idle during other parts of the day, put those networks into separate sites. You can then use the ability to schedule replication between sites to prevent replication traffic from competing with other traffic during high-usage hours. In simple words, the schedule defines the times during which you allow replication to happen. The interval is a separate setting that controls the replication polling frequency within the scheduled window. In other words, with a schedule of 9:00 AM to 1 PM and an interval of 15 minutes, replication polling occurs every 15 minutes but only between 9:00 AM and 1 PM. The defaults for a new site link are a schedule of "always available" and an interval of 180 minutes.
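The schedule and interval from the answer above, set on a site link with the Active Directory PowerShell module. This is an added example, not part of the original document; the site names, the link name and the 9:00 to 1 PM window are hypothetical, it needs the RSAT module from Windows Server 2012 or later, and it assumes the ReplicationSchedule property round-trips as a System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule object.

```powershell
# Added example: a site link whose schedule is 09:00-13:00 daily and whose interval is
# 15 minutes, the two independent settings described above.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()          # start with no slot available
# SetDailySchedule marks the 15-minute slots from the first to the last given time
# inclusive, so 12:45 is the last slot in which replication may start before 13:00.
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Nine,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twelve,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

# Interval: poll every 15 minutes. Schedule: but only inside the hours above.
New-ADReplicationSiteLink -Name 'HQ-Branch' `
    -SitesIncluded 'HQ', 'Branch' `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

# Read it back. RawSchedule is a 7 x 24 x 4 grid of 15-minute slots; count the open ones.
function Get-SiteLinkWindow {
    param([string]$LinkName)
    $link = Get-ADReplicationSiteLink -Identity $LinkName -Properties ReplicationSchedule, ReplicationFrequencyInMinutes
    $open = @($link.ReplicationSchedule.RawSchedule | Where-Object { $_ }).Count
    [pscustomobject]@{
        Link            = $link.Name
        IntervalMinutes = $link.ReplicationFrequencyInMinutes
        OpenSlotsPerWeek = $open
        HoursPerDay     = $open / 7 / 4        # 112 slots -> 4 hours per day
    }
}
Get-SiteLinkWindow -LinkName 'HQ-Branch'
```

Lowering the interval below 15 minutes is pointless: the KCC only checks the topology and the ISTG only schedules inter-site replication every 15 minutes, so that is the effective minimum.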
18. What is the KCC?

Ans: Within a site, a Windows Server 2003 component known as the KCC automatically generates a topology for replication among the domain controllers in the domain using a ring structure (with extra shortcut connections so that no two DCs are more than three hops apart). The KCC is a built-in process that runs on all domain controllers. The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change. Thanks, Rakesh (SISO)

Another answer: KCC is the Knowledge Consistency Checker, which creates the connection objects that link the DCs into a common replication topology and dictates the replication routes from one DC to another in the Active Directory forest.
19. What is the ISTG? Who has that role by default?

Ans: The Intersite Topology Generator (ISTG) is the one DC per site whose KCC is responsible for building the connection objects between sites; the intra-site topology is built by the KCC on every DC, the inter-site topology only by the ISTG. By default the first domain controller promoted in a site becomes its ISTG; if that DC goes offline, the remaining DCs in the site elect a new one automatically. The current holder is recorded in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object.
20. What are the requirements for installing AD on a new server?

Ans:
- An NTFS partition with enough free space (250 MB minimum); NTFS is mandatory because SYSVOL needs it
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server that supports SRV records (it can be installed on the DC itself)
- A domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

21. What can you do to promote a server to DC if you're in a remote location with slow WAN link?

Ans: Take a system state backup of a current Global Catalog server, write/burn it to CD, send the CD to the destination (the remote location) and restore it there to an alternate location on the new server. The backup must be younger than the forest's tombstone lifetime (question 25) or the wizard will refuse it, and because it contains NTDS.DIT it also contains every account's password hash, so protect the media in transit and destroy it afterwards. On the new server which needs to be promoted to a DC, type dcpromo /adv in Run and then follow these steps:

- Click Run, type dcpromo /adv to open the Active Directory Installation Wizard with the option to create an additional domain controller from restored backup files.
- On the Domain Controller Type page, click Additional domain controller for an existing domain, and then click Next.
- On the Copying Domain Information page, click From these restored backup files, type or browse to the location of the restored files, and then click Next.
- On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next. The user account must be a member of the Domain Admins group for the target domain.
- On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.
- On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next.
- On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the Administrator account for this server, and then click Next. Use this password when starting the computer in Directory Services Restore Mode.
- Restart the computer. Only the changes made since the backup was taken now have to cross the WAN.

22. How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?

Ans: Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil (metadata cleanup). There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.

Another way out too: Restart the DC in DSRM mode.
a. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode. It's a member server now, but the AD entries are still there. Promote the server to a fake domain, say ABC.com, and then remove it gracefully using DCpromo. Else, after the restart you can also use ntdsutil to do the metadata cleanup as told in the earlier post.
23. What tool would I use to try to grab security related packets from the wire?

Ans: A packet sniffer (protocol analyzer) such as Microsoft Network Monitor (netmon) or Ethereal/Wireshark captures the Kerberos, LDAP and SMB traffic between clients and DCs so that it can be inspected. Conversely, if you want to stop other people from doing that on your network, you must use sniffer-detecting tools to help stop the snoops, and enable LDAP signing and SMB signing so that what is captured cannot be tampered with.

24. Name some OU design considerations.

Ans: OU design requires balancing the requirements for delegating administrative rights (independent of Group Policy needs) against the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:

- Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign Group Policy settings, so create OUs for the sets of users and computers that need different policies.
- Delegating administrative authority: delegate at OU level and usually don't go more than 3 OU levels deep; deeper trees make delegation and policy inheritance hard to reason about.
25. What is tombstone lifetime attribute?

Ans: The number of days before a deleted object is removed from the directory service. When an object is deleted, it is not removed but turned into a tombstone that replicates to every DC; the tombstone is garbage-collected after the tombstone lifetime. This lets the deletion reach all replicas and prevents restores from reintroducing a deleted object. The value is the tombstoneLifetime attribute of the Directory Service object in the Configuration NC (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...). By default it is 60 days for forests created with Windows 2000 or Windows Server 2003 RTM (the attribute is then not set at all) and 180 days for forests created with Windows Server 2003 SP1 or later.
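A check that reads the forest's tombstone lifetime as described above and applies it to the age of a backup, which is the reason behind question 39 (why a 4-month-old backup cannot be restored) and the media-age rule in question 21. This is an added example, not part of the original document; it requires the Active Directory PowerShell module (RSAT, Windows Server 2008 R2 or later).

```powershell
# Added example: read tombstoneLifetime and decide whether a backup of a given age is still
# usable for a restore or as promotion media.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    # If the attribute has never been set (forest created with Windows 2000 or 2003 RTM),
    # AD uses the built-in 60-day default; forests created with 2003 SP1 or later store 180.
    if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param([Parameter(Mandatory = $true)][datetime]$BackupDate)
    $tsl     = Get-TombstoneLifetime
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        BackupAgeDays         = $ageDays
        TombstoneLifetimeDays = $tsl
        # A DC restored from media older than the TSL has never seen deletions that the
        # other DCs have already garbage-collected, so it would reintroduce those objects
        # (lingering objects). Such media must be refused.
        Usable                = ($ageDays -lt $tsl)
    }
}

# The 4-month-old backup from question 39: rejected in a 60-day forest (and in a 180-day one
# it would be accepted, which is why the answer depends on the forest).
Test-BackupAge -BackupDate (Get-Date).AddMonths(-4)
```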
26. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Ans: If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000 domain, or to upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to run the Adprep.exe utility (from the Windows Server 2003 CD) on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain, to extend the existing schema to support Windows Server 2003 Active Directory. After that change has replicated, the adprep /domainprep command must be issued on the server holding the infrastructure master role in each domain where a Windows Server 2003 DC will be deployed.
27. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

Ans: If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:

    D:\CMPNENTS\R2\ADPREP>adprep /forestprep
    ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
    [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    C
    Opened Connection to SAVDALDC01
    SSPI Bind succeeded
    Current Schema Version is 30
    Upgrading schema to version 31
    Connecting to "SAVDALDC01"
    Logging in as current user using SSPI
    Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
    Loading entries...
    139 entries modified successfully.
    The command has completed successfully
    Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: the license key entered for R2 must match the underlying OS type, which means that if you installed Windows 2003 using a volume-license key, you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
28. How would you find all users that have not logged on since last month?

Ans: Using only native commands, the batch script below produces a sorted, formatted report of users who have not logged on since YYYYMMDD. The report is sorted by user name and lists the user's name, full name and last logon date. The syntax is:

    <script>.bat \Folder\OutputFile.txt YYYYMMDD [/N]

where YYYYMMDD reports all users who have not logged on since this date, and /N is an optional parameter that bypasses users who have never logged on. The script parses the output of net user /domain, so the dates it reports are the lastLogon values of whichever DC net user happens to query; lastLogon is not replicated between DCs, so a user who last logged on against another DC may be reported as stale. The script contains:

    @echo off
    setlocal
    if {%2}=={} goto syntax
    if "%3"=="" goto begin
    if /i "%3"=="/n" goto begin
    :syntax
    @echo Syntax: %~n0 File yyyymmdd [/N]
    endlocal
    goto :EOF
    :begin
    if /i "%2"=="/n" goto syntax
    rem Validate the YYYYMMDD argument field by field
    set dte=%2
    set XX=%dte:~0,4%
    if "%XX%" LSS "1993" goto syntax
    set XX=%dte:~4,2%
    if "%XX%" LSS "01" goto syntax
    if "%XX%" GTR "12" goto syntax
    set XX=%dte:~6,2%
    if "%XX%" LSS "01" goto syntax
    if "%XX%" GTR "31" goto syntax
    set never=X
    if /i "%3"=="/n" set never=/n
    set file=%1
    if exist %file% del /q %file%
    rem net user /domain prints the account names in three 25-character columns
    for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do (
     call :parse "%%i"
    )
    endlocal
    goto :EOF
    :parse
    rem Strip the surrounding quotes, then cut the line into its three columns
    set str=#%1#
    set str=%str:#"=%
    set str=%str:"#=%
    set substr=%str:~0,25%#
    set substr=%substr: =%
    set substr=%substr: #=%
    set substr=%substr:#=%
    if "%substr%"=="" goto :EOF
    for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
    set substr=%str:~25,25%#
    set substr=%substr: =%
    set substr=%substr: #=%
    set substr=%substr:#=%
    if "%substr%"=="" goto :EOF
    for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
    set substr=%str:~50,25%#
    set substr=%substr: =%
    set substr=%substr: #=%
    set substr=%substr:#=%
    if "%substr%"=="" goto :EOF
    for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
    goto :EOF
    :parse1
    rem Pick the "Full Name" and "Last logon" lines out of net user <name> /domain
    set ustr=%1
    if %ustr%=="The command completed successfully." goto :EOF
    set ustr=%ustr:"=%
    if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
    if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
    set txt=%ustr:~29,99%
    for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
    if /i "%MM%"=="Never" goto tstnvr
    goto year
    :tstnvr
    if /i "%never%"=="/n" goto :EOF
    goto report
    :year
    rem Normalize two-digit years: 93-99 -> 19xx, 00-92 -> 20xx
    if "%YY%" GTR "1000" goto mmm
    if "%YY%" GTR "92" goto Y19
    set /a YY=100%YY%%%100
    set /a YY=%YY% + 2000
    goto mmm
    :Y19
    set YY=19%YY%
    :mmm
    rem Zero-pad month and day, then compare YYYYMMDD as strings
    set /a XX=100%MM%%%100
    if %XX% LSS 10 set MM=0%XX%
    set /a XX=100%DD%%%100
    if %XX% LSS 10 set DD=0%XX%
    set YMD=%YY%%MM%%DD%
    if "%YMD%" GEQ "%dte%" goto :EOF
    :report
    rem Pad to fixed-width columns with trailing spaces before truncating
    set fullname=%fullname%                                   #
    set fullname=%fullname:~0,35%
    set substr=%substr%                              #
    set substr=%substr:~0,30%
    @echo %substr% %fullname% %txt%>>%file%
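The same report written against the replicated lastLogonTimestamp attribute instead of the per-DC lastLogon value that net user prints. This is an added example, not part of the original document or of the batch script above; it requires the Active Directory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a domain functional level of at least Windows Server 2003, since lastLogonTimestamp does not exist below that.

```powershell
# Added example: users that have not logged on since a given date, using lastLogonTimestamp.
Import-Module ActiveDirectory

function Get-StaleUsers {
    param(
        [datetime]$Since = (Get-Date).AddMonths(-1),
        [switch]$IncludeNeverLoggedOn      # the batch script's default; its /N switch excludes them
    )
    # lastLogonTimestamp is replicated to every DC, but it is only rewritten when the stored
    # value is more than 9-14 days old, so a user listed here may really have logged on up to
    # 14 days after the date shown. lastLogon (what "net user" prints) is exact but per-DC.
    Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, displayName |
        ForEach-Object {
            $last = $null
            if ($_.lastLogonTimestamp) { $last = [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                FullName       = $_.displayName
                LastLogon      = $last        # $null = never logged on (or not since the DFL raise)
            }
        } |
        Where-Object {
            ($_.LastLogon -and $_.LastLogon -lt $Since) -or
            ($IncludeNeverLoggedOn -and -not $_.LastLogon)
        } |
        Sort-Object SamAccountName
}

# Same three columns as the batch script, sorted by user name, as CSV instead of fixed width.
Get-StaleUsers -Since (Get-Date).AddMonths(-1) -IncludeNeverLoggedOn |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation

# One-liner with the same caveat about lastLogonTimestamp granularity:
#   Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 30.00:00:00
```

Because of the 9-14 day update window, treat "not logged on since last month" as "lastLogonTimestamp older than 30 days plus 14", or query lastLogon on every DC and take the newest value, before disabling accounts based on this report.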
29. What are the DS* commands?

Ans: The DS (Directory Service) family of built-in command-line utilities for Windows Server 2003 Active Directory. The DS group of commands is split into two families: in one branch are DSadd, DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget. When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice; the DS family of built-in command-line executables offers an alternative to CSVDE, LDIFDE and VBScript. Let me introduce you to the members of the DS family:

- DSadd: add Active Directory users and groups
- DSmod: modify Active Directory objects
- DSrm: delete Active Directory objects
- DSmove: relocate objects
- DSquery: find objects that match your query attributes
- DSget: list the properties of an object

DS syntax: these DS tools have their own command structure, which you can split into five parts: (1) tool, (2) object type, (3) "DN" (as in LDAP distinguished name), (4) -switch, (5) value. For example:

    DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49Qba

This will add a user called Billy to the Managers OU and set the password to cX49Qba.

Here are some of the common DS switches which work with DSadd and DSmod: -pwd (password), -upn (userPrincipalName), -fn (first name), -samid (SAM account name). The best way to learn about this DS family is to log on at a domain controller and experiment from the command line. I have prepared examples of the two most common programs. Try some sample commands for DSadd.

Two most useful tools: DSquery and DSget. DSquery and DSget remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One prerequisite for getting the most from this DS family is a working knowledge of LDAP. If you need to query users or computers from a range of OUs and then return information, for example office, department or manager, then DSquery and DSget would be your tools of choice. Moreover, you can export the information into a text file.
30. What's the difference between LDIFDE and CSVDE? Usage considerations?

Ans:

Ldifde

Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services. The LDAP Data Interchange Format (LDIF), originally a draft Internet standard and now RFC 2849, is a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. The referenced article explains how the LDIFDE utility can be used to migrate directories: http://support.microsoft.com/kb/237677

Csvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format, so you can also run batch operations based on the CSV file format standard. Csvde is a command-line tool that is built into Windows Server 2008 in the %systemroot%\system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. http://technet.microsoft.com/en-us/library/cc732101.aspx

Difference usage-wise

Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but it extracts information in comma-separated value (CSV) format. You can use Csvde to import and export Active Directory data that uses the comma-separated value format. Use a spreadsheet program such as Microsoft Excel to open the .csv file and view the header and value information. See Microsoft Excel Help for information about functions such as Concatenate that can simplify the process of building a .csv file. Note: although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv), and it can only add objects, not modify or delete them. Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work. The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class" that you must rename to "objectClass". You must also rename "Display Name" to "displayName".
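The difference described above shown on one account: an LDIF batch that adds the user and then modifies it, and a CSVDE export of the same OU. This is an added example, not part of the original document; the domain, OU, account and file names are hypothetical, and it must run from an elevated prompt on a machine with the AD tools installed. No password is set, because the unicodePwd attribute can only be written over an encrypted (LDAPS) connection, which ldifde does not open.

```powershell
# Added example: add + modify with LDIFDE, export with CSVDE.
$ou = 'OU=Managers,DC=corp,DC=example,DC=com'
$dn = "CN=Jane Tester,$ou"

# 1. LDIF: two records in one batch, separated by a blank line. The "modify" record ends
#    with a lone "-" that closes the change list. userAccountControl 514 = normal account,
#    disabled: a new account without a password must not be enabled.
$ldif = @"
dn: $dn
changetype: add
objectClass: user
sAMAccountName: jtester
userPrincipalName: jtester@corp.example.com
displayName: Jane Tester
userAccountControl: 514

dn: $dn
changetype: modify
replace: description
description: Imported by ldifde
-
"@
Set-Content -Path .\jane.ldf -Value $ldif -Encoding ASCII

# -i import, -f file, -k keep going on "already exists"/constraint violations, -j . log here
ldifde -i -f .\jane.ldf -k -j .
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE (see .\ldif.log)" }

# 2. CSVDE can only export (-f file) or add; -d base DN, -r LDAP filter, -l attribute list.
#    The DN is always the first column of the export, which is also what an import needs.
csvde -f .\managers.csv -d $ou -r '(objectClass=user)' -l 'sAMAccountName,displayName,description'
if ($LASTEXITCODE -ne 0) { throw "csvde failed with exit code $LASTEXITCODE" }

Import-Csv .\managers.csv |
    Select-Object DN, sAMAccountName, displayName, description |
    Format-Table -AutoSize
```

To change the description of the exported accounts afterwards you would edit the .ldf, not the .csv: a CSV import of an existing DN fails with "object already exists", which is the limitation the answer above refers to.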
31. What are the FSMO roles? Who has them by default? What happens when each one fails?

Ans: FSMO stands for Flexible Single Master Operation. There are 5 roles:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. If it fails, the schema can no longer be extended (adprep, Exchange setup and similar fail), but day-to-day operation is unaffected and the loss often goes unnoticed for weeks.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross-references to domains in external directories. There can be only one domain naming master in the whole forest. If it fails, domains and application partitions cannot be added to or removed from the forest; nothing else is affected.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: the Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold; this is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. If the IM fails, cross-domain group memberships in its domain stop being updated when the referenced objects are renamed or moved; in a single-domain forest, or when every DC is a GC, nothing is affected.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain. If it fails, every DC keeps working until its local RID pool is exhausted, after which that DC can no longer create users, groups or computers.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPOs) is always done on the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier have been upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
If the PDC emulator fails, its loss is the one noticed first: time synchronization breaks, password changes take a full replication cycle to become visible everywhere, account lockouts are delayed, GPMC and the Group Policy editor fall back to another DC, and any remaining NT 4.0 BDCs stop receiving updates.

Who has them by default: the first DC promoted in the forest holds all five roles; the first DC promoted in each additional domain holds that domain's three domain-wide roles (RID master, PDC emulator, Infrastructure master).
32. What FSMO placement considerations do you know of? Ans: Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
33. I want to look at the RID allocation table for a DC. What do I do? Ans: At a command prompt type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).
34. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why? Ans:
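As an added example for questions 33 and 34 (not part of the original answers), this PowerShell moves the three domain-level roles to a new DC, transferring when the current holder answers and seizing only when it does not, and then runs the RID manager test from question 33 on the new holder. DC names and the role list are placeholders; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and Domain Admin rights.

```powershell
# Added example (not from the original Q&A): transfer vs. seize of FSMO roles.
# DC2 and the role list are placeholders; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$targetDc = 'DC2'
$roles    = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')

$domain  = Get-ADDomain
$current = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

foreach ($role in $roles) {
    $holder = $current[$role]
    if ($holder -ieq "$targetDc.$($domain.DNSRoot)") { continue }   # already where we want it

    # A transfer is cooperative: the old holder replicates its final state and
    # hands the role over, so it is the safe choice whenever the holder answers.
    if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
        Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $role -Confirm:$false
        Write-Host "Transferred $role from $holder to $targetDc"
    }
    else {
        # -Force tries a transfer first and seizes if that fails. A seize rewrites
        # fSMORoleOwner without the old holder's knowledge, so that DC must not be
        # returned to the network as a DC; remove it with ntdsutil "metadata cleanup".
        Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $role -Force -Confirm:$false
        Write-Warning "Seized $role from unreachable $holder; do not bring $holder back online"
    }
}

# Verify: the domain object reports the new holders, and the RID manager test
# (question 33) shows a valid allocation pool on the new RID master.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
& dcdiag.exe /test:ridmanager /s:$targetDc /v
```

`Test-Connection` is only a reachability hint; if ICMP is filtered, check the holder with `repadmin /showrepl` before deciding that a seize is really necessary.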

35. How do you configure a stand-by operations master for any of the roles? Ans: Create a connection object from the current role holder to the standby DC, so the standby replicates directly from the role holder and is up to date if the role ever has to be transferred or seized onto it:

1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
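The same connection object, created from PowerShell instead of the Sites and Services GUI, as an added example that is not part of the original answer. DC names and the site name are placeholders; it assumes the ActiveDirectory module and rights to write to the Configuration naming context.

```powershell
# Added example (not from the original Q&A): create the standby-master connection
# object (nTDSConnection) under the standby DC's NTDS Settings, pointing at the
# current role holder. DC1/DC2 and the site name are placeholders.
Import-Module ActiveDirectory

$roleHolder = 'DC1'                       # current operations master
$standby    = 'DC2'                       # DC that should be the standby
$site       = 'Default-First-Site-Name'   # site both DCs live in

$configNc = (Get-ADRootDSE).configurationNamingContext
function Get-NtdsDn([string]$dc) { "CN=NTDS Settings,CN=$dc,CN=Servers,CN=$site,CN=Sites,$configNc" }

$standbyNtds = Get-NtdsDn $standby
$holderNtds  = Get-NtdsDn $roleHolder

# Idempotent: reuse a connection from the holder if the KCC already built one.
$existing = Get-ADObject -SearchBase $standbyNtds -SearchScope OneLevel `
    -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer |
    Where-Object { $_.fromServer -eq $holderNtds }

if (-not $existing) {
    # enabledConnection, fromServer and options are the mandatory attributes of
    # nTDSConnection. options = 0 marks the object as administrator-created, so
    # the KCC leaves it alone instead of pruning it like its own generated ones.
    New-ADObject -Type nTDSConnection -Name "From $roleHolder" -Path $standbyNtds -OtherAttributes @{
        fromServer        = $holderNtds
        enabledConnection = $true
        options           = 0
    }
    Write-Host "Created connection $standby <- $roleHolder"
}

# Check the inbound connections now defined on the standby, then pull the
# domain partition over the new link straight away.
Get-ADObject -SearchBase $standbyNtds -SearchScope OneLevel `
    -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer, options |
    Select-Object Name, fromServer, options
& repadmin.exe /replicate $standby $roleHolder (Get-ADDomain).DistinguishedName
```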
36. How do you backup AD? Ans:

37. How do you restore AD? Ans:

38. How do you change the DS Restore admin password? Ans:

How to Change the Recovery Console Administrator Password on a Domain Controller

Microsoft Knowledge Base Article ID: 239803. Last Review: March 1, 2007. Revision: 2.2. This article was previously published under Q239803.

SUMMARY

When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

MORE INFORMATION

The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the %SystemRoot%\System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain. For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use one of the following methods.

Method 1

If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the Setpwd.exe utility to change the SAM-based Administrator password. To do this:

1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. At a command prompt, change to the %SystemRoot%\System32 folder.
3. To change the local SAM-based Administrator password, type setpwd, and then press ENTER. To change the SAM-based Administrator password on a remote domain controller, type the following command at a command prompt, and then press ENTER: setpwd /s:servername, where servername is the name of the remote domain controller.
4. When you are prompted to type the password for the Directory Service Restore Mode Administrator account, type the new password that you want to use.
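Setpwd.exe is a Windows 2000 SP2 tool and does not ship with Windows Server 2003 or later, where the same job is done by ntdsutil's "set dsrm password" menu. The following PowerShell is an added example, not part of the KB article: it sets the DSRM password on the local DC and then confirms the change from the Security log. The account name is a placeholder; it assumes an administrator session on the DC itself and, for the sync variant, Windows Server 2008 or later.

```powershell
# Added example (not from the KB article): DSRM password reset with ntdsutil.
# Runs on the DC whose DSRM password is being changed; $account is a placeholder.
$account = 'svc-dsrm-sync'   # domain account whose current password becomes the DSRM password

# Windows Server 2008 and later: copy the DSRM password from a domain account that
# you rotate centrally, so the DSRM secret is never typed on the console.
# On Windows Server 2003 use "reset password on server null" instead; ntdsutil
# then prompts twice for the new password.
& ntdsutil.exe 'set dsrm password' "sync from domain account $account" quit quit

# Verify: setting the DSRM password writes event 4794 to the local Security log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt -and $evt.TimeCreated -gt (Get-Date).AddMinutes(-5)) {
    Write-Host "DSRM password changed at $($evt.TimeCreated) by $($evt.Properties[1].Value)"
} else {
    Write-Warning 'No recent event 4794 found; check the ntdsutil output above'
}
```

Because the DSRM password is a local SAM secret and is not replicated, the command has to be run (or the setpwd /s: form used) on every DC whose password you want to change.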
39. Why can't you restore a DC that was backed up 4 months ago? Ans: Because of the tombstone lifetime, which is set to only 60 days by default (180 days for forests created on Windows Server 2003 SP1 or later). A backup older than the tombstone lifetime is refused: objects deleted since the backup have already had their tombstones garbage-collected on the other DCs, so the restored DC could never learn about those deletions and would reintroduce them as lingering objects.
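As an added example (not part of the original answer), this PowerShell reads the forest's actual tombstone lifetime from the Configuration partition and checks a backup date against it, so the "4 months" case above can be answered for any forest rather than assuming 60 days. It assumes the ActiveDirectory module; the backup date is a placeholder for the date of your system-state backup.

```powershell
# Added example (not from the original Q&A): is a system-state backup still
# restorable given this forest's tombstone lifetime? Read-only; assumes the
# ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties tombstoneLifetime
    # The attribute is absent in forests created on Windows 2000/2003 RTM, where the
    # default is 60 days; forests created on Windows Server 2003 SP1+ carry an
    # explicit value (180 by default).
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-BackupRestorable {
    param([datetime]$BackupDate, [int]$TombstoneLifetimeDays)
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate   = $BackupDate
        AgeDays      = $ageDays
        LifetimeDays = $TombstoneLifetimeDays
        Restorable   = $ageDays -lt $TombstoneLifetimeDays
    }
}

$lifetime = Get-TombstoneLifetimeDays
# The question's case: a backup taken four months ago (placeholder date).
Test-BackupRestorable -BackupDate (Get-Date).AddMonths(-4) -TombstoneLifetimeDays $lifetime
```

With the 60-day default the result is Restorable = False; the same check is the reason a backup schedule for DCs must complete well inside the tombstone lifetime, not merely inside the data retention period.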

40. What are GPOs? Ans:

41. What is the order in which GPOs are applied? Ans: Local, Site, Domain, OU (LSDOU). Policies applied later override earlier ones where settings conflict, so an OU-linked GPO normally wins over a domain-linked one; the Enforced (No Override) option on a link reverses that and makes the higher-level setting win.

42. Name a few benefits of using GPMC. Ans: Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:

- Easy administration of all GPOs across the entire Active Directory forest
- View of all GPOs in one single list
- Reporting of GPO settings, security, filters, delegation, etc.
- Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
- Delegation model
- Backup and restore of GPOs
- Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:

- Role-based delegation of GPO management
- Being edited in production, potentially causing damage to desktops and servers
- Forgetting to back up a GPO after it has been modified
- Change management of each modification to every GPO
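The "forgetting to back up a GPO after it has been modified" gap can be closed with the GPMC's own PowerShell module, as in this added example (not part of the original answer): it backs up only the GPOs whose modification time is newer than the previous run, so it can be scheduled and produces a dated, auditable set of changes. The backup share is a placeholder; it assumes the GroupPolicy module (installed with GPMC on Windows Server 2008 R2 or later) and write access to the share.

```powershell
# Added example (not from the original Q&A): scheduled backup of changed GPOs.
# $backupRoot is a placeholder; assumes the GroupPolicy module and write access.
Import-Module GroupPolicy

$backupRoot = '\\fileserver\gpo-backups'
$stampFile  = Join-Path $backupRoot 'last-run.txt'

# Time of the previous run; on the first run everything is considered changed.
$lastRun = if (Test-Path $stampFile) { [datetime](Get-Content $stampFile -Raw) } else { [datetime]::MinValue }
$runDir  = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')

# ModificationTime on a GPO object comes from the GPC, i.e. it moves whenever the
# policy is edited in production, which is exactly the event we want to capture.
$changed = @(Get-GPO -All | Where-Object { $_.ModificationTime -gt $lastRun })

if ($changed.Count -gt 0) {
    New-Item -ItemType Directory -Path $runDir | Out-Null
    foreach ($gpo in $changed) {
        # Backup-GPO copies the GPT files and writes an XML manifest of the GPC
        # (links are not included; they belong to the containers, not the GPO).
        Backup-GPO -Guid $gpo.Id -Path $runDir -Comment "modified $($gpo.ModificationTime); scheduled diff backup" | Out-Null
        Write-Host "backed up '$($gpo.DisplayName)' (modified $($gpo.ModificationTime))"
    }
} else {
    Write-Host "no GPO modified since $lastRun"
}

# Record this run so the next one only picks up newer changes.
(Get-Date).ToString('o') | Set-Content $stampFile
```

Restoring is the mirror image: `Restore-GPO -Name <name> -Path <runDir>` puts the settings back, and `Get-GPOReport -ReportType Html` on the backup folder lets you review what a change contained before you roll it back.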

43. What are the GPC and the GPT? Where can I find them? Ans: Group Policy Container and Group Policy Template. The GPC is the Active Directory object for the GPO; it lives under CN=Policies,CN=System,<domain DN>, is named by the GPO's GUID, and holds attributes such as versionNumber and gPCFileSysPath. The GPT is the matching folder in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GUID}) that contains the actual settings files: gpt.ini plus the Machine and User subfolders. The two replicate by different mechanisms (AD replication for the GPC, FRS or DFS-R for the GPT), which is why their version numbers can temporarily disagree.
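The following PowerShell is an added example (not part of the original answer) that lists each GPO's GPC and GPT side by side and compares the version stored in the GPC's versionNumber with the Version= line in the GPT's gpt.ini. A mismatch, or a missing GPT folder, means the two halves have not replicated consistently and is the first thing to check when one client in an OU does not receive a GPO that its neighbours do (question 48). It assumes the ActiveDirectory module and read access to SYSVOL.

```powershell
# Added example (not from the original Q&A): GPC vs. GPT version consistency.
# Read-only; assumes the ActiveDirectory module and read access to SYSVOL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policies = "CN=Policies,CN=System,$($domain.DistinguishedName)"

Get-ADObject -SearchBase $policies -SearchScope OneLevel `
    -Filter 'objectClass -eq "groupPolicyContainer"' `
    -Properties displayName, versionNumber, gPCFileSysPath |
ForEach-Object {
    $gptIni = Join-Path $_.gPCFileSysPath 'gpt.ini'
    $gptVersion = $null
    if (Test-Path $gptIni) {
        # gpt.ini carries a single "Version=<n>" line; n must equal the GPC's versionNumber.
        $line = Get-Content $gptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line) { $gptVersion = [int]$line.Substring('Version='.Length) }
    }
    # versionNumber packs two 16-bit counters: user half in the high word,
    # computer half in the low word. Showing them separately tells you which
    # side of the GPO was last edited.
    $gpcVersion = [int]$_.versionNumber
    [pscustomobject]@{
        Name        = $_.displayName
        GPC         = $_.DistinguishedName
        GPT         = $_.gPCFileSysPath
        GPCVersion  = $gpcVersion
        UserVer     = ($gpcVersion -shr 16) -band 0xFFFF
        ComputerVer = $gpcVersion -band 0xFFFF
        GPTVersion  = $gptVersion
        Status      = if ($null -eq $gptVersion) { 'GPT MISSING' }
                      elseif ($gptVersion -ne $gpcVersion) { 'VERSION MISMATCH' }
                      else { 'ok' }
    }
} | Format-Table Name, UserVer, ComputerVer, GPTVersion, Status -AutoSize
```

Run it against a specific DC with `-Server` on `Get-ADObject` (and read gpt.ini through that DC's SYSVOL share) to find out whether the mismatch is a replication delay on one DC or a genuinely inconsistent GPO.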

44. What are GPO links? What special things can I do to them? Ans:

45. What can I do to prevent inheritance from above?

46. How can I override blocking of inheritance?

47. How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

48. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

49. Name a few differences in Vista GPOs.

50. Name some GPO settings in the computer and user parts.

51. What are administrative templates?

52. What's the difference between software publishing and assigning?

53. Can I deploy non-MSI software with GPO?

54. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that? Ans: Log on to a client as a Domain Admin user, change whatever you need (add printers, etc.), then go to System > User Profiles and copy this user profile to any location, selecting Everyone under "Permitted to use". After the copy, rename ntuser.dat to ntuser.man and assign this path under the users' profile path.
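The last two steps of that answer, scripted, as an added example that is not part of the original: rename the copied profile's hive so it becomes mandatory and point every user in the department's OU at it. The share path and OU are placeholders; it assumes the profile has already been copied to the share with the GUI steps above and that the ActiveDirectory module is available.

```powershell
# Added example (not from the original Q&A): make a copied profile mandatory and
# assign it to a department. $share and $ou are placeholders.
Import-Module ActiveDirectory

$share = '\\fileserver\profiles\Sales'     # value written to the users' profile path
$ou    = 'OU=Sales,DC=corp,DC=example'     # department OU

# Windows Vista / Server 2008 and later clients append ".v2" to the profile path
# themselves, so the folder on disk is Sales.v2 while AD stores the bare path.
$folder = "$share.v2"

# ntuser.man instead of ntuser.dat tells Windows to discard all changes at
# logoff, which is what makes the profile mandatory rather than roaming.
$dat = Join-Path $folder 'ntuser.dat'
if (Test-Path $dat) {
    Rename-Item -Path $dat -NewName 'ntuser.man'
    Write-Host "renamed ntuser.dat -> ntuser.man in $folder"
}
if (-not (Test-Path (Join-Path $folder 'ntuser.man'))) {
    throw "no ntuser.man in $folder; copy the profile there first"
}

# Assign the path to every enabled user in the OU that does not already have it.
Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $true' -Properties ProfilePath |
    Where-Object { $_.ProfilePath -ne $share } |
    ForEach-Object {
        Set-ADUser -Identity $_ -ProfilePath $share
        Write-Host "$($_.SamAccountName): ProfilePath = $share"
    }

# Verify.
Get-ADUser -SearchBase $ou -Filter * -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath | Format-Table -AutoSize
```

Because every user in the OU reads the same hive, the share needs only Read for those users (Full Control stays with Administrators); giving them write access would let one user's session alter the profile everyone else logs on with.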
