
1. What is Active Directory?

Ans: Microsoft’s directory database for Windows 2000/2003 networks. Stores information
about resources on the network and provides a means of centrally organizing, managing, and
controlling access to the resources.
What is Active Directory? Active Directory is a network-based object store and
service that locates and manages resources, and makes these resources available to
authorized users and groups. An underlying principle of the Active Directory is that
everything is considered an object—people, servers, workstations, printers,
documents, and devices. Each object has certain attributes and its own security access
control list (ACL).
2. What is LDAP?
Ans: Lightweight Directory Access Protocol. It is the directory database of Active Directory and is used
to store the Active Directory objects in Windows 2000. In Windows 2000/2003 it is known as Active
Directory.
How can you authenticate between forests? Four types of authentication are used
across forests: (1) Kerberos and NTLM network logon for remote access to a server
in another forest; (2) Kerberos and NTLM interactive logon for physical logon
outside the user’s home forest; (3) Kerberos delegation to N-tier application in
another forest; and (4) user principal name (UPN) credentials.
What snap-in administrative tools are available for Active Directory? Active
Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory Replication
(optional, available from the Resource Kit), Active Directory Schema Manager
(optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory?

• Structural class. The structural class is important to the system administrator in that
it is the only type from which new Active Directory objects are created. Structural
classes are developed from either the modification of an existing structural type or the
use of one or more abstract classes.
• Abstract class. Abstract classes are so named because they take the form of templates
that actually create other templates (abstracts) and structural and auxiliary classes.
Think of abstract classes as frameworks for the defining objects.
• Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous
attributes when creating a structural class, it provides a streamlined alternative by
applying a combination of attributes with a single include action.
• 88 class. The 88 class includes object classes defined prior to 1993, when the 1988
X.500 specification was adopted. This type does not use the structural, abstract, and
auxiliary definitions, nor is it in common use for the development of objects in
Windows Server 2003 environments.

How do you delete a lingering object? Windows Server 2003 provides a command
called Repadmin that provides the ability to delete lingering objects in the Active
Directory.

3. What is backed up in a System State backup?


In System State Backup
I. The System Registry
II. The COM+ (Component Object Model) Class Registration Database
III. The boot files
a) Boot.ini
b) Ntdetect.com
c) Ntldr
d) Bootsect.dos
e) Ntbootdd.sys
IV. System files protected by the Windows File Protection service
V. Certificate Services database, if installed.
VI. Active Directory and the Sysvol folder on the DC.
VII. Cluster Service information on a cluster server.
VIII. Internet Information Server metabase.

4. What is the difference between Authoritative and Non-Authoritative Restore?


If the entire Active Directory has been lost, a Non-Authoritative Restore is used.
If only particular objects (a user, an OU, a group, or similar) need to be restored, an
Authoritative Restore is used.

a. Authoritative Restore:
The main purpose of Authoritative restore is to undo or roll back changes that have
been made to active directory, or to reset data stored in a distributed directory such
as sysvol.
b. Non-Authoritative Restore.
The data and distributed services on a domain controller are restored from a backup
media and then updated through normal replication.
Example: If the restored backup contains a user named "Mark" and that user was deleted
after the last backup, the Mark user object will also be deleted on the restored domain
controller via the replication process.
Reasons for a Non-Authoritative Restore
I. Restoring a single domain controller in an environment that includes
multiple domain controllers
II. Attempting to restore SYSVOL or File Replication Service data on
domain controllers.
c. Primary Restore
New in Windows 2003.
Reason for Primary Restore
I. Restoring the only domain controller in an Active Directory
Environment
II. Restoring the first of several domain controllers
III. Restoring the first domain controller in a replica set.
When all the domain controllers, or the only domain controller, in a domain have failed,
a primary restore is needed. If a domain is lost, the first domain controller should be
restored with a primary restore, and any subsequent domain controllers should be
restored using a Normal or Non-Authoritative restore.
What is the difference between Authoritative and Non-Authoritative Restore?
In environments with multiple domain controllers (DCs) providing fault tolerance,
there are two ways to restore the Active Directory.

Note: To restore the active directory, the System State for Windows 2000 Servers and
Shadow Copy Components for Windows 2003 Servers must be backed up. The system
directories on the servers such as C:\winnt or C:\Windows must also be backed up
regularly.

The default method of restoring an active directory is Non-Authoritative. This method
will restore an active directory to the server in question and will then receive all of the
recent updates from its replication partners in the domain. For example, a server that has
a System State backup from two days ago goes down. A restore of the two-day old active
directory would be performed and it would then be updated from the other domain
controllers when the next replication takes place. No other steps would be required.

The second method of restoring an active directory is Authoritative restore. This method
restores the DC directory to the state that it was in when the backup was made, then
overwrites all the other DCs to match the restored DC, thereby removing any changes
made since backup. Authoritative restores do not have to be made of the entire directory,
as you can choose to restore only parts of the directory. When only parts of the active
directory are restored, say an organizational unit, this information is pushed out to the
remaining DCs and they are overwritten. However, the rest of the directory's information
is then replicated to the restored DC's directory and it is updated.

An example of when an Authoritative restore would be used is when an organizational
unit is deleted but everything else in the active directory is working as required. A good
backup of an active directory is available and it is decided to just restore this
organizational unit authoritatively. This will ensure that it will not be deleted again as it
will overwrite all other DCs and let the rest of the restored DC's directory be updated
from its replication partners.

If the environment only has a single domain controller, then there is never a reason to
perform an authoritative restore as there are no replication partners.

Normal restore / non-authoritative restore

During a normal restore operation, Backup operates in nonauthoritative restore mode. That is,
any data that you restore, including Active Directory objects, will have their original update
sequence number. The Active Directory replication system uses this number to detect and
propagate Active Directory changes among the servers in your organization. Because of this,
any data that is restored nonauthoritatively will appear to the Active Directory replication
system as though it is old, which means the data will never get replicated to your other
servers. Instead, if newer data is available from your other servers, the Active Directory
replication system will use this to update the restored data. To replicate the restored data to
the other servers, you must use an authoritative restore.

Distributed Data    Reason for using Normal Restore of System State Data
Active Directory    Restoring a single domain controller in a replicated environment.
SYSVOL              Restoring a single domain controller in a replicated environment.
Replica Sets        Restoring all but the first replica sets (that is, sets 2 through n, for n replica
                    sets).

Authoritative restore
To authoritatively restore Active Directory data, you need to run the Ntdsutil
utility after you have restored the System State data but before you restart the
server. The Ntdsutil utility lets you mark Active Directory objects for
authoritative restore. Each object has an update sequence number (USN); when
the object is modified, the USN is incremented, and this number is different on
each domain controller. When an object is marked for authoritative restore its
USN is changed so that it is higher than any other update sequence number in
the Active Directory replication system. This ensures that any replicated or
distributed data that you restore is properly replicated or distributed throughout
your organization.
For example, if you inadvertently delete or modify objects stored in the Active
Directory directory service, and those objects are replicated or distributed to
other servers, you will need to authoritatively restore those objects so they are
replicated or distributed to the other servers. If you do not authoritatively restore
the objects, they will never get replicated or distributed to your other servers
because they will appear to be older than the objects currently on your other
servers. Using the Ntdsutil utility to mark objects for authoritative restore
ensures that the data you want to restore gets replicated or distributed
throughout your organization. On the other hand, if your system disk has failed
or the Active Directory database is corrupted, then you can simply restore the
data nonauthoritatively without using the Ntdsutil utility.
You can run the Ntdsutil command-line utility from the command prompt. For more
information about using Ntdsutil to perform an authoritative restore, see Ntdsutil. Help for
the Ntdsutil utility is also available through the command prompt by typing ntdsutil /?.
Distributed Data    Reason for using Authoritative Restore of System State Data
Active Directory    Rolling back or undoing changes.
SYSVOL              Resetting data.
Replica Sets        Rolling back or undoing changes.
Caution

When you restore the System State data, and you do not designate an alternate location for the
data, Backup will erase the System State data that is currently on your computer and replace it
with the System State data you are restoring.

Notes
• To restore the System State data on a domain controller, you must first start your computer
in Directory Services Restore Mode. This will allow you to restore the SYSVOL directory
and the Active Directory. For more information on starting your computer in Directory
Services Restore Mode, see Startup options.
• You can only restore the System State data on a local computer. You cannot restore the
System State data on a remote computer.

MAIN DIFFERENCE:
To replicate the restored data to the other servers, you must use an authoritative
restore.
In single Domain Controller Environment we should use only Non-Authoritative
Restore.

Running NTDSUTIL
Run NTDSUTIL and mark all appropriate objects as “Authoritative." To mark just a subtree
as authoritative, type in the text "restore subtree <name>", where <name> is a string (e.g.
"restore subtree
cn=DomainController,ou=DomainControllers,c=DomainName,dc=TopLevelDomainName"),
at the authoritative restore prompt and press "Enter." For more information, see Microsoft's
documentation on restoring subtrees. NTDSUTIL can be run from the Command prompt.

NOTE: Type "ntdsutil /?" for help on this utility.

1. From the Command prompt type "NTDSUTIL" and press "Enter."
2. Type "authoritative restore" at the NTDSUTIL.EXE prompt and press "Enter."
3. Type in the text "restore database" at the "authoritative restore" prompt and press
"Enter" to make the full Active Directory restore Authoritative. This command will be
used in most cases.
4. Select "Yes" when prompted with the Authoritative Restore confirmation screen.

Fig. 3 - Authoritative restore confirmation prompt.

5. NTDSUTIL will return the number of records that need updating, as well as the
number of records updated.
OR
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com

Opening DIT database... Done.

The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.

Counting records that need updating...
Records found: 0000000012
Fig. 4 - NTDSUTIL from a DOS prompt.

6. Type in "quit" at the "authoritative restore" prompt and press "Enter."
7. Type in "quit" at the NTDSUTIL.EXE prompt and press "Enter."
8. Reboot.

Learning Points for Authoritative Restore


1) NTDSutil has about 8 modes; here we want specifically Authoritative Restore.
2) Success or failure depends on using ADSI Edit to get the correct path; for me this is the
most nerve-wracking part of the exercise.
3) Notice how NTDSutil increases the version number by 100000. This makes sure that the
restored objects have a later version number than any equivalent object on the other domain
controllers. As a result, when you reboot this machine it will replicate the restored
OU=bosses to the other domain controllers.
4) NTDSutil is a Microsoft utility built into Windows Servers.
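The replication behaviour described in this section (a non-authoritatively restored object is outranked by the newer deletion on its replication partners, while the 100000 version increment applied by NTDSUTIL makes the restored subtree win) is modelled in the following Python script. This is an added example, not code from the page or from Microsoft: it keeps a single version number per object as a stand-in for the per-attribute version numbers and per-DC USNs a real DC tracks, and the DC names, the OU=bosses,DC=ourdom,DC=com subtree and the user beneath it are constructed test data.

```python
"""Toy model of Active Directory replication conflict resolution, written to
show why a non-authoritative restore of a deleted OU is re-deleted by its
replication partners, while an authoritative restore (version increment of
100000, as ntdsutil applies) propagates the restored objects instead.
Constructed example: one version number per object stands in for the
per-attribute version numbers and per-DC USNs that a real DC keeps."""
from copy import deepcopy

AUTHORITATIVE_INCREMENT = 100000  # the increment ntdsutil reports during a restore


def in_subtree(dn, subtree_dn):
    """True if dn is subtree_dn itself or lies beneath it (DNs compare case-insensitively)."""
    dn, subtree_dn = dn.lower(), subtree_dn.lower()
    return dn == subtree_dn or dn.endswith("," + subtree_dn)


def replicate(dc_a, dc_b):
    """Bidirectional replication: for every object the copy with the higher
    version wins and is written to both DCs, whether it is live or a deletion."""
    for dn in set(dc_a) | set(dc_b):
        copies = [c for c in (dc_a.get(dn), dc_b.get(dn)) if c is not None]
        winner = max(copies, key=lambda obj: obj["version"])
        dc_a[dn] = dict(winner)
        dc_b[dn] = dict(winner)


def delete_object(dc, dn):
    """A deletion is an ordinary change: the tombstone carries a higher version."""
    dc[dn] = {"version": dc[dn]["version"] + 1, "deleted": True}


def mark_authoritative(dc, subtree_dn, increment=AUTHORITATIVE_INCREMENT):
    """Model of 'restore subtree <dn>': raise the version of every object in the
    subtree so the restored copies outrank anything on the other DCs.
    Returns the number of records updated, as ntdsutil reports."""
    marked = 0
    for dn, obj in dc.items():
        if in_subtree(dn, subtree_dn):
            obj["version"] += increment
            marked += 1
    return marked


def run_restore_scenario(authoritative):
    """Two in-sync DCs; DC1 is backed up; the OU is deleted on DC2 and the
    deletion replicates; DC1 is then restored from the backup, optionally
    marked authoritative, and replication runs again. Returns both DCs."""
    ou = "OU=bosses,DC=ourdom,DC=com"
    user = "CN=Alice,OU=bosses,DC=ourdom,DC=com"
    dc1 = {ou: {"version": 3, "deleted": False},
           user: {"version": 5, "deleted": False}}
    dc2 = deepcopy(dc1)
    backup_of_dc1 = deepcopy(dc1)          # System State backup taken here

    delete_object(dc2, ou)                 # accidental deletion after the backup
    delete_object(dc2, user)
    replicate(dc1, dc2)                    # the deletion reaches DC1 as well

    dc1 = deepcopy(backup_of_dc1)          # restore System State on DC1 (in DSRM)
    if authoritative:
        mark_authoritative(dc1, ou)        # the ntdsutil step before the reboot
    replicate(dc1, dc2)                    # normal replication after the reboot
    return {"dc1": dc1, "dc2": dc2}


if __name__ == "__main__":
    for mode in (False, True):
        result = run_restore_scenario(authoritative=mode)
        state = result["dc2"]["OU=bosses,DC=ourdom,DC=com"]
        print("authoritative=%s -> OU on DC2: %s" % (mode, state))
```

Running the script prints the OU as deleted (version 4) on DC2 after the non-authoritative run and as live with version 100003 after the authoritative one, which is exactly the difference the two restore methods make in production.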

5. What is File Replication Service


The replication service maintains identical sets of files and directories on different servers
and workstations. When files are updated on one server, the file replication service replaces
the corresponding files on other servers and workstations with the updated files. The
replication process simplifies the task of updating and coordinating files, and maintains the
integrity of the replicated data.
6. What is Forest, Domain, Schema, Global Catalogue, Universal Group Caching?
Forest:
A tree is a hierarchical collection of domains that share a common namespace and
are connected by transitive trust relationships. A collection of such trees is called a
forest.
Domain:
In an Active Directory environment, resources are logically grouped into units of
replication; these logical groupings are domains.
Schema:
The schema holds the definitions of all object types that exist within Active Directory and
their associated attributes. The schema is stored on all domain controllers throughout the
forest. It controls all updates and modifications to the schema. The schema is made up of
classes and attributes.
Global Catalogue:
It:
I. Stores information about all Active Directory objects from all domains in a single
forest.
II. Stores information on universal groups and their associated membership.
III. Forwards authentication requests to the appropriate domain when a user
principal name is used to log on.
IV. Validates object references within a forest.
Universal Group Membership Caching:
UGMC helps to reduce the number of universal group membership queries that need to be
forwarded across a WAN link when a user attempts to log on.
By default UGMC refreshes the Universal Group Membership information for a user every 8
hours.
Benefits of UGMC:
I. Faster user logon times, because the global catalogue server does not need
to be contacted for all logon requests.
II. Reducing the need to place global catalogue servers in each site.
III. Reducing the WAN bandwidth usage associated with Global
Catalogue replication.
Note: Where a high number of directory queries is expected, a global catalogue at each site
is the best possible solution.
What is Global Catalog? The Global Catalog authenticates network user logons and
fields inquiries about objects across a forest or tree. Every domain has at least one GC
that is hosted on a domain controller. In Windows 2000, there was typically one GC
on every site in order to prevent user logon failures across the network.
How is user account security established in Windows Server 2003? When an
account is created, it is given a unique access number known as a security identifier
(SID). Every group to which the user belongs has an associated SID. The user and
related group SIDs together form the user account’s security token, which determines
access levels to objects throughout the system and network. SIDs from the security
token are mapped to the access control list (ACL) of any object the user attempts to
access.
If I delete a user and then create a new account with the same username and
password, would the SID and permissions stay the same? No. If you delete a user
account and attempt to recreate it with the same user name and password, the SID
will be different.
7. How to know the size of Active directory Database?
The size of ntds.dit will often differ across the domain controllers in a domain.
Remember that Active Directory is a multi-master independent model where updates are
occurring on each of the DCs, with the changes being replicated over time to the other domain
controllers. The changed data is replicated between domain controllers, not the database file, so
there is no guarantee that the files are going to be the same size across all domain
controllers.

Start/Reboot.
Press F8.
Choose Directory Services Restore Mode and press ENTER.
Press ENTER again to start the boot process.
Log on using the password defined for the local Administrator account.
Open the Command Prompt.
At the command prompt, run the ntdsutil command.
When ntdsutil has started, type files and press ENTER.
Type info and then press ENTER. This will display current information about the path
and size of the Active Directory database and its log files.

8. What are the FSMO roles?


In a forest there are 5 FSMO roles.
I. Schema Master
II. Domain Naming Master
III. Infrastructure Master
IV. Relative ID Master.
V. PDC Emulator
I. Schema Master:
The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema
master to all other DCs in the directory. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the
whole forest.
II. Domain Naming Master
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain from
the directory. It can also add or remove cross references to domains in external
directories. There can be only one domain naming master in the whole forest.

III. Infrastructure Master


When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals),
and the DN of the object being referenced. The infrastructure FSMO role holder is
the DC responsible for updating an object's SID and distinguished name in a cross-
domain object reference. At any one time, there can be only one domain controller
acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global
Catalog server it will stop updating object information because it does not contain any
references to objects that it does not hold. This is because a Global Catalog server
holds a partial replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will be
logged on that DC's event log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have the current data, and it is not important
which domain controller holds the infrastructure master role.

IV. Relative ID Master


The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object such
as a user or group, it attaches a unique Security ID (SID) to the object. This SID
consists of a domain SID (the same for all SIDs created in a domain), and a relative
ID (RID) that is unique for each security Principal SID created in a domain. Each DC
in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain RID
master responds to the request by retrieving RIDs from the domain's unallocated RID
pool and assigns them to the pool of the requesting DC. At any one time, there can
be only one domain controller acting as the RID master in the domain.
V. PDC Emulator
The PDC emulator is necessary to synchronize time in an enterprise. Windows
2000/2003 includes the W32Time (Windows Time) time service that is required by
the Kerberos authentication protocol. All Windows 2000/2003-based computers
within an enterprise use a common time. The time service enforces a hierarchical
relationship that controls authority and does not permit loops, so that a common
time is used appropriately.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at
the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:

• Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator before a bad password failure
message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always done from the
GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do
so by the administrator.
• The PDC emulator performs all of the functionality that a Microsoft Windows
NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or
earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded
to Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.

9. What are the files of active directory


NTDS.DIT              Main database file
Edb.chk               Checkpoint log file
Edb.log               Transaction log file (if there is more than one log file, the name becomes
                      edbhhhhhh.log, where hhhhhh is a hexadecimal number)
.pat                  Patch files - manage data while backups are done
res1.log & res2.log   Reserve log files - reserve hard drive space for transaction log files

10. What is the location of NTDS.DIT file?


%systemroot%\ntds\ntds.dit

11. What is difference between Primary and Secondary DNS servers?


The Primary DNS server contains the read-write copy of the zone database.
The Secondary DNS server contains a read-only copy of the zone database.
A Primary DNS server can be Active Directory-integrated.
A Secondary DNS server cannot be.
The Secondary DNS server updates its DNS records from the Primary DNS server.

What are the five FSMO roles?

Schema Master           Forest level    One per forest
Domain Naming Master    Forest level    One per forest
PDC Emulator            Domain level    One per domain
RID Master              Domain level    One per domain
Infrastructure Master   Domain level    One per domain

Q2. What are their functions?


1. Schema Master (Forest level)
The schema master FSMO role holder is the Domain Controller responsible for performing updates to
the active directory schema. It contains the only writable copy of the AD schema. This DC is the
only one that can process updates to the directory schema, and once the schema update is
complete, it is replicated from the schema master to all other DCs in the forest. There is only one
schema master in the forest.
2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide
domain name space of the directory. This DC is the only one that can add or remove a domain
from the directory, and that is its major purpose. It can also add or remove cross references to
domains in external directories. There is only one domain naming master in the active directory or
forest.
3. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator for validation before a bad password failure message is reported to
the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the
Windows 2000 domain controller, that is the PDC emulator, acts as a Windows NT 4 PDC to the
BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not
true. Even after you have changed your domain to native mode (no more NT 4 domain controllers),
the PDC emulator is still necessary for the reasons above.
4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from
all DCs within a given domain. It is also responsible for removing an object from its domain and
putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches
a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs
created in a domain), and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request
for additional RIDs to the domain's RID master. The domain RID master responds to the request by
retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the
requesting DC.

There is one RID master per domain in a directory.
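The SID structure (domain SID plus RID) and the RID pool mechanism described here and under question 8 are worked through in the following Python script, which is an added example and not code from the page or from Microsoft. The SID string and binary layouts are the real Windows formats; the domain SID S-1-5-21-1-2-3, the DC names, the starting RID and the pool threshold are constructed values, and the block size of 500 is used because that is the default a RID master hands out.

```python
"""SID layout and RID pool allocation, modelled in Python.
Constructed example: the domain SID, DC names, starting RID and threshold are
made up; the 500-RID block is the default size a real RID master allocates."""
import struct


def parse_sid(sid):
    """Split 'S-<rev>-<authority>-<sub1>-...-<subN>' into (rev, authority, [subs])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_sid(sid):
    """Return (domain SID, RID) for a domain security principal SID of the form
    S-1-5-21-x-y-z-RID. Well-known SIDs such as S-1-5-32-544 are rejected."""
    rev, auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain security principal SID: %r" % sid)
    domain = "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs[:-1]])
    return domain, subs[-1]


def is_domain_principal_sid(sid):
    try:
        split_domain_sid(sid)
        return True
    except ValueError:
        return False


def sid_to_bytes(sid):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian)."""
    rev, auth, subs = parse_sid(sid)
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes."""
    rev, count = data[0], data[1]
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])


class RidMaster:
    """Hands out contiguous RID blocks from the domain's unallocated pool."""
    def __init__(self, first_rid=1000, block_size=500):
        self.next_rid, self.block_size, self.available = first_rid, block_size, True

    def allocate(self):
        if not self.available:
            raise RuntimeError("RID master unreachable")
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


class DomainController:
    """A DC consumes its local RID pool and asks the RID master for a new block
    once the pool falls to the threshold; if the master is down it keeps working
    until the local pool is empty, which is why a RID master outage rarely hurts."""
    def __init__(self, name, domain_sid, rid_master, threshold=50):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self.threshold, self.pool = threshold, []

    def create_principal(self):
        if len(self.pool) <= self.threshold:
            try:
                self.pool.extend(self.rid_master.allocate())
            except RuntimeError:
                if not self.pool:
                    raise          # pool exhausted and no master: creation fails
        return "%s-%d" % (self.domain_sid, self.pool.pop(0))


def principals_until_exhausted(dc, limit=10000):
    """Create principals until the DC cannot obtain a RID; returns the SIDs issued."""
    issued = []
    while len(issued) < limit:
        try:
            issued.append(dc.create_principal())
        except RuntimeError:
            break
    return issued


if __name__ == "__main__":
    master = RidMaster()
    dc1 = DomainController("DC1", "S-1-5-21-1-2-3", master)
    print(dc1.create_principal())           # first RID from the first block
    master.available = False                # simulate the RID master failing
    print(len(principals_until_exhausted(dc1)), "more principals created from the local pool")
```

Two DCs sharing one RidMaster never receive overlapping blocks, which is what keeps SIDs unique across the domain; and the exhaustion run shows the failure case from the "What if a FSMO server fails?" section: creation only stops once a DC's own pool is used up.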


5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and
lookups. When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals), and the
distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC
responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved.
Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his
username in DomainA, the Infrastructure master must update the group membership(s) in DomainB
with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema
updates are rare (usually done by certain applications and possibly an
Administrator adding an attribute to an object), the malfunction of the
server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a
domain from the forest (i.e. running DCPROMO). If it is not, then the domain
cannot be added or removed. It is also needed when promoting or demoting
a server to/from a Domain Controller. Like the Schema Master, this
functionality is only used on occasion and is not critical unless you are
modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is
unavailable. This would be most noticeable in a mixed mode domain where
you are still running NT 4 BDCs and if you are using downlevel clients (NT
and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions
that depend on the PDC would be affected (User Manager for Domains,
Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical
because other domain controllers can assume most of the responsibilities of
the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups,
computer accounts). The failure of this FSMO server would have little impact
unless you are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would
occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only
have one domain, then the Infrastructure Master is irrelevant. Failure of this
server in a multi-domain environment would be a problem if you are trying
to add objects from one domain to another.

Q4. Where are these FSMO server roles found?


The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO
server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to
other domain controllers.
Q5. Can you Move FSMO roles?
Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only
have one domain controller in your domain? That is fine. If you have only one domain controller in your
organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO
server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server
role.
Q6. Where to place the FSMO roles?
Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for
placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should
be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest,
then you can leave them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going
to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog
servers.

IMP:- Why Infrastructure Master should not be on the same server that acts as a Global Catalog
server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog server.
The reason for this is the Global Catalog contains information about every object in the forest. When the
Infrastructure Master, which is responsible for updating Active Directory information about cross domain object
changes, needs information about objects not in its domain, it contacts the Global Catalog server for this
information. If they both reside on the same server, then the Infrastructure Master will never think there are
changes to objects that reside in other domains because the Global Catalog will keep it constantly updated.
This would result in the Infrastructure Master never replicating changes to other domain controllers in its
domain.
Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not
mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since
the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can
handle the load.

It is also recommended that all FSMO role holders be direct replication partners and they have high bandwidth
connections to one another as well as a Global Catalog server.

Q7.What permissions you should have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to
transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS
Q8. Tools to find out what servers in your domain/forest hold what server roles?
1. Active Directory Users and Computers:- use this snap-in to find out where the domain level FSMO roles
are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more
of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and
click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each
tab to see what server that role resides on. To change the server roles, you must first connect to the domain
controller you want to move it to. Do this by right clicking "Active Directory Users and Computers" at the top
of the Active Directory Users and Computers snap-in and choose "Connect to Domain Controller". Once
connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the
Change button.
When you do connect to another DC, you will notice the name of that DC will be in the field below the Change
button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master
FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory
Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory
Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose
"Operations Master". When you do, you will see the dialog box below. Changing the server that houses the
Domain Naming Master requires that you first connect to the new domain controller, then click the Change
button. You can connect to another domain controller by right clicking "Active Directory Domains and Trusts"
at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role.
However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or
installation. You first have to install the Support Tools from the \Support directory on the Windows 2000
server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open
up a blank Microsoft Management Console (start, run, mmc) and add the snap-in to the console. Once the
snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters".
You will see the dialog box below. Changing the server the Schema Master resides on requires you first
connect to another domain controller, and then click the Change button.

You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the
Active Directory Schema snap-in and choosing "Connect to Domain Controller".

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command
line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed
the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window and type:

netdom query fsmo

and press Enter. You will see a list of the FSMO role servers.
5. Active Directory Replication Monitor
Another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility
from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the
name of a Domain Controller. Once added, right click the Server name and choose properties. Click the FSMO
Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication
Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is
something you should check out if you haven't already.
Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles.
Ntdsutil.exe, a command line utility that is installed with Windows 2000 server, is rather complicated and
beyond the scope of this document.
6. DUMPFSMOS
• Command-line tool to query for the current FSMO role holders
• Part of the Microsoft Windows 2000 Server Resource Kit
• Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
• Prints the current FSMO holders to the screen
• Calls NTDSUTIL to get this information
7. NLTEST
• Command-line tool to perform common network administrative tasks
• Type “nltest /?” for syntax and switches
• Common uses:
    • Get a list of all DCs in the domain
    • Get the name of the PDC emulator
    • Query or reset the secure channel for a server
    • Call DsGetDCName to query for an available domain controller
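The placement rules from Q6 can be checked mechanically against the output of the netdom tool from Q8. The following Python script is an added example, not part of this document or of any Microsoft tool: it parses a constructed sample of "netdom query fsmo" output (the host names dc1.corp.example and dc2.corp.example are made up) together with a constructed list of which domain controllers are Global Catalog servers, and reports any role placement that departs from the guidance above.

```python
"""
FSMO placement check: parse "netdom query fsmo" output and test it against the
placement guidance above. Added example, not part of the original document.
The netdom sample, the host names and the Global Catalog inventory are all
constructed; a real run would feed in the live netdom output and the GC list.
"""
import re

# Constructed sample of "netdom query fsmo" output (host names are made up).
NETDOM_OUTPUT = """\
Schema master               dc1.corp.example
Domain naming master        dc1.corp.example
PDC                         dc2.corp.example
RID pool manager            dc2.corp.example
Infrastructure master       dc1.corp.example
The command completed successfully.
"""

# Constructed inventory: which domain controllers hold a Global Catalog.
GLOBAL_CATALOGS = {"dc1.corp.example"}

# netdom's labels mapped onto the role names used in the text above.
ROLE_LABELS = {
    "Schema master": "Schema Master",
    "Domain naming master": "Domain Naming Master",
    "PDC": "PDC Emulator",
    "RID pool manager": "RID Master",
    "Infrastructure master": "Infrastructure Master",
}


def parse_netdom_fsmo(text):
    """Return {role name: holder FQDN} from netdom query fsmo output."""
    holders = {}
    for line in text.splitlines():
        # a role label, two or more spaces, then the holder's name
        match = re.match(r"^(.*?)\s{2,}(\S+)\s*$", line)
        if match and match.group(1).strip() in ROLE_LABELS:
            holders[ROLE_LABELS[match.group(1).strip()]] = match.group(2).lower()
    return holders


def check_placement(holders, global_catalogs, domain_count):
    """Findings against the guidance above; an empty list means the layout follows it."""
    findings = []
    schema = holders["Schema Master"]
    naming = holders["Domain Naming Master"]
    infra = holders["Infrastructure Master"]
    pdc = holders["PDC Emulator"]
    rid = holders["RID Master"]

    # Schema Master and Domain Naming Master: same server, and that server a GC
    # (if they are separated, each must still sit on a GC).
    for role, holder in (("Schema Master", schema), ("Domain Naming Master", naming)):
        if holder not in global_catalogs:
            findings.append(f"{role} {holder} is not a Global Catalog server")
    if schema != naming:
        findings.append("Schema Master and Domain Naming Master are on different servers")

    # Infrastructure Master must not be a GC, except in a single-domain forest.
    if domain_count > 1 and infra in global_catalogs:
        findings.append(f"Infrastructure Master {infra} is a Global Catalog server "
                        "in a multi-domain forest")

    # PDC Emulator and RID Master on the same server is recommended, not mandatory.
    if pdc != rid:
        findings.append("PDC Emulator and RID Master are on different servers (recommended)")
    return findings


if __name__ == "__main__":
    roles = parse_netdom_fsmo(NETDOM_OUTPUT)
    for finding in check_placement(roles, GLOBAL_CATALOGS, domain_count=2):
        print("WARNING:", finding)
```

With the constructed sample, a single-domain forest produces no findings, while a two-domain forest flags the Infrastructure Master sitting on the Global Catalog server dc1.corp.example, which is exactly the multi-domain case the note above warns about.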

12. What are common reasons to split a domain?

These are:
I. Different password requirements are defined for different domains.
II. Administration of a specific domain-wide feature, user account or security
policy is decentralized.
III. Extraordinarily large numbers of objects are created.
IV. More control over replication is required.

Active Directory Support Files


The ESE engine used by Active Directory is based on Microsoft's Jet database technology.
Jet uses a b-tree file structure with transaction logs to ensure recoverability in the event of a
system or drive failure.
When you promote a server to a domain controller, you select where to put the Active
Directory files. The default path is in the boot partition under \Windows\NTDS. Generally, it
is a good idea to put them on a separate volume from the operating system files to improve
performance.
The following list contains the Active Directory support files and their functions:

• Ntds.dit. This is the main AD database. NTDS stands for NT Directory Services. The
DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain
controller contains all naming contexts hosted by that domain controller, including the
Configuration and Schema naming contexts. A Global Catalog server stores the
partial naming context replicas in the Ntds.dit right along with the full Domain
naming context for its domain.
• Edb.log. This is a transaction log. Any changes made to objects in Active Directory
are first saved to a transaction log. During lulls in CPU activity, the database engine
commits the transactions into the main Ntds.dit database. This ensures that the
database can be recovered in the event of a system crash. Entries that have not been
committed to Ntds.dit are kept in memory to improve performance. Transaction log
files used by the ESE engine are always 10MB.
• Edbxxxxx.log. These are auxiliary transaction logs used to store changes if the main
Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a
sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is
opened. The original Edb.log file is renamed to Edb00001.log, and Edbtemp.log is
renamed to Edb.log, and the process starts over again. ESENT uses circular
logging. Excess log files are deleted after they have been committed. You may see
more than one Edbxxxxx.log file if a busy domain controller has many updates
pending.
• Edb.chk. This is a checkpoint file. It is used by the transaction logging system to
mark the point at which updates are transferred from the log files to Ntds.dit. As
transactions are committed, the checkpoint moves forward in the Edb.chk file. If the
system terminates abnormally, the pointer tells the system how far along a given set
of commits had progressed before the termination.
• Res1.log and Res2.log. These are reserve log files. If the hard drive fills to capacity
just as the system is attempting to create an Edbxxxxx.log file, the space reserved by
the Res log files is used. The system then puts a dire warning on the screen prompting
you to take action to free up disk space quickly before Active Directory gets
corrupted. You should never let a volume containing Active Directory files get even
close to being full. File fragmentation is a big performance thief, and fragmentation
increases exponentially as free space diminishes. Also, you may run into problems as
you run out of drive space with online database defragmentation (compaction). This
can cause Active Directory to stop working if the indexes cannot be rebuilt.
• Temp.edb. This is a scratch pad used to store information about in-progress
transactions and to hold pages pulled out of Ntds.dit during compaction.
• Schema.ini. This file is used to initialize the Ntds.dit during the initial promotion of a
domain controller. It is not used after that has been accomplished.
Active Directory Replication
As mentioned in an earlier section, the Active Directory database is replicated between domain
controllers. The units of data replicated between controllers are called naming
contexts. Once a domain controller has been established, only the changes are replicated.
Active Directory uses a multimaster model which means changes can be made on any
controller and the changes are sent to all other controllers. The replication path in Active
Directory forms a ring which adds reliability to the replication.
How Replication is Tracked
• USN - Each object has an Update Sequence Number (USN), and if the object is
modified, the USN is incremented. This number is different on each domain controller.
• Stamps - Each object has a stamp with the version number, timestamp, and the GUID of
the domain controller where the change was made
Domain controllers each contain a "replica" which is a copy of the domain directory. The
"directory update type" indicates how the data is replicated. The two types are:
• Origination update - A change made by an administrator at the local domain controller.
• Replicated update - A change made to the replica because of a replication from a
replication partner.
Replication Sequence
Terms:
• Latency - The required time for all updates to be completed throughout all domain
controllers on the network domain or forest.
• Convergence - The state at which all domain controllers have the same replica contents
of the Active directory database.
• Loose consistency - The state at which all changes to the database are not yet replicated
throughout all controllers in the database (not converged).
A change is made to the Active Directory database on a domain controller. The attribute of
the object and the new USN is written to the database. The entire object is NOT
replicated. This is called an atomic operation because both changes are done, or neither
change is done. This is an origination update. There are four types:
• Add - An object is added to the database.
• Delete - An object is deleted from the database.
• Modify - An object in the database has its attributes modified.
• Modify DN - An object is renamed or moved to another domain.
The controller the change was made on (after five minutes of stability), notifies its
replication partners that a change was made. It sends a change notification to these
partners, but only notifies one partner every 30 seconds so it is not overwhelmed with
update requests. Each controller, in turn, when it is updated, sends a change notice to its
respective replication partners.
The replication partners each send an update request with a USN to the domain controller
that the change was made on. The USN identifies the current state of the domain
controller making the change. Each change has a unique USN. This way the domain
controller that has the change knows the state of the domain controller requesting the
changes and only the changes are required to be sent. The time on each controller,
therefore, does not need to be synchronized exactly although timestamps are used to
If no changes have been performed in six hours, replication procedures are performed to be
sure no information has been missed.
Information sent during an update includes:
• Updated object
• The GUID and USN of the domain server with the originating update.
• A local USN of the update on the updated object.
Replication Path
The path that replicated Active Directory data travels through an enterprise, from domain
controller to domain controller, is called the replication topology. Connection objects are used to define the
replication paths between domain controllers. Active Directory, by default, sets up a two way
ring replication path. The data can travel in both directions around the ring which provides
redundancy and reliability. Two types of replication occur in the path:
• Direct replication - When replication is done from a primary source of data.
• Transitive replication - When replication is done from a secondhand or replicated
source of data.
The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates
the replication topology by specifying what domain controllers will replicate to which other
domain controllers in the site. The KCC maintains a list of connections, called a replication
topology, to other domain controllers in the site. The KCC ensures that changes to any object
are replicated to all site domain controllers and updates go through no more than three
connections. Also an administrator can configure connection objects.
The KCC uses information provided by the administrator about sites and subnets to
automatically build the Active Directory replication topology.
Propagation Dampening
Terms:
• Propagation dampening is used to prevent unnecessary replication by preventing
updates from being sent to servers that are already updated. Each domain controller
keeps a list of other known domain controllers and the last USN received from each
controller. Two up-to-date vector numbers support this:
    • Replica GUID
    • Update Sequence Number (USN) - Mentioned earlier, it is incremented
    any time an origination or replicated update is received. The USN stored is
    from the originating server. It is stored as metadata with:
        • An attribute indicating "added" or "changed" for the object being
        updated.
        • The GUID (above).
        • A local USN for the object attribute changed.
        • The changed data.
    The up-to-date vector numbers are incremented when replication occurs with
    the originating server. Each domain controller has its own different USN
    (they may not start at the same number). The highest USN from each domain
    controller that is stored in other domain controllers is called the high
    watermark for that domain controller.
• Propagation delay describes the amount of time required for a change to be replicated
to domain controllers throughout the domain.
• Ring Topology - The Active Directory replication process uses a ring topology where
the replication partners form a ring. This adds reliability to the process and also helps
decrease propagation delay.
The information sent in an update request includes the high watermark entry for the
originating server for the last change received. If the high watermark received from the server
that sent the update request is the same as the high watermark for the originating server on the
server receiving the request, the receiving server will not send the replicated information.
The usnChanged attribute is the highest USN number for any object.
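The up-to-date vector behaviour described above, as an added example in Python (not part of the original document): three constructed domain controllers dc1, dc2 and dc3 replicate in a ring. dc1's changes reach dc3 through dc2, and when dc3 later requests changes directly from dc1, dc1 compares its log against dc3's vector and sends nothing. The controller names stand in for replica GUIDs and the object and attribute names are made up.

```python
"""
Up-to-date vector / propagation dampening simulation.
Added example, not part of the original document. Constructed DCs dc1, dc2, dc3;
names stand in for replica GUIDs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    originating_dc: str   # name standing in for the originating DC's GUID
    originating_usn: int  # USN the change received on the originating DC
    obj: str
    attr: str
    value: str


@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # local USN counter
    store: dict = field(default_factory=dict)      # (obj, attr) -> value
    log: list = field(default_factory=list)        # (local USN, Change), in local USN order
    # up-to-date vector: originating DC -> highest originating USN applied here
    utd_vector: dict = field(default_factory=dict)

    def _record(self, change):
        """Assign a local USN to the change and raise the up-to-date vector entry."""
        self.usn += 1
        self.log.append((self.usn, change))
        self.store[(change.obj, change.attr)] = change.value
        self.utd_vector[change.originating_dc] = max(
            self.utd_vector.get(change.originating_dc, 0), change.originating_usn)

    def originate(self, obj, attr, value):
        """Origination update: the change is stamped with this DC's next USN."""
        change = Change(self.name, self.usn + 1, obj, attr, value)
        self._record(change)
        return change

    def receive(self, change):
        """Replicated update. Returns False if this DC already holds the change."""
        if change.originating_usn <= self.utd_vector.get(change.originating_dc, 0):
            return False  # dampened: vector already covers this originating USN
        self._record(change)
        return True

    def changes_for(self, partner_vector):
        """Changes the partner has not seen, judged by the partner's up-to-date vector."""
        return [c for _, c in self.log
                if c.originating_usn > partner_vector.get(c.originating_dc, 0)]


def replicate(source, destination):
    """One replication cycle: the destination sends its vector, the source
    sends only the changes that lie above it. Returns how many were sent."""
    pending = source.changes_for(destination.utd_vector)
    for change in pending:
        destination.receive(change)
    return len(pending)


def run_scenario():
    """Ring dc1 -> dc2 -> dc3, then the direct dc1 -> dc3 link. Returns
    (changes sent on each link, whether all three replicas converged)."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("dc1", "dc2", "dc3"))
    dc1.originate("cn=alice", "title", "Engineer")
    dc1.originate("cn=alice", "department", "Security")
    sent = (
        replicate(dc1, dc2),  # dc2 pulls both changes directly from dc1
        replicate(dc2, dc3),  # dc3 receives them transitively via dc2
        replicate(dc1, dc3),  # dampened: dc3's vector already has dc1 at USN 2
    )
    converged = dc1.store == dc2.store == dc3.store
    return sent, converged


if __name__ == "__main__":
    print(run_scenario())
```

Note that dc3 receives dc1's changes with dc1's originating USN preserved in the metadata even though they arrived from dc2; that is what lets dc1 recognise, from dc3's vector alone, that nothing needs to be sent over the direct link.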
Replication Partitions
Types of Active Directory data storage categories which are called partitions:
• Schema partition - Defines rules for object creation and modification for all objects in
the forest. Replicated to all domain controllers in the forest, it is known as an enterprise
partition.
• Configuration partition - Information about the forest directory structure is defined
including trees, domains, domain trust relationships, and sites (TCP/IP subnet group).
Replicated to all domain controllers in the forest, it is known as an enterprise
partition.
• Domain partition - Has complete information about all domain objects (Objects that
are part of the domain including OUs, groups, users and others). Replicated only to
domain controllers in the same domain.
• Partial domain directory partition - Has a list of all objects in the directory
with a partial list of attributes for each object.
These partitions are all replicated between domain controllers by Active directory. Different
partitions may be replicated between different replication partners.
Replication Conflict
Replication conflict occurs when changes are made to the same object and attribute before the
changes can be replicated throughout all domain controller's copies of the database.
Additional data (metadata) stored for each object attribute includes (not related to USN):
• Time stamp of the last change.
• Attribute version number - For each object's attributes, this value is the same on all
domain controllers.
When an Active Directory database update is received on a domain controller, one of the
following happens:
• If the update attribute version number is higher than the current version number on the
controller, the new value of the attribute is stored and the version number is updated.
• If the update attribute version number and stored attribute version number are the
same, timestamps are used to resolve the conflict.
• If the both version numbers and both timestamps are the same, the update from the
controller with the highest GUID is used.
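The three-step conflict resolution just listed, as an added example in Python (not part of the original document). The per-attribute metadata carries the version number, the timestamp of the last change and the originating DC's GUID; the GUID strings, timestamps and object names below are constructed. The point worth checking is that the rule gives the same winner no matter which replica applies the other's update first, so both copies converge.

```python
"""
Replication conflict resolution: version number, then timestamp, then GUID.
Added example, not part of the original document; GUIDs and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrStamp:
    """Metadata stored per attribute value (the 'stamp' described earlier)."""
    version: int            # attribute version number
    timestamp: int          # time of the originating write (constructed integer seconds)
    originating_guid: str   # GUID of the DC where the change was made (constructed)
    value: str


def winner(a, b):
    """The stamp that survives a conflict: higher version wins; on a tie the
    later timestamp wins; on a second tie the higher originating GUID wins."""
    if a.version != b.version:
        return a if a.version > b.version else b
    if a.timestamp != b.timestamp:
        return a if a.timestamp > b.timestamp else b
    return a if a.originating_guid > b.originating_guid else b


def apply_update(store, key, incoming):
    """Apply an inbound replicated attribute value, keeping whichever stamp wins."""
    current = store.get(key)
    store[key] = incoming if current is None else winner(current, incoming)
    return store[key]


def demo():
    """Two DCs change the same attribute at the same version before replicating
    to each other; both end up holding the later write."""
    key = ("cn=alice", "title")
    from_dc_a = AttrStamp(version=3, timestamp=1_000_000, originating_guid="guid-dc-a", value="Engineer")
    from_dc_b = AttrStamp(version=3, timestamp=1_000_005, originating_guid="guid-dc-b", value="Analyst")
    store_a = {key: from_dc_a}   # replica on DC A, holding its own write
    store_b = {key: from_dc_b}   # replica on DC B, holding its own write
    apply_update(store_a, key, from_dc_b)
    apply_update(store_b, key, from_dc_a)
    return store_a[key].value, store_b[key].value


if __name__ == "__main__":
    print(demo())
```

Because the comparison is a strict total order over (version, timestamp, GUID), winner(a, b) and winner(b, a) always agree; a tie on all three fields is impossible for writes from different DCs, so the GUID step guarantees a decision.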
File Replication Service
In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share
includes group policy information which is replicated to all local domain controllers. File
replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory
Users and Computers" tool is used to change the file replication service schedule.
Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside the site
should be connected by high speed network wires. Replication between two sites may need to
be sent over a slower WAN link or leased line. Intrasite replication data is sent
uncompressed.
Site replication is done using Remote Procedure Call (RPC). If a change is made,
replication occurs within five minutes, and replication is done every six hours if no changes
were made. Domain controllers that receive updates replicate that information to other
domain controllers on their route list. All changes are therefore completed within a site within
15 minutes since there can only be three hops.
The topology used here is the ring topology talked about earlier and this replication is
automatically set up by Active Directory, but may be modified by an administrator.
DNS Replication
The DNS IP address and computer name is stored in Active Directory for Active Directory
integrated DNS zones and replicated to all local domain controllers. DNS information is not
replicated to domain controllers outside the domain.
Intersite Replication
Intersite replication is replication between sites and must be set up by an administrator.
Replication Management
The administrative tool, "Active Directory Sites and Services", is used to manage Active
Directory replication. Replication data is compressed before being sent to minimize
bandwidth use. There are two protocols used to replicate AD:
• Normally Remote Procedure Call (RPC) is used to replicate data and is always used
for intrasite replication since it is required to support the FRS. RPC depends on IP
(internet protocol) for transport.
• Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.
SMTP can't replicate the domain partition, however. Therefore the remote site would need to
be in another domain to be able to effectively use SMTP for carrying replication data.
Bridgehead server - A domain controller that is used to send replication information to one or
more other sites.
Flexible Single Master Operations (FSMO) (discussed in an earlier section) can be
transferred manually to various domain controllers. Roles and tools used to transfer are:
• Schema Master - Use the MMC "Active Directory Schema" snap-in. Makes changes to the
database schema. Applications may remotely connect to the schema master.
• Domain Naming Master - Use "Active Directory Domains and Trusts". Adds or
removes domains to or from the forest.
• Primary Domain Controller (PDC) Emulator - Use the "Active Directory Users and
Computers" administrative tool. When Active Directory is in mixed mode, the
computer Active Directory is on acts as a Windows NT PDC. Mixed mode occurs
when Active Directory interfaces with NT 4.0 BDCs or ones without Windows 2000
Directory Service client software. In mixed mode, computers without Windows 2000
client software must contact the PDC emulator to change user account information.
• Relative ID Master (RID Master) - Use the "Active Directory Users and Computers"
administrative tool. All objects have a Security Identifier (SID) and a domain SID.
The RID Master allocates relative IDs to each domain controller.
• Infrastructure Master - Use the "Active Directory Users and Computers"
administrative tool. Updates group membership information when users from other
domains are moved or renamed.
Any master role can be transferred by using the command line program, ntdsutil.exe. When a
server performing a master role fails and goes offline, you can perform "seizing master
operations" to have another server perform that role. Only the ntdsutil.exe program can
perform this function. Commands include:
• roles - Enters FSMO maintenance; the prompt changes to "fsmo maintenance:".
• connections - A connections prompt appears:
    • connect to server "FQDN of server to connect to"
    • quit
• seize "name of role to transfer". Role names are:
    • PDC
    • RID master
    • schema master
    • domain naming master
    • infrastructure master
Example: "seize RID master"
Replication Associated Performance Monitor Counters
• DRA Inbound Bytes Not Compressed - Replicated uncompressed bytes that are
probably from a Directory Services Agent (another controller sending data) in the
same site.
• DRA Inbound Bytes Compressed (Before Compression) - Replicated bytes received
(as though in uncompressed form).
• DRA Inbound Bytes Not Compressed (After Compression) - Replicated bytes
received (as in compressed form).
• DRA Inbound Bytes Total - The sum of the DRA Inbound Bytes Not Compressed plus
the DRA Inbound Bytes Not Compressed (After Compression).
• DRA Outbound Bytes Not Compressed - Replicated uncompressed bytes that are
being sent to another domain controller in the same site.

Schema Cache
A schema cache which is a copy of the schema in memory can be used to speed up schema
queries but should be used sparingly due to the high memory requirements. If the
schemaUpdateNow attribute is added to the RootDSE a schema cache update is done
immediately. Normally the schema cache is stored in memory when the system boots and
updated every five minutes.
Active Directory Sites
A site is a grouping of machines based on a subnet of TCP/IP addresses. An administrator
determines what a site is. Sites may contain multiple subnets. There can be several domains in a
site.
Active Directory replication to various sites is configured using Active Directory Sites and
Services. Sites and subnets are not related to the structure of the domain.
The following may be created:
• Sites - One or more IP subnets. Generally this refers to a physical site such as a portion
of the organization in particular city or part of a city which is linked by leased lines or
other media to other parts of the organization.
• Subnets - Subnets must be created in each site object before it is really active. A
network address and subnet mask is used to define the subnet.
• Site links - A site link is a list of two or more connected sites. Whether the link will use RPC or
SMTP for passing data must be determined before creating the link since it cannot be
changed. Selecting IP means selecting RPC over IP. Site link information includes:
    • Replication schedule - Specify the times the sites can replicate and how often
    they attempt replication.
    • Link cost - High for a low bandwidth link. A high cost link gets lower priority.
    When there is more than one link to the same location, the lower cost link is
    normally used.
    • Member sites - Lists sites that are connected using the site link.
    • Transport Mechanism - RPC or SMTP (Mail) is specified.
        • SMTP (Mail) - It cannot be used for replication inside the same site and
        is a form of asynchronous replication.
        • RPC - Requires more bandwidth than SMTP.
Bridgehead server - A domain controller that is used to send replication information to
one or more other sites across a site link.
• Site link bridges - Allows one site in a string of sites to replicate through one or two
sites to a second or third site. These are only used for fine control of how replication
will occur across WAN links. This is actually done automatically by AD, without fine
control. To use this feature, automatic bridging of site links must be turned off. You
must have three sites to create a site link bridge since it takes three sites and two site
links to make a string of sites.
• Global catalog servers - The global catalog is a searchable master index with data about
all objects in a forest. The global catalog server maintains this catalog. It:
    • Helps Active Directory resources be located by users.
    • During logon, it provides group membership information.
There is one in each domain by default, and the first domain controller in the domain is
originally the global catalog server. It is worthwhile to have a global catalog server on
each side of a WAN connection if the domain is spread out across a WAN.
13. What is DNS?
Ans: (Domain Name System) - The Internet naming scheme, which consists of a hierarchical
sequence of names, from the most specific to the most general (left to right), separated by
dots.
It is the system which translates an Internet domain name into an IP address and vice
versa.
The server which answers such requests is the DNS server.
14. What is a stub zone?
A stub zone is new in Windows 2003 Server. It contains read-only resource records which it
obtains from other name servers, but it contains only three types of resource record:
I. A copy of the SOA record for the zone
II. Copies of NS records for all name servers authoritative for the zone
III. Copies of A records for all name servers authoritative for the zone

It does not contain CNAME records, MX records, SRV records, or A records for other hosts in
the zone. The most important benefit of a stub zone is to reduce network traffic over a
WAN link and the time needed to resolve resource record queries.

15. What are the steps and commands to restore?

I. Start the computer in Directory Services Restore Mode.
II. Restore the backup from the media as in Non-Authoritative Mode.
III. After the restore completes, do not restart the computer.
IV. Go to the command prompt.
V. Enter ntdsutil:
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com
Opening DIT database... Done.
The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000012
After completing the authoritative restore, restart the computer.

If several domain controllers are placed on the network, and later the network is
broken into sites, appropriate servers must be manually moved to the appropriate site
that they are on. If the domain controller is created after the site is created, the server
is placed automatically in the correct site (based on IP address).

16. How do you check that DNS is working, or how do you check that the service records of DNS are
working?
Ans: The nslookup command is used to check the DNS server.
Go to the command prompt.
After you have set up your DNS server, it is very important to check that the entries which are
published to the Internet are correct. You can use the following checklist using nslookup.
Start nslookup and select the desired DNS server:
nslookup
> server 193.247.121.196
Default Server: rabbit.akadia.ch
Address: 193.247.121.196

Check Start of Authority (SOA):
> set q=SOA
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
rabbit.akadia.com internet address = 193.247.121.196
lila.thenet.ch internet address = 193.135.252.2
Check the Nameservers (NS):
> set q=NS
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com nameserver = lila.thenet.ch
akadia.com nameserver = rabbit.akadia.com
lila.thenet.ch internet address = 193.135.252.2
rabbit.akadia.com internet address = 193.247.121.196
Check E-Mail MX-Records (MX):
> set q=MX
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com preference = 20, mail exchanger = opal.akadia.com
akadia.com preference = 10, mail exchanger = rabbit.akadia.com
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
opal.akadia.com internet address = 193.247.121.197
rabbit.akadia.com internet address = 193.247.121.196
lila.thenet.ch internet address = 193.135.252.2
Check everything (ANY):
> set q=any
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com preference = 10, mail exchanger = rabbit.akadia.com
akadia.com preference = 20, mail exchanger = opal.akadia.com
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
rabbit.akadia.com internet address = 193.247.121.196
opal.akadia.com internet address = 193.247.121.197
lila.thenet.ch internet address = 193.135.252.2

Lookup all hosts within a domain:
> ls -d akadia.com

Query types: set type=X - set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)

17. What is WINS? And what is the difference between WINS and DNS?
Windows Internet Name Service; it translates NetBIOS names to IP addresses.
DNS translates FQDNs to IP addresses. An FQDN consists of a zone name, domain
name and host name, separated by dots, and DNS resolves this name into an IP
address.
WINS does not translate FQDNs to IP addresses.

18. Why is DNS required for AD and not WINS?

The naming structure of Active Directory objects is based on the Internet naming system: a hierarchical namespace whose parts are separated by dots. Domain controllers also advertise their services through DNS service (SRV) records, and clients locate a domain controller by querying those records (for example _ldap._tcp.dc._msdcs.<domain>). Active Directory therefore needs a name service that supports hierarchical names and SRV records, and DNS provides exactly that, while WINS only handles flat NetBIOS names. Without DNS, clients cannot find domain controllers, so Active Directory is of no use; that is why DNS is required for Active Directory.

19. What is Disaster Recovery?

Disaster recovery is the process of bringing a server back online in a short period of time, with the least possible effect on the business, after a disaster.
Disaster recovery consists of:
a. Backup
b. Recovery Console
c. ASR (Automated System Recovery) in Windows 2003 and ERD (Emergency Repair Disk) in Windows 2000

20. How many types of backup are there, and what are their advantages and disadvantages?
Types of Backup
There are different kinds of backups; the following lists the main ones:
Full Backup
A full backup is the starting point for all other backups and contains all the data in the folders and files selected to be backed up. Because a full backup stores all files and folders, frequent full backups result in faster and simpler restore operations. Remember that when you choose other backup types, restore jobs may take longer.

Advantages: Restore is the fastest.
Disadvantages: Backing up is the slowest. The storage space requirements are the highest.

Incremental Backup
An incremental backup backs up only those files created or changed since the last full (normal) or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of full and incremental backups, you need the last full backup set as well as every incremental backup set taken since it, applied in order, to restore your data; losing any one set in the chain breaks the restore.

Advantages: Backing up is the fastest. The storage space requirements are the lowest.
Disadvantages: Restore is the slowest.

Differential Backup
A differential backup copies files created or changed since the last full (normal) backup. It does not mark files as having been backed up (the archive attribute is not cleared), so each differential grows until the next full backup. If you are performing a combination of full and differential backups, restoring files and folders requires only the last full backup and the last differential backup.
Advantages: Restore is faster than restoring from incremental backups. Backing up is faster than a full backup. The storage space requirements are lower than for a full backup.
Disadvantages: Restore is slower than restoring from a full backup. Backing up is slower than an incremental backup. The storage space requirements are higher than for an incremental backup.
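The three schemes above differ only in which files they select and whether they clear the archive attribute, and that is what decides how many sets a restore has to read. The following Python simulation is an added example (not from the original page) that models this with a constructed set of four files and a constructed week of changes; it returns the size of each backup set, the number of sets a restore must apply, and whether replaying that chain reproduces the live data.

```python
"""Simulate full, incremental and differential backups against the archive
attribute, and show which sets a restore needs. Added example, not from the
page; the file names and the change schedule are constructed."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True          # the OS sets this bit whenever the file is written


class BackupSimulator:
    def __init__(self, names):
        self.files = {n: File(n) for n in names}
        self.sets = []            # (kind, {name: version}) in the order taken

    def modify(self, *names):
        for n in names:
            self.files[n].version += 1
            self.files[n].archive = True

    def backup(self, kind):
        """Take one backup set; returns how many files it captured."""
        if kind == "full":
            chosen = list(self.files.values())
        elif kind in ("incremental", "differential"):
            chosen = [f for f in self.files.values() if f.archive]
        else:
            raise ValueError(kind)
        if kind != "differential":           # differential leaves the bit set
            for f in chosen:
                f.archive = False
        self.sets.append((kind, {f.name: f.version for f in chosen}))
        return len(chosen)

    def restore_chain(self):
        """Sets needed to rebuild the current state, in the order to apply them."""
        last_full = max(i for i, (k, _) in enumerate(self.sets) if k == "full")
        later = self.sets[last_full + 1:]
        kinds = {k for k, _ in later}
        if kinds <= {"incremental"}:
            return [self.sets[last_full]] + later        # full + every incremental
        if kinds == {"differential"}:
            return [self.sets[last_full], later[-1]]     # full + latest differential
        raise ValueError("mixed incremental/differential chains are not modelled")

    def restore(self):
        state = {}
        for _, contents in self.restore_chain():
            state.update(contents)                       # later sets overwrite earlier ones
        return state

    def current(self):
        return {n: f.version for n, f in self.files.items()}


def run_week(kind):
    """Full on day 1, then `kind` backups on days 2-4 with a few changes.
    Returns (files per set, sets needed for a restore, restore matches live data?)."""
    sim = BackupSimulator(["a", "b", "c", "d"])
    sim.backup("full")
    sim.modify("a")
    sim.backup(kind)
    sim.modify("b")
    sim.backup(kind)
    sim.modify("a", "c")
    sim.backup(kind)
    sizes = [len(c) for _, c in sim.sets]
    return sizes, len(sim.restore_chain()), sim.restore() == sim.current()


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, run_week(kind))
```

With the incremental scheme the third set holds only the files changed that day, but the restore needs all four sets; with the differential scheme each set grows (1, 2, then 3 files) and the restore needs only two. Both rebuild the same final state, which is the check worth automating in a real backup test.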

21. What are the port numbers of these services?

Service                  TCP/UDP Port                Secure (TLS/SSL) Port
DNS                      53                          N/A
DHCP                     67 (server) & 68 (client)   N/A
RDP                      3389                        N/A
LDAP                     389                         636 (LDAPS)
SMTP                     25                          465
POP3                     110                         995
IMAP                     143                         993
HTTP                     80                          443 (HTTPS)
TELNET                   23                          992
KERBEROS                 88                          N/A
SNMP                     161                         N/A
IRC                      194                         N/A
NNTP                     119                         563
MS Exchange Routing      691                         N/A
MS SQL                   1433                        N/A
Global Catalog (LDAP)    3268                        3269

22. How do secondary DNS servers get updates from the primary DNS server? Describe the process.

The transfer is pulled by the secondary (the client side of the exchange), not pushed by the primary. Every time a record is added, edited or deleted on the primary, two things change: the record itself and the serial number in the zone's SOA record, which must be incremented.
At each refresh interval (taken from the SOA), the secondary queries the primary for its SOA record and compares serial numbers. If the primary's serial is higher, the secondary requests a zone transfer (AXFR for the whole zone, or IXFR for only the changed records). If the query fails it tries again after the retry interval, and if it cannot reach the primary for the whole expire interval it stops answering for the zone. The primary can also send a NOTIFY message so that the secondary checks immediately instead of waiting for the refresh timer.

In a full transfer the first record sent is the SOA record.

The other records follow in no particular order.
The end of the transfer is signalled by a repeat of the SOA record.
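As an added example (not part of the original page), the following Python models the secondary's side of this process: comparing serials the way RFC 1982 requires (serials are 32-bit and wrap, so a plain `>` gives the wrong answer near the wraparound), applying the refresh/retry/expire timers from the SOA, and checking that a full transfer is bracketed by matching SOA records. The SOA timer values are the akadia.com ones shown earlier on this page; the timestamps and the record list are constructed.

```python
"""Secondary-side zone refresh logic: RFC 1982 serial comparison, the
refresh/retry/expire timers from the SOA, and the SOA-bracketing rule of a
full zone transfer. Added example (not from the page); the records and
timestamps are constructed."""

HALF = 2 ** 31                     # serials are 32-bit, compared with wraparound arithmetic


def serial_gt(a, b):
    """True if serial a is 'newer' than serial b under RFC 1982 rules."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def secondary_action(local_serial, master_serial, soa, last_ok, now):
    """Decide what a secondary does at time `now` (seconds).

    soa: dict with refresh/retry/expire in seconds; last_ok: time of the last
    successful refresh; master_serial: serial from the SOA query, or None if
    the master could not be reached."""
    if now - last_ok >= soa["expire"]:
        return "expire"                        # stop answering authoritatively
    if master_serial is None:
        return f"retry in {soa['retry']}"      # SOA query failed
    if serial_gt(master_serial, local_serial):
        return "transfer"                      # AXFR/IXFR
    return f"refresh in {soa['refresh']}"      # in sync, wait for the next refresh


def check_axfr(records):
    """A full zone transfer must start and end with the same SOA record.
    records: [(owner, type, rdata)]. Returns (serial, record_count)."""
    if len(records) < 2 or records[0][1] != "SOA" or records[-1][1] != "SOA":
        raise ValueError("AXFR must be bracketed by SOA records")
    if records[0] != records[-1]:
        raise ValueError("zone changed during transfer; discard and retry")
    serial = int(records[0][2].split()[2])     # mname rname SERIAL refresh retry expire minimum
    return serial, len(records) - 1            # the closing SOA is not a new record


if __name__ == "__main__":
    soa = {"refresh": 10800, "retry": 3600, "expire": 604800}   # akadia.com values
    print(secondary_action(2000061501, 2000061502, soa, last_ok=0, now=10800))
    print(secondary_action(2000061501, None, soa, last_ok=0, now=604800))
    print(serial_gt(1, 0xFFFFFFFF))            # True: the serial wrapped
```

Operationally, zone transfers should be allowed only from the secondaries' addresses (and preferably authenticated with TSIG); a primary that answers AXFR for any client publishes its whole host inventory, which is exactly what the `ls -d` example earlier on this page retrieves.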

23. What is conditional forwarding in DNS?

Conditional forwarding forwards client queries for a particular domain name to the DNS servers that can resolve that domain, instead of sending them to the general forwarders or resolving them through the root hints. The DNS server has to be configured with the domain name and the addresses of the servers to forward to.
For example, a DNS server is configured for domain.com. A client sends a request to resolve host.microsoft.com, and this DNS server hosts no records for the microsoft.com domain. In this case the DNS server can be configured to forward all name resolution requests for microsoft.com (and its subdomains) to the DNS servers that host those records. This is commonly used between a company and a partner or acquired forest whose internal names cannot be resolved from the Internet.
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
To configure conditional forwarding (Windows Server 2003):
1. Open the DNS console and go to the DNS server's properties.
2. Select the Forwarders tab.
3. Click New.
4. Enter the domain name in the DNS domain text box and click OK.
5. Add the IP addresses of the DNS servers for that domain.
6. Click OK.
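The decision a conditional forwarder makes is a longest-suffix match on the queried name. The following Python is an added example (not from the page, and not Microsoft's DNS server code) of that selection: the domain names follow the text's example, the forwarder addresses are constructed from documentation ranges, and the server's own zone `domain.com` is assumed. It also shows why the match must be done on whole labels rather than with a string endswith(): otherwise `notmicrosoft.com` would be sent to the partner's servers.

```python
"""Forwarder selection as a conditional-forwarding DNS server does it: pick
the forwarders configured for the longest matching domain suffix of the
queried name, otherwise fall back to the default forwarders. Added example,
not from the page; server addresses are constructed (RFC 5737 ranges)."""

CONDITIONAL = {                                # domain -> forwarders for that domain
    "microsoft.com": ["192.0.2.10", "192.0.2.11"],
    "corp.microsoft.com": ["198.51.100.5"],    # more specific entry wins for its subtree
}
DEFAULT_FORWARDERS = ["203.0.113.1"]
OWN_ZONES = ("domain.com",)                    # assumed: zones this server is authoritative for


def labels_of(name):
    """Normalise a DNS name: lower-case, no trailing dot, split into labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def choose_forwarder(qname, conditional=CONDITIONAL, default=DEFAULT_FORWARDERS):
    """Return (matched_domain or None, forwarder list) for qname.

    Matching is label by label, so 'microsoft.com' matches host.microsoft.com
    but NOT notmicrosoft.com or microsoft.com.evil.test, both of which a naive
    endswith('microsoft.com') check would accept."""
    labels = labels_of(qname)
    for i in range(len(labels)):               # full name first, then drop the left-most label
        candidate = ".".join(labels[i:])
        if candidate in conditional:
            return candidate, conditional[candidate]
    return None, default


def is_own_zone(qname, zones=OWN_ZONES):
    """Conditional forwarders are only consulted for names the server is not
    authoritative for, so callers check this first."""
    return choose_forwarder(qname, {z.lower(): True for z in zones}, None)[0] is not None


def route_query(qname):
    """How this server would handle qname: answer itself, use a conditional
    forwarder, or use the default forwarders."""
    if is_own_zone(qname):
        return ("authoritative", None)
    matched, forwarders = choose_forwarder(qname)
    return ("conditional", forwarders) if matched else ("default", forwarders)


if __name__ == "__main__":
    for q in ("www.domain.com", "host.microsoft.com", "dc1.corp.microsoft.com.",
              "notmicrosoft.com", "microsoft.com.evil.test"):
        print(f"{q:28} -> {route_query(q)}")
```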

24. What is TCP and what is IP?

TCP (Transmission Control Protocol):
1. Provides a reliable, connection-oriented delivery service.
2. Guarantees delivery of the data stream by acknowledging received segments and retransmitting lost ones.
3. Performs segmentation and reassembly of large blocks of data sent by programs.
4. Ensures proper sequencing and ordered delivery of segmented data.
5. Checks the integrity of transmitted data using a checksum.
6. Sends acknowledgements for the data received.
IP (Internet Protocol):
IP is a connectionless, unreliable datagram protocol. It is primarily responsible for addressing and routing packets between hosts. IP packets may be lost, duplicated, delayed or delivered out of order; IP does not attempt to recover from these errors and leaves that to TCP (or to the application, in the case of UDP).

6) What is the Global Catalog?

The global catalog (GC) contains a partial replica of every domain in the forest (Windows 2000 and later). It lets users and applications find objects in any domain of the Active Directory forest given one or more attributes of the target object, without knowing which domain holds the object. The GC holds a replica of every object in the forest, but only a small subset of each object's attributes (the partial attribute set, the attributes most commonly searched on). A GC server is a domain controller that additionally hosts this partial replica; like every domain controller it also holds the schema and configuration partitions.

Q1. What is DNS?

DNS (Domain Name System) provides name registration and name-to-address resolution. It drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.
Before DNS, mapping friendly host or computer names to IP addresses was handled by hosts files. Hosts files are easy to understand: they are static ASCII text files that map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory (%SystemRoot%\system32\drivers\etc on later versions).
The fundamental problem with hosts files is that they are labour intensive: a hosts file is modified by hand and has to be copied to every machine, so it does not scale.
The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.
Q2. Which are the four generally accepted naming conventions?
NetBIOS Name (for instance, SPRINGERS01)
TCP/IP Address (121.133.2.44)
Host Name (Abbey)
Media Access Control (MAC) address, the network adapter hardware address


Q3. How does DNS really work?
DNS uses a client/server model in which DNS servers maintain a database of domain names mapped to IP addresses (and other records). The DNS client, known as the resolver, sends queries to the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1. A client (or resolver) passes its request to its local name server. For example, the name www.idgbooks.com typed into Internet Explorer is sent to the DNS server configured in the client's TCP/IP settings. This DNS server is known as the local name server.

Step 2. If, as often happens, the local name server cannot answer from its own zones or its cache, it queries other name servers on the resolver's behalf (recursion).

Step 3. The local name server starts at the top of the DNS tree with the root name servers, which refer it to the servers for the far-right label (for instance, com); those refer it to the servers for idgbooks.com, and so on down the tree until an authoritative answer is returned, cached, and passed back to the resolver.
Q4. Which are the major records in DNS?
1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the host name and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.
E.g.: eric.foobarbaz.com. IN A 36.36.1.6
It is possible to map more than one IP address to a given host name. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record, with every column the same except for the IP address.

2. Aliases or Canonical Name Records (CNAME)


“CNAME” records simply allow a machine to be known by more than one hostname.
There must always be an A record for the machine before aliases can be added. The host
name of a machine that is stated in an A record is called the canonical, or official name
of the machine. Other records should point to the canonical name. Here is an example of
a CNAME:
www.foobarbaz.com. IN CNAME eric.foobarbaz.com.
You can see the similarities to the previous record. Records always read from left to right, with the name being queried on the left and the answer to the query on the right. A machine can have any number of CNAME aliases, one record per alias. The reverse does not hold: a name that owns a CNAME may not own any other record. So for a service name that should be load balanced across several machines, you add several A records for that one name (round-robin DNS), not several CNAMEs.
3. Mail Exchange Records (MX)
MX records are far more important than they sound. They allow all mail for a domain to
be routed to one host. This is exceedingly useful – it abates the load on your internal
hosts since they do not have to route incoming mail, and it allows your mail to be sent to
any address in your domain even if that particular address does not have a computer
associated with it. For example, we have a mail server running on the fictitious machine
eric.foobarbaz.com. For convenience sake, however, we want our email address to be
“user@foobarbaz.com” rather than “user@eric.foobarbaz.com”. This is accomplished by
the record shown below:
foobarbaz.com. IN MX 10 eric.foobarbaz.com.
The column on the far left signifies the address that you want to use as an Internet
email address. The next two entries have been explained thoroughly in previous records.
The next column, the number “10”, is different from the normal DNS record format. It is
a signifier of priority. Often larger systems will have backup mail servers, perhaps more
than one. Obviously, you will only want the backups receiving mail if something goes
wrong with the primary mail server. You can indicate this with your MX records. A lower
number in an MX record means a higher priority, and mail will be sent to the server with
the lowest number (the lowest possible being 0). If something happens so that this
server becomes unreachable, the computer delivering the mail will attempt every other
server listed in the DNS tables, in order of priority.
Obviously, you can have as many MX records as you would like. It is also a good idea to
include an MX record even if you are having mail sent directly to a machine with an A
record. Some sendmail programs only look for MX records.
It is also possible to use wildcards in MX records. If you have a domain where your
users each have their own machine running a mail client, mail could be sent directly
to each machine. Rather than clutter your zone, you can add an MX record like this one:
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.
This makes any mail sent to any individual workstation in the foobarbaz.com domain go
through the server eric.foobarbaz.com.
Use caution with wildcards: a name that has any record of its own takes precedence over
the wildcard, so a workstation with its own A record but no MX record is not covered by it.

4. Pointer Records (PTR)


Although there are different ways to set up PTR records, we explain only the most
frequently used method, the in-addr.arpa domain.
In-addr.arpa PTR records are the inverse of A records: they map an IP address back to
a host name. Resolving a machine in this fashion is called a reverse lookup. It is
increasingly common for a machine to do a reverse lookup on your machine before allowing
you to access a service (mail servers in particular do this). Be clear about what a reverse
lookup proves: the PTR record is controlled by whoever owns the IP address block, so on its
own it verifies nothing about the client. The useful check is forward-confirmed reverse DNS,
where the name returned by the PTR lookup is resolved again and must include the original
IP address. In-addr.arpa records look like this:
6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
As you can see from the A record example at the beginning of this document, the record
simply has the IP address octets in reverse order followed by in-addr.arpa, with the host
name in the last column.
A note for those who run their own name servers: although Allegiance Internet can pull
zones from your name server, it cannot pull the inverse zones (these in-addr.arpa records)
unless you have been assigned a full class C network. If you would like PTR records placed
in its name servers for you, fill out the online web form on the
support.allegianceinternet.com page.
5. Name Server Records (NS)
NS records are imperative to a functioning DNS entry. They are very simple: they merely
state the authoritative name servers for the given domain. There must be at least two
NS records in every zone. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
There must also be an A record in your zone for each machine you list as a name server
within your domain (a glue record); otherwise resolvers are given a server name they have
no way to reach.
If Allegiance Internet is doing primary and secondary name service, it will set up these
records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two
authoritative name servers.
6. Start Of Authority Records (SOA)
The SOA record is the most crucial record in a DNS entry. It conveys more information
than all the other records combined. It is called the start of authority because it
marks this DNS entry as the official source of information for its domain. Here is an
example of an SOA record; each part of it is explained below:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
The first column contains the domain for which this record begins authority. The next
two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name
server for the domain. The last entry on this row is actually an email address, if you
substitute an "@" for the first ".". There should always be a working contact address in the
SOA record.
The next entries are a little more unusual than what we have become used to. The serial
number records how often this DNS entry has been updated. Every time a change is made
to the entry, the serial number must be incremented. Other name servers that pull a zone
from the primary only pull it if the serial number on the primary is higher than the serial
number on their own copy; in this way the name servers for a domain update themselves. A
recommended way to use your serial number is the YYYYMMDDNN format shown above, where NN
is the number of times the zone has been changed that day. (Serial numbers are 32-bit
values compared with wraparound arithmetic, so if you ever need to lower one you cannot
simply set a smaller value.)
Also, a note for Allegiance Internet customers who run their own name servers: even if
the serial number is incremented, you should still fill out the web form and use the
comment box when you make changes, asking for the new zones to be pulled.
All the remaining numbers in the record are measurements of time, in seconds. "Refresh"
is how often secondary name servers should check the primary for a change in the serial
number. "Retry" is how long a secondary should wait before trying again if a refresh
attempt failed. "Expire" is how long the secondary may keep serving its current copy if it
has been unable to refresh; after that it stops answering for the zone. "Minimum" was
originally the default TTL for records in the zone; since RFC 2308 it is the TTL for
negative (name-does-not-exist) answers.
There can be only one SOA record per zone. Like NS records, Allegiance Internet sets up
this record for you if you are not running your own name server.
Quick Summary of the major records in DNS

Record Type          Definition
Host (A)             Maps a host name to an IP address in a DNS zone. Fields: Domain,
                     Host Name, Host IP Address.
Alias (CNAME)        Canonical name record that creates an alias for a host name. CNAME
                     records are typically used to hide implementation details from
                     clients. Fields: Domain, Alias Name, For Host DNS Name.
Name Server (NS)     Identifies the DNS name servers for the DNS domain. NS records
                     appear in all DNS zones, forward and reverse. Fields: Domain,
                     Name Server DNS Name.
Pointer (PTR)        Maps an IP address to a host name in a DNS reverse zone. Fields:
                     IP Address, Host DNS Name.
Mail Exchange (MX)   Specifies a mail exchange server for a DNS domain name. Note that
                     "exchange" here does not refer to Microsoft Exchange, the BackOffice
                     e-mail application. However, to connect Microsoft Exchange to the
                     Internet via the Internet Mail Service (IMS), the MX record must be
                     correctly configured, usually by your ISP.
                     A mail exchange server is a host that will either process or forward
                     mail for the DNS domain name. Processing the mail means delivering it
                     to the addressee or passing it to a different type of mail transport.
                     Forwarding the mail means sending it to its final destination server,
                     sending it via SMTP to another mail server closer to the final
                     destination, or queuing it for a specified amount of time.
                     Fields: Domain, Host Name (optional), Mail Exchange Server DNS Name,
                     Preference Number.
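The rules stated across the record descriptions above (one SOA per zone, at least two NS records, a glue A record for every in-zone name server, an A record behind every CNAME target, nothing else on a CNAME owner, lowest MX preference delivered to first) are exactly what a zone check should verify before a zone is loaded. The following Python is an added example, not the page's own code: it parses zone text in the `name IN TYPE rdata` form used on this page and applies those checks. The zone text reuses the foobarbaz.com records from the text plus constructed A records for draven and a second MX, and the "bad" zone in the test is constructed to trip each check.

```python
"""Parse the record types described above from zone-file text and check the
rules the text states. Added example, not the page's code; the zone text
reuses the page's foobarbaz.com records plus constructed A/MX records."""
from collections import defaultdict

ZONE_TEXT = """
foobarbaz.com.          IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                                 1996111901 ; Serial
                                 10800      ; Refresh
                                 3600       ; Retry
                                 3600000    ; Expire
                                 86400 )    ; Minimum
foobarbaz.com.          IN NS    draven.foobarbaz.com.
foobarbaz.com.          IN NS    nse.algx.net.
foobarbaz.com.          IN MX    10 eric.foobarbaz.com.
foobarbaz.com.          IN MX    20 draven.foobarbaz.com.
eric.foobarbaz.com.     IN A     36.36.1.6
draven.foobarbaz.com.   IN A     36.36.1.7
www.foobarbaz.com.      IN CNAME eric.foobarbaz.com.
6.1.36.36.in-addr.arpa. IN PTR   eric.foobarbaz.com.
"""


def parse_zone(text):
    """Return [(owner, type, [rdata...])]. Handles ';' comments and the
    multi-line parenthesised SOA form; every record must carry an explicit
    owner name and class, as the examples on this page do."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        pending = f"{pending} {line}".strip()
        if pending.count("(") > pending.count(")"):
            continue                                   # still inside ( ... )
        owner, _cls, rtype, *rdata = pending.replace("(", " ").replace(")", " ").split()
        records.append((owner.lower(), rtype.upper(), [r.lower() for r in rdata]))
        pending = ""
    return records


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def check_zone(records, origin):
    """Return a list of problems; empty when the zone passes every check."""
    issues = []
    by_type, owners = defaultdict(list), defaultdict(set)
    for owner, rtype, rdata in records:
        by_type[rtype].append((owner, rdata))
        owners[owner].add(rtype)
    a_names = {o for o, _ in by_type["A"]}
    cname_names = {o for o, _ in by_type["CNAME"]}

    if len(by_type["SOA"]) != 1:
        issues.append(f"SOA: expected exactly one, found {len(by_type['SOA'])}")
    if len(by_type["NS"]) < 2:
        issues.append("NS: at least two name servers are required")
    for _, (ns,) in by_type["NS"]:
        if in_zone(ns, origin) and ns not in a_names:
            issues.append(f"NS: {ns} needs a glue A record in the zone")
    for owner, (target,) in by_type["CNAME"]:
        if owners[owner] - {"CNAME"}:                  # CNAME owner may hold nothing else
            issues.append(f"CNAME: {owner} also owns {sorted(owners[owner] - {'CNAME'})}")
        if in_zone(target, origin) and target not in a_names | cname_names:
            issues.append(f"CNAME: {owner} points at {target}, which has no A record")
    for _, (_pref, host) in by_type["MX"]:
        if host in cname_names:
            issues.append(f"MX: {host} is a CNAME; MX must name a canonical host")
        elif in_zone(host, origin) and host not in a_names:
            issues.append(f"MX: {host} has no A record")
    return issues


def mail_exchangers(records):
    """MX hosts in delivery order: lowest preference first."""
    return sorted((int(rd[0]), rd[1]) for _, t, rd in records if t == "MX")


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(check_zone(recs, "foobarbaz.com.") or "zone OK")
    print(mail_exchangers(recs))
```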

Q5.What is a DNS zone


A zone is simply a contiguous section of the DNS namespace. Records for a zone are
stored and managed together. Often, subdomains are split into several zones to make
manageability easier. For example, support.microsoft.com and msdn.microsoft.com are
separate zones, where support and msdn are subdomains within the Microsoft.com
domain.
Q6. Name the two zones in DNS.
DNS servers can hold primary and secondary zones. A primary zone is the copy of a zone
where updates can be made, while a secondary zone is a read-only copy of the primary zone,
kept up to date by zone transfer. For fault tolerance and load balancing, a domain may have
several DNS servers that answer requests for the same information.
The entries within a zone give the DNS server the information it needs to satisfy
requests from other computers or DNS servers.
Q7. How many SOA record does each zone contain?
Each zone will have one SOA record. This records contains many miscellaneous settings
for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time
To Live) settings, and a serial number (incremented with every update).
Q8. Short summary of the records in DNS.
The NS records are used to point to additional DNS servers. The PTR record is used for
reverse lookups (IP to name). CNAME records are used to give a host multiple names.
MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication
process that replicates other data between domain controllers, so there is no separate
primary/secondary zone transfer to configure and every DC hosting the zone can accept updates
(multi-master). They also make secure dynamic updates possible: only authenticated domain
members can register records, and by default only the account that created a record may
change it, which stops one host from overwriting another host's record. The one catch with
AD-integrated zones is that the DNS server must also be a domain controller. Overloading your
domain controllers with DNS server responsibilities may not be something you want to do if
you plan on supporting a large volume of DNS requests.
Q11. What does a stub zone consist of?

A stub zone consists of:
• The start of authority (SOA) resource record, the name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.
Q14. What is Scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they
are not updated after a period of time. Typically, this applies to only resource records that
were added via DDNS, but you can also scavenge manually added, also referred to as static,
records. DNS scavenging is a recommended practice so that your DNS zones are
automatically kept clean of stale resource records.
Q5. How are Group Policies applied?
Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU)
level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-linked policies, then
Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Because each level is applied
after the previous one, a setting configured at a later level wins when two levels conflict, and settings that do
not conflict accumulate. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you place the users (or groups) and computers in
container objects. Anything in the container object will then get the policies linked to that container. Sites,
Domains and OUs are container objects.

Computer and User Active Directory objects do not have to be in the same container object. For example, Sally the
user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's
user object can be in one OU while her computer object is in another OU; the Computer Configuration half of policy
is resolved along the computer object's path and the User Configuration half along the user object's path. It all
depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.
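The LSDOU order and the "later level wins" rule are easy to state and easy to get wrong when several GPOs are linked at one container, so the following Python models them. It is an added example, not from the page and not Microsoft's Group Policy engine: it walks an object's distinguished name to find the containers that apply to it, applies the GPOs linked at each level (within one container, link order 1 has the highest precedence and is therefore applied last), and records which GPO supplied each effective setting. The site, OUs, GPO names and settings are constructed, and Enforced links, Block Inheritance, security filtering and WMI filters are deliberately left out.

```python
"""Model of Group Policy processing order (LSDOU) for one Active Directory
object. Added example, not from the page; OU names, GPOs and settings are
constructed. Enforced, Block Inheritance and filtering are not modelled."""


def lsdou_containers(dn, site):
    """Containers whose linked GPOs apply to `dn`, in processing order:
    site, domain, then OUs from the outermost down to the object's own OU."""
    parts = [p.strip() for p in dn.split(",")]
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [p for p in parts if p.upper().startswith("OU=")]
    containers = [site, domain]
    for i in range(len(ous), 0, -1):                 # outermost OU first
        containers.append(",".join(ous[i - 1:] + [domain]))
    return containers


def effective_policy(dn, site, links, local_policy=None):
    """links: container -> list of (gpo_name, link_order, {setting: value}).
    Returns {setting: (value, source)} after applying Local, Site, Domain,
    OU and nested OUs. Later levels overwrite earlier ones; within a container
    the GPO with link order 1 has the highest precedence, so it is applied last."""
    result = {k: (v, "Local Group Policy") for k, v in (local_policy or {}).items()}
    for container in lsdou_containers(dn, site):
        for name, link_order, settings in sorted(links.get(container, []), key=lambda g: -g[1]):
            for setting, value in settings.items():
                result[setting] = (value, f"{name} (linked at {container})")
    return result


# constructed directory: Sally's user object and her PC live in different OUs
SITE = "Default-First-Site-Name"
DOMAIN = "DC=corp,DC=example"
LINKS = {
    SITE: [("Site Proxy", 1, {"ProxyServer": "proxy.corp.example:8080"})],
    DOMAIN: [("Default Domain Policy", 1, {"MinimumPasswordLength": 8, "ScreenSaverTimeout": 900})],
    f"OU=Staff,{DOMAIN}": [("Staff Baseline", 1, {"ScreenSaverTimeout": 600, "RemovableStorage": "deny"})],
    f"OU=Sales,OU=Staff,{DOMAIN}": [
        ("Sales Laptops", 2, {"RemovableStorage": "allow"}),    # link order 2: applied first
        ("Sales Lockdown", 1, {"RemovableStorage": "deny"}),    # link order 1: applied last, wins
    ],
}
SALLY_USER = f"CN=Sally,OU=Sales,OU=Staff,{DOMAIN}"
SALLY_PC = f"CN=SALLY-PC,OU=Workstations,{DOMAIN}"

if __name__ == "__main__":
    for dn in (SALLY_USER, SALLY_PC):
        print(dn)
        for setting, (value, source) in sorted(effective_policy(dn, SITE, LINKS).items()):
            print(f"  {setting} = {value!r}  <- {source}")
```

Running it shows Sally's user settings coming from the Staff and Sales OUs while her PC, sitting in a different OU, only gets the site and domain settings, which is the point the paragraph above makes.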
Q14. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created. The Default Domain
policy and the Default Domain Controllers policy.

Default Domain Policy - this GPO can be found under the group policy tab for that domain. It is the first
policy listed. The default domain policy is unique in that certain policies can only be applied at the domain
level.

If you open this GPO and drill down to Computer Configuration, Windows Settings, Security Settings,
Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

For domain accounts these three policies are only effective when set at the domain level (in Windows 2000/2003
there is one such policy for the whole domain). If you set them at the Site or OU level, domain accounts ignore
them; however, setting them in a GPO linked to an OU does apply them to the local account databases of the
computers in that OU, so they govern users who log on locally to those PCs. Log on to the domain and you get the
domain policy; log on locally and you get the OU policy.
If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security
Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires

Rename Administrator Account - when set at the domain level, it affects the Domain Administrator account only.
Rename Guest Account - when set at the domain level, it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional
domain-level policies, create additional domain-level GPOs.
Do not delete the Default Domain Policy. You can disable it, but that is not recommended.

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU,
choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain
regardless of where you put the domain controllers. That is, no matter where you put your domain controllers
in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies,
Event Log settings, who can logon locally and so on.

22) Types of backup - I don't need to tell you.

Full backup
A full backup is the starting point for all other backups and contains all the data in the folders and
files selected to be backed up. Because a full backup stores all files and folders, frequent full backups
result in faster and simpler restore operations. Remember that when you choose other backup types, restore
jobs may take longer.

Differential backup
A differential backup contains all files that have changed since the last FULL backup. The advantage of a
differential backup is that it shortens restore time compared to a chain of incremental backups: only the
full backup and the latest differential are needed. However, because every differential goes back to the
same full backup, it grows with each run and can eventually become larger than the baseline full backup.

Incremental backup
An incremental backup stores all files that have changed since the last FULL OR INCREMENTAL backup. The
advantage of an incremental backup is that it takes the least time and space to complete. However, during a
restore the full backup and every incremental taken since it must be processed in order, which can make for
a lengthy restore job, and the loss of any one set in the chain makes the sets after it unusable.

Mirror backup
A mirror backup is identical to a full backup, except that the files are not compressed into archive files
and cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of
the backup data. It has the benefit that the backup files can be accessed directly with tools like Windows
Explorer; it has the drawback that a deletion or corruption of the source (ransomware, for example) is
copied to the mirror on the next run unless older versions are retained.

Round robin DNS

A load-balancing technique in which the balancing is done by the DNS server instead of by a
dedicated load-balancer machine, as other techniques do.
Round robin works on a rotating basis: the DNS server holds several A records for the same
name and rotates their order in each answer, so one server's IP address is handed out first
and then moves to the back of the list; the next server's IP address is handed out first and
then moves to the end of the list, and so on through however many servers are in use, in a
loop.
Round robin DNS is usually used for spreading the load across geographically distributed web
servers. For example, a company has one domain name and three identical home pages residing
on three servers with three different IP addresses. The first user who accesses the home page
is sent to the first IP address, the second user to the next IP address, and the third user
to the third. In each case, once an IP address is given out it goes to the end of the list, so
the fourth user is sent to the first IP address again, and so forth. Note that round robin has
no health checking: a failed server keeps receiving its share of clients until its record is
removed, and caching resolvers can pin many clients to a single address for the record's TTL.

25. What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a communications protocol that lets network
administrators manage and automate the assignment of Internet Protocol (IP) addresses in an
organization's network. DHCP allows devices to connect to a network and be automatically
assigned an IP address, together with related settings such as the subnet mask, default
gateway, and DNS and WINS servers.
When using DHCP you do not have to worry so much about problems with duplicate IP addresses
or about keeping track of which computer has which IP address. You can manage your entire
enterprise's IP addressing scheme via DHCP, and hardly any host requires manual address
assignment.

DHCP Lease Process

DHCP leases reduce DHCP network traffic by giving clients specific addresses for set periods
of time. The stages of the lease process can be remembered with the ROSA acronym:
Request - The client broadcasts a DHCP discover message containing its MAC address, with a
source IP address of 0.0.0.0 and a destination address of 255.255.255.255. If the client had an
address before, it asks for that address (option 50); if the address is no longer available the
server simply offers another one (a NAK is only sent when a client tries to renew or re-use an
address the server will not confirm). The client is in the initializing state during this stage.
Offer - A DHCP offer message is sent by each DHCP server that hears the discover, carrying an
offered address and some or all of the optional information listed above, including the IP
address of the DHCP server making the offer (the server identifier). Each server marks the
address it offered as unavailable until the offer is accepted or withdrawn. The client is in the
selecting state during this stage.
Selection (or acceptance) - The client accepts the first offer it receives and broadcasts a
DHCP request message naming the offered address and the IP address of the DHCP server whose
offer it accepted. The client is in the requesting state during this stage.
Acknowledgement - The chosen server replies with a DHCP acknowledgement indicating the client
can use the address, or with a DHCP NAK telling the client the address has become unavailable,
in which case the client starts over. The other DHCP servers see that the request was not for
them, withdraw their offers and return the offered addresses to their pools. The client is in
the bound state during this stage.
When the client sends the discover it waits one second for an offer. If no response is
received, the request is repeated at 9, 13 and 16 seconds, each with an additional 0 to
1000 milliseconds of randomness, and every 5 minutes thereafter. The client sends from UDP
port 68 to the server's UDP port 67.
Windows 98 and later clients check whether another host is already using the address received
from the DHCP server by sending an ARP request for it, and decline the address if anyone
answers. The DHCP server can also be configured to pre-test addresses by pinging them
(conflict detection), but this increases overhead and slows server response time.

DHCP Client/Server Interactions

There are four main messages exchanged between a DHCP client and a DHCP server:

DHCPDISCOVER
DHCPOFFER
DHCPREQUEST
DHCP(N)ACK

A good way to remember this sequence is to think of aunt "DORA" helping the DHCP clients
get their IP addresses from the DHCP server.

During the initial lease negotiation all of these messages are broadcasts sent to the
limited broadcast address 255.255.255.255 (the client sets the broadcast flag and the
servers reply by broadcast). No directed datagrams are exchanged between the DHCP server
and a client that does not yet have a bound IP address, because the client has no address
to which a directed datagram could be sent until the end of the negotiation. Once bound, a
client renews its lease with unicast DHCPREQUEST messages sent directly to its server.
Because the initial exchange is broadcast, any host on the segment can answer it: a rogue
DHCP server can hand out a malicious default gateway or DNS server, which is why managed
switches offer DHCP snooping to restrict which ports may send server replies.

DHCPDISCOVER

The DHCP client sends the DHCPDISCOVER message if it has never obtained a lease before, or
if it must obtain a new lease because it was unable to renew a previous one. The message is
broadcast to the entire segment, and every DHCP server on the segment (or reachable through
a relay agent) responds to the client's DHCPDISCOVER message.

DHCPOFFER

All the DHCP servers that received the client's message broadcast a DHCPOFFER message. After
each checks whether it already has a lease for this client, each returns an offer of an IP
address to the DHCP client. The client accepts the offer of the first DHCP server that
responds, and the remaining DHCP servers withdraw their offers. This is comparable to a
teenage boy who takes the first offer he gets for a date to the prom: there might have been
multiple offers, but he accepts the first one and the others are withdrawn.

But wait a minute: how did the DHCP server know who was supposed to get the offer if the
initial DHCPDISCOVER message was a broadcast? The broadcast in this case is an IP broadcast.
The DHCP client includes its MAC address (and a transaction ID, the xid) in its request, and
the DHCP server puts the same MAC address and xid in its DHCPOFFER message, so the client can
recognise the replies meant for it.

DHCPREQUEST

After the DHCP client receives an offer, it broadcasts a


DHCPREQUEST message. Contained in the application header
information of this message is the IP address of the DHCP Server
that made the offer. When other DHCP Server receive this
broadcast, they see that the client accepted another offer and
they put the IP addresses they offered back into their list of
available IP addresses. The DHCPREQUEST message confirms that the
client wishes to keep the IP address offered by the DHCP Server.

DHCPACK/DHCPNACK

The DHCP server responds to the DHCPREQUEST with a DHCPACK message. This
message is the final phase of the DHCP lease negotiation; when it
completes, the DHCP client has bound the IP address and can fully
initialize its TCP/IP stack. It is also at this point that the DHCP client
receives other IP addressing information in addition to the IP address,
such as the address of a WINS server, DNS server or default gateway. These
values are referred to as DHCP options.

The DHCPNACK message is a negative acknowledgement sent by the DHCP
server. These NACK messages are not seen when the DHCP client is going
through the discovery process described above. Rather, a NACK is sent to a
DHCP client that already has a lease and wishes to renew it. If the DHCP
server is not able to renew the address, the DHCP server will send...
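The four-message exchange above, as an added example that is not part of the original notes: a small Python encoder/decoder for RFC 2131 messages carrying options 50, 51, 53 and 54, plus two simulated servers on one segment, so you can watch the first OFFER win, the losing server return its address to the pool, and a NAK answer a renewal the server has no record of. The server addresses, pools and client MAC are constructed sample values.

```python
import socket
import struct

# DHCP message types (option 53) and the RFC 2131 options magic cookie.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
MAGIC = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def build(msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None, lease=None, requested=None):
    """Encode one DHCP message: 236-byte fixed header, magic cookie, TLV options, end marker."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2  # BOOTREQUEST / BOOTREPLY
    zero = b"\0" * 4
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast bit set
                      zero, socket.inet_aton(yiaddr), zero, zero,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if requested:  # option 50: the address the client asks to keep
        opts += bytes([50, 4]) + socket.inet_aton(requested)
    if server_id:  # option 54: which server's offer this message refers to
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    if lease is not None:  # option 51: lease time in seconds
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse(pkt):
    """Decode a DHCP message into (xid, mac, yiaddr, {option_code: raw bytes})."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return f[4], f[11][:f[2]], socket.inet_ntoa(f[8]), opts


class Server:
    """A DHCP server on the segment; every server hears every broadcast."""

    def __init__(self, ip, pool):
        self.ip, self.free, self.leases = ip, list(pool), {}

    def handle(self, pkt):
        xid, mac, _, opts = parse(pkt)
        kind = opts[53][0]
        if kind == DISCOVER:
            if mac not in self.leases:  # no lease yet: set an address aside and offer it
                if not self.free:
                    return None
                self.leases[mac] = self.free.pop(0)
            return build(OFFER, xid, mac, self.leases[mac], server_id=self.ip, lease=3600)
        if kind == REQUEST:
            if socket.inet_ntoa(opts[54]) != self.ip:  # client chose another server
                if mac in self.leases:  # withdraw: the address goes back into the pool
                    self.free.append(self.leases.pop(mac))
                return None
            if mac not in self.leases:  # renewal of a lease we do not hold: NAK it
                return build(NAK, xid, mac, server_id=self.ip)
            return build(ACK, xid, mac, self.leases[mac], server_id=self.ip, lease=3600)
        return None


def lease_exchange(servers, mac, xid=0x3903F326):
    """Run DISCOVER/OFFER/REQUEST/ACK on a simulated broadcast segment.

    Returns (leased_ip, chosen_server_ip, lease_seconds); the first OFFER wins.
    """
    offers = [r for s in servers if (r := s.handle(build(DISCOVER, xid, mac)))]
    _, _, offered, oopts = parse(offers[0])
    chosen = socket.inet_ntoa(oopts[54])
    request = build(REQUEST, xid, mac, server_id=chosen, requested=offered)
    acks = [r for s in servers if (r := s.handle(request))]
    _, _, ip, aopts = parse(acks[0])
    if aopts[53][0] != ACK:
        raise RuntimeError("lease refused")
    return ip, chosen, struct.unpack("!I", aopts[51])[0]


if __name__ == "__main__":
    # Constructed sample: two servers with disjoint pools on one segment.
    segment = [Server("192.0.2.1", ["192.0.2.100"]), Server("192.0.2.2", ["192.0.2.200"])]
    print(lease_exchange(segment, b"\x00\x11\x22\x33\x44\x55"))
    print("server 2 pool after withdrawal:", segment[1].free)
```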

Using superscopes
A superscope is an administrative feature of DHCP servers running Windows Server 2003
that you can create and manage through the DHCP console. Using a superscope, you can
group multiple scopes as a single administrative entity. With this feature, a DHCP server can:
• Support DHCP clients on a single physical network segment (such as a single Ethernet LAN
segment) where multiple logical IP networks are used. When more than one logical IP
network is used on each physical subnet or network, such configurations are often called
multinets.
• Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents
(where the network on the far side of the relay agent uses multinets).
In multinet configurations, you can use DHCP superscopes to group and activate individual
scope ranges of IP addresses used on your network. In this way, the DHCP server computer
can activate and provide leases from more than one scope to clients on a single physical
network.
Superscopes can resolve certain types of DHCP deployment issues for multinets, including
situations in which:
• The available address pool for a currently active scope is nearly depleted, and more
computers need to be added to the network. The original scope includes the full addressable
range for a single IP network of a specified address class. You need to use another IP
network range of addresses to extend the address space for the same physical network
segment.
• Clients must be migrated over time to a new scope (such as to renumber the current IP
network from an address range used in an existing active scope to a new scope that contains
another IP network range of addresses).
• You want to use two DHCP servers on the same physical network segment to manage
separate logical IP networks.

Superscopes

In NT 4.0 and beyond, the DHCP Manager lets you create superscopes on DHCP servers. (To
create a superscope, select the server from the DHCP Manager, then select Scopes,
Superscopes). This feature makes it possible for several child scopes (address ranges) to be
defined on one DHCP server and then be grouped under the umbrella of a superscope.
Superscopes may be useful in the following situations:
More computers must be added to a network and the total number of new network interfaces
exceeds the capacity of the current scope.
Several networks have been combined into one physical network — for example, two
departments, Marketing and Sales, are merged into one — and you want to have IP addresses
from both scopes available to all. Interestingly, there appears to be no way of keeping these
two scopes separate with a single DHCP server. For example, Marketing and Sales (on the
same subnetwork) can’t arrange to draw IP addresses only from their own original scopes
because the only option most clients have is to “Obtain an IP address from a DHCP server”;
there is no provision for defining which DHCP server to use or which scope to use.
When you have a superscope defined, the client automatically attempts to renew or request a
lease from any available DHCP server or scope. If it can’t renew its current lease from within
one child scope (within the superscope), it may try to obtain a lease from within another child
scope. Some non-Microsoft DHCP servers have a user-class option that lets clients request an
address from a specified DHCP server or within a specified scope, but this isn’t the case with
Microsoft DHCP.

DHCP Options

You can configure Microsoft DHCP to give a DHCP client more than an IP address. In fact, a
DHCP server can give a DHCP client a total of 68 parameters. Using DHCP to assign these
parameters can eliminate much of the repetitious administrative work of configuring the
clients manually. These parameters are called DHCP options.
In Microsoft DHCP, you have three categories of options to choose from — global, scope, or
default.
Global — Option configurations pertain to all scopes on a DHCP server unless otherwise
configured within the scope or configured manually from the client. Use Global options when
most of the scopes will have the same parameters.
Scope — Option configurations pertain to only one scope on the DHCP server. Scope
configuration overrides global configuration, but it is superseded by manual configuration.
Use scope options for any scopes that have parameters that differ from the global options.
Default — In the absence of conflicting options (global, scope, or manual), the default
options apply.
Within these categories, some options are available to Windows-based DHCP clients while
others are available only to third-party clients that support these options. According to the
Microsoft Windows NT Server Networking Guide (Microsoft Press,1996), the options
available to Windows clients include
DNS servers — lists the IP addresses for DNS name servers.
Domain name — specifies the DNS domain name that the client should use for DNS
resolution.
Lease time — provides the time of the lease in a read-only format. Lease time is configured
in the Scope Properties dialog box shown in Figure 8.1. Lease time is the time from the
address assignment until the address expires.
NetBIOS scope ID — specifies NetBIOS over TCP/IP (NBT) scope ID as a text string.
Rebinding time — shows the time from address assignment until the rebinding state in a
read-only format. Rebinding occurs after the client updates its configuration values after a
renewal state.
Renewal time — provides the renewal time in a read-only format. Renewal time is the time
from address assignment until the client enters the renewal state. The renewal state starts at
one half the time to live (time to live is the same as lease time).
Router — lists the IP addresses for routers on the subnetwork.
Subnet Mask — provides the subnetwork mask in a read-only format. The subnetwork mask
is actually added in the Create Scope dialog box or Scope Properties dialog box, as shown in
Figure 8.1.
WINS/NBNS servers — specifies IP addresses for WINS name servers.
WINS/NBT node type — assigns a node type to a client, where 1=B node, 2=P node, 4=M
node, 8=H node.
Database files:
• DHCP.MDB - The main database
• DHCP.TMP - Temporary DHCP storage
• JET*.LOG - Transaction logs used to recover data
• SYSTEM.MDB - Used to track the structure of the DHCP database
DHCP best practices:
• Use the 80/20 design rule for balancing scope distribution of addresses where multiple DHCP
servers are deployed to service the same scope.
• Use superscopes for multiple DHCP servers on each subnet in a LAN environment.
• Deactivate scopes only when removing a scope permanently from service.
• Use server-side conflict detection on DHCP servers only when it is needed.
• Reservations should be created on all DHCP servers that can potentially service the reserved
client.
• For server performance, note that DHCP is disk-intensive and purchase hardware with
optimal disk performance characteristics.
• Integrate DHCP with other services, such as WINS and DNS.
• Use the manual backup and restore methods in the DHCP server console.
DHCP Database
DHCP has its own database. Stored in DHCP.mdb are the addresses, scopes and leases of the
clients. Understanding this database will help you back up and restore a DHCP server.
Check out this file: %systemroot%\system32\dhcp\dhcp.mdb
As time goes by the database will grow, and best practice dictates that you should consolidate
the database by freeing up space taken up by old leases.
The procedure for compacting the dhcp.mdb database is this:
1) Stop the DHCP service. Either right-click the DHCP Server icon and select All Tasks, then
Stop, or go to the command line and type: NET STOP DHCPServer. (For once the command
really is DHCPServer, NOT DHCPyourservername.)
2) At the command line, navigate to %systemroot%\system32\dhcp, the folder that holds
dhcp.mdb.
3) Run jetpack dhcp.mdb temp.mdb. This copies the existing database into temp.mdb,
compacts it, then copies it back to the original location - clever.
4) Remember to restart DHCP. Either use the GUI or, if you are at the command line, NET
START DHCPServer.
Warning: Do not 'mess' with any of the files that you find in the %systemroot%\system32\dhcp
folder; if you do, DHCP will stop working and you will have to either restore or re-install
DHCP.
DHCP Relay Agent - Concept
DHCPDiscover packets, like all broadcasts, cannot pass across routers. In fact, that is not
quite true: if you have a modern router that is RFC 1542 compliant, it can forward the
DHCPDiscover packets to a DHCP server in a different subnet. In this instance, the router
acts as a relay agent.
Relay Agent - Installation

It is rare for Microsoft to remove functionality, but while NT 4.0 Workstations could act as
DHCP relay agents, XP and W2K Pro cannot. So you need to install the relay agent on a
Windows Server 2003.
What is not obvious is where you find the relay agent; the answer is in Routing and Remote
Access. When you think about it, the relay agent is a type of router, hence the RRAS
location to install and configure the DHCP Relay Agent makes sense.
As I say, once you find and install the Relay Agent, configuring it is easy: all you need to do
is tell the router or DHCP relay agent the IP address of the real DHCP servers. Just right-click
the DHCP Relay Agent, and then select Properties from the shortcut menu.
Trap: you forget to add an interface. See that the 'ISP' interface in the screen shot is Enabled.

TRUST RELATIONSHIPS

Windows 2003 supports six types of trusts (although the OS doesn't support all types for all
forest modes):

• Tree-root trust--Windows 2003 automatically creates a transitive, two-way trust when
you add a new tree-root domain to an existing forest. Tree-root trusts let every domain
in different trees in the same forest implicitly trust one another.
• Parent-child trust--Windows 2003 automatically creates a transitive, two-way trust
when you add a child domain to an existing domain. This trust lets every domain in a
particular tree implicitly trust one another.
• Shortcut trust--When domains that authenticate users are logically distant from one
another, the process of logging on to the network can take a long time. You can
manually add a shortcut trust between two domains in the same forest to speed
authentication. Shortcut trusts are transitive and can either be one way or two way.
• External trust--Administrators can manually create an external trust between domains
in different forests or from a Windows 2003 domain to a Windows NT 4.0 or earlier
domain controller (DC). External trusts are nontransitive and can be one way or two
way.
• Forest trust--When two forests have a functional level of Windows 2003, you can use
a forest trust to join the forests at the root. An administrator can manually create a
two-way forest trust that lets all domains in both forests transitively trust each other.
Forest trusts can also be one way, in which case the domains in only one of the forests
would trust the domains in the other forest. Multiple forest trusts aren't transitive.
Therefore, if forest A has a forest trust to forest B and forest B has a forest trust to
forest C, forest A does not implicitly trust forest C.
• Realm trust--An administrator can manually create a realm trust between a Windows
2003 domain and a non-Windows Kerberos 5 realm. Realm trusts can be transitive or
nontransitive and one way or two way.
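As an added illustration of the transitivity rules above (not part of the original notes): a small Python model of trust edges that answers "does domain X accept authentication from domain Y?" by chaining intra-forest trusts freely, crossing at most one forest trust, and never chaining an external trust. The domain and forest names are constructed sample values; the function is the kind of check you would run while auditing a multi-forest trust layout.

```python
from collections import deque

# How far a path may continue through each trust type, per the rules in the text:
# intra-forest trusts are transitive and chain freely; a forest trust joins every
# domain of the two forests but two forest trusts never chain; external (and
# non-transitive realm) trusts cover only the two domains that hold them.
CHAIN_FREELY = {"tree-root", "parent-child", "shortcut", "realm-transitive"}
CHAIN_ONCE = {"forest"}
NO_CHAIN = {"external", "realm-nontransitive"}


class TrustGraph:
    """Directed trust edges: trusting domain -> trusted domain (the one whose users get in)."""

    def __init__(self):
        self.edges = {}

    def add(self, trusting, trusted, kind, two_way=True):
        if kind not in CHAIN_FREELY | CHAIN_ONCE | NO_CHAIN:
            raise ValueError(f"unknown trust type {kind!r}")
        self.edges.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, kind))

    def trusts(self, trusting, trusted):
        """True if `trusting` accepts authentication from `trusted`, directly or via a chain."""
        if trusting == trusted:
            return True
        # Search state is (domain, number of forest trusts crossed so far).
        start = (trusting, 0)
        seen, queue = {start}, deque([start])
        while queue:
            dom, crossed = queue.popleft()
            for nxt, kind in self.edges.get(dom, []):
                if kind in NO_CHAIN:
                    # Usable only as a direct hop from the trusting domain itself.
                    if dom == trusting and nxt == trusted:
                        return True
                    continue
                crossed_next = crossed + (kind in CHAIN_ONCE)
                if crossed_next > 1:
                    continue  # a second forest trust on the path: not transitive
                if nxt == trusted:
                    return True
                if (nxt, crossed_next) not in seen:
                    seen.add((nxt, crossed_next))
                    queue.append((nxt, crossed_next))
        return False

    def trusted_by(self, trusting):
        """Every domain whose users `trusting` would accept: an audit listing per domain."""
        nodes = set(self.edges) | {d for es in self.edges.values() for d, _ in es}
        return sorted(d for d in nodes if d != trusting and self.trusts(trusting, d))


if __name__ == "__main__":
    # Constructed sample: forest "corp" (two trees), forest "partner", forest "vendor",
    # forest trusts corp<->partner and partner<->vendor, one-way external trust to an NT4 domain.
    g = TrustGraph()
    g.add("corp.example", "sales.corp.example", "parent-child")
    g.add("corp.example", "eng.example", "tree-root")
    g.add("partner.example", "lab.partner.example", "parent-child")
    g.add("corp.example", "partner.example", "forest")
    g.add("partner.example", "vendor.example", "forest")
    g.add("sales.corp.example", "OLDNT", "external", two_way=False)
    for dom in ("sales.corp.example", "eng.example", "OLDNT"):
        print(dom, "accepts users from:", g.trusted_by(dom))
```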

New in Windows Server 2003

Regardless of the functional levels, many of the features are available immediately, such as:

• Universal Group Caching (No-GC logon)
• Create replica from media
• No-GC-full-synchronization (Reduced Traffic)
• Application partitions
• The use of DNS in Application Partitions
• All the mentioned administrative tools improvements
• DC rename
• Reset the Restore Mode Password while online
• ADMTv2.0 improvements
• Reduced storage requirements (Single instancing of Security Descriptors)
• Object quotas

There are two main features enabled at the Windows Server 2003 domain level:

• Two-stage DC rename
• Redirect default User and Computer creation

Note: Another small feature enabled at the Windows Server 2003 domain level is the
lastLogonTimestamp attribute, which keeps the calculated last logon time for a user in the
domain. This can be helpful since the existing lastLogon attribute is per DC and is not
replicated to other DCs.
The following are enabled at the Windows Server 2003 forest level:

• Per-value replication (e.g. Link Value Replication of Group membership)
• New ISTG algorithm
• Domain rename
• Schema redefine
• Convert user to INetOrgPerson class
• Corrected Aux class support
• Cross-Forest Trusts

New Active Directory Features


With the new Active Directory features in Standard Edition, Enterprise Edition, and
Datacenter Edition, more efficient administration of Active Directory is available to you.
New features can be divided into those available on any domain controller running
Windows Server 2003, and those available only when all domain controllers of a domain
or forest are running Windows Server 2003.

Features Available If Any Domain Controller Is Running Windows Server 2003
The following list summarizes the Active Directory features that are enabled by default
on any domain controller running Windows Server 2003.

• Multiple selection of user objects. Modify common attributes of multiple user
objects at one time.
• Drag-and-drop functionality. Move Active Directory objects from container to
container by dragging and dropping one or more objects to a desired location in
the domain hierarchy. You can also add objects to group membership lists by
dragging and dropping one or more objects (including other group objects) onto
the target group.
• Efficient search capabilities. Search functionality is object-oriented and
provides an efficient browse-less search that minimizes network traffic associated
with browsing objects.
• Saved queries. Save commonly used search parameters for reuse in Active
Directory Users and Computers.
• Active Directory command-line tools. Run new directory service commands
for administration scenarios.
• Selective class creation. Create instances of specified classes in the base
schema of a Windows Server 2003 forest. You can create instances of several
common classes, including: country or region, person, organizationalPerson,
groupOfNames, device, and certificationAuthority.
• InetOrgPerson class. The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as the user
class. The userPassword attribute can also be used to set the account password.
• Application directory partitions. Configure the replication scope for
application-specific data among domain controllers running Standard Edition,
Enterprise Edition, and Datacenter Edition. For example, you can control the
replication scope of Domain Name System (DNS) zone data stored in Active
Directory so that only specific domain controllers in the forest participate in DNS
zone replication.
• Add additional domain controllers to existing domains using backup
media. Reduce the time it takes to add an additional domain controller in an
existing domain by using backup media.
• Universal group membership caching. Prevent the need to locate a global
catalog across a wide area network (WAN) during logons by storing user universal
group memberships on an authenticating domain controller.
Features Available When All Domain Controllers Are Running Windows Server 2003
New domain- or forest-wide Active Directory features can be enabled only when all
domain controllers in a domain or forest are running Windows Server 2003 and the
domain functionality or forest functionality has been set to Windows Server 2003.
The following list summarizes the domain- and forest-wide Active Directory features that
can be enabled when either a domain or forest functional level has been raised to
Windows Server 2003.

• Domain controller rename tool. Rename domain controllers without first
demoting them.
• Domain rename. Rename any domain running Windows Server 2003 domain
controllers. You can change the NetBIOS name or DNS name of any child, parent,
tree- or forest-root domain.
• Forest trusts. Create a forest trust to extend two-way transitivity beyond the
scope of a single forest to a second forest.
• Forest restructuring. Move existing domains to other locations in the domain
hierarchy.
• Defunct schema objects. Deactivate unnecessary classes or attributes from the
schema.
• Dynamic auxiliary classes. Provides support for dynamically linking auxiliary
classes to individual objects, and not just to entire classes of objects. In addition,
auxiliary classes that have been attached to an object instance can subsequently
be removed from the instance.
• Global catalog replication tuning. Preserves the synchronization state of the
global catalog when an administrative action results in an extension of the partial
attribute set. This minimizes the work generated as a result of a partial attribute
set extension by only transmitting attributes that were added.
• Replication enhancements. Linked value replication allows individual group
members to be replicated across the network instead of treating the entire group
membership as a single unit of replication.

The following table describes the domain-wide features that are enabled for the
corresponding domain functional level:

Domain Feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003
Domain controller rename tool | Disabled | Disabled | Enabled
Update logon timestamp | Disabled | Disabled | Enabled
Kerberos KDC key version numbers | Disabled | Disabled | Enabled
User password on InetOrgPerson object | Disabled | Disabled | Enabled
Universal Groups | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows both security and distribution groups. | Enabled. Allows both security and distribution groups.
Group Nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting.
Converting Groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
SID History | Disabled | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another.
The following table describes the forest-wide features that are enabled for the
corresponding forest functional level:

Forest Feature | Windows 2000 | Windows Server 2003
Global catalog replication tuning | Disabled | Enabled
Defunct schema objects | Disabled | Enabled
Forest trust | Disabled | Enabled
Linked value replication | Disabled | Enabled
Domain rename | Disabled | Enabled
Improved replication algorithms | Disabled | Enabled
Dynamic auxiliary classes | Disabled | Enabled
InetOrgPerson objectClass change | Disabled | Enabled
New DNS Topics for Windows Server 2003

DNS Stub Zones

Stub zones are rather like DNS secondary zones. The similarity is that both zones hold a
read-only copy of data from the server that is authoritative for a child DNS domain. The
difference is that a stub zone holds only three record types, SOA, NS and A, whereas a
secondary zone has the full set of A records. Finally, the logic is that you create the stub
zone only in the root domain, and the stub zone then holds those three records for each child
domain. Incidentally, the A (host) records in the stub zone are referred to as 'glue' records.
The point of stub zones is to streamline administration, improve name resolution and
possibly reduce network traffic. Needless to say, stub zones are only needed in large,
complicated forests, and are unnecessary if you only have one domain.
When you need to create a stub zone, just call for the DNS snap-in. Right-click the
Forward Lookup Zones folder, and follow the wizard.
MSDCS DNS Zones
These DNS records beginning with an underscore are for servers to locate resources, for
example _GC, means Global Catalog and _DC means Domain controller. While these
resource records exist in Windows 2000, in Windows Server 2003 these _MSDCS records
have been moved to their own zone. The benefit of this new arrangement is that you can
control the resource replication. For example, you may want to replicate records to all
Domain Controllers in the Forest, or perhaps you want to restrict replication to Domain
Controllers in the local domain.
Conditional Forwarding
Conditional DNS forwarding is rather like taking a short cut. If I am in guybay.com and I am
running DNS and I want to contact quickgear.org, then I could go via the root ' . ' domain,
then the org server, then quickgear.org. Or, provided I knew the DNS server IP address in
quickgear.org, I could set up conditional forwarding and so take a shortcut.
Debug Logging for DNS
If you are troubleshooting a DNS connectivity problem, for example mail delivery or 404 web
page errors, then master Debug Logging. To start Debug Logging, navigate to the DNS snap-
in, then the server icon's Properties. A bonus of learning about Debug Logging in DNS is that
you can apply the technique to other services, for instance Exchange 2003.
DNSLint Utility
In the Windows Server 2003 support folder there is a marvellous utility called DNSLint.
What this does is display information about DNS in HTML format. The important features
are switches for Active Directory, MX records.
Related Feature - Universal Group Caching
Universal Groups sound great, and they are great if you only use them when Global groups
would NOT get the job done. Also stick to the best practice of only adding Global Groups to
Universal Groups. My point is avoid adding individual accounts to a security Universal
Group.
This is the logon problem that Universal Group Caching solves. A domain controller will not
let you log on until it has checked all the Universal groups that you could possibly be a
member of. The operating system's paranoia is that you may be a member of a Universal
group in a distant part of the forest that has been used to deny permissions. So, unless the
domain controller is sure it has enumerated all the Universal groups, it will not let you log on,
just in case there is a security violation.
The answer to the security versus speed dilemma is Universal Group Caching. If the domain
controller can check the cache for Universal Groups, then it can log the user on with the
correct security tokens without troubling domain controllers in other parts of the forest.
Once you have decided to implement Universal Group Caching, open Active Directory
Sites and Services. Drill down to the site name and find NTDS Site Settings; open its
Properties and the Site Settings tab. (If you only see a General tab, then you have drilled down
too far, into a server's NTDS Settings. Back-track from the server's NTDS Settings to the
site's NTDS Site Settings.)
Check the box which says Enable Universal Group Caching. If you are really stuck then just
ask for Help: Enable Universal Group Caching.

1.
GPO: Controlling Block (GPO) Inheritance.
Difference between GPO blocking and inheritance.
http://www.windowsecurity.com/articles/Controlling-Block-GPO-Inheritance-via-Delegation.html
http://technet2.microsoft.com/windowsserver/en/library/212eb1fd-11f4-465f-b243-73e542d06b2c1033.mspx?mfr=true

2.
What is difference between Basic and Dynamic Disks,
i.e Advantages/disadvantages of Basic and Dynamic disks.
3.
How do you do security patch management other than with WSUS?
4.
A server is down; how do you approach solving the problem?
5.
IIS
6.
Clustering
7.
If you have a domain in Hyd and branches in Ban and Noida,
and need to install domain controllers in Ban and Noida,
how do you do it?
Install the DC in Hyd and ship it to Ban as a physical DC, or is there any other method???

8.
What is the smart host in Exchange?

9.
How to recover mail box in Exchange?

10.
In your experience, what critical problem have you faced with respect to ADS?
Ans: Domain crash, i.e. the bootable hard disk failed.
A new hard disk was installed and ADS was restored from the previous system state backup.

11.
What are the steps in authoritative Restore?

12.
Windows XP booting process??

13.
Explain PDC Emulator?

14.
A Windows XP client has just joined the domain.
What is the first logon process?

15.
Difference between TCP and UDP?

16.
DNS Records??

17.
Tell me one critical problem which you faced with respect to ADS?

18.
One user is working on a Windows XP client system.
You need to install software on the system.
How do you install the software without disturbing his work?

19.
Tell me about yourself? First question.

20.
What is your career plan for the next 5 years?

21.
How do you rate yourself in ADS?

22.
What is the process by which a DHCP client gets an IP address?

23.
A client is not getting an IP address from DHCP. What is the problem?

24.
What is 80-20 rule in DHCP?

25.
How many cluster nodes can be added in Windows 2003 Enterprise Server?

26.
What are KDC and KCC in Windows 2003?
Ans:
Since Windows 2000, a Windows domain controller (DC) is able to act as a Kerberos Key
Distribution Center (KDC).

27.
In the DHCP console there are two kinds of options. What are they? What is the difference between them?
Ans.
Server options.
Scope options.

28.
ADS Loopback connection?

29.
If the PDC Emulator is down, can a user log on to the DC?

30.
Can a domain local group be added to a global group?

31.
In a single-DC environment, what are the benefits if a site is created?
What are the benefits if one is not created?
32.
In DNS Explain SRV record?

33.
How do you remove Games on Windows XP systems?

34.
If the Global Catalog is down in an Exchange environment
and I send a mail to a local user and an internet user, who receives the mail?

Ans. Nobody will receive the mail.

35.
How do you change Administrator user name in Windows XP and 2003?

36.
Global Catalog and LDAP port numbers?
3268, 389

37.
Difference between Authoritative and non Authoritative Restores?

38.
