
2010

FUNDAMENTALS OF MCSE & CCNA for Competition, Certification & Interviews


ZEEL ASPIRANTS GROUP 2/18/2010

ACKNOWLEDGEMENTS
The satisfaction and euphoria that accompany the successful completion of a task would be incomplete without mention of the people who are responsible for the completion of the work. I wish to express my gratitude to those whose guidance has made me accomplish this BOOK entitled FUNDAMENTALS OF MCSE & CCNA for competition, certification & interviews of SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER. I am fortunate to work with a wonderful group of people whose experience, timely help and advice have been of great help in the success of my work. I would like to express my sincere thanks to MR. MOHAMMAD KASHFUDDOJA, PROFESSOR, DEPT. OF MECHANICAL ENGINEERING, ISLAMIAH INSTITUTE OF TECHNOLOGY, BANGALORE, who guided and supervised me throughout this work period with his vast knowledge and helping nature. I am really indebted to him and seek the same support in my future endeavors. I affectionately render my sincere thanks to MR. MD MUBEEN, PROFESSOR, DEPT. OF MECHANICAL ENGINEERING, ISLAMIAH INSTITUTE OF TECHNOLOGY, BANGALORE, for providing the required resources. It is his constant support and care and well-to-do guidelines which kept me enthusiastic always. I will forever be thankful to him. I am thankful to MR. MD MOHSIN AHMED, PROFESSOR, DEPT. OF COMPUTER SCIENCE ENGINEERING, ISLAMIAH INSTITUTE OF TECHNOLOGY, BANGALORE, for his faith in me and needful support during the complete work period. It gives me pleasure to express my sincere gratitude to Mr. ISAQMIYYA, SYSTEM ADMINISTRATOR, INFOSYS, BANGALORE, for his inspiring advice, motivation, constant support, encouragement, guidance and help during the completion of this book. Words are insufficient to express my sincere gratitude to my friends, who helped directly or indirectly to complete my dissertation.
Mr. SYED MUNAWWER
AUTHOR & PROFESSOR, CSE DEPT., IIT, BANGALORE

PREFACE TO THE FIRST EDITION

This book on FUNDAMENTALS OF MCSE & CCNA has been written for competition, certification & interviews of SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER. The central aim has been to treat this subject as an engineering science. To this end, various fundamental considerations have been explicitly identified and related. The focus has been on these fundamentals in an effort to bring unity to an elementary presentation of the subject or field. Further, in the process of writing a book dealing with such a topic it is difficult to decide on the optimum content of the material. However, the book has to serve its intended purpose. Keeping this in mind, an attempt has been made to discuss the subject in a fair degree of depth without making the book unduly bulky. The material contained presupposes on the part of the reader an exposure to the elementary fundamentals of MCSE and CCNA for competition, certification and interviews in various fields of the IT sector. The material in the present book has been culled from a large number of books, websites, IT industries and personal experts in order to make it useful to a large section of readers. The author will be most grateful to be notified of any error, repetition or misprint. Further suggestions for the improvement of the book are welcome.

AUTHOR Professor Syed Munawwer

ASPIRANTS GROUPS
GOVERNING MEMBERS
1. Mr. SYED MUNAWWER, Professor, Dept. of Computer Science & Engineering, IIT, Bangalore, syedmunawwer@gmail.com
2. Mr. MOHAMMAD KASHFUDDOJA, Professor, Dept. of Mechanical Engineering, IIT, Bangalore, mdkashfuddoja@gmail.com
3. Mr. MD MUBEEN, Professor, Dept. of Mechanical Engineering, IIT, Bangalore, mubeenhg@gmail.com
4. Mr. MD MOHSIN AHMED, Professor, Dept. of Mechanical Engineering, IIT, Bangalore, mohsincs@gmail.com
5. Mr. MD ISAQMIYYA, System Administrator, INFOSYS, Bangalore, isaqmiyya-226033@infosys.com

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

Keyboard Shortcuts (Internet Explorer):

F1 - Display Help
F11 - Toggle between full-screen and regular views of the browser window
TAB - Move forward through the items on a webpage, the Address bar, or the Links bar
SHIFT+TAB - Move back through the items on a webpage, the Address bar, or the Links bar
ALT+HOME - Go to your home page
ALT+RIGHT ARROW - Go to the next page
ALT+LEFT ARROW or BACKSPACE - Go to the previous page
SHIFT+F10 - Display a shortcut menu for a link
CTRL+TAB or F6 - Move forward through frames and browser elements (only works if tabbed browsing is disabled)
CTRL+SHIFT+TAB - Move backward between frames (only works if tabbed browsing is disabled)
UP ARROW - Scroll toward the beginning of a document
DOWN ARROW - Scroll toward the end of a document
PAGE UP - Scroll toward the beginning of a document in larger increments
PAGE DOWN - Scroll toward the end of a document in larger increments
HOME - Move to the beginning of a document
END - Move to the end of a document
CTRL+F - Find on this page
F5 - Refresh the current webpage
CTRL+F5 - Refresh the current webpage, even if the time stamp for the web version and your locally stored version are the same
ESC - Stop downloading a page
CTRL+O - Open a new website or page
CTRL+N - Open a new window
CTRL+W - Close the current window (if you only have one tab open)
CTRL+S - Save the current page
CTRL+P - Print the current page or active frame
ENTER - Activate a selected link
CTRL+I - Open Favorites
CTRL+H - Open History
CTRL+J - Open Feeds
CTRL+click - Open links in a new tab in the background
CTRL+SHIFT+click - Open links in a new tab in the foreground
CTRL+T - Open a new tab in the foreground
CTRL+TAB or CTRL+SHIFT+TAB - Switch between tabs
CTRL+W - Close current tab (or the current window if tabbed browsing is disabled)
ALT+ENTER - Open a new tab in the foreground from the Address bar
CTRL+n (where n is a number between 1 and 8) - Switch to a specific tab number
CTRL+9 - Switch to the last tab
CTRL+ALT+F4 - Close other tabs
CTRL+Q - Toggle Quick Tabs (thumbnail view) on or off
CTRL+PLUS SIGN - Increase zoom (+10%)
CTRL+MINUS SIGN - Decrease zoom (-10%)
CTRL+0 - Zoom to 100%
CTRL+E - Go to the Toolbar Search box
ALT+ENTER - Open your search query in a new tab
CTRL+DOWN ARROW - Open the search provider menu
ALT+P - Set printing options and print the page
ALT+U - Change paper, headers and footers, orientation, and margins for this page
ALT+HOME - Display the first page to be printed
ALT+LEFT ARROW - Display the previous page to be printed
ALT+A - Type the number of the page you want displayed
ALT+RIGHT ARROW - Display the next page to be printed
ALT+END - Display the last page to be printed
ALT+MINUS SIGN - Zoom out
ALT+PLUS SIGN - Zoom in
ALT+Z - Display a list of zoom percentages
ALT+F - Specify how you want frames to print (this option is available only if you are printing a webpage that uses frames)
ALT+C - Close Print Preview
ALT+D - Select the text in the Address bar
F4 - Display a list of addresses you've typed
CTRL+LEFT ARROW - When in the Address bar, move the cursor left to the next logical break in the address (period or slash)
CTRL+RIGHT ARROW - When in the Address bar, move the cursor right to the next logical break in the address (period or slash)
CTRL+ENTER - Add "www." to the beginning and ".com" to the end of the text typed in the Address bar
UP ARROW - Move forward through the list of AutoComplete matches
DOWN ARROW - Move back through the list of AutoComplete matches
CTRL+D - Add the current page to your favorites
CTRL+B - Open the Organize Favorites dialog box
ALT+UP ARROW - Move selected item up in the Favorites list in the Organize Favorites dialog box
ALT+DOWN ARROW - Move selected item down in the Favorites list in the Organize Favorites dialog box
CTRL+I - Open Favorites Center and display your favorites
CTRL+H - Open Favorites Center and display your history
CTRL+J - Open Favorites Center and display your web feeds
CTRL+X - Remove the selected items and copy them to the Clipboard
CTRL+C - Copy the selected items to the Clipboard
CTRL+V - Insert the contents of the Clipboard at the selected location
CTRL+A - Select all items on the current webpage
ALT+N - Move focus to the Information bar
SPACEBAR - Click the Information bar

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

Differences between Outlook and Outlook Express:
NOTE: If you install and run MSN Explorer version 6, your MSN POP3 e-mail account will be migrated to an MSN Hotmail account. If you have Outlook or Outlook Express configured for POP3, you will no longer receive your new MSN e-mail messages in them.
MORE INFORMATION: The Microsoft Outlook family of messaging and collaboration clients is based on the recognition that home and business users have different needs. The Outlook family of clients is optimized for these two distinct market segments:
1. Home users who need easy and reliable Internet, e-mail, and newsgroup functionality.
2. Business users who require reliability and ease of use, but who also need more e-mail functionality and tight integration between e-mail and tools for information management and collaboration.
Most users find that their needs are best met by the client that is optimized for their usage patterns. The following sections provide more information about how Outlook Express meets the needs of home users and how Outlook meets the needs of business users.


Outlook Express: Outlook Express is the e-mail client that is included with Microsoft Internet Explorer 4.x, Microsoft Internet Explorer 5.x, the Microsoft Windows 98 operating system, the Microsoft Windows Millennium Edition (Me) operating system, the Microsoft Windows 2000 operating systems, and Microsoft Office 98 for the Macintosh. Outlook Express is designed for home users who gain access to their email messages by dialing in to an Internet service provider (ISP).

Built on open Internet standards, Outlook Express is designed for use with any Internet-standard system, for example Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP). It provides full support for today's most important e-mail, news and directory standards, such as Lightweight Directory Access Protocol (LDAP), MIME-encapsulated HTML (MHTML), Hypertext Markup Language (HTML), Secure/Multipurpose Internet Mail Extensions (S/MIME) and Network News Transfer Protocol (NNTP). Full support ensures that you can take advantage of new technologies as well as seamlessly send and receive e-mail. Migration tools that automatically import your existing mail settings, address book entries and e-mail messages from Eudora, Netscape, Microsoft Exchange Server, the Windows Inbox and Outlook make it easy to quickly take advantage of all that Outlook Express has to offer. The ability to receive mail from multiple e-mail accounts, as well as the ability to create Inbox rules, helps you manage and organize your e-mail. In addition, full support for HTML mail enables you to personalize your messages with custom backgrounds and graphics, which makes it easy to create unique, visually powerful messages. For special occasions, such as birthdays or holidays, Outlook Express includes stationery designed by Greetings Workshop and Hallmark.

Outlook: Outlook is Microsoft's premier messaging and collaboration client. It is a standalone application that is integrated into Microsoft Office and Exchange Server. Outlook also provides performance and integration with Internet Explorer 5.5. Complete integration of e-mail, calendaring and contact management makes Outlook the perfect client for many business users.

Outlook helps you find and organize information so that you can work seamlessly with Office applications. This helps you communicate and share information more effectively. Powerful Inbox rules enable you to filter and organize e-mail messages. With Outlook, you can integrate and manage e-mail from multiple e-mail accounts, personal and group calendars, contacts, and tasks. When you use Outlook with Exchange Server, you can use workgroup information sharing and workflow communications, group scheduling, public folders, forms, and enhanced Internet connectivity. Outlook is designed for use with the Internet (SMTP, POP3, and IMAP4), Exchange Server, or any other standards-based communication system that supports Messaging Application Programming Interface (MAPI), including voice mail. Outlook is based on Internet standards and supports today's most important email, news, and directory standards, including LDAP, MHTML, NNTP, MIME, and S/MIME, vCalendar, vCard, iCalendar, and full support for HTML mail. Outlook also offers the same import tools that are offered with Outlook Express. This enables easy migration from other e-mail clients, and offers further migration from Microsoft Mail, Microsoft Schedule+ 1.0, Microsoft Schedule+ 7.0, Lotus Organizer, NetManage ECCO, Starfish SideKick, Symantec ACT, as well as synchronization with leading Personal Digital Assistants (PDAs), such as the 3Com Palm Pilot. 
How to Decide Which Client Best Suits Your Needs: When choosing between Outlook Express and Outlook, users and organizations should base their decision on the following criteria.
Outlook Express (choose Outlook Express if):
You require only Internet e-mail and newsgroup functionality (on versions of Windows later than Windows 95, versions of Windows earlier than Windows 95, Macintosh, or UNIX platforms).
You use or plan to use Office 98 for Macintosh, and you want to take advantage of the integration of Outlook Express with this version of the Office suite.


Outlook (choose Outlook if):
You require advanced Internet standards-based e-mail and discussion group functionality.
You require integrated personal calendars, group scheduling, task and contact management.
You require integrated e-mail and calendaring with cross-platform clients for versions of Windows later than Windows 95, versions of Windows earlier than Windows 95, and Macintosh platforms.
You use, or plan to use, Office 97, Office 2000, Office XP or Exchange Server and want to take advantage of the integration of Outlook with that version of the Office suite and with Exchange Server.
You require robust, integrated run-time and design-time collaboration capabilities.

What is the difference between POP and IMAP mail servers? Using IMAP to access your mailbox has advantages over POP3. The difference in how the two work can be summarized point by point (POP3 first, then IMAP):

1. Message storage.
POP3: E-mail must be downloaded to the desktop PC before it can be displayed, so you may have the following problems: you need to download all e-mail again when you use another desktop PC to check your mail; it is easy to get confused if you check e-mail both in the office and at home; the downloaded e-mail may be deleted from the server, depending on the setting of your e-mail client; and all messages, together with their attachments, are downloaded during the "check new e-mail" process.
IMAP: E-mail is kept on the server, which brings the following benefits: no need to download all e-mail when you check it from another desktop PC; it is easier to identify unread e-mail; and the whole message is downloaded only when it is opened for display.

2. Mailboxes and filters.
POP3: Mailboxes can only be created on the desktop PC; only one mailbox (INBOX) exists on the server. Filters can move incoming/outgoing messages only to local mailboxes.
IMAP: Multiple mailboxes can be created on the desktop PC as well as on the server. Filters can move incoming/outgoing messages to other mailboxes wherever they are located (on the server or on the PC).

3. Outgoing e-mail.
POP3: Outgoing e-mail is stored only locally on the desktop PC.
IMAP: Outgoing e-mail can be filtered to a mailbox on the server so that it is accessible from other machines.

4. Deleting messages.
POP3: Messages are deleted on the desktop PC; cleaning up your mailbox on the server is comparatively inconvenient.
IMAP: Messages can be deleted directly on the server, which makes cleaning up your server mailbox more convenient.

5. Reloading messages.
POP3: Messages may be reloaded onto the desktop PC several times if the client's local files become corrupted.
IMAP: Reloading messages from the server to the PC happens much less often than with POP3.

Note for either protocol: the user name, password and message contents are sent in clear text unless the session is protected by TLS (POP3 over TLS on port 995, IMAP over TLS on port 993, or STARTTLS on the standard ports 110 and 143), so TLS should be required whichever protocol is chosen.

IP Address: An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. An IPv4 address is a 32-bit number written as four decimal numbers separated by periods, each between 0 and 255; for example, 1.160.10.240 could be an IP address. Within an isolated network you can assign IP addresses as you like, as long as each one is unique. Connecting a private network to the Internet, however, requires registered, globally unique IP addresses (Internet addresses) to avoid duplicates. The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. The regional Internet registries (ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC) assign Internet addresses; historically these were handed out from the following three classes:
Class A - supports about 16 million hosts on each of 126 networks
Class B - supports about 65,000 hosts on each of 16,000 networks
Class C - supports 254 hosts on each of about 2 million networks
Because the classful scheme wastes addresses and the supply of unassigned IPv4 addresses is running out, the classless scheme CIDR (Classless Inter-Domain Routing) has replaced allocation by class A, B and C; IPv6, with its 128-bit addresses, is the long-term replacement for IPv4 itself.
What is a Subnet Mask?


A subnet mask allows you to identify which part of an IP address is reserved for the network, and which part is available for host use. If you look at the IP address alone, especially now with classless inter-domain routing, you can't tell which part of the address is which. Adding the subnet mask, or netmask, gives you all the information you need to calculate network and host portions of the address with ease. In summary, knowing the subnet mask can allow you to easily calculate whether IP addresses are on the same subnet, or not. What is a Subnet? A subnet is a logical organization of network address ranges used to separate hosts and network devices from each other to serve a design purpose. In many cases subnets are created to mirror physical or geographical separations, such as you find between cities, buildings, floors or rooms. Most modern subnet definitions are created specifically with a concern of how many hosts will need to exist on the subnet now and in the future, what security controls are needed between networks, and the performance required for communications between hosts

What is IP? IP (Internet Protocol) is the main network layer protocol used on the Internet.
Network and Host ID Fields: The four octets that make up an IP address are conventionally represented by a, b, c and d respectively. The following table shows how the octets are divided in classes A, B and C.
Class - IP Address - Network ID - Host ID
A - a.b.c.d - a - b.c.d
B - a.b.c.d - a.b - c.d
C - a.b.c.d - a.b.c - d


Class A: Class A addresses are used for networks with a very large number of hosts. Class A allows for 126 networks by using the first octet for the network ID. The first bit of this octet is always fixed at 0, and the remaining seven bits of the octet complete the network ID. The 24 bits in the remaining three octets represent the host ID, allowing 126 networks and approximately 16.7 million (2^24 - 2) hosts per network. Class A network numbers run from 1 to 126: network 0 is not used and 127 is reserved for loopback (127.0.0.1).
Class B: Class B addresses are used for medium to large networks. Class B allows for 16,384 networks by using the first two octets for the network ID. The first two bits of the first octet are always fixed at 1 0; the remaining 6 bits, together with the second octet, complete the network ID. The 16 bits in the third and fourth octets represent the host ID, allowing for 65,534 hosts per network. Class B network numbers run from 128 to 191.

Class C: Class C addresses are used in small local area networks (LANs). Class C allows for approximately 2 million (2,097,152) networks by using the first three octets for the network ID. The first three bits of the first octet are always fixed at 1 1 0, and the remaining 21 bits of the first three octets complete the network ID. The 8 bits of the last octet represent the host ID, allowing for 254 hosts per network (the all-zeros and all-ones host IDs are reserved). Class C network numbers run from 192 to 223.
Class D and E: Classes D and E are not allocated to hosts. Class D addresses (first octet 224 to 239) are used for multicasting, and class E addresses (first octet 240 to 255) are not available for general use: they are reserved for future purposes.
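The class rules and subnet-mask arithmetic above are easy to get wrong by hand, so here they are as working code. This is an added example, not code from the book; it uses only the Python standard library, and the addresses in main() are constructed for illustration. The class table is taken from the text (first octet 0-127 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E); the functions go slightly beyond the text by also handling CIDR prefixes, validating that a mask is a contiguous run of 1 bits, and cross-checking the result against the ipaddress module.

```python
"""Classful IPv4 addressing and subnet-mask arithmetic (added example)."""
from __future__ import annotations

import ipaddress

# (class letter, lowest first octet, highest first octet, default mask or None)
CLASS_RANGES = (
    ("A", 0, 127, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast: no network/host split
    ("E", 240, 255, None),   # reserved
)


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything that is not four octets in 0..255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_class(addr: str) -> str:
    """The classful letter A..E is decided by the first octet alone."""
    first = ip_to_int(addr) >> 24
    return next(c for c, low, high, _ in CLASS_RANGES if low <= first <= high)


def classful_mask(addr: str) -> str:
    """Default mask implied by the class; classes D and E have none."""
    letter = ip_class(addr)
    mask = next(m for c, _, _, m in CLASS_RANGES if c == letter)
    if mask is None:
        raise ValueError(f"class {letter} address {addr} has no host portion")
    return mask


def classful_split(addr: str) -> tuple[str, str]:
    """(network ID, host ID) using the a / a.b / a.b.c convention of the class table."""
    prefix_octets = {"A": 1, "B": 2, "C": 3}.get(ip_class(addr))
    if prefix_octets is None:
        raise ValueError(f"class {ip_class(addr)} address {addr} has no host portion")
    octets = addr.split(".")
    return ".".join(octets[:prefix_octets]), ".".join(octets[prefix_octets:])


def is_valid_mask(mask: str) -> bool:
    """A netmask must be a run of 1 bits followed only by 0 bits (255.0.255.0 is not one)."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def mask_to_prefix(mask: str) -> int:
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask!r}")
    return bin(ip_to_int(mask)).count("1")


def prefix_to_mask(prefix: int) -> str:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet exactly when their masked (network) bits agree."""
    mask_to_prefix(mask)                     # validates the mask
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def subnet_bounds(addr: str, mask: str) -> tuple[str, str, int]:
    """(network address, broadcast address, usable host count) for addr/mask."""
    prefix = mask_to_prefix(mask)
    m = ip_to_int(mask)
    net = ip_to_int(addr) & m
    bcast = net | (~m & 0xFFFFFFFF)
    size = bcast - net + 1
    usable = size if prefix >= 31 else size - 2   # /31 and /32 reserve no addresses
    return int_to_ip(net), int_to_ip(bcast), usable


def cross_check(addr: str, mask: str) -> tuple[str, str]:
    """Same network/broadcast from the standard library, to confirm the arithmetic."""
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    for addr in ("1.160.10.240", "172.16.5.1", "192.168.1.10", "224.0.0.9"):
        letter = ip_class(addr)
        split = classful_split(addr) if letter in "ABC" else "n/a"
        print(f"{addr:15} class {letter}  network/host = {split}")
    print(subnet_bounds("192.168.1.10", "255.255.255.192"), cross_check("192.168.1.10", "255.255.255.192"))
    print(same_subnet("10.1.2.3", "10.1.3.4", prefix_to_mask(23)))
```

The mask check matters in practice: a non-contiguous mask such as 255.0.255.0 is accepted by some tools and silently produces nonsense network boundaries, so reject it before doing any arithmetic with it.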

What is the OSI model? The OSI model is a reference model which most IT professionals use to describe networks and network applications. The OSI model was originally intended to describe a complete set of production network protocols, but the cost and complexity of the government processes involved in defining the OSI network made the project unviable. In the time that the OSI designers spent arguing over who would be responsible for what, TCP/IP conquered the world.

The Seven Layers of the OSI Model: The easiest way to remember the layers of the OSI model is to use the handy mnemonic "All People Seem To Need Data Processing":

Layer - Name - Mnemonic
7 - Application - All
6 - Presentation - People
5 - Session - Seem
4 - Transport - To
3 - Network - Need
2 - Data Link - Data
1 - Physical - Processing

The functions of the seven layers of the OSI model are:


Layer Seven of the OSI Model: The Application Layer of the OSI model is responsible for providing end-user services, such as file transfers, electronic messaging, e-mail, virtual terminal access, and network management. This is the layer with which the user interacts.
Layer Six of the OSI Model: The Presentation Layer of the OSI model is responsible for defining the syntax which two network hosts use to communicate. Encryption and compression should be Presentation Layer functions.
Layer Five of the OSI Model: The Session Layer of the OSI model is responsible for establishing process-to-process communications between networked hosts.
Layer Four of the OSI Model: The Transport Layer of the OSI model is responsible for delivering messages end to end between networked hosts. The Transport Layer is responsible for segmentation and reassembly of those messages (in TCP/IP, fragmentation of individual packets is done one layer down, by IP).
Layer Three of the OSI Model: The Network Layer of the OSI model is responsible for establishing paths for data transfer through the network. Routers operate at the Network Layer.

Layer Two of the OSI Model: The Data Link Layer of the OSI model is responsible for communications between adjacent network nodes. Switches and bridges operate at the Data Link Layer; hubs and repeaters, which only regenerate the signal, belong to the Physical Layer.
Layer One of the OSI Model:


The Physical Layer of the OSI model is responsible for bit-level transmission between network nodes. The Physical Layer defines items such as connector types, cable types, voltages and pin-outs.
The OSI Model vs. The Real World: The major difficulty with the OSI model is that it does not map well to the real world. The OSI model was created after many of today's protocols were already in production use. These existing protocols, such as TCP/IP, were designed and built around the needs of real users with real problems to solve. The OSI model was created by academicians for academic purposes. The OSI model is a very poor standard, but it is the only well-recognized standard we have which describes networked applications. The easiest way to deal with the OSI model is to map the real-world protocols to the model, as well as they can be mapped.

Layer - Name - Common Protocols
7 - Application - SSH, telnet, FTP
6 - Presentation - HTTP, SMTP, SNMP
5 - Session - RPC, Named Pipes, NETBIOS
4 - Transport - TCP, UDP
3 - Network - IP
2 - Data Link - Ethernet
1 - Physical - Cat-5

The difficulty with this approach is that there is no general agreement as to which layer of the OSI model any specific protocol maps to; you could argue forever about which OSI layer SSH belongs to. A much more accurate model of real-world networking is the TCP/IP model:

TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Interface Layer

The most significant downside of the TCP/IP model is that if you reference it, fewer people will know what you are talking about!

What are the differences between Windows Server 2003 Service Pack 1 (SP1) and Windows Server 2003 R2? Windows Server 2003 SP1 is a service pack that provides product updates to the Windows Server 2003 operating system. Windows Server 2003 SP1 contains additional features to increase security and improve functionality. SP1 is a free product update and can be easily downloaded or ordered on a CD-ROM. Windows Server 2003 R2 is an update release of the Windows Server 2003 operating system that is built on top of Windows Server 2003 SP1 and includes new product features, specifically in the following areas: branch office management, identity and access management, and storage management. Windows Server 2003 R2 requires a new server license and is available for purchase through the same channels as Windows Server.

What are the differences between the Standard, Enterprise and Web Editions of Windows Server 2003?
Windows Server 2003 Standard Edition: the standard server; it can be a domain controller and runs Active Directory and DNS. It does not support Itanium-based systems, and it can be used as a streaming media server but not as a cluster node.
Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition: everything a Standard server can do, plus support for Itanium-based systems and the ability to be a node in a cluster. They are more robust and support non-uniform memory access (NUMA), up to 64 GB of RAM and more CPUs.
Windows Server 2003 Web Edition: made for web deployments, web services and applications. It cannot run Active Directory, so it can never be a domain controller.

Name some application servers and web servers:
1) Lighttpd, pronounced "lighty", is a free, lightweight open-source web server (packaged for FreeBSD and most other Unix-like systems). 2) Sun Java System Web Server.
JBoss (Red Hat), JRun (Adobe) and WebLogic Server (BEA, now Oracle) are application servers.

Are there any differences between 32-bit, x64 and 64-bit versions of Windows Server 2003? A 32-bit version of the operating system processes data in 32-bit words; a 64-bit version (x64 for AMD64/Intel 64 processors, or the Itanium version for IA-64) processes data in 64-bit words. Support for 64-bit processing delivers far higher scalability than 32-bit file servers by providing a greatly enlarged virtual address space and paged pool area, the ability to handle increased numbers of users and connections, and increased hardware reliability through predictive error checking and notification of failures.

What is a stub? What is its use in replica-aware stubs? In computer networking a stub is a section of network with only one exit router to other networks, so routing inside it is trivial. A "replica-aware stub" is a different use of the word: in a Java EE application server cluster (WebLogic, for example), it is the client-side proxy for a remote object that knows about every server instance holding a replica of that object and can load-balance or fail over between them.
How do you check whether Active Directory has been installed properly?
1. Check the SRV records in the DNS server. After Active Directory is installed, the domain controller registers SRV records (for example _ldap._tcp.<domain>) in DNS.
2. Verify the folders and shares: the SYSVOL folder must exist and be shared as SYSVOL and NETLOGON on the domain controller.
3. Verify the database and log files NTDS.DIT, edb.* and Res*.log (by default under %SystemRoot%\NTDS).
The dcdiag tool from the Windows Support Tools runs these and further checks automatically.
What is a proxy server?

A proxy server is an intermediary between the user's computer and the computer they wish to access. For example, if a user browsing the web requests a page from a web server at a university in the USA, the request is directed to the proxy server, which then makes the request from the USA Web ...

What are the different types of Servers?
Server Platforms: A term often used synonymously with operating system, a platform is the underlying hardware or software for a system and is thus the engine that drives the server.

Application Servers: Sometimes referred to as a type of middleware, application servers occupy a large chunk of computing territory between database servers and the end user, and they often connect the two.

Audio/Video Servers: Audio/Video servers bring multimedia capabilities to Web sites by enabling them to broadcast streaming multimedia content.

Chat Servers: Chat servers enable a large number of users to exchange information in an environment similar to Internet newsgroups that offer real-time discussion capabilities.


Fax Servers: A fax server is an ideal solution for organizations looking to reduce incoming and outgoing telephone resources but that need to fax actual documents.

FTP Servers: One of the oldest of the Internet services, File Transfer Protocol makes it possible to move one or more files securely between computers while providing file security and organization as well as transfer control.

Groupware Servers: A groupware server is software designed to enable users to collaborate, regardless of location, via the Internet or a corporate intranet and to work together in a virtual atmosphere.

IRC Servers: An option for those seeking real-time discussion capabilities, Internet Relay Chat consists of various separate networks (or "nets") of servers that allow users to connect to each other via an IRC network.

List Servers: List servers offer a way to better manage mailing lists, whether they be interactive discussions open to the public or one-way lists that deliver announcements, newsletters, or advertising.

Mail Servers: Almost as ubiquitous and crucial as Web servers, mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

News Servers: News servers act as a distribution and delivery source for the thousands of public news groups currently accessible over the USENET news network.

Proxy Servers: Proxy servers sit between a client program (typically a Web browser) and an external server (typically another server on the Web) to filter requests, improve performance, and share connections.

Telnet Servers: A Telnet server enables users to log on to a host computer and perform tasks as if they were working on the remote computer itself.

Web Servers: At its core, a Web server serves static content to a Web browser by loading a file from a disk and serving it across the network to a user's Web browser. This entire exchange is mediated by the browser and server talking to each other using HTTP.

What is a virtual private network? It is a method of accessing a private, secure network across an unsecured public network. A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.

What is Active Directory? Active Directory is Microsoft's trademarked directory service. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories.

What is X.500 Directory Service? A standard way to develop an electronic directory of people in an organization so that it can be part of a global directory available to anyone in the world with Internet access. The idea is to be able to look up people in a user-friendly way by name, department, or organization. Many enterprises and institutions have created an X.500 directory. Because these directories are organized as part of a single global directory, you can search for hundreds of thousands of people from a single place on the World Wide Web.

What is LDAP? LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of X.500. LDAP originated at the University of Michigan and has been endorsed by at least 40 companies.

Explain AD's Logical and Physical Components. The physical structure consists of sites and domain controllers. The physical structure helps you optimize network traffic by customizing the network configuration.

Logical structure:

Domain: The core component of AD's logical structure is the domain. A domain is a unit of replication: all domain controllers in a domain replicate information to each other and contain a complete copy of directory information for their domain. Domains also act as security boundaries.

Organizational Unit (OU): You use OUs to organize objects within a domain and to delegate authority to individuals or groups who need to manage those objects. For example, if the finance department wants to manage its own resources, you can create an OU container called Finance, create objects (e.g., users, computers, printers) within that container, and assign someone from the finance department to manage these resources (known as delegating the authority).

Tree: Multiple domains form a tree. All domains in a tree maintain a contiguous namespace, e.g. microsoft.com, support.microsoft.com, us.microsoft.com.

Forest: A forest is one or more trees that don't share a contiguous namespace. We can have two trees in a forest representing two namespaces in one organization. A forest shares a common configuration (e.g., information about domains, computers, and trust relationships), schema (e.g., classes and attributes), and a Global Catalog.

Physical structure - Sites and domain controllers:

Site: A site is one or more well-connected IP subnets. It controls replication traffic between domain controllers and lets users authenticate with a domain controller within their site. This functionality helps you optimize network traffic and logon authentication in large enterprises.

Domain controller: A domain controller is a Win2K server running AD and contains a complete replica of the domain database. In Win2K, no single domain controller acts as a master domain controller. All domain controllers use a multimaster replication model and are peers.

What are FSMO Roles? Though Windows 2K/2K3 domain models are multimaster, there are certain roles performed only by a single server. These are known as Flexible Single Master Operations. There are five FSMO roles: Domain Naming Master, Schema Master, RID Master, PDC Emulator and Infrastructure Master. There must be a domain controller that owns each one of those roles.

Domain Naming Master: The domain controller holding the Domain Naming Master role must be available when adding or removing a domain. The role is forest-wide.

Schema Master: This role permits the extension of the schema; for the schema to be extended, the Schema Master must be online. The role is forest-wide.

RID Master: The RID Master allocates pools of Relative IDs (RIDs) to the domain controllers. The role is domain-wide.

PDC Emulator: The PDC Emulator acts as a Primary Domain Controller for backward compatibility. The role is domain-wide.

Infrastructure Master: This role initiates replication of group membership changes. The role is domain-wide.

What is Authoritative Restore and how is it performed? An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.

What is the Volume Shadow Copy Service? The Volume Shadow Copy service, or VSS for short, is a new feature in Windows 2003 Server that allows you to maintain multiple views of how files, folders and shares on a Windows 2003 server appeared in the past. Shadow copy allows you to restore a deleted or modified file.

What is DFS? The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to remember a specific machine name for each set of files, the user only has to remember one name, which is the 'key' to a list of shares found on multiple servers on the network.

What is Kerberos? Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

What are the well known ports?

Netstat - 15
FTP - 20 (data) and 21 (control)
SSH - 22
Telnet - 23
SMTP - 25
WINS - 42
DNS - 53
DHCP - 67 (server) and 68 (client)
TFTP - 69
HTTP - 80
Secure - 81
Kerberos - 88
POP3 - 110
NNTP - 119
NetBIOS - 139
SNMP - 161
IMAP3 - 220
LDAP - 389
SSL (Secure Sockets Layer) - 443
RIP - 520
MS SQL - 1433
NFS - 2049
RDP (Remote Desktop Protocol) - 3389
X Windows - 6000

What is network Monitor and which is the protocol used for Network Monitor? Network Monitor is a protocol analyzer used to capture inbound and outbound frames. The protocol used is SNMP.

What's the difference between local, global and universal groups? Domain local groups assign access permissions to global/domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.


What is LSDOU? It's the group policy inheritance model, where policies are applied in order to Local machines, Sites, Domains and Organizational Units.

Where are group policies stored? %SystemRoot%\System32\GroupPolicy

What are GPT and GPC? Group Policy Template and Group Policy Container.

Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.

How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

What is loop back address and its purpose? 127.0.0.1. The Loop back address is used to check the drivers of the TCP/IP protocol.

What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

How frequently is the client policy refreshed? 90 minutes.

Where is secedit? It's now gpupdate.

You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.

What does IntelliMirror do? IntelliMirror intelligently mirrors user settings. It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

What are private IP addresses? The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (local networks):

10.0.0.1 - 10.255.255.254
172.16.0.1 - 172.31.255.254
192.168.0.1 - 192.168.255.254

What are the IP Classes?

Class A: 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
Class B: 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
Class C: 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
Class D: 224-239.x.x.x, reserved for multicast addressing
Class E: 240-254.x.x.x, reserved for experimental use

What is CIDR? Classless interdomain routing (CIDR) notation is a shorthand for a subnet mask. It counts the number of 1's in the subnet mask's binary representation and writes that count after the IP address. For example, 192.168.2.12/24 means that the subnet mask is 255.255.255.0, since that mask has 24 1's.
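To make the class, private-range and CIDR arithmetic above concrete, here is an added Python example (not from the book) that expands a prefix length to a dotted mask, counts the 1 bits of a mask back to a prefix (rejecting non-contiguous masks, which is what catches a mistyped mask such as 255.0.255.0), and reports class, private/public status and usable host count for an address written in CIDR form. The private-block list and the sample addresses are constructed inputs; `ipaddress` is the Python standard library module.

```python
import ipaddress

# Constructed list of the three IANA private blocks (the ranges quoted in the text)
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_to_mask(prefix: int) -> str:
    """Expand a CIDR prefix length into a dotted-decimal mask by setting the high `prefix` bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_prefix(mask: str) -> int:
    """Count the 1 bits of a dotted-decimal mask; a valid mask is a run of 1s followed by 0s."""
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    if mask_int != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def address_class(addr: str) -> str:
    """Classful range of the first octet, as listed in the text."""
    first = int(addr.split(".")[0])
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if 240 <= first <= 254:
        return "E (experimental)"
    return "unassigned"


def describe(cidr: str) -> dict:
    """Everything a host derives from 'address/prefix': mask, network, broadcast, host count, class, privacy."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    return {
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),   # network and broadcast addresses are not assignable
        "class": address_class(str(iface.ip)),
        "private": any(iface.ip in block for block in PRIVATE_BLOCKS),
    }


if __name__ == "__main__":
    for sample in ("192.168.2.12/24", "10.5.6.7/8", "8.8.8.8/32"):   # constructed sample addresses
        print(sample, describe(sample))
```

`describe("10.5.6.7/8")` reports 16777214 usable hosts, the Class A figure given in the table above, and `describe("192.168.2.12/24")` recovers the 255.255.255.0 mask from the /24.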

How many name resolution methods are there in Windows? There are two: (1) NetBIOS (2) DNS

What is DNS? Domain Naming System. It resolves host names to IP addresses.

What's the difference between forward lookup and reverse lookup in DNS? Forward lookup is name-to-address; reverse lookup is address-to-name.

Types of Zones: Primary, Secondary and Stub Zone.

What is Primary Zone? Primary zones store their zone information in a writable text file on the name server.

What is Secondary Zone? Secondary zones store their zone information in a read-only text file on the name server.

What is Stub Zone? Stub zone is a new feature in Windows 2003. It is like a secondary zone, but there are certain differences. While secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records: (1) a copy of the SOA record for the zone; (2) copies of NS records for all name servers authoritative for the zone; (3) copies of A records for all name servers authoritative for the zone.

What are the common Resource Records? A, NS, SOA, MX, SRV, CNAME, PTR.

What is Conditional Forwarding? Conditional forwarding is a new feature of DNS in Windows Server 2003. Conditional forwarding can be used to speed up the DNS name resolution process by directing queries for specific domains to specific name servers.

What is LMHOSTS file? It's a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.

What is HOSTS file? It's a file stored on a host machine that is used to resolve host names to specific IP addresses.

What is DHCP? DHCP stands for "Dynamic Host Configuration Protocol". DHCP allows for dynamic allocation of network addresses and configuration to newly attached hosts.

Describe how the DHCP lease is obtained. It's a four-step process consisting of (a) DHCP Discover, (b) DHCP Offer, (c) DHCP Request, (d) DHCP Acknowledgement.

Can a BOOTP client boot from a DHCP server? Only if the DHCP server is specifically written to also handle BOOTP queries.

What is DHCP Scope? A scope is a range of IP addresses that the DHCP server can assign to clients that are on one subnet.

What is Superscope? A superscope is a range of IP addresses that spans several subnets. The DHCP server can assign these addresses to clients that are on several subnets.

What is Client Reservation? A client reservation is used to make sure a computer gets the same IP address all the time. This works because DHCP address assignments are keyed to the client's MAC address.

What is Exclusion range? An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the addresses in this range. These addresses are not assigned by the DHCP server.

Which utility is used to compact DHCP Database? JETPACK

What is Scope Options? Scope options are IP configuration settings for a particular subnet including the IP address of the router (default gateway), DNS Server, Domain Name, WINS Server etc.

Why do we need a DHCP Relay Agent? When you have clients on different subnets, you either need to have multiple DHCP servers, or a DHCP Relay Agent. All DHCP packets are broadcast packets, and a router will not forward broadcast packets. To allocate IP addresses to clients which are on a network other than the DHCP server's, you need to configure a DHCP relay agent on the router. The DHCP Relay Agent allows you to place DHCP clients and DHCP servers on different networks.

I can't seem to access the corporate network and on ipconfig my address is 169.254.X.X. What happened? An address in the 169.254.x.x range is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

We've installed a new Windows-based DHCP server; however, the users do not seem to be getting a DHCP lease from the server. Why is the lease not available? The server must first be authorized in Active Directory.

How can you force the client to give up the DHCP lease if you have access to the client PC? ipconfig /release

On what occasions does a client renew its IP address from the DHCP server? 1) Every restart 2) At 50% of the lease duration 3) ipconfig /renew
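The four-step lease exchange, scope, exclusion range, client reservation, scope options and the 50% renewal point covered by the preceding questions, worked through in one added Python example (not from the book). Both sides are modelled in a single process: `DhcpServer` is a toy server for one subnet and `obtain_lease` plays the client. The scope 192.168.1.10-20, the exclusion range, the reservation, the scope options and the MAC addresses are constructed values, and timestamps are passed in explicitly so the renewal check is deterministic. Real DHCP carries these messages as UDP broadcasts on ports 67 and 68 with many more options than shown here.

```python
import ipaddress
from dataclasses import dataclass


def _addr_range(lo, hi):
    """All dotted-quad addresses from lo to hi inclusive."""
    a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


@dataclass
class Lease:
    ip: str
    mac: str
    start: float
    duration: int  # seconds

    def renewal_due(self, now):
        """T1: a client starts renewing at 50% of the lease duration."""
        return now - self.start >= self.duration / 2


class DhcpServer:
    """Toy DHCP server for one subnet: scope, exclusion range, reservations and scope options.
    Constructed for illustration; this is not the Windows DHCP service."""

    def __init__(self, scope, exclusions=(), reservations=None, lease_seconds=3600, options=None):
        self.pool = _addr_range(*scope)
        self.excluded = {ip for lo, hi in exclusions for ip in _addr_range(lo, hi)}
        self.reservations = dict(reservations or {})   # MAC -> fixed IP
        self.lease_seconds = lease_seconds
        self.options = dict(options or {})             # router, DNS, domain name, ... (scope options)
        self.leases = {}                               # MAC -> Lease
        self.offered = {}                              # MAC -> IP offered but not yet requested

    def _free_address(self, mac):
        if mac in self.reservations:                   # a reservation is keyed on the MAC address
            return self.reservations[mac]
        taken = ({lease.ip for lease in self.leases.values()} | set(self.offered.values())
                 | set(self.reservations.values()))
        return next((ip for ip in self.pool if ip not in self.excluded and ip not in taken), None)

    def handle(self, msg):
        kind, mac = msg["type"], msg["mac"]
        if kind == "DHCPDISCOVER":
            ip = self.leases[mac].ip if mac in self.leases else self._free_address(mac)
            if ip is None:
                return None                            # pool exhausted: no offer is sent
            self.offered[mac] = ip
            return {"type": "DHCPOFFER", "mac": mac, "ip": ip, "lease": self.lease_seconds, **self.options}
        if kind == "DHCPREQUEST":
            ip = msg["ip"]
            held = mac in self.leases and self.leases[mac].ip == ip
            if self.offered.get(mac) != ip and not held:
                return {"type": "DHCPNAK", "mac": mac}  # asking for an address it was never offered
            self.offered.pop(mac, None)
            self.leases[mac] = Lease(ip, mac, msg["now"], self.lease_seconds)
            return {"type": "DHCPACK", "mac": mac, "ip": ip, "lease": self.lease_seconds, **self.options}
        if kind == "DHCPRELEASE":                       # what ipconfig /release sends
            self.leases.pop(mac, None)
            return None
        raise ValueError(f"unknown message type {kind}")


def obtain_lease(server, mac, now):
    """Client side of Discover / Offer / Request / Acknowledge. Returns (transcript, Lease or None)."""
    transcript = [{"type": "DHCPDISCOVER", "mac": mac}]
    offer = server.handle(transcript[-1])
    if offer is None:
        return transcript, None
    transcript.append(offer)
    transcript.append({"type": "DHCPREQUEST", "mac": mac, "ip": offer["ip"], "now": now})
    ack = server.handle(transcript[-1])
    transcript.append(ack)
    return transcript, (server.leases[mac] if ack["type"] == "DHCPACK" else None)


def demo(t0=1000.0):
    """Constructed scenario: scope .10-.20, .10-.12 excluded for static servers, .20 reserved for one MAC."""
    server = DhcpServer(("192.168.1.10", "192.168.1.20"),
                        exclusions=[("192.168.1.10", "192.168.1.12")],
                        reservations={"00:11:22:33:44:55": "192.168.1.20"},
                        options={"router": "192.168.1.1", "dns": ["192.168.1.2"], "domain": "corp.example"})
    steps, lease_a = obtain_lease(server, "aa:bb:cc:dd:ee:01", t0)   # first address after the exclusion
    _, lease_r = obtain_lease(server, "00:11:22:33:44:55", t0)       # the reserved client
    return server, [m["type"] for m in steps], lease_a, lease_r


if __name__ == "__main__":
    _, steps, lease_a, lease_r = demo()
    print(steps, lease_a.ip, lease_r.ip)
```

Running `demo()` shows the ordinary client skipping the excluded .10-.12 and receiving .13 with the scope options, while the reserved MAC always receives .20; a `DHCPREQUEST` for an address the server never offered is answered with `DHCPNAK`, and `renewal_due` flips at exactly half the lease.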

What authentication options do Windows 2003 Servers have for remote clients? PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2 and EAP.

What is the data link layer in the OSI reference model responsible for? The data link layer is located above the physical layer, but below the network layer. It takes raw data bits and packages them into frames. The network layer is responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.

What is Routing? Routing is the process of transferring packets from one network to another network. Windows 2003 can be configured as a router.

What are the features available with Windows 2003 Routing and Remote Access Server (RRAS)? We can configure a Windows 2003 machine as Router, Remote Access Server, NAT Server, Demand Dial Router, and VPN Server.

Differentiate Routed Protocol and Routing Protocol. Routed protocol: Any network protocol that provides enough information in its network layer address to allow a packet to be forwarded from one host to another host based on the addressing scheme. Ex: IP, IPX. Routing protocols: facilitate the exchange of routing information between networks, allowing routers to build routing tables dynamically. Ex: RIP, OSPF.

Explain Distance Vector and Link State protocols. Routing protocols fall into two main categories, Distance Vector or Link State. Distance Vector protocols determine the best path by counting the number of hops. Hops are devices. Link State protocols are capable of using more sophisticated methods taking into consideration link variables, such as bandwidth, delay, reliability and load.

Give examples of Distance Vector and Link State protocols. Distance Vector: RIP, IGRP. Link State: OSPF, EIGRP.

Which are the routing protocols supported by Windows 2003? RIP and OSPF.

What is METRIC? Metrics are values routing protocols use to determine the best path to a destination, when multiple paths exist.


What is RADIUS? Remote Authentication Dial-In User Service (RADIUS) is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.

Which is Microsoft's implementation of RADIUS, and when is it required? The Microsoft implementation of RADIUS is Internet Authentication Service (IAS). IAS needs to be configured when the setup needs to centrally manage Authentication, Authorization and Accounting.

What is Remote Access Policy? Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting.

What are the Remote Access Policy Elements and how are they evaluated? The three policy elements are evaluated in the following order: Conditions, Permissions, Profile.

Explain the Routing table. There are three types of routes that one finds inside a routing table:

Default route - there is a single entry for this route in the table; the address provided is used as a destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0.

Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255.

Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255.
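The three route types only matter when a packet is matched against the table, so here is an added Python example (not from the book) of the lookup a host performs: every entry whose network contains the destination is a candidate, and the most specific one (longest mask) wins. That is why a host route beats the network route covering the same address, and why the default route, with a mask of 0.0.0.0, applies only when nothing else matches. The table contents, gateways and interface name are constructed.

```python
import ipaddress

# Constructed routing table (not from the page): (destination, netmask, gateway, interface)
ROUTING_TABLE = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.1",   "eth0"),  # default route: address and mask both 0.0.0.0
    ("192.168.1.0",   "255.255.255.0",   "0.0.0.0",       "eth0"),  # network route, directly connected (no gateway)
    ("10.0.0.0",      "255.0.0.0",       "192.168.1.254", "eth0"),  # network route reached via another router
    ("10.1.2.3",      "255.255.255.255", "192.168.1.253", "eth0"),  # host route: more specific than 10/8
    ("192.168.1.255", "255.255.255.255", "0.0.0.0",       "eth0"),  # subnet broadcast address as a host route
]


def route_kind(netmask):
    """Classify an entry by its mask exactly as the text does."""
    if netmask == "0.0.0.0":
        return "default"
    if netmask == "255.255.255.255":
        return "host"
    return "network"


def lookup(dest, table=ROUTING_TABLE):
    """Longest-prefix match: among entries containing dest, the one with the longest mask wins."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for network, netmask, gateway, iface in table:
        net = ipaddress.IPv4Network((network, netmask), strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface, route_kind(netmask))
    if best is None:
        raise LookupError(f"no route to {dest}")   # only possible without a default route
    net, gateway, iface, kind = best
    return {"route": f"{net.network_address}/{net.prefixlen}", "gateway": gateway,
            "interface": iface, "kind": kind}


if __name__ == "__main__":
    for dest in ("10.1.2.3", "10.9.9.9", "8.8.8.8", "192.168.1.50"):   # constructed destinations
        print(dest, "->", lookup(dest))
```

`10.1.2.3` is covered by three entries (the default, 10/8 and the /32 host route) and the host route is selected; `10.9.9.9` falls back to the 10/8 network route, and `8.8.8.8` matches nothing but the default.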

What is binding order? The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.

What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares? They don't; both have support for sharing.

What is CIFS? The protocol used for file and print sharing in a Windows network. Common Internet File System (CIFS) is an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.

What are the types of Backup in Windows? There are five types.

Normal: Takes a full backup. Does not consult the archive bit, but clears the bit after backup.
Incremental: Backs up only the files whose archive bit is on, and clears the bit after backup.
Differential: Backs up only the files whose archive bit is on, and does not clear the bit after backup.
Copy: Just like Normal, but does nothing with the archive bit.
Daily: Backs up all the files which were created or modified on the scheduled date.

Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
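The archive-bit rules for the five backup types, run through a small constructed week in an added Python example (not from the book), so the practical difference between an incremental chain and a differential chain is visible: each job returns the files it would back up and updates the bits exactly as the list above states. File names and days are constructed and the archive bit is modelled as a boolean.

```python
import copy
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool       # archive bit: the file system sets it when a file is created or modified
    modified_day: int   # constructed stand-in for the modification date


def run_backup(kind, files, today=None):
    """Return the names a job of type `kind` backs up and update archive bits as the text describes."""
    kind = kind.lower()
    if kind == "normal":
        selected = list(files)                          # everything, archive bit not consulted
        for f in selected:
            f.archive = False                           # ... but cleared afterwards
    elif kind == "incremental":
        selected = [f for f in files if f.archive]      # only changed since the last normal/incremental
        for f in selected:
            f.archive = False                           # cleared, so the next job sees only newer changes
    elif kind == "differential":
        selected = [f for f in files if f.archive]      # changed since the last normal ...
        # ... and the bit is left set, so each differential grows until the next normal backup
    elif kind == "copy":
        selected = list(files)                          # like normal, bits untouched
    elif kind == "daily":
        selected = [f for f in files if f.modified_day == today]   # by date; bits neither read nor changed
    else:
        raise ValueError(f"unknown backup type {kind}")
    return [f.name for f in selected]


def modify(files, name, day):
    """Simulate the file system's behaviour on a write: stamp the date and set the archive bit."""
    for f in files:
        if f.name == name:
            f.modified_day = day
            f.archive = True


def week_scenario():
    """Constructed scenario: normal on day 1, then the same changes followed by an incremental
    chain on one copy of the volume and a differential chain on another."""
    base = [File("a.doc", True, 1), File("b.xls", True, 1), File("c.pdf", True, 1)]
    run_backup("normal", base)                                # day 1: full backup, every bit cleared
    modify(base, "a.doc", 2)                                  # day 2: one file changes, its bit is set again
    inc, diff = copy.deepcopy(base), copy.deepcopy(base)      # two independent branches from here
    r = {"inc_day2": run_backup("incremental", inc),
         "diff_day2": run_backup("differential", diff)}
    modify(inc, "b.xls", 3)                                   # day 3: a second file changes on both branches
    modify(diff, "b.xls", 3)
    r["inc_day3"] = run_backup("incremental", inc)            # only b.xls: a.doc's bit was cleared on day 2
    r["diff_day3"] = run_backup("differential", diff)         # a.doc and b.xls: the bit stayed set
    r["copy_day3"] = run_backup("copy", diff)                 # everything, bits untouched
    r["diff_after_copy"] = run_backup("differential", diff)   # unaffected by the copy job
    r["daily_day3"] = run_backup("daily", diff, today=3)      # by modification date, not by archive bit
    return r


if __name__ == "__main__":
    for job, names in week_scenario().items():
        print(f"{job:16} {names}")
```

Restoring the day-3 state needs the normal backup plus both incrementals on the incremental branch, but only the normal backup plus the last differential on the differential branch, which is the trade-off between smaller nightly jobs and a shorter restore chain. A copy job can be taken in the middle of either chain without disturbing it.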

I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run window.

For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.

For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
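The two rules in the preceding answers (Allow accumulates across a user's groups, a Deny on any group overrides) as an added Python example (not from the book) that computes a user's effective rights from a list of ACL entries and names the entries that decided a particular right. The group names, rights and ACL are constructed. Real NTFS evaluates ACEs in canonical order and distinguishes explicit from inherited entries, which this simplified model does not.

```python
# Constructed ACL on a shared folder: (principal, "allow" or "deny", set of rights)
FINANCE_ACL = [
    ("Everyone", "allow", {"read"}),
    ("Finance",  "allow", {"read", "write"}),
    ("Interns",  "deny",  {"write"}),
    ("Auditors", "deny",  {"read", "write"}),
]


def effective_rights(user_groups, acl):
    """Union every Allow for a group the user is in (permissive), then strip anything a Deny
    on any of those groups covers (restrictive): Deny wins regardless of other Allows."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in user_groups:
            continue
        (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def can(user_groups, acl, requested):
    """True only if every requested right survives the Deny pass."""
    return set(requested) <= effective_rights(user_groups, acl)


def explain(user_groups, acl, right):
    """List the (principal, kind) entries that mention `right` for this user, Deny entries first,
    which is what an administrator wants when a user asks why access was refused."""
    hits = [(p, k) for p, k, rights in acl if p in user_groups and right in rights]
    return sorted(hits, key=lambda h: h[1] != "deny")


if __name__ == "__main__":
    intern = {"Everyone", "Finance", "Interns"}   # constructed membership
    print(effective_rights(intern, FINANCE_ACL))  # {'read'}
    print(explain(intern, FINANCE_ACL, "write"))  # [('Interns', 'deny'), ('Finance', 'allow')]
```

A Finance member who is also in Interns keeps `read` from two Allow entries but loses `write` to the Interns Deny even though Finance explicitly allows it; a member of Auditors ends up with nothing, whatever else they belong to.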

What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, print$.

What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path. Not all clients can use it: only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table, which is then replicated to other domain controllers.

Is Kerberos encryption symmetric or asymmetric? Symmetric.


How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line? A time stamp is attached to the initial client request, encrypted with the shared key.

What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
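The timestamp mechanism in the first answer above, as an added Python example (not from the book): the client binds its name and a timestamp to the shared key, and the service rejects anything whose tag does not verify, whose timestamp falls outside the tolerated clock skew, or which it has already accepted. Kerberos encrypts the whole authenticator with the session key; this model uses an HMAC over cleartext fields, with `hmac` and `hashlib` from the standard library, as a stand-in for that integrity protection. The key, client names, five-minute skew window and timestamps are constructed values.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # stand-in for the key shared between client and service
CLOCK_SKEW = 300                       # seconds of clock difference tolerated (Kerberos uses five minutes)


def make_authenticator(key, client, now, usec=0):
    """Client side: bind the client name and a timestamp to the shared key.
    Kerberos encrypts these fields; the HMAC tag here stands in for that protection."""
    body = json.dumps({"client": client, "ts": int(now), "usec": usec}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Service side: a token is accepted only if the tag verifies, the timestamp is fresh,
    and the same (client, timestamp) pair has not been presented before."""

    def __init__(self, key, skew=CLOCK_SKEW):
        self.key = key
        self.skew = skew
        self.seen = set()      # replay cache of accepted (client, ts, usec) triples

    def check(self, token, now):
        expected = hmac.new(self.key, token["body"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(token["tag"])):
            return "bad_mac"   # forged or tampered: checked first so nothing below trusts the fields
        fields = json.loads(token["body"])
        if abs(now - fields["ts"]) > self.skew:
            return "stale"     # a captured token is useless once the skew window has passed
        marker = (fields["client"], fields["ts"], fields["usec"])
        if marker in self.seen:
            return "replay"    # same token presented a second time inside the window
        self.seen.add(marker)
        return "ok"

    def expire(self, now):
        """Drop cache entries older than the skew window; they would be rejected as stale anyway."""
        self.seen = {m for m in self.seen if abs(now - m[1]) <= self.skew}


if __name__ == "__main__":
    service = Verifier(SHARED_KEY)
    token = make_authenticator(SHARED_KEY, "alice", now=1000)
    print(service.check(token, now=1000), service.check(token, now=1030))   # ok replay
```

The order of the checks matters: the tag is verified before any field is parsed, so an attacker cannot steer the service with a forged timestamp, and the freshness check bounds how long the replay cache has to be kept.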

Which are the four domain functional levels in Windows 2003? Mixed, Native, NT Interim and Windows 2003.

What's the number of permitted unsuccessful logons on the Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.

If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME and Win 98.

What is ICF? Internet Connection Firewall (ICF) is firewall software that is used to set restrictions on what traffic is allowed to enter your network from the Internet. ICF protects your network against external threats by allowing safe network traffic to pass through the firewall into your network, while denying the entrance of unsafe traffic.

What are the Windows Server 2003 keyboard shortcuts?

Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.

Explain Distance Vector and link state protocol. The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

What's new in Windows Server 2003 regarding DNS management? When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from that DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak).

What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback.

Where are the documents and settings for the roaming profile stored? All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

Where are the settings for all the users stored on a given machine? Documents and Settings\All Users


What languages can you use for log-on scripts? JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe).

What is the presentation layer responsible for in the OSI model? The presentation layer establishes the data format prior to passing it along to the network application's interface. TCP/IP networks perform this task at the application layer.

Does Windows Server 2003 support IPv6? Yes.

What's the difference between a basic disk and a dynamic disk? The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.

How do you install the Recovery Console? C:\i386\winnt32 /cmdcons, assuming that your Windows Server installation source (the i386 folder) is on drive C.

What's new in Terminal Services for Windows Server 2003? It supports audio transmission as well, although be prepared for a heavy network load.

What's the name of the user who connects to the Web site anonymously? IUSR_computername

What's the relation between SSL and TLS? Transport Layer Security (TLS) extends SSL by providing cryptographic authentication.


What's a heartbeat? The communication process between cluster nodes, designed to confirm that each node is healthy.

Which service do you use to set up various alerts? MOM (Microsoft Operations Manager).

What is the KCC?

How is AD offline defragmentation carried out?

What is metadata cleanup?

Network Monitor: protocol and tools?

Which service is responsible for SYSVOL replication?

Define the following:

GPT: Group Policy Template

GPC: Group Policy Container

GPO: Group Policy Object

Difference Between Windows 2000 and 2003 Server (For Interview)


When installing Terminal Services on Windows 2000, you are prompted to select either application server functions or administrative functions; both sets can be installed sequentially on one server, but it performs only one function at a time. Windows 2003 still distinguishes between application and administrative services, but installation and management are now consolidated.

1. In Windows 2000 Server we can apply 620 group policies, but in 2003 we can apply nearly 720, so Windows 2003 Server is more secure than Windows 2000 Server.
2. In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.
3. 2000 supports 8 processors and 64 GB of RAM (2000 Advanced Server), whereas 2003 supports up to 64 processors and a maximum of 512 GB of RAM.
4. Windows 2000 supports IIS 5.0 and 2003 supports IIS 6.
5. Windows 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
6. Windows 2000 has Server and Advanced Server editions, whereas 2003 has Standard, Enterprise, Datacenter and Web Server editions.
7. Windows 2000 doesn't have any 64-bit server operating system, whereas 2003 has 64-bit server operating systems (Windows Server 2003 x64 Standard and Enterprise Edition).
8. Windows 2000 has a basic concept of DFS (Distributed File System) with defined roots, whereas Windows 2003 has enhanced DFS support with multiple roots.
9. In 2000 there is complexity in administering complex networks, whereas 2003 offers easy administration of all networks, complex ones included.
10. In 2000 we can create 1 million users, and in 2003 we can create 1 billion users.
11. 2003 has the Volume Shadow Copy Service, which is used to create hard disk snapshots for disaster recovery; 2000 doesn't have this service.
12. In 2000 we don't have end-user policy management, whereas in 2003 we have end-user policy management, which is done in the GPMC (Group Policy Management Console).
13. In 2000 we have cross-domain trust relationships, and in 2003 we have cross-forest trust relationships.
14. Windows 2000 supports 4-node clustering and 2003 supports 8-node clustering.
15. Windows 2003 has higher HCL (Hardware Compatibility List) support, issued by Microsoft.
16. The code name of 2000 is Windows NT 5.0 and the code name of 2003 is Windows NT 5.1.
17. Windows 2003 has a service called ADFS (Active Directory Federation Services), which is used to communicate between branches with safe authentication.
18. In 2003 there is improved storage management using the File Server Resource Manager (FSRM) service.
19. Windows 2003 has a service called Windows SharePoint Services (an integrated portfolio of collaboration and communication services designed to connect people, information, processes, and systems both within and beyond the organizational firewall).

Windows 2003 has improved print management compared to 2000 Server. Windows 2003 has telnet sessions available. Windows 2000 supports IPv4, whereas 2003 supports IPv4 and IPv6.

What are the important features of Windows SBS 2008 (compared with Windows SBS 2003)?

Windows SBS 2003: x86 (32-bit) only.
Windows SBS 2008: x64 (64-bit) only.

Windows SBS 2003: Setup asks technical questions and allows you to place data stores in the UI.
Windows SBS 2008: Setup doesn't ask technical questions; if you want some, look at the answer file to enter the migration path or make modifications to setup, making it more predictable, easier and faster.

Windows SBS 2003: Setup asks you technical questions about your router.
Windows SBS 2008: Setup detects routers at 192.168.x.1 and 192.168.x.255 automatically.

Windows SBS 2003: Windows Firewall disabled.
Windows SBS 2008: Windows Firewall enabled and protecting the server before setup is finished.

Windows SBS 2003: Can deploy as an edge NAT box, or single-NIC.
Windows SBS 2008: Deploys as single-NIC only, with the flexibility for any type of router (hardware or software) to be used in front of SBS.

Windows SBS 2003: DHCP can be deployed on the router or on the SBS server.
Windows SBS 2008: DHCP strongly recommended on the SBS server.

Windows SBS 2003: Post-setup list called the "To Do" list.
Windows SBS 2008: Post-setup list called the "Getting Started" list.

Windows SBS 2003: Built-in Administrator account used, encouraged to be renamed.
Windows SBS 2008: New Administrator account created during setup, and the built-in account is disabled out of the box; it can be changed using the advanced console only.

Windows SBS 2003: Connect to the Internet Wizard for outbound connectivity; the Configure E-mail and Internet Connection wizard was 27 wizard pages long.
Windows SBS 2008: Connect to the Internet Wizard for outbound connectivity; Internet Address Management Wizard for inbound connectivity, which also configures domain names with participating domain name providers; Add a Trusted Certificate Wizard for adding certificates to the box; Configure a Smart Host Wizard for outbound e-mail smart host configuration; Fix-My-Network wizard, which can be re-run repeatedly to reset the configuration to factory defaults.

Windows SBS 2003: User Templates.
Windows SBS 2008: Renamed to "User Roles".

Windows SBS 2003: Power User can log into the administration snap-in with limited tasks.
Windows SBS 2008: SBS Standard User with administration links gets additional links in Remote Web Workplace for management of Office Live, connecting to the server, etc.

Windows SBS 2003: POP3 Connector was limited for SSL access; should be used as a transition tool only.
Windows SBS 2008: POP3 Connector re-written to support SSL access to mail accounts. Continues to be a transition tool.

Windows SBS 2003: Remote Web Workplace was on/off for all users.
Windows SBS 2008: Remote Web Workplace can be limited to certain users only (all users by default).

Windows SBS 2003: Business-card web site was a white-paper solution to host on the local box.
Windows SBS 2008: Integration with Office Live for configuration of the business-card web site; integration with Office Live for hosted SharePoint; integration with Office Live for AdSense advertising.

Windows SBS 2003: Backup was NTBackup based, with support for USB disk drives and tape.
Windows SBS 2008: Backup is based on the new VSS technology and is much quicker, but no longer supports tape.

Windows SBS 2003: E-mail reports, daily and instant alerts from a defined list.
Windows SBS 2008: An extensible list of alerts and daily reports.

Windows SBS 2003: Security roll-up of the server only; patch level of clients only.
Windows SBS 2008: Security roll-up of the server and clients, including firewall status, AV status, patch status, malware status, free disk space and others.

Windows SBS 2003: Windows Server 2003, Exchange Server 2003, Windows SharePoint Services v2, WSUS v2.
Windows SBS 2008: Windows Server 2008, Exchange Server 2007, Windows SharePoint Services v3, WSUS v3 SP1.

Windows SBS 2003: Remote Web Workplace shows all computers to connect to.
Windows SBS 2008: Remote Web Workplace can show all computers, but defaults to a user's own computers.

Windows SBS 2003: Self-issued certificate was your responsibility to distribute.
Windows SBS 2008: Handy distribution tool provided that can be taken home on a USB/floppy drive and installed on remote computers or Windows Mobile devices.

Windows SBS 2003: Single leaf/root self-issued certificate.
Windows SBS 2008: Root cert/leaf cert combination, so renewing the leaf cert doesn't require redistributing the certificate package.

Windows SBS 2003: No anti-virus included.
Windows SBS 2008: 120-day trial versions of OneCare for the server and Forefront Security for Exchange included.

Windows SBS 2003: Folder redirection is for the entire network or for no one.
Windows SBS 2008: You can choose which users have their "My Documents" redirected to the server.

Windows SBS 2003: All files were able to be put on the server.
Windows SBS 2008: You can filter which types of documents are not allowed on the server, such as music files, etc.

Windows SBS 2003: Support for Windows 2000 clients and higher.
Windows SBS 2008: Support for Windows XP SP2 clients and higher.

Windows SBS 2003: Windows Mobile access was always allowed.
Windows SBS 2008: Windows Mobile access can be enabled per user, and devices can be managed through Outlook Web Access.

Windows SBS 2003: Two consoles, the Administrators console and the Power Users console.
Windows SBS 2008: Three consoles: the Administrators console, the Administrators console with advanced links, and the MMC console with most native tool consoles already in it.

Windows SBS 2003: Single type of CAL.
Windows SBS 2008: Lower-price CALs for Standard server and for users that aren't using the features in Premium.

Windows SBS 2003: CALs purchased in 5/25 packs.
Windows SBS 2008: CALs purchased in 1/5/25 packs.

Windows SBS 2003: User needs to remember links.
Windows SBS 2008: Administrator-maintained Vista Gadget for common company links.

Differences between Win 2000 Server & Advanced Server? Windows 2000 Advanced Server adds advanced symmetric multiprocessing (SMP) support, clustering, and load-balancing to the other technologies in Windows 2000 Server, so you can run more demanding e-commerce and line-of-business applications.

What are the features of Windows Vista? DOS and Unix support, better security.


What is the difference between Windows 2000 and Windows 2003 Server features? What is ASR? What are the roles of FSMO? Which are forest-level roles and which are domain-level roles? What steps are taken while moving the FSMO roles? What are the types of RAID, with a brief description? Which RAID levels are fault tolerant? What is the actual disk space utilised in RAID 5 and RAID 1? What is the difference between mirroring and duplexing? What are the different types of partitions in Active Directory? What is the database file name created when ADS is installed and where is it stored? What are the types of sites available?

Roles of FSMO

Forest-level roles
1. Schema Master
2. Domain Naming Master

Domain-level roles
1. RID Master
2. PDC Emulator
3. Infrastructure Master

Database file created for ADS: The file name is ntds.dit and it is stored in the folder NTDS\ntds.dit.

Different types of partitions in Active Directory
1. Schema partition
2. Domain partition
3. Configuration partition
4. Application directory partition


What is Active Directory? Active Directory is a directory service which contains all the information about network resources like users, groups and computers. It is a centralized management system.

What is the difference between Windows XP and Windows XP Service Pack 2? Windows XP has no firewall option, and Windows XP SP2 has a firewall option.

Windows XP SP2 contains: 1) Firewall. 2) Virus and spam protection features. 3) Most important: earlier, Windows XP used to be affected by the Sasser virus. This virus restarts the system automatically in 60 seconds. It affected the lsass.exe file of Windows, which keeps login tracks; this file is used by Windows for logging off, restart or shutdown. The Sasser virus modifies this file. After installing SP2, this virus becomes ineffective.

What are the main differences between IE 6 and IE 7? One major difference is that we can open multiple tabs in a single window, the same as in the Firefox browser, with a default live search option; an anti-phishing agent; and more security features.

After installation of Windows XP the desktop shows only one icon, the Recycle Bin. Why? In the kernel (the heart of the operating system), only the Recycle Bin is stored to be shown on the Windows XP desktop after installation.

What are the differences between Windows Vista and Windows XP?


Vista has a BitLocker option but XP doesn't have it. BitLocker: BitLocker Drive Encryption, BitLocker on a volume, protects the hard drive from hackers.

Vista has the Windows Defender tool, which prevents spyware and unwanted software installation, but XP doesn't have it.

Windows Vista has a Parental Controls feature; Windows XP has no Parental Controls feature. This option enables parents to restrict which sites, games and software children may use and which they may not.

What is the difference between a roaming and a mandatory profile? How do you create them? Roaming Profile: you can log on to all the systems in the LAN with your user ID and password.

Mandatory Profile: you are able to log on only to the particular system which is assigned to you.

What are FSMO roles? List them. Flexible Single-Master Operation (FSMO) roles each manage an aspect of the domain or forest, to prevent conflicts.

Domain Naming Master: If you want to add a domain to a forest, the domain name must be verifiably unique. The forest's Domain Naming Master FSMO authorizes the domain name operation.

Infrastructure Master: When a user and group are in different domains, a lag can exist between changes to the user (e.g., a name change) and the user's display in the group. The Infrastructure Master of the group's domain fixes the group-to-user reference to reflect the change. The Infrastructure Master performs its fixes locally and relies on replication to bring all other replicas of the domain up to date.

PDC Emulator: For backward compatibility, one DC in each Win2K domain must emulate a PDC for the benefit of Windows NT 4.0 and NT 3.5 DCs and clients.

RID Master: The RID Master must be available for you to use the Microsoft Windows 2000 Resource Kit's MoveTree utility to move objects between domains.

Schema Master: At the heart of Active Directory (AD) is the schema, which is like a blueprint of all objects and containers. Because the schema must be the same throughout the forest, only one machine can authorize schema modifications.

Why is a DLL file missing? What are the reasons for it being missing? A missing or corrupt .dll file can be caused by any of the following possibilities:

1. Another program was uninstalled that removed a .dll file that was required by another program or the operating system.
2. A program was installed that overwrote the .dll file with either an older version or a version that is incompatible with other programs, causing .dll errors.
3. A bad installation of a program corrupted one or more files, causing the .dll errors.
4. Another user or program maliciously or mistakenly deleted the .dll file or an associated file.
5. A hardware issue exists with the computer, such as a bad hard disk drive, causing the data on the drive to become corrupt and causing the .dll errors.

What 3 types of domain controller does Exchange access? Normal Domain Controller, Global Catalog, Configuration Domain Controller

What is Windows Installer? The Windows Installer is an engine for the installation, maintenance, and removal of software or applications.

What is Kerberos? Which version is currently used by Windows? How does Kerberos work? Kerberos is an authentication protocol; the version used by Windows is Kerberos 5. When you log in, your client contacts the Kerberos server and uses your password to prove your identity. In return it receives a special "ticket granting ticket" (TGT), valid for several hours. When your client wants to contact a network service on your behalf (e.g. to mount a network file share), it first contacts the Kerberos server with the TGT and the name of the service. The Kerberos server issues a service ticket, which your client presents to the actual network service. The network service validates the ticket (without contacting the Kerberos server) and allows the connection.
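The three exchanges just described (logon for a TGT, TGT for a service ticket, service ticket to the service), as an added Python model that is not Windows' or any Kerberos implementation's code. The KDC and Service classes, the client functions, the realm salt and the HMAC-based seal that stands in for ticket encryption are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example. The keyed seal below stands in for Kerberos encryption:
# it proves which key a ticket was issued under, which is enough to show the
# flow. Real Kerberos also encrypts the ticket contents.


def password_to_key(password: str, salt: bytes) -> bytes:
    """Long-term key derived from the password (Kerberos 'string-to-key')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def seal(key: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return base64.b64encode(data).decode() + "." + tag


def unseal(key: bytes, token: str) -> dict:
    data_b64, tag = token.split(".")
    data = base64.b64decode(data_b64)
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), tag):
        raise PermissionError("not sealed under this key")
    return json.loads(data)


class KDC:
    """The 'Kerberos server': Authentication Service plus Ticket Granting Service."""
    SALT = b"EXAMPLE.LOCAL"  # constructed; the real salt is realm + principal name

    def __init__(self, tgt_lifetime: int = 8 * 3600, ticket_lifetime: int = 3600):
        self.keys: dict = {}                      # principal -> long-term key
        self.tgs_key = secrets.token_bytes(32)    # only the KDC can open TGTs
        self.tgt_lifetime, self.ticket_lifetime = tgt_lifetime, ticket_lifetime

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = password_to_key(password, self.SALT)

    def as_exchange(self, principal: str, preauth: str, now: float):
        """Logon: the client proves it knows the password by sealing a timestamp."""
        user_key = self.keys[principal]
        if abs(now - unseal(user_key, preauth)["ts"]) > 300:
            raise PermissionError("clock skew too large")
        session_key = secrets.token_hex(32)
        tgt = seal(self.tgs_key, {"principal": principal, "key": session_key,
                                 "expires": now + self.tgt_lifetime})
        return tgt, seal(user_key, {"key": session_key})

    def tgs_exchange(self, tgt: str, authenticator: str, service: str, now: float):
        """Service ticket request: TGT plus an authenticator under the TGT session key."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["principal"] != t["principal"]:
            raise PermissionError("authenticator does not match TGT")
        svc_key = secrets.token_hex(32)
        ticket = seal(self.keys[service], {"principal": t["principal"], "key": svc_key,
                                           "expires": now + self.ticket_lifetime})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key})


class Service:
    """A network service provisioned with its own long-term key (its keytab)."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: str, authenticator: str, now: float) -> str:
        # Validation needs only the service's own key: no call back to the KDC.
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise PermissionError("service ticket expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["principal"] != t["principal"]:
            raise PermissionError("authenticator does not match ticket")
        return t["principal"]


def client_logon(kdc: KDC, user: str, password: str, now: float):
    """AS exchange from the client's side; returns (TGT, TGT session key)."""
    user_key = password_to_key(password, KDC.SALT)
    tgt, sealed_key = kdc.as_exchange(user, seal(user_key, {"ts": now}), now)
    return tgt, bytes.fromhex(unseal(user_key, sealed_key)["key"])


def client_get_ticket(kdc: KDC, tgt: str, tgt_key: bytes, user: str, service: str, now: float):
    """TGS exchange from the client's side; returns (service ticket, service session key)."""
    authenticator = seal(tgt_key, {"principal": user, "ts": now})
    ticket, sealed_key = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(tgt_key, sealed_key)["key"])


def client_connect(service: Service, ticket: str, svc_key: bytes, user: str, now: float) -> str:
    """AP exchange: present the ticket and a fresh authenticator to the service."""
    return service.accept(ticket, seal(svc_key, {"principal": user, "ts": now}), now)
```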
System Requirements

WINDOWS SERVER 2003 SYSTEM REQUIREMENTS

Minimum CPU speed
Standard Edition: 133 MHz
Enterprise Edition: 133 MHz for x86-based computers; 733 MHz for Itanium-based computers*
Datacenter Edition: 400 MHz for x86-based computers; 733 MHz for Itanium-based computers*
Web Edition: 133 MHz

Recommended CPU speed
Standard Edition: 550 MHz
Enterprise Edition: 733 MHz
Datacenter Edition: 733 MHz
Web Edition: 550 MHz

Minimum RAM
Standard Edition: 128 MB
Enterprise Edition: 128 MB
Datacenter Edition: 512 MB
Web Edition: 128 MB

Recommended minimum RAM
Standard Edition: 256 MB
Enterprise Edition: 256 MB
Datacenter Edition: 1 GB
Web Edition: 256 MB

Maximum RAM
Standard Edition: 4 GB
Enterprise Edition: 32 GB for x86-based computers; 64 GB for Itanium-based computers*
Datacenter Edition: 64 GB for x86-based computers; 128 GB for Itanium-based computers*
Web Edition: 2 GB

Multi-processor support
Standard Edition: 1 or 2
Enterprise Edition: up to 8
Datacenter Edition: minimum 8 required, maximum 32
Web Edition: 1 or 2

Disk space for setup
Standard Edition: 1.5 GB
Enterprise Edition: 1.5 GB for x86-based computers; 2.0 GB for Itanium-based computers*
Datacenter Edition: 1.5 GB for x86-based computers; 2.0 GB for Itanium-based computers*
Web Edition: 1.5 GB

*Important: The 64-bit versions of Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition are only compatible with 64-bit Intel Itanium-based systems. They cannot be successfully installed on 32-bit systems.

Features of Windows 2003

ACTIVE DIRECTORY

Easier Deployment and Management: ADMT version 2.0 migrates passwords from NT4 to 2000 to 2003, or from 2000 to 2003.

Domain Rename: Supports changing the Domain Name System and/or NetBIOS name.

Schema Redefine: Allows deactivation of attributes and class definitions in the Active Directory schema.

AD/AM: Active Directory in Application Mode is a new capability of AD that addresses certain deployment scenarios related to directory-enabled applications.

Group Policy Improvements: Introduced the GPMC tool to manage group policy.

UI: Enhanced user interface.

Greater Security: Cross-forest authentication, cross-forest authorization, cross-certification enhancements, IAS and cross-forest authentication, Credential Manager, Software Restriction Policies.

Improved Performance and Dependability: Easier logon for remote offices, group membership replication enhancements, application directory partitions, install replica from media.

Dependability Improvements: Updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000.

FILE AND PRINT SERVICES

Volume Shadow Copy Service, NTFS journaling file system, EFS, improved CHKDSK performance, enhanced DFS and FRS, shadow copy of shared folders, enhanced folder redirection, remote document sharing (WebDAV).


IIS

Fault-tolerant process architecture: The IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools.

Health Monitoring: IIS 6.0 periodically checks the status of an application pool with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time.

Automatic Process Recycling: IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests.

Rapid-fail Protection: If an application fails too often within a short amount of time, IIS 6.0 will automatically disable it and return a "503 Service Unavailable" error message to any new or queued requests to the application.

Edit-While-Running:

Difference between NT & 2000: The NT SAM database is a flat database, whereas in Windows 2000 the Active Directory database is a hierarchical database. In Windows NT only the PDC has a writable copy of the SAM database; the BDC has a read-only copy. In Windows 2000 both the DC and the ADC have a writable copy of the database.


Windows NT does not support the FAT32 file system; Windows 2000 supports FAT32. The default authentication protocol in NT is NTLM (NT LAN Manager); in Windows 2000 the default authentication protocol is Kerberos V5. Windows 2000 depends on and is integrated with DNS, whereas NT uses NetBIOS names. Active Directory can be backed up easily with the System State data.

Difference between 2000 & 2003: Application Server mode is introduced in Windows 2003. It is possible to configure stub zones in Windows 2003 DNS. The Volume Shadow Copy Service is introduced. Windows 2003 gives an option to replicate DNS data between all DNS servers in the forest or all DNS servers in the domain.

Difference between PDC & BDC: The PDC contains a writable copy of the SAM database, whereas the BDC contains a read-only copy of the SAM database. It is not possible to reset a password or create objects without the PDC in Windows NT.

Difference between DC & ADC: There is no difference between a DC and an ADC; both contain a writable copy of AD. Both can also handle FSMO roles (if transferred from the DC to the ADC). The distinction is just for identification; functionality-wise there is no difference.

What are DNS & WINS? DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names. WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP addresses. This is proprietary to Windows.

Types of DNS servers: Primary DNS, Secondary DNS, Active Directory Integrated DNS, Forwarder, Caching-only DNS.

If DHCP is not available, what happens to the client? The client will not get an IP address and cannot participate in the network. If the client already got an IP address and has a lease duration, it uses that IP until the lease duration expires.

What are the different types of trust relationships? Implicit trusts; explicit trusts (NT to Win2k, or forest to forest).

What is the process by which DHCP gives the IP address to the client? There is a four-way negotiation process between client and server:
DHCP Discover (initiated by client)
DHCP Offer (initiated by server)
DHCP Select (initiated by client)
DHCP Acknowledgement (initiated by server)
DHCP Negative Acknowledgement (initiated by server if there are any issues after the DHCP Offer)

Difference between FAT, NTFS & NTFS Version 5


NTFS Version 5 features: encryption is possible; we can enable disk quotas; file compression is possible; sparse files; Indexing Service; NTFS change journal.

In the FAT file system we can apply only share-level security; file-level protection is not possible. In NTFS we can apply both share-level and file-level security. NTFS supports larger partition sizes than FAT file systems. NTFS supports longer file names than FAT file systems.

What are the port numbers for FTP, Telnet, HTTP, DNS
FTP-21, Telnet 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389

What are the different types of profiles in 2000? Local profiles, roaming profiles, mandatory profiles.

What are the database files used for Active Directory? The key AD database files are edb.log, ntds.dit, res1.log, res2.log, and edb.chk, all of which reside in %systemroot%\ntds on a domain controller (DC) by default. During AD installation, Dcpromo lets you specify alternative locations for these log files and the database file NTDS.DIT.

What is the location of the AD database? %SystemRoot%\NTDS\ntds.dit

What is the authentication protocol used in NT? NTLM (NT LAN Manager)

What is subnetting and supernetting? Subnetting is the process of borrowing bits from the host portion of an address to provide bits for identifying additional sub-networks. Supernetting merges several smaller, contiguous blocks of IP addresses (networks) into one larger block of addresses; it is done by borrowing network bits to combine several smaller networks into one larger network.

What is the use of Terminal Services? Terminal Services can be used in Remote Administration mode to administer a server remotely, as well as in Application Server mode to run an application on one server so that users can log in to that server to use the application.

What is the protocol used for Terminal Services? RDP

What is the port number for RDP? 3389
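As an added example, not from the book, the following Python works the subnetting and supernetting arithmetic with the standard ipaddress module; the address blocks are constructed, and it also shows the case the definition above glosses over: contiguous blocks that are not aligned on the larger boundary cannot be supernetted.

```python
import ipaddress
from typing import Dict, List

# Added example; every address block below is constructed.


def subnet_by_borrowing(network: str, borrowed_bits: int) -> List[ipaddress.IPv4Network]:
    """Subnetting: borrow `borrowed_bits` from the host portion, giving
    2**borrowed_bits equal sub-networks, each with a longer prefix."""
    net = ipaddress.ip_network(network, strict=True)
    if borrowed_bits < 0 or net.prefixlen + borrowed_bits > net.max_prefixlen:
        raise ValueError(f"cannot borrow {borrowed_bits} bits from {net}")
    return list(net.subnets(prefixlen_diff=borrowed_bits))


def describe(net: ipaddress.IPv4Network) -> Dict[str, object]:
    """Facts an admin reads off a prefix: mask, broadcast and usable host count
    (network and broadcast addresses are reserved, so /31 and /32 give 0 here)."""
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else 0
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def supernet(networks: List[str]) -> List[ipaddress.IPv4Network]:
    """Supernetting: give network bits back so that contiguous, aligned blocks
    merge into one larger block. Blocks that are contiguous but do not start on
    the larger boundary stay separate, which is the usual supernetting pitfall."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def bits_returned(networks: List[str]) -> int:
    """How many network bits were given back when `networks` merged into a
    single supernet (0 if they did not merge into one block)."""
    merged = supernet(networks)
    if len(merged) != 1:
        return 0
    longest_prefix = max(ipaddress.ip_network(n).prefixlen for n in networks)
    return longest_prefix - merged[0].prefixlen
```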

Medium Level Questions:

What is the difference between an authorized DHCP server and a non-authorized DHCP server? To avoid problems in the network caused by mis-configured DHCP servers, a DHCP server in Windows 2000 must be validated by AD before it starts serving clients. If an authorized DHCP server finds any other DHCP server in the network, it stops serving the clients.


Difference between inter-site and intra-site replication, and the protocols used for replication: Intra-site replication is done between the domain controllers in the same site. Inter-site replication is done between two different sites over WAN links; a BHS (Bridgehead Server) is responsible for initiating replication between the sites, so inter-site replication is done between the BHS in one site and the BHS in another site. We can use RPC over IP or SMTP as replication protocols, but the domain partition cannot be replicated using SMTP.

How do you monitor replication? We can use the Replmon tool from the Support Tools.

Brief explanation of RAID Levels Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic. Basic Disk Storage: Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.


Dynamic Disk Storage: Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.

Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers. You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Datacenter versions of Windows Server 2003.

Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes. A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.

How to convert a basic disk to a dynamic disk: Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk. To do this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management. You can also right-click My Computer and choose Manage if you have My Computer displayed on your desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the Details pane.
6. Select the check box that is next to the disk that you want to convert (if it is not already selected), and then click OK.
7. Click Details if you want to view the list of volumes in the disk. Click Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.

Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you want to keep your data, you must first back up the data or move it to another volume.

What are Dynamic Storage Terms? A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
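The parity mechanism described above, shown as a runnable in-memory model. This is an added example, not code from this book or from Windows: each "disk" is a Python list of small fixed-size blocks (the 4-byte block size and the sample payload are constructed), parity is the XOR of the other blocks in the stripe, and the parity position rotates per stripe. The read path rebuilds a missing disk from the survivors, which is exactly why a RAID-5 set tolerates one failure and not two.

```python
"""RAID-5 striping with rotating parity, modelled in memory.

Added example, not code from the book. Each "disk" is a Python list of
fixed-size blocks; one block per stripe holds the XOR parity of the others,
and the parity position rotates so that no single disk carries all parity.
Losing any one disk is recoverable; losing two is not.
"""
from typing import List, Optional

BLOCK = 4  # constructed block size in bytes (real arrays use much larger stripe units)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the RAID-5 parity function."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Spread data across ndisks (at least three) disks, computing parity per stripe."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_blocks_per_stripe = ndisks - 1
    stripe_bytes = BLOCK * data_blocks_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(data_blocks_per_stripe)]
        parity_disk = (ndisks - 1 - s) % ndisks  # parity rotates one disk left per stripe
        parity = xor_blocks(data_blocks)
        remaining = iter(data_blocks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reassemble the first `length` bytes; a failed disk is passed as None."""
    ndisks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID-5 cannot survive more than one failed disk")
    nstripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(nstripes):
        parity_disk = (ndisks - 1 - s) % ndisks
        blocks = [None if d is None else d[s] for d in disks]
        if failed:
            # Missing block (data or parity) = XOR of every surviving block in the stripe
            blocks[failed[0]] = xor_blocks([b for b in blocks if b is not None])
        for d in range(ndisks):
            if d != parity_disk:
                out += blocks[d]
    return bytes(out[:length])


def rebuild_survives_single_failure(data: bytes, ndisks: int = 4) -> bool:
    """True if the data reads back intact with each disk in turn removed."""
    disks = raid5_write(data, ndisks)
    for f in range(ndisks):
        degraded = list(disks)
        degraded[f] = None
        if raid5_read(degraded, len(data)) != data:
            return False
    return True


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed payload
    print("survives single-disk loss:", rebuild_survives_single_failure(sample))
```

Usage: `rebuild_survives_single_failure(b"...", 4)` writes the payload to a four-disk set and reads it back with each disk removed in turn. Passing two `None` disks to `raid5_read` raises, which is the practical reason a degraded RAID-5 array should be rebuilt promptly.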

The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.

The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

RAID levels summary:
RAID 0 - Striping
RAID 1 - Mirroring (minimum 2 HDDs required)
RAID 5 - Striping with parity (minimum 3 HDDs required)
Only RAID levels 1 and 5 provide redundancy.

What are the different backup strategies available?
Normal backup
Incremental backup
Differential backup
Daily backup
Copy backup
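The five backup types listed above differ in which files they select and whether they clear the archive attribute afterwards. The following model is an added example, not code from this book or from Windows Backup; it follows the NTBackup rules (Normal and Incremental clear the archive attribute after copying, Differential, Daily and Copy leave it alone) and uses a constructed three-day scenario with constructed file names to show why an incremental chain copies less each day while a differential always copies everything changed since the last normal backup.

```python
"""Which files each Windows backup type copies, driven by the archive attribute.

Added example (not from the book), following the NTBackup rules: Normal and
Incremental clear the archive attribute after copying; Differential, Daily
and Copy leave it alone. The three-day scenario and file names are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class BackupFile:
    name: str
    archive: bool   # archive attribute: set by Windows whenever the file changes
    modified: date


def run_backup(kind: str, files: List[BackupFile], today: date) -> List[str]:
    """Return the names copied by a backup of the given kind, updating attributes."""
    kind = kind.lower()
    if kind == "normal":            # everything; marks all files as backed up
        chosen, clear = list(files), True
    elif kind == "copy":            # everything; does not disturb the backup chain
        chosen, clear = list(files), False
    elif kind == "incremental":     # changed since the last normal/incremental; marks them
        chosen, clear = [f for f in files if f.archive], True
    elif kind == "differential":    # changed since the last normal; does not mark them
        chosen, clear = [f for f in files if f.archive], False
    elif kind == "daily":           # changed today; does not mark them
        chosen, clear = [f for f in files if f.modified == today], False
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if clear:
        for f in chosen:
            f.archive = False
    return [f.name for f in chosen]


def three_day_plan(strategy: str) -> Dict[str, List[str]]:
    """Normal backup on day 1, then `strategy` on days 2 and 3, with one file
    changing each day. Shows how much each later backup has to copy."""
    d1, d2, d3 = date(2010, 2, 15), date(2010, 2, 16), date(2010, 2, 17)
    files = [BackupFile("payroll.xls", True, d1),
             BackupFile("ntds.dit", True, d1),
             BackupFile("readme.txt", True, d1)]
    log = {"day1 normal": run_backup("normal", files, d1)}
    files[0].archive, files[0].modified = True, d2        # payroll.xls edited on day 2
    log["day2 " + strategy] = run_backup(strategy, files, d2)
    files[1].archive, files[1].modified = True, d3        # ntds.dit changed on day 3
    log["day3 " + strategy] = run_backup(strategy, files, d3)
    return log


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, three_day_plan(strategy))
```

Restoring from the incremental plan needs the normal backup plus every incremental since; restoring from the differential plan needs the normal backup plus only the latest differential, which is the trade-off between backup size and restore complexity.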

What is a global catalog?
Global catalog is a role which maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored in global catalog servers and replicated to all GCs in the forest.

What is Active Directory and what is the use of it?
Active Directory is a directory service which maintains the relationship between resources, enabling them to work together. Because of AD's hierarchical structure, Windows 2000 is more scalable and reliable. Active Directory is derived from the X.500 standards, where information is stored in a hierarchical, tree-like structure. Active Directory depends on two Internet standards: one is DNS and the other is LDAP. Information in Active Directory can be queried by using the LDAP protocol.

What is the physical and logical structure of AD?
Active Directory's physical structure is a hierarchy which follows Forests > Trees > Domains > Child Domains > Grandchild Domains, etc.
Active Directory is logically divided into 3 partitions:
Configuration partition
Schema partition
Domain partition
Application partition (only in Windows 2003; not available in Windows 2000)
Of these, the Configuration and Schema partitions are replicated between the domain controllers in the entire forest, whereas the Domain partition is replicated between the domain controllers in the same domain.

What is the process of user authentication (Kerberos V5) in Windows 2000?
After the user supplies logon credentials, an encryption key is generated from them; this key is used to encrypt the time stamp of the client machine. The user name and the encrypted time stamp are sent to the domain controller for authentication. The domain controller, using the password information stored in AD for that user, decrypts the encrypted time stamp. If the decrypted time stamp matches its own time stamp, it sends a logon session key and a Ticket Granting Ticket to the client in encrypted form. The client decrypts them in turn and, if the time stamp information matches, uses the logon session key to log on to the domain. The Ticket Granting Ticket is later used to obtain service granting tickets when accessing network resources.
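The exchange just described, simulated end to end with both sides' messages. This is an added example, not code from this book or from Windows: real Kerberos uses standardised encryption types (for AES, a PBKDF2-derived key), so a small stdlib-only authenticated cipher stands in for that here; the realm, the account, its password and the clock values are constructed. The three failure outcomes use the real Kerberos error names for a wrong password, an out-of-tolerance clock and an unknown account.

```python
"""Kerberos V5 logon (the AS exchange) with time-stamp pre-authentication, simulated.

Added example, not from the book. Real Kerberos uses standardised encryption
types (e.g. AES with a PBKDF2-derived key); here a small stdlib-only
authenticated cipher stands in for that so the exchange runs offline. The realm,
the account, its password and the clock values are constructed. The error names
are the real Kerberos error codes for each outcome.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

REALM = "EXAMPLE.LOCAL"              # constructed realm
MAX_SKEW = timedelta(minutes=5)      # Kerberos' default tolerated clock difference


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password (the DC stores this, not the password)."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (stand-in for a Kerberos etype): nonce | ct | tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """None when the key is wrong or the blob was altered: 'cannot decrypt'."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DomainController:
    """KDC side: holds every account's long-term key plus the krbtgt key for TGTs."""

    def __init__(self, accounts: dict):
        self.keys = {user: string_to_key(pw, user) for user, pw in accounts.items()}
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, user: str, enc_timestamp: bytes, now: datetime) -> Tuple[str, Optional[bytes]]:
        key = self.keys.get(user)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        stamp = decrypt(key, enc_timestamp)
        if stamp is None:                                   # wrong password: stamp won't decrypt
            return "KDC_ERR_PREAUTH_FAILED", None
        if abs(datetime.fromisoformat(stamp.decode()) - now) > MAX_SKEW:
            return "KRB_AP_ERR_SKEW", None                  # stale stamp: replay protection
        session_key = os.urandom(32)
        tgt = encrypt(self.krbtgt_key, f"{user}|{session_key.hex()}|{now.isoformat()}".encode())
        # The reply is sealed with the user's key: only someone holding it recovers the session key
        return "OK", encrypt(key, session_key + tgt)


def client_logon(dc: DomainController, user: str, password: str,
                 client_clock: datetime, dc_clock: datetime):
    """Client side: encrypt own time stamp, send AS-REQ, unseal the AS-REP."""
    key = string_to_key(password, user)
    status, reply = dc.as_exchange(user, encrypt(key, client_clock.isoformat().encode()), dc_clock)
    if status != "OK":
        return status, None, None
    plain = decrypt(key, reply)
    return status, plain[:32], plain[32:]      # (status, logon session key, TGT)


def demo() -> dict:
    """Four logon attempts; returns the outcome of each."""
    dc = DomainController({"alice": "correct horse battery"})
    now = datetime(2010, 2, 18, 9, 0, tzinfo=timezone.utc)
    status, session_key, tgt = client_logon(dc, "alice", "correct horse battery", now, now)
    tgt_user = decrypt(dc.krbtgt_key, tgt).decode().split("|")[0]  # DC can open its own TGT
    return {
        "good": status, "session_key_len": len(session_key), "tgt_user": tgt_user,
        "bad_password": client_logon(dc, "alice", "wrong", now, now)[0],
        "clock_10min_out": client_logon(dc, "alice", "correct horse battery",
                                        now - timedelta(minutes=10), now)[0],
        "unknown_user": client_logon(dc, "bob", "whatever", now, now)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The skew case is the one administrators meet most often: a client whose clock drifts more than five minutes from the domain controller cannot log on even with the right password, which is why the PDC Emulator's time-synchronization role (below) matters to Kerberos.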

What are the port numbers for Kerberos, LDAP and Global Catalog?
Kerberos 88, LDAP 389, Global Catalog 3268

What is the use of LDAP (X.500 standard)?
LDAP is a directory access protocol which is used to exchange directory information from server to clients or from server to server.

What are the problems that generally come across in DHCP?
The scope is full of IP addresses, so no IPs are available for new machines.
Scope options are not configured properly, e.g. the default gateway.
Incorrect creation of scopes, etc.

What is the role responsible for time synchronization?
The PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos authentication depends on time stamp information.

What is TTL & how to set TTL time in DNS?
TTL is the Time to Live setting, used for the amount of time that a record should remain in cache after name resolution has happened. We can set the TTL in the SOA (Start of Authority) record of DNS.

How to take DNS, WINS and DHCP backup
%SystemRoot%\System32\dns
%SystemRoot%\System32\WINS
%SystemRoot%\System32\DHCP

What is Recovery Console?
Recovery Console is a utility used to recover the system when it is not booting properly or not booting at all. We can perform the following operations from Recovery Console:
Copy, rename, or replace operating system files and folders
Enable or disable service or device startup the next time that you start the computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives

What is DFS & its usage?
DFS (Distributed File System) is used to provide a common environment for users to access files and folders even when they are physically shared on different servers. There are two types of DFS: domain DFS and stand-alone DFS. We cannot provide redundancy for stand-alone DFS in case of failure. Domain DFS is used in a domain environment and is accessed as \\<domain name>\root1 (root1 is the DFS root name). Stand-alone DFS can be used in a workgroup environment and is accessed as \\<server name>\root1 (root1 is the DFS root name). In both cases we need to create a DFS root (which appears like a shared folder to end users) and DFS links (logical links pointing to the server where the folder is physically shared).
The maximum number of DFS roots per server is 1.
The maximum number of DFS root replicas is 31.
The maximum number of DFS roots per domain is unlimited.
The maximum number of DFS links or shared folders in a DFS root is 1,000.

What is RIS and what are its requirements?
RIS (Remote Installation Services) is used to install an operating system remotely.
Client requirements:
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk.
Should meet the minimum operating system requirements.
Software requirements: the following network services must be active on the RIS server or on any server in the network:
Domain Name System (DNS service)
Dynamic Host Configuration Protocol (DHCP)
Active Directory directory service

How many root replicas can be created in DFS?
What is the difference between Domain DFS and Stand-alone DFS?
Can we establish a trust relationship between two forests?
In Windows 2000 it is not possible. In Windows 2003 it is possible.

What are FSMO Roles?
The Flexible Single Master Operation (FSMO) roles are:
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master

Brief all the FSMO Roles


Windows 2000/2003 Multi-Master Model A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
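The RID Master description above (domain SID plus RID, pools handed to each DC, a refill request when a pool runs low) as a small runnable model. This is an added example, not code from this book or from Windows: the domain SID, the 100-RID block size and the refill threshold are constructed values rather than Windows defaults, and the reservation of RIDs below 1000 for built-in accounts is a fact about Windows that the model reflects. It shows why two DCs minting accounts at the same time never collide on a SID even though neither talks to the other.

```python
"""Domain SID + RID = security principal SID, and the RID pool mechanism.

Added example, not from the book. RidMaster hands each DC a disjoint block of
RIDs; a DC mints SIDs from its block and asks for a new one when the block
runs low, so two DCs never issue the same SID. The domain SID, the block size
and the refill threshold are constructed values, not Windows defaults.
"""
from typing import Dict, List, Tuple


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); rejects non-domain SIDs."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID: " + sid)
    return "-".join(parts[:7]), int(parts[7])


class RidMaster:
    """One per domain: owns the unallocated RID space and issues blocks from it."""

    def __init__(self, domain_sid: str, block_size: int, first_rid: int = 1000):
        self.domain_sid, self.block_size = domain_sid, block_size
        self.next_free = first_rid                      # RIDs below 1000 are reserved for built-in accounts
        self.issued: List[Tuple[str, int, int]] = []    # (dc name, first RID, last RID)

    def allocate(self, dc_name: str) -> Tuple[int, int]:
        first, last = self.next_free, self.next_free + self.block_size - 1
        self.next_free = last + 1
        self.issued.append((dc_name, first, last))
        return first, last


class DomainController:
    """Any DC: creates security principals from its own RID pool."""

    def __init__(self, name: str, master: RidMaster, threshold: int):
        self.name, self.master, self.threshold = name, master, threshold
        self.pool: List[int] = []
        self.principals: Dict[str, str] = {}   # sAMAccountName -> SID created on this DC
        self.pool_requests = 0
        self._request_pool()

    def _request_pool(self) -> None:
        first, last = self.master.allocate(self.name)
        self.pool.extend(range(first, last + 1))
        self.pool_requests += 1

    def create_principal(self, sam_account_name: str) -> str:
        if len(self.pool) <= self.threshold:    # pool running low: ask the RID master for more
            self._request_pool()
        sid = f"{self.master.domain_sid}-{self.pool.pop(0)}"
        self.principals[sam_account_name] = sid
        return sid


def demo(principals_per_dc: int = 120) -> Dict[str, object]:
    """Two DCs creating accounts concurrently from one RID master."""
    master = RidMaster("S-1-5-21-1004336348-1177238915-682003330", block_size=100)  # constructed SID
    dcs = [DomainController("DC1", master, threshold=20), DomainController("DC2", master, threshold=20)]
    sids = [dc.create_principal(f"{dc.name.lower()}-user{i}") for i in range(principals_per_dc) for dc in dcs]
    return {
        "all_unique": len(set(sids)) == len(sids),
        "domain_sids": {split_sid(s)[0] for s in sids},
        "blocks_issued": len(master.issued),
        "dc1_pool_requests": dcs[0].pool_requests,
        "first_sid": sids[0],
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed sizes each DC starts with one block of 100 RIDs, requests a second block after creating its 80th account, and the two DCs together consume four disjoint blocks; `split_sid` is the check a script would use to confirm that every resulting SID shares the one domain SID and differs only in its RID.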

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

How to manually configure FSMO Roles on separate DCs

How can I determine who are the current FSMO Role holders in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. The transferring method is described in the Transferring FSMO Roles article, while seizing the roles from a non-operational DC to a different DC is described in the Seizing FSMO Roles article.

In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have the exact knowledge of which one of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and better prepare him or herself in case of a non-scheduled cease of operation from one of the DCs.

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. This article will list a few of the available methods.

Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming    One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID              One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator     One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Infrastructure   One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)

Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role        Which snap-in should I use?
Schema           Schema snap-in
Domain Naming    AD Domains and Trusts snap-in
RID              AD Users and Computers snap-in
PDC Emulator     AD Users and Computers snap-in
Infrastructure   AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done, click Close.

Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon and press Operation Masters.
3. When you're done, click Close.

Finding the Schema Master via GUI
To find out who currently holds the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.

3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema. Press Add and press Close. Press OK.
6. Click the Active Directory Schema icon. After it loads, right-click it and press Operation Masters.
7. Press the Close button.

Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER again.
7. At the select operation target: prompt, type list roles for connected server, and then press ENTER again.

select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

8. Type q 3 times to exit the Ntdsutil prompt.

Note: You can download THIS nice batch file that will do all this for you (1kb).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000 Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools). This tool is basically a one-click Ntdsutil script that performs the same operation described above.

Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command. Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (from here: Download Free Windows 2000 Resource Kit Tools) or obtain the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.

2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).
3. Close the CMD window.
Note: You can download THIS nice batch file that will do all this for you (1kb).

Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Replmon tool. Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide variety of tasks, mostly those that are related to AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select Search the Directory for the server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you want to query. Click Finish.
5. Right-click the server that is now listed in the left pane, and select Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click OK when you're done.

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), it is not a problem for them to be unavailable for hours or even days. If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary, when the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role        Loss implications
Schema           The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID              Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure   Group memberships may be incomplete. If you only have one domain, there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again. The following table summarizes the FSMO seizing restrictions:

FSMO Role        Restrictions
Schema           Original must be reinstalled
Domain Naming    Original must be reinstalled
RID              Original must be reinstalled
PDC Emulator     Can transfer back to original
Infrastructure   Can transfer back to original

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:
seize schema master
seize domain naming master
seize RID master
seize PDC
seize infrastructure master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
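Both ntdsutil transcripts in this chapter (the "List roles for connected server" listing under Method #3 and the post-seizure listing above) print each role as the distinguished name of the holder's NTDS Settings object. The block below is an added example, not code from this book or from Microsoft: it parses that format into a role-to-holder map and diffs two snapshots to report which roles changed hands. The two sample transcripts are reconstructed from this chapter's own sessions (SERVER100, SERVER200 and the dpetri.net domain as printed there); on a real domain the input would come from a scheduled ntdsutil or netdom dump.

```python
"""Parse ntdsutil's "List roles for connected server" output into a role-holder map
and diff two snapshots to flag roles that changed hands.

Added example, not from the book. The two transcripts below are reconstructed
from the book's own ntdsutil sessions (server names and dpetri.net domain as
there); the role lines are distinguished names of the holders' NTDS Settings
objects, which is what the regular expression picks apart.
"""
import re
from typing import Dict, List, Tuple

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+-\s+"
    r"CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,"
    r"CN=Configuration,(?P<domain>DC=.+)$"
)


def parse_roles(output: str) -> Dict[str, Tuple[str, str]]:
    """Map each role to (holder server, site); fail loudly if any role is missing."""
    holders: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            holders[m["role"]] = (m["server"], m["site"])
    missing = [r for r in ROLES if r not in holders]
    if missing:
        raise ValueError("roles absent from output: " + ", ".join(missing))
    return holders


def moved_roles(before: Dict[str, Tuple[str, str]],
                after: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(role, old holder, new holder) for every role whose holder differs."""
    return [(r, before[r][0], after[r][0]) for r in ROLES if before[r][0] != after[r][0]]


# Reconstructed from the chapter's Method #3 listing (all roles on SERVER100).
BEFORE_SEIZE = """\
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
"""

# Reconstructed from the chapter's post-seizure listing (Schema and RID now on SERVER200).
AFTER_SEIZE = """\
fsmo maintenance: Seize infrastructure master
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
"""


def demo() -> List[Tuple[str, str, str]]:
    """Roles that changed holder between the two reconstructed snapshots."""
    return moved_roles(parse_roles(BEFORE_SEIZE), parse_roles(AFTER_SEIZE))


if __name__ == "__main__":
    for role, old, new in demo():
        print(f"{role}: {old} -> {new}")
```

Comparing a daily snapshot against the previous one turns the chapter's "who holds which role" question into an alert: a Schema, Domain Naming or RID role that moves without a planned transfer deserves a look, because, as the restrictions table states, once those roles are seized the old holder must never rejoin the forest.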

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as a Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it never holds a reference to an object that it does not also hold: a GC server holds a partial replica of every object in the forest, so the IM has nothing to compare against and cross-domain references (for example group members from other domains) are never refreshed. The rule only matters in a multi-domain forest where not every domain controller is a GC; if every DC is a GC, or there is only one domain, the placement is harmless.
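The two checks above (which roles still point at a dead domain controller, and whether the Infrastructure Master sits on a Global Catalog) can be automated from the role table that ntdsutil prints. The following Python is an added example, not code from the book or from Microsoft: it parses a constructed copy of the "knows about 5 roles" block (same DN layout as the transcript, with SERVER200 as the failed DC), lists the seize commands that are still needed, and applies the IM/GC placement rule. The list of DCs and GCs passed to the check is an assumed input; the script does not query the directory.

```python
"""Plan FSMO seizure from ntdsutil's role table and check the Infrastructure
Master / Global Catalog placement rule.  Added example, not from the book; the
sample output below is constructed to match the transcript's DN layout."""
import re
from typing import Dict, List, Optional

# Constructed copy of the "knows about 5 roles" block: SERVER200 is the DC
# that has died, so Schema and RID still point at it.
SAMPLE_OUTPUT = """\
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
"""

# Role label as ntdsutil prints it -> the fsmo maintenance command that seizes it.
SEIZE_COMMANDS = {
    "Schema": "seize schema master",
    "Domain": "seize domain naming master",
    "PDC": "seize PDC",
    "RID": "seize RID master",
    "Infrastructure": "seize infrastructure master",
}

# "<Role> - CN=NTDS Settings,CN=<server>,..."; the second CN is the DC's name.
ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - CN=NTDS Settings,CN=([^,]+),")


def parse_roles(output: str) -> Dict[str, str]:
    """Map each FSMO role to the (upper-cased) name of the DC that holds it."""
    roles: Dict[str, str] = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1)] = m.group(2).upper()
    if len(roles) != 5:
        raise ValueError(f"expected 5 roles, parsed {len(roles)}")
    return roles


def seize_plan(roles: Dict[str, str], dead_server: str) -> List[str]:
    """The seize commands to run, in ntdsutil's role order, for every role that
    is still recorded on a DC that will never come back."""
    dead = dead_server.upper()
    return [SEIZE_COMMANDS[role] for role, holder in roles.items() if holder == dead]


def infrastructure_master_warning(roles: Dict[str, str], all_dcs: List[str],
                                  global_catalogs: List[str], domain_count: int) -> Optional[str]:
    """The placement rule from the book: the Infrastructure Master must not sit on a
    Global Catalog, because a GC never holds a stale cross-domain reference to fix.
    The rule does not matter in a single-domain forest or when every DC is a GC."""
    im = roles["Infrastructure"]
    gcs = {g.upper() for g in global_catalogs}
    dcs = {d.upper() for d in all_dcs}
    if im in gcs and domain_count > 1 and not dcs <= gcs:
        return f"Infrastructure Master {im} is a Global Catalog: move the IM role to a non-GC DC"
    return None


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_OUTPUT)
    print(roles)
    print("to seize:", seize_plan(roles, "server200"))
    print(infrastructure_master_warning(roles, ["SERVER100", "SERVER200"], ["SERVER100"], 2))
```

Run against the transcript's situation the plan is "seize schema master" and "seize RID master", the two roles still recorded on SERVER200; the IM warning fires only when SERVER100 is a GC, the forest has more than one domain, and some DC is not a GC.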

What is the difference between authoritative and non-authoritative restore?
In an authoritative restore, the objects that are restored are replicated to all domain controllers in the domain. This is used when an entire OU has been deleted or damaged on all domain controllers, or to restore a single object that is damaged on all DCs.
In a non-authoritative restore, the restored directory information is updated by the other domain controllers based on the latest modification time.
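Why the two restores behave differently comes down to replication metadata, and a small simulation makes that visible. The Python below is an added example, not from the book: it models one attribute on two DCs, resolves conflicts the way replication does (higher version number wins, ties go to the later timestamp), and applies the version increase that ntdsutil's authoritative restore performs (100,000 per day since the backup). It also includes the check a practitioner wants before any restore: a backup older than the tombstone lifetime (60 days by default, as the book states later) must not be used, because objects deleted since then would come back as lingering objects. The dates, object name and version numbers are constructed.

```python
"""Model of why a non-authoritative restore of a deleted object is undone by
replication while an authoritative restore survives.  Added example, not from
the book.  The conflict rule (higher version wins, ties go to the later
timestamp) and the 100,000-per-day version increase that ntdsutil's
authoritative restore applies are documented Active Directory behaviour; the
rest (one attribute, two DCs, a deletion modelled as a write) is a simplification."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

TOMBSTONE_LIFETIME_DAYS = 60      # default quoted in the book
VERSION_BUMP_PER_DAY = 100_000    # ntdsutil "authoritative restore" default


@dataclass(frozen=True)
class Replica:
    """One DC's copy of an object: value None models a tombstoned (deleted) object."""
    value: Optional[str]
    version: int        # per-attribute version number in the replication metadata
    stamp: datetime     # originating write time


def winner(a: Replica, b: Replica) -> Replica:
    """Replication conflict resolution: higher version wins, then the later timestamp."""
    return max(a, b, key=lambda r: (r.version, r.stamp))


def converge(replicas: List[Replica]) -> Replica:
    """The state every DC ends up with once replication has run to completion."""
    best = replicas[0]
    for r in replicas[1:]:
        best = winner(best, r)
    return best


def backup_is_usable(backup_time: datetime, now: datetime,
                     tombstone_days: int = TOMBSTONE_LIFETIME_DAYS) -> bool:
    """A backup older than the tombstone lifetime must not be restored: objects deleted
    since it was taken have already been garbage-collected on the other DCs, so the
    restored copies would come back as lingering objects that never get deleted."""
    return now - backup_time <= timedelta(days=tombstone_days)


def non_authoritative_restore(backup: Replica) -> Replica:
    """Object returns exactly as it was at backup time; replication then re-applies
    any newer change, including the deletion."""
    return backup


def authoritative_restore(backup: Replica, backup_time: datetime, restore_time: datetime) -> Replica:
    """ntdsutil raises the version by 100,000 for each day since the backup so the
    restored copy outranks every change made in the meantime.  Model choice: at
    least one day is counted even for a same-day restore."""
    days = max(1, (restore_time - backup_time).days)
    return replace(backup, version=backup.version + VERSION_BUMP_PER_DAY * days)


def demo() -> dict:
    """Constructed scenario: an OU backed up on 1 Feb, deleted on 10 Feb, restored on 12 Feb."""
    backup_time = datetime(2010, 2, 1)
    restore_time = datetime(2010, 2, 12)
    in_backup = Replica("Sales OU", version=3, stamp=datetime(2010, 1, 15))
    deleted_on_dc2 = Replica(None, version=4, stamp=datetime(2010, 2, 10))

    after_non_auth = converge([non_authoritative_restore(in_backup), deleted_on_dc2])
    auth_copy = authoritative_restore(in_backup, backup_time, restore_time)
    after_auth = converge([auth_copy, deleted_on_dc2])
    return {
        "non_authoritative": after_non_auth.value,     # None: the deletion wins again
        "authoritative": after_auth.value,             # "Sales OU": restored copy wins
        "authoritative_version": auth_copy.version,
        "recent_backup_usable": backup_is_usable(backup_time, restore_time),
        "old_backup_usable": backup_is_usable(datetime(2009, 11, 1), restore_time),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The non-authoritative copy comes back with version 3 and is immediately out-replicated by the version-4 deletion; the authoritative copy carries version 1,100,003 and wins on every DC. The backup-age check rejects the November backup because 103 days exceeds the 60-day tombstone lifetime.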

What is Active Directory de-fragmentation?
De-fragmentation of AD means separating the used space from the empty space created by deleted objects; it reduces the directory size (only with offline de-fragmentation).

Difference between online and offline de-fragmentation
The size of NTDS.DIT will often be different across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the domain controllers, with the changes being replicated over time to the other domain controllers. The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform an online directory defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around inside the database file (NTDS.DIT) and doesn't reduce the file's size; the database file cannot be compacted while Active Directory is mounted (online). Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. An NTDS.DIT file that has been defragmented offline (compacted) can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn't something you should really need to do. Normally the database self-tunes: it automatically tombstones deleted records and then sweeps them away when the tombstone lifetime has passed, making that space available for additional records. Defragging the NTDS.DIT file probably won't make your AD queries any faster in the long run. So why defrag it in the first place? One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.

To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:

Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter.
Press Enter again to start the OS. W2K will start in safe mode, with no DS running.
Use the local SAM's administrator account and password to log on. You'll see a dialog box that says you're in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe.
In the command window, enter the following commands:

C:\> ntdsutil
ntdsutil: files
file maintenance: info
....
file maintenance: compact to c:\temp

You'll see the defragmentation process. If the process was successful, enter quit to return to the command prompt. Then replace the old NTDS.DIT file with the new, compacted version:

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Note: the compact command's own output also tells you to delete the old transaction logs (%systemroot%\ntds\*.log) after copying the compacted file; keep the backup from the first step until the directory has started cleanly.

Restart the computer, and boot as normal.

What is the tombstone period?
Tombstones are nothing but objects marked for deletion. After deleting an object in AD the object is not deleted permanently. It remains for 60 days by default (which is configurable): AD adds a "marked for deletion" entry on the object and replicates it to all DCs. After 60 days the object is deleted permanently from all DCs.

What is white space and garbage collection?

What are the monitoring tools used for Server and Network Health? How to define an alert mechanism?
Spotlight, SNMP (needs to be enabled).


How to deploy the patches and what are the softwares used for this process
Using a SUS (Software Update Services) server we can deploy patches to all clients in the network. On the server we need to configure the option "Synchronize with Microsoft software update server" and schedule the synchronization time. We then need to approve new updates based on the requirement; the approved updates will be deployed to the clients.

We can configure the clients by changing the registry manually, or through Group Policy by adding the WUAU administrative template to the group policy.

What is Clustering? Briefly define and explain it
Clustering is a technology which is used to provide high availability for mission-critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs; it is only available in Enterprise Edition and Datacenter Edition. In Windows we can configure two types of clusters:

NLB (Network Load Balancing) cluster, for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy servers.

Server Cluster. This provides high availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node will be active and one node will be standby. When the active server fails the application will FAILOVER to the standby server automatically. When the original server comes back we need to FAILBACK the application.

Quorum: shared storage that must be provided to all servers in the cluster; it keeps information about the clustered application and session state and is used in a FAILOVER situation. This is very important: if the Quorum disk fails the entire cluster fails.

Heartbeat: a private connection between the servers in the cluster, which is used to identify the status of the other servers in the cluster.

How to configure SNMP
SNMP can be configured by installing SNMP from Monitoring and Management tools from Add and Remove programs.

For SNMP programs to communicate we need to configure a common community name on the machines where the SNMP programs (e.g. Dell OpenManage) run. This can be configured from services.msc -> SNMP Service -> Security. (In SNMP v1/v2c the community name travels in clear text and is the only credential, so use a name other than the default "public" and restrict the accepted hosts in the same Security tab.)

Is it possible to rename the Domain name, and how?
In Windows 2000 it is not possible. In Windows 2003 it is possible. On a domain controller we can change it by going to My Computer properties.

What is an SOA record?
SOA is a Start Of Authority record, which is the first record in a DNS zone and controls the startup behavior of DNS. We can configure the TTL, refresh, and retry intervals in this record.

What is a Stub zone and what is the use of it?
Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient especially over slow WAN links.

What are the different types of partitions present in AD?
Active Directory is divided into three partitions (plus the application partition in Windows 2003):
Configuration Partition: replicates to the entire forest
Schema Partition: replicates to the entire forest
Domain Partition: replicates only within the domain
Application Partition (only in Windows 2003)
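To make the SOA fields above concrete, the following Python is an added example, not from the book: it parses an SOA record out of a constructed zone-file fragment (the standard multi-line form with ';' comments, the same fields a Windows DNS zone's properties expose) and runs the timer sanity checks an administrator would want, using the RFC 1912 guidance that retry is a fraction of refresh and expire should be two to four weeks. The zone name and server names are constructed.

```python
"""Parse a DNS SOA record out of zone-file text and check its timers.  Added
example, not from the book; the sample zone fragment is constructed."""
import re
from typing import Dict, List

# Constructed SOA in standard zone-file syntax, in the parenthesised multi-line
# form most zone files use; comments start with ';'.
SAMPLE_SOA = """\
$TTL 3600
dpetri.net.  IN  SOA  server100.dpetri.net. hostmaster.dpetri.net. (
                 2010021801 ; serial  (YYYYMMDDnn convention)
                 900        ; refresh: how often secondaries poll the primary
                 600        ; retry:   wait after a failed refresh
                 86400      ; expire:  secondaries stop answering after this
                 3600 )     ; minimum: negative-caching TTL
"""

# Suggested lower bound for expire from RFC 1912 section 2.2 (seconds, 2 weeks).
EXPIRE_MIN = 1_209_600

SOA_RE = re.compile(
    r"(\S+)\s+(?:\d+\s+)?IN\s+SOA\s+(\S+)\s+(\S+)\s*\(?\s*"
    r"(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
)


def _strip_comments(text: str) -> str:
    """Drop everything after ';' on each line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text: str) -> Dict[str, object]:
    """Return the SOA fields; 'ttl' is the $TTL default if the fragment has one."""
    text = _strip_comments(zone_text)
    ttl = re.search(r"^\$TTL\s+(\d+)", text, re.M)
    m = SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record found")
    return {
        "owner": m.group(1),
        "mname": m.group(2),             # primary server's name
        "rname": m.group(3),             # responsible mailbox, '.' in place of '@'
        "serial": int(m.group(4)),
        "refresh": int(m.group(5)),
        "retry": int(m.group(6)),
        "expire": int(m.group(7)),
        "minimum": int(m.group(8)),
        "ttl": int(ttl.group(1)) if ttl else None,
    }


def check_soa(soa: Dict[str, object]) -> List[str]:
    """Timer sanity checks; an empty list means nothing to report."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire is shorter than refresh + retry: one missed transfer drops the zone")
    if soa["expire"] < EXPIRE_MIN:
        problems.append("expire is below the 2 to 4 weeks RFC 1912 suggests")
    return problems


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print(check_soa(soa) or "timers look sane")
```

The constructed record parses cleanly but trips one check: a one-day expire means a secondary that cannot reach the primary stops answering for the zone after a single day, which is why RFC 1912 suggests weeks rather than hours.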

What are the (two) services required for replication?
File Replication Service (FRS)
Knowledge Consistency Checker (KCC)

Can we use a Linux DNS Server in a 2000 Domain?
We can, but the BIND version should be 8 or greater.

What is the difference between IIS Version 5 and IIS Version 6?

What is ASR (Automated System Recovery) and how to implement it ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard, located in Backup, does the backup portion. The wizard backs up the system state, system services, and all the disks that are associated with the operating system components. ASR also creates a file that contains information about the backup, the disk configurations (including basic and dynamic volumes), and how to perform a restore.

You can access the restore portion by pressing F2 when prompted in the text-mode portion of Setup. ASR reads the disk configurations from the file that it created. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.

What are the different levels at which we can apply Group Policy?
We can apply group policy at Site level, Domain level and OU level.


What is Domain Policy, Domain Controller Policy, Local Policy and Group Policy?
Domain Policy applies to all computers in the domain, because by default it is associated with the domain GPO, whereas Domain Controller Policy is applied only on domain controllers. By default the domain controller security policy is associated with the domain controller GPO. Local Policy applies to that particular machine only and affects only that computer.

What is the use of the SYSVOL folder?
Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in the domain. FRS (File Replication Service) is responsible for replicating all policies and scripts.

What is folder redirection?
Folder Redirection is a User group policy. Once you create the group policy and link it to the appropriate object (site, domain or OU), an administrator can designate which folders to redirect and where. To do this, the administrator needs to navigate to the following location in the Group Policy Object:

User Configuration\Windows Settings\Folder Redirection

In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can designate the server file system path to which the folder should be redirected.

The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.

What are the different modes in Windows 2003 (mixed, native, interim, etc.)? What are the domain and forest functional levels in a Windows Server 2003-based Active Directory?


Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system.

When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.

To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read "Raise Domain Function Level in Windows Server 2003 Domains" for more info).

To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this requirement is met, the administrator can raise the forest functional level (read "Raise Forest Function Level in Windows Server 2003 Active Directory" for more info).

Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

Important: Raising the domain and forest functional levels to Windows Server 2003 is a non-reversible task and prohibits the addition of Windows NT 4.0-based or Windows 2000-based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000-based domain controllers in the environment will no longer function. Before raising functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.

When the first Windows Server 2003-based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003:

Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on, by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.


When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.

If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (default)
Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
Activated features: local and global groups, global catalog support

Windows 2000 native
Supported domain controllers: Windows 2000, Windows Server 2003
Activated features: group nesting, universal groups, SIDHistory, converting groups between security groups and distribution groups; you can raise domain levels by increasing the forest level settings

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003
Supported features: there are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
Supported domain controllers: Windows Server 2003
Supported features: domain controller rename, logon timestamp attribute updated and replicated, user password support on the InetOrgPerson objectClass, constrained delegation; you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003.

After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain. Note that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level
Forest functionality activates features across all the domains in your forest. The three forest functional levels, the corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging. No global catalog full sync when attributes are added to the PAS. Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus efficient group member replication using Linked Value Replication, improved replication topology generation. ISTG aliveness no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit.

Windows Server 2003
Supported domain controllers: Windows Server 2003
Activated features: all features in the interim level, defunct schema objects, cross-forest trust, domain rename, dynamic auxiliary classes, InetOrgPerson objectClass change, application groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000.

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest. Different Active Directory features are available at different functional levels. Raising domain and forest functional levels is required to enable certain new features as domain controllers are upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003.

Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native mode, Windows Server 2003 and Windows Server 2003 interim (only available when upgrading directly from Windows NT 4.0 to Windows 2003).
Forest Functional Levels: Windows 2000 and Windows 2003.

IPsec usage and the difference between Windows 2000 and 2003
Microsoft doesn't recommend Internet Protocol security (IPsec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind network address translators. When a server is behind a network address translator and the server uses IPsec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic.

If you put a server behind a network address translator, you may experience connection problems because clients that connect to the server over the Internet require a public IP address. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator. For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static mappings:

Public IP address/UDP port 500 to the server's private IP address/UDP port 500
Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500

These mappings are required so that all Internet Key Exchange (IKE) and IPsec NAT-T traffic that is sent to the public address of the network address translator is automatically translated and forwarded to the Windows Server 2003-based computer.

How to create an application partition in Windows 2003, and its usage?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition. Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

Is it possible to do an implicit transitive forest-to-forest trust relationship in Windows 2003?
Implicit transitive trust is not possible in Windows 2003. Between forests we can create an explicit trust:
Two-way trust
One-way: incoming
One-way: outgoing

What is universal group membership caching in Windows 2003?
Information is stored locally once this option is enabled and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog. By default, the universal group membership information contained in the cache of each domain controller is refreshed every 8 hours.


GPMC and RSoP in Windows 2003?
GPMC is a tool used for managing group policies. It displays information such as how many policies are applied, on which OUs the policies are applied, what settings are enabled in each policy, which users are affected by these policies, and who is managing these policies.

RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine the set of applied policies and their precedence (the order in which policies are applied).

Assign and Publish applications in Group Policy, and how?
Through Group Policy you can Assign and Publish applications by creating an .msi package for the application. With the Assign option you can apply the policy to both users and computers. If it is applied to a computer then the policy applies to every user who logs on to that computer. If it is applied to a user it applies wherever that user logs on to the domain. The application appears in Start menu > Programs. Once the user clicks the shortcut or opens any document having that file extension, the application installs onto the local machine. If any application program files are missing it will automatically repair them. With the Publish option you can apply the policy only to users. It will not install automatically when any application program files are corrupted or deleted.

DFS in Windows 2003?
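The precedence question RSoP answers can be reproduced with a small resolver. The Python below is an added example, not from the book or from Microsoft's tools: it applies GPOs in the Site, Domain, OU order the book describes (a later container overrides an earlier one; within a container, link order 1 is applied last and so wins) and reports the winning GPO per setting the way RSoP's report does. It goes beyond the book's text by also modelling Block Inheritance and Enforced links, which are standard Windows Server 2003 Group Policy behaviour and are the usual source of surprising results. The site, domain, OU and GPO names and the settings are constructed.

```python
"""RSoP-style resolver: which GPO wins each setting when policies are linked at
site, domain and OU level.  Added example, not from the book; GPO names and
settings are constructed.  Group Policy applies Local, Site, Domain, OU (LSDOU),
so a later container overrides an earlier one.  Block Inheritance and Enforced
(No Override) links go beyond the book's text but are standard Windows Server
2003 behaviour and are included so the conflicts RSoP has to explain show up."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU with its linked GPOs in link order (1 = highest precedence)."""
    name: str
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain: List[Container]) -> List[Tuple[str, GPO]]:
    """GPOs in the order Group Policy applies them to an object in chain[-1];
    later entries overwrite earlier ones.  chain runs site -> domain -> OU -> ..."""
    # Block Inheritance on a container discards every non-enforced GPO linked above it.
    start = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            start = i
    order: List[Tuple[str, GPO]] = []
    for c in chain[start:]:
        # Link order 1 has the highest precedence, so it is applied last within its container.
        order += [(c.name, g) for g in reversed(c.links) if not g.enforced]
    # Enforced links ignore Block Inheritance and are applied after everything else;
    # an enforced link on a parent beats an enforced link on a child, so walk outward.
    for c in reversed(chain):
        order += [(c.name, g) for g in reversed(c.links) if g.enforced]
    return order


def resolve(chain: List[Container]) -> Dict[str, Tuple[object, str]]:
    """Effective setting -> (value, winning GPO and where it is linked), like RSoP's report."""
    result: Dict[str, Tuple[object, str]] = {}
    for container, gpo in processing_order(chain):
        for key, value in gpo.settings.items():
            result[key] = (value, f"{gpo.name} ({container})")
    return result


def build_chain(block_inheritance: bool) -> List[Container]:
    """Constructed site/domain/OU hierarchy with a deliberate screensaver conflict."""
    site = Container("Default-First-Site-Name", [GPO("Site Proxy", {"proxy": "site-proxy"})])
    domain = Container("dpetri.net", [
        GPO("Default Domain Policy", {"min_pw_len": 8, "screensaver": 900}),
        GPO("Domain Banner", {"banner": "domain"}),
        GPO("Security Baseline", {"screensaver": 600}, enforced=True),
    ])
    sales = Container("Sales", [GPO("Sales Desktop", {"screensaver": 1800, "proxy": "sales-proxy"})],
                      block_inheritance=block_inheritance)
    return [site, domain, sales]


if __name__ == "__main__":
    for key, (value, source) in sorted(resolve(build_chain(block_inheritance=True)).items()):
        print(f"{key:12} = {value!r:14} winning GPO: {source}")
```

With Block Inheritance on the Sales OU, the domain password policy and banner never reach Sales users, yet the enforced Security Baseline still wins the screensaver setting over the OU's own GPO; without the block, the OU proxy setting overrides the site's, exactly the kind of result RSoP is used to explain.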

How to use recovery console?


The Windows 2000 Recovery Console is a command-line console that you can start from the Windows 2000 Setup program. Using the Recovery Console, you can start and stop services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks. The Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly. Because the Recovery Console is quite powerful, it should only be used by advanced users who have a thorough knowledge of Windows 2000. In addition, you must be an administrator to use the Recovery Console.

There are two ways to start the Recovery Console:
If you are unable to start your computer, you can run the Recovery Console from your Windows 2000 Setup disks or from the Windows 2000 Professional CD (if you can start your computer from your CD-ROM drive).
As an alternative, you can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2000. You can then select the Recovery Console option from the list of available operating systems.

PPTP protocol for VPN in Windows 2003?
Point-to-Point Tunneling Protocol (PPTP) is a networking technology that supports multiprotocol virtual private networks (VPN), enabling remote users on Microsoft Windows NT Workstation, Windows 95 and Windows 98 and other Point-to-Point Protocol (PPP)-enabled systems to dial into a local Internet service provider and connect securely to their corporate network through the Internet.

SID history

What is a Bridgehead Server?


Crisis Management?

Mail flow in Exchange Server.

DMZ concept in Firewalls.

Does NAT use port numbers? If so, what is the port number?

Difference between Schema Master and Global Catalog?

Difference between Incremental and Differential Backup? Which backup does Microsoft recommend as best? (depends on the volume of data)

How DNS and DHCP are integrated?

If RID master fails what happens?

Which tool is used to view and transfer FSMO roles?

Difference between Assigning and Publishing through Group Policy?

Netdom.exe is domain management tool to rename domain controller

Second-level question: which services are installed when RIS is installed? Read about RIS.

How do you troubleshoot a DHCP client that does not get an IP address from the DHCP server?

What are online and offline defragmentation?


Garbage collection and white space?

Give one example of when the Infrastructure Master and a Global Catalog can be on the same DC. What is the issue if both reside on the same system? When do you require an Infrastructure Master? (The Infrastructure Master should not be on a GC unless every DC in the domain is a GC or the forest has a single domain.)

What are the Windows 2003 domain and forest functional levels (modes)?

What are the FSMO roles? Explain them.

Stress on PDC emulator?

Advantages of Windows 2003? About migration (W2K to W2K3 and NT to W2K3).

How to set up ADMT for a Windows NT 4.0 to Windows Server 2003 migration: before you migrate a Windows NT 4.0 domain to a Windows Server 2003-based domain, the following domain and security configuration is required. Note: this assumes that the source domain runs Windows NT 4.0 Service Pack 4 (SP4) or later with 128-bit encryption, and that the target domain is a Windows Server 2003-based domain in native mode. Windows Server 2003 ships with 128-bit encryption by default. Trusts: configure the source domain to trust the target domain, and configure the target domain to trust the source domain.


Groups: add the Domain Admins global group from the source domain to the Administrators local group in the target domain, and add the Domain Admins global group from the target domain to the Administrators local group in the source domain. Create a new local group in the source domain whose name is the NetBIOS name of the source domain followed by $$$ (for example SOURCEDOMAIN$$$). Note: this group is required by the sIDHistory migration and must have no members.

Auditing: enable auditing for the success and failure of User and Group Management on the source domain. Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers Policy.

Registry: on the PDC in the source domain, add the value TcpipClientSupport (REG_DWORD) = 1 under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA. This allows RPC access to the SAM over TCP/IP, which ADMT needs.

Administrative shares: the administrative shares (C$ and ADMIN$) must exist on the domain controller in the target domain on which you run ADMT, and on any computer to which an agent must be dispatched.

User rights: you must log on to the computer on which you run ADMT with an account that has the following permissions: Domain Administrator rights in the target domain; membership of the Administrators group in the source domain; Administrator rights on each computer that you migrate.

Administrator rights on each computer on which you translate security. You will have the appropriate rights if you log on to the PDC emulator (the FSMO role holder) in the target domain with the Source Domain\Administrator account, assuming that Source Domain\Domain Admins is a member of the Administrators group on each computer.

How to set up ADMT for a Windows 2000 to Windows Server 2003 migration: you can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer running Windows 2000 or later, that is Windows 2000 Professional, Windows 2000 Server, Windows XP Professional or Windows Server 2003. The computer on which you install ADMTv2 must be a member of either the source or the target domain.

Intraforest migration: intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that ADMT requests; for example, it must be able to delete accounts in the source domain and to create accounts in the target domain. Intraforest migration is a move operation, not a copy. These migrations are called destructive because, after the move, the migrated objects no longer exist in the source domain. Because the object is moved rather than copied, some actions that are optional in interforest migrations happen automatically: in particular, sIDHistory and the password are always migrated during an intraforest migration.


ADMT requires the following permissions to run properly: Administrator rights in the source domain; Administrator rights on each computer that you migrate; Administrator rights on each computer on which you translate security.

Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, some domain and security configuration is needed. Computer migration and security translation do not require any special domain configuration, but each computer you want to migrate must have the administrative shares C$ and ADMIN$. The account you use to run ADMT must have enough permission to complete the required tasks: it must be able to create computer accounts in the target domain and organizational unit, and it must be a member of the local Administrators group on each computer to be migrated.

User and group migration: you must configure the source domain to trust the target domain. Optionally, the target domain may also be configured to trust the source domain; this eases configuration but is not required to complete the ADMT migration.

Requirements for optional migration tasks: the following tasks can be completed automatically by running the User Migration Wizard in Test mode and selecting the "migrate sIDHistory" option. For that automatic configuration to succeed, the account you use to run ADMT must be an Administrator in both the source and the target domain. Otherwise, do them by hand: create a new local group in the source domain named %sourcedomain%$$$ (the NetBIOS name of the source domain followed by $$$); there must be no members in this group. Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers Policy.


Configure the source domain to allow RPC access to the SAM by setting the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport (DWORD) to 1 on the PDC emulator in the source domain. You must restart the PDC emulator after you make this change. Note: for Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the "Migrate sIDHistory" right can be delegated; see Windows Server 2003 Help and Support.

Password migration: you can turn on interforest password migration by installing a DLL that runs in the context of the LSA on a domain controller in the source domain (the Password Export Server). Because it runs inside that protected process, passwords are never exposed in cleartext outside the LSA. Installation of the DLL is protected by a secret key that ADMTv2 creates, and must be done by an administrator. To install the password migration DLL:

Step 1: log on as an administrator (or equivalent) to the computer on which ADMTv2 is installed.

Step 2: at a command prompt, run ADMT KEY sourcedomain path [* | password] to create the password export key file (.pes). Here sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but it can point to removable media such as a floppy disk, a ZIP drive or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with that password; if you type an asterisk (*), ADMT prompts for the password and does not echo it as you type. Protect the .pes file as you would a domain credential: it is what authorizes the export server to hand password data to ADMT.


Step 3: move the .pes file to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer running ADMT.

Step 4: install the Password Migration DLL on the Password Export Server by running Pwmig.exe. Pwmig.exe is in the I386\ADMT folder on the Windows Server 2003 installation media, or in the folder to which you downloaded ADMTv2. When prompted, specify the path to the .pes file created in step 2; this must be a local file path.

Step 5: after the installation completes, restart the server.

Step 6: when you are ready to migrate passwords, set the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport (DWORD) to 1 on the Password Export Server. For maximum security do not do this until you are ready to migrate, and set it back to 0 as soon as the password migration is finished.

The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD. ADMT provides an easy, secure and fast way to migrate to Active Directory (the first release targeted Windows 2000 Active Directory; v2 ships with Windows Server 2003). As a system administrator you can use the tool to diagnose possible problems before starting migration operations, then use the task-based wizards to migrate users, groups and computers, set correct file permissions and migrate Microsoft Exchange Server mailboxes. The reporting feature lets you assess the impact of the migration both before and after move operations, and in many cases the rollback features can automatically restore the previous structures if there is a problem. The tool also supports parallel domains, so you can keep your existing Windows NT 4.0 domains running while you deploy Active Directory. Note: for the original release, the source domain must run Windows NT 4.0 Service Pack 4 or later and the target domain must be a Windows 2000-based domain in native mode.

Version 2.0 of ADMT ships with Windows Server 2003 and adds many new features:
- scripting and a command-line interface
- password migration
- SID mapping files for security translation
- Windows 2000 attribute exclusion
- agent credentials
- migration log
- skip membership restoration

Questions on System State data backup?

Different types of DNS roles and zones?

What steps do you follow when promoting a server to an additional domain controller (ADC) in Windows 2003? Which two commands do you run before promoting the first Windows 2003 DC into an existing forest and domain (adprep /forestprep and adprep /domainprep)?

What is the authentication process? What is the role of the GC in the authentication process?

What happens if the DNS server fails? Can a user still log on if the DNS server fails (when you have only one DNS server)?
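The two ADMT set-up sections above (NT 4.0 and Windows 2000 sources) list the same preconditions: an empty <SourceDomain>$$$ group, TcpipClientSupport = 1 on the source PDC, AllowPasswordExport left at 0 until you migrate passwords, and C$/ADMIN$ reachable on every computer an agent is dispatched to. The following pre-flight check is an added example, not a script from the original guide or from ADMT. It runs from the computer that will run ADMT, is read-only, and assumes PowerShell 3.0 or later on that host, the Remote Registry service reachable on the source PDC, and an account that is an administrator in both domains; CORP, CORPDC1, WS01 and WS02 are hypothetical names.

```powershell
# Added example (not from the original guide): read-only pre-flight check for the
# ADMT prerequisites, run from the computer that will run ADMT.
# Assumes PowerShell 3.0+, Remote Registry reachable on the source PDC, and an
# account that is an administrator in both domains. Names are hypothetical.
function Test-AdmtPrerequisites {
    param(
        [Parameter(Mandatory = $true)] [string]   $SourceDomain,   # NetBIOS name of the source domain
        [Parameter(Mandatory = $true)] [string]   $SourcePdc,      # PDC (NT4) or PDC emulator (2000)
        [string[]] $Computers = @()                                # computers ADMT will dispatch agents to
    )
    $results = New-Object System.Collections.ArrayList
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        [void]$results.Add([PSCustomObject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The <SourceDomain>$$$ group must exist in the source domain and be empty.
    #    Built by concatenation because "$$" inside double quotes is an automatic variable.
    $groupName = $SourceDomain + '$$$'
    $groupPath = 'WinNT://' + $SourceDomain + '/' + $groupName + ',group'
    if ([adsi]::Exists($groupPath)) {
        $members = @(([adsi]$groupPath).Invoke('Members'))
        Add-Result "$groupName exists and is empty" ($members.Count -eq 0) "members: $($members.Count)"
    } else {
        Add-Result "$groupName exists and is empty" $false 'group not found in source domain'
    }

    # 2. TcpipClientSupport must be 1 on the source PDC so ADMT can reach the SAM over RPC.
    #    AllowPasswordExport (read here assuming the PDC is also the Password Export
    #    Server) should stay 0 until you actually migrate passwords.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SourcePdc)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $tcp  = $lsa.GetValue('TcpipClientSupport')
        $pes  = $lsa.GetValue('AllowPasswordExport')
        Add-Result 'TcpipClientSupport = 1 on source PDC' ($tcp -eq 1) "value: $tcp"
        Add-Result 'AllowPasswordExport still 0 (enable only while migrating)' ($pes -ne 1) "value: $pes"
    } catch {
        Add-Result 'Remote registry readable on source PDC' $false $_.Exception.Message
    }

    # 3. The administrative shares must be reachable on every computer to be migrated.
    foreach ($computer in $Computers) {
        foreach ($share in 'C$', 'ADMIN$') {
            $unc = '\\' + $computer + '\' + $share
            Add-Result "$unc reachable" (Test-Path -LiteralPath $unc) ''
        }
    }
    return $results.ToArray()
}

# Usage with hypothetical names; every row with Pass = False must be fixed before
# running the ADMT wizards.
Test-AdmtPrerequisites -SourceDomain 'CORP' -SourcePdc 'CORPDC1' -Computers 'WS01', 'WS02' |
    Format-Table -AutoSize
```

The script deliberately only reads: creating the $$$ group or flipping the LSA values is a one-time change you want to make knowingly, and AllowPasswordExport in particular should be turned on immediately before and off immediately after the password migration. The trust relationships and the audit settings are not checked here; verify those in Active Directory Domains and Trusts and in the Default Domain Controllers Policy.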
INNOVATIVE EFFORT BY PROF. Syed Munawwer For Knowledge Exploration

107

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

How do you promote a server to a domain controller (Windows 2003) over a slow WAN link? Take a System State backup from an existing DC, restore it to a folder on the server you are promoting, then run dcpromo /adv and choose to replicate from the restored backup files (install from media). Only the changes made since the backup then have to cross the WAN.

Working with Group Policy: this article deals with the mechanism of deploying and verifying GPO deployment. It does not deal with the GPO itself and the settings inside it (those are discussed in different articles). Group Policy is one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you:
- configure users' desktops
- configure local security on computers
- install applications
- run start-up/shut-down or logon/logoff scripts
- configure Internet Explorer settings
- redirect special folders
In fact, you can configure almost any aspect of computer behaviour with it. Although it is a powerful tool, working with it without proper attention can cause unexpected behaviour. Here are some basic terms you need to be familiar with before drilling down into Group Policy.

Local policy: the policy that configures the local computer or server, and is not inherited from the domain. You set local policy by running gpedit.msc from the Run command, or by adding the Group Policy Object Editor snap-in to an MMC console. Local policy also exists in an Active Directory environment, but it has far fewer configuration options than the full Group Policy in AD.

GPO, Group Policy Object: the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can link a GPO at the site level, the domain level or the OU level.

GPC, Group Policy Container: the Active Directory side of a GPO. The GPC is where the GPO stores its AD-related configuration (version, status, links). A GPO that is created is not effective until it is linked to an OU, a domain or a site. GPCs are replicated among the domain controllers of the domain through Active Directory replication.

GPT, Group Policy Template: the file-system side of a GPO, where the actual settings (registry.pol files, security settings, scripts and software-installation data) are stored. The GPT lives in the SYSVOL share on the DCs, under \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}, and is replicated between DCs by the File Replication Service (FRS), not by AD replication. Because a GPO has these two halves, the two replication mechanisms can get out of step; the version numbers in the GPC and the GPT should match.

Netlogon share: a share found only on domain controllers. It contains logon scripts and the .POL files used for policy on Windows NT/98 clients. The Netlogon share replicates among all DCs in the domain and is readable by Everyone, with Full Control for Domain Admins. Its real location is C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS. When a domain member computer boots it locates a DC and looks for the Netlogon share on it. To see which DC the computer used when it booted, go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.

GPO behaviour: Group Policy is processed in the following order:

Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO, and so on.

GPOs inherited from Active Directory are always stronger than local policy. A site policy is overridden by domain policy, and domain policy is overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger than the previous one. The rule is simple: the closer you get to the object being configured, the stronger the GPO. What does "stronger" mean? If you configure a GPO and link it to the Organization OU, and in it you allow printer installation, and then at the child Dallas OU you configure another GPO that does not allow printer installation, the Dallas GPO wins and the computers in it will not allow installation of printers. That example applies when different GPOs configure the same setting with opposite values. When you apply several GPOs at different levels and each GPO has its own settings, the settings from all GPOs are merged and inherited by the computers or users.

Group Policy sections: each GPO is built from two sections.

Computer configuration: contains the settings that configure the computer at startup, before anyone logs on.

User configuration: contains the settings that configure the user at logon. They apply to every user who logs on within the scope of the link, including administrators, unless security filtering narrows the GPO to particular groups.

Within these two sections you find more sub-folders.

Software Settings: for both computer and user, this is where software installation (assigning or publishing Windows Installer packages) is configured.

Windows Settings: scripts, security settings, folder redirection, Internet Explorer maintenance and similar settings that are applied by the operating system's own client-side extensions.

Administrative Templates: settings that configure the local registry of the machine (HKLM for computer settings, HKCU for user settings). You can add more options to Administrative Templates by right-clicking it and choosing Add/Remove Templates to load .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to Administrative Templates, and you can download .ADM files for the Microsoft operating systems.

Tools used to configure GPOs: you can configure GPOs with the following Microsoft tools (third-party tools exist but are discussed in a different article):
- Group Policy Object Editor snap-in in MMC, or gpedit.msc from the Run command
- Active Directory Users and Computers snap-in, or dsa.msc, to get the Group Policy tab on every OU and on the domain
- Active Directory Sites and Services, or dssite.msc, to get the Group Policy tab on a site
- Group Policy Management Console (GPMC), or gpmc.msc; this utility is NOT included in Windows Server 2003 and must be installed separately (it is a free download from Microsoft)
Note that if you want to use GPMC on Windows XP, you need Windows XP SP2. Installing it on computers without SP2 generates errors because of unsupported, newer .ADM files.


GPMC utility, creating a GPO: when you create a GPO it is stored in the Group Policy Objects container. After creation you link the GPO to the site, domain or OU you choose.

Linking a GPO: to link a GPO, right-click an OU and choose "Link an Existing GPO", or create and link a GPO at the same time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate site, domain or OU. When you right-click a link you can:

Edit a GPO: opens the GPO in the editor so you can configure settings.

Link/unlink a GPO (Link Enabled): lets you temporarily disable a link while you add settings to the GPO, or enable it later.

Enabling/disabling the computer or user half: a GPO has computer and user settings, but if you create a GPO that contains only computer settings you may want to disable the user settings in that GPO. This speeds up policy processing on the clients and can also be used for testing. To disable one half, select the GPO and go to the Details tab (GPO Status).

How do I know what settings are in a GPO? Before GPMC, an administrator who wanted to find out which of the hundreds of settings in a GPO were actually configured had to open each GPO and manually comb through every node of both sections. With GPMC, you simply select the GPO and go to the Settings tab, where a generated report shows the configured computer and user settings.

Block/enforce inheritance: you can block policy inheritance on an OU if you do not want the settings from GPOs linked higher up to configure your OU. To block inheritance, right-click the OU and choose "Block Inheritance". Blocking inheritance blocks all non-enforced GPOs linked above that OU. If you need one of the upper GPOs to configure all downstream OUs regardless of blocking, use the Enforced option on that link. Enforced is a powerful option and should be used sparingly; a typical legitimate use is a security baseline linked at the domain level that no OU administrator may override. Looking at the inheritance of a Computers OU, for instance, several GPOs from above are inherited into it; choosing "Block Inheritance" rejects all of them, but if the Default Domain Policy link is marked Enforced it still applies despite the block.

Link order: when more than one GPO is linked to the same OU, there can be a conflict when two or more GPOs configure the same setting with opposite values, for example GPO1 allows printer installation among other settings while GPO2 prevents printer installation. Because the two GPOs are at the same level, their link order decides, and the link order can be changed. The GPO with the lowest link order (1) is processed last and therefore has the highest precedence.
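The precedence rules from the last few paragraphs (site > domain > OU > child OU, Block Inheritance, Enforced links, link order) interact in ways that are easy to get wrong when reading GPMC by eye. The following model is an added example, not code from the original article or from GPMC: it replays a chain of containers in the order the Group Policy engine uses and reports the winning GPO for each setting. Container, GPO and setting names (contoso.com, Organization, Dallas, AllowPrinterInstall and so on) are hypothetical, and local policy, which is processed first and overridden by everything else, is left out of the model. Assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original article): a model of GPO link precedence
# (LSDOU order, link order, Block Inheritance, Enforced). Names are hypothetical.
function Resolve-GpoPrecedence {
    param(
        # Containers ordered root first: site, domain, OU, child OU ... target.
        # Each has Name, BlockInheritance and Links; each link has Name,
        # LinkOrder (1 = highest precedence), Enforced, Enabled and Settings.
        [Parameter(Mandatory = $true)] [object[]] $Containers
    )
    # Block Inheritance on a container drops every NON-enforced link from the
    # containers above it; only the deepest block matters.
    $lastBlock = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $lastBlock = $i }
    }
    # Within one container, links are processed from the highest link-order
    # number down to 1, so link order 1 is applied last and wins ties.
    $linksOf = { param($c) $c.Links | Where-Object { $_.Enabled -ne $false } | Sort-Object LinkOrder -Descending }

    $order = @()
    # Pass 1: non-enforced links, root to leaf (Site, Domain, OU, child OU ...).
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($i -lt $lastBlock) { continue }            # blocked by a deeper container
        foreach ($link in (& $linksOf $Containers[$i])) {
            if (-not $link.Enforced) {
                $order += [PSCustomObject]@{ Container = $Containers[$i].Name; Link = $link }
            }
        }
    }
    # Pass 2: enforced links, leaf to root. They ignore Block Inheritance, and an
    # enforced link on a parent beats an enforced link on a child.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        foreach ($link in (& $linksOf $Containers[$i])) {
            if ($link.Enforced) {
                $order += [PSCustomObject]@{ Container = $Containers[$i].Name; Link = $link }
            }
        }
    }
    # Replay the settings in that order; the last writer of a setting wins.
    $effective = @{}
    foreach ($entry in $order) {
        foreach ($setting in $entry.Link.Settings.Keys) {
            $effective[$setting] = [PSCustomObject]@{
                Setting    = $setting
                Value      = $entry.Link.Settings[$setting]
                WinningGpo = "$($entry.Container)/$($entry.Link.Name)"
            }
        }
    }
    [PSCustomObject]@{
        ProcessingOrder = @($order | ForEach-Object { "$($_.Container)/$($_.Link.Name)" })
        Effective       = @($effective.Values | Sort-Object Setting)
    }
}

function New-Link($Name, $LinkOrder, $Settings, [switch] $Enforced) {
    [PSCustomObject]@{ Name = $Name; LinkOrder = $LinkOrder; Enforced = [bool]$Enforced; Enabled = $true; Settings = $Settings }
}

# Hypothetical chain: domain > Organization OU > Dallas OU (which blocks inheritance).
$chain = @(
    [PSCustomObject]@{ Name = 'contoso.com'; BlockInheritance = $false; Links = @(
        (New-Link 'Default Domain Policy' 1 @{ DisableCmd = 'Enabled' } -Enforced),
        (New-Link 'Baseline' 2 @{ ScreenSaverTimeout = 900; AllowPrinterInstall = 'Allowed' })
    ) }
    [PSCustomObject]@{ Name = 'OU=Organization'; BlockInheritance = $false; Links = @(
        (New-Link 'Org-Printers' 1 @{ AllowPrinterInstall = 'Allowed' })
    ) }
    [PSCustomObject]@{ Name = 'OU=Dallas'; BlockInheritance = $true; Links = @(
        (New-Link 'Dallas-NoPrinters' 1 @{ AllowPrinterInstall = 'Denied'; DisableCmd = 'Disabled' }),
        (New-Link 'Dallas-Screensaver' 2 @{ ScreenSaverTimeout = 600; AllowPrinterInstall = 'Allowed' })
    ) }
)

$rsop = Resolve-GpoPrecedence -Containers $chain
$rsop.ProcessingOrder
$rsop.Effective | Format-Table -AutoSize
```

In the sample chain the Block Inheritance on the Dallas OU removes Baseline and Org-Printers, so neither contributes anything; within Dallas the link with link order 1 (Dallas-NoPrinters) is processed after link order 2 and wins AllowPrinterInstall; and the enforced Default Domain Policy is processed last of all, so it wins DisableCmd even though Dallas set the opposite value and blocked inheritance. Compare the output against the Group Policy Inheritance tab in GPMC before changing link order or Enforced on a production OU.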


Security filtering: filtering lets you choose the users, groups or computers to which the GPO applies. If you link a GPO to the Computers OU but only want it to configure Windows XP workstations and not Windows 2000 workstations, you can create a group containing the Windows XP computers and apply the GPO only to that group. This saves you from building a complicated OU tree with one OU per type of computer. A user, group or computer that you add to the security filtering list gets the "Read" and "Apply Group Policy" permissions on the GPO by default, and by default a new GPO lists "Authenticated Users" there, which includes every domain user and every domain computer account. For example, if a GPO that installs Office 2003 is filtered to two computer groups, Office is installed only on the members of those groups; if Authenticated Users had been left in place, the installation could follow the user to any computer he logs on to, including servers. Filtering narrows the scope. If you need finer control over these permissions, go to the Delegation tab; the Advanced button there lets you edit the ACL of the GPO directly, for example to add a Deny "Apply Group Policy" entry for one group. Note that security filtering only decides whether the GPO applies at all; it does not change the precedence rules described above.

How the GPO is updated on the computers: a GPO inherited from AD is refreshed on the computers in several ways:
- at logon (for the user settings in the GPO)
- at computer restart (for the computer settings in the GPO)
- periodically, when the computers query their DC for updates: every 90 minutes plus a random offset of up to 30 minutes on clients and member servers, every 5 minutes on domain controllers


- manually, with the gpupdate command; add the /force switch to reapply all settings, not only the ones that changed since the last refresh
Note: Windows 2000 does not support gpupdate, so you run secedit instead: secedit /refreshpolicy machine_policy for computer settings and secedit /refreshpolicy user_policy for user settings. Both accept the /enforce switch, which is similar to /force in gpupdate. If a configuration change requires a logoff or a restart, a message appears; you can trigger those from gpupdate with the /logoff and /boot switches.

How to check that the GPO was deployed: to be sure that a GPO was deployed correctly you can use several methods. The term for the result is RSoP, Resultant Set of Policy.

gpresult at the command prompt: the default result is for the user logged on to that machine; you can also ask for the results for other users on that machine. The /v or /z switches give very detailed information: you can see which GPOs were applied, which were filtered out and the reason they were not deployed.

Resultant Set of Policy snap-in in MMC: the snap-in has two modes.

Logging mode: shows the real settings that were deployed on the machine.


Planning mode: shows what the results would be for a chosen combination of user, computer, site and security group membership. This option is less convenient because you have to browse the RSoP tree to find each setting.

Group Policy Results in GPMC: the most comfortable option, which lets you check the RSoP data of any computer or user from a central location. It also displays a summary and the detailed RSoP data as an HTML report. The summary shows the applied and the non-applied GPOs for both computer and user settings, and the Settings tab shows which settings were applied to the computer and which "Winning GPO" actually configured the computer with each particular setting.
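The gpresult output described above is plain text, which makes it awkward to check many machines or to keep a record of which GPOs were filtered out and why. The parser below is an added example, not part of the original article or of gpresult: it turns the "Applied Group Policy Objects" and "The following GPOs were not applied because they were filtered out" sections of gpresult's text output into objects. The $sample text is constructed for this example in the layout gpresult prints, not captured from a real domain, and the GPO names in it are hypothetical. Assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original article): parse gpresult's text output into
# objects listing applied and filtered GPOs with the filtering reason.
function ConvertFrom-GpResultText {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    $results = New-Object System.Collections.ArrayList
    $scope = $null; $section = $null; $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        switch -Regex ($line) {
            '^COMPUTER SETTINGS'                   { $scope = 'Computer'; $section = $null }
            '^USER SETTINGS'                       { $scope = 'User';     $section = $null }
            '^Applied Group Policy Objects'        { $section = 'Applied' }
            '^The following GPOs were not applied' { $section = 'Filtered' }
            '^The (computer|user) is a part of'    { $section = $null }   # end of the GPO lists
            '^-+$'                                 { }                    # underline below a heading
            '^$'                                   { }                    # blank separator
            '^Filtering:\s*(.+)$' {                                       # reason line under a filtered GPO
                if ($current -ne $null) { $current.Reason = $Matches[1].Trim() }
            }
            default {
                if ($section -eq 'Applied') {
                    [void]$results.Add([PSCustomObject]@{ Scope = $scope; Gpo = $line; Status = 'Applied'; Reason = '' })
                } elseif ($section -eq 'Filtered') {
                    $current = [PSCustomObject]@{ Scope = $scope; Gpo = $line; Status = 'Filtered'; Reason = '' }
                    [void]$results.Add($current)
                }
            }
        }
    }
    return $results.ToArray()
}

# Constructed sample in the layout gpresult prints; not real output, names hypothetical.
$sample = @'
COMPUTER SETTINGS
------------------
    CN=WS01,OU=Dallas,OU=Organization,DC=contoso,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Dallas-NoPrinters

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Org-Printers
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    ---------------------------------------------------------
        BUILTIN\Administrators
'@ -split "`r?`n"

ConvertFrom-GpResultText -Lines $sample | Format-Table -AutoSize

# On a live machine (Windows XP/2003 or later) feed it the real output instead:
# ConvertFrom-GpResultText -Lines (gpresult /scope computer /v)
```

A "Denied (Security)" reason is the security-filtering case from the section above: the computer or user is not in a group that holds Read and Apply Group Policy on that GPO. "Not Applied (Empty)" simply means the GPO has no settings in that half. Because the parser keys on the English headings, run it with the system locale gpresult was executed under.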


Windows Server 2003 interview and certification questions:

How do you double-boot a Windows 2003 server box? The Boot.ini file is set as read-only, system and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel, Advanced tab, Startup and Recovery.

What do you do if an earlier application does not run on Windows Server 2003? When an application that ran on an earlier, legacy version of Windows cannot be loaded during setup, or malfunctions later, run it in compatibility mode: right-click the application or setup program, select Properties > Compatibility, and select the previously supported operating system.

If you uninstall Windows Server 2003, which operating systems can you revert to? Windows ME, Windows 98, 2000 and XP. Note, however, that you cannot upgrade from ME or 98 to Windows Server 2003.

How do you get to the Internet firewall settings? Start > Control Panel > Network and Internet Connections > Network Connections.

What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with the Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all windows. Winkey + SHIFT + M undoes the minimization. Winkey + R opens the Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.

What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of Active Directory is that everything is considered an object: people, servers, workstations, printers, documents and devices. Each object has certain attributes and its own access control list (ACL).

Where are the Windows NT Primary Domain Controller (PDC) and Backup Domain Controller (BDC) in Server 2003? Active Directory replaces them. All domain controllers now share a multi-master, peer-to-peer read and write relationship, and each hosts a writable copy of the Active Directory.

How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately (urgent replication). These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords and modifications to the Local Security Authority (LSA).

What's new in Windows Server 2003 regarding DNS management? When a DC is promoted into an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicates the required portions of the directory from it. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies that the DNS infrastructure is configured properly; all DNS configuration debugging and reporting is done by the wizard.

When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures: while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Replication Monitor (optional, from the Support Tools) and the Active Directory Schema snap-in (optional; register schmmgmt.dll, installed with adminpak).

What types of classes exist in Windows Server 2003 Active Directory?

Structural class: the structural class is important to the system administrator because it is the only type from which new Active Directory objects are created. Structural classes are developed either by modifying an existing structural type or from one or more abstract classes.

Abstract class: abstract classes are so named because they take the form of templates that create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for defining objects.

Auxiliary class: an auxiliary class is a list of attributes. Rather than applying numerous attributes one by one when creating a structural class, it provides a streamlined alternative: a combination of attributes is applied with a single include action.

88 class: the 88 class includes object classes defined before 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract and auxiliary definitions, and it is not in common use for the development of objects in Windows Server 2003 environments.

How do you delete a lingering object? Windows Server 2003 provides the Repadmin command, whose /removelingeringobjects option deletes lingering objects from Active Directory.

What is the Global Catalog? The Global Catalog (GC) holds a partial replica of every object in the forest. It is used during logon (to resolve universal group membership and user principal names) and to answer queries about objects anywhere in the forest or tree. A GC is hosted on a domain controller; the first DC in a forest is always a GC, and Windows 2000 deployments typically placed one GC in every site to prevent user logon failures when the WAN link was down.


How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user accounts security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different. What do you do with secure sign-ons in an organization with many roaming users? Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates. Anything special you should do when adding a user that has a Mac? "Save password as encrypted clear text" must be selected on User Properties Account Tab Options, since the Macs only store their passwords that way. What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback. Where are the documents and settings for the roaming profile stored?

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

121

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is. Where are the settings for all the users stored on a given machine? \Document and Settings\All Users What languages can you use for log-on scripts? JavaScipt, VBScript, DOS batch files (.com, .bat, or even .exe) Responses to Windows Server 2003 interview and certification questions How can you authenticate between forests? Windows 2000 always uses NTLM for authentication between forests; 2003 will use Kerberos if and only if dns is used while setting up the domains. If the NetBIOS name is uses; NTLM is used for 2003. Windows Server 2003 interview and certification questions? How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup. What do you do if earlier application doesnt run on Windows Server 2003? When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

122

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties > Compatibility > selecting the previously supported operating system. If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003. How do you get to Internet Firewall settings? Start > Control Panel > Network and Internet Connections > Network Connections. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer. What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an objectpeople, servers, workstations, printers, documents, and

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

123

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

devices. Each object has certain attributes and its own security access control list (ACL). Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory. How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA). Whats new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard. When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

124

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the users home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials. What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak) Anything special you should do when adding a user that has a Mac? "Save password as encrypted clear text" must be selected on User Properties Account Describe how the DHCP lease is obtained. Its a four-step process consisting of (a) IP request, (b) IP offer, IP selection and (d) acknowledgement. I cant seem to access the Internet, dont have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened? The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

We've installed a new Windows-based DHCP server, however, the users do not seem to be getting DHCP leases off of it.
The server must be authorized first with the Active Directory.

How can you force the client to give up the DHCP lease if you have access to the client PC?
ipconfig /release

What authentication options do Windows 2000 Servers have for remote clients?
PAP, SPAP, CHAP, MS-CHAP and EAP.

What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP?
NWLink (Novell), NetBEUI, AppleTalk (Apple).

What is the data link layer in the OSI reference model responsible for?
The data link layer is located above the physical layer, but below the network layer. It takes raw data bits and packages them into frames. The network layer will be responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.

What is binding order?
The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.

How do cryptography-based keys ensure the validity of data transferred across the network?
Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting ends, the data was modified or corrupted.

Should we deploy IPSEC-based security or certificate-based security?
They are really two different technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets. Certificate-based security ensures the validity of authenticated clients and servers.

What is the LMHOSTS file?
It's a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.

What's the difference between forward lookup and reverse lookup in DNS?
Forward lookup is name-to-address, reverse lookup is address-to-name.

How can you recover a file encrypted using EFS?
Use the domain recovery agent.

These questions were sent in from IBM. They discuss various telecom and networking topics.

OSPF:
Describe OSPF in your own words.
OSPF areas, the purpose of having each of them
Types of OSPF LSA, the purpose of each LSA type
What exact LSA type you can see in different areas
How OSPF establishes neighbor relations, what the stages are
If an OSPF router is stuck in a stage, what the problem is and how to troubleshoot it

OSPF hierarchy in single or multiple areas.
OSPF behavior in broadcast and nonbroadcast
Draw the diagram of a typical OSPF network and explain generally how it works: DR, BDR, election, ASBR, ABR, route redistribution and summarization

STP:
How it works and the purpose
Different types (SSTP, MSTP, RSTP)
Cisco - PVST/PVST+
Root election
Different port stages and timing for convergence
Draw the typical diagram and explain how different types of STP work
What ports are blocking or forwarding
How it works if there are topology changes

ACLs:
What are they
Different types
Write an example if you want to allow and to deny
Well-known port numbers (DNS - 53 and etc)

QoS:
What is that
What is the difference between L2 and L3 QoS
How it works

Network:
Draw the typical network diagram you have to deal with
Explain how it works
What part of it you are responsible for
Firewall: what is that, how it works, how it is different from ACLs
What problems with the network you have had and how you solved them
What are the ways to troubleshoot the network: techniques, commands
Network security, ways to achieve it

Switching:
VLANs
STP
How a L2 switch works with broadcast, unicast, multicast, known/unknown traffic
VRRP, GLBP
Port monitoring and mirroring
L3 switch, how it works
PIM sparse and dense modes

What is a default gateway?
The exit point from one network and entry way into another network, often the router of the network.

How do you set a default route on an IOS Cisco router?
ip route 0.0.0.0 0.0.0.0 x.x.x.x [where x.x.x.x represents the destination address]

What is the difference between a domain local group and a global group?
Domain local groups grant permissions to objects within the domain in which they reside. Global groups grant permissions tree- or forest-wide for any objects within the Active Directory.

What is LDAP used for?
LDAP is a set of protocols used for providing access to information directories.

What tool have you used to create and analyze packet captures?
Network Monitor in Win2K / Win2K3, Ethereal in Linux, OptiView Series II (by Fluke Networks).

How does HSRP work?

What is the significance of the IP address 255.255.255.255?
The limited broadcast address is utilized when an IP node must perform a one-to-everyone delivery on the local network but the network ID is unknown.

Windows sysadmin interview questions:

What are the required components of Windows Server 2003 for installing Exchange 2003?
ASP.NET, SMTP, NNTP, W3SVC

What must be done to an AD forest before Exchange can be deployed?
Setup /forestprep
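The default route and the limited broadcast address answered above, shown as a longest-prefix routing lookup. This is an added example with a constructed routing table, not code from the book; the prefixes, next-hop addresses and metrics are made up.

```python
"""Longest-prefix routing lookup with a default route (added example, not from the book).

The book gives `ip route 0.0.0.0 0.0.0.0 x.x.x.x` as the IOS default route and
defines 255.255.255.255 as the limited broadcast address.  This constructed
routing table shows why 0.0.0.0/0 matches every destination but is only used
when no more specific prefix matches, and why a limited broadcast is never
handed to a next hop.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, next hop, metric).  The addresses are
# made up and stand in for the book's x.x.x.x next hop.
ROUTING_TABLE: List[Tuple[str, Optional[str], int]] = [
    ("0.0.0.0/0", "203.0.113.1", 1),      # default route: candidate of last resort
    ("10.0.0.0/8", "10.0.0.1", 10),
    ("10.1.0.0/16", "10.1.0.1", 10),
    ("10.1.5.0/24", None, 0),             # directly connected subnet (no next hop)
]

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def lookup(destination: str, table=ROUTING_TABLE) -> Optional[Tuple[str, Optional[str]]]:
    """Return (matching prefix, next hop) for destination, or None if no route.

    Longest-prefix match: among all prefixes containing the destination, the
    one with the most network bits wins; ties are broken by the lowest metric.
    255.255.255.255 is local-only and is never routed, so it is reported with
    the pseudo prefix "limited-broadcast" and no next hop.
    """
    dest = ipaddress.IPv4Address(destination)
    if dest == LIMITED_BROADCAST:
        return ("limited-broadcast", None)
    best = None
    for prefix, next_hop, metric in table:
        net = ipaddress.IPv4Network(prefix)
        if dest in net:
            key = (net.prefixlen, -metric)        # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, prefix, next_hop)
    return None if best is None else (best[1], best[2])


def would_use_default_route(destination: str, table=ROUTING_TABLE) -> bool:
    """True when only the 0.0.0.0/0 entry covers the destination."""
    result = lookup(destination, table)
    return result is not None and result[0] == "0.0.0.0/0"


if __name__ == "__main__":
    for d in ("10.1.5.7", "10.1.9.9", "10.2.3.4", "8.8.8.8", "255.255.255.255"):
        print(d, "->", lookup(d))
```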

What Exchange process is responsible for communication with AD?
DSACCESS

What 3 types of domain controller does Exchange access?
Normal Domain Controller, Global Catalog, Configuration Domain Controller

What connector type would you use to connect to the Internet, and what are the two methods of sending mail over that connector?
SMTP Connector: forward to smart host or use DNS to route to each address

How would you optimise Exchange 2003 memory usage on a Windows Server 2003 server with more than 1Gb of memory?
Add the /3Gb switch to boot.ini

What would a rise in remote queue length generally indicate?
This means mail is not being sent to other servers. This can be explained by outages or performance issues with the network or remote servers.

What would a rise in the Local Delivery queue generally mean?
This indicates a performance issue or outage on the local server. Reasons could be slowness in consulting AD, slowness in handing messages off to local delivery or SMTP delivery. It could also be databases being dismounted or a lack of disk space.

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP - 25, POP3 - 110, IMAP4 - 143, RPC - 135, LDAP - 389, Global Catalog - 3268

Name the process names for the following: System Attendant, Information Store, SMTP/POP/IMAP/OWA?
System Attendant - MAD.EXE, Information Store - STORE.EXE, SMTP/POP/IMAP/OWA - INETINFO.EXE

What is the maximum amount of databases that can be hosted on Exchange 2003 Enterprise?
20 databases. 4 SGs x 5 DBs.

What are the disadvantages of circular logging?
In the event of a corrupt database, data can only be restored to the last backup.

Windows sysadmin interview questions

What is Active Directory schema?
What are the domain functional levels in Windows Server 2003?
What are the forest functional levels in Windows Server 2003?
What is a global catalog server?
How can we raise the domain functional & forest functional level in Windows Server 2003?
Which is the default protocol used in directory services?
What is IPv6?
What is the default domain functional level in Windows Server 2003?
What are the physical & logical components of ADS?
In which domain functional level can we rename a domain name?
What is multimaster replication?
What is a site?

Which is the command used to remove Active Directory from a domain controller?
How can we create a console which contains the schema?
What is trust?
What is the file that's responsible for keeping the whole Active Directory database?

Network developer interview questions:

How does the TCP handshake work?
How does the SSL handshake work?
What is the difference between passive FTP and active FTP?
What is the difference between socket and session?
How does a network management station work?
What are the different phases in VPN establishment?
How does DH (Diffie-Hellman) work?
What is TCP window sizing?
What is MTU?

Some PC and networking questions:

Workers cannot print from the printer; their user logons are correct and they are allowed to print from that printer in Active Directory. How would you resolve this issue?
What is the difference between hub and switch?

Your hard drive is partitioned as follows: 8 gigs for OS drive C, 8 gigs for hot swappable drive D and the rest is free as drive E. Your drive C crashes; how would you reboot your system without installing a new operating system?
Your computer gives you a non-disk error before you log on. What would you do to make your computer work?

Network engineer interview questions:

User(s) are complaining of delays when using the network. What would you do?
What are some of the problems associated with operating a switched LAN?
Name some of the ways of combining TCP/IP traffic and SNA traffic over the same link.
What sort of cabling is suitable for Fast Ethernet protocols?
What is a Class D IP address?
Why do I sometimes lose a server's address when using more than one server?
What is a firewall?
How do I monitor the activity of sockets?
How would I put my socket in non-blocking mode?
What are RAW sockets?
What is the role of the TCP protocol and the IP protocol?
What is UDP?
How can I make my server a daemon?
How should I choose a port number for my server?

Layers in TCP/IP
How can I be sure that a UDP message is received?
How to get the IP header of a UDP message
Writing UDP/SOCK_DGRAM applications
How many bytes in an IPX network address?
What is the difference between MUTEX and Semaphore?
What is priority inversion?
Different solutions to the dining philosophers problem.
What is a message queue?
Questions on shared memory.
What is DHCP?
Working of ping, telnet, gopher.
Can I connect two computers to the internet using the same line?

Network developer interview questions:

What ports does FTP traffic travel over?
What ports does mail traffic utilize?
What ports do HTTP and HTTPS use?
Why is NTP required in an NFS network?
Name some common malware on the server side
What is CPAN? How do you access it?

What is PEAR?
What advantages does mod_perl have over a Perl CGI?
What is required to do SSL in Apache 1.x?
What is Tcl?
What is a servlet engine/container?
What is BIND?
Name the steps to set up a slave zone in BIND
Name the steps to set up a primary zone in BIND
What commands would you use under Solaris or Linux to modify/view an LDAP tree?

Security interview questions for network admin:

What is a firewall?
Describe, generally, how to manage a firewall
What is a Denial of Service attack?
What is a spoofed packet?
What is a SYN Flood?
What do you do if you are a victim of a DoS?
What is GPG/PGP?
What is SSH?
What is SSL?
How do you create certificates?

What would you do if you discovered a UNIX or network device on your network has been compromised?
What would you do if you discovered a Windows system on your network has been compromised?
What is DNS hijacking?
What is a log host?
What is IDS or IDP, and can you give me an example of one?
Why are proxy servers useful?
What is web caching?
What is the difference between layer 2 and layer 3 in the OSI model?
What is the difference between a hub, switch, and router?
What is a VLAN?
What is the difference between TCP and UDP?
How do you distinguish a DNS problem from a network problem?
What is a runt, giant, and collision?
What is a broadcast storm?
What is the purpose of VRRP?
What is a VPN?
What information about a peer would I need to establish a VPN?
What is a full class C in CIDR notation?
What is a default route?

What is a metric?

Questions only on Active Directory Services


What is Active Directory?
AD is the directory service in a Windows 2000 network. AD is a hierarchical database. A directory service stores information about network resources and makes the resources accessible to users and computers. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered AD objects.

What is LDAP?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:

Distinguished names
Relative Distinguished names

A Distinguished name gives the complete path of the object, e.g. CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com
A Relative Distinguished name is the portion of the distinguished name that uniquely identifies the object, e.g. CN=Sanjo Thomas OR OU=India
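A small parser for the LDAP naming paths described above, added here as an example (it is not code from the book). It takes the book's DN apart into its RDNs, returns the leaf RDN and derives the DNS domain name from the DC components; the handling of an escaped comma inside a value and the function names are this example's own additions.

```python
"""Parsing LDAP distinguished names (added example, not from the book).

Splits a DN such as CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com into its
relative distinguished names (RDNs), returns the leaf RDN that identifies the
object, and derives the DNS domain name from the DC components.  Handles the
RFC 4514 escape of a comma inside a value (e.g. CN=Thomas\\, Sanjo), which a
naive split(",") would break.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] ordered from leaf to root.

    A comma preceded by a backslash is part of the value, not a separator;
    the backslash itself is removed from the returned value.
    """
    rdns: List[Tuple[str, str]] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_parse_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    if current or rdns:
        rdns.append(_parse_rdn("".join(current)))
    return rdns


def _parse_rdn(text: str) -> Tuple[str, str]:
    """Split one 'ATTR=value' component; attribute names are case-insensitive."""
    if "=" not in text:
        raise ValueError(f"malformed RDN: {text!r}")
    attr, value = text.split("=", 1)
    attr, value = attr.strip(), value.strip()
    if not attr or not value:
        raise ValueError(f"malformed RDN: {text!r}")
    return attr.upper(), value


def relative_dn(dn: str) -> str:
    """The leaf RDN, e.g. 'CN=Sanjo Thomas' for the book's example DN."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (the DN minus its leaf RDN)."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components, in order, into the domain's DNS name."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


if __name__ == "__main__":
    dn = "CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com"
    print(relative_dn(dn), "|", parent_dn(dn), "|", dns_domain(dn))
```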

Introducing domain trees and forests


TREES

A tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain. The name of the child domain is combined with its parent domain to form its DNS name. Every child domain has a two-way, transitive trust relationship with its parent domain. Because these trust relationships are two-way and transitive, a Windows 2000 domain newly created in a domain tree or forest immediately has trust relationships established with every other Windows 2000 domain in the domain tree or forest. These trust relationships allow a single logon process to authenticate a user on all domains in the domain tree or forest. This does not necessarily mean that the authenticated user has rights and permissions in all domains in the domain tree. Because a domain is a security boundary, rights and permissions must be assigned on a per-domain basis.

FORESTS

A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC. The forest root domain is the first domain created in the forest. The root domains of all domain trees in the forest establish transitive trust relationships with the forest root domain. This is necessary for the purposes of establishing trust across all the domain trees in the forest. All of the Windows 2000 domains in all of the domain trees in a forest share the following traits:

Transitive trust relationships between the domains
Transitive trust relationships between the domain trees

A common schema
Common configuration information
A common global catalog

Using both domain trees and forests provides you with the flexibility of both contiguous and noncontiguous naming conventions. This can be useful in, for example, companies with independent divisions that must each maintain their own DNS names.

Explain the role of the Global Catalog Server in a domain?
By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest. The global catalog performs two key directory roles:

It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated.
It enables finding directory information in the entire forest regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer. If a user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available. The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. You can optionally configure any domain controller to host a global catalog, based on your organization's requirements for servicing logon requests and search queries. After additional domain controllers are installed in the domain, you can change the default location of the global catalog to another domain controller using Active Directory Sites and Services.

GC and infrastructure master should not be on the same server. Why?
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important: If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

Explain Active Directory schema?
The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata. Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency. Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class. Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion. The structure and content of the schema is controlled by the domain controller that holds the schema operations master role. A copy of the schema is replicated to all domain controllers in the forest. The use of this common schema ensures data integrity and consistency throughout the forest.

Explain Sites. What are the advantages of Sites?
A site consists of one or more IP subnets connected by a high speed link. Wide area networks should employ multiple sites for efficiently handling servicing requests and reducing replication traffic. Sites map the physical structure of your network whereas domains generally map the logical structure of your organization. Active Directory Sites and Services allows you to specify site information. Active Directory uses this information to determine how best to use available network resources. This makes the following types of operations more efficient:

Service requests

INNOVATIVE EFFORT BY PROF. Syed Munawwer

For Knowledge Exploration

142

FUNDAMENTALS OF MCSE & CCNa FOR SYSTEM ADMINISTRATOR, SYSTEM ENGINEER & DESKTOP ENGINEER

When a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well-connected to the client makes handling the request more efficient.

Replication Site streamlines replication of directory information and reduces replication traffic Site membership is determined differently for domain controllers and clients. A client determines it is in when it is turned on, so its site location will often be dynamically updated. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site. Minimum Requirement for Installing AD Windows Server, Advanced Server, Datacenter Server Minimum Disk space of 200MB for AD and 50MB for log files NTFS partition TCP/IP Installed and Configured to use DNS Administrative privilege for creating a domain in existing network How will you verify whether the AD installation is proper? Verify SRV Resource Records After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using DNS MMC or nslookup command. Using MMC If the SRV records are registered, the following folders will be there in the domain folder in Forward Lookup Zone. msdes
_sites
_tcp
_udp

Using nslookup:

>nslookup
>ls -t SRV <domain>

If the SRV records were created properly, they are listed. Note that ls performs a zone transfer, so it works only when the DNS server allows zone transfers to your host. A query that needs no zone transfer is to set the record type and look up one name directly:

>set type=SRV
>_ldap._tcp.dc._msdcs.<domain>

Verifying SYSVOL

If the SYSVOL folder is not created properly, data stored in SYSVOL, such as logon scripts and Group Policy templates, will not be replicated between DCs. First verify that the following folder structure exists under %systemroot%\SYSVOL:

domain
staging
staging areas
sysvol

Then verify that the necessary shares were created:

>net share

It should show two shares, NETLOGON and SYSVOL.

Verifying the Database and Log Files

Make sure that the following files are present in %systemroot%\ntds (or in the database and log locations chosen during installation):

Ntds.dit (the directory database), Edb.* (transaction logs and checkpoint file), Res*.log (reserved log files)

Explain User and Computer naming in AD?

Active Directory domain names are usually the full DNS name of the domain. For backward compatibility, each domain also has a pre-Windows 2000 (NetBIOS) name.

USER ACCOUNTS

In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (the SAM account name) and a user principal name suffix. Active Directory suggests a pre-Windows 2000 user logon name using the first 20 bytes of the user logon name.

Each user account also has a user principal name (UPN), composed of the user logon name and the user principal name suffix joined by the @ sign. Do not add the @ sign to the user logon name or to the user principal name suffix; Active Directory adds it automatically when it creates the user principal name. A user principal name that contains more than one @ sign is invalid.

The second part of the user principal name, the user principal name suffix, identifies the domain in which the user account is located. The suffix can be the DNS name of the user's own domain, the DNS name of any domain in the forest, or an alternative name created by an administrator and used just for logon purposes. An alternative user principal name suffix does not need to be a valid DNS name. Using alternative domain names as the user principal name suffix can provide additional logon security (the logon name does not reveal the domain structure) and simplify the names used to log on to another domain in the forest.

For example, Sanjo is a user in sales.westcoast.microsoft.com, so the logon name would be sanjo@sales.westcoast.microsoft.com. Creating a user principal name suffix of "microsoft" would allow the same user to log on with the much simpler name sanjo@microsoft. You can add or remove user principal name suffixes using Active Directory Domains and Trusts.
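Before moving on to computer naming, here is a scripted form of the post-installation checks described above (SRV records, SYSVOL tree, the NETLOGON and SYSVOL shares, and the database and log files). It is an added example, not code from the original text. It is meant to run on the newly promoted domain controller; the domain name is read from the machine, and the database and log paths are read from the NTDS service parameters rather than assumed.

```powershell
# Added example, not part of the original text: scripted form of the
# post-installation checks (SRV records, SYSVOL tree, shares, database and
# log files). Run on the new domain controller.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$ok = $true

# 1. SRV records the DC registers through Netlogon. Resolve-DnsName queries
#    them directly, so this works even where zone transfers (nslookup ls) are
#    blocked. _gc._tcp would additionally be expected on a global catalog.
$srvNames = @(
    "_ldap._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.$domain",
    "_kerberos._udp.$domain",
    "_kpasswd._tcp.$domain"
)
foreach ($name in $srvNames) {
    $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' }
    if ($rr) {
        $targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        '{0,-40} -> {1}' -f $name, $targets
    } else {
        Write-Warning "No SRV record for $name (Netlogon has not registered, or DNS does not accept updates)"
        $ok = $false
    }
}

# 2. SYSVOL folder tree and the two shares that promotion creates.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($sub in 'domain', 'staging', 'staging areas', 'sysvol') {
    if (-not (Test-Path -LiteralPath (Join-Path $sysvol $sub))) {
        Write-Warning "Missing folder $sysvol\$sub"
        $ok = $false
    }
}
$shareNames = (Get-SmbShare).Name
foreach ($share in 'NETLOGON', 'SYSVOL') {
    if ($shareNames -notcontains $share) {
        Write-Warning "Share $share is not present (net share would not list it)"
        $ok = $false
    }
}

# 3. Directory database and transaction logs. The paths come from the NTDS
#    service parameters instead of assuming %systemroot%\ntds, because
#    promotion lets you place them elsewhere.
$ntds    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntds.'DSA Database file'
$logPath = $ntds.'Database log files path'
if (-not (Test-Path -LiteralPath $dbFile)) { Write-Warning "Database $dbFile not found"; $ok = $false }
if (-not (Get-ChildItem -Path $logPath -Filter 'edb*.log' -ErrorAction SilentlyContinue)) {
    Write-Warning "No edb*.log transaction logs in $logPath"
    $ok = $false
}
# Res1.log/Res2.log are the reserve logs on Windows 2000/2003; Windows Server 2008
# and later use edbres00001.jrs/edbres00002.jrs instead, so they are not checked here.

if ($ok) { 'All domain controller checks passed.' } else { 'One or more checks failed; see the warnings above.' }
```

The SRV check deliberately uses direct queries rather than nslookup's ls command, so it gives the same answer whether or not the DNS server allows zone transfers to the machine you run it from.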
COMPUTER ACCOUNTS

Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name and a service principal name. The computer name is used as the LDAP relative distinguished name. Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name; this can be changed at any time.

The primary DNS suffix defaults to the full DNS name of the domain to which the computer is joined. The DNS host name is built from the first 15 characters of the relative distinguished name plus the primary DNS suffix. The service principal name (SPN) is built from the DNS host name.

The service principal name is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the service principal name of the service to which it is trying to connect, which is why an SPN must be unique in the forest and must match the name the client actually uses.

It is possible for administrators to change the way the service principal name is created. This security modification allows a computer to use a primary DNS suffix that is different from the domain to which the computer is joined. The same modification also allows Active Directory to use more than the first 15 bytes of the relative distinguished name when constructing the service principal name.
Computers with these modified computer names will register their names in DNS correctly, but an additional procedure is required to enable correct registration of the DNS host name (dNSHostName) and service principal name (servicePrincipalName) attributes of the computer object in Active Directory.

To allow a computer to use a different DNS name:

1. In Active Directory Users and Computers, on the View menu, click Advanced Features.
2. Right-click the name of the domain, and then click Properties.
3. On the Security tab, click Add, click the Self group, click Add, and then click OK.
4. Click Advanced, click Self, and then click View/Edit.
5. On the Properties tab, in Apply onto, click Computer Objects.
6. Under Permissions, click Write dNSHostName, and then select the Allow check box.

By default SELF has only a validated write to these attributes: the domain controller checks that the value matches the computer's own name. By modifying the default security in this way, a computer joined to the selected domain that is operated by a malicious user may be able to advertise itself under a different name through the service principal name attribute, that is, register an SPN belonging to another host and so receive Kerberos service tickets intended for that host. Apply the change only where the non-default naming is genuinely required.

What are the FSMO roles and explain their functions?

Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
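An added example (not code from the original text) that audits whether the permission change described above is present. The default grant to SELF is a validated write, which appears in the ACL as the "Self" right with a validated-write GUID; the procedure adds an unrestricted Write property on dNSHostName for SELF on computer objects, and this script looks for that grant (and the equivalent one on servicePrincipalName) on the domain head. It is read-only and requires the ActiveDirectory module, which provides the AD: drive.

```powershell
# Added example, not part of the original text: find unrestricted SELF
# write permissions on dNSHostName / servicePrincipalName at the domain head.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

# Resolve the schema GUIDs of the two attributes and of the computer class
# from the schema itself rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$watched = @{}
foreach ($attr in 'dNSHostName', 'servicePrincipalName') {
    $watched[(Get-SchemaGuid $attr).ToString()] = $attr
}
$computerClass = Get-SchemaGuid 'computer'

$acl = Get-Acl -Path "AD:\$domainDN"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SELF') { continue }
    # Validated writes use the "Self" right and a validated-write GUID; only a
    # real WriteProperty on the attribute itself is the risky grant.
    if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) { continue }
    $attrName = $watched[$ace.ObjectType.ToString()]
    if (-not $attrName) { continue }
    [pscustomobject]@{
        Attribute   = $attrName
        AppliesTo   = if ($ace.InheritedObjectType -eq $computerClass) { 'Computer objects' } else { $ace.InheritedObjectType }
        Inheritance = $ace.InheritanceType
    }
}

if ($findings) {
    Write-Warning 'SELF may write computer naming attributes; a compromised member can register another host''s SPN and receive its Kerberos service tickets:'
    $findings | Format-Table -AutoSize
} else {
    'No unrestricted SELF write on dNSHostName/servicePrincipalName at the domain head.'
}
```

The check distinguishes the two grants by right type on purpose: the validated write that every computer has by default is not a finding, whereas a Write property entry inherited to computer objects is exactly what the procedure creates.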

Schema Master

The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master per forest. Because a schema change affects every domain and cannot be undone (schema objects can only be deactivated), membership of the Schema Admins group, which is required to make such changes, should be kept empty until a change is actually needed.

Domain Naming Master

The domain naming master is responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory. There is only one domain naming master per forest.

RID Master

The RID master is responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each Windows 2000 DC in a domain is allocated a pool of RIDs that it can assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. There is one RID master per domain.

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol: all Windows 2000-based computers within an enterprise must use a common time, because Kerberos rejects tickets whose timestamps differ from the server's clock by more than the permitted skew (five minutes by default). To ensure appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest is authoritative for the enterprise and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000 domain, the PDC emulator role holder retains the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- It acts as the primary domain controller for down-level (Windows NT 4.0) backup domain controllers and clients.

Note that the down-level functions of the PDC emulator role become unnecessary as down-level workstations, member servers and domain controllers are all upgraded to Windows 2000, in which case the following applies:

- Windows 2000 clients (workstations and member servers) and down-level clients that have installed the Directory Services Client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
- Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
- Windows 2000 clients (workstations and member servers) and down-level clients that have installed the Directory Services Client package use Active Directory to locate network resources. They do not require the Windows NT Browser service.

Infrastructure FSMO Role

When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference when the referenced object is moved or renamed.
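An added example, not code from the original text, that lists the five role holders and checks the infrastructure master against the global catalog rule set out in the note and the placement guidance that follow. It is read-only, needs the ActiveDirectory module and a reachable domain controller, and runs against the domain of the current session.

```powershell
# Added example, not part of the original text: enumerate FSMO holders and
# verify the infrastructure master / global catalog placement rule.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide, three exist once per domain.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) { '{0,-22} {1}' -f $r.Key, $r.Value }

# Placement check: the infrastructure master must not be a global catalog
# unless (a) the forest has only one domain or (b) every DC in this domain
# is a global catalog; in both cases there are no phantoms to update.
$dcs       = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$imIsGC    = ($dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }).IsGlobalCatalog
$allDcsGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$singleDom = @($forest.Domains).Count -eq 1

if ($imIsGC -and -not ($singleDom -or $allDcsGC)) {
    Write-Warning "Infrastructure master $($domain.InfrastructureMaster) is a global catalog in a multi-domain forest where not every DC is a GC; cross-domain references will not be updated. Move the role or remove the GC from that DC."
    # Transfer (not seize) the role with:
    # Move-ADDirectoryServerOperationMasterRole -Identity <non-GC DC> -OperationMasterRole InfrastructureMaster
} else {
    'Infrastructure master placement is consistent with the global catalog rule.'
}

# The forest-root PDC emulator should take time from an external source;
# run this on that DC to see its current in-bound time partner:
#   w32tm /query /source
```

The two exceptions are evaluated explicitly rather than assumed, because a forest that starts with one domain silently loses the exemption the day a second domain is added.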
NOTE: The infrastructure master (IM) role should be held by a domain controller that is not a global catalog server (GC). If the infrastructure master runs on a global catalog server, it stops updating object information because it never finds references to objects it does not hold: a global catalog server holds a partial replica of every object in the forest, so there are no phantom records for it to update. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect is logged in the Directory Service event log on that DC.

How will you place the FSMO roles?

Place the RID master and PDC emulator roles on the same domain controller. Good communication from the PDC emulator to the RID master is desirable, as down-level clients and applications target the PDC, making it a large consumer of RIDs.

As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. There are two exceptions to the "do not place the infrastructure master on a global catalog server" rule:

Single-domain forest: In a forest that contains a single Active Directory domain there are no phantoms, so the infrastructure master has no work to do. It may be placed on any domain controller in the domain.

Multi-domain forest where every domain controller holds the global catalog: If every domain controller in the domain also hosts the global catalog, there are no phantoms and no work for the infrastructure master to do. It may be placed on any domain controller in the domain.

At the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. Additionally, in Windows 2000 the domain naming master should also be a global catalog server, because it consults the global catalog to ensure that a new domain name is unique.

Configure DNS Dynamic Update in Windows 2000

The DNS service allows client computers to dynamically update their resource records in DNS, which simplifies DNS administration. You can use DDNS in conjunction with DHCP to update resource records when a computer's IP address changes.

How Windows 2000-Based Computers Update Their DNS Names

Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource records. All computers register records based on their full computer name. Dynamic updates can be sent for any of the following reasons or events:

- An IP address is added, removed or modified for any one of the installed network connections.
- An IP address lease changes or is renewed, for example when you use the ipconfig /renew command.

- You use the ipconfig /registerdns command to manually force a refresh of the client's name registration in DNS.
- At startup, when the computer is turned on.

When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends the update. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections on the system, including connections that are not configured to use DHCP.

Dynamic updates are sent or refreshed periodically. By default, Windows 2000 sends a refresh once every 24 hours. If the update occurs and there are no changes to the zone data, the zone remains at its current version and no changes are written.

NOTE: Names are not removed from DNS zones if they become inactive or are not updated within the refresh interval (24 hours). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied. Stale records can be cleaned up with the DNS server's aging and scavenging feature, which must be enabled explicitly.

When the DHCP Client service registers A and PTR resource records for a Windows 2000 computer, it uses a default caching Time-To-Live (TTL) of 15 minutes for host records. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response.

How to Allow Only Secure Dynamic Updates

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. In the Allow dynamic updates? box, click Only secure updates.

Secure dynamic update is supported only for Active Directory-integrated zones, because the update is authorized against the ACL on the record's object in the directory: only the computer (or DHCP server) that created a record can later change it. With nonsecure updates, any host on the network can overwrite another host's records.

How to Configure DNS Dynamic Update for DHCP Clients

By default, Windows 2000-based DHCP clients are configured to request that the client registers the A resource record and the server registers the PTR resource record. By default, the name used in the DNS registration is a concatenation of the computer name and the primary DNS suffix. To change this default name, open the TCP/IP properties of your network connection.

To change the dynamic update defaults on the dynamic update client:

1. Right-click the connection that you want to configure, and then click Properties.
2. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab.
3. By default, Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected. This default configuration causes the client to request that the client registers the A resource record and the server registers the PTR resource record. In this case, the name used in the DNS registration is a concatenation of the computer name and the primary DNS suffix of the computer.
4. Select the Use this connection's DNS suffix in DNS registration check box. If you select this check box, the client requests that the server updates the PTR record using the name that is a concatenation of the computer name and the connection-specific DNS suffix, in addition to the PTR record that uses the name that is a concatenation of the computer name and the primary DNS suffix.
5. To configure the client to make no requests for DNS registration, clear the Register this connection's address in DNS check box. If you clear this check box, the client does not attempt to register any A or PTR DNS records that correspond to this connection.

DNS Dynamic Update on Statically Configured and Remote Access Clients

Statically configured clients and remote access clients do not communicate with the DHCP server. Statically configured Windows 2000-based clients dynamically update their A and PTR resource records every time they start, in case the records have become corrupted in the DNS database. Remote access clients dynamically update A and PTR resource records when a dial-up connection is made. They also attempt to unregister the A and PTR resource records when the user closes the connection.

How to Configure DNS Dynamic Update on Multiple-Homed Clients

If a dynamic update client is multihomed (it has more than one adapter and associated IP address), it registers all of its IP addresses with DNS by default. If you do not want the client to register all of its IP addresses, you can configure it not to register one or more IP addresses in the network connection properties.

To prevent the computer from registering all its IP addresses:

1. Right-click My Network Places, and then click Properties.
2. Click the connection that you want to configure, and then click Properties.
3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab.

4. Clear the Register this connection's address in DNS check box.

You can also configure the computer to register a connection-specific domain name in DNS. For example, if you have a client that is connected to two different networks, you can configure the client to have a different domain name on each network.
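The server-side and client-side settings from the procedures above, as a script. This is an added example, not code from the original text. The server part needs the DnsServer module on a DNS server; the client part uses the DnsClient module present on Windows 8 / Windows Server 2012 and later. The interface alias 'Ethernet 2' is an assumption, and $Enforce is $false so the script only reports until you decide to apply the changes.

```powershell
# Added example, not part of the original text: report (and optionally
# enforce) secure-only dynamic updates on AD-integrated zones, and show the
# per-connection registration switches on a client.
$Enforce = $false

# --- DNS server: AD-integrated zones should accept only secure updates.
#     'NonsecureAndSecure' lets any host on the network overwrite another
#     host's A/PTR records with an unauthenticated update.
Import-Module DnsServer
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    $state = if ($z.IsDsIntegrated) { 'AD-integrated' } else { 'file-based (cannot do secure updates)' }
    '{0,-40} {1,-20} {2}' -f $z.ZoneName, $z.DynamicUpdate, $state
    if ($z.IsDsIntegrated -and $z.DynamicUpdate -ne 'Secure') {
        Write-Warning "$($z.ZoneName) accepts nonsecure dynamic updates"
        if ($Enforce) { Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure }
    }
}

# --- DNS client: the per-connection check boxes from the TCP/IP DNS tab.
#     RegisterThisConnectionsAddress = "Register this connection's address in DNS"
#     UseSuffixWhenRegistering       = "Use this connection's DNS suffix in DNS registration"
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

if ($Enforce) {
    # Stop a second adapter (e.g. a management or backup network) from publishing
    # its address, then re-register, which is what "ipconfig /registerdns" does.
    Set-DnsClient -InterfaceAlias 'Ethernet 2' -RegisterThisConnectionsAddress $false   # alias assumed
    Register-DnsClient
}
```

A file-based primary zone is reported but not changed: as the text says, it cannot do secure updates at all, so the fix there is to convert it to an Active Directory-integrated zone first.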

How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer

To configure DNS dynamic update on a Windows 2000 DNS client computer:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab.
5. To use DNS dynamic update to register both the IP addresses for this connection and the full computer name, select the Register this connection's addresses in DNS check box. This check box is selected by default.
6. To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box.
7. To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, select the Use this connection's DNS suffix in DNS registration check box. This check box is cleared by default.

How to Configure DNS Dynamic Update on a Windows 2000 DNS Server

To enable DNS dynamic update on a Windows 2000 DNS server:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
5. If the zone type is Primary, click Yes in the Allow dynamic updates? list. If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure. Use Only secure updates wherever the zone is Active Directory-integrated; a standard primary zone cannot restrict who sends updates.

How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server

To configure DNS dynamic update for a Windows 2000 DHCP server:

1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2. Click the appropriate DHCP server, or a scope on that server.
3. On the Action menu, click Properties.
4. Click the DNS tab.
5. To enable DNS dynamic update for DHCP clients that support it, select the Automatically update DHCP client information in DNS check box. This check box is selected by default.

6. To enable DNS dynamic update for DHCP clients that do not support it, select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.

How to Enable DNS Dynamic Updates on a DHCP Server

Windows 2000 DHCP and DNS servers support dynamic updates to a DNS server. Windows 2000 clients can dynamically update their forward lookup records themselves with the DNS server after they obtain a new IP address from a DHCP server. A Windows 2000 DHCP server can dynamically update the DNS records on behalf of pre-Windows 2000 clients that cannot do it for themselves. This feature works only with the Windows 2000 DHCP and DNS servers.

To enable a DHCP server to dynamically update the DNS records of its clients:

1. Select the scope or DHCP server on which you want to permit dynamic DNS updates.
2. On the Action menu, click Properties, and then click the DNS tab.
3. Select the Automatically Update DHCP Client Information In DNS check box.
4. To update a client's DNS records based on the type of DHCP request that the client makes, and only when it is requested, click Update DNS Only If DHCP Client Requests. To always update a client's forward and reverse lookup records, click Always Update DNS.
5. Select the Discard Forward Lookups When Leases Expire check box to have the DHCP server delete the host (A) resource record for a client when its DHCP lease expires and is not renewed.
6. Select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check box to enable the DHCP server to update the forward and reverse lookup records for clients that cannot update their own records. If you do not select this check box, the DHCP server does not automatically update the DNS records of non-Windows 2000 clients.

When the DHCP server registers records on behalf of clients in a secure zone, it becomes the owner of those records. Adding the DHCP server's computer account to the DnsUpdateProxy group lets the clients themselves take over those records later, but records created by a member of that group are not secured; for that reason do not run a DHCP server that is a member of DnsUpdateProxy on a domain controller.

Create and Configure a Site Link in Active Directory in Windows 2000

For a site link to become active there must be at least two sites in Active Directory. A site link object represents a set of sites that can communicate at uniform cost through an inter-site transport. For IP transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link that connects more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that connects several clusters of buildings on a large campus, or several offices in a large metropolitan area connected through leased lines and IP routers.

How to Create a Site Link

To create a new site link:

1. Open Active Directory Sites and Services.
2. Expand the Inter-Site Transports node, right-click IP (or SMTP if you want to use SMTP as the inter-site transport protocol), and then click New Site Link.
3. If you have only one site in Active Directory, you receive a message stating that two sites are required for the site link to work. Click OK to continue.

How to Create a DNS Entry for the Web Server

Create an alias (CNAME) record for the server on which you configured IIS. This ensures that external hosts can connect to your Web server by using the "www" host name.

1. Start the DNS snap-in.
2. Under DNS, expand Server1 (where Server1 is the host name of the DNS server).
3. Expand Forward Lookup Zones.
4. Under Forward Lookup Zones, right-click the zone that you want (for example, Microsoft.com), and then click New Alias.
5. In the Alias name box, type www.
6. In the Fully qualified name for target host box, type the fully qualified host name of the server on which IIS is installed. For example, type dns.microsoft.com, and then click OK.

Audit Active Directory Objects in Windows 2000

An audit entry in the Security log contains the following information:

- The action that was performed.
- The user who performed the action.
- The success or failure of the event and the time that the event occurred.

When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller that processed the operation. If a user tries to log on to the domain using a domain user account and the logon attempt fails, the event is recorded on the DC and not on the computer on which the logon attempt was made, because it is the domain controller that tried to authenticate the logon. Since each DC keeps its own Security log, you must check or collect the logs from all DCs when investigating.

How to Configure an Audit Policy Setting for a Domain Controller

Auditing is turned off by default. To audit all DCs, enable auditing through Group Policy on the Domain Controllers OU, so that every DC receives the same policy.

To configure an audit policy setting for a domain controller:

1. Start Active Directory Users and Computers.
2. Click Advanced Features on the View menu.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Service Access, and then click Security.
7. Click Define These Policy Settings, and then select one or both of the following check boxes:
   Success: audit successful attempts for the event category.
   Failure: audit failed attempts for the event category.
8. Right-click any other event category that you want to audit (for example, Audit Account Logon Events or Audit Account Management), and then click Security.
9. Click OK.

Enabling Audit Directory Service Access by itself produces no events: it only switches the category on. Events are generated only for objects whose system access control list (SACL) contains audit entries, which the next procedure configures.
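An added example, not code from the original text, giving the scripted equivalent of the domain controller audit policy above together with the per-object audit entry described in the next procedure, so that the two halves that must both be in place are visible together. It is meant to run as a domain administrator on a domain controller; the OU distinguished name is an assumption, and the ActiveDirectory module (AD: drive) is required.

```powershell
# Added example, not part of the original text: enable DS access auditing on
# this DC and put an audit entry (SACL) on one OU, then verify it.
Import-Module ActiveDirectory
$ouDN = 'OU=Finance,DC=example,DC=com'   # assumed

# 1. Audit policy on this DC. "Audit directory service access" in the GUI is
#    the DS Access category; its subcategory state is shown here. In
#    production set it through the Default Domain Controllers Policy so all
#    DCs match; the auditpol /set line changes only this machine.
auditpol.exe /get /category:"DS Access"
# auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 2. SACL on the OU: audit successful and failed property writes to user
#    objects beneath it, by anyone (Everyone), which is what the Auditing tab
#    produces. Without such an entry the policy above generates no events.
$everyone      = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify the SACL now carries the entry. Matching events are written to the
#    Security log of the DC that processed the write (event ID 4662 on
#    Windows Server 2008 and later; 565 on Windows 2000).
(Get-Acl -Path "AD:\$ouDN" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Scoping the entry to WriteProperty on user objects keeps the volume manageable; auditing GenericAll or read access on a busy OU floods the Security log and buries the changes you actually want to see.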

How to Configure Auditing for Specific Active Directory Objects

You can configure auditing for specific objects, such as users, computers, organizational units or groups, by specifying both the types of access and the users whose access you want to audit.

To configure auditing for specific Active Directory objects:

1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
6. Enter the name of the user or group whose access you want to audit (Everyone, to audit all access).
7. Select the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.

How to Configure a Secondary Name Server in Windows 2000

Identify the Secondary Name Server

On the primary DNS server, identify the additional name server:

1. Open the DNS MMC.
2. In the console tree, click Host name (where Host name is the host name of the DNS server).
3. In the console tree, click Forward Lookup Zones.

4. Right-click the zone that you want (for example, example.com), and then click Properties.
5. Click the Name Servers tab, and then click Add.
6. In the Server name box, type the host name of the server that you want to add, for example namesvr2.example.com.
7. In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
8. Click OK, and then click OK.
9. In the console tree, click Reverse Lookup Zones, right-click the zone that you want, and then click Properties.
10. Click the Name Servers tab, and then click Add.
11. In the Server name box, type the host name of the server that you want to add, for example namesvr2.example.com.
12. In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
13. Click OK, and then click OK.

Install DNS on the Secondary Name Server

Install the DNS service through Add/Remove Programs (Add/Remove Windows Components, Networking Services, Domain Name System (DNS)).

Configure the Forward Lookup Zone

To configure the forward lookup zone on the secondary name server:

1. Open the DNS MMC on the secondary name server.

2. In the console tree, under DNS, click Host name (where Host name is the host name of the DNS server).
3. In the console tree, click Forward Lookup Zones.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. When the New Zone Wizard starts, click Next to continue.
6. Click Standard secondary, and then click Next.
7. In the Name box, type the name of the zone (for example, example.com), and then click Next.
8. On the Master DNS Servers page, type the IP address of the primary name server for this zone, click Add, click Next, and then click Finish.

Configure the Reverse Lookup Zone

To configure the reverse lookup zone on the secondary name server:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, click Host name (where Host name is the host name of the DNS server).
3. In the console tree, click Reverse Lookup Zones.
4. Right-click Reverse Lookup Zones, and then click New Zone.
5. When the New Zone Wizard starts, click Next to continue.
6. Click Standard secondary, and then click Next.
7. In the Network ID box, type the network ID (for example, 192.168.0), and then click Next.
8. On the Master DNS Servers page, type the IP address of the primary name server, click Add, click Next, and then click Finish.

Troubleshooting: The DNS server does not load the zone

When you select a zone on the secondary name server, the following error message may be displayed in the right pane of the DNS window:

Zone not loaded by DNS Server
The DNS server encountered an error while attempting to load the zone. The transfer of zone data from the master server failed.

This behavior can occur when zone transfers are disabled. To resolve this issue, follow these steps:

1. On the primary name server, open the DNS MMC.
2. In the console tree, click MainServer1 (the primary name server in this example).
3. In the console tree, click Forward Lookup Zones.
4. Under Forward Lookup Zones, right-click the zone that you want (for example, example.com), and then click Properties.
5. Click the Zone Transfers tab.
6. Click to select the Allow zone transfers check box, and then click one of the following options:
   - To any server
   - Only to servers listed on the Name Servers tab
   - Only to the following servers
7. Click Apply, and then click OK.
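The three options on the Zone Transfers tab decide who may pull a full copy of the zone, not only whether the secondary above can load it. The following is an added example, not code from the book, that models each option and shows which requesters it admits. It assumes the Name Servers tab lists namesvr2.example.com at 192.168.0.22 (as in the secondary-server setup above); every other host and address is constructed sample data.

```python
"""Added example (not from the book): a model of the three "Allow zone
transfers" options on the Zone Transfers tab, showing which requesters each
option would let pull a full copy of the zone (AXFR).

Assumptions (mine, not the book's): the Name Servers tab lists
namesvr2.example.com at 192.168.0.22, as in the secondary-server setup above;
every other host and address below is constructed sample data.
"""
from ipaddress import ip_address

# Constructed Name Servers tab: host name -> address the name resolves to.
NAME_SERVERS = {
    "mainserver1.example.com": "192.168.0.2",
    "namesvr2.example.com": "192.168.0.22",
}

# Constructed "Only to the following servers" list.
EXPLICIT_TRANSFER_LIST = {"192.168.0.22"}

ANY_SERVER = "To any server"
NS_TAB_ONLY = "Only to servers listed on the Name Servers tab"
LISTED_ONLY = "Only to the following servers"


def transfer_allowed(policy, allow_transfers, requester_ip,
                     name_servers=NAME_SERVERS, explicit=EXPLICIT_TRANSFER_LIST):
    """Return True if a zone transfer request from requester_ip would be
    served under the given Zone Transfers tab settings."""
    ip_address(requester_ip)  # raises ValueError on a malformed address
    if not allow_transfers:
        return False  # check box cleared: no secondary can load the zone
    if policy == ANY_SERVER:
        return True  # any host that can reach the server gets the whole zone
    if policy == NS_TAB_ONLY:
        # The tab lists host names; requests are matched against the
        # addresses those names resolve to, so a secondary missing from the
        # tab (or resolving to the wrong address) is refused.
        return requester_ip in set(name_servers.values())
    if policy == LISTED_ONLY:
        return requester_ip in explicit
    raise ValueError(f"unknown policy: {policy!r}")


def audit(policy, allow_transfers, requests):
    """Evaluate (source IP, description) pairs and return the sources that
    would receive the zone, so the setting can be reviewed before applying."""
    return [src for src, _desc in requests
            if transfer_allowed(policy, allow_transfers, src)]


# Constructed requesters: the secondary, a LAN workstation, an outside host.
SAMPLE_REQUESTS = [
    ("192.168.0.22", "namesvr2 secondary"),
    ("192.168.0.57", "LAN workstation"),
    ("203.0.113.9", "Internet host"),
]

if __name__ == "__main__":
    for policy in (ANY_SERVER, NS_TAB_ONLY, LISTED_ONLY):
        print(f"{policy}: {audit(policy, True, SAMPLE_REQUESTS)}")
```

In the sample, "To any server" clears the "Zone not loaded" error but also hands the zone to the workstation and the Internet host; the Name Servers tab option admits only namesvr2, and it does so only because the secondary was added to that tab in the earlier steps.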

How to set up a One-Way Non-Transitive Trust in Windows 2000

Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest. A two-way implicit transitive trust also exists between all contiguous domains in a single tree. There may be times when you need to create explicit trust relationships between domains. Windows 2000 allows you to configure one-way, non-transitive trusts between domains.

Configure a One-way Trust

Perform the following steps to configure the one-way trust:

1. On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console.
2. In the Domains that trust this domain pane, click Add.
3. In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.
4. Click OK.
5. In the Active Directory dialog box, click OK to verify the trust.
6. Enter the user name and password of a user that has permissions to modify trust relationships in the trusting domain. You receive a message that states that the trusting domain has been added and the trust verified.
7. Quit the Active Directory Domains and Trusts console.
8. On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console.

9. Right-click the trusting domain, and then click Properties.
10. In the Domains trusted by this domain box, click Add.
11. In the Add Trusted Domain dialog box, type the name of the trusted domain and a password, and then type the password again in the Confirm Password box.
12. Click OK.

NOTE: The DNS infrastructure must be in place so that domain controllers from each domain can find one another. You can configure Windows NT 4.0 domain trusts by using Windows NT 4.0 User Manager for Domains.

How to create a Container to List Printers in Active Directory

By default, printers are not displayed when you use My Network Places to browse Active Directory. The ADSI Edit tool in Support Tools can be used to add a container in which to list the printers that are published in Active Directory. By doing so, users can either find the folder that contains the printers in My Network Places or add a network place to the folder that contains the printers.

To create a Printers container in which to list your printers in Active Directory:

1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand Domain NC [DomainName], and then click DC=Domain, DC=com.
3. On the Action menu, point to New, and then click Object.
4. In the Select a class box, click container, and then click Next.
5. In the Value box, type Printers, and then click Next.

6. Click Finish. A CN=Printers container appears in the right pane of ADSI Edit.
7. Right-click CN=Printers, and then click Properties.
8. Click the Attributes tab.
9. In the Select a property to view box, click showInAdvancedViewOnly, and then click Clear.
10. In the Edit Attribute box, type false, click Set, and then click OK.
11. Quit ADSI Edit.
12. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Printers container that you created appears in the list of directory objects.
13. On the View menu, click Advanced Features.
14. On the View menu, click Users, Groups, and Computers as containers.
15. Move the printers that you want to the Printers container.
16. Quit Active Directory Users and Computers.

Note: This procedure requires that printers are published in Active Directory.

How to publish a printer in AD

1. Log on to the computer as an administrator.
2. Click Start, point to Settings, and then click Printers.

3. In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4. Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5. Click to select the List in the Directory check box, and then click OK.
6. Close the Printers folder.

NOTE: If you want to make this printer available to users who are running different versions of Windows, you must install additional drivers. To do so, click Additional Drivers on the Sharing tab of the printer properties, and then select the appropriate items in the list.

How to replace the current primary DNS Server with a new Primary DNS Server in Windows 2000

When an existing DNS domain structure is in place, it may be necessary to replace the current primary DNS server with a new Windows 2000 DNS server. First install DNS on the new Windows 2000 server, and then transfer the records.

Transfer Records from the Current DNS Server

1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Right-click Forward Lookup Zones, click New Zone to start the wizard, and then click Next.
3. Click Standard Secondary for the zone type, click Next, type the zone name (for example, "microsoft.edu"), and then click Next.

4. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish.
5. Right-click Reverse Lookup Zones, click New Zone to start the wizard, click Next, click Standard Secondary for the zone type, and then click Next.
6. In the Network ID box, type 192.168.0, and then click Next.
7. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish.

Change the Role of a DNS Server to Primary Server

After all of the records have been transferred, you must remove the old DNS server from the network and set the new DNS server as the primary DNS server. To set the DNS server as the primary DNS server:

1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Double-click Forward Lookup Zones, right-click the Microsoft.edu zone, and then click Properties.
3. Click the General tab, click Change under Type, and then click either Standard Primary or Active Directory Integrated as the new type, depending on whether or not this computer is a domain controller (DC).
4. Click OK.
5. Change the setting under Allow Dynamic Updates to Yes if this server is for a Windows 2000 domain.

The server is now set as a primary DNS server for the DNS domain space. It may be necessary to change the IP address of the new server to match the IP address that the old DNS server used. This should be done to prevent having to make

changes on all clients or secondary servers to point to a new IP address for the primary DNS server.

Troubleshooting: You Are Unable to Transfer the Zone File

- Verify that the existing DNS server allows zone transfers.
- Verify that the new DNS server IP address is allowed for zone transfers.
- If the zone file is locked, the transfer should occur after a maximum of 10 minutes.

How to Verify the Creation of SRV Records for a Domain Controller Using DNS Manager

After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV records in the following folders:

_msdcs/dc/_sites/default-first-site-name/_tcp
_msdcs/dc/_tcp

In these locations, an SRV record is displayed for the following services:

_kerberos
_ldap

Using Nslookup:

1. From your DNS server, type nslookup at a command prompt.
2. Type set type=all, and then press ENTER.

3. Type _ldap._tcp.dc._msdcs.domainname (where domainname is the name of your domain), and then press ENTER.

Nslookup returns one or more SRV service location records in the following format:

Hostname.domainname internet address = ipaddress

where hostname is the host name of a domain controller, domainname is the domain to which the domain controller belongs, and ipaddress is the DC's IP address.

Configure the Windows 2000 Domain Name System to Age Records

When records are orphaned, for example because computers were renamed or moved to different subnets out of their zones, dynamic DNS on a Windows 2000-based server does not age these records unless the server is configured to do so. Orphans can occur if a group of computers is installed from an image and then renamed at a later time on another subnet. The reverse lookup pointers may not be deleted if the computer is disconnected from the network immediately after the installation. The automatic deletion of these records is possible by enabling the Aging and Scavenging feature on the DNS server.

Enable Aging and Scavenging

You need to enable the Aging and Scavenging feature at the server level, and optionally set the Aging feature on zones if you need different aging periods:

1. Open the DNS manager.
2. In the left pane, under the DNS icon, right-click the server name.
3. Click Set Aging/Scavenging for all zones.
4. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.

To set the Aging feature on an individual zone:

1. Right-click the zone, and then click Properties.
2. Click Aging.
3. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.

If the Aging feature is not enabled at the server level and you attempt to enable it at the zone level, the Aging feature does not work. After you select the appropriate aging periods and enable the Scavenging feature on the server, outdated records are scavenged. Additionally, you can initiate scavenging manually: right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click Yes when asked whether you want to scavenge.

How to move Windows 2000 DNS Zones to Another Windows 2000-based Server

To use the following method, the Windows 2000 DNS Server service must be installed on the new Windows 2000-based server, but it should not be configured yet. To move zone files from one server to another, follow these steps:

1. On the DNS server that is currently hosting the DNS zone(s), change any Active Directory-integrated zones to standard primary. This action creates the zone files that are needed for the destination DNS server.
2. Stop the DNS Server service on both DNS servers.
3. Manually copy the entire contents of the %SystemRoot%\System32\DNS folder from the source server to the destination server.

4. On the current DNS server, start Registry Editor, and then locate and click the following registry key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Zones
5. Export the Zones key to a registry file.
6. On the destination DNS server, double-click the registry file to import the Zones key into the registry.
7. Bring the current DNS server down and transfer its IP address to the destination DNS server.
8. On the destination DNS server, start the DNS Server service.
9. To initiate the registration of the server's A and PTR resource records, run the following command at a command prompt:
   ipconfig /registerdns
10. If this server is also a domain controller, stop and restart the Net Logon service to register the Service (SRV) records, or run the following command at a command prompt:
   netdiag /fix
11. The standard zones that were previously Active Directory-integrated can be converted back to Active Directory-integrated on the replacement DNS server if it is a domain controller.
12. Verify that the SOA resource record on each zone contains the correct name for the primary server and that the NS resource records for the zone(s) are correct.

The steps outlined above do not migrate the following DNS server settings: Interfaces, Forwarders, Advanced, Root Hints, Logging, Security.

The host's "A" record is registered in DNS after you choose not to register the connection's address

In Windows 2000, if you clear the Register this connection's address in DNS check box under Advanced TCP/IP Settings for a network interface, the IP address may still register an A record for the host name in its primary DNS suffix zone. For example, this behavior may occur if you have the following configuration:

- The DNS service is installed on the server.
- The DNS server zone is example.com, and the example.com zone can be updated dynamically.
- The server host name is Server1.example.com, and Server1 has two network adapters with the IP addresses 10.1.1.1 and 10.2.2.2.

If you clear the Register this connection's address in DNS check box on the network adapter that has the IP address 10.2.2.2 and then delete the host record for Server1.example.com 10.2.2.2, the host record for Server1.example.com 10.2.2.2 is dynamically added back to the zone later. The unwanted registration of this record can be reproduced if you restart the DNS service on the server. This is because, when the DNS service is installed on a computer that is running Windows 2000, it listens on all of the network interfaces that are configured to use TCP/IP. When DNS causes an interface to listen for DNS queries, the interface tries to register the host A record in the zone that matches its primary DNS suffix, regardless of the settings that have been configured in the TCP/IP properties. This behavior is by design and can take place under the following circumstances:

- The DNS service is installed on the server whose configuration you are trying to change.
- The DNS zone that matches the primary DNS suffix of the server is enabled to update dynamically.

To resolve this, remove the interface from the list of interfaces that the DNS server listens on. To do so, follow these steps:

1. Start the DNS Management Microsoft Management Console (MMC).
2. Right-click the DNS server, and then click Properties.
3. Click the Interfaces tab.
4. Under Listen on, click to select the Only the following IP addresses check box.
5. Type the IP addresses that you want the server to listen on. Include only the IP addresses of the interfaces for which you want a host A record registered in DNS.
6. Click OK, and then quit the DNS Management MMC.

Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops

The client computer does not send dynamic Domain Name System (DNS) updates to the DNS server even though the Register this connection's address in DNS option is selected. You receive the following error when forcing DNS registration:

IPCONFIG /REGISTERDNS
Windows 2000 IP Configuration
Error: The system cannot find the file specified. : Refreshing DNS names

This is because dynamic DNS registration relies on the DHCP Client service to perform dynamic updates. When you disable the DHCP Client service or set it to start manually, it prevents dynamic DNS updates from occurring. Even if the computer has a static IP address, the DHCP Client service must be running for dynamic DNS updates to occur. To resolve this issue, configure the DHCP Client service to start automatically when your computer system starts.

Explain ADS Database Garbage Collection Process?

Garbage Collection is a process that is designed to free space within the Active Directory database. This process runs independently on every DC with a default lifetime interval of 12 hours. The Garbage Collection process has 3 main steps:

1. Removing "tombstones" from the database. Tombstones are the remains of objects that have been previously deleted. (When an object is deleted, it is not actually removed from the Active Directory database. It is marked for deletion at a later date, and this mark gets replicated to the other DCs. When the tombstoneLifetime is over, the object is deleted.)
2. Deletion of any unnecessary log files.
3. The process launches a defragmentation thread to claim additional free space.

There are two ways to defragment the Active Directory database in Windows 2000:

Online Defragmentation: This runs as part of the garbage collection process. The only advantage of this method is that the server does not need to be taken offline for it to run. However, this method does not shrink the Active Directory database file (Ntds.dit).

Offline Defragmentation: This is done by taking the server offline and using Ntdsutil.exe to defragment the database. This approach requires that the ADS database be started in repair mode. The advantage of this method is that the database is resized, unused space is removed, and the new size is reflected by the Ntds.dit file.
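The point that a deletion only marks an object, which then lingers until a garbage collection run finds its tombstoneLifetime expired, is easiest to see in a small model. The following is an added example and not code from the book: it keeps deleted objects as tombstones, runs the collector on the 12-hour interval the text states, and records when each tombstone is finally purged. The 60-day tombstone lifetime and the object names are constructed sample values, not taken from the book.

```python
"""Added example (not from the book): a model of how a deleted Active
Directory object lingers as a tombstone until the garbage collection thread
removes it.

Assumptions (mine): the 12-hour garbage collection interval is the one the
book states; the 60-day tombstone lifetime is a constructed parameter (pass
your forest's value), and the object names are sample data.
"""
from datetime import datetime, timedelta

GC_INTERVAL = timedelta(hours=12)        # default GC interval, from the text
TOMBSTONE_LIFETIME = timedelta(days=60)  # constructed; use your forest's tombstoneLifetime


class DirectoryDatabase:
    """Live objects sit in `objects`; deleted ones move to `tombstones`
    (keyed by deletion time) instead of vanishing from the store."""

    def __init__(self, tombstone_lifetime=TOMBSTONE_LIFETIME):
        self.objects = {}      # dn -> attributes (live objects)
        self.tombstones = {}   # dn -> time the object was deleted
        self.tombstone_lifetime = tombstone_lifetime
        self.gc_runs = []      # (run time, dns purged) kept for audit

    def add(self, dn, **attrs):
        self.objects[dn] = dict(attrs)

    def delete(self, dn, when):
        """Deleting only marks the object: it leaves the live set and becomes
        a tombstone so the deletion can replicate to the other DCs."""
        self.objects.pop(dn)
        self.tombstones[dn] = when

    def garbage_collect(self, now):
        """Step 1 of the GC process: purge tombstones whose lifetime has
        expired. Returns the DNs physically removed in this run."""
        expired = [dn for dn, t in self.tombstones.items()
                   if now - t >= self.tombstone_lifetime]
        for dn in expired:
            del self.tombstones[dn]
        self.gc_runs.append((now, expired))
        return expired


def simulate(db, start, end):
    """Run GC every GC_INTERVAL from start to end; return, per DN, the run at
    which its tombstone was purged."""
    purged_at = {}
    t = start
    while t <= end:
        for dn in db.garbage_collect(t):
            purged_at[dn] = t
        t += GC_INTERVAL
    return purged_at


def build_sample():
    """Constructed scenario: one user deleted on day 0, one on day 10."""
    db = DirectoryDatabase()
    t0 = datetime(2010, 2, 18, 8, 0)
    db.add("CN=alice,OU=Staff,DC=example,DC=com", sAMAccountName="alice")
    db.add("CN=bob,OU=Staff,DC=example,DC=com", sAMAccountName="bob")
    db.delete("CN=alice,OU=Staff,DC=example,DC=com", t0)
    db.delete("CN=bob,OU=Staff,DC=example,DC=com", t0 + timedelta(days=10))
    return db, t0


def run_sample(days=75):
    """Build the sample directory and run the collector for `days` days."""
    db, t0 = build_sample()
    purged = simulate(db, t0, t0 + timedelta(days=days))
    return db, t0, purged


if __name__ == "__main__":
    db, t0, purged = run_sample()
    for dn, when in purged.items():
        print(f"{dn} purged at {when}")
```

Run for 59 days the sample leaves both tombstones in place, which is the behaviour the text describes: until the lifetime elapses, the object is gone from the live view but still occupies space in Ntds.dit, and only the offline defragmentation returns that space to the file system.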

How will you remove a DC Server Object (in ADS Sites and Services) which is not removed after demotion?

After demoting a DC, the object that represents the server in the Active Directory Sites and Services Manager snap-in remains. This issue occurs because the server object is a "container" in Active Directory and may hold child objects that represent configuration data for other services installed on your computer. Because of this, the Dcpromo utility does not automatically remove the server object. If the server object contains any child objects named "NTDS Settings," these are objects that represent the server as a DC and should be automatically removed by the demotion process. If this does not work, these objects must be removed by using the Ntdsutil utility before you delete the server object. After verifying that all other services with a dependency on the server object have been removed, an administrator can delete the server in Active Directory Sites and Services Manager.

NOTE: This process may not finish successfully for either of the following reasons:

- If you receive a message that states the server is a container that contains other objects, verify that the appropriate decommissioning of services has completed before continuing.
- If you receive a message that states the DSA object cannot be deleted, you may be attempting to delete an active DC.

How to Configure an Authoritative Time Server in Windows 2000?

Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time.

Windows-based computers use the following hierarchy by default:

- All client PCs and member servers nominate the authenticating DC as their inbound time server.
- DCs may nominate the PDC operations master as their inbound time partner but may use a parent DC based on stratum numbering.
- All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner.
- The PDC operations master at the root of the forest becomes authoritative for the organization.

This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:

net time /setsntp:server_list

To reset the local computer's time against the authoritative time server for the domain:

net time /domain:domain_name /set
net stop w32time
w32tm -once
net start w32time

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.

How will you remove Orphaned Domains from Active Directory?

Typically, when the last DC for a domain is demoted, the administrator selects the "This server is the last DC in the domain" option in the DCPromo tool, which removes the domain meta-data from Active Directory.

Note: The administrator must verify that replication has occurred since the demotion of the last DC before manually removing the domain meta-data. Using the NTDSUTIL tool improperly can result in partial or complete loss of Active Directory functionality.

1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt, type the following commands, pressing ENTER after each one:

ntdsutil
metadata cleanup
connections
connect to server servername

(servername is the name of the DC holding the Domain Naming Master FSMO role.) If an error occurs, verify that the DC being used in the connection is available and that the credentials you supplied have administrative permissions on the server.

quit

The Metadata Cleanup menu is displayed.

select operation target
list domains

A list of domains in the forest is displayed, each with an associated number.

select domain number

(number is the number associated with the domain to be removed.)

quit

The Metadata Cleanup menu is displayed.

remove selected domain

You should receive confirmation that the removal was successful.

quit

You should receive confirmation that the connection disconnected successfully.

Loopback Processing of Group Policy

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.

To set user configuration per computer: In the Group Policy Microsoft Management Console (MMC), click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy.

Loopback is supported only in a purely Windows 2000-based environment. Both the computer account and the user account must be in Active Directory. Usually users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be

appropriate (for example, when you do not want applications assigned to users to be installed while they are logged on to the computers in some specific OU). With Group Policy loopback, you can specify two other ways to retrieve the list of GPOs for any user who logs on to any of the computers in this specific OU:

Merge Mode: First the GPOs for the user are applied. Then the GPOs for the computer are added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs.

Replace Mode: In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

SRV Records Missing After Implementing Active Directory and Domain Name System

When you implement Active Directory and Domain Name System (DNS), SRV records may be missing in the DNS Management console or database. This behavior occurs when the following conditions exist:

- The DNS server is configured as a Dynamic Host Configuration Protocol (DHCP) client.
- The DNS zone has a name other than your Active Directory domain name.
- The zone is not enabled to allow dynamic updates.

To resolve this issue, make sure that all of the following conditions are met:

- Configure your DNS server to use a static Internet Protocol (IP) address.
- Create a forward lookup zone named after your Active Directory domain.
- Enable your domain zone to allow dynamic updates.
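Whether the SRV records are present is the same question in the nslookup procedure under "How to Verify the Creation of SRV Records for a Domain Controller" and in the troubleshooting passage above, so one check serves both. The following is an added example, not code from the book: it parses the transcript of an nslookup session for the _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain> records (the two services the text names) and reports which of them no longer point at the DC. The transcript, the domain example.com, the host dc1 and the addresses are constructed sample data laid out in the form Windows nslookup uses for SRV answers.

```python
"""Added example (not from the book): parse the output of an nslookup query
for the _ldap and _kerberos SRV records under _tcp.dc._msdcs.<domain> and
check that each one points at the expected domain controller, before going
on to restart Netlogon or run netdiag /fix.

Assumptions (mine): the transcript below is constructed, in the layout
Windows nslookup uses for SRV records; example.com, dc1 and the addresses
are sample data.
"""
import re

# Constructed nslookup transcript: two queries after "set type=all".
SAMPLE_OUTPUT = """\
> _ldap._tcp.dc._msdcs.example.com
Server:  dc1.example.com
Address:  192.168.0.10

_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
dc1.example.com internet address = 192.168.0.10
> _kerberos._tcp.dc._msdcs.example.com
Server:  dc1.example.com
Address:  192.168.0.10

*** dc1.example.com can't find _kerberos._tcp.dc._msdcs.example.com: Non-existent domain
"""

QUERY_RE = re.compile(r"^>\s*(\S+)")
SRV_HEADER_RE = re.compile(r"^(\S+)\s+SRV service location:")
FIELD_RE = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)")
ADDR_RE = re.compile(r"^(\S+)\s+internet address\s+=\s+(\S+)")


def parse_nslookup_srv(text):
    """Return {query name: [record, ...]}. Each record holds priority, weight,
    port, host and, when nslookup printed the glue line, ip. A query that
    produced no SRV answer maps to an empty list."""
    results = {}
    record = None
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            results.setdefault(m.group(1), [])
            record = None
            continue
        m = SRV_HEADER_RE.match(line)
        if m:
            record = {"name": m.group(1)}
            results.setdefault(m.group(1), []).append(record)
            continue
        m = FIELD_RE.match(line)
        if m and record is not None:
            key, val = m.group(1), m.group(2)
            if key == "svr hostname":
                record["host"] = val
            else:
                record[key] = int(val)
            continue
        m = ADDR_RE.match(line)
        if m:
            # Glue line: attach the address to every record naming this host.
            for recs in results.values():
                for r in recs:
                    if r.get("host", "").lower() == m.group(1).lower():
                        r["ip"] = m.group(2)
    return results


def missing_dc_services(parsed, domain, dc_host, services=("_ldap", "_kerberos")):
    """List the services for which no SRV record under _tcp.dc._msdcs.<domain>
    names dc_host; an empty list means the DC's registrations look complete."""
    missing = []
    for svc in services:
        query = f"{svc}._tcp.dc._msdcs.{domain}"
        hosts = {r.get("host", "").lower() for r in parsed.get(query, [])}
        if dc_host.lower() not in hosts:
            missing.append(svc)
    return missing


if __name__ == "__main__":
    parsed = parse_nslookup_srv(SAMPLE_OUTPUT)
    print("missing:", missing_dc_services(parsed, "example.com", "dc1.example.com"))
```

On the constructed transcript the _ldap record is present with its glue address while the _kerberos query fails, so the checker reports `_kerberos` as missing; that is the situation in which restarting Netlogon (or netdiag /fix) is the next step.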

If all of these conditions exist and you still do not see your SRV records, stop and start the Netlogon service. This action forces the DC to re-register the appropriate SRV records. Running the netdiag /fix command on the DC will verify that all SRV records that are in the Netlogon.dns file are registered on the primary DNS server.

Group Policy May Not Be Applied to Users Belonging to Many Groups

If a user is a member of many groups, either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user, and the user may not be validated to use network resources. This is because the Kerberos token has a fixed size. If a user is a member of a group, either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups. For many operations, Windows NTLM authentication succeeds, so the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all. To resolve this problem, obtain the latest service pack for Windows 2000.

Questions about Windows 2000 DNS

What are the common mistakes that are made when administrators set up DNS on a network that contains a single Windows 2000 or Windows Server 2003 DC?

The most common mistakes are:

- The DC is not pointing to itself for DNS resolution on all network interfaces.

- The "." zone exists under forward lookup zones in DNS.
- Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server for DNS.

Why do I have to point my DC to itself for DNS?

The Netlogon service on the DC registers a number of records in DNS that enable other DCs and computers to find Active Directory-related information. If the DC is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. The preferred DNS setting for the DC is itself; no other DNS servers should be listed. The only exception to this rule is with additional DCs. Additional DCs in the domain must point to the first DC (which runs DNS) that was installed in the domain and then to themselves as secondary.

What does a DC register in DNS?

The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.

Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates, such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active Directory-related information.

If I remove the ISP's DNS server settings from the DC, how does it resolve names such as Microsoft.com on the Internet?

As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

What is the "." zone in my forward lookup zone?

This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

Do I need to configure forwarders in DNS?

By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, when you configure forwarders, DNS performance and efficiency increase, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint servers can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection.

Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the DC in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

Do I need to point computers that are running Windows NT 4.0, Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?


Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.

What should I do if the DC points to itself for DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.

How do I set up DNS for other DCs in the domain that are running DNS?
For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (the first DC in the domain), and the alternate DNS setting is the actual IP address of its own network interface.

How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Set the child DNS server to point to itself only.

Domain Replication and the Knowledge Consistency Checker
Since Windows 2000 has multi-master replication, maintaining consistency is a problem. The KCC creates connections dynamically between the DCs and triggers replication. As the number of DCs increases, replication consumes more and more network bandwidth. The KCC balances the need for consistency against bandwidth limitations using the timely contact rule. This means that no DC is allowed to be more than 3 connections from any other DC. The KCC maintains domain consistency automatically. You can manually force the KCC to run immediately using the Repadmin.exe tool. To force the KCC on the server named server1.mydomain.com, issue the following command:

Repadmin /kcc server1.mydomain.com

Intersite replication relaxes the timely contact rule, since replication between sites usually occurs over slower links. The KCC can be optimized for your particular intersite replication needs. Bridgehead servers perform directory replication between two sites. Only two designated DCs talk to each other; these DCs are called bridgehead servers. If you have DCs from multiple domains, you will have a bridgehead server for each domain. Each Active Directory site also has one DC that takes the role of Inter-Site Topology Generator (ISTG), which reviews and generates the connection objects for the bridgehead servers in each site. There is only one DC with this role in each site, even if you have multiple domains. The first DC in the site becomes the ISTG for the site by default. You can't control which DC is the ISTG, but you can find out which one it is:

Open the Active Directory Sites and Services console.
Select the site object.
In the right pane, right-click the NTDS Site Settings object and select Properties.
The current role owner appears in the Server box under Inter-Site Topology Generator on the Site Settings tab.

If the DC holding the ISTG role is offline for more than 60 minutes, another DC in the site will automatically take over this role.
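To make the timely contact rule concrete, here is an added Python model of what the intra-site KCC is balancing; it is an illustration written for this section, not the book's material and not how Windows implements the KCC. It builds the bidirectional ring the KCC starts from, measures how many replication hops separate any two DCs, and adds shortcut connection objects until no DC is more than 3 hops from any other. The DC names and the greedy choice of which pair to connect first are assumptions of the model.

```python
"""Added model of the KCC's intra-site 'timely contact' rule (not Windows code)."""
from collections import deque
from itertools import combinations

MAX_HOPS = 3  # the rule from the text: no DC more than 3 connections from any other


def ring_topology(dcs):
    """Bidirectional ring: each DC has a connection object with its two ring neighbours."""
    edges = set()
    n = len(dcs)
    if n < 2:
        return edges
    for i in range(n):
        edges.add(frozenset((dcs[i], dcs[(i + 1) % n])))
    return edges


def hop_distances(dcs, edges, start):
    """Breadth-first search: replication hops from start to every other DC."""
    adj = {dc: set() for dc in dcs}
    for edge in edges:
        a, b = tuple(edge)
        adj[a].add(b)
        adj[b].add(a)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def max_hops(dcs, edges):
    """Largest hop count between any two DCs in the topology."""
    return max(hop_distances(dcs, edges, dc)[other] for dc in dcs for other in dcs)


def add_optimizing_edges(dcs, edges):
    """Add shortcut connection objects until the 3-hop rule holds.

    Each pass connects the two DCs currently farthest apart. This greedy choice is
    an assumption of the model; it captures the trade-off in the text (extra
    connections, hence extra replication traffic, in exchange for timely contact).
    """
    edges = set(edges)
    while max_hops(dcs, edges) > MAX_HOPS:
        farthest = max(
            combinations(dcs, 2),
            key=lambda pair: hop_distances(dcs, edges, pair[0])[pair[1]],
        )
        edges.add(frozenset(farthest))
    return edges


if __name__ == "__main__":
    site = ["DC%02d" % i for i in range(1, 11)]  # constructed names for a 10-DC site
    ring = ring_topology(site)
    print("ring only: %d connections, worst case %d hops" % (len(ring), max_hops(site, ring)))
    full = add_optimizing_edges(site, ring)
    print("with optimizing edges: %d connections, worst case %d hops" % (len(full), max_hops(site, full)))
```

With ten DCs the plain ring leaves opposite DCs five hops apart, so changes would take five replication cycles to reach them; the model adds connections until the worst case is three. A seven-DC ring already satisfies the rule, so nothing is added, which is the point at which the KCC's bandwidth cost starts to grow with the number of DCs.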

Responding to operations master failures
Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. If an operations master is not available due to computer failure or network problems, you can seize the operations master role. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

SCHEMA MASTER FAILURE
Temporary loss of the schema operations master will be visible only if you are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online.

To seize the schema master role:
Click Start, click Run, and then type cmd.
At the command prompt, type ntdsutil.
At the ntdsutil prompt, type roles.
At the fsmo maintenance prompt, type connections.
At the server connections prompt, type connect to server, followed by the fully qualified domain name.
At the server connections prompt, type quit.
At the fsmo maintenance prompt, type seize schema master.
At the fsmo maintenance prompt, type quit.
At the ntdsutil prompt, type quit.

DOMAIN NAMING MASTER FAILURE
Temporary loss of the domain naming operations master will be visible only if you are trying to add a domain to the forest or remove a domain from the forest. A DC whose domain naming master role has been seized must never be brought back online.

RELATIVE ID MASTER FAILURE
Temporary loss of the relative ID operations master will be visible if you are creating objects and the domain in which you are creating the objects runs out of RIDs. A DC whose relative identifier master role has been seized must never be brought back online.

PDC EMULATOR FAILURE
The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to seize the role immediately. If the current PDC emulator master will be unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT backup DCs, seize the PDC emulator master role to the standby operations master. When the original PDC emulator master is returned to service, you can return the role to the original DC.

INFRASTRUCTURE MASTER FAILURE
Temporary loss of the infrastructure master is not visible to network users or administrators either, unless they have recently moved or renamed a large number of accounts.


If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a DC that is not a GC but is well connected to a GC, ideally in the same site as the current GC.

Explain the ADS database
Active Directory includes 4 files.

NTDS.DIT
This is the AD database and stores all AD objects. The default location is %SystemRoot%\ntds\NTDS.DIT. Active Directory's database engine is the Extensible Storage Engine, which is based on the Jet database and can grow up to 16 TB. NTDS.DIT consists of the following tables:

Schema Table: The types of objects that can be created in Active Directory, the relationships between them, and the attributes on each type of object. This table is fairly static and much smaller than the data table.
Link Table: Contains linked attributes, which contain values referring to other objects in Active Directory. Take the MemberOf attribute on a user object: that attribute contains values that reference the groups to which the user belongs. This table is also far smaller than the data table.
Data Table: Users, groups, application-specific data, and any other data stored in Active Directory.

From a different perspective, Active Directory has three types of data:

Schema information: Definitional details about the objects and attributes that one can store in AD. Replicates to all DCs. Static in nature.
Configuration information: Configuration data about the forest and trees. Replicates to all DCs. As static as your forest is.
Domain information: Object information for a domain. Replicates to all DCs within a domain. The object portion becomes part of the GC; the attribute values replicate only within the domain.

EDB.LOG
This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where nnnn is an increasing number starting from 1.

EDB.CHK
This is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.

Res1.log and Res2.log
These are reserved transaction log files of 20 MB (10 MB each), which give the transaction log files enough room to shut down if the other space is being used.

How will you do an Offline Defragmentation of Active Directory?


Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted. To defrag ntds.dit offline:

Back up System State in the backup wizard.
Reboot and select Directory Services Restore Mode.
At the command prompt, type:
Ntdsutil
Files
Info
This displays current information about the path and size of the Active Directory database and its log files.
Compact to D:\DbBackup\
You must specify a directory path, and if the path name has spaces, the command will not work unless you use quotation marks.
Quit (until you reach the command prompt)
A new compacted database named Ntds.dit can be found in D:\DbBackup.
Copy the new ntds.dit file over the old ntds.dit file.
You have successfully compacted the Active Directory database.

Explain GC?
By default, a GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects of every other domain in the forest. The replica is partial because it stores only some attributes for each object. The GC performs two key directory roles:
It enables network logon by providing universal group membership information to a DC when a logon process is initiated.


It enables finding directory information regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC. If a GC is not available, the user is only able to log on to the local computer unless he is in the Domain Admins group. The GC is designed to respond to queries about objects with maximum speed and minimum network traffic. Because a single GC contains information about objects in all domains in the forest, a query about an object can be resolved by a GC in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in the GC. Using the Active Directory Schema, you can specify additional attributes to be kept in the GC.

GC and infrastructure master should not be on the same server. Why?
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a GC. GCs receive regular updates for objects in all domains through replication, so the GC's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a GC. The infrastructure master then replicates that updated data to the other DCs in the domain.

Important: If the infrastructure master and GC are on the same DC, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other DCs in the domain. If all of the DCs in a domain are also hosting the GC, all of the DCs will have the current data and it does not matter which DC holds the infrastructure master role.

Explain Active Directory schema?
The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects, so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata. Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency. Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class. Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion. The structure and content of the schema is controlled by the DC that holds the schema operations master role. A copy of the schema is replicated to all DCs in the forest. The use of this common schema ensures data integrity and consistency throughout the forest.

Explain Kerberos V5 authentication process?
Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of network services. This dual verification is known as mutual authentication.


HOW KERBEROS V5 WORKS
The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a security principal, issued by a DC for purposes of user authentication; the two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service. An important service within Kerberos V5 is the Key Distribution Center (KDC), a Kerberos V5 service that runs on a DC and issues ticket-granting tickets (TGTs) and service tickets for obtaining network authentication in a domain. The KDC runs on each DC as part of Active Directory, which stores all client passwords and other account information.

The Kerberos V5 authentication process works as follows:
The user on a client system authenticates to the KDC using a password.
The KDC issues a special ticket-granting ticket (a ticket issued by the Kerberos V5 Key Distribution Center (KDC) for purposes of obtaining a service ticket from the ticket-granting service (TGS)) to the client.
The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the DC.
The TGS then issues a service ticket to the client.
The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.

KERBEROS V5 AND DCS
The Kerberos V5 services are installed on each DC, and a Kerberos client is installed on each Windows 2000 workstation and server. Every DC acts as a KDC. A Windows 2000 system uses a DNS lookup to locate the nearest available DC. That DC then functions as the preferred KDC for that user during the user's logon session. If the preferred KDC becomes unavailable, the Windows 2000 system locates an alternate KDC to provide authentication.

What are the single master operations?
Active Directory supports multimaster replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multimaster fashion, so only one DC, called the operations master, accepts requests for such changes. Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations. In any Active Directory there are five operations master roles. Some roles must appear in every forest. Other roles must appear in every domain in the forest.

FOREST-WIDE OPERATIONS MASTER ROLES
Every Active Directory forest must have the following roles:
Schema master
Domain naming master
There can be only one schema master and one domain naming master for the entire forest.

Schema master
The schema master DC controls all updates and modifications to the schema.

Domain naming master
The domain naming master DC controls the addition or removal of domains in the forest.

DOMAIN-WIDE OPERATIONS MASTER ROLES
Every domain in the forest must have the following roles:


Relative ID master
Primary DC (PDC) emulator
Infrastructure master
Each domain in the forest can have only one RID master, PDC emulator, and infrastructure master.

Relative ID master
The RID master allocates a pool of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID to that object. The security ID consists of a domain security ID (which is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object.

PDC emulator
For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. In native mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure master
The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one DC acting as the infrastructure master in each domain. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

How the local user accounts are handled when a server is promoted to a DC
When a server is promoted to a DC, the server no longer uses the local SAM database to store users and groups. When the promotion is complete, the DC stores users, groups, and computer accounts in the Active Directory database. The SAM database is still present, but it is inaccessible when the server is running in Normal mode. The SAM database is used when you boot into Directory Services Restore Mode or the Recovery Console. If this new DC is the first DC in a new domain, all of the local user accounts in the SAM database are migrated to Active Directory. All permissions that had been assigned to the local users, such as NTFS permissions, are retained.

Can we run dcpromo on a server on which NAT is installed?
When you attempt to promote or demote a DC with dcpromo, you may receive the following error message:

Active Directory Installation failed
The operation failed because: Failed to modify the necessary properties for the machine account Servername$
The specified server cannot perform the requested operation.

This can happen when the server is using Network Address Translation, and it can be caused by the H.323/LDAP Proxy Service. To resolve this behavior, install SP1 or disable the H.323/LDAP proxy service with the following command:


Do not use NAT on a network with other DCs, DNS servers, gateways, DHCP servers, or systems configured for static IP, because of possible conflicts with other services. Do not connect NAT directly to a corporate network, because Kerberos authentication, IPSec, and Internet Key Exchange (IKE) will not work.

Enable Debug Logging in the Microsoft Directory Synchronization Services Tool
When you troubleshoot synchronization issues in the MSDSS tool, you can enable debug logging to capture detailed information about the synchronization process. To enable detailed MSDSS logging, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msdss\ and create a new REG_DWORD value named DebugLogLevel. Setting the value to 1 and restarting the computer activates logging; 0 turns logging off. The logging information is placed in the %Systemroot%\System32\Directory Synchronization\Session Logs folder. The log files are labeled "Session#-#.log".

"Replication Access Was Denied" Error Message When Attempting to Synchronize DCs
When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:

The following error occurred during the attempt to synchronize the DCs: Replication Access was denied

Domains in Active Directory are natural security boundaries. Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admins global group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain, but the administrator in the child domain is only able to force replication from within his or her own domain. To resolve this issue, give the administrator in the child domain permissions to the parent domain from which you want to force replication: add him or her to the Administrators group in the parent domain. Repeat these steps for each domain that you want to assign administrative permissions to. Keep in mind that parent domains are able to manage all of their child domains, but you need to perform the steps described here for any child domains that want to manage the parent domain or other child domains on the same level.

Auditing Does Not Report Security Event for Resetting Password on DC
If you choose to audit success and failure with the "Audit account management" policy, the auditing does not report the expected success event in the Security log when an administrator resets a user password on a DC. This problem occurs because Remote Procedure Call (RPC) impersonation does not succeed when the Security service tries to send a message to the Eventlog service. SP2 will solve this problem.

RPC Error Messages Returned for Active Directory Replication When Time Is Out of Synchronization
When you are viewing the status of Active Directory replication between two DCs, the following messages may be displayed for the result of the last replication attempt:

The RPC server is unavailable.
-or-
The RPC server is too busy to complete this operation.


These error messages may be reported in the Event log or through Replication Monitor. By default, W2K computers synchronize time with a time server. If the time server is not available and the time difference between DCs drifts beyond the skew allowed by Kerberos, authentication between the two DCs may not succeed and the RPC error messages can result. Synchronize time among DCs using net time:

Net time \\mypdc /set /y

This synchronizes the local computer time with the server named Mypdc. With /set, the time is not only queried but also synchronized with the specified server. The /y switch skips the confirmation for changing the time on the local computer.

How to Change the Recovery Console Administrator Password on a DC
When you promote a Windows 2000 Server-based computer to a DC, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion. The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the SAM on the local computer. The SAM-based account and password are computer specific and are not replicated to other DCs in the domain. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use one of the following methods.

Method 1


On a DC, use the %systemroot%\system32\Setpwd.exe (SP2 or later) utility to change the SAM-based Administrator password. To change the SAM Administrator password on a remote DC, type the following command:

Setpwd /s:servername

Method 2
Restart the DC in Directory Service Restore Mode. Use the command net user administrator * or Local Users and Groups.

Who can "Log On locally" to a DC?
By default, Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, Internet Guest Account, and Terminal Services User Account are assigned the "Log on locally" right.
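The Kerberos V5 exchange described under "HOW KERBEROS V5 WORKS" and the clock-skew failure described under "RPC Error Messages Returned ... When Time Is Out of Synchronization" are both easier to follow when the messages are spelled out. The following added Python model walks through the AS, TGS and service exchanges with the skew check in place; it is an illustration written for this book's section, not Microsoft's implementation. The cipher (a hash-based stream with an HMAC), the password-to-key derivation, the ticket layout, the principal names and the 300-second skew limit are assumptions of the example.

```python
"""Added model of the Kerberos V5 exchange with the clock-skew check (toy cipher, not Windows code)."""
import hashlib, hmac, json, os

MAX_SKEW = 300       # seconds of clock drift tolerated (assumed 5-minute limit)
TICKET_LIFE = 36000  # ticket lifetime in seconds (assumed 10 hours)


def derive_key(password: str) -> bytes:
    """Long-term key from a password (toy: one unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for the Kerberos encryption types."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct)))))


def _check_authenticator(auth: dict, client: str, now: int) -> None:
    """An authenticator must name the ticket's client and be fresh (skew rule)."""
    if auth["client"] != client:
        raise ValueError("authenticator does not match ticket")
    if abs(auth["ts"] - now) > MAX_SKEW:
        raise ValueError("clock skew too great")


class KDC:
    """Authentication Service and Ticket-Granting Service running on a DC."""

    def __init__(self, keys: dict):
        self.keys = keys  # {"alice": key, "krbtgt": key, "cifs/fs1": key}

    def as_exchange(self, user: str, preauth: bytes, now: int):
        """AS-REQ with pre-authentication; returns (TGT, reply sealed under the user's key)."""
        _check_authenticator(unseal(self.keys[user], preauth), user, now)
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": user, "sk": sk.hex(), "exp": now + TICKET_LIFE})
        return tgt, seal(self.keys[user], {"sk": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ: TGT plus authenticator; returns (service ticket, reply under the TGT session key)."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        _check_authenticator(unseal(sk, authenticator), t["client"], now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk.hex(), "exp": now + TICKET_LIFE})
        return ticket, seal(sk, {"sk": ssk.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """AP-REQ at the service; the AP-REP it returns proves the service holds its own key."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    ssk = bytes.fromhex(t["sk"])
    auth = unseal(ssk, authenticator)
    _check_authenticator(auth, t["client"], now)
    return seal(ssk, {"ts": auth["ts"]})  # echo of the client's timestamp: mutual authentication


def logon_and_access(kdc, user, password, service, service_key, client_clock, server_clock) -> bool:
    """Client-side flow; True when the service is mutually authenticated."""
    ukey = derive_key(password)
    tgt, rep = kdc.as_exchange(user, seal(ukey, {"client": user, "ts": client_clock}), server_clock)
    sk = bytes.fromhex(unseal(ukey, rep)["sk"])
    ticket, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": client_clock}), service, server_clock)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    ap_rep = service_accept(service_key, ticket, seal(ssk, {"client": user, "ts": client_clock}), server_clock)
    return unseal(ssk, ap_rep)["ts"] == client_clock


def attempt(*args) -> str:
    """Run the whole flow and report 'ok' or the reason it was refused."""
    try:
        return "ok" if logon_and_access(*args) else "mutual authentication failed"
    except ValueError as exc:
        return str(exc)
```

Three refusals are worth trying with attempt(): a wrong password fails at the AS exchange because the pre-authentication data does not verify under the key the KDC holds; a client clock more than MAX_SKEW seconds away from the KDC's is refused with "clock skew too great" before any ticket is issued, which is the condition behind the RPC errors between DCs described above; and a service that does not hold the key the ticket was sealed with cannot open it, so it can never produce the AP-REP the client checks, which is the mutual-authentication half of the protocol.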

How Conflicts Are Resolved in Active Directory Replication
All computers that provide multi-master updates must deal with potential conflicts that may arise when concurrent updates originating on two separate master replicas are inconsistent. There are three types of conflicts:

Attribute value: An object's attribute is set concurrently to one value at one master and another value at a second master.
Add/move under a deleted container object, or the deletion of a non-leaf object: Essentially, this conflict is a situation in which one master records the deletion of a container object while another master records the placement of another object subordinate to that deleted object.


Sibling name conflict: This conflict occurs when one replica attempts to move an object into a container in which another replica has concurrently moved another object with the same relative distinguished name (RDN).

Active Directory orders all updates by assigning a globally unique stamp to the originating update. If there is a conflict, the ordering of stamps allows a consistent resolution. This approach is used in the following ways:

Attribute value: The value whose update operation has the larger stamp wins.
Add/move under a deleted container object, or the deletion of a non-leaf object: After resolution at all replicas, the container object is deleted, and the leaf object is made a child of the domain's special Lost and Found container. Stamps are not involved in this resolution.
Sibling name conflict: The object with the larger stamp keeps the RDN. The sibling object is assigned a unique RDN by the computer. This does not conflict with any client-assigned value, because it is built from a reserved character (the asterisk), the RDN, and the object's GUID.

How to Modify the Default Intra-Site DC Replication Interval
When a DC writes a change to its local copy of the Active Directory, a timer is started that determines when the DC's replication partners should be notified of the change. By default, this interval is 5 minutes. When this interval elapses, the DC initiates a notification to each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications. This parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry.

To modify the delay between the change to the Active Directory and the first replication partner notification, use Registry Editor to modify the value data for the "Replicator notify pause after modify (secs)" DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

The default value data for the "Replicator notify pause after modify (secs)" DWORD value is 0x12c hexadecimal, which is 300 decimal (5 minutes).

To modify the notification delay between DCs, use Registry Editor to modify the value data for the "Replicator notify pause between DSAs (secs)" DWORD value in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

The default value data for the "Replicator notify pause between DSAs (secs)" DWORD value is 0x1e hexadecimal, which is 30 decimal (30 seconds).

Resetting Computer Accounts in Windows 2000 and Windows XP
For each Windows 2000/XP PC that is a member of a domain, there is a discrete communication channel, known as the secure channel, with a DC. The secure channel's password is stored along with the computer account on all DCs. The default computer account password change period is every 30 days. If the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following error messages:

The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

NETLOGON Event ID 3210: Failed to authenticate with \\DOMAINDC, a Windows NT DC for domain DOMAIN.

The Netlogon service on the DC logs the following error message when the password is not synchronized:

NETLOGON Event 5722: The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3

You can reset the computer password using the Active Directory Users and Computers MMC: right-click the computer object and then click Reset Account. Resetting the password for DCs using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. This will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.

Distinguishing a DC from a Windows 2000 Member Server

The \NTDS registry key exists in the HKLM\SYSTEM\CCS\SERVICES portion of the registry.

The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after demotion of a DC.)

NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a command prompt and note the presence of the 1C name.

The NET ACCOUNTS utility lists the computer role as "PRIMARY" (standalone servers are listed as "SERVERS"). Type net accounts from the command prompt.

The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is running. Type net start | more.

The computer responds to LDAP queries (specifically, on port 389 or 3268).

The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs.

The Change button on the Network Identification tab in My Computer is disabled when Windows 2000 is configured as a DC; a note appears indicating this.

Netdiag (a Resource Kit utility) shows a "Machine is a Primary DC" entry in its output. Type netdiag /v from the command prompt.

The Role of the Inter-Site Topology Generator in Active Directory Replication

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for generating the replication topology between DCs. This section describes the role of one server per site, known as the Inter-Site Topology Generator, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located. When the KCC on each DC generates the intra-site topology for the site in which it resides, the KCC creates a connection object in the Active Directory only when a connection object is required for the local computer. These changes propagate to other DCs through the normal replication process. Each DC uses the same algorithm to compute the replication topology, and in a state of equilibrium between DCs, each should arrive at the same result with respect to what the replication topology should be. In the process, each DC creates its own connection objects.
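The DC indicators listed in the "Distinguishing a DC" section can be checked in one pass. The script below is an added example, not code from the book; the function name is its own, and it assumes PowerShell 3 or later on the server being examined (the Kdc service name and the <1C> NetBIOS suffix are the real Windows identifiers).

```powershell
# Added example (not from the book): test the DC indicators from the text on the
# local machine. Assumes PowerShell 3 or later; 'Kdc' and '<1C>' are real identifiers.
function Test-DcIndicator {
    $r = [ordered]@{}

    # NTDS service key under HKLM\SYSTEM\CurrentControlSet\Services
    $r.NtdsKey = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

    # SYSVOL and NETLOGON shares (Win32_Share works on old and new builds)
    $shares = @((Get-CimInstance -ClassName Win32_Share).Name)
    $r.SysvolShare   = $shares -contains 'SYSVOL'
    $r.NetlogonShare = $shares -contains 'NETLOGON'

    # NetBIOS group name <1C> registered locally (nbtstat -n)
    $nbt = try { nbtstat -n 2>$null } catch { @() }
    $r.Name1C = [bool]($nbt | Select-String -Pattern '<1C>' -Quiet)

    # NET ACCOUNTS computer role: "PRIMARY" on a DC, "SERVERS" on a standalone server
    $role = net accounts 2>$null | Select-String -Pattern '^Computer role:\s*(\S+)'
    $r.ComputerRole = if ($role) { $role.Matches[0].Groups[1].Value } else { 'unknown' }

    # Kerberos Key Distribution Center service running
    $kdc = Get-Service -Name Kdc -ErrorAction SilentlyContinue
    $r.KdcRunning = ($null -ne $kdc) -and ($kdc.Status -eq 'Running')

    # Something accepts TCP connections on the LDAP (389) and GC (3268) ports
    foreach ($port in 389, 3268) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect('127.0.0.1', $port); $r["Port$port"] = $true }
        catch   { $r["Port$port"] = $false }
        finally { $client.Close() }
    }

    # 3268 is only open on a global catalog, so it is left out of the verdict
    $r.LikelyDomainController = $r.NtdsKey -and $r.SysvolShare -and $r.NetlogonShare -and
                                $r.KdcRunning -and $r.Port389
    [pscustomobject]$r
}

Test-DcIndicator | Format-List
```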


Connection objects for bridgehead servers for inter-site replication are created differently. The KCC on one DC in each site is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. This DC is known as the Inter-Site Topology Generator (ISTG). The DC holding this role is not necessarily a bridgehead server. When the ISTG determines that a connection object needs to be modified on a given bridgehead server in the site, the ISTG makes the change to its local Active Directory copy. As part of the normal intra-site replication process, these changes propagate to the bridgehead servers in the site. When the KCC on the bridgehead server reviews the topology after receiving these changes, it translates the connection objects into replication links that Active Directory uses to replicate data from remote bridgehead servers.

The current owner of the ISTG role is communicated through the normal Active Directory replication process. Initially, the first server in the site becomes the ISTG for the site. The role does not change as additional DCs are added to the site until the current ISTG becomes unavailable. The current ISTG notifies every other DC in the site that it is still present by writing the "interSiteTopologyGenerator" attribute on the NTDS Settings object under its DC object in the Configuration naming context in Active Directory at a specified interval. As this attribute is propagated to other DCs by Active Directory replication, the KCC on each of these computers monitors this attribute to verify that it has been written within a specified amount of time. If that amount of time elapses without a modification, a new ISTG takes over. When a new ISTG needs to be established, each DC orders the list of servers in ascending order by their Globally Unique Identifier (GUID). The DC that is next highest in the list of servers from the current owner takes over the role, starts to write the "interSiteTopologyGenerator" attribute, and performs the necessary KCC processes to manage inbound connection objects for bridgehead servers.


As DCs evaluate which server should assume the ISTG role, the selection begins again with the first DC listed in the site if the current server is the last server in the list. If two DCs in the site believe that they own the ISTG role, there may be a temporary state in which inbound replication connection objects are created by two computers. However, once replication occurs and all DCs receive the change identifying the new ISTG, the KCC on the ISTG adjusts the topology as appropriate.
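The ISTG succession rule described above (ascending GUID order, next server after the current owner, wrap-around from the last server to the first, takeover when the attribute goes stale) can be modelled in a few lines. The script below is an added example, not code from the book or from Windows: the DC names, GUIDs and timestamps are constructed sample data, the byte-order GUID comparison is an assumption, and the staleness threshold is a parameter because the text gives no figure for the "specified amount of time".

```powershell
# Added example (not from the book): a model of the ISTG succession rule above.
# DC names, GUIDs and timestamps are constructed; MaxAge is a parameter because the
# text gives no value for the "specified amount of time".
function Get-IstgOrder {
    # Order the site's DCs ascending by GUID. Assumption: the comparison is on the
    # GUID's byte representation, so sort on the hex dump, not the display string.
    param([Parameter(Mandatory)][object[]]$Dcs)
    $Dcs | Sort-Object { [System.BitConverter]::ToString(([guid]$_.Guid).ToByteArray()) }
}

function Select-NextIstg {
    # The DC after $Current in GUID order takes over; the selection wraps around
    # to the first DC when the current holder is the last in the list.
    param(
        [Parameter(Mandatory)][object[]]$Dcs,
        [Parameter(Mandatory)][string]$Current
    )
    $ordered = @(Get-IstgOrder -Dcs $Dcs)
    $idx = [array]::IndexOf(@($ordered.Name), $Current)
    if ($idx -lt 0) { throw "Current ISTG '$Current' is not a DC in this site" }
    $ordered[($idx + 1) % $ordered.Count]
}

function Test-IstgStale {
    # Each KCC checks that interSiteTopologyGenerator was rewritten within $MaxAge.
    param(
        [Parameter(Mandatory)][datetime]$LastWritten,
        [Parameter(Mandatory)][timespan]$MaxAge,
        [datetime]$Now = (Get-Date)
    )
    ($Now - $LastWritten) -gt $MaxAge
}

# Constructed sample site: the GUIDs are deliberately not in name order, and DC1
# (the first server added, hence the initial ISTG) sorts last.
$site = @(
    [pscustomobject]@{ Name = 'DC1'; Guid = '00000000-0000-4000-8000-000000000003' }
    [pscustomobject]@{ Name = 'DC2'; Guid = '00000000-0000-4000-8000-000000000001' }
    [pscustomobject]@{ Name = 'DC3'; Guid = '00000000-0000-4000-8000-000000000002' }
)
'GUID order: ' + ((Get-IstgOrder -Dcs $site).Name -join ' < ')

$lastWrite = [datetime]'2010-02-18T10:00:00'   # constructed time of the last attribute write
$check     = [datetime]'2010-02-18T12:00:00'   # constructed time of the KCC check
if (Test-IstgStale -LastWritten $lastWrite -MaxAge ([timespan]::FromHours(1)) -Now $check) {
    # DC1 is last in GUID order, so the role wraps around to the first DC in the list
    'ISTG DC1 is stale; successor: ' + (Select-NextIstg -Dcs $site -Current 'DC1').Name
}
```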
