
Active Directory

Active Directory is a centralized, standardized directory service that stores information about the objects in a network (users, computers, groups, printers and so on) and makes that information available to users and network administrators.

Domain Controller

In an Active Directory forest, a domain controller is a server that holds a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources by authenticating the users and computers of its domain.

Global catalog server

A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial replicas are stored on global catalog servers so that searches of the entire directory can be answered without requiring referrals from one domain controller to another.

The partial replica of another domain holds only the attributes that the schema marks for replication to the global catalog (the partial attribute set), typically the ones users search on, such as first name, last name, telephone numbers and addresses. Windows Server 2003 improved this: at the Windows Server 2003 forest functional level, adding an attribute to the partial attribute set no longer forces every global catalog to perform a full resynchronization.

OU:

"Organizational Units" are containers within a domain. They let administrators group users, computers and other objects so that Group Policy can be linked to them and administrative rights can be delegated over them, which makes changes, security privileges and other administrative tasks more efficient. An OU is the smallest scope to which a GPO can be linked or to which authority can be delegated.

Domain:

A Windows domain is a logical grouping of computers that share a common security database and common user account information.

Forest

A Windows forest is a group of one or more Windows trees joined by transitive trusts. The trees do not need to have contiguous DNS names. A forest shares a single schema, a single configuration partition and a common set of global catalog servers, and it is the security boundary of Active Directory. A forest may consist of a single tree.

Tree:

A Windows tree is a group of one or more trusted Windows domains with contiguous DNS names. "Trusted" means that an authenticated account from one domain isn't rejected by another domain. "Contiguous DNS domains" means that they all share the same root DNS name (for example, sales.corp.example.com is a child of corp.example.com).

Site:

Sites are manually defined groupings of IP subnets that are well connected to each other. Computers in a site locate the domain controllers and global catalog servers of their own site first, and a site can have its own set of Group Policy objects linked to it.

Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique, variable-length binary value that identifies a security principal such as a user, group or computer. It is conventionally written as a string of the form S-1-5-21-<domain>-<RID>. The name of an object can change but its SID does not, which is why permissions are stored against SIDs rather than names.

Group Policy

Group Policy architecture:

Group Policy objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT).

Password policy settings such as password history are stored under:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container object (stored under CN=Policies,CN=System in the domain partition) that holds GPO properties such as version information and GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is a file system folder that holds the policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) of the domain, in the \Policies sub-folder, in a folder named after the GPO's GUID.

Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can narrow the set of computers and users that a GPO affects by using membership in security groups. Starting with Windows 2000, the administrator can add both computers and users to security groups, and then specify which security groups are affected by the GPO by editing the GPO's Access Control List: only trustees that hold both Read and Apply Group Policy on the GPO process it.
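As an added example (not part of the original notes), the following PowerShell uses the GroupPolicy and ActiveDirectory modules from RSAT to look at one GPO from both sides: the GPC version in Active Directory against the GPT version in SYSVOL, who is security-filtered in through the Apply Group Policy permission, and who can write the GPT folder. The GPO name 'Default Domain Policy' and the list of expected writers are assumptions for illustration.

```powershell
# Added example, not from the original notes. Requires the GroupPolicy and
# ActiveDirectory modules and an account that can read SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoIntegrity {
    param([Parameter(Mandatory)][string]$Name)

    $gpo    = Get-GPO -Name $Name
    $ad     = Get-ADDomain
    $gpcDn  = $gpo.Path                                              # GPC: the AD object
    $gptDir = "\\$($ad.DNSRoot)\SYSVOL\$($ad.DNSRoot)\Policies\{$($gpo.Id)}"   # GPT: the SYSVOL folder

    # 1. GPC and GPT version numbers must agree; a mismatch means SYSVOL replication
    #    is behind AD replication, or someone edited one side directly.
    $versionsAgree = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                     ($gpo.User.DSVersion     -eq $gpo.User.SysvolVersion)

    # 2. Security filtering: only trustees holding Apply Group Policy (GpoApply)
    #    receive the policy, regardless of where the GPO is linked.
    $appliesTo = Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                 ForEach-Object { $_.Trustee.Name }

    # 3. Anyone who can write the GPT folder controls what every targeted machine
    #    runs at its next refresh, so flag write access outside the expected set.
    #    (Assumption: adjust this list to the environment.)
    $nb = $ad.NetBIOSName
    $expectedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
                       "$nb\Domain Admins", "$nb\Enterprise Admins",
                       "$nb\Group Policy Creator Owners"
    $unexpectedWriters = (Get-Acl -Path $gptDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ("$($_.FileSystemRights)" -match 'Write|Modify|FullControl') -and
            ($expectedWriters -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Name              = $gpo.DisplayName
        GpcPath           = $gpcDn
        GptPath           = $gptDir
        VersionsAgree     = $versionsAgree
        AppliesTo         = @($appliesTo)
        UnexpectedWriters = @($unexpectedWriters)
    }
}

Test-GpoIntegrity -Name 'Default Domain Policy' | Format-List
```

A non-empty UnexpectedWriters list is worth chasing before VersionsAgree is: a version mismatch usually heals itself once replication catches up, whereas a stray write permission on the GPT lets a non-administrator change the scripts and security settings that every computer in scope applies.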

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that runs on every domain controller and automatically generates and maintains the intrasite and intersite replication topology.

Intrasite Replication

Replication that happens between domain controllers inside one site. All of the subnets inside the site should be connected by high-speed, reliable links, because intrasite replication is triggered by change notification and is not compressed.

Intersite Replication

Intersite replication is replication between sites, over site links that must be set up by an administrator. It is scheduled and compressed to save WAN bandwidth. Simple Mail Transfer Protocol (SMTP) may be used instead of RPC for replication between sites, with the restrictions described under SMTP below.

Active Directory Replication

Replication must occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among the domain controllers that store the same directory partitions.

Adprep.exe

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest (adprep /forestprep) or a Windows 2000 domain (adprep /domainprep) for the installation of Windows Server 2003 domain controllers.

USE:

When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and extends the Windows 2000 Active Directory schema to store objects specific to Exchange Server. The ldapDisplayName of the attribute schema objects ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server conflicts with the inetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe is able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved.

GUID:

When a new domain user or group account is created, Active Directory stores the account's SID in the Object-SID (objectSID) property of the User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each object's GUID is stored in its Object-GUID (objectGUID) property.

Active Directory uses GUIDs internally to identify objects, because a GUID never changes even when an object is renamed or moved.

SID:
A security identifier (SID) is a data structure in binary format that contains a
variable number of values. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain),
and a relative ID (RID) that is unique for each security Principal SID created in
a domain.

Lingering objects

When a domain controller is disconnected for a period longer than the tombstone lifetime (TSL), objects that were deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller was offline for the whole time the tombstone was alive, it never received replication of the tombstone, and when it reconnects it can reintroduce the deleted object (a deleted user account, for instance) into the domain.
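To spot the condition that produces lingering objects before it bites, the check below (an added example, not from the original notes) reads the tombstone lifetime from the configuration partition and compares it with how long each inbound replication partner has gone without a successful replication. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later RSAT, which the 2003-era tools discussed here predate; on those systems the same data comes from repadmin /showrepl.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module
# (Windows Server 2012+ RSAT) run with rights to read replication metadata.
Import-Module ActiveDirectory

function Get-StaleReplicationPartners {
    # The tombstone lifetime lives on the Directory Service object in the
    # configuration partition. When the attribute is absent the default is
    # 60 days (forests first created with Windows Server 2003 SP1 or later use 180).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    $tslDays  = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and partition on this DC.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition '*' |
            ForEach-Object {
                $age = (Get-Date) - $_.LastReplicationSuccess
                [pscustomobject]@{
                    Server        = $dc.HostName
                    Partner       = $_.Partner          # DN of the partner's NTDS Settings object
                    Partition     = $_.Partition
                    DaysSinceOK   = [math]::Round($age.TotalDays, 1)
                    Failures      = $_.ConsecutiveReplicationFailures
                    TslDays       = $tslDays
                    # Past the TSL the partner may hold objects that are already
                    # gone everywhere else; reconnecting it without cleanup
                    # brings them back.
                    LingeringRisk = ($age.TotalDays -gt $tslDays)
                }
            }
    }
}

Get-StaleReplicationPartners | Sort-Object DaysSinceOK -Descending | Format-Table -AutoSize
```

Rows with LingeringRisk set should not simply be reconnected; the partner needs the lingering-object cleanup (repadmin /removelingeringobjects) or a fresh promotion, otherwise a deleted account can come back with its old SID and group memberships intact.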

Sysvol

Sysvol is a shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain. Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. In Windows 2000 and Windows Server 2003 it is replicated using the File Replication Service (FRS); later versions replace FRS with DFS Replication. Because every domain member executes what it finds here, write access to Sysvol is equivalent to code execution on every computer the policy reaches.

File Replication Service (FRS)

In Windows 2000, the SYSVOL share is read by clients during logon; it holds the Group Policy templates and logon scripts and is replicated to all domain controllers in the domain. The File Replication Service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool (with Advanced Features turned on, under System > File Replication Service) is used to change the file replication service schedule.

Winlogon

A component of the Windows operating system that provides interactive logon support. In Windows 2000 and Windows Server 2003, Winlogon is the process in which the Group Policy engine runs (later versions moved it into the Group Policy Client service).

Lightweight Directory Access Protocol (LDAP)

It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory. An LDAP URL names the server holding Active Directory services and the distinguished name of the object. For example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

A simple bind over plain LDAP (TCP 389) sends the password in clear text, so use LDAP over SSL (TCP 636) or a SASL bind with signing for anything that authenticates.

USN

Each object has an Update Sequence Number (USN), and if the object is
modified, the USN is incremented. This number is different on each domain
controller. USN provides the key to multimaster replication.

Universal group membership caching

Because of limited network bandwidth and server hardware, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can cache universal group membership information locally so that a logon does not need to reach a global catalog across the WAN.

By default, the universal group membership information in the cache of each domain controller is refreshed every 8 hours, and up to 500 universal group memberships can be updated at once. Universal security groups cannot be created while the domain is in Windows 2000 mixed mode (universal distribution groups can).

What is an ACL or access-control list?

A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) The discretionary ACL (DACL) lists who may do what to the object; the system ACL (SACL) lists what is audited.

What is an ACE or access-control entry?

An ACE contains a set of access rights and a security identifier (SID) that identifies the trustee for whom the rights are allowed, denied, or audited. In Active Directory an ACE can additionally be scoped to a single attribute, a class of child object, or an extended right, so an object's ACL can grant very narrow permissions (such as "reset password" on the users in one OU).
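As an added example that is not part of the original notes, the function below reads the security descriptor of an Active Directory object through the AD: drive that the ActiveDirectory module provides and reports each ACE that grants a trustee outside the built-in administrative groups rights amounting to control of the object. The list of trusted identities and the object DN passed at the end are assumptions for illustration.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module,
# which also mounts the AD: drive that Get-Acl reads below.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs that appear in ExtendedRight ACEs.
$ExtendedRightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Get-RiskyAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Rights that let the trustee take over the object or rewrite its ACL.
    $takeover = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'
    # Trustees expected to hold such rights (assumption: adjust to the environment).
    $trusted  = '^(NT AUTHORITY\\SYSTEM|NT AUTHORITY\\SELF|CREATOR OWNER|BUILTIN\\Administrators|' +
                '.+\\Domain Admins|.+\\Enterprise Admins|.+\\Account Operators)$'

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {                       # one ACE per iteration
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $trusted) { continue }

        $rights = "$($ace.ActiveDirectoryRights)" -split ',\s*'
        $hits   = @($rights | Where-Object { $takeover -contains $_ })

        $extended = $null
        if ($rights -contains 'ExtendedRight') {
            $extended = $ExtendedRightNames["$($ace.ObjectType)"]
            if (-not $extended) { $extended = "ExtendedRight $($ace.ObjectType)" }
        }

        if ($hits.Count -gt 0 -or $extended) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                # An all-zero ObjectType means the ACE applies to the whole object,
                # not to one attribute or one child class.
                ObjectType = $ace.ObjectType
                Extended   = $extended
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# The DN is a placeholder for a real object in the target domain.
Get-RiskyAces -DistinguishedName 'CN=Users,DC=corp,DC=example,DC=com' | Format-Table -AutoSize
```

Run it against the domain head (the DC=... object) and the Domain Controllers OU as well as individual accounts: a non-administrator holding the two DS-Replication-Get-Changes rights on the domain can pull every password hash through the replication protocol, and WriteDacl on the domain head lets them grant that to themselves.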

Flexible Single Master Operations (FSMO)

Multimaster Operation:

In Windows 2000 and 2003, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations.

There is a fixed set of Flexible Single Master Operations (FSMO) roles, each of which can be performed by only one domain controller at a time, because a conflict in these operations could not be resolved by normal replication. The roles are placed on the first domain controller in the forest (and in each domain) by default; an administrator decides which domain controller holds each role and can transfer them later. The FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master:

Synchronizes cross-domain group membership changes. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains: for example, when a user from another domain who is a member of a local group is renamed or moved, it updates the stale reference so that the group membership shows the current name. At any one time there can be only one infrastructure master in each domain, and it cannot usefully run on a global catalog server (unless all DCs in the domain are also GCs).

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it stops updating object information, because a Global Catalog server holds a partial replica of every object in the forest and therefore never holds the stale cross-domain references (phantoms) that the role exists to update. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master allocates pools of relative IDs (RIDs) to each domain controller in the domain; the domain controller that creates a security principal (a user, group or computer) takes the next RID from its local pool to build the object's SID. If the RID master is down, domain controllers can keep creating security principals until their local RID pool is exhausted; after that no new security principal can be created in the domain until the role is available again.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

PDC Emulator - When the domain is in mixed mode, the domain controller holding this role acts as a Windows NT PDC towards the remaining Windows NT BDCs. The first server that becomes a Windows 2000 domain controller in the domain takes the PDC emulator role by default.

Functions performed by the PDC emulator:

User account changes and password changes: password changes are replicated to it preferentially, and a logon that fails on another domain controller is retried at the PDC emulator before being rejected.

SAM directory replication requests from Windows NT BDCs.

Domain master browser requests.

Authentication requests.

GPO editing: the Group Policy tools connect to the PDC emulator by default.

Time synchronization: it is the authoritative time source for the domain, which the Kerberos clock-skew check depends on.
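Since the roles above are only ever held by one domain controller each, the first thing to know in an incident or a migration is who holds them and whether the infrastructure master sits on a global catalog while other DCs do not. The script below is an added example (not from the original notes) using the ActiveDirectory module; it takes every name from the environment and hard-codes nothing. The RID pool decoding follows the documented layout of the rIDAllocationPool attribute and treats rIDNextRID as the DC's position in that range, so the remaining count is approximate.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot

    $allAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $imHolder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        # The IM stops updating cross-domain references when it is a GC
        # and at least one other DC in the domain is not.
        InfrastructureMasterMisplaced = [bool]($imHolder.IsGlobalCatalog -and -not $allAreGc)
        GlobalCatalogs       = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
    }
}

function Get-RidPoolStatus {
    # Each DC keeps its allocated RID range on the RID Set object under its computer
    # account. rIDAllocationPool packs the range start in the low 32 bits and the
    # range end in the high 32 bits. While the RID master is down, a DC can create
    # security principals only until this range runs out.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ridSet = Get-ADObject -SearchBase $dc.ComputerObjectDN -LDAPFilter '(objectClass=rIDSet)' `
                               -Properties rIDAllocationPool, rIDNextRID
        if (-not $ridSet) { continue }          # read-only DCs hold no RID pool
        $pool  = [int64]$ridSet.rIDAllocationPool
        $start = $pool -band 0xFFFFFFFF
        $end   = $pool -shr 32
        $next  = [int64]$ridSet.rIDNextRID
        [pscustomobject]@{
            Server        = $dc.HostName
            PoolStart     = $start
            PoolEnd       = $end
            NextRid       = $next
            RidsRemaining = $end - $next        # approximate headroom without the RID master
        }
    }
}

Get-FsmoReport   | Format-List
Get-RidPoolStatus | Format-Table -AutoSize
```

A DC whose RidsRemaining is near zero while the RID master is unreachable is the one that will start refusing account creation first; a new pool is only requested from the RID master once the current one is almost used up.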

New Active Directory features in Windows Server 2003

• Multiple selection of user objects.

• Drag-and-drop functionality.

• Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes

• Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.

• Active Directory command-line tools (dsadd, dsmod, dsquery, dsget and the rest of the ds* family).

• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.

• Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media (install from media).

• Universal group membership caching. Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.

• Secure LDAP traffic. The Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the data comes from a known source and has not been tampered with. Note that this is a client-side default: the domain controller still accepts unsigned LDAP from other clients unless the "Domain controller: LDAP server signing requirements" policy is set to Require signing.

• Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise

Windows Functional levels

Windows 2000 Active Directory domains have the concept of mixed and native modes. The default, mixed mode, allows both Windows NT and Windows 2000 domain controllers to coexist. Once you convert to native mode, you are only allowed to have Windows 2000 domain controllers in your domain. The conversion is one-way; it cannot be reversed. In Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept is similar to switching from mixed to native mode in Windows 2000: each higher functional level gives you capabilities that the previous level did not have, and excludes older domain controllers.

There are four domain functional levels:

1. Windows 2000 mixed (supports NT4/2000/2003 DCs)

2. Windows 2000 native (supports 2000/2003 DCs)

3. Windows Server 2003 interim (supports NT4/2003 DCs)

4. Windows Server 2003 (supports only 2003 DCs)

And three forest functional levels:

1. Windows 2000 (supports NT4/2000/2003 DCs)

2. Windows Server 2003 interim (supports NT4/2003 DCs)

3. Windows Server 2003 (supports only 2003 DCs)

To raise the domain functional level, open the properties of your domain in Active Directory Domains and Trusts. To raise the forest functional level, open the properties of Active Directory Domains and Trusts at the root. Of course, if your domains are not at the correct level, you won't be able to raise the forest functional level.

Directory partition

A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one or more Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition, the configuration partition and a domain partition.

Schema partition

It contains all class and attribute definitions for the forest. There is one schema directory partition per forest.

Configuration partition

It contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest.

Domain partition

It contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest.

Application Directory Partition

Application directory partitions are a new feature introduced in Windows Server 2003 and are most often used to store dynamic, application-specific data. An application partition can hold any object type except security principals (users, groups, and computers). It is replicated only to the domain controllers that the application or administrator selects, which can be in different domains of the forest, and the KCC generates and maintains the replication topology for it. Application partitions typically hold DNS zone objects (the DomainDnsZones and ForestDnsZones partitions of Active Directory-integrated DNS) and dynamic data from other network services such as Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).

Dynamic Data:

A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an entry is set when the entry is created, and the entry is removed automatically when it expires unless it is refreshed.

Security Principals - Objects that can have permissions assigned to them; each one carries a security identifier (SID). The following objects are security principals:

o User

o Computer

o Group

RPC:

Active Directory uses RPC over IP to transfer both intersite and intrasite
replication between domain controllers. To keep data secure while in transit,
RPC over IP replication uses both the Kerberos authentication protocol and
data encryption.

SMTP:

If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You also cannot use SMTP replication to replicate between domain controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule, and because the replication mail is signed and encrypted it requires an enterprise certification authority in the forest.

Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore Mode and log on with the Directory Services Restore Mode administrator account and password (this is the password you assigned during the Dcpromo process).

2. At a command prompt, type ntdsutil.exe. You receive the following prompt:

ntdsutil:

3. Type files to receive the following prompt:

file maintenance:

4. Type info. Note the path of the database and log files.

5. To move the database, type move db to %s (where %s is the target folder).

6. To move the log files, type move logs to %s (where %s is the target folder).

7. Type quit twice to return to the command prompt.

8. Reboot the computer normally.

DNS

DNS (Domain Name System)

Domain Name System (DNS) is a distributed database system that translates a computer's fully qualified domain name into an IP address (and, through reverse lookup, an IP address into a name).

The local DNS resolver

[Figure not included in this copy: an overview of the complete DNS query process.]

DNS Zones

Forward lookup zone - name to IP address map.

Reverse lookup zone - IP address to name map.

Primary zone - holds the read/write copy of all resource records in the zone (A, NS, SRV and so on).

Secondary zone - holds a read-only copy of a primary zone, obtained by zone transfer. Restrict zone transfers to the listed secondaries; an open zone transfer hands anyone the complete inventory of the zone.

Stub Zones

Conceptually, stub zones are like secondary zones in that they hold a read-only copy of data from a primary zone, but they are more efficient and create less replication traffic. A stub zone holds only three kinds of records: the SOA for the primary zone, the NS records, and the Host (A) glue records for those name servers. If a client queries a name in the stub zone, your DNS server can refer the query to the correct name server because it knows that server's Host (A) record.

Queries

Query types are:

Inverse (reverse) - Getting the name from an IP address, answered from PTR records in a reverse lookup zone. Servers sometimes use this as a check that a client's forward and reverse names agree; it is a weak control, because whoever controls the reverse zone controls the answer.

Iterative - The server gives its best answer from its own data, which may be a referral to other name servers rather than the final answer. This is the type of query one server sends to another.

Recursive - The server cannot refer the query to another name server; it must return either the final answer or an error, resolving the name on the client's behalf. Recursion should be disabled on servers that only need to be authoritative, since an open recursive resolver can be abused for cache poisoning and amplification.

Conditional Forwarding

Another classic use of forwarders is where a company has subsidiaries, partners or other organizations whose names it queries regularly. Instead of going the long way around through the root hints, the network administrators configure conditional forwarders: queries for a specified domain name are sent to a designated set of DNS servers rather than being resolved from the root.

Purpose of Resource Records

Without resource records DNS could not resolve queries. The mission of a DNS query is to locate a server that is authoritative for a particular domain. The easy part is for the authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - Each zone has one SOA record that identifies which DNS server is authoritative for the domains and sub-domains in the zone and carries the zone's serial number and the refresh, retry and expiry timers that secondaries use.

NS (name server) record - An NS record contains the FQDN of a DNS server authoritative for the zone (its IP address comes from a matching A record). Each primary and secondary name server authoritative for the domain should have an NS record.

A (address) record - By far the most common type of resource record, an A record is used to resolve the FQDN of a particular host into its associated IP address.

CNAME (canonical name) record - A CNAME record contains an alias (alternate name) for a host.

PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular service, for example to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory: if _ldap._tcp.dc._msdcs.<domain> does not resolve, clients cannot find a domain controller at all.

MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for an organization or site.

Where DNS resource records are stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 Netlogon service, and it can be used to support Active Directory on non-Windows 2000 DNS servers (the records are added manually to a server that does not accept dynamic updates).
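The file is also the quickest way to verify that a domain controller's registrations actually exist in DNS. The following PowerShell is an added example, not part of the original notes: it parses the SRV lines of Netlogon.dns and resolves each one, reporting records whose target and port are not what the file says. It assumes the DnsClient module (Windows Server 2012 and later) for Resolve-DnsName and is meant to run on the domain controller itself; the default file path is the one given in this section.

```powershell
# Added example, not from the original notes. Assumes Resolve-DnsName (DnsClient
# module) and, by default, the local Netlogon.dns of the DC it runs on.
function Test-DcSrvRegistration {
    param(
        [string]$Path   = "$env:SystemRoot\System32\config\netlogon.dns",
        [string]$Server = ''    # DNS server to query; empty uses the configured resolver
    )

    # Netlogon.dns lines look like:
    #   _ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
    $srvLine = '^(?<name>\S+)\.\s+\d+\s+IN\s+SRV\s+(?<prio>\d+)\s+(?<weight>\d+)\s+(?<port>\d+)\s+(?<target>\S+)\.$'

    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $srvLine) {               # A and CNAME entries are skipped
            $name   = $Matches.name
            $target = $Matches.target
            $port   = [int]$Matches.port

            $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
            if ($Server) { $query.Server = $Server }
            $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })

            # Registered only if DNS returns this exact target on this exact port;
            # a stale record for an old IP or a different host still counts as missing.
            $registered = [bool]($answers | Where-Object {
                $_.NameTarget -eq $target -and $_.Port -eq $port })

            [pscustomobject]@{
                Record     = $name
                Target     = $target
                Port       = $port
                Registered = $registered
                Answers    = $answers.Count
            }
        }
    }
}

# Rows with Registered = False point at dynamic update failing: wrong DNS server,
# a zone that does not accept updates, or leftover records after an IP change.
Test-DcSrvRegistration | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```

Because the file lists every record the DC expects, a clean run (no rows) after the IP-change procedure below is a more reliable sign of success than a single nslookup of the domain name.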

Procedures for changing a Server's IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Be sure that is what you really want to do before starting the process. It is akin to changing the internal IPX number of a Novell server, but it can be done.

1. Change the server's IP address.

2. Stop the NETLOGON service.

3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB.

4. Restart the NETLOGON service and run "ipconfig /registerdns".

5. Go to one of the other DCs and verify that its DNS now points to the new IP address of the server. If not, change the records manually and give it 15 minutes to replicate the DNS changes out.

6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things to straighten out. Give it an hour or two if necessary.

If a server shows that it isn't replicating with one of its partners, there are several issues to address:

A. Check that the servers can ping each other.

B. Make sure that both servers' DNS entries for each other point to the proper IP addresses.

C. If server A says it replicated fine, but server B says it couldn't contact server A, check the DNS setup on server B. Chances are it has a record for server A pointing to the wrong place.

D. Run Netdiag and see if it reports any errors or problems.

Trust Relationship

One-way trust - When one domain allows access to users of another domain, but the other domain does not allow access to users of the first domain.

Two-way trust - When two domains each allow access to users of the other domain.

Trusting domain - The domain that allows access to users of another domain; it holds the resources.

Trusted domain - The domain that is trusted, whose users have access to the trusting domain; it holds the accounts. Trust direction and access direction are therefore opposite: the trusting domain accepts the trusted domain's authentication.

Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one-way trust that does not extend beyond two domains.

Explicit trust - A trust that an administrator creates manually, for example to a Windows NT domain or to a domain in another forest. It is not transitive, and each explicit trust is one way; a two-way relationship is built from two of them.

Cross-link trust - An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Forest trust - When both forests are at the Windows Server 2003 forest functional level, you can use a forest trust to join the forests at their root domains. SID filtering is enabled on forest trusts so that a SID from the trusted forest (for example one planted in sIDHistory) cannot be used to claim membership of a group in the trusting forest; do not disable it without understanding that consequence.

Shortcut trust - When domains that authenticate users are logically distant from one another, logging on to the network can take a long time because the referral has to walk the trust path. You can manually add a shortcut trust between two domains in the same forest to speed up authentication. Shortcut trusts are transitive and can be either one way or two way.

Windows 2000 only supports the following types of trusts:

Two-way transitive trusts (parent-child and tree-root, within the forest)

One-way non-transitive trusts (external trusts)

BACKUP

Archive bit:

The archive bit is a file attribute used to determine which files have been backed up previously on a Windows file system. The bit is set whenever a file is created or modified, and a backup type that "clears" it marks the file as backed up.

Types of Backups:

Normal - Saves all selected files and folders and marks them as backed up by clearing the archive bit.

Copy - Saves all selected files and folders without clearing the archive bit, so it does not disturb a Normal/Incremental schedule.

Incremental - Stores all files that have changed since the last Normal or Incremental backup (that is, files with the archive bit set). The archive bit is cleared.

Differential - Contains all files that have changed since the last Normal backup. The archive bit is not cleared, so each differential grows until the next Normal backup.

Daily - Saves files and folders that have been changed that day, selected by modification date. The archive bit is not cleared.
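The interaction between the five types is easiest to see by driving the archive bit yourself. The PowerShell below is an added example, not from the original notes: it implements the selection rule of each backup type against a throwaway directory under $env:TEMP and shows why mixing Incremental and Differential in one schedule loses files.

```powershell
# Added example, not from the original notes. Simulates each backup type's file
# selection from the archive attribute; it touches only a temporary directory.
function Get-BackupSet {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)]
        [ValidateSet('Normal','Copy','Incremental','Differential','Daily')][string]$Type,
        [datetime]$Day = (Get-Date).Date
    )
    $archive = [IO.FileAttributes]::Archive
    $files   = Get-ChildItem -Path $Root -File -Recurse

    $selected = switch ($Type) {
        'Normal'       { $files }                                                         # everything
        'Copy'         { $files }                                                         # everything
        'Incremental'  { $files | Where-Object { ($_.Attributes -band $archive) -ne 0 } } # changed since last Normal/Incremental
        'Differential' { $files | Where-Object { ($_.Attributes -band $archive) -ne 0 } } # changed since last Normal
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq $Day } }       # modified on that day
    }

    # Only Normal and Incremental clear the bit, so only they change what the next run sees.
    if ($Type -in 'Normal','Incremental') {
        foreach ($f in $selected) { $f.Attributes = $f.Attributes -band (-bnot $archive) }
    }
    @($selected | ForEach-Object Name)
}

$lab = Join-Path $env:TEMP ('archivebit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $lab | Out-Null
'a','b','c' | ForEach-Object { Set-Content -Path (Join-Path $lab "$_.txt") -Value $_ }  # new files carry the bit

Get-BackupSet -Root $lab -Type Normal            # a.txt b.txt c.txt; bits cleared
Set-Content -Path (Join-Path $lab 'b.txt') -Value 'changed'   # any write sets the bit again
Get-BackupSet -Root $lab -Type Differential      # b.txt; bit kept
Get-BackupSet -Root $lab -Type Incremental       # b.txt; bit cleared
Get-BackupSet -Root $lab -Type Differential      # empty: a Differential taken after an Incremental misses b.txt
Get-BackupSet -Root $lab -Type Copy              # a.txt b.txt c.txt; nothing changes
Remove-Item -Path $lab -Recurse -Force
```

The last Differential is the point: once an Incremental has cleared the b.txt bit, a later Differential no longer sees it, so a restore of "last Normal plus last Differential" silently loses the change. Pick one of the two for a schedule, and use Copy for ad hoc backups in between.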

Multiplexing:

Multiplexing sends data from multiple sources to a single tape or disk device. This is useful if you have a tape or disk device that writes faster than a single system can send data, which (at this point) is just about every tape device.

Multistreaming:

Multistreaming establishes multiple connections, or threads, from a single system to the backup server. This is useful if you have a large system with multiple I/O devices and large amounts of data that need backing up.

To perform a backup, select "Start", "Programs", "Accessories", "System Tools", and "Backup". The Windows 2000 "Backup Utility" will start. It has these tabs:

System State data:

1. The registry

2. System startup files

3. Component Services class registration database

4. Active Directory (Windows 2000 & 2003 Servers only)

5. Certificate Services database (Windows 2000 & 2003 Servers only)

6. SYSVOL folder (Windows 2000 & 2003 Servers only)

Non-authoritative Active Directory restore:

Changes are accepted from other domain controllers after the restore is done.

When you restore a domain controller by using backup and restore programs, the default mode for the restore is non-authoritative. This means that the restored server is brought up to date with its replication partners through the normal replication mechanism: anything that changed after the backup was taken replicates back in.

Authoritative Active Directory restore:

Changes are NOT accepted from other domain controllers for the restored objects after the restore is done; instead the restored objects replicate out and overwrite the partners' copies.

Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as authoritative with respect to their replication partners. It does so by incrementing the version number of the attributes of the marked objects (or of the entire directory) so that they win replication conflicts. You can authoritatively restore only objects from the configuration and domain naming contexts; authoritative restores of the schema naming context are not supported. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.

Authoritative Restore Example

E:\ntdsutil>ntdsutil

ntdsutil: authoritative restore

authoritative restore: restore subtree OU=bosses,DC=ourdom,DC=com

Opening DIT database... Done.

The current time is 06-17-05 12:34.12.

Most recent database update occurred at 06-16-05 00:41.25.

Increasing attribute version numbers by 100000.

Counting records that need updating...

Records found: 0000000012

Directory Store Files that are backed up

Database file - Stored in %SystemRoot%\NTDS\ntds.dit, it holds all AD objects and attributes. Contains these tables:

Ntds.dit is the Active Directory database, which stores all of the Active Directory objects held by the domain controller. The .dit extension refers to "directory information tree". The default location is the %systemroot%\Ntds folder. Every change to Ntds.dit is first recorded in the transaction log files that are associated with it. Because the file contains the password hashes of every account in the domain, a copy of it (together with the SYSTEM registry hive that holds the boot key) is as sensitive as the domain itself; protect backups accordingly.

Edb*.log is the transaction log file. Each transaction log file is 10 megabytes (MB). When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number starting from 1.

Edb.chk is a checkpoint file which is used by the database engine to track the data which is not yet written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which information must be recovered if a failure occurs.

Res1.log and Res2.log: These are reserved transaction log files. The amount of disk space that is reserved on a drive or folder for these logs is 20 MB. This reserved disk space provides sufficient space to shut down cleanly if all the other disk space is being used.

Recovery without Restore - Transaction logs are used to recover uncommitted AD changes after a system crash. This is done automatically by the system, without using a restore from a tape backup.

How to restore a domain controller system:

1. Reboot the domain controller.

2. Press F8 while booting.

3. From the Advanced Options Menu, select "Directory Services Restore Mode".

4. Select the correct Windows 2000 Server operating system if more than one system is on the computer.

5. In safe mode, press CTRL-ALT-DEL.

6. Log on as Administrator (the Directory Services Restore Mode account, not a domain account).

7. Select "Start", "Programs", "Accessories", "System Tools", and "Backup".

8. Use the "Restore Wizard".

9. After the restore, if an authoritative restore is required, use the "ntdsutil" command-line utility. Type "authoritative restore". The syntax for restoring part of the database is:

restore subtree OU=OUname,DC=domainname,DC=rootdomain

Type "restore database" to make the entire database authoritative.

10. Reboot the domain controller.

How to Transfer the FSMO Roles:

To Transfer the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > Run and typing:

regsvr32 schmmgmt.dll

2. Press OK. You should receive a success confirmation.

3. From the Run command, open an MMC console by typing MMC.

4. On the Console menu, press Add/Remove Snap-in.

5. Press Add. Select Active Directory Schema.

6. Press Add and press Close. Press OK.

7. If you are NOT logged on to the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

8. Press Specify... and type the name of the new role holder. Press OK.

9. Right-click the Active Directory Schema icon again and press Operations Master.

10. Press the Change button.

11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

4. Type connect to server ms-dc04, where ms-dc04 is the name of the server you want to use, and then press ENTER.

server connections: connect to server ms-dc04
Binding to ms-dc04 ...
Connected ms-dc04 using credentials of locally logg
server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master. Options are:

Transfer domain naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master

7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.

8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.

9. Restart the server and make sure you update your backup.

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

4. Type connect to server ms-dc04, where ms-dc04 is the name of the server you want to use, and then press ENTER.

server connections: connect to server ms-dc04
Binding to ms-dc04...
Connected to ms-dc04 using credentials of locally lo
server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

Note: All five roles need to be in the forest. If the first domain controller is out of the forest, then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.


DHCP

Dynamic Host Configuration Protocol is used to automatically assign TCP/IP addresses to clients along with the correct subnet mask, default gateway, and DNS server. Two ways for a computer to get its IP address:

DHCP Scopes

Scope - A range of IP addresses that the DHCP server can assign to clients that are on one subnet.

Super scope - A range of IP addresses that span several subnets. The DHCP server can assign these addresses to clients that are on several subnets.

Multicast scope - A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be assigned to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.

DORA

DHCP Lease Process

DHCP leases are used to reduce DHCP network traffic by giving clients specific addresses for set periods of time.

DHCP Lease Process

1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.

2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client. If no DHCP server responds to the client request, the client can proceed in two ways:

• If it is a Windows 2000-based client, and IP auto-configuration has not been disabled, the client self-configures an IP address for its interface.

• If the client is not a Windows 2000-based client, or IP auto-configuration has been disabled, the client network initialization fails. The client continues to resend DHCPDiscover messages in the background (four times, every 5 minutes) until it receives a DHCPOffer message from a DHCP server.

3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message.

4. The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message.

5. Once the client receives the acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.

In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.

When the client sends the lease request, it then waits one second for an offer. If a response is not received, the request is repeated at 9, 13, and 16 second intervals with an additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. The client uses port 67 and the server uses port 68.
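The four-message exchange above, implemented as an added example (not part of the original notes) with Python's standard library: the client builds DHCPDISCOVER and DHCPREQUEST, a constructed server answers with DHCPOFFER and DHCPACK (or DHCPNAK), and the parser checks the magic cookie, every option length and the transaction id before a reply is accepted, which is also the check that keeps a stray or forged reply for another transaction from being taken as a lease. The 192.0.2.x addresses, MAC address, xid and lease time are constructed sample values, and retry_delay follows the timings described above.

```python
import random
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte BOOTP fixed header
BOOTREQUEST, BOOTREPLY = 1, 2
# Option 53 message types (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255


def build_message(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Serialize one DHCP message: fixed header, magic cookie, TLV options, END."""
    header = struct.pack(
        HEADER_FMT, op, 1, len(chaddr), 0, xid, 0, 0x8000,   # htype=Ethernet, broadcast flag
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_message(pkt):
    """Parse a DHCP message into header fields plus an {option_code: raw_bytes} map.
    Frames without the magic cookie, or with an option that overruns the packet, are rejected."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER_FMT, pkt[:236])
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": options}


def msg_type(msg):
    return msg["options"][OPT_MSG_TYPE][0]


def server_reply(request, kind, server_ip, offered_ip, lease_secs):
    """The server side: answer a DISCOVER with an OFFER or a REQUEST with an ACK/NAK,
    echoing the client's xid and chaddr. Subnet, router and DNS are constructed values."""
    opts = [(OPT_MSG_TYPE, bytes([kind])),
            (OPT_SERVER_ID, socket.inet_aton(server_ip))]
    if kind != NAK:
        opts += [(OPT_LEASE, struct.pack("!I", lease_secs)),
                 (OPT_SUBNET, socket.inet_aton("255.255.255.0")),
                 (OPT_ROUTER, socket.inet_aton("192.0.2.1")),
                 (OPT_DNS, socket.inet_aton("192.0.2.53"))]
    return build_message(BOOTREPLY, request["xid"], request["chaddr"], opts,
                         yiaddr="0.0.0.0" if kind == NAK else offered_ip)


def run_dora(client_mac, xid, server_ip="192.0.2.1", offered_ip="192.0.2.77",
             lease_secs=28800, final=ACK):
    """Walk Discover -> Offer -> Request -> Ack and return the lease the client holds.
    Each reply is checked against the xid the client chose, so a reply for another
    client's transaction is not accepted; a NAK returns None and the client starts over."""
    discover = build_message(BOOTREQUEST, xid, client_mac,
                             [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = parse_message(server_reply(parse_message(discover), OFFER,
                                       server_ip, offered_ip, lease_secs))
    if offer["op"] != BOOTREPLY or offer["xid"] != xid or msg_type(offer) != OFFER:
        raise ValueError("offer does not belong to this transaction")
    request = build_message(BOOTREQUEST, xid, client_mac, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQ_IP, socket.inet_aton(offer["yiaddr"])),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse_message(server_reply(parse_message(request), final,
                                     server_ip, offered_ip, lease_secs))
    if ack["xid"] != xid:
        raise ValueError("ack does not belong to this transaction")
    if msg_type(ack) == NAK:     # invalid or duplicate address: restart the whole process
        return None
    return {"ip": ack["yiaddr"],
            "server": socket.inet_ntoa(ack["options"][OPT_SERVER_ID]),
            "lease_secs": struct.unpack("!I", ack["options"][OPT_LEASE])[0],
            "router": socket.inet_ntoa(ack["options"][OPT_ROUTER])}


def retry_delay(attempt, rng=random):
    """Seconds to wait before re-sending DISCOVER when no offer arrives: 1 s first,
    then 9, 13 and 16 s plus 0-1000 ms of jitter, then every 5 minutes."""
    if attempt == 0:
        return 1.0
    if attempt <= 3:
        return (9, 13, 16)[attempt - 1] + rng.random()
    return 300.0


if __name__ == "__main__":
    print(run_dora(bytes.fromhex("0a0b0c0d0e0f"), 0x3903F326))  # constructed MAC and xid
```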

Client Reservation

Client Reservation is used to be sure a computer gets the same IP address all the time. Since DHCP IP address assignments use MAC addresses to control assignments, the following are required for a client reservation:

1) MAC (hardware) address

2) IP address

Exclusion Range

An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the assigned addresses in this range. These addresses are not assigned by the DHCP server.

Database files:

DHCP.MDB - The main database.

DHCP.TMP - Temporary DHCP storage.

JET*.LOG - Transaction logs used to recover data.

SYSTEM.MDB - Used to track the structure of the DHCP database.

APIPA

If all else fails, then clients give themselves an Automatic IP address in the range 169.254.x.y, where x and y are two random numbers between 1 and 254.

BOOTP

BOOTP, or the bootstrap protocol, can be used to boot diskless clients.

WINS

WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers your NetBIOS names and resolves them into IP addresses.

DFS

The Distributed File System (DFS) allows files and directories in various places to be combined into one directory tree. Only Windows 2000 & 2003 Servers can contain DFS root directories, and they can have only one.

DFS Components

DFS root - A shared directory that can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server.

Types of DFS roots:

Stand alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 & 2003 Server. This provides no fault tolerance, with the DFS topology stored on one computer. A DFS can be accessed using the syntax: \\Server\DFSname

Domain DFS root - It is published in Active Directory, can be replicated, and can be on any Windows 2000 & 2003 Server. Files and directories must be manually replicated to other servers, or Windows 2000 & 2003 must be configured to replicate files and directories. Configure the domain DFS root, then the replicas when configuring automatic replication. Links are automatically replicated. There may be up to 31 replicas. Domain DFS root directories can be accessed using the syntax: \\domain\DFSname

DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root.

IIS

Virtual Directory:

A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were.

What is ISAPI?

Internet Server Application Programming Interface (ISAPI) is an API developed to provide application developers with a powerful way to extend the functionality of Internet Information Server (IIS). Although ISAPI extensions are by no means limited to IIS, they are extensively used in conjunction with MS-IIS.

What is an application pool?

Application Pools can house a single web site or multiple web sites. They provide a convenient way to administer a set of Web sites and applications and increase reliability.

What is a COM component?

Any VB6 DLL is a COM component, as is any Windows DLL or EXE that supports the COM interfaces.

How many types of authentication securities are there in IIS?

In IIS there are 4 types of authentication security - Basic, Anonymous, Digest & Integrated Windows Authentication.

What is the Tombstone? What is the default tombstone life time? How to increase the tombstone life time?

The tombstone lifetime is the number of days before a deleted object is removed from the directory service. The default tombstone lifetime is 60 days; from Windows Server 2003 SP1 the new default tombstone lifetime is 180 days.

You can check your tombstone lifetime using the following command, which comes with Windows Server 2003:

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

What is a session Object?

A Session Object holds information relevant to a particular user's session.

How IIS can host multiple websites

To distinguish between websites, IIS looks at three attributes:

The host header name

The IP number

The port number

What is a host header?

A host header is a string that is part of the request sent to the web server (it is in the HTTP header). This means that configuring IIS to use host headers is only one step in hosting multiple websites that are distinguished by host header. A configuration of the DNS server (usually this means that you need to add an (A) record for the domain) is also required, so the client can find the web server.

EXCHANGE SERVER

DS PROXY

DSProxy is the component in Microsoft Exchange Server 2003 that provides an address book service to Microsoft Outlook clients. Although the name implies that this component provides only proxy services, DSProxy provides both of the following services:

1. DSProxy emulates a MAPI address book service and sends proxy requests to an Active Directory server.

2. DSProxy refers Outlook client queries to an Active Directory server.

DSAccess

The Exchange components that need to interact with Active Directory use DSAccess to retrieve Active Directory information rather than communicating directly with domain controllers and global catalog servers.

Forestprep

When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.

To verify that the setup /forestprep command completed successfully on a computer that is running Microsoft Windows 2000 Server in an Exchange 2000 environment, use either of the following methods:

• Look for event ID 1575

DomainPrep:

DomainPrep creates the groups and permissions necessary for Exchange servers to read and modify user attributes in Active Directory. You must run DomainPrep before installing your first Exchange server in a domain.

MAPI (Messaging Application Programming Interface)

It is an extensive set of functions that developers can use to create mail-enabled applications. It enables an application to send and receive mail over a Microsoft Mail message system.

Recovery Storage Group:

The Recovery Storage Group is a new feature in Exchange 2003. The biggest advantage of this method is that it reduces the impact of restoring a single mailbox from backup.

Exmerge tool:

ExMerge is used to recover the mailbox data from the Recovery Storage Group. ExMerge creates a .pst file.

List the services of Exchange Server 2003?

Microsoft Exchange Event

Monitors folders and triggers events for server applications compatible with Exchange Server 5.5.

Microsoft Exchange IMAP4

It is a method of accessing electronic mail that is kept on a mail server.

Microsoft Exchange Information Store

The information store, which is the key component for database management in Exchange Server, is actually two separate databases. The private information store database, Priv.edb, manages data in user mailboxes. The public information store, Pub.edb, manages data in public folders.

Microsoft Exchange Management

Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, WMI providers implemented to work in Microsoft Exchange Management, like message tracking and Directory Access, will not work.

Microsoft Exchange MTA Stacks

You use Exchange X.400 services to connect to Exchange 5.5 servers and other connectors (custom gateways).

Microsoft Exchange POP3

POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server.

Microsoft Exchange Routing Engine

The Exchange Routing Engine uses Link State information for e-mail routing. The Routing Engine will forward this information to the Advanced Queuing Engine. The default size of the routing table log file is 50 MB and the default age is seven days.

Microsoft Exchange Site Replication Service

Provides directory interoperability between Exchange 5.5 and Exchange 2000 Server or Exchange 2003. Site Replication Service (SRS) acts as a directory replication bridgehead server for an Exchange site. SRS runs on Exchange 2000 and serves as a modified Exchange 5.5 directory. SRS uses Lightweight Directory Access Protocol (LDAP) to communicate with both the Active Directory® directory service and the Exchange 5.5 directory. To Exchange 5.5, SRS looks similar to another Exchange 5.5 configuration/recipients replication partner.

Microsoft Exchange System Attendant

Provides monitoring, maintenance, and Active Directory lookup services (for example, monitoring of services and connectors, proxy generation, Active Directory to metabase replication, publication of free/busy information, offline address book generation, mailbox maintenance, and forwarding Active Directory lookups to a global catalog server). If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it cannot start.

What are the Exchange Server 2003 - Troubleshooting Eseutil commands?

Eseutil /mh

Here is a simple switch to verify the state of an Exchange database. All that eseutil /mh does is determine whether the last shutdown was clean or dirty. Eseutil /mh is ideal to practice getting to the right path and executing eseutil without doing any harm to the mailstore databases.

Eseutil /ml

Similar to /mh, except this switch performs an integrity check on log files, for example, E00.log.

Eseutil /mm

Dumps metadata from the database file (not the logs). Specialist use only; I find the output fascinating but not very useful.

Eseutil /mk

Provides information about the checkpoint file. Handy for troubleshooting backup / restore problems. Where /mh used priv1.edb, remember to substitute the name of the checkpoint file E00.chk with /mk.

Eseutil /k to check for damaged headers

Eseutil /cc for troubleshooting

Eseutil /d to defrag the .edb database

Example: eseutil /d e:\exchsrvr\mdbdata\priv1.edb (or another path to your store)

Eseutil /r to repair Exchange 2003 log files

Eseutil /p will attempt to repair a corrupted store database

Eseutil /y copies a database, streaming file, or log file

Eseutil /g verifies the integrity of a database

Eseutil /m generates formatted output of various database file types, e.g. /mh

Isinteg Utility (Information Store Integrity Checker) finds and eliminates errors from the public folder and mailbox databases at the application level. It can recover data that Eseutil cannot recover.

Offline Storage Files (.OST) file

Microsoft Exchange Server locally stores its data in an OST file on your storage device. An OST file is a component of Microsoft Exchange Server and can't be used with Microsoft Outlook.

When the Exchange server crashes or a mailbox is deleted from the Exchange server, the OST file becomes inaccessible and remains on the user's computer holding a large part of the emails, calendar, journals, notes, contacts, tasks etc.

Advanced Queuing Engine (AQE)

The Advanced Queuing Engine (AQE) is responsible for creating and managing message queues for e-mail delivery. When AQE receives a Simple Mail Transfer Protocol (SMTP) mailmsg object, this object will be forwarded to the Message Categorizer. The Advanced Queuing Engine then queues the Mailmsg object for message delivery based on the routing information provided by the Routing Engine process of Exchange Server 2003.

Outbound Mail Flow in Exchange Server 2003

Outbound mail flows through an Exchange Server deployment in the following manner:

1. Mail messages are sent from a client (Microsoft Outlook, Outlook Express, or Outlook Web Access, for example) and are submitted to the local Exchange store.

2. The Exchange store submits the message to the Advanced Queuing Engine.

3. The Advanced Queuing Engine submits the message to the message categorizer.

4. The message categorizer validates the recipients of the message, checks for proper recipient attributes, applies limits and restrictions, flags the message for local or remote delivery, and then returns the message to the Advanced Queuing Engine.

5. If for local delivery, the Advanced Queuing Engine submits the message to the Local Delivery queue, and the Exchange store receives the message from the Local Delivery queue. For more information about the Advanced Queuing Engine,

6. If for remote delivery, the Advanced Queuing Engine submits the message to the Routing Engine. The Routing Engine determines the most efficient route for mail delivery, returns the message to the Advanced Queuing Engine, and, in turn, submits the messages for remote delivery. The messages are then sent via SMTP to a remote SMTP host or to the Internet.

The following are the minimum requirements for outbound mail flow:

Exchange Server must have access to the Internet on port 25. This access should not be blocked by firewalls or other network settings.

Anonymous connections should be allowed.

The Exchange Server SMTP virtual server should be configured to use the default settings.

The public mail exchanger (MX) resource record configured on your public Domain Name System (DNS) service should be accessible to all other Internet domains. The MX record should point to the Exchange server and must be identified before messages can be sent or received.

INTERVIEW QUESTIONS

What protocol and port does DHCP use?

DHCP, like BOOTP, runs over UDP, utilizing ports 67 and 68.

What is the DHCP automatic backup time?

By default it's 60 minutes. You can change the frequency though.

How many scopes can you create?

As a general recommendation, limit each DHCP server to having no more than 1,000 scopes defined for use.

When adding a large number of scopes to the server, be aware that each scope creates a corresponding need for additional incremental increases to the amount of disk space used for the DHCP server registry and for the server paging file.

For the best possible DHCP server design in most networks, it is recommended that you have, at most, 10,000 clients per server.

Advantage of LDP tool:

The LDP tool is used for reanimating Active Directory tombstone objects.

Repadmin to remove lingering objects:

repadmin /removelingeringobjects

If there is a set of 30 hard disks configured for RAID 5 and two hard disks fail, what about the data?

Because of the parity information, all data is available in case one of the disks fails. If extra (spare) disks are available, then reconstruction will begin immediately after the device failure. However, if two hard disks fail at the same time, all data is LOST. In short, RAID 5 can survive one disk failure, but not two or more.

In RAID 5, suppose I have 5 HDDs of 10 GB each; after configuring the RAID, how much space do I have to utilize?

One disk out of the total (e.g. if you are using 5 you will get only 4, because 1 goes for parity).

Here I am playing a key role in Active Directory and Backup Administration. I need to check the backup logs, that backing up is completed successfully. We have a MOM Team; it will generate the alerts in respect to MOM. I am taking care of AD alerts and backups, like disk space low issues, automated services, CPU utilization, server availability, server health check, hardware failures and DNS issues, and moreover I can say user creations, DL creations, mailbox movements, and I am a part of taking care about the anti virus bad clients.

We are using the HP OVSD tool to monitor the queue and all these issues.

RAID 5 and 10?

Common Name(s): RAID 5.

Technique(s) Used: Block-level striping with distributed parity.

Description: One of the most popular RAID levels, RAID 5 stripes both data and parity information across three or more drives. It is similar to RAID 4 except that it exchanges the dedicated parity drive for a distributed parity algorithm, writing data and parity blocks across all the drives in the array. This removes the "bottleneck" that the dedicated parity drive represents, improving write performance slightly and allowing somewhat better parallelism in a multiple-transaction environment, though the overhead necessary in dealing with the parity continues to bog down writes.

Fault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself.

The performance of a RAID 5 array can be "adjusted" by trying different stripe sizes until one is found that is well-matched to the application being used.

RAID5 versus RAID10 (or even RAID3 or RAID4)

First let's get on the same page so we're all talking about apples.

What is RAID5?

OK here is the deal, RAID5 uses ONLY ONE parity drive per stripe and many RAID5 arrays are 5 drives (if your counts are different adjust the calculations appropriately): 4 data and 1 parity, though it is not a single drive that is holding all of the parity as in RAID 3 & 4, but read on. If you have 10 drives of say 20GB each for 200GB, RAID5 will use 20% for parity (assuming you set it up as two 5 drive arrays), so you will have 160GB of storage. Now since RAID10, like mirroring (RAID1), uses 1 (or more) mirror drive for each primary drive, you are using 50% for redundancy, so to get the same 160GB of storage you will need 8 pairs or 16 - 20GB drives, which is why RAID5 is so popular. This intro is just to put things into perspective.

RAID5 is physically a stripe set like RAID0 but with data recovery included. RAID5 reserves one disk block out of each stripe block for parity data. The parity block contains an error correction code which can correct any error in the RAID5 block; in effect it is used in combination with the remaining data blocks to recreate any single missing block, gone missing because a drive has failed. The innovation of RAID5 over RAID3 & RAID4 is that the parity is distributed on a round robin basis so that there can be independent reading of different blocks from the several drives. This is why RAID5 became more popular than RAID3 & RAID4, which must synchronously read the same block from all drives together. So, if Drive2 fails, blocks 1,2,4,5,6 & 7 are data blocks on this drive and blocks 3 and 8 are parity blocks on this drive. So that means that the parity on Drive5 will be used to recreate the data block from Disk2 if block 1 is requested before a new drive replaces Drive2 or during the rebuilding of the new Drive2 replacement. Likewise the parity on Drive1 will be used to repair block 2 and the parity on Drive3 will repair block 4, etc. For block 2 all the data is safely on the remaining drives, but during the rebuilding of Drive2's replacement a new parity block will be calculated from the block 2 data and will be written to Drive 2.

Now when a disk block is read from the array the RAID software/firmware calculates which RAID block contains the disk block, which drive the disk block is on and which drive contains the parity block for that RAID block, and reads ONLY the one data drive. It returns the data block. If you later modify the data block it recalculates the parity by subtracting the old block and adding in the new version, then in two separate operations it writes the data block followed by the new parity block. To do this it must first read the parity block from whichever drive contains the parity for that stripe block and reread the unmodified data for the updated block from the original drive. This read-read-write-write is known as the RAID5 write penalty; since these two writes are sequential and synchronous the write system call cannot return until the reread and both writes complete, for safety, so writing to RAID5 is up to 50% slower than RAID0 for an array of the same capacity. (Some software RAID5's avoid the re-read by keeping an unmodified copy of the original block in memory.)

Now what is RAID10?

RAID10 is one of the combinations of RAID1 (mirroring) and RAID0 (striping) which are possible. There used to be confusion about what RAID01 or RAID10 meant and different RAID vendors defined them differently. About five years or so ago I proposed the following standard language which seems to have taken hold. When N mirrored pairs are striped together this is called RAID10 because the mirroring (RAID1) is applied before striping (RAID0). The other option is to create two stripe sets and mirror them one to the other; this is known as RAID01 (because the RAID0 is applied first). In either a RAID01 or RAID10 system each and every disk block is completely duplicated on its drive's mirror. Performance-wise both RAID01 and RAID10 are functionally equivalent. The difference comes in during recovery, where RAID01 suffers from some of the same problems I will describe affecting RAID5 while RAID10 does not.

Now if a drive in the RAID5 array dies, is removed, or is shut off, data is returned by reading the blocks from the remaining drives and calculating the missing data using the parity, assuming the defunct drive is not the parity block drive for that RAID block. Note that it takes 4 physical reads to replace the missing disk block (for a 5 drive array) for four out of every five disk blocks, leading to a 64% performance degradation until the problem is discovered and a new drive can be mapped in to begin recovery. Performance is degraded further during recovery because all drives are being actively accessed in order to rebuild the replacement drive (see below).

If a drive in the RAID10 array dies, data is returned from its mirror drive in a single read with only minor (6.25% on average for a 4 pair array as a whole) performance reduction when two non-contiguous blocks are needed from the damaged pair (since the two blocks cannot be read in parallel from both drives) and none otherwise.

Mirroring?

Mirroring is one of the two data redundancy techniques used in RAID (the other being parity). In a RAID system using mirroring, all data in the system is written simultaneously to two hard disks instead of one; thus the "mirror" concept. The principle behind mirroring is that this 100% data redundancy provides full protection against the failure of either of the disks containing the duplicated data. Mirroring setups always require an even number of drives for obvious reasons.

The chief advantage of mirroring is that it provides not only complete redundancy of data, but also reasonably fast recovery from a disk failure. Since all the data is on the second drive, it is ready to use if the first one fails. Mirroring also improves some forms of read performance (though it actually hurts write performance.) The chief disadvantage of RAID 1 is expense: that data duplication means half the space in the RAID is "wasted", so you must buy twice the capacity that you want to end up with in the array. Performance is also not as good as some RAID levels.

Parity

Mirroring is a data redundancy technique used by some RAID levels, in particular RAID level 1, to provide data protection on a RAID array. While mirroring has some advantages and is well-suited for certain RAID implementations, it also has some limitations. It has a high overhead cost, because fully 50% of the drives in the array are reserved for duplicate data; and it doesn't improve performance as much as data striping does for many applications. For this reason, a different way of protecting data is provided as an alternate to mirroring. It involves the use of parity information, which is redundancy information calculated from the actual data values.
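The parity arithmetic behind the RAID 5 material above (the "two disks fail" question, the distributed-parity description, the read-read-write-write penalty, the degraded read and the Parity section), as an added example in Python that is not part of the original notes: a toy array with XOR parity that rotates across drives, a degraded read that rebuilds a block from the other drives, a small write that derives the new parity from old parity, old data and new data, and a rebuild of a replaced drive. The 4-byte block size, the rotation rule for the parity drive and the sample data are constructed for illustration.

```python
BLOCK = 4   # bytes per block; deliberately tiny so stripes are easy to inspect


def xor_blocks(*blocks):
    """XOR any number of equal-size blocks; this is the RAID 5 'error correction code'."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    """A toy RAID 5 array: each stripe holds n-1 data blocks and one parity block,
    and the parity block rotates across the drives from one stripe to the next."""

    def __init__(self, ndrives):
        if ndrives < 3:
            raise ValueError("RAID 5 needs at least three drives")
        self.n = ndrives
        self.drives = [[] for _ in range(ndrives)]   # drives[d][stripe] -> block or None
        self.failed = set()

    def parity_drive(self, stripe):
        # round-robin placement (a constructed rotation): stripe 0 keeps its parity on the
        # last drive, stripe 1 on the one before it, and so on
        return (self.n - 1 - stripe) % self.n

    def data_drives(self, stripe):
        p = self.parity_drive(stripe)
        return [d for d in range(self.n) if d != p]

    def write_stripe(self, data_blocks):
        """Full-stripe write: n-1 data blocks plus their XOR as the parity block."""
        if len(data_blocks) != self.n - 1 or any(len(b) != BLOCK for b in data_blocks):
            raise ValueError("need %d blocks of %d bytes" % (self.n - 1, BLOCK))
        stripe = len(self.drives[0])
        blocks = list(data_blocks)
        blocks.insert(self.parity_drive(stripe), xor_blocks(*data_blocks))
        for d in range(self.n):
            self.drives[d].append(blocks[d])

    def fail(self, drive):
        """Simulate a dead drive: its blocks are gone, not merely unreadable."""
        self.failed.add(drive)
        self.drives[drive] = [None] * len(self.drives[drive])

    def read(self, stripe, idx):
        """Return logical data block idx of a stripe and the number of physical reads it cost:
        one on a healthy drive, n-1 (every surviving data and parity block) after a failure."""
        d = self.data_drives(stripe)[idx]
        if d not in self.failed:
            return self.drives[d][stripe], 1
        if self.failed - {d}:
            raise IOError("two or more drives failed: the data is lost")
        survivors = [self.drives[x][stripe] for x in range(self.n) if x != d]
        return xor_blocks(*survivors), len(survivors)

    def update(self, stripe, idx, new_block):
        """Small write with the RAID 5 write penalty: read old data and old parity, then
        write new data and new parity = old_parity XOR old_data XOR new_data
        ('subtracting the old block and adding in the new version'). Returns the I/O count."""
        d, p = self.data_drives(stripe)[idx], self.parity_drive(stripe)
        if d in self.failed or p in self.failed:
            raise IOError("degraded stripe; rebuild before updating it")
        old_data, old_parity = self.drives[d][stripe], self.drives[p][stripe]   # 2 reads
        self.drives[d][stripe] = new_block                                      # write 1
        self.drives[p][stripe] = xor_blocks(old_parity, old_data, new_block)    # write 2
        return 4

    def rebuild(self, drive):
        """Recreate every block (data or parity) of a replaced drive from the other n-1."""
        if self.failed - {drive}:
            raise IOError("cannot rebuild while another drive is missing")
        self.drives[drive] = [xor_blocks(*(self.drives[x][s] for x in range(self.n) if x != drive))
                              for s in range(len(self.drives[0]))]
        self.failed.discard(drive)


def usable_capacity(ndrives, drive_gb):
    """RAID 5 gives up exactly one drive's worth of space to parity: (n - 1) * size."""
    return (ndrives - 1) * drive_gb


if __name__ == "__main__":
    array = Raid5(5)
    array.write_stripe([b"AAAA", b"BBBB", b"CCCC", b"DDDD"])   # constructed sample data
    array.fail(1)
    print(array.read(0, 1))        # (b'BBBB', 4): recovered from the four survivors
    print(usable_capacity(5, 10))  # 40
```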

Cross realm uses the ticket granting service for cross domain authentication.

Kerberos Authentication: After giving the password at the client end, the client checks the time stamp with the domain controller / Global Catalog with the use of the NTP protocol (port number 123).

The time difference between the DC and the client must not exceed 5 mins.

After finishing the time stamp matching, a session ticket with the encrypted password is issued and it releases the two tickets with the help of the KDC (Key Distribution Centre).

One sends the request to logon and the other one sends the permission, whether accepting or not.

After the authentication from Kerberos, LDAP finishes the logon process with port number 389.

Kerberos uses two protocols, UDP and TCP, with the same port number 88.

After that it checks for the password which is maintained in the DC; if it matches, it will start authenticating with the domain.

Replmon

Replmon.exe: Active Directory Replication Monitor

This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

You can use ReplMon to do the following:

1. See when a replication partner fails.

2. View the history of successful and failed replication changes for troubleshooting purposes.

3. Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory.

4. View a snapshot of the performance counters on the computer, and the registry configuration of the server.

5. Generate status reports that include direct and transitive replication partners, and detail a record of changes.

6. Find all direct and transitive replication partners on the network.

7. Display replication topology.

8. Poll replication partners and generate individual histories of successful and failed replication events.

9. Force replication.

10. Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.

11. Display changes that have not yet replicated from a given replication partner.

12. Display a list of the trust relationships maintained by the domain controller being monitored.

13. Display the metadata of an Active Directory object's attributes.

14. Monitor replication status of domain controllers from multiple forests.

Repadmin.exe: Replication Diagnostics Tool

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

Usually, the Knowledge Consistency Checker (KCC) manages the replication topology for each naming context held on domain controllers.

Important:

During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of this tool can adversely impact the replication topology. The primary use of this tool is to monitor replication so that problems such as offline servers or unavailable LAN/WAN connections can be identified.
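The monitoring use described above (showrepl /csv as a health check) as an added example, not code from the original notes or from the Repadmin tool itself: a small parser that reads the CSV form of showrepl output and reports inbound links with recorded failures or with no successful replication inside a chosen window. The sample rows are constructed, and the column layout (a showrepl_COLUMNS header row followed by showrepl_INFO rows) is an assumption about what repadmin emits; the site names, DC names and naming contexts are placeholders.

```python
"""Triage of `repadmin /showrepl /csv` output.

Added example, not from the original notes. The rows below are constructed;
the column layout is assumed to match what repadmin emits (one
`showrepl_COLUMNS` header row followed by `showrepl_INFO` rows).
"""
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample for three inbound links. The Branch -> HQ link into DC1
# has four recorded failures; 1722 is the Win32 code for "RPC server unavailable".
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=com",HQ,DC2,RPC,0,0,2024-05-01 10:00:00,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=example,DC=com",Branch,DC3,RPC,4,2024-05-01 09:50:00,2024-04-28 08:00:00,1722
showrepl_INFO,Branch,DC3,"DC=example,DC=com",HQ,DC1,RPC,0,0,2024-05-01 09:58:00,0
"""


def parse_showrepl(text: str) -> list[dict]:
    """Map each showrepl_INFO row to a dict keyed by the COLUMNS header names."""
    rows = list(csv.reader(io.StringIO(text)))
    header = next(r for r in rows if r and r[0] == "showrepl_COLUMNS")
    return [dict(zip(header, r)) for r in rows if r and r[0] == "showrepl_INFO"]


def find_problems(rows: list[dict], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> list[str]:
    """Flag links with recorded failures or with no success inside `max_age`."""
    issues = []
    for r in rows:
        link = f"{r['Source DSA']} -> {r['Destination DSA']} [{r['Naming Context']}]"
        if int(r["Number of Failures"]) > 0:
            issues.append(f"{link}: {r['Number of Failures']} failures, "
                          f"last status {r['Last Failure Status']}")
        last_ok = r["Last Success Time"]
        if last_ok in ("", "0") or now - datetime.strptime(last_ok, TIME_FMT) > max_age:
            issues.append(f"{link}: no successful replication within {max_age}")
    return issues


def problems_in_sample() -> list[str]:
    """Run the check over the constructed sample as of 2024-05-01 10:05."""
    return find_problems(parse_showrepl(SAMPLE_CSV), datetime(2024, 5, 1, 10, 5))


if __name__ == "__main__":
    for line in problems_in_sample():
        print(line)
```

On the sample the only link reported is DC3 to DC1 for the Configuration partition, once for its failure count and once because its last success is older than the 24-hour window; the healthy links are silent, which is what you want from a check run on a schedule.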

1. How to confirm whether a software package deployed using Group Policy has been installed on the user's PC.

2. In one DC the OU has been deleted by admin1 ... deleted by one administrator; in the other DC the same OU is being updated by admin2 (Lost and Found object).

3. What are the two attributes which change while replication is happening?

4. How do you see, by using GPO, which software has been installed on the machines?

5. How to install a software package on 500 machines ... can you just give the steps?

6. How do you deploy a patch in an enterprise environment?

7. How to uninstall a package?

8. If Kerberos fails, what will happen; is there any other authentication?

9. When do you need to install a DNS server on member servers, and what is the use of it?

10. Can Active Directory integrated DNS be installed on a member server?

11. What are the log files and what is the use of log files?

Answers:

1. Software deployment tools are there ... SMS ... package ... how to deploy ... SMS or some other tool ...

MBSA 2.0.1 is compatible with Microsoft Update and Windows Server Update Services and the SMS Inventory Tool for Microsoft Update (ITMU). MBSA 2.0.1 offers customers improved Windows component support, expanded platform support for XP Embedded and 64-bit Windows, as well as a more consistent and less complex security update management experience. Unless specifically noted, all references to MBSA 2.0 in the MBSA TechNet pages also apply to MBSA 2.0.1.

Legacy Product Support: For customers using legacy products not supported by MBSA 2.0.1, Microsoft Update, and WSUS, Shavlik Technologies provides a free MBSA 2.0.1 companion tool called Shavlik NetChk Limited.

2. Only one OU can be created and deleted ... how will the same OU name come up on the other machines?

3. GPMC ... a GPO is one object in Group Policy.

4. What is the GPMC ... password policy ... how you will apply it ... where you will apply it.

5. Hierarchy ... site, domain and OU ...

6. 500 ... Distribution Point (SMS) ...

7. How to deploy ... in the enterprise environment ...

SUS: Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.

Software Update Services leverages the successful Windows Automatic Updates service first available in Windows XP, and allows information technology professionals to configure a server that contains content from the live Windows Update site in their own Windows-based intranets to service corporate servers and clients.

Software Update Services

The server features include:

Built-in security. The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from Microsoft, the packages are deleted.

Selective content approval. Updates synchronized to your server running Software Update Services are not made automatically available to the computers that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages before deploying them.

Content synchronization. The server is synchronized with the public Windows Update service either manually or automatically. The administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize.

Server-to-server synchronization. Because you may need multiple servers running Microsoft SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, Microsoft SUS will allow you to point to another server running Microsoft SUS instead of Windows Update, allowing these critical software updates to be distributed around your enterprise.

Update package hosting flexibility. Administrators have the flexibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft maintained download servers. These are the actual Windows Update download servers. In a scenario like this, an administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers. Microsoft maintains a worldwide network of these types of servers.

Multi-language support. Although the Software Update Services administrative interface is available only in English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want updates downloaded.

Remote administration via HTTP or HTTPS. The administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher.

Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server.

Download Software Update Services Server 1.0 with Service Pack 1 HERE (33 MB)

Microsoft SUS Server limitations

Though very good at what it does, Microsoft's patch management tool does have a few limitations:

It does not push out service packs; you need a separate solution for that.

It only handles patches at operating system level (including Internet Explorer and IIS), but not application patches such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, etc.

It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems.

It cannot deploy custom patches for third party software.

It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.

This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.

Read more on how to overcome SUS's limitations by using a 3rd party tool called GFI LANguard Network Security Scanner.

Windows Automatic Update Client

To use SUS on your network you will need to use the Windows Automatic Update Client.

The client is based on the Windows Automatic Updates technology that was significantly updated for Windows XP. Automatic Updates is a proactive pull service that enables users with administrative privileges to automatically download and install Windows updates such as critical operating-system fixes and Windows security patches. The features include:

Built-in security: Only users with local administrative privileges can interact with Automatic Updates. This prevents unauthorized users from tampering with the installation of critical updates. Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally signed the files.

Just-in-time validation: Automatic Updates uses the Windows Update service technologies to scan the system and determine which updates are applicable to a particular computer.

Background downloads: Automatic Updates uses the Background Intelligent Transfer Service (BITS), an innovative bandwidth-throttling technology built into Windows XP and newer operating systems, to download updates to the computer. This bandwidth-throttling technology uses only idle bandwidth so that downloads do not interfere with or slow down other network activity, such as Internet browsing.

Chained installation: Automatic Updates uses the Windows Update technologies to install downloaded updates. If multiple updates are being installed and one of them requires a restart, Automatic Updates installs them all together and then requests a single restart.

Multi-user awareness: Automatic Updates is multi-user aware, which means that it displays different UI depending on which administrative user is logged on.

Manageability: In an Active Directory environment, an administrator can configure the behavior of Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.

Multi-language support: The client is supported on localized versions of Windows.

This update applies to the following operating systems:

Windows 2000 Professional with Service Pack 2

Windows 2000 Server with Service Pack 2

Windows 2000 Advanced Server with Service Pack 2

Windows XP Professional

Windows XP Home Edition

Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the Automatic Updates component, eliminating the need to download the client component separately.

Download Windows automatic updating (SUS Client) HERE (1 MB)

Administrator Control via Policies

The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active Directory environment.

Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates.

The Software Update Services installation package includes a policy template file, WUAU.ADM, which contains the Group Policy settings described earlier in this paper. These settings can be loaded into Group Policy Editor for deployment. These policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family, and in Windows XP Service Pack 1.

8. NTLM

System Login Process:

Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.

The KDC maintains a database of secret keys; each entity on the network, whether a client or a server, shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions.

The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short-lived assertions of authenticity called Kerberos tickets.

What follows is a simplified description of the protocol. The following abbreviations will be used:

AS = Authentication Server

TGS = Ticket Granting Server

SS = Service Server

TGT = Ticket Granting Ticket

Briefly, the client authenticates to AS using a long-term shared secret and receives a ticket from the AS. Later the client can use this ticket to get additional tickets for SS without resorting to using the shared secret. These tickets can be used to prove authentication to SS.

In more detail:

User Client-based Logon Steps:

1. A user enters a username and password on the client.

2. The client performs a one-way function on the entered password, and this becomes the secret key of the client.

Client Authentication Steps:

1. The client sends a cleartext message to the AS requesting services on behalf of the user. Sample message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS.

2. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client:

   Message A: Client/TGS session key encrypted using the secret key of the user.

   Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.

3. Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key. This session key is used for further communications with TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

Client Service Authorization Steps:

1. When requesting services, the client sends the following two messages to the TGS:

   Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service.

   Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key.

2. Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the "client/TGS session key". Using this key, the TGS decrypts message D (Authenticator) and sends the following two messages to the client:

   Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and client/server session key) encrypted using the service's secret key.

   Message F: Client/server session key encrypted with the client/TGS session key.

Client Service Request Steps:

1. Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages:

   Message E from the previous step (the client-to-server ticket, encrypted using the service's secret key).

   Message G: a new Authenticator, which includes the client ID and timestamp and is encrypted using the client/server session key.

2. The SS decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client:

   Message H: the timestamp found in the client's recent Authenticator plus 1, encrypted using the client/server session key.

3. The client decrypts the confirmation using the client/server session key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server.

4. The server provides the requested services to the client.
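The exchange just described, messages A through H, run end to end in one process as an added example (not code from the original notes, and not a Kerberos implementation). It also applies the clock-skew rule from the earlier logon notes: authenticators whose timestamp is more than 5 minutes from the KDC's or service's clock are refused. A toy authenticated cipher (SHA-256 keystream plus an HMAC tag) stands in for the AES encryption types real Kerberos uses, so the block needs only the standard library; the user name, password, service name, address, ticket lifetime and skew constant are all constructed for the illustration.

```python
"""Simplified Kerberos exchange (messages A to H) inside one process.

Added example, not from the original notes. A toy authenticated cipher
(SHA-256 keystream plus HMAC tag) stands in for Kerberos' AES encryption
types so the block needs only the standard library; names, address and the
skew limit are constructed for the illustration.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds; the logon notes above quote 5 minutes
TICKET_LIFE = 8 * 3600  # validity period written into every ticket

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: only a holder of `key` can read or alter the blob."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_user_key(password: str) -> bytes:
    """Client logon step 2: a one-way function of the password becomes the client's key."""
    return hashlib.sha256(password.encode()).digest()

def _fresh(auth: dict, ticket: dict, now: int) -> bool:
    """Authenticator names the ticket's client, lies within skew, and the ticket is unexpired."""
    return (auth["client"] == ticket["client"]
            and abs(now - auth["ts"]) <= MAX_SKEW and now <= ticket["expires"])

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) over one key database."""
    def __init__(self, user_keys, tgs_key, service_keys):
        self.user_keys, self.tgs_key, self.service_keys = user_keys, tgs_key, service_keys

    def as_exchange(self, user: str, now: int):
        """Authentication step 2: message A under the user key, message B (TGT) under the TGS key."""
        sk = os.urandom(32).hex()
        msg_a = encrypt(self.user_keys[user], {"tgs_session": sk})
        msg_b = encrypt(self.tgs_key, {"client": user, "addr": "10.0.0.5",
                                       "expires": now + TICKET_LIFE, "tgs_session": sk})
        return msg_a, msg_b

    def tgs_exchange(self, msg_c: dict, msg_d: bytes, now: int):
        """Authorization step 2: open the TGT, check authenticator D, issue E and F."""
        tgt = decrypt(self.tgs_key, msg_c["tgt"])
        sk = bytes.fromhex(tgt["tgs_session"])
        if not _fresh(decrypt(sk, msg_d), tgt, now):
            raise PermissionError("TGS rejected the authenticator")
        ssk = os.urandom(32).hex()
        msg_e = encrypt(self.service_keys[msg_c["service"]],
                        {"client": tgt["client"], "expires": now + TICKET_LIFE, "svc_session": ssk})
        msg_f = encrypt(sk, {"svc_session": ssk})
        return msg_e, msg_f

def service_accept(service_key: bytes, msg_e: bytes, msg_g: bytes, now: int) -> bytes:
    """Service request step 2: SS opens ticket E, checks authenticator G, replies with ts+1 (H)."""
    ticket = decrypt(service_key, msg_e)
    ssk = bytes.fromhex(ticket["svc_session"])
    auth = decrypt(ssk, msg_g)
    if not _fresh(auth, ticket, now):
        raise PermissionError("service rejected the authenticator")
    return encrypt(ssk, {"ts": auth["ts"] + 1})

def run_logon(password: str, now: int = 1_700_000_000, client_skew: int = 0) -> str:
    """Drive the exchange for 'alice' to 'cifs/fs1'; returns 'ok', 'bad-password' or 'rejected'."""
    kdc = KDC({"alice": derive_user_key("correct horse")}, os.urandom(32), {"cifs/fs1": os.urandom(32)})
    client_key = derive_user_key(password)  # neither password nor key ever leaves the client
    client_clock = now + client_skew        # the client's possibly drifted clock
    try:
        msg_a, msg_b = kdc.as_exchange("alice", now)  # cleartext request; A and B come back
        tgs_session = bytes.fromhex(decrypt(client_key, msg_a)["tgs_session"])
    except ValueError:
        return "bad-password"  # message A does not open: wrong one-way key
    try:
        msg_c = {"tgt": msg_b, "service": "cifs/fs1"}
        msg_d = encrypt(tgs_session, {"client": "alice", "ts": client_clock})
        msg_e, msg_f = kdc.tgs_exchange(msg_c, msg_d, now)
        svc_session = bytes.fromhex(decrypt(tgs_session, msg_f)["svc_session"])
        msg_g = encrypt(svc_session, {"client": "alice", "ts": client_clock})
        msg_h = service_accept(kdc.service_keys["cifs/fs1"], msg_e, msg_g, now)
    except PermissionError:
        return "rejected"
    # client step 3: only a holder of the service session key could have produced ts+1
    return "ok" if decrypt(svc_session, msg_h)["ts"] == client_clock + 1 else "rejected"
```

Three runs show the three outcomes the text implies: the right password yields "ok" after the timestamp+1 check, a wrong password fails at message A without the password ever crossing the wire, and a client clock 15 minutes out yields "rejected" at the TGS even though the password was right, which is the failure mode the clock-synchronization drawback below describes.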


Drawbacks

Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers.

Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized.

The administration protocol is not standardized, and differs between server implementations. Password changes are described in RFC 3244.

Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.

Group Policy success: Event ID 1704

For GPUpdate events: 1500, 1501, 1502 and 1503

For SMB errors: Event ID 1058, and in Windows 2000 Event ID 1000

Solution:

1. On the domain controller, click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

3. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

4. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK.

5. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

6. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

7. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.

8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.

9. Open the domain controller's Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat steps 1 through 8.

10. Repeat steps 1 through 9 on each affected domain controller to make sure that each domain controller can access its own Sysvol share.

11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:

a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.

b. In the left pane, expand Local Policies, and then click Security Options.

c. In the right pane, double-click Microsoft network server: Digitally sign communications (always).

Note: In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).

Important: If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X or Microsoft Windows 95 do not support SMB signing. If your network includes clients that do not support SMB signing, set this policy to disabled.

d. Click to select the Define this policy setting check box, click Enabled, and then click OK.

e. Double-click Microsoft network server: Digitally sign communications (if client agrees).

Note: For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible).

f. Click to select the Define this policy setting check box, and then click Enabled.

g. Click OK.

h. Double-click Microsoft network client: Digitally sign communications (always).

i. Click to clear the Define this policy setting check box, and then click OK.

j. Double-click Microsoft network client: Digitally sign communications (if server agrees).

k. Click to clear the Define this policy setting check box, and then click OK.

12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:

a. Click Start, click Run, type cmd, and then click OK.

b. At the command prompt, type gpupdate /force, and then press ENTER.

For more information about the Group Policy Update utility, click the following article number to view the article in the Microsoft Knowledge Base:

298444 (http://support.microsoft.com/kb/298444/) A description of the Group Policy Update utility

Note: The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce.

For more information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

227302 (http://support.microsoft.com/kb/227302/) Using SECEDIT to force a Group Policy refresh immediately

13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the Application Log in Event Viewer. The source of the event is SceCli.

14. Check the registry values that you changed in steps 1 through 7 to make sure that the registry values have not changed.

Note: This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain Security Policy, SMB signing will be disabled for the Workstation service.

15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK.

In the RSoP snap-in, the SMB signing settings are located in the following path:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

Note: If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the command prompt:

gpresult /scope computer /v

After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy objects.
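Step 14 of the procedure above asks you to re-check the four registry values after the policy refresh, because a policy applied at another level can silently turn them back. The following is an added example, not part of the original article: it parses the text of a registry export for the two Parameters keys and reports any value that differs from what steps 1 through 7 set. The .reg content is constructed; on a domain controller it would come from a reg export of the LanmanServer and LanmanWorkstation Parameters keys, and the drifted workstation value in the sample is there to show what a conflicting policy looks like.

```python
"""Verify the SMB signing registry values from steps 1 to 7 against a
`reg export` text, as step 14 asks you to re-check after the policy refresh.

Added example, not from the original article. The .reg text below is
constructed; on a real domain controller it would come from exporting the
LanmanServer and LanmanWorkstation Parameters keys with reg export.
Expected values are the ones the article sets.
"""
import re

# Desired state per the procedure: the Server service enables and requires
# signing; the Workstation service enables it but does not require it.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters": {
        "enablesecuritysignature": 1, "requiresecuritysignature": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters": {
        "enablesecuritysignature": 1, "requiresecuritysignature": 0},
}

# Constructed export: the server key is as configured, but a policy at another
# level has turned the workstation value back off, the case step 14 warns about.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000001
"autodisconnect"=dword:0000000f

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000
"""

VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> dict[str, dict[str, int]]:
    """Collect [key] sections and their dword values.

    Key and value names are case-folded because the registry itself is
    case-insensitive and exports do not preserve the casing the article uses.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def check_smb_signing(reg_text: str) -> list[str]:
    """One finding per expected value that is missing or differs."""
    actual = parse_reg(reg_text)
    findings = []
    for key, wanted in EXPECTED.items():
        service = key.rsplit("\\", 2)[1]          # lanmanserver / lanmanworkstation
        present = actual.get(key.lower(), {})
        for name, want in wanted.items():
            got = present.get(name)
            if got != want:
                findings.append(f"{service}/{name}: expected {want}, found {got}")
    return findings


if __name__ == "__main__":
    for finding in check_smb_signing(SAMPLE_REG):
        print(finding)
```

An empty result means the values survived the gpupdate; a finding for the workstation key, as in the sample, is the cue to open RSoP (step 15) and locate the GPO that is overriding the setting rather than editing the registry again.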
