Domain Controller
OU:
Domain:
Forest
Tree:
rejected by another domain. “Contiguous DNS domains” means that they all have
Site:
Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.
Schema:
The schema defines what attributes, objects, classes, and rules are available in the Active Directory.
Group Policy
(GPT).
The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system
By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the groups.
Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are
Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside
Intersite Replication
between sites.
Replication must often occur both (intrasite) within sites and (intersite) between sites to keep domain and forest data consistent among domain controllers that store
Adprep.exe
Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest
controllers.
USE:
GUID:
When a new domain user or group account is created, Active Directory stores the
also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group
SID:
A security identifier (SID) is a data structure in binary format that contains a variable number of values. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
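As an added illustration (example code written for this page, not taken from it or from Microsoft), the following Python splits a textual SID into its domain SID and RID, checks whether two principals belong to the same domain, and round-trips the binary layout Windows stores. The sample SIDs are constructed; only the layout itself (one byte revision, one byte sub-authority count, a 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) is the real format.

```python
import struct

# Constructed sample SIDs for the example (not taken from the page): one domain
# SID and two principals inside that domain. RID 500 is the built-in Administrator.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
USER_SID = DOMAIN_SID + "-1105"
ADMIN_SID = DOMAIN_SID + "-500"


def parse_sid(sid):
    """Split a textual SID into (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_and_rid(sid):
    """The domain SID is everything except the last sub-authority; the RID is the last one."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID carries no RID: %r" % sid)
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def same_domain(sid_a, sid_b):
    """True when both principals were created by the same domain (identical domain SID)."""
    return split_domain_and_rid(sid_a)[0] == split_domain_and_rid(sid_b)[0]


def sid_to_bytes(sid):
    """Encode a SID in the binary layout Windows uses: one byte revision, one byte
    sub-authority count, a 6-byte big-endian identifier authority, then each
    sub-authority as a little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(sid)
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def sid_from_bytes(data):
    """Decode the binary layout back into the S-R-A-S1-...-Sn text form."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    domain, rid = split_domain_and_rid(USER_SID)
    print("domain SID:", domain, "RID:", rid)
    print("same domain as Administrator:", same_domain(USER_SID, ADMIN_SID))
    print("binary length:", len(sid_to_bytes(USER_SID)), "bytes")
```

The domain-SID comparison is the check that matters when auditing group membership or SID history: two principals share a domain only when every sub-authority but the last is identical.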
Lingering objects
When a domain controller is disconnected for a period that is longer than the TSL, one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone
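To show why the length of the disconnection matters, here is a small added simulation (not from the page) of two domain controllers: a deletion becomes a tombstone on DC1, and DC2 only removes its own copy if it replicates before DC1 garbage-collects that tombstone at the end of the tombstone lifetime. DC names, object names, dates and the 60-day default are assumed for the example.

```python
from datetime import datetime, timedelta

# Constructed scenario (not from the page): two DCs, one of which is cut off from
# replication for a while. tsl_days defaults to 60, the older default the page quotes.


class DirectoryReplica:
    """Toy model of one domain controller's copy of the directory."""

    def __init__(self, name, objects, tsl_days=60):
        self.name = name
        self.objects = set(objects)      # live objects
        self.tombstones = {}             # deleted object -> time of deletion
        self.tsl = timedelta(days=tsl_days)
        self.last_sync = None

    def delete(self, obj, when):
        """Deleting an object turns it into a tombstone that replicates to partners."""
        self.objects.discard(obj)
        self.tombstones[obj] = when

    def garbage_collect(self, now):
        """Remove tombstones older than the tombstone lifetime. After this, nothing
        about the deletion remains to be replicated."""
        expired = sorted(o for o, t in self.tombstones.items() if now - t > self.tsl)
        for obj in expired:
            del self.tombstones[obj]
        return expired

    def replicate_from(self, source, now):
        """Inbound replication: apply the source's tombstones and pick up its objects."""
        for obj, when in source.tombstones.items():
            self.objects.discard(obj)
            self.tombstones[obj] = when
        self.objects |= source.objects
        self.last_sync = now

    def disconnected_longer_than_tsl(self, now):
        """A DC out of touch for longer than the TSL may hold lingering objects."""
        return self.last_sync is None or now - self.last_sync > self.tsl


def lingering_objects(stale_dc, authoritative_dc):
    """Objects still live on stale_dc that the rest of the domain no longer has."""
    return sorted(stale_dc.objects - authoritative_dc.objects - set(stale_dc.tombstones))


def scenario(offline_days, tsl_days=60):
    """Delete a user on DC1 while DC2 is offline for offline_days, then reconnect DC2."""
    t0 = datetime(2003, 1, 1)
    dc1 = DirectoryReplica("DC1", ["userA", "userB"], tsl_days)
    dc2 = DirectoryReplica("DC2", ["userA", "userB"], tsl_days)
    dc2.replicate_from(dc1, t0)              # both in sync at t0, then DC2 goes offline
    dc1.delete("userA", t0)                  # deletion happens while DC2 cannot see it
    reconnect = t0 + timedelta(days=offline_days)
    dc1.garbage_collect(reconnect)           # DC1 scavenges expired tombstones
    over_tsl = dc2.disconnected_longer_than_tsl(reconnect)
    dc2.replicate_from(dc1, reconnect)       # DC2 comes back and replicates
    return {"lingering": lingering_objects(dc2, dc1), "dc2_over_tsl": over_tsl}


if __name__ == "__main__":
    for days in (30, 61):
        print("DC2 offline %d days:" % days, scenario(days))
```

The same scenario with a 180-day lifetime (the newer default quoted further down this page) shows why the longer TSL exists: DC2 can be out of touch for two months and still receive the tombstone.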
Sysvol
Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).
share includes group policy information which is replicated to all local domain
The "Active Directory Users and Computers" tool is used to change the file replication service schedule.
Winlogon
support, Winlogon is the service in which the Group Policy engine runs.
version 2 and version 3 are used by Windows 2000 Server's Active Directory.
An LDAP URL names the server holding Active Directory services and the Attributed Name of the
LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller
USN
Each object has an Update Sequence Number (USN), and if the object is
modified, the USN is incremented. This number is different on each domain
controller. USN provides the key to multimaster replication.
A list of security protections that applies to an object. (An object can be a file, process, event, or
ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for
MultiMaster Operation:
In Windows 2000 & 2003, every domain controller can receive changes, and
the changes are replicated to all other domain controllers. The day-to-day
operations that are associated with managing users, groups, and computers
are typically multimaster operations.
There is a set of Flexible Single Master Operations (FSMO) which can only be
done on a single controller. An administrator determines which operations
must be done on the master controller. These operations are all set up on the
master controller by default and can be transferred later. FSMO operations
types include:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.
Infrastructure Master:
cannot run on a global catalog server (unless all DCs are also GCs.)
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. This role also takes care of the updates when any group membership object is renamed.
It assigns RIDs and SIDs to newly created objects such as users and computers. If the RID master is down, you can still create security objects as long as the DCs have RID pools available; otherwise you can't create any object once it is down.
PDC Emulator - When Active Directory is in mixed mode, the computer Active
Authentication requests.
GPO
Time synchronization
• Drag-and-drop functionality.
• Saved queries. Save commonly used search parameters for reuse in Active
• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
• Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
Modes. The default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once you convert to Native Mode, you are only allowed to
forest and domain functional levels. The concept is rather similar to switching from Mixed to Native Mode in Windows 2000. The new functional levels give you additional
To raise the domain functional level, you go to the properties of your domain in Active Directory Domains and Trusts. To raise the forest functional level you go to the properties of Active Directory Domains and Trusts at the root. Of course, if your domains are not at the correct level, you won’t be able to raise the forest functional level.
Directory partition
each domain controller has a replica of three partitions: the schema partition the
Schema partition
It contains all class and attribute definitions for the forest. There is one schema
Domain partition
It contains all objects that are stored by one domain. There is one domain directory
Application directory partitions are most often used to store dynamic data. An application partition cannot contain security principals (users, groups, and
2003. This partition contains application specific objects. The objects or data that applications and services store here can comprise any object type excluding security principals. Security principals are Users, Groups, and Computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS), and Dynamic Host
Dynamic Data:
(TTL) value. The TTL for an entry is set when the entry is created.
Security Principals - Objects that can have permissions assigned to them and each
o User
o Computer
o Group
RPC:
Active Directory uses RPC over IP to transfer both intersite and intrasite
replication between domain controllers. To keep data secure while in transit,
RPC over IP replication uses both the Kerberos authentication protocol and
data encryption.
SMTP:
If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has
sites. You also cannot use SMTP replication to replicate between domain controllers
be used only for schema, configuration, and global catalog partial replica replication.
SMTP replication observes the automatically generated replication schedule.
1. Boot the domain controller in Directory Services Restore mode and log on
with the Directory Services Restore mode administrator account and
password (this is the password you assigned during the Dcpromo process).
ntdsutil:
file maintenance:
6. To move the log files, type move logs to %s (where %s is the target folder).
DNS
The following graphic shows an overview of the complete DNS query process.
DNS Zones
_SRV).
Secondary Zones - which hold read-only copies of the Primary Zones.
Stub Zones
Conceptually, stub zones are like secondary zones in that they have a read-only copy of a primary zone. Stub zones are more efficient and create less replication traffic. Stub Zones only have 3 records: the SOA for the primary zone, the NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record.
Queries
Inverse - Getting the name from the IP address. These are used by servers as a security check.
Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.
Conditional Forwarding
around using the root hints, the network administrators configure Conditional Forwarders
Without resource records DNS could not resolve queries. The mission of a DNS
part is for the Authoritative server to check the name in the query against its resource records.
SOA (start of authority) record - each zone has one SOA record that identifies which DNS server is authoritative for domains and sub domains in the zone.
DNS server authoritative for the zone. Each primary and secondary name server
A (address) record
record is used to resolve the FQDN of a particular host into its associated IP address.
After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file called Netlogon.dns is
Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to changing the internal IPX number of a Novell server, but it can be done.
1.
2.
3.
4. Restart the NETLOGON service and run “IPconfig /registerDNS”
5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP address of the server. If not, change the records manually and give it 15 minutes to replicate the DNS changes out.
6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things to straighten out. Give it an hour or two if necessary.
If a server shows that it isn’t replicating with one of its partners, there are
A.
B. Make sure that both servers’ DNS entries for each other point to the proper IP addresses
Trust Relationship
One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
• Two way trust - When two domains allow access to users on the other domain.
domain.
Trusted domain - The domain that is trusted, whose users have access to
Transitive trust - A trust which can extend beyond two domains to other
Intransitive trust - A one way trust that does not extend beyond two domains.
Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root.
Shortcut trust - When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can
BACKUP
Archive bit:
The archive bit is used to determine what files have been backed up previously on
Types of Backups:
Normal - Saves files and folders and shows they were backed up by clearing the archive bit.
Copy - Saves files and folders without clearing the archive bit.
Incremental - Incremental backup stores all files that have changed since the last Full,
Differential - A differential backup contains all files that have changed since the last
Daily - Saves files and folders that have been changed that day. The archive bit is not cleared.
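The archive-bit rules above decide which files each backup type selects and whether it clears the bit afterwards. As an added example (not from the page), this Python simulates those rules on a constructed file table and works out which backups a restore would need; file names and dates are made up, and dates are kept as ISO strings for simplicity.

```python
# Constructed sample file table for the example (not from the page). Each entry
# records the last modification date (ISO string) and the current archive bit.
def sample_files():
    return {
        "payroll.xls": {"mtime": "2003-05-01", "archive": True},
        "ntds.dit":    {"mtime": "2003-05-03", "archive": True},
        "readme.txt":  {"mtime": "2003-04-20", "archive": False},
    }


# backup type -> (which files are selected, whether the archive bit is cleared afterwards)
BACKUP_TYPES = {
    "normal":       (lambda f, today: True,                True),
    "copy":         (lambda f, today: True,                False),
    "incremental":  (lambda f, today: f["archive"],        True),
    "differential": (lambda f, today: f["archive"],        False),
    "daily":        (lambda f, today: f["mtime"] == today, False),
}


def run_backup(files, kind, today):
    """Return the sorted list of files a backup of this kind saves, clearing the
    archive bit on them when the type does so."""
    selector, clears_bit = BACKUP_TYPES[kind]
    chosen = sorted(name for name, f in files.items() if selector(f, today))
    if clears_bit:
        for name in chosen:
            files[name]["archive"] = False
    return chosen


def modify(files, name, when):
    """Any write to a file sets its archive bit again."""
    files[name]["mtime"] = when
    files[name]["archive"] = True


def restore_set(history):
    """Given the kinds of backups taken, in order, return the indexes a full
    restore needs: the last normal backup, then every incremental after it, or
    only the latest differential after it (this toy assumes a chain uses one
    style or the other, not both)."""
    last_full = max(i for i, kind in enumerate(history) if kind == "normal")
    later = [(i, kind) for i, kind in enumerate(history) if i > last_full]
    incrementals = [i for i, kind in later if kind == "incremental"]
    differentials = [i for i, kind in later if kind == "differential"]
    if incrementals:
        return [last_full] + incrementals
    if differentials:
        return [last_full, differentials[-1]]
    return [last_full]


if __name__ == "__main__":
    files = sample_files()
    print("normal:", run_backup(files, "normal", "2003-05-03"))
    modify(files, "payroll.xls", "2003-05-04")
    print("differential:", run_backup(files, "differential", "2003-05-04"))
    print("differential again:", run_backup(files, "differential", "2003-05-05"))
    print("incremental:", run_backup(files, "incremental", "2003-05-05"))
    print("incremental again:", run_backup(files, "incremental", "2003-05-06"))
```

Running it shows the practical difference: a differential keeps re-saving the same changed file until the next normal backup, while an incremental saves it once and then nothing, which is why an incremental chain needs every piece at restore time.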
Multiplexing:
Multiplexing sends data from multiple sources to a single tape or disk device.
This is useful if you have a tape or disk device that writes faster than a single
system can send data, which (at this point) is just about every tape device.
Multistreaming:
"Backup". The Windows 2000 "Backup Utility" will start. It has these tabs:
System data:
1. The registry
Changes are accepted from other domain controllers after the backup is
done.
When you are restoring a domain controller by using backup and restore
programs, the default mode for the restore is non-authoritative. This means
that the restored server is brought up-to-date with its replicas through the
normal replication mechanism.
Authoritative Active Directory restores:
Changes are NOT accepted from other domain controllers after the backup is
done.
E:\ntdsutil>ntdsutil
Ntds.dit is the Active Directory database, which stores all of the Active Directory objects on the domain controller. The .dit extension refers to the directory information tree. The default location is the %systemroot%\Ntds folder. Active Directory records every transaction in the log files that are associated with the Ntds.dit file.
Edb.chk is a checkpoint file which is used by the database engine to track the data which is not yet written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which the
Res1.log and Res2.log: These are reserved transaction log files. The amount of disk space that is reserved on a drive or folder for this log is 20 MB. This reserved disk space provides sufficient space to shut down if all the other disk space is being used.
4. Select the correct Windows 2000 Server operating system if more than one
6. Log on as Administrator.
9. After the restore, if an authoritative restore was done use the "ntdsutil" command
format:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
regsvr32 schmmgmt.dll
2.
3.
5.
6.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press
8. Press Specify... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10.
11.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
C:\WINDOWS>ntdsutil
ntdsutil:
2.
ntdsutil: roles
fsmo maintenance:
3.
server connections:
4.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
Transfer PDC
7. You will receive a warning window asking if you want to perform the
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
C:\WINDOWS>ntdsutil
ntdsutil:
2.
ntdsutil: roles
fsmo maintenance:
3.
server connections:
4.
Binding to ms-dc04...
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:
Options are:
Seize PDC
7. You will receive a warning window asking if you want to perform the
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until
Note: Do not put the Infrastructure Master (IM) role on the same domain
server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a
DHCP Scopes
Scope - A range of IP addresses that the DHCP server can assign to clients that
Super scope - A range of IP addresses that span several subnets. The DHCP server can assign these addresses to clients that are on several subnets.
239.255.255.255 that can be assigned to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.
DORA
DHCP leases are used to reduce DHCP network traffic by giving clients specific
1.
2. The client is offered an address when a DHCP server responds with a DHCPOffer
client. If no DHCP server responds to the client request, the client can proceed in two ways:
disabled, the client network initialization fails. The client continues to resend
3. The client indicates acceptance of the offer by selecting the offered address and
4. The client is assigned the address and the DHCP server sends a DHCPAck
in the message.
5.
using any DHCP option information in the reply, and joins the network.
In rare cases, a DHCP server might return a negative acknowledgment to the client.
When the client sends the lease request, it then waits one second for an offer. If a
5 minutes thereafter. The client uses port 67 and the server uses port 68.
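As an added example (not the page's own code), the exchange above simulated in Python with a toy server that holds one scope, an exclusion and a client reservation: DISCOVER, OFFER, REQUEST and ACK, a NAK for an address the server cannot hand out, and the APIPA fallback this page describes later when no server answers at all. Addresses, MAC addresses and the 8-day lease are constructed values, and the message dictionaries stand in for real DHCP packets.

```python
import ipaddress
import random

# Constructed toy DHCP server and client for the example (not from the page).


class DhcpServer:
    """One scope with an exclusion range and per-MAC client reservations."""

    def __init__(self, scope_start, scope_end, exclusions=(), reservations=None,
                 lease_seconds=8 * 24 * 3600):
        first = int(ipaddress.IPv4Address(scope_start))
        last = int(ipaddress.IPv4Address(scope_end))
        self.pool = [ipaddress.IPv4Address(a) for a in range(first, last + 1)]
        self.excluded = {ipaddress.IPv4Address(a) for a in exclusions}
        self.reservations = {mac: ipaddress.IPv4Address(ip)
                             for mac, ip in (reservations or {}).items()}
        self.lease_seconds = lease_seconds
        self.leases = {}  # address -> MAC that holds it

    def _free_address(self, mac):
        if mac in self.reservations:          # reserved clients always get their address
            return self.reservations[mac]
        reserved = set(self.reservations.values())
        for addr in self.pool:
            if addr not in self.excluded and addr not in reserved and addr not in self.leases:
                return addr
        return None

    def _acceptable(self, mac, addr):
        if mac in self.reservations:
            return addr == self.reservations[mac]
        return (addr in self.pool and addr not in self.excluded
                and addr not in self.reservations.values()
                and self.leases.get(addr) in (None, mac))

    def handle(self, msg):
        """Answer one client message; None means the server stays silent (no offer)."""
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            addr = self._free_address(mac)
            if addr is None:
                return None
            return {"type": "DHCPOFFER", "mac": mac, "yiaddr": addr, "server": self}
        if msg["type"] == "DHCPREQUEST":
            addr = msg["requested"]
            if not self._acceptable(mac, addr):
                return {"type": "DHCPNAK", "mac": mac}
            self.leases[addr] = mac
            return {"type": "DHCPACK", "mac": mac, "yiaddr": addr, "lease": self.lease_seconds}
        raise ValueError("unsupported message type %r" % msg["type"])


APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")


def apipa_address(rng=random):
    """169.254.x.y with x and y random in 1..254, as described on this page."""
    return ipaddress.IPv4Address("169.254.%d.%d" % (rng.randint(1, 254), rng.randint(1, 254)))


def dora(mac, servers, rng=random, attempts=3):
    """Discover, Offer, Request, Acknowledge. Returns (address, source), where
    source is "dhcp" for a leased address or "apipa" when no usable reply arrives."""
    for _ in range(attempts):
        discover = {"type": "DHCPDISCOVER", "mac": mac}
        offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
        if not offers:
            return apipa_address(rng), "apipa"
        offer = offers[0]  # the client takes the first offer it receives
        request = {"type": "DHCPREQUEST", "mac": mac, "requested": offer["yiaddr"]}
        reply = offer["server"].handle(request)
        if reply["type"] == "DHCPACK":
            return reply["yiaddr"], "dhcp"
        # DHCPNAK: the client starts over with a fresh DHCPDISCOVER
    return apipa_address(rng), "apipa"


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.10", "192.168.1.20", exclusions=["192.168.1.10"],
                     reservations={"00:11:22:33:44:55": "192.168.1.15"})
    print(dora("aa:bb:cc:dd:ee:01", [srv]))
    print(dora("00:11:22:33:44:55", [srv]))
    print(dora("aa:bb:cc:dd:ee:02", []))
```

The exclusion is enforced at both OFFER and REQUEST time, so a client that requests an excluded or reserved address directly is answered with DHCPNAK rather than an ACK.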
Client Reservation
Client Reservation is used to be sure a computer gets the same IP address all
the time. Therefore since DHCP IP address assignments use MAC addresses
to control assignments, the following are required for client reservation:
2) IP address
Exclusion Range
Database files:
APIPA
If all else fails, then clients give themselves an Automatic IP address in the range 169.254.x.y where x and y are two random numbers between 1 and 254.
BOOTP
WINS
WINS
WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server
DFS
The Distributed File System (DFS) allows files and directories in various places to be combined into one directory tree. Only Windows 2000 & 2003 Servers can contain
DFS Components
DFS root - A shared directory that can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server.
can be on any Windows 2000 & 2003 Server. This provides no fault tolerance with the DFS topology stored on one computer. A DFS can be accessed using the
Syntax: \\Server\DFSname
on any Windows 2000 & 2003 Server. Files and directories must be manually
files and directories. Configure the domain DFS root, then the replicas when
Syntax: \\domain\DFSname
DFS link - A pointer to another shared directory. There can be up to 1000 DFS links
IIS
Virtual Directory:
What is ISAPI?
Any VB6 DLL is a COM component, as is any Windows DLL or EXE that supports the COM interfaces.
What is the Tombstone? What is the default tombstone life time? How to
The number of days before a deleted object is removed from the directory services. The default tombstone lifetime is 60 days; from Windows Server 2003 SP1 the new default tombstone lifetime is 180 days.
You can check your tombstone lifetime using the following command which comes
tombstonelifetime
The IP number
A host header is a string part of the request sent to the web server (it is in
the HTTP header). This means that configuring IIS to use host headers is only
one step in the approach to host multiple websites using host headers to
distinguish between the websites. A configuration of the DNS server (usually
means that you need to add an (A) record for the domain) is also required, so
the client can find the web server.
EXCHANGE SERVER
DS PROXY
1. DSProxy emulates a MAPI address book service and sends proxy requests to an
DSAccess
The Exchange components that need to interact with Active Directory use
DSAccess to retrieve Active Directory information rather than communicating
directly with domain controllers and global catalog servers
Forestprep
When you use the /ForestPrep option, the Exchange Setup program extends the
DomainPrep:
Exmerge tool:
ExMerge is used to recover the mailbox data from the Recovery Storage Group. Since
Monitors folders and triggers events for server applications compatible with
The information store, which is the key component for database management
in Exchange Server, is actually two separate databases. The private
information store database, Priv.edb, manages data in user mailboxes. The
public information store, Pub.edb, manages data in public folders.
You use Exchange X.400 services to connect to Exchange 5.5 servers and other
POP3 is a Client/Service protocol in which e-mail is received and held for you by your Internet server.
The Exchange Routing Engine uses Link State information for e-mail routing.
The Routing Engine will forward this information to the Advanced Queuing
Engine. The default size of routing table log file is 50 MB and default age is
seven days.
Microsoft Exchange Site Replication Service
Eseutil /mh
Here is a simple switch to verify the state of an Exchange database. All that eseutil /mh does is to determine whether the last shutdown was clean or dirty.
Eseutil /mh is ideal to practice getting to the right path and executing eseutil without
Eseutil /ml
Similar to the /mh, except this switch performs an integrity check on log files, for example, E00.log.
Eseutil /mm
Dumps metadata from the database file (not the logs). Specialist use only, I find the
Eseutil /mk
Isinteg Utility (Information Store Integrity Checker) finds and eliminates errors from the public folder and mailbox databases at the application level. It can recover
Microsoft Exchange Server locally stores its data in an OST file on your storage device. An OST file is a component of Microsoft Exchange Server and can’t be used with Microsoft Outlook.
manner:
Express, or Outlook Web Access, for example) and are submitted to the
Engine.
categorizer.
checks for proper recipient attributes, applies limits and restrictions, flags the
message for local or remote delivery, and then returns the message to the
Advanced Queuing Engine.
5. If for local delivery, the Advanced Queuing Engine submits the
message to the Local Delivery queue, and the Exchange store receives the
message from the Local Delivery queue. For more information about the
message to the Routing Engine. The Routing Engine determines the most
efficient route for mail delivery, returns the message to the Advanced
Queuing Engine, and, in turn, submits the messages for remote delivery.
The messages are then sent via SMTP to a remote SMTP host or to the
Internet.
The following are the minimum requirements for outbound mail flow:
Exchange Server must have access to the Internet on port 25. This
INTERVIEW QUESTIONS
DHCP, like BOOTP runs over UDP, utilizing ports 67 and 68.
In fact, by default it's 60 minutes. You can change the frequency though
When adding a large number of scopes to the server, be aware that each scope
disk space used for the DHCP server registry and for the server paging file
repadmin /removelingeringobjects
If a set of 30 hard disks is configured for RAID 5 and two hard disks fail
Because of the parity information, all data is available in case one of the disks fails. If extra (spare) disks are available, then reconstruction will begin immediately after the device failure. However, if two hard disks fail at the same time, all data is LOST. In short, RAID 5 can survive one disk failure, but not two or more.
In RAID 5, suppose I have 5 HDDs of 10 GB each; after configuring the RAID
-1 out of the total (e.g. if you are using 5 you will get only 4 because 1 goes for parity).
backups. Like disk space low issues, automated services, CPU utilization, server availability, server health check, hardware failures and DNS issues and moreover I can say user creations, DL creations, mailbox movements and I am in a part of taking
We are using HP OVSD tool to monitor the queue. All these issues.
Description: One of the most popular RAID levels, RAID 5 stripes both data and parity information across three or more drives. It is similar to RAID 4 except that it
and parity blocks across all the drives in the array. This removes the "bottleneck"
the overhead necessary in dealing with the parity continues to bog down writes. Fault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself.
First let's get on the same page so we're all talking about apples.
What is RAID5?
OK here is the deal, RAID5 uses ONLY ONE parity drive per stripe and many RAID5 arrays are 5 (if your counts are different adjust the calculations appropriately) drives (4 data and 1 parity though it is not a single drive that is holding all of the parity as in RAID 3 & 4 but read on). If you have 10 drives or say 20GB each for 200GB RAID5 will use 20% for parity (assuming you set it up as two 5 drive arrays) so you will have 160GB of storage. Now since RAID10, like mirroring (RAID1), uses 1 (or more) mirror drive for each primary drive you are using 50% for redundancy so to get the same 160GB of storage you will need 8 pairs or 16 - 20GB drives, which is why RAID5 is so popular. This intro is just to put things into perspective.
RAID5 is physically a stripe set like RAID0 but with data recovery included. RAID5 reserves one disk block out of each stripe block for parity data. The parity block contains an error correction code which can correct any error in the RAID5 block, in
missing block, gone missing because a drive has failed. The innovation of RAID5 over RAID3 & RAID4 is that the parity is distributed on a round robin basis so that there can be independent reading of different blocks from the several drives. This is why RAID5 became more popular than RAID3 & RAID4 which must synchronously read the same block from all drives together. So, if Drive2 fails blocks 1,2,4,5,6 & 7 are data blocks on this drive and blocks 3 and 8 are parity blocks on this drive. So that means that the parity on Drive5 will be used to recreate the data block from Disk2 if block 1 is requested before a new drive replaces Drive2 or during the rebuilding of the new Drive2 replacement. Likewise the parity on Drive1 will be used to repair block 2 and the parity on Drive3 will repair block4, etc. For block 2 all the data is safely on the remaining drives but during the rebuilding of Drive2's replacement a new parity block will be calculated from the block 2 data and will be written to Drive 2.
Now when a disk block is read from the array the RAID software/firmware calculates which RAID block contains the disk block, which drive the disk block is on and which drive contains the parity block for that RAID block and reads ONLY the one data drive. It returns the data block. If you later modify the data block it recalculates the parity by subtracting the old block and adding in the new version then in two separate operations it writes the data block followed by the new parity block. To do this it must first read the parity block from whichever drive contains the parity for that stripe block and reread the unmodified data for the updated block from the
these two writes are sequential and synchronous the write system call cannot return until the reread and both writes complete, for safety, so writing to RAID5 is up to 50% slower than RAID0 for an array of the same capacity. (Some software RAID5's
different RAID vendors defined them differently. About five years or so ago I proposed the following standard language which seems to have taken hold. When N mirrored pairs are striped together this is called RAID10 because the mirroring (RAID1) is applied before striping (RAID0). The other option is to create two stripe sets and mirror them one to the other, this is known as RAID01 (because the RAID0 is applied first). In either a RAID01 or RAID10 system each and every disk block is
RAID01 suffers from some of the same problems I will describe affecting RAID5 while
Now if a drive in the RAID5 array dies, is removed, or is shut off data is returned by reading the blocks from the remaining drives and calculating the missing data using the parity, assuming the defunct drive is not the parity block drive for that RAID block. Note that it takes 4 physical reads to replace the missing disk block (for a 5 drive array) for four out of every five disk blocks leading to a 64% performance degradation until the problem is discovered and a new drive can be mapped in to
Drives are being actively accessed in order to rebuild the replacement drive (see below).
If a drive in the RAID10 array dies data is returned from its mirror drive in a
single read with only minor (6.25% on average for a 4 pair array as a whole)
performance reduction when two non-contiguous blocks are needed from the
damaged pair (since the two blocks cannot be read in parallel from both
drives) and none otherwise.
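As an added worked example (not from the page or its quoted author), this Python models the RAID5 mechanics described above: XOR parity per stripe, round-robin parity placement, a single-drive rebuild that costs n-1 physical reads, the read-old-data/read-old-parity/write-data/write-parity update, and the two-drive failure that cannot be recovered. The 5-drive array with 4-byte blocks is constructed for illustration; real controllers use far larger blocks but the arithmetic is the same.

```python
# Constructed RAID 5 model for the example (not from the page): blocks are bytes,
# parity is the XOR of the data blocks in a stripe, and the parity block rotates
# round-robin across the drives.


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive(stripe_index, n_drives):
    """Round-robin placement: stripe s keeps its parity on drive s mod n_drives."""
    return stripe_index % n_drives


def build_raid5(data_blocks, n_drives):
    """Lay data blocks out over n_drives with one parity block per stripe.
    Returns a list of stripes, each a list of n_drives blocks in drive order."""
    per_stripe = n_drives - 1
    block_len = len(data_blocks[0])
    stripes = []
    for start in range(0, len(data_blocks), per_stripe):
        chunk = list(data_blocks[start:start + per_stripe])
        chunk += [bytes(block_len)] * (per_stripe - len(chunk))   # pad the last stripe
        p = parity_drive(len(stripes), n_drives)
        stripes.append(chunk[:p] + [xor_blocks(chunk)] + chunk[p:])
    return stripes


def read_block(stripes, stripe_index, drive, failed=()):
    """Read one block, rebuilding it from the survivors if its drive has failed.
    Returns (data, physical_reads). More than one failed drive is unrecoverable."""
    if len(failed) > 1:
        raise RuntimeError("RAID 5 cannot recover with %d failed drives" % len(failed))
    stripe = stripes[stripe_index]
    if drive not in failed:
        return stripe[drive], 1
    survivors = [stripe[d] for d in range(len(stripe)) if d != drive]
    return xor_blocks(survivors), len(survivors)


def write_block(stripes, stripe_index, drive, new_data, n_drives):
    """Read-modify-write: new parity = old parity XOR old data XOR new data.
    Returns (physical_reads, physical_writes) for the update."""
    p = parity_drive(stripe_index, n_drives)
    if drive == p:
        raise ValueError("drive %d holds parity for stripe %d" % (drive, stripe_index))
    stripe = stripes[stripe_index]
    old_data, old_parity = stripe[drive], stripe[p]   # two reads
    stripe[drive] = new_data                           # write 1: the data block
    stripe[p] = xor_blocks([old_parity, old_data, new_data])   # write 2: new parity
    return 2, 2


def rebuild_drive(stripes, failed_drive):
    """Reconstruct every block of one failed drive from the other drives."""
    return [read_block(stripes, s, failed_drive, failed=(failed_drive,))[0]
            for s in range(len(stripes))]


def sample_array():
    """Eight 4-byte data blocks on a 5-drive array: two full stripes."""
    data = [bytes([i]) * 4 for i in range(1, 9)]
    return data, build_raid5(data, 5)


if __name__ == "__main__":
    data, stripes = sample_array()
    for s, stripe in enumerate(stripes):
        print("stripe", s, "parity on drive", parity_drive(s, 5), [b.hex() for b in stripe])
    print("block on failed drive 2, stripe 0:", read_block(stripes, 0, 2, failed=(2,)))
    print("update cost (reads, writes):", write_block(stripes, 1, 0, bytes([9]) * 4, 5))
```

The reads counter returned by read_block is the "4 physical reads for a 5 drive array" the text mentions, and write_block's two reads plus two writes are the source of the write penalty.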
Mirroring?
Mirroring is one of the two data redundancy techniques used in RAID (the other
simultaneously to two hard disks instead of one; thus the "mirror" concept. The principle behind mirroring is that this 100% data redundancy provides full protection against the failure of either of the disks containing the duplicated data. Mirroring
data, but also reasonably fast recovery from a disk failure. Since all the data is on the second drive, it is ready to use if the first one fails. Mirroring also improves some forms of read performance (though it actually hurts write performance.) The chief
RAID is "wasted" so you must buy twice the capacity that you want to end up with in
Parity
RAID level 1, to provide data protection on a RAID array. While mirroring has some
limitations. It has a high overhead cost, because fully 50% of the drives in the array are reserved for duplicate data; and it doesn't improve performance as much as data striping does for many applications. For this reason, a different way of protecting
Cross realm uses the ticket granting service for cross-domain authentication.
stamp with domain controller of Global catalogue with the use of the NTP protocol (port number 123).
The time difference between the DC and the client must not exceed 5 minutes.
After finishing the time stamp matching, the session ticket with encrypted password and
it releases the two tickets with the help of the KDC (Key Distribution Centre). One is for sending the logon request and another one sends the permission, whether accepted or not.
After Kerberos provides the authentication, LDAP finishes the logon process.
Kerberos uses two protocols, UDP and TCP, with the same port number 88.
Replmon
This GUI tool enables administrators to view the low-level status of Active Directory replication.
troubleshooting purposes.
9. Force replication.
replication topology.
11. Display changes that have not yet replicated from a given replication partner.
being monitored.
13. Display the metadata of an Active Directory object's attributes.
domain controllers.
Important:
topology manually. Incorrect use of this tool can adversely impact the replication topology. The primary use of this tool is to monitor replication so that problems
1. How to confirm if the software package deployed using group policy has got
2. In one DC one user has been deleted the OU by admin1 ……delete by one
found object)
3. What are the two attributes which reflect while replication is happening?
4. How do you see, by using GPO, …which software has been installed in the machines?
5. How to install the software package for 500 machines…….can you just give the steps?
7. How to uninstall a package?
8. If Kerberos fails, what will happen? Is there any other authentication
9. When you need to install a DNS server in member servers, what is the use of it?
11. What are the log files and what is the use of log files?
Answers:
MBSA 2.0.1 is compatible with Microsoft Update and Windows Server Update Services and the SMS Inventory Tool for Microsoft Update (ITMU). MBSA 2.0.1 offers customers improved Windows
Unless specifically noted, all references to MBSA 2.0 in the MBSA TechNet pages also apply to MBSA 2.0.1.
Legacy Product Support: For customers using legacy products not supported by MBSA 2.0.1,
2. Only one OU you can create and delete …how the same OU name will come in other machines
will apply
6. 500……Distribution point (SMS)…….
terms, Microsoft SUS is a version of Windows Update that you can run on your network.
Software Update Services leverages the successful Windows Automatic Updates
and clients.
validates the digital certificates on any downloads to the update server. If the
that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows
• Content synchronization. The server is synchronized with the public
servers running Microsoft SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, Microsoft SUS will
enterprise.
Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft maintained download servers. These are the
administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers.
versions. Administrators can configure the list of languages for which they want updates downloaded.
Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server.
Download Software Update Services Server 1.0 with Service Pack 1 HERE (33 MB)
It does not push out service packs; you need a separate solution for that.
Explorer and IIS), but not application patches such as Microsoft Office, Microsoft
systems.
It does not allow you to scan your network for missing patches, so you
This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is
management tool.
Read more on how to overcome SUS's limitations by using a 3rd party tool called GFI LANguard Network Security Scanner.
To use SUS on your network you will need to use the Windows Automatic Update Client.
The client is based on the Windows Automatic Updates technology that was
Built-in security: Only users with local administrative privileges can interact
Automatic Updates verifies that Microsoft has digitally signed the files.
service technologies to scan the system and determine which updates are
installed and one of them requires a restart, Automatic Updates installs them
logged on.
Windows.
• Windows 2000 Professional with Service Pack 2
• Windows XP Professional
Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the
Computers running Automatic Updates then use this specified server to get updates.
WUAU.ADM, which contains the Group Policy settings described earlier in this paper. These settings can be loaded into Group Policy Editor for deployment. These policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family, and in Windows XP Service Pack 1.
8. NTLM
Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two
The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC.
between two entities, the KDC generates a session key which they can use to secure their interactions.
The security of the protocol relies heavily on participants maintaining loosely
tickets.
will be used:
• AS = Authentication Server
• SS = Service Server.
ticket from the AS. Later the client can use this ticket to get additional tickets for SS without resorting to using the shared secret. These tickets can be used to prove authentication to SS.
In more detail:
on the client.
user.
TGS.
key.
Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using the client/server session key.
key.
tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized.
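As an added example (not from the original notes) of why the clock synchronisation above matters, the block below models the checks a service applies to a received ticket and authenticator: validity window, clock skew against a configurable tolerance, and a replay cache keyed on client ID and timestamp. It assumes integer Unix-second clocks and stands in an HMAC tag for the real encryption under the client/server session key; `Ticket`, `ServiceVerifier` and the 300-second tolerance are constructed for the example.

```python
"""Added example (not part of the original notes): simplified model of the
clock-skew, ticket-lifetime and replay checks a Kerberos service performs.
Assumption: authenticator encryption is modelled as an HMAC tag; clocks are ints."""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_SKEW = 300  # assumption: 5 minutes of tolerated clock difference


@dataclass
class Ticket:
    client_id: str
    session_key: bytes  # shared by client and service, issued by the KDC
    start_time: int     # ticket validity window, inclusive
    end_time: int


def make_authenticator(ticket, client_clock):
    """Client side: client ID and timestamp, integrity-protected with the session key."""
    msg = f"{ticket.client_id}|{client_clock}".encode()
    return (ticket.client_id, client_clock,
            hmac.new(ticket.session_key, msg, hashlib.sha256).hexdigest())


@dataclass
class ServiceVerifier:
    max_skew: int = MAX_SKEW
    seen: set = field(default_factory=set)  # replay cache of (client, timestamp)

    def check(self, ticket, authenticator, server_clock):
        """Return 'ok' or the first reason the service would reject the request."""
        client_id, ts, tag = authenticator
        expected = make_authenticator(ticket, ts)[2]
        if client_id != ticket.client_id or not hmac.compare_digest(tag, expected):
            return "bad_authenticator"  # not produced with the session key
        if not ticket.start_time <= server_clock <= ticket.end_time:
            return "ticket_expired"     # outside the ticket's validity period
        if abs(server_clock - ts) > self.max_skew:
            return "clock_skew"         # unsynchronised clocks fail here
        if (client_id, ts) in self.seen:
            return "replay"             # same authenticator presented twice
        self.seen.add((client_id, ts))
        return "ok"


def demo():
    """Same ticket: synchronised clock, replayed authenticator, 15-minute drift."""
    ticket = Ticket("alice", b"k" * 32, start_time=1_000, end_time=37_000)
    svc = ServiceVerifier()
    good = make_authenticator(ticket, 2_000)
    return [svc.check(ticket, good, 2_000), svc.check(ticket, good, 2_000),
            svc.check(ticket, make_authenticator(ticket, 2_900), 2_000)]
```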
Since the secret keys for all users are stored on the central server, a
solution:
1. On the domain controller, click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change
9. Open the domain controller’s Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat steps 1 through 8.
11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:
a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
b. In the left pane, expand Local Policies, and then click Security Options.
communications (always).
Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).
Important If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X
d. Click to select the Define this policy setting check box, click Enabled, and then click OK.
agrees).
Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server
f. Click to select the Define this policy setting check box, and then click Enabled.
g. Click OK.
i. Click to clear the Define this policy setting check box, and then click OK.
agrees).
k. Click to clear the Define this policy setting check box, and then click OK.
12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:
a. Click Start, click Run, type cmd, and then click OK.
b. At the command prompt, type gpupdate /force, and then press ENTER.
For more information about the Group Policy Update utility, click the following article
Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce.
For more information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the
14. Check the registry values that you changed in steps 1 through 7 to make sure that the
Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally
15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK. In the RSoP snap-in, the SMB signing settings are located in the following path:
Options
Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the command prompt:
After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB