
Low Level

1. Features of Windows 2003 ACTIVE DIRECTORY

Easier Deployment and Management
ADMT version 2.0: migrates passwords from NT4 to 2000 or 2003, or from 2000 to 2003.
Domain Rename: supports changing the Domain Name System and/or NetBIOS name.
Schema Redefine: allows deactivation of attributes and class definitions in the Active Directory schema.
AD/AM: Active Directory in Application Mode is a new capability of AD that addresses certain deployment scenarios related to directory-enabled applications.
Group Policy Improvements: introduced the GPMC tool to manage group policy.
UI: enhanced User Interface.

Greater Security
Cross-forest Authentication
Cross-forest Authorization
Cross-certification Enhancements
IAS and Cross-forest authentication
Credential Manager
Software Restriction Policies

Improved Performance and Dependability
Easier logon for remote offices
Group Membership replication enhancements
Application Directory Partitions
Install Replica from media
Dependability Improvements: updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000.

FILE AND PRINT SERVICES
Volume shadow copy service
NTFS journaling file system
EFS
Improved CHKDSK performance
Enhanced DFS and FRS
Shadow copy of shared folders
Enhanced folder redirection
Remote document sharing (WEBDAV)

IIS
Fault-tolerant process architecture: the IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools.
Health Monitoring: IIS 6.0 periodically checks the status of an application pool, with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time.
Automatic Process Recycling: IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests.
Rapid-fail Protection: if an application fails too often within a short amount of time, IIS 6.0 will automatically disable it and return a "503 Service Unavailable" error message to any new or queued requests to the application.
Edit-While-Running

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/default.mspx

2. Difference between NT & 2000

The NT SAM database is a flat database, whereas in Windows 2000 the Active Directory database is a hierarchical database.
In Windows NT only the PDC has a writable copy of the SAM database; the BDC holds a read-only copy. In Windows 2000 both DC and ADC have a writable copy of the database.
Windows NT does not support the FAT32 file system. Windows 2000 supports FAT32.
The default authentication protocol in NT is NTLM (NT LAN Manager). In Windows 2000 the default authentication protocol is Kerberos V5.
Windows 2000 depends on and is integrated with DNS. NT uses NetBIOS names.
Active Directory can be backed up easily with System State data.

3. Difference between 2000 & 2003

Application Server mode is introduced in Windows 2003.
It is possible to configure stub zones in Windows 2003 DNS.
Volume shadow copy services are introduced.
Windows 2003 gives an option to replicate DNS data between all DNS servers in the forest or all DNS servers in the domain.
Refer to Question 1 for all enhancements.

4. Difference between PDC & BDC

The PDC contains a writable copy of the SAM database, whereas the BDC contains a read-only copy of the SAM database. It is not possible to reset a password or create objects without the PDC in Windows NT.

5. Difference between DC & ADC

There is no difference between a DC and an ADC; both contain a writable copy of AD. Both can also handle FSMO roles (if transferred from the DC to the ADC). The distinction is just for identification; functionality-wise there is no difference.

6. What is DNS & WINS

DNS is the Domain Naming System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP addresses. This is proprietary to Windows.

7. Types of DNS Servers

Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching-only DNS

8. If DHCP is not available, what happens to the client

The client will not get an IP address and cannot participate in the network. If the client already got an IP address and has a lease duration, it uses the IP address until the lease duration expires.

9. What are the different types of trust relationships

Implicit Trusts
Explicit Trusts: NT to Win2K or Forest to Forest

10. What is the process of DHCP for getting the IP address to the client

There is a four-way negotiation process between client and server:
DHCP Discover (initiated by client)
DHCP Offer (initiated by server)
DHCP Select (initiated by client)
DHCP Acknowledgement (initiated by server)
DHCP Negative Acknowledgement (initiated by server if there are any issues after the DHCP Offer)

11. Difference between FAT, NTFS & NTFS Version 5

NTFS Version 5 features:
Encryption is possible
We can enable Disk Quotas
File compression is possible
Sparse files
Indexing Service
NTFS change journal

In the FAT file system we can apply only share-level security; file-level protection is not possible. In NTFS we can apply both share-level as well as file-level security.
NTFS supports larger partition sizes than FAT file systems.
NTFS supports longer file names than FAT file systems.

12. What are the port numbers for FTP, Telnet, HTTP, DNS

FTP - 21, Telnet - 23, HTTP - 80, DNS - 53, Kerberos - 88, LDAP - 389

13. What are the different types of profiles in 2000

Local Profiles
Roaming Profiles
Mandatory Profiles

14. What are the database files used for Active Directory

The key AD database files are edb.log, ntds.dit, res1.log, res2.log, and edb.chk, all of which reside in %systemroot%\ntds on a domain controller (DC) by default. During AD installation, Dcpromo lets you specify alternative locations for these log files and the database file NTDS.DIT.

15. What is the location of the AD Database

%Systemroot%\NTDS\NTDS.DIT

16. What is the authentication protocol used in NT

NTLM (NT LAN Manager)

17. What is subnetting and supernetting

Subnetting is the process of borrowing bits from the host portion of an address to provide bits for identifying additional sub-networks.
Supernetting merges several smaller blocks of IP addresses (networks) that are contiguous into one larger block of addresses. Borrowing network bits to combine several smaller networks into one larger network is supernetting.

18. What is the use of terminal services

Terminal services can be used in Remote Administration mode to administer a server remotely, as well as in Application Server mode to run an application on one server so that users can log on to that server to use the application.

19. What is the protocol used for terminal services

RDP

20. What is the port number for RDP

3389

Medium Level

1. What is the difference between Authorized DHCP and Non-Authorized DHCP

To avoid problems in the network caused by mis-configured DHCP servers, a DHCP server in Windows 2000 must be validated (authorized) by AD before it starts serving clients. If an authorized DHCP server finds any other DHCP server in the network, that server stops serving the clients.
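The four-way DHCP exchange from Low Level question 10, together with the authorization behaviour described in this answer, modelled as an added example (this is not code from the original page; the server names, MAC addresses and the 10.0.0.0/29 scope are constructed). An unauthorized server never answers a Discover, a full scope produces no Offer, and a Request for an address outside the scope gets a NAK:

```python
# Added example (not from the original page): a small model of the DHCP
# Discover / Offer / Request(Select) / Ack-or-NAK exchange, with a server that
# only serves after it has been authorized, plus the "scope is full" case.
# All names, MAC addresses and the 10.0.0.0/29 scope are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    name: str
    scope: ipaddress.IPv4Network
    authorized: bool = False                      # validated by AD before serving (Windows 2000+)
    lease_seconds: int = 8 * 3600                 # lease duration handed out with the Ack
    leases: dict = field(default_factory=dict)    # client MAC -> IPv4Address
    log: list = field(default_factory=list)

    def _free_address(self):
        in_use = set(self.leases.values())
        for host in self.scope.hosts():
            if host not in in_use:
                return host
        return None                               # scope is full: nothing left for new machines

    def offer(self, mac):
        """Answer a DHCP Discover with an Offer, or stay silent."""
        if not self.authorized:
            self.log.append(f"{self.name}: Discover from {mac} ignored, server not authorized")
            return None
        addr = self.leases.get(mac)               # an existing lease is offered again
        if addr is None:
            addr = self._free_address()
        if addr is None:
            self.log.append(f"{self.name}: scope {self.scope} exhausted, no Offer for {mac}")
            return None
        return addr

    def ack(self, mac, requested):
        """Answer a DHCP Request (the client's Select) with Ack or NAK."""
        if requested not in self.scope:
            return "NAK", None                    # address is not valid for this scope
        taken_by_other = requested in set(self.leases.values()) and self.leases.get(mac) != requested
        if taken_by_other:
            return "NAK", None
        self.leases[mac] = requested
        return "ACK", (requested, self.lease_seconds)


def dhcp_dora(mac, servers):
    """Client side of the exchange. Returns (assigned IPv4Address or None, transcript)."""
    transcript = [f"{mac}: DHCP Discover (broadcast)"]
    offers = []
    for server in servers:                        # every server on the segment sees the broadcast
        addr = server.offer(mac)
        if addr is not None:
            offers.append((server, addr))
            transcript.append(f"{server.name}: DHCP Offer {addr} to {mac}")
    if not offers:
        transcript.append(f"{mac}: no Offer received, cannot participate in the network")
        return None, transcript
    server, addr = offers[0]                      # the client selects the first Offer it received
    transcript.append(f"{mac}: DHCP Request {addr} from {server.name} (Select)")
    kind, detail = server.ack(mac, addr)
    if kind != "ACK":
        transcript.append(f"{server.name}: DHCP {kind} to {mac}")
        return None, transcript
    addr, lease = detail
    transcript.append(f"{server.name}: DHCP Ack {addr}, lease {lease}s, to {mac}")
    return addr, transcript


def demo():
    scope = ipaddress.ip_network("10.0.0.0/29")   # constructed: 6 usable addresses
    rogue = DhcpServer("dhcp-rogue", scope, authorized=False)
    good = DhcpServer("dhcp-authorized", scope, authorized=True)
    first, transcript = dhcp_dora("00:11:22:33:44:01", [rogue, good])
    for i in range(2, 7):                         # five more clients use up the scope
        dhcp_dora(f"00:11:22:33:44:{i:02x}", [good])
    seventh, _ = dhcp_dora("00:11:22:33:44:07", [good])
    nak, _ = good.ack("00:11:22:33:44:01", ipaddress.ip_address("10.0.0.10"))
    return str(first), seventh, nak, len(good.leases), transcript, rogue.log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

Running the block prints the transcript of the first client's exchange; `demo()` also shows the seventh client getting no address once the /29 scope is exhausted (the "scope is full" problem from Medium Level question 12) and the rogue server's log showing that it stayed silent.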

2. Difference between inter-site and intra-site replication. Protocols used for replication.

Intra-site replication takes place between the domain controllers in the same site. Inter-site replication takes place between two different sites over WAN links. The BHS (Bridge Head Server) is responsible for initiating replication between the sites: inter-site replication is done between the BHS in one site and the BHS in another site. We can use RPC over IP or SMTP as replication protocols, but the Domain partition cannot be replicated using SMTP.

3. How to monitor replication

We can use the Replmon tool from the Support Tools.

4. Brief explanation of RAID Levels

Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic.

Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.

Dynamic Disk Storage

Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.

Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers. You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Datacenter versions of Windows Server 2003.

Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes. A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.

To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk. To do this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management. You can also right-click My Computer and choose Manage if you have My Computer displayed on your desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the Details pane.
6. Select the check box that is next to the disk that you want to convert (if it is not already selected), and then click OK.
7. Click Details if you want to view the list of volumes in the disk. Click Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.

Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all dynamic volumes on the disk and then

convert the dynamic disk back to a basic disk. If you want to keep your data, you must first back up the data or move it to another volume.

Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
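How the parity described for RAID-5 actually reconstructs data after a single disk failure, as an added example (not code from the original page; the chunk size, disk count and sample data are constructed, and the rotating-parity layout is a generic one rather than a claim about the exact on-disk format Windows uses):

```python
# Added example (not from the original page): RAID-5 striping with rotating
# parity, loss of one physical disk, and reconstruction from the survivors.
# Chunk size, disk count and the data below are constructed.
def xor_blocks(blocks):
    """XOR equal-length byte blocks; this is the parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data, n_disks=3, chunk=4):
    """Lay data across n_disks (minimum 3) with one parity chunk per stripe;
    the parity position rotates so no single disk holds all the parity."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_chunks = n_disks - 1
    stripe_len = data_chunks * chunk
    padded = data + b"\x00" * (-len(data) % stripe_len)   # pad the final stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_len):
        stripe = padded[s * stripe_len:(s + 1) * stripe_len]
        pieces = [stripe[k * chunk:(k + 1) * chunk] for k in range(data_chunks)]
        parity = xor_blocks(pieces)
        parity_disk = s % n_disks
        remaining = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def rebuild_disk(disks, failed):
    """Re-create every chunk of the failed disk from the surviving disks: the XOR
    of the other chunks in a stripe is the missing one, whether it held data or parity."""
    survivors = [d for d in range(len(disks)) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def read_volume(disks, length):
    """Reassemble the data in order, skipping parity chunks and trailing padding."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return out[:length]


def demo():
    original = b"RAID-5: data and parity striped over 3 disks"   # constructed sample
    disks = stripe_with_parity(original, n_disks=3, chunk=4)
    lost = disks[1]
    disks[1] = None                                     # simulate losing the second physical disk
    disks[1] = rebuild_disk(disks, failed=1)
    return disks[1] == lost, read_volume(disks, len(original)) == original, len(disks[0])


if __name__ == "__main__":
    print(demo())
```

With three disks, each stripe carries two data chunks and one parity chunk, so a second simultaneous failure leaves a stripe with only one chunk and `rebuild_disk` would return meaningless bytes; that is the limit the text states when it says RAID-5 survives the loss of a single disk.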
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

RAID 0 - Striping
RAID 1 - Mirroring (minimum 2 HDD required)
RAID 5 - Striping with Parity (minimum 3 HDD required)
RAID levels 1 and 5 are the only ones that give redundancy.

5. What are the different backup strategies available

Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup

6. What is a global catalog

The global catalog is a role which maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored on global catalog servers and replicated to all GCs in the forest.

7. What is Active Directory and what is the use of it

Active Directory is a directory service which maintains the relationship between resources and enables them to work together. Because of AD's hierarchical structure, Windows 2000 is more scalable and reliable. Active Directory is derived from the X.500 standards, where information is stored in a hierarchical tree-like structure. Active Directory depends on two Internet standards: one is DNS and the other is LDAP. Information in Active Directory can be queried by using the LDAP protocol.

8. What is the physical and logical structure of AD

The Active Directory physical structure is a hierarchical structure which follows Forests, Trees, Domains, Child Domains, Grandchild Domains, and so on. Active Directory is logically divided into partitions:

1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003, not available in Windows 2000)

Out of these, the Configuration and Schema partitions are replicated between the domain controllers in the entire forest, whereas the Domain partition is replicated between the domain controllers in the same domain.

9. What is the process of user authentication (Kerberos V5) in Windows 2000

After the user gives logon credentials, an encryption key is generated which is used to encrypt the time stamp of the client machine. The user name and the encrypted time stamp are sent to the domain controller for authentication. The domain controller then decrypts the encrypted time stamp based on the password information stored in AD for that user. If the produced time stamp matches its own time stamp, it provides a logon session key and a Ticket Granting Ticket to the client in encrypted form. The client decrypts this in turn, and if the time stamp information matches, it uses the logon session key to log on to the domain. The Ticket Granting Ticket is used to obtain a service granting ticket when accessing network resources.

10. What are the port numbers for Kerberos, LDAP and Global Catalog

Kerberos - 88, LDAP - 389, Global Catalog - 3268

11. What is the use of LDAP (X.500 standard?)

LDAP is a directory access protocol which is used to exchange directory information from server to clients or from server to server.

12. What are the problems that are generally come across with DHCP

The scope is full of IP addresses, so no IPs are available for new machines.
Scope options are not configured properly, e.g. the default gateway.
Incorrect creation of scopes, etc.

13. What is the role responsible for time synchronization

The PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos authentication depends on time stamp information.

14. What is TTL & how to set TTL time in DNS

TTL is the Time to Live setting, used for the amount of time that a record should remain in cache after name resolution has happened. We can set the TTL in the SOA (Start of Authority) record of DNS.

15. How to take DNS and WINS, DHCP backup

%Systemroot%\system32\dns
%Systemroot%\system32\WINS
%Systemroot%\system32\DHCP

16. What is the recovery console

The recovery console is a utility used to recover the system when it is not booting properly or not booting at all. We can perform the following operations from the recovery console:
Copy, rename, or replace operating system files and folders
Enable or disable service or device startup the next time that you start the computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives

17. What is DFS & its usage

DFS is a distributed file system used to provide a common environment for users to access files and folders even when they are physically shared on different servers. There are two types of DFS: domain DFS and stand-alone DFS. We cannot provide redundancy for stand-alone DFS in case of failure. Domain DFS is used in a domain environment and can be accessed by \\domain name\root1 (root1 is the DFS root name). Stand-alone DFS can be used in a workgroup environment and can be accessed through \\server name\root1 (root1 is the DFS root name). In both cases we need to create a DFS root (which appears like a shared folder to end users) and DFS links (a logical link which points to the server where the folder is physically shared).
The maximum number of DFS roots per server is 1.
The maximum number of DFS root replicas is 31.
The maximum number of DFS roots per domain is unlimited.
The maximum number of DFS links or shared folders in a DFS root is 1,000.

18. What is RIS and what are its requirements

RIS is the Remote Installation Service, which is used to install an operating system remotely.

Client requirements:
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk.
Should meet the minimum operating system requirements.

Software requirements:
The following network services must be active on the RIS server or on any server in the network:
Domain Name System (DNS service)
Dynamic Host Configuration Protocol (DHCP)
Active Directory [Directory] service

19. How many root replicas can be created in DFS

31

20. What is the difference between Domain DFS and Standalone DFS

Refer to question 17.

High Level

1. Can we establish a trust relationship between two forests

In Windows 2000 it is not possible. In Windows 2003 it is possible.

2. What are the FSMO Roles

The Flexible Single Master Operation (FSMO) roles are:
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master

3. Brief all the FSMO Roles

Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
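The Kerberos V5 logon described in Medium Level question 9 and the reason the time hierarchy above matters (Medium Level question 13), modelled as an added example. This is not code from the original page: the cipher is a toy HMAC-SHA256 construction standing in for the Kerberos encryption types, PBKDF2 stands in for the real string-to-key function, and the realm, user name, password and clock values are constructed. The error names follow RFC 4120.

```python
# Added example (not from the original page): Kerberos-style timestamp
# pre-authentication and TGT issue, showing a correct logon, a wrong password,
# and a client clock that drifted past the allowed skew.
import hashlib
import hmac
import json
import os
import struct

MAX_CLOCK_SKEW = 300          # seconds; the 5-minute default tolerance


def string_to_key(password, salt):
    # PBKDF2 is a stand-in for the real Kerberos string-to-key derivation
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Reject anything whose tag does not verify (wrong key or modified data)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Kdc:
    """The domain controller side: holds password-derived keys, never the passwords."""

    def __init__(self, realm, users):
        self.realm = realm
        self.keys = {user: string_to_key(pw, realm + user) for user, pw in users.items()}
        self.krbtgt_key = os.urandom(32)          # key that protects issued TGTs

    def as_exchange(self, user, encrypted_timestamp, kdc_now):
        key = self.keys.get(user)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        try:
            (client_ts,) = struct.unpack(">Q", unseal(key, encrypted_timestamp))
        except ValueError:
            return "KDC_ERR_PREAUTH_FAILED", None          # wrong password: tag does not verify
        if abs(kdc_now - client_ts) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None                 # clocks too far apart
        session_key = os.urandom(32)
        ticket_body = {"user": user, "key": session_key.hex(), "issued": kdc_now}
        tgt = seal(self.krbtgt_key, json.dumps(ticket_body).encode())
        # encrypted part of the reply: the client's timestamp echoed back + logon session key
        reply = seal(key, struct.pack(">Q", client_ts) + session_key)
        return "KDC_OK", (reply, tgt)


def logon(kdc, user, password, client_now, kdc_now):
    """Client side: encrypt own timestamp, check the KDC echoes it, keep session key and TGT."""
    key = string_to_key(password, kdc.realm + user)
    sent = struct.pack(">Q", client_now)
    code, payload = kdc.as_exchange(user, seal(key, sent), kdc_now)
    if code != "KDC_OK":
        return code, None
    reply, tgt = payload
    plain = unseal(key, reply)
    if plain[:8] != sent:
        return "CLIENT_REJECTS_REPLY", None
    return "LOGON_OK", (plain[8:], tgt)        # session key for the domain logon, TGT for TGS requests


def demo():
    kdc = Kdc("EXAMPLE.LOCAL", {"alice": "correct-horse-battery"})   # constructed realm and user
    now = 1_700_000_000
    ok, _ = logon(kdc, "alice", "correct-horse-battery", now, now + 30)
    bad_pw, _ = logon(kdc, "alice", "wrong-password", now, now)
    skewed, _ = logon(kdc, "alice", "correct-horse-battery", now, now + 600)
    return ok, bad_pw, skewed


if __name__ == "__main__":
    print(demo())
```

A client whose clock is ten minutes off fails with the same kind of error as a wrong password would from the user's point of view, which is why a domain with a badly configured time hierarchy shows up as logon failures rather than as an obvious time problem.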

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

4. How to manually configure FSMO Roles to separate DCs

How can I determine who the current FSMO role holders are in my domain/forest?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. The five FSMO roles are:

Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. The transferring method is described in the Transferring FSMO Roles article, while seizing the roles from a non-operational DC to a different DC is described in the Seizing FSMO Roles article.

In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have exact knowledge of which of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and better prepare him or herself in case of a non-scheduled cease of operation from one of the DCs.

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. This article will list a few of the available methods.

Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming    One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID              One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator     One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Infrastructure   One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)

Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role        Which snap-in should I use?
Schema           Schema snap-in
Domain Naming    AD Domains and Trusts snap-in
RID              AD Users and Computers snap-in
PDC Emulator     AD Users and Computers snap-in
Infrastructure   AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Master via GUI
To find out who currently holds the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.

Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click Close.

Finding the Schema Master via GUI
To find out who currently holds the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: (the command is not reproduced on this page). Press OK. You should receive a success confirmation.
2. From the Run command open an MMC Console by typing MMC.
3. On the Console menu, press Add/Remove Snap-in.
4. Press Add.
5. Select Active Directory Schema. Press Add and press Close.
6. Press OK.
7. Click the Active Directory Schema icon. After it loads, right-click it and press Operation Masters.

8. Press the Close button.

Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.

7. At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

    select operation target: List roles for connected server
    Server "server100" knows about 5 roles
    Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    select operation target:

C. Type q

times to e?it t%e Ntds#til prompt.

1ote8 Jo# $an download T6,& ni$e )at$% file t%at will do all t%is for yo# 019)1. Anot!er 1ote8 Mi$rosoft %as a ni$e tool $alled D#mpfsmos.$md: fo#nd in t%e 2indows 2000 !eso#r$e 7it 0and $an )e downloaded %ere> Download 3ree 2indows 2000 !eso#r$e 7it Tools1. T%is tool is )asi$ally a one"$li$9 Ntds#til s$ript t%at performs t%e same operation des$ri)ed a)ove. #et!od @B8 .se t!e 1etdo% o%%and T%e 3&MA role %olders $an )e easily fo#nd )y #se of t%e Netdom $ommand. Netdom.e?e is a part of t%e 2indows 2000'I+'200 &#pport Tools. Jo# m#st eit%er download it separately 0from %ere Download 3ree 2indows 2000 !eso#r$e 7it Tools1 or )y o)taining t%e $orre$t &#pport Tools pa$9 for yo#r operating system. T%e &#pport Tools pa$9 $an )e fo#nd in t%e \Support\Tools folder on yo#r installation -D 0or yo# $an Download 2indows 2000 &+4 &#pport Tools: Download 2indows I+ &+1 Deploy Tools1. 1. An any domain $ontroller: $li$9 &tart: $li$9 !#n: type -MD in t%e Apen )o?: and t%en $li$9 A7. 2. ,n t%e -ommand +rompt window: type netdom query domain!<domain> fsmo 0w%ere <domain> is t%e name of JA.! domain1.

-lose t%e -MD window. 1ote8 Jo# $an download T6,& ni$e )at$% file t%at will do all t%is for yo# 019)1. #et!od @58 .se t!e Repl%on tool T%e 3&MA role %olders $an )e easily fo#nd )y #se of t%e Netdom $ommand. Q#st li9e Netdom: !eplmon.e?e is a part of t%e 2indows 2000'I+'200 &#pport Tools. !eplmon $an )e #sed for a wide verity of tas9s: mostly wit% t%ose t%at are related wit% AD repli$ation. (#t !eplmon $an also provide val#a)le information a)o#t t%e AD: a)o#t any D-: and also a)o#t ot%er o)5e$ts and settings: s#$% as *+As and 3&MA roles. ,nstall t%e pa$9age )efore attempting to #se t%e tool. 1. An any domain $ontroller: $li$9 &tart: $li$9 !#n: type !E+LMAN in t%e Apen )o?: and t%en $li$9 A7. 2. !ig%t"$li$9 Monitored servers and sele$t Add Monitored &erver. . ,n t%e Add &erver to Monitor window: sele$t t%e &ear$% t%e Dire$tory for t%e server to add. Ma9e s#re yo#r AD domain name is listed in t%e drop"down list. 4. ,n t%e site list sele$t yo#r site: e?pand it: and $li$9 to sele$t t%e server yo# want to =#ery. -li$9 3inis%.

<. !ig%t"$li$9 t%e server t%at is now listed in t%e left"pane: and sele$t +roperties. 8. -li$9 on t%e 3&MA !oles ta) and read t%e res#lts. B. -li$9 A9 w%en yo#Nre done.
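The ntdsutil "List roles for connected server" transcript from Method #2 is the one output above that is easy to keep on file, and a short parser turns it into something you can check automatically. The Python below is an added example, not part of this document or of any Microsoft tool: it parses a transcript constructed in the same shape as the one quoted above (the server names SERVER100/SERVER200 and the DC=dpetri,DC=net naming context are reused from it), reports which DC holds each role, and applies two checks the seizing section later on this page calls for: that the Infrastructure Master is not on a Global Catalog server, and that all five roles do not sit on a single DC. The set of GC servers is an assumed input you would gather separately.

```python
import re

# Constructed sample transcript in the shape of ntdsutil's
# "List roles for connected server" output quoted on this page.
SAMPLE_NTDSUTIL_OUTPUT = """\
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
"""

# The five role names exactly as ntdsutil prints them.
ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# One role line: "<role> - CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,..."
ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+-\s+"
    r"(?P<dn>CN=NTDS Settings,CN=(?P<dc>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,.+)$"
)


def parse_role_holders(transcript):
    """Map each FSMO role to the DC (and site) whose NTDS Settings object owns it."""
    holders = {}
    for raw in transcript.splitlines():
        m = ROLE_LINE.match(raw.strip())
        if m:
            holders[m.group("role")] = {
                "dc": m.group("dc").upper(),   # ntdsutil prints the DC name in capitals
                "site": m.group("site"),
                "dn": m.group("dn"),
            }
    return holders


def check_placement(holders, gc_servers):
    """Return a list of findings; an empty list means the placement looks sane.

    gc_servers: names of DCs that are Global Catalog servers (assumed input,
    gathered separately from the NTDS Settings objects).
    """
    findings = []
    missing = [role for role in ROLES if role not in holders]
    if missing:
        findings.append("missing role holders: " + ", ".join(missing))

    gcs = {name.upper() for name in gc_servers}
    im = holders.get("Infrastructure")
    if im and im["dc"] in gcs:
        findings.append(
            f"Infrastructure Master is on Global Catalog server {im['dc']}; "
            "it will stop updating cross-domain object references"
        )

    dcs = {h["dc"] for h in holders.values()}
    if not missing and len(dcs) == 1:
        findings.append(f"all five roles sit on a single DC ({next(iter(dcs))})")
    return findings


if __name__ == "__main__":
    holders = parse_role_holders(SAMPLE_NTDSUTIL_OUTPUT)
    for role in ROLES:
        print(f"{role:<15} {holders[role]['dc']} (site {holders[role]['site']})")
    for finding in check_placement(holders, gc_servers={"SERVER100"}):
        print("WARNING:", finding)
```

Feed it the saved transcript of a real ntdsutil session and the list of GC servers from your site; the sample run above reports the Infrastructure Master on SERVER100 while SERVER100 is a GC, which is exactly the placement the later Note tells you to avoid.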

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. The five FSMO roles are:

Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article. However, when the original FSMO role holder went offline or became non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), it is not a problem for them to be unavailable for hours or even days. If a DC becomes unreliable, try to get it back online, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role        Loss implications
Schema           The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID              Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer objects per week.
PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure   Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again. The following table summarizes the FSMO seizing restrictions:

FSMO Role        Restrictions
Schema           Original must be reinstalled
Domain Naming    Original must be reinstalled
RID              Original must be reinstalled
PDC Emulator     Can transfer back to original
Infrastructure   Can transfer back to original

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

    fsmo maintenance: Seize infrastructure master
    Attempting safe transfer of infrastructure FSMO before seizure.
    ldap_modify_sW error 0x34(52 (Unavailable).
    Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
    Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Transfer of infrastructure FSMO failed, proceeding with seizure ...
    Server "server100" knows about 5 roles
    Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
    fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

5. What is the difference between authoritative and non-authoritative restore

In authoritative restore, objects that are restored will be replicated to all domain controllers in the domain. This can be used specifically when an entire OU is disturbed in all domain controllers, or to specifically restore a single object which is disturbed in all DCs. In non-authoritative restore, restored directory information will be updated by other domain controllers based on the latest modification time.

6. What is Active Directory De-fragmentation

De-fragmentation of AD means separating used space and empty space created by deleted objects, and reduces directory size (only in offline De-fragmentation).

7. Difference between online and offline de-fragmentation

The size of NTDS.DIT will often be different across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the domain controllers with the changes being replicated over time to the other domain controllers. The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn't reduce the file's size - the database file cannot be compacted while Active Directory is mounted. Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or online). An NTDS.DIT file that has been defragmented offline (compacted) can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn't something you should really need to do. Normally, the database self-tunes, automatically tombstoning the records and then sweeping them away when the tombstone lifetime has passed to make that space available for additional records. Defragging the NTDS.DIT file probably won't help your AD queries go any faster in the long run. So why defrag it in the first place? One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.

To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:

Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS. W2K will start in safe mode, with no DS running.
Use the local SAM's administrator account and password to log on. You'll see a dialog box that says you're in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe. In the command window, you'll see the following text. (Enter the commands in bold.)

    C:\> ntdsutil
    ntdsutil: files
    file maintenance: info
    ....
    file maintenance: compact to c:\temp

You'll see the defragmentation process. If the process was successful, enter quit to return to the command prompt. Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)

    C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Restart the computer, and boot as normal.

8. What is tombstone period

Tombstones are nothing but objects marked for deletion. After deleting an object in AD the object will not be deleted permanently. It will remain 60 days by default (which is configurable); an entry marked for deletion is added on the object and replicated to all DCs. After 60 days the object will be deleted permanently from all DCs.

9. What is white space and Garbage collection

Refer question 7.

10. What are the monitoring tools used for Server and Network Health? How to define alert mechanism

Spot Light, SNMP (need to be enabled).

11. How to deploy the patches and what are the softwares used for this process

Using a SUS (Software Update Services) server we can deploy patches to all clients in the network. We need to configure the option called “Synchronize with Microsoft software update server” and schedule the time to synchronize on the server. We need to approve new updates based on the requirement; then the approved updates will be deployed to clients. We can configure clients by changing the registry manually or through Group Policy by adding the WUAU administrative template in Group Policy.

12. What is Clustering? Briefly define & explain it

Clustering is a technology which is used to provide High Availability for mission-critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs, which is only available in Enterprise Edition and Datacenter Edition. In Windows we can configure two types of clusters:

NLB (Network Load Balancing) cluster: for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy.

Server Cluster: This provides High Availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node will be active and one node will be standby. When the active server fails the application will FAILOVER to the standby server automatically. When the original server comes back we need to FAILBACK the application.

Quorum: A shared storage needs to be provided for all servers, which keeps information about the clustered application and session state and is useful in a FAILOVER situation. This is very important: if the Quorum disk fails the entire cluster will fail.

Heartbeat: Heartbeat is a private connection between the servers in the cluster, which is used to identify the status of the other servers in the cluster.

13. How to configure SNMP

SNMP can be configured by installing SNMP from Monitoring and Management Tools in Add/Remove Programs. For SNMP programs to communicate we need to configure a common community name for those machines where SNMP programs (e.g. DELL OPEN MANAGER) are running. This can be configured from services.msc > SNMP service > Security.

14. Is it possible to rename the Domain name & how?

In Windows 2000 it is not possible. In Windows 2003 it is possible. On the Domain controller, by going to MY COMPUTER properties we can change it.

15. What is SOA Record

SOA is a Start Of Authority record, which is the first record in DNS, which controls the startup behavior of DNS. We can configure TTL, refresh, and retry intervals in this record.

16. What is a Stub zone and what is the use of it?

Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient especially over slow WAN links.

17. What are the different types of partitions present in AD

Active Directory is divided into three partitions:
Configuration Partition - replicates to the entire forest
Schema Partition - replicates to the entire forest
Domain Partition - replicates only in the domain
Application Partition (only in Windows 2003)

18. What are the (two) services required for replication

File Replication Service (FRS)
Knowledge Consistency Checker (KCC)

19. Can we use a Linux DNS Server in 2000 Domain

We can use it, but the BIND version should be 8 or greater.
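Question 15 says the SOA record carries the zone's TTL, refresh and retry timers, and question 19 notes that a BIND server can serve the zone. As an added example that is not part of this Q&A, the Python below parses an SOA record written in BIND zone-file syntax and checks the timer relationships against the usual RFC 1912 guidance (retry shorter than refresh; expire larger than refresh plus retry) and the RFC 2308 negative-caching bound. The zone dpetri.net and the host server100 are reused from the ntdsutil transcript earlier on the page; every timer value and the hostmaster mailbox are constructed.

```python
import re

# Constructed zone-file fragment in BIND syntax; dpetri.net and server100 are
# reused from the ntdsutil transcript on this page, all other values are made up.
SAMPLE_ZONE = """\
$TTL 3600
dpetri.net.  IN  SOA  server100.dpetri.net. hostmaster.dpetri.net. (
        2004031501 ; serial (YYYYMMDDnn)
        900        ; refresh: secondaries poll the primary every 15 minutes
        600        ; retry: re-poll 10 minutes after a failed refresh
        86400      ; expire: stop serving the zone after 1 day without contact
        3600 )     ; minimum: negative-caching TTL
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

# Owner [TTL] [IN] SOA MNAME RNAME ( serial refresh retry expire minimum )
SOA_RE = re.compile(
    r"(?P<zone>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*\(?\s*"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
)


def strip_comments(zone_text):
    """Drop ';' comments so the parenthesised SOA can be matched as one run of text."""
    return "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())


def parse_soa(zone_text):
    """Return the SOA record as a dict; the numeric fields are converted to int (seconds)."""
    m = SOA_RE.search(strip_comments(zone_text))
    if m is None:
        raise ValueError("no SOA record found")
    soa = m.groupdict()
    for field in SOA_FIELDS:
        soa[field] = int(soa[field])
    return soa


def rname_to_email(rname):
    """RNAME encodes the admin mailbox: the first label is the local part, the rest the domain."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def check_soa_timers(soa):
    """Return the timer problems a secondary would suffer from (empty list means fine)."""
    issues = []
    if soa["retry"] >= soa["refresh"]:
        issues.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        issues.append("expire must exceed refresh + retry, or secondaries can drop the zone after one missed refresh")
    if soa["minimum"] > 3 * 3600:
        issues.append("minimum (negative-caching TTL) above 3 hours delays recovery from a mistyped name")
    return issues


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(f"zone {soa['zone']} primary {soa['mname']} admin {rname_to_email(soa['rname'])}")
    for field in SOA_FIELDS:
        print(f"  {field:<8} {soa[field]}")
    for issue in check_soa_timers(soa):
        print("WARNING:", issue)
```

Point parse_soa at a dump of your own zone (for example a zone transfer saved to a file) to see whether the timers that question 15 mentions actually let secondaries keep up with changes.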

20. What is the difference between IIS Version 5 and IIS Version 6

Refer Question 1.

21. What is ASR (Automated System Recovery) and how to implement it

ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard, located in Backup, does the backup portion. The wizard backs up the system state, system services, and all the disks that are associated with the operating system components. ASR also creates a file that contains information about the backup, the disk configurations (including basic and dynamic volumes), and how to perform a restore. You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.

22. What are the different levels that we can apply Group Policy

We can apply group policy at SITE level, Domain level and OU level.

23. What is Domain Policy, Domain controller policy, Local policy and Group policy

Domain Policy will apply to all computers in the domain, because by default it is associated with the domain GPO, whereas Domain Controller policy will be applied only on domain controllers. By default the domain controller security policy is associated with the Domain Controllers GPO. Local policy will be applied to that particular machine only and affects that computer only.

24. What is the use of SYSVOL folder

Policies and scripts saved in the SYSVOL folder will be replicated to all domain controllers in the domain. FRS (File Replication Service) is responsible for replicating all policies and scripts.

25. What is folder redirection?

Folder Redirection is a User group policy. Once you create the group policy and link it to the appropriate folder object, an administrator can designate which folders to redirect and where. To do this, the administrator needs to navigate to the following location in the Group Policy Object: User Configuration\Windows Settings\Folder Redirection. In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can designate the server file system path to which the folder should be redirected. The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.

26. What different modes in windows 2003 (Mixed, native & interim)

What are the domain and forest function levels in a Windows Server 2003-based Active Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system. When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.

To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info). To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this requirement is met, the administrator can raise the domain functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).

Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

Important: Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and prohibits the addition of Windows NT 4.0-based or Windows 2000-based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000-based domain controllers in the environment will no longer function. Before raising functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.

When the first Windows Server 2003-based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following table summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003 (Feature / Functionality):

Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the pack­aged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003. When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest. If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (Default)
Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
Activated features: local and global groups, global catalog support

Windows 2000 native
Supported domain controllers: Windows 2000, Windows Server 2003
Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups, you can raise domain levels by increasing the forest level settings

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003
Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
Supported domain controllers: Windows Server 2003
Supported features: domain controller rename, logon timestamp attribute updated and replicated, user password support on the InetOrgPerson objectClass, constrained delegation, you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003. After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain. The following describes the domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest functional levels, the corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging, no global catalog full sync when attributes are added to the PAS, Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked Value Replication, Improved Replication Topology Generation, ISTG Aliveness no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003
Supported domain controllers: Windows Server 2003
Activated features: all features in Interim Level, defunct schema objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest. Different Active Directory features are available at different functional levels. Raising domain and forest functional levels is required to enable certain new features as domain controllers are upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003.

Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native mode, Windows Server 2003 and Windows Server 2003 interim (only available when upgrading directly from Windows NT 4.0 to Windows 2003).
Forest Functional Levels: Windows 2000 and Windows 2003.

27. IPsec usage and difference window 2000 & 2003?

Microsoft doesn't recommend Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind network address translators. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic. If you put a server behind a network address translator, you may experience connection problems because clients that connect to the server over the Internet require a public IP address. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator. For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static network address translator mappings:

• Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.

These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-T traffic that is sent to the public address of the network address translator is automatically translated and forwarded to the Windows Server 2003-based computer.

28. How to create application partition windows 2003 and its usage?

An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition. Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

29. Is it possible to do implicit transitive forest to forest trust relationship in windows 2003?

Implicit transitive trust is not possible in Windows 2003. Between forests we can create an explicit trust: Two-way trust, One-way: incoming, or One-way: outgoing.

30. What is universal group membership caching in Windows 2003?

Once this option is enabled, the information is stored locally when a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog.

By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours.

31. GPMC & RSoP in Windows 2003?

GPMC is a tool used for managing group policies. It displays information such as how many policies are applied, on which OUs the policies are applied, what settings are enabled in each policy, which users are affected by these policies, and who is managing these policies. RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine the set of applied policies and their precedence (the order in which policies are applied).

32. Assign & Publish the applications in GP & how?

Through Group Policy you can Assign and Publish applications by creating an .msi package for the application. With the Assign option you can apply the policy to both users and computers. If it is applied to a computer, the policy applies to any user who logs on to that computer. If it is applied to a user, it applies wherever that user logs on to the domain. The application appears in Start menu, Programs. Once the user clicks the shortcut or opens any document with that file extension, the application is installed on the local machine. If any application program files are missing, it will automatically repair itself. With the Publish option you can apply the policy only to users, and it will not reinstall automatically when application program files are corrupted or deleted.

33. DFS in Windows 2003?

Refer to Question 17 on level 2.

34. How to use the recovery console?

The Windows 2000 Recovery Console is a command-line console that you can start from the Windows 2000 Setup program. Using the Recovery Console, you can start and stop services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks. The Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly. Because the Recovery Console is quite powerful, it should only be used by advanced users who have a thorough knowledge of Windows 2000. In addition, you must be an administrator to use the Recovery Console. There are two ways to start the Recovery Console: if you are unable to start your computer, you can run the Recovery Console from your Windows 2000 Setup disks or from the Windows 2000 Professional CD (if you can start your computer from your CD-ROM drive). As an alternative, you can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2000. You can then select the Recovery Console option from the list of available operating systems.

35. PPTP protocol for VPN in Windows 2003?

Point-to-Point Tunneling Protocol (PPTP) is a networking technology that supports multiprotocol virtual private networks (VPN), enabling remote users running Microsoft Windows NT® Workstation, Windows® 95, Windows 98 and other Point-to-Point Protocol (PPP)-enabled systems to dial into a local Internet service provider and connect securely to their corporate network through the Internet.

Netdom.exe is a domain management tool used to rename a domain controller. SID history

What is a Bridgehead Server? Crisis Management? Mail flow in Exchange Server? DMZ concept in Firewalls?

Does NAT use a port number? If so, what is the port number? Difference between Schema Master and Global Catalog? Difference between Incremental and Differential Backup? Which backup is best, and which has Microsoft recommended? (depends on the volume of data) How are DNS and DHCP integrated? If the RID master fails, what happens? Tool used for FSMO? Difference between Assigning and Publishing through Group Policy?

Second level

What are the services installed when RIS is installed? Read about RIS. How to troubleshoot if a DHCP client won't get an IP from the DHCP Server? What are online and offline fragmentation?

Garbage collection and white space? Tell me one example when the Infrastructure master and Global catalog will be on one DC; what is the issue if both reside on the same system? When do you require an Infrastructure Master? What are the Windows 2003 modes?

What are FSMO roles and explain them? Stress on PDC emulator? 2003 advantages? About migration? (W2K to W2K3 and NT to W2K3)

How to Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration?

Before you upgrade a Windows NT 4.0 domain to a Windows Server 2003-based domain, the following domain and security configurations are required. Note: This article assumes that the source domain is running Windows NT 4.0 Service Pack 4 (SP4) or later with 128-bit encryption, and that the target domain is a Windows Server 2003-based domain in native mode. Also, the Windows Server 2003 domain must have 128-bit encryption (which is the default setting in Windows 2003).

Trusts: Configure the source domain to trust the target domain. Configure the target domain to trust the source domain.

Groups: Add the Domain Admins global group from the source domain to the Administrators local group in the target domain. Add the Domain Admins global group from the target domain to the Administrators local group in the source domain. Create a new local group in the source domain called SourceDomain$$$. Note: There must be no members in this group.

Auditing: Enable auditing for the success and failure of user and group management on the source domain. Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

Registry: On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Administrative Shares: Administrative shares must exist on the domain controller in the target domain on which you run ADMT, and on any computers on which an agent must be dispatched.

User Rights: You must log on to the computer on which you run ADMT with an account that has the following permissions: Domain Administrator rights in the target domain; membership in the Administrators group in the source domain; Administrator rights on each computer that you migrate; Administrator rights on each computer on which you translate security. You will have the appropriate rights when you log on to the PDC that is the FSMO role holder in the target domain with the SourceDomain\Administrator account, assuming that the SourceDomain\Domain Administrators group is a member of the Administrators group on each computer.

How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration

You can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is running Windows 2000 or later, including: Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows XP Professional, Microsoft Windows Server 2003. The computer on which you install ADMTv2 must be a member of either the source or the target domain.

Intraforest Migration: Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by

ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain. Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.

Interforest Migration: ADMT requires the following permissions to run properly: Administrator rights in the source domain; Administrator rights on each computer that you migrate; Administrator rights on each computer on which you translate security. Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configurations. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares, C$ and ADMIN$. The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.

User and Group Migration: You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.

Requirements for Optional Migration Tasks: You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.

• Create a new local group in the source domain that is named sourcedomain$$$. There must be no members in this group.
• Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
• Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport

You must restart the PDC Emulator after you make this change. Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the "Migrate sIDHistory" right may be delegated. For more information, see Windows Server 2003 Help & Support.

You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMTv2, and must be installed by an administrator. To install the password migration DLL:

1. Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.
2. At a command prompt, run the ADMT KEY sourcedomain path [* | password] command to create the password export key file (.pes). In this example, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a password, and the system will not echo it as it is typed.
3. Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
4. Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or in the folder to which you downloaded ADMTv2 from the Internet. When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
5. After the installation completes, you must restart the server.
6. If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport

The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD.

The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to the Windows 2000 Active Directory service. As a system administrator, you can use this tool to diagnose any possible problems before starting migration operations to Windows 2000 Server Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations. In many cases, if there is a problem, you can use the rollback features to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Windows NT 4.0 domains while you deploy Windows 2000. Note: To successfully run the AD Migration Tool the source domain must be running Windows NT 4.0 Service Pack 4 or later, and the target domain must be a Windows 2000-based domain in Native mode.

Version 2.0 of ADMT ships with Windows Server 2003 and has many new features:

• Scripting and command-line interface
• Password Migration
• SID Mapping Files for Security Translation
• Windows 2000 Attribute Exclusion
• Agent Credentials
• Migration Log
• Skip Membership Restoration

Question on System State data Backup? Different types of DNS roles and Zones? What are the steps you follow when you are promoting a server as an ADC in Windows 2003? What are the two parameters you run before upgrading the server to an ADC (/forestprep, /domainprep)? What is the authentication process? What is the role of the GC in the authentication process?

What happens if the DNS server fails? Can a user still log in if the DNS server fails (if you have only one DNS Server)? How do you promote a server to a domain controller (in Windows 2003) over a slow WAN link?

A. Take a backup of the system state from an existing DC and restore it on the server you are promoting, using "dcpromo /adv" and selecting restore from backup.

Working with Group Policy


This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal with the GPO itself and the settings inside it (these settings and configurations will be discussed in different articles). Group Policy is one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:

1. Configure users' desktops
2. Configure local security on computers
3. Install applications
4. Run start-up/shut-down or logon/logoff scripts
5. Configure Internet Explorer settings
6. Redirect special folders

In fact, you can configure any aspect of the computer's behavior with it. Although it is a cool toy, working with it without proper attention can cause unexpected behavior. Here are some basic terms you need to be familiar with before drilling down into Group Policy:

Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add the "Group Policy Object Editor" snap-in to MMC. Local Policies also exist in the Active Directory environment, but have many fewer configuration options than the full-fledged Group Policy in AD.

GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO (Group Policy Object) at the site level, domain level or OU level.

GPC - Group Policy Container - The GPC is the store of the GPOs; the GPC is where the GPO stores all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or Site. The GPOs are replicated among the Domain Controllers of the Domain through replication of the Active Directory.

GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.

Netlogon share - A share located only on Domain Controllers that contains GPOs, scripts and .POL files for policy of Windows NT/9x. The Netlogon share replicates among all DCs in the Domain, and is accessible read-only for the Everyone group, and with Full Control for the Domain Admins group. The Netlogon share's real location is: C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS. When a domain member computer boots up, it finds the DC and looks for the Netlogon share on it. To see what DC the computer used when it booted, you can go to the Run command and type \\%logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.

GPO behavior
Group Policy is processed in the following order: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO. GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is overridden by Domain policy, and Domain policy is overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger than the previous one. The rule is simple: the closer you get to the object that is being configured, the stronger the GPO. What does "stronger" mean? If you configure a GPO and link it to the "Organization" OU, and in it you configure Printer installation as allowed, and then at the "Dallas" OU you configure another GPO that does not allow printer installation, then the Dallas GPO is more powerful and the computers in it will not allow installation of printers. The example above applies when you have different GPOs that have similar configuration, configured with opposite settings. When you apply a couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.

Group Policy sections

Each GPO is built from 2 sections: Computer configuration contains the settings that configure the computer prior to the user logon. User configuration contains the settings that configure the user after the logon. You cannot choose to apply the setting on a single user; all users, including the administrator, are affected by the settings.

Within these two sections you can find more sub-folders: Software settings and Windows settings, both of computer and user, are settings that configure local DLL files on the machine.

Administrative templates are settings that configure the local registry of the machine. You can add more options to administrative templates by right-clicking it and choosing .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.

You can download .ADM files for the Microsoft operating systems.

Tools used to configure GPO

You can configure GPOs with this set of tools from Microsoft (other 3rd-party tools exist but we will discuss these in a different article):

1. Group Policy Object Editor snap-in in MMC, or use gpedit.msc from the Run command.
2. Active Directory Users and Computers snap-in, or dsa.msc, to invoke the Group Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services, or dssite.msc, to invoke the Group Policy tab on a site.
4. Group Policy Management Console, or gpmc.msc. This utility is NOT included in Windows 2003 server and needs to be separately installed. You can download it from HERE.

Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.

GPMC utility - Creating a GPO

When you create a GPO it is stored in the GPO container. After creation you should link the GPO to an OU that you choose.

Linking a GPO

To link a GPO simply right-click an OU and choose Link an existing GPO, or you can create and link a GPO at the same time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate Site, Domain or OU. When you right-click a link you can: Edit a GPO - This will open the GPO window so you can configure settings. Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.

Enabling/disabling computer or user settings

A GPO has computer and user settings, but if you create a GPO that contains only computer settings, you might want to disable the user settings in that GPO. This will reduce the amount of settings replicated and can also be used for testing. To disable one of the configurations simply choose the GPO link and go to the Details tab.

How do I know what the settings in a GPO are?

Prior to the use of GPMC, an administrator who wanted to find out which of the hundreds of settings of a GPO were actually configured had to open each GPO and manually comb through each and every node of the GPO sections. Now, with GPMC, you can simply see what the configuration of any GPO is by selecting that GPO and going to the Settings tab. There you can use the drop-down menus to see computer or user settings.

Block/Enforce inheritance

You can block policy inheritance to an OU if you don't want the settings from upper GPOs to configure your OU. To block GPO inheritance, simply right-click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs. In case you need one of the upper GPOs to configure all downstream OUs and overcome Block Inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and should rarely be used. You can see in this example that when you look at the Computers OU, three different GPOs are inherited by it. In this example you can see that choosing "Block inheritance" will reject all upper GPOs. Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.

Link order

When linking more than one GPO to an OU, there could be a problem when two or more GPOs have the same settings but with opposite configuration: for example, GPO1 has Allow printer installation among other settings but GPO2 is configured to prevent printer installation among other settings. Because the two GPOs are at the same level, there is a link order which can be changed. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

Security Filtering

Filtering lets you choose the user, group or computer that the GPO will apply to. If you configured the "Computers" OU with a GPO but you only want to configure Win XP stations with that GPO and exclude Win 2000 stations, you can easily create a group of Win XP computers and apply the GPO only to that group. This option saves you from creating a complicated OU tree with each type of computer in it. A user or a group that you configure in the filtering field has by default the "Read" and "Apply" permission. By default when you create a GPO link, you can see that "Authenticated users" is listed. In the above example, Office 2003 will be installed on all computers that are part of the two listed groups.

If we were still using Authenticated users, the installation of the Office suite could have followed the user to any computer that he logs onto, like servers or other machines. Using filtering narrows the installation options. If you want to configure these permissions with higher resolution, you can go to the Delegation tab and see the permissions. Going to the Advanced tab will let you configure the ACL permissions with the highest resolution.
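The precedence rules from the sections above (processing order, link order, Block Inheritance, Enforce and security filtering) as a small simulator. This is an added example written for this page, not the article's own code, and every GPO, OU, group and setting name in it is constructed.

```python
# Added example (not from the original article): a simulator of the Group Policy
# precedence rules described above. It models Local -> Site -> Domain -> OU ->
# child OU processing, link order within one container, Block Inheritance on a
# container, Enforce on a link, and security filtering by group membership.
# Later-applied GPOs win, so the last writer of a setting is its "Winning GPO".
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                  # setting name -> value
    apply_to: Optional[set] = None  # security filtering: groups allowed to apply it;
                                    # None means the default "Authenticated Users"


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False          # Enforce: cannot be blocked, beats lower levels
    enabled: bool = True            # Link/Unlink: a disabled link is skipped


@dataclass
class Container:                    # a Site, a Domain or an OU
    name: str
    links: list = field(default_factory=list)  # links[0] is link order 1 (highest precedence)
    block_inheritance: bool = False # Block Inheritance: drop non-enforced GPOs from parents


def resolve(local_settings, chain, groups):
    """Resultant set of policy for one computer or user.

    chain is the container path in processing order (site, domain, OU, child OU);
    groups are the security groups of the object being evaluated.
    Returns {setting: (value, winning_gpo_name)}.
    """
    result = {s: (v, "Local Policy") for s, v in local_settings.items()}
    # The deepest container with Block Inheritance decides what is blocked:
    # non-enforced links from containers above it are ignored.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within a container the lowest link order is processed last and wins.
        for link in reversed(container.links):
            if not link.enabled:
                continue
            if link.gpo.apply_to is not None and not (link.gpo.apply_to & groups):
                continue                # filtered out by security filtering
            if link.enforced:
                enforced.append(link.gpo)
            elif block_at is None or depth >= block_at:
                normal.append(link.gpo)
    # Enforced links are applied after everything else; the one closest to the
    # root is applied last, so a domain-level Enforce beats an OU-level Enforce.
    for gpo in normal + enforced[::-1]:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


# Constructed scenario (hypothetical names) mirroring the examples in the text.
LOCAL = {"AllowPrinterInstall": True, "Wallpaper": "local.bmp"}
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"MinPasswordLength": 8})
DOMAIN_WALLPAPER = GPO("Domain-Wallpaper", {"Wallpaper": "corp.bmp"})
ORG_ALLOW = GPO("Organization-AllowPrinters",
                {"AllowPrinterInstall": True, "ScreenSaverTimeout": 900})
DALLAS_DENY = GPO("Dallas-DenyPrinters", {"AllowPrinterInstall": False})   # link order 1
DALLAS_ALLOW = GPO("Dallas-AllowPrinters", {"AllowPrinterInstall": True})  # link order 2
OFFICE = GPO("Deploy-Office", {"InstallOffice": True}, apply_to={"WinXP Computers"})


def build_chain(block_dallas=False):
    """Site > Domain > Organization OU > Dallas OU, optionally blocking inheritance at Dallas."""
    site = Container("Site-HQ")
    domain = Container("domain.com", [Link(DEFAULT_DOMAIN, enforced=True), Link(DOMAIN_WALLPAPER)])
    org = Container("Organization", [Link(ORG_ALLOW)])
    dallas = Container("Dallas", [Link(DALLAS_DENY), Link(DALLAS_ALLOW), Link(OFFICE)],
                       block_inheritance=block_dallas)
    return [site, domain, org, dallas]


if __name__ == "__main__":
    rsop = resolve(LOCAL, build_chain(), {"WinXP Computers", "Domain Computers"})
    for setting, (value, winner) in sorted(rsop.items()):
        print(f"{setting:20} = {value!s:10} (Winning GPO: {winner})")
```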

How the GPO is updated on the computers

A GPO inherited from AD is refreshed on the computers in several ways:

1. Logon to the computer (if the settings are "user settings" in the GPO).
2. Restart of the computer (if the settings are "computer settings" in the GPO).
3. Every 60 to 90 minutes, the computers query their DC for updates.
4. Manually by using the gpupdate command. You can add the /force switch to force all settings and not only the delta.

Note: Windows 2000 doesn't support the GpUpdate command, so you need to run a different command instead, one for computer settings and one for user settings. In both commands you can use the /enforce switch, which is similar to the /force switch in gpupdate. If any configuration change requires a logoff or a restart, a message will appear. You can force logoff or reboot using gpupdate switches.

How to check that the GPO was deployed

To be sure that the GPO was deployed correctly, you can use several methods. The term for the results is RSoP (Resultant Set of Policy).

1. Use the gpresult command in the command prompt.

The default result is for the logged-on user on that machine. You can also choose to check what the results are for other users on that machine. If you use the /v or /z switches you will get very detailed information. You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.

2. Resultant Set of Policy snap-in in MMC.

The snap-in has two modes: Logging mode, which tells you what the real settings are that were deployed on the machine, and Planning mode, which tells you what the results will be if you choose some options.

This option is not so convenient because you need to browse through the RSoP data to find the settings.

3. Group Policy Results in GPMC.

This is the most comfortable option, letting you check the RSoP data of every computer or user from a central location. This option also displays the summary of the RSoP and detailed RSoP data in HTML format. In the example above you can see the summary of applied or non-applied GPOs, both of computer and user settings. When looking at the Settings tab we can see what settings applied on the computer and see which is the "Winning GPO" that actually configured the computer with the particular setting.
