
What Is Active Directory?

Active Directory is a directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

a. Active Directory is a technology created by Microsoft, introduced with Windows 2000.
b. Active Directory uses multimaster replication, which lets us update the directory at any domain controller.
c. Active Directory is a centralized hierarchical directory database. A directory service stores information about network resources and makes the resources accessible to users and computers.
d. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered AD objects.
e. AD is a searchable database.
f. Active Directory uses DNS for its namespace.
g. Active Directory uses LDAP as the protocol for its client-server communication. Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

Lightweight Directory Access Protocol (LDAP)
An access protocol that defines how users can access or update directory service objects.

Active Directory is an LDAP version 3 directory (with version 2 compatibility), not an X.500 directory. LDAP provides a standard mechanism for naming objects stored in a directory and for:
1. Location in a hierarchy
2. Addition
3. Removal
4. Modification

Major requirements for Active Directory
1. Windows Server 2003 Standard or Enterprise edition
2. NTFS file system
3. DNS server

Active Directory partition
A contiguous subtree of the directory that forms a unit of replication. A given replica is always a replica of some directory partition. The directory always has at least three directory partitions:

1. The schema, which defines the object classes and attributes contained in Active Directory.
2. The configuration, which identifies the domain controllers, replication topology and other related information about the domain controllers within a specific implementation of Active Directory.
3. One or more domains that contain the actual Active Directory object data.

A domain controller always stores the partitions for the schema, configuration, and its own (and no other) domain. The schema and configuration are replicated to every domain controller in the domain tree or forest. The domain is replicated only to domain controllers for that domain. A subset of the attributes for all domain objects is replicated to the global catalog.
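The partition layout described above can be read straight from a domain controller's rootDSE entry. The following PowerShell is an added example, not part of the original notes; it assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable. The second function checks the rule just stated: every DC must hold the schema, configuration and its own domain partition.

```powershell
# Added example, not part of the original notes. Requires the ActiveDirectory
# PowerShell module (RSAT) and a reachable domain controller (assumptions).
Import-Module ActiveDirectory

function Get-DirectoryPartitionSummary {
    param(
        # Optional DC to bind to; when omitted the module picks one
        [string]$Server
    )
    $rootParams = @{}
    if ($Server) { $rootParams.Server = $Server }

    # rootDSE publishes the DNs of the well-known partitions for the DC we bound to
    $root = Get-ADRootDSE @rootParams

    [pscustomobject]@{
        Server        = $root.dnsHostName
        Schema        = $root.schemaNamingContext          # replicated forest-wide
        Configuration = $root.configurationNamingContext   # replicated forest-wide
        Domain        = $root.defaultNamingContext         # this DC's own domain only
        # namingContexts lists every partition this DC actually holds, which also
        # includes application partitions such as ForestDnsZones / DomainDnsZones
        AllHeld       = @($root.namingContexts)
    }
}

# A DC must hold schema + configuration + its own domain; anything beyond that
# is an application partition. This flags a DC whose rootDSE is missing one.
function Test-RequiredPartitions {
    param([string]$Server)
    $summary  = Get-DirectoryPartitionSummary -Server $Server
    $required = @($summary.Schema, $summary.Configuration, $summary.Domain)
    $missing  = @($required | Where-Object { $summary.AllHeld -notcontains $_ })
    [pscustomobject]@{
        Server  = $summary.Server
        Missing = $missing
        Healthy = ($missing.Count -eq 0)
    }
}

Get-DirectoryPartitionSummary | Format-List
Test-RequiredPartitions | Format-List
```

Run it against each DC with `-Server` to compare what different DCs hold; the schema and configuration DNs should be identical on every DC in the forest, while the default naming context differs per domain.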

Note: In layman's language, Active Directory is something like the Yellow Pages.

Domain Controller (D.C.)
A server where A.D. is installed is called a D.C.

Features of A.D.:
1. Fully integrated security system with the help of Kerberos.
2. Easy administration using Group Policy.
3. Scalable to any size network.
4. Flexible (install/uninstall).
5. Extensible (modify the schema).
New features in 2003:
6. Rename computer names and domain names.
7. Cross-forest trust relationships.
8. Site-to-site replication is faster.

What is a Domain
A group of computers under a common security and administrative boundary.

What is a Domain Controller
A domain controller is a system using which we can control access to resources and implement security on users and computers in the domain.

What is DNS, WINS and DHCP
Soln :
DNS : Domain Name Service is a name resolution service that translates a domain name to an IP address and vice versa.
WINS : It is used to resolve NetBIOS names to IP addresses.
DHCP : Dynamic Host Configuration Protocol is a protocol for automatically assigning IP addresses to hosts joining a network.
ARP : Address Resolution Protocol is a protocol that maps IP addresses to network card MAC addresses.
Protocol : A formal specification of a means of computer communication.
VPN : A Virtual Private Network, a network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

How does a PDC act when in Mixed mode and Native mode.
Domain functional level: Windows 2000 mixed. The domain controllers that can run in this mode are Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003, so the PDC emulator has the responsibilities below.

Since a Windows NT server may still be present in the domain, the PDC emulator is responsible for authentication and time synchronization for Windows 98 and NT workstations.

Soln : In Mixed mode the PDC acts for
1. Account lockouts
2. Password changes

In Native mode:
1. It is used for authentication.
2. Account lockouts
3. Password changes
4. Time synchronization

Forest Functional Levels

(Mnemonic: the word THREE contains TRE and Forest also contains TRE, so there are three forest levels.)
1. Windows 2000 (default) ----- Windows NT 4, Windows 2000, Windows Server 2003 family
2. Windows Server 2003 Interim ----- Windows NT 4, Windows Server 2003 family
3. Windows Server 2003 ----- Windows Server 2003 family

Domain Functional Levels

1. Windows 2000 Mixed Mode ----- Windows NT 4, Windows 2000 or Windows Server 2003 DCs
2. Windows 2000 Native Mode ----- Windows 2000, Windows Server 2003 DCs
3. Windows Server 2003 Interim (no Windows 2000 DCs) ----- Windows NT 4, Windows Server 2003 DCs
4. Windows Server 2003 ----- All Windows Server 2003 DCs
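The tables above pair each level with the DC operating systems it permits. As an added example (not from the original notes), the PowerShell below reports the current forest and domain levels together with the distinct DC operating systems present, which is the information you need before raising a level: the oldest DC caps what the domain can be raised to, and raising is one-way. It assumes the ActiveDirectory module (RSAT) and a reachable DC.

```powershell
# Added example, not part of the original notes. Assumes the ActiveDirectory
# module (RSAT) and a reachable DC. Reports current levels and the DC operating
# systems present, since a level can only be raised once every DC in scope runs
# a supported version (and raising it cannot be undone).
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)

    [pscustomobject]@{
        Forest                = $forest.Name
        ForestFunctionalLevel = $forest.ForestMode
        Domain                = $domain.DNSRoot
        DomainFunctionalLevel = $domain.DomainMode
        # Distinct DC operating systems in this domain; the oldest one caps the domain level
        DomainControllerOS    = @($dcs | Select-Object -ExpandProperty OperatingSystem -Unique)
        DomainControllerCount = $dcs.Count
    }
}

Get-FunctionalLevelReport | Format-List
```

`ForestMode` and `DomainMode` return names such as `Windows2003Forest` / `Windows2003Domain`, matching the level names in the tables.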

What is Kerberos Authentication
Soln : Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of the network service. This dual verification is known as mutual authentication.

What is the difference between Domain Tree and Forest.
Soln : A domain TREE has a contiguous namespace: the parent domain's namespace is inherited by the child domain's namespace.

Forest : has multiple domain trees and can have a noncontiguous namespace.
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC.


What are the boot files.
Soln : NTLDR, BOOT.INI, NTDETECT.COM, BOOTSECT.DOS

What are the prerequisites for installation of Exchange Server?
The prerequisites are:
1. IIS
2. SMTP
3. WWW service
4. NNTP
5. .NET Framework
6. ASP.NET
Then run ForestPrep, then run DomainPrep.

What are the contents of a System State backup?
The contents are:
1. Boot files, system files
2. Active Directory (if it is done on a DC)
3. Sysvol folder (if it is done on a DC)
4. Certificate Services (on a CA server)
5. Cluster database (on a cluster server)
6. Registry
7. Performance counter configuration information
8. Component Services class registration database

What are the roles that must be on the same server?
Soln : Domain Naming Master and Global Catalog

What are the roles that must not be on the same Domain Controller?
Infrastructure Master and Global Catalog
Note: If you have only one domain then you won't get any problem even if you have both of them on the same server. If you have two or more domains in a forest then they shouldn't be on the same server.

Flexible Single Master Operation Roles (D.R.I.P.S)
1. Domain Naming Master ----- forest-wide role
2. Schema Master ----- forest-wide role
3. RID Master ----- domain-wide role
4. PDC Emulator ----- domain-wide role
5. Infrastructure Master ----- domain-wide role

RID MASTER : Allocates RIDs to other domain controllers; used when security principals or objects are created.
{ The RID makes the individual security principal's security identifier (SID) unique within a domain. Built-in RIDs are consistent between domains; for example, the built-in Administrator has a RID of 500. The RID master gives other domain controllers RIDs to use when new objects are created. }

PDC EMULATOR : Provides backward compatibility for pre-Windows 2000 versions in the domain. Acts as a central manager for user password changes, replication and account lockouts. Handles time synchronization.

Infrastructure Master : This domain controller records changes made concerning objects in a domain. All changes are reported to the Infrastructure Master first, and then they are replicated out to the other domain controllers. The Infrastructure Master deals with groups and group memberships for all domain objects. It is also the Infrastructure Master's role to update other domains with changes that have been made to objects.
{ Manages user and group references for objects between domains. Updates ACLs and group memberships as required. Queries the global catalog to ensure that references are current. The role should not be assigned to a global catalog server.
Exception 1: There is only a single domain in the forest.
Exception 2: All domain controllers are also global catalog servers. }

Domain Naming Master : plays the role of adding or removing domains.
{ Ensures domain names are unique in the forest. Domains cannot be added or removed if the domain naming master is not available. Enterprise Admins level access is required in order to add and remove domains. }

Schema Master : is responsible for any update or change in the Active Directory SCHEMA.

In Windows 2000 there are mainly 3 zones
1. Standard Primary ----- zone information is written in a text file
2. Standard Secondary ----- copy of the Primary
3. Active Directory Integrated ----- information is stored in Active Directory
In Win2k3 one more zone is added, the Stub zone.
STUB ZONE : Is like a secondary zone but it contains only a copy of the SOA record, a copy of the NS records and a copy of the A records for the zone's name servers. No copy of MX, SRV records etc. With a stub zone DNS traffic will be low.

In RAID 5, suppose I have 5 HDDs of 10 GB each. After configuring the RAID, how much space do I have to utilise?
A) The total minus one disk (e.g. if you are using 5 disks you get only 4 disks' worth, because 1 goes for parity).

How to synchronize manually a client computer to a domain controller?
Windows 2000 (Win2K) and later computers in a domain should automatically synchronize time with a domain controller. But sometimes you may get a situation where you need to synchronize manually. To manually synchronize time, open a command-line window and run:
1. Net stop w32time
2. w32time update
3. Net start w32time

Then manually verify the synchronization between the client computer and a domain controller. Also check the System event log to ensure that the W32Time service has not logged additional error messages.

What are the commands we use for DNS?
nslookup (and all interactive mode commands)
ipconfig /flushdns
ipconfig /registerdns

What is the difference between Primary zone and Secondary zone?
A Primary zone has read and write permissions, whereas a Secondary zone has read-only permission.
Note: A Secondary zone is used for backup and load balancing.

How to check whether DNS is working or not?
Type the command nslookup at the command prompt. It then gives the DNS server name and its IP address.

What is Dynamic Update in DNS?
Generally we need to create a host record for a newly joined computer (either a client, a member server or a domain controller). If you enable the Dynamic Update option, then DNS itself creates the associated host record for newly joined computers.

What is an iterative query?
This is the query sent by a client system to the DNS server. If the DNS server has an answer for that query it will answer; otherwise it replies with "no resource records found". The query that has been sent to the DNS server from a client is called an iterative query.

What is a Recursive query?
Now your DNS server requests the root-level DNS server for the specific IP address. Now the root DNS server says "I don't know, but I can give you the address of another server who can help you in finding the IP address".
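The notes say to verify the synchronization and check the System log after a manual resync but do not show how. The PowerShell below is an added example, not part of the original notes; it assumes `w32tm /query` and `w32tm /stripchart` are available (Windows Server 2003 SP1 / XP SP2 and later), a domain-joined host, and that 5 seconds is an acceptable offset for this check (Kerberos itself tolerates 5 minutes by default).

```powershell
# Added example, not part of the original notes. Assumes w32tm /query and
# w32tm /stripchart are available, a domain-joined host, and a 5 second
# offset threshold chosen for this check (Kerberos default skew is 5 minutes).
function Test-DomainTimeSync {
    param(
        # DC to measure against; defaults to the one this session logged on to
        [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),
        [double]$MaxOffsetSeconds = 5
    )
    if (-not $DomainController) { throw 'No domain controller given and LOGONSERVER is not set' }

    # Which peer W32Time currently uses; on a member this should be a DC.
    # "Local CMOS Clock" or "Free-running System Clock" means it is not syncing at all.
    $source = (w32tm /query /source) -join ' '

    # Sample the offset directly against the DC; /dataonly prints lines like "hh:mm:ss, +0.0123456s"
    $samples = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly
    $offsets = @(foreach ($line in $samples) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
    })
    $worst = if ($offsets.Count -gt 0) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }

    # The notes say to check the System log for W32Time errors after a manual resync
    $eventParams = @{
        FilterHashtable = @{ LogName = 'System'; Level = @(2, 3) }   # 2 = Error, 3 = Warning
        MaxEvents       = 500
        ErrorAction     = 'SilentlyContinue'
    }
    $timeErrors = @(Get-WinEvent @eventParams | Where-Object { $_.ProviderName -match 'Time' })

    [pscustomobject]@{
        Source                  = $source
        DomainController        = $DomainController
        SamplesTaken            = $offsets.Count
        MaxOffsetSeconds        = $worst
        InSync                  = ($null -ne $worst -and $worst -le $MaxOffsetSeconds)
        RecentTimeServiceErrors = $timeErrors.Count
    }
}

# If InSync is false, the documented way to force a sync is: w32tm /resync
Test-DomainTimeSync | Format-List
```

A result with `SamplesTaken` of 0 means the stripchart could not reach the DC on the NTP port (UDP 123), which is worth checking before blaming the time service itself.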

What is the structure and purpose of a directory service?
A directory service consists of a database that stores information about network resources, such as computers and printers, and the services that make this information available to users and applications.

What is a forest?
A collection of one or more domain trees that do not form a contiguous namespace. Forests allow organizations to group divisions that operate independently but still need to communicate with one another. All trees in a forest share a common schema, configuration partition and Global Catalog. All trees in a given forest trust each other with two-way transitive trust relationships.


Group Policy command-line tools
Description: Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer; uses the new WMI-based RSoP provider to show policy status.
Description: Refreshes local and Active Directory Group Policy settings, including security settings; supersedes the now obsolete /refreshpolicy option of the secedit command.



HOSTNAME ----- Displays the computer name of the local system.
IPCONFIG ----- Displays the TCP/IP properties for network adapters installed on the system. You can also use it to renew and release DHCP information.
NBTSTAT ----- Displays statistics and current connections for NetBIOS over TCP/IP.
NET ----- Displays a family of useful networking commands.
NETSH ----- Displays and manages the network configuration of local and remote computers.
NETSTAT ----- Displays current TCP/IP connections and protocol statistics.
NSLOOKUP ----- Checks the status of a host or IP address when used with DNS.
PATHPING ----- Traces network paths and displays packet loss information.
PING ----- Tests the connection to a remote host.
ROUTE ----- Manages the routing tables on the system.
TRACERT ----- During testing, determines the network path taken to a remote host.

To learn how to use these command-line tools, type the name at a command prompt followed by /?. Windows Server 2003 then provides an overview of how the command is used (in most cases).

Using NET Tools
You can more easily manage most of the tasks performed with the NET commands by using graphical administrative tools and Control Panel utilities. However, some of the NET tools are very useful for performing tasks quickly or for obtaining information, especially during telnet sessions to remote systems. These commands include:
NET SEND ----- Sends messages to users logged in to a particular system
NET START ----- Starts a service on the system
NET STOP ----- Stops a service on the system
NET TIME ----- Displays the current system time or synchronizes the system time with another computer
NET USE ----- Connects to and disconnects from a shared resource
NET VIEW ----- Displays a list of network resources available to the system
To learn how to use any of the NET command-line tools, type NET HELP followed by the command name, such as NET HELP SEND. Windows Server 2003 then provides an overview of how the command is used.

42. What are the similarities if I have 4 to 5 Domain Trees.
Soln : Common schema, and they may have a common DNS root namespace.

32. What is AD Replication
Soln : A process of copying information updates from one Domain Controller to another.

29. Can a DHCP Server be integrated with DNS.
Soln : YES

30. Can we restore the system state data on different servers.
Soln : No. But if we have the same hardware it is possible. Recommended not to do so.

26. What is sysvol, and explain the same
Soln : It contains the public files of all DCs in a domain. It uses FRS for replication. It contains Group Policy information. It contains the Netlogon share for client logon requests. It contains the policy folder shared as netlogon.

23. How to change schema master and what is the basic requirement?
Soln : To change the schema master, one of the primary FSMO roles, the user should be a member of the SCHEMA ADMINS group and register the Schmmgmt.dll dynamic-link library in order to make the Schema tool available as an MMC snap-in. Then run MMC, add the snap-in, right click, choose properties and change it to the required DC.

Active Directory and DNS
Name resolution: resolve names of servers/clients to IP addresses and (possibly) vice versa.
Namespace definition: an Active Directory domain's name must be represented in DNS. Active Directory requires DNS; DNS does not require Active Directory.
Locating the physical components of Active Directory: client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos, LDAP, and so on.

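Two things above are easy to observe with the DNS client itself: the SRV lookups a member uses to locate DCs, and the difference between a query the server resolves for you and one it must answer from its own data. The PowerShell below is an added example, not part of the original notes; it uses `Resolve-DnsName` from the DnsClient module (Windows 8 / Server 2012 and later), and the domain names and server address in the usage lines are assumptions. One caveat on terminology: in RFC 1034 the client-to-server query with the recursion-desired bit set is the recursive query and the server's own walk from the root is iterative, which is the reverse of the naming used in the DNS questions earlier in these notes; `-NoRecursion` clears that bit, so the server answers only from zones it holds or its cache.

```powershell
# Added example, not part of the original notes. Uses Resolve-DnsName from the
# DnsClient module (Windows 8 / Server 2012 and later); domain names passed in
# are assumptions. Shows (1) the SRV lookups a member uses to locate DCs and
# (2) a query with recursion requested versus one the server must answer alone.
Import-Module DnsClient

function Find-DomainControllerSrv {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # _gc records are registered under the forest root name, not under each domain
        [string]$ForestName = $DomainName,
        [string]$DnsServer
    )
    $lookups = [ordered]@{
        LDAP     = "_ldap._tcp.dc._msdcs.$DomainName"
        Kerberos = "_kerberos._tcp.dc._msdcs.$DomainName"
        GC       = "_gc._tcp.$ForestName"
    }
    foreach ($service in $lookups.Keys) {
        $p = @{ Name = $lookups[$service]; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $p.Server = $DnsServer }
        # Each SRV answer names a DC plus port/priority/weight; no answer at all
        # is the classic symptom of a DC that failed to register itself in DNS
        Resolve-DnsName @p | Where-Object Type -eq 'SRV' | ForEach-Object {
            [pscustomobject]@{
                Service  = $service
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
    }
}

function Compare-RecursionBehaviour {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsServer
    )
    # Recursion requested: the server walks root -> TLD -> authoritative on our behalf
    $withRecursion = @(Resolve-DnsName -Name $Name -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue)
    # Recursion refused: the server may only answer from zones it holds or from its cache
    $noRecursion   = @(Resolve-DnsName -Name $Name -Server $DnsServer -DnsOnly -NoRecursion -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Name                          = $Name
        Server                        = $DnsServer
        AnswersWithRecursion          = $withRecursion.Count
        AnswersWithoutRecursion       = $noRecursion.Count
        # A name outside the server's own zones normally answers only when recursion is allowed
        ServerIsAuthoritativeOrCached = ($noRecursion.Count -gt 0)
    }
}

# Usage (assumed names and address, not from the notes):
#   Find-DomainControllerSrv -DomainName corp.example.test
#   Compare-RecursionBehaviour -Name www.example.test -DnsServer 10.0.0.10
```

Running `Find-DomainControllerSrv` from a workstation that cannot log on is a quicker first check than `nslookup`, because it asks exactly the records the Netlogon DC locator asks for.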

What is a SID?
Security IDentifier. A variable-length number that is used to identify security principals. Used in ACLs to identify security principals that are granted/denied access to objects in Active Directory and file system resources. When a security principal is moved from one domain to another in Windows Server 2003, the object's SID changes. When a security principal is moved within a domain, its SID does not change.

What is a RID?
Relative IDentifier. When a security principal is created in a Windows Server 2003 domain, the principal's SID is comprised of two concatenated values:
1. The SID of the domain in which the principal is being created
2. A relative identifier that is unique within that domain
When a security principal is moved to another domain, it receives a new SID, which is comprised of the SID of the destination domain and a RID that is unique within that domain. Moves within a domain do not change SIDs/RIDs.

What is a GUID?
Globally Unique IDentifier. A 128-bit number generated at the time an object is created in the directory. It never changes and travels with the object: when an object is moved, even between domains in a forest, its GUID does not change. Used by domain controllers to identify objects in Active Directory for purposes of replication. Not used to identify security principals.
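The SID/RID/GUID relationship above can be shown in code. The following PowerShell is an added example, not part of the original notes: `Split-Sid` works offline on any SID string and separates the domain SID from the RID, flagging the well-known RIDs (500 for Administrator, as the RID Master section notes) that are identical in every domain; `Get-PrincipalIdentifiers` assumes the ActiveDirectory module (RSAT) and a reachable DC, and shows the objectGUID alongside the SID so the "SID changes on a cross-domain move, GUID does not" rule can be checked before and after a migration. The sample SID is constructed.

```powershell
# Added example, not part of the original notes. Split-Sid works offline;
# Get-PrincipalIdentifiers assumes the ActiveDirectory module (RSAT) and a DC.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    # .NET validates the S-R-I-S... syntax and exposes the domain part for us
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $subAuthorities = $SidString.Split('-')
    $rid = [uint32]$subAuthorities[-1]

    [pscustomobject]@{
        Sid                    = $sid.Value
        # Null for non-domain SIDs such as S-1-5-18 (LocalSystem)
        DomainSid              = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        # The RID is the final sub-authority; it is what the RID master hands out in pools
        Rid                    = $rid
        # Well-known RIDs (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins)
        # are below 1000 and the same in every domain; allocated RIDs start at 1000
        IsWellKnownRid         = ($rid -lt 1000)
        IsBuiltInAdministrator = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
    }
}

# The GUID, not the SID, is the identity replication relies on: a cross-domain
# move changes the SID (new domain SID + new RID) but never the objectGUID
function Get-PrincipalIdentifiers {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, objectSid, sIDHistory
    $parsed = Split-Sid $u.SID.Value
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        ObjectGuid     = $u.ObjectGUID        # stable for the object's whole life
        DomainSid      = $parsed.DomainSid    # changes on a cross-domain move
        Rid            = $parsed.Rid          # also reissued on a cross-domain move
        # sIDHistory keeps the old SIDs after a migration so existing ACL entries still match
        SidHistory     = @($u.sIDHistory | ForEach-Object { $_.Value })
    }
}

# Constructed sample SID (the sub-authorities are made up, not a real domain)
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-500'
```

For the constructed SID, `Split-Sid` reports the domain SID `S-1-5-21-1111111111-2222222222-3333333333`, RID 500 and `IsBuiltInAdministrator` true, which is exactly why renaming the Administrator account does not hide it: the RID, not the name, identifies it.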


Schema is a formal definition, a set of rules. The schema governs the structure of the directory, including how various objects in the directory fit into the directory's hierarchical structure. The schema is what makes Active Directory extensible. As organizations change, it may be necessary to add or modify object attributes, or even to create new classes. The use of certain applications, in particular, may require these kinds of modifications. Microsoft anticipates that application vendors will provide the means to modify the schema when necessary to support their applications' specific requirements.

Global Catalog
The global catalog is a role which maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored in global catalog servers and replicated to all GCs in the forest.

FSMO Roles
The 5 FSMO server roles:
Schema Master ----- Forest level ----- One per forest
Domain Naming Master ----- Forest level ----- One per forest
PDC Emulator ----- Domain level ----- One per domain
RID Master ----- Domain level ----- One per domain
Infrastructure Master ----- Domain level ----- One per domain

1. Schema Master (Forest level)
The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the following functions:
a. Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
b. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
c. Account lockout is processed on the PDC emulator.
d. Time synchronization for the domain.
e. Group Policy changes are preferentially written to the PDC emulator.
Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs. There is only one PDC emulator per domain.
Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain. Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change. There is only one Infrastructure master per domain.

What if a FSMO server fails?

Schema Master
No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master
The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator
The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master
The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master
This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Placing FSMO Server Roles
So where are these FSMO server roles found? Is there a one-to-one relationship between the server roles and the number of servers that house them? The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

However, it is always a good idea to have more than one domain controller in a domain for a number of reasons. Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server rule above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load. It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

FSMO Tools
How do you find out what servers in your domain/forest hold what server roles? How do you move a server role from one server to another? There are several tools that can be used to find out this information.

Permissions
Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:
Schema Master ----- member of the Schema Admins group
Domain Naming Master ----- member of the Enterprise Admins group
PDC Emulator ----- member of the Domain Admins group and/or the Enterprise Admins group
RID Master ----- member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master ----- member of the Domain Admins group and/or the Enterprise Admins group

Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles. Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking "Active Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and choose "Connect to Domain Controller". Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However... the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller, and then click the Change button. You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".

More Tools In addition to the tools mentioned above, there are other tools that can be used to view the FSMO server roles. Perhaps the easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window and type: netdom query fsmo and press enter. You will see a list of the FSMO role servers:
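`netdom query fsmo` only lists the role holders; it does not tell you whether the placement rules above are met. The PowerShell below is an added example, not part of the original notes; it assumes the ActiveDirectory module (RSAT) and a reachable DC. It produces the same role list and then applies the three rules from the placement section: Infrastructure Master not on a GC (unless single domain or every DC is a GC), Domain Naming Master on a GC, and PDC Emulator together with the RID Master. It also flags a domain-level role whose holder is no longer a DC of the domain, the situation in which a role has to be seized rather than transferred.

```powershell
# Added example, not part of the original notes. Assumes the ActiveDirectory
# module (RSAT) and a reachable DC. Lists role holders (as "netdom query fsmo"
# does) and checks them against the placement rules described in the notes.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    # DCs of this domain only; GC status is per DC
    $domainDcs = @(Get-ADDomainController -Filter * -Server $DomainName)
    $domainGcs = @($domainDcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
    # GC list across the whole forest, for the forest-wide roles
    $forestGcs = @($forest.GlobalCatalogs)

    # Forest-wide roles come from the forest object, domain-wide from the domain object
    $holders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    $findings    = @()
    $multiDomain = @($forest.Domains).Count -gt 1
    $everyDcIsGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    # Rule: Infrastructure Master must not be a GC unless single domain or all DCs are GCs
    if ($multiDomain -and -not $everyDcIsGc -and ($domainGcs -contains $domain.InfrastructureMaster)) {
        $findings += "Infrastructure Master $($domain.InfrastructureMaster) is a GC in a multi-domain forest where not every DC is a GC; cross-domain references will not be refreshed"
    }
    # Rule: Domain Naming Master should sit on a GC
    if ($forestGcs -notcontains $forest.DomainNamingMaster) {
        $findings += "Domain Naming Master $($forest.DomainNamingMaster) is not a global catalog server"
    }
    # Recommendation: PDC Emulator and RID Master together
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings += "PDC Emulator and RID Master are on different servers (recommended together)"
    }
    # A domain-level role still pointing at a DC that no longer exists must be seized, not transferred
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        if ($domainDcs.HostName -notcontains $holders[$role]) {
            $findings += "$role holder $($holders[$role]) is not a current DC of $DomainName"
        }
    }

    [pscustomobject]@{
        Domain         = $DomainName
        RoleHolders    = [pscustomobject]$holders
        GlobalCatalogs = $domainGcs
        Findings       = $findings
    }
}

Get-FsmoPlacementReport | Format-List
```

When a finding calls for moving a role, the scripted equivalent of the snap-in's Change button is `Move-ADDirectoryServerOperationMasterRole -Identity <target DC> -OperationMasterRole <role>`; it transfers when the current holder is online and, with `-Force`, seizes when it is not. Seizing is only appropriate when the old holder will never come back, because two DCs believing they hold the same role is worse than the outage.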

Another tool that comes with the Support Tools is the Active Directory Relication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the Server name and choose properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about the FSMO roles and to transfer or seize them. Ntdsutil.exe, a command-line utility installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

FIVE FSMO ROLES (DRIPS)

D - Domain Naming Master (forest-wide)
R - Relative Identifier (RID) Master (domain-wide)
I - Infrastructure Master (domain-wide)
P - Primary Domain Controller (PDC) Emulator (domain-wide)
S - Schema Master (forest-wide)

8. If DHCP is not available, what happens to the client?

The client does not obtain an IP address and cannot participate in the network (a Windows client that gets no answer falls back to an automatic private address in 169.254.0.0/16, which only reaches other such hosts on the same segment). If the client already holds a lease, it keeps using that address until the lease duration expires: it tries to renew at half the lease time and again later in the lease, and only gives up the address when the lease actually runs out.
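As an added illustration, not part of the original notes, the following Python simulates the four-message DHCP exchange (Discover, Offer, Request, Acknowledgement, plus the Negative Acknowledgement) and the lease behaviour described above: a client whose server disappears keeps its address until the lease expires and then drops off the network. The addresses, MAC addresses and the one-hour lease are constructed values; the 8-day default lease length is the one the notes give for a Windows DHCP server.

```python
import ipaddress

DEFAULT_LEASE = 8 * 24 * 3600   # seconds; the Windows Server 2003 default lease length is 8 days


class DhcpServer:
    """Toy DHCP server with a single scope (a pool of leasable addresses)."""

    def __init__(self, first_ip, last_ip, lease=DEFAULT_LEASE):
        start = int(ipaddress.IPv4Address(first_ip))
        end = int(ipaddress.IPv4Address(last_ip))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.lease = lease
        self.leases = {}    # ip -> (mac, expiry time)
        self.offers = {}    # mac -> ip offered but not yet acknowledged

    def _free_address(self, now):
        for ip in self.pool:
            holder = self.leases.get(ip)
            if holder is None or holder[1] <= now:      # never leased, or lease expired
                return ip
        return None

    def handle(self, msg, now):
        """Process one client message; returns the server's reply or None (server stays silent)."""
        kind, mac = msg["type"], msg["mac"]
        if kind == "DHCPDISCOVER":
            ip = self._free_address(now)
            if ip is None:
                return None                              # scope exhausted: no offer is sent
            self.offers[mac] = ip
            return {"type": "DHCPOFFER", "ip": ip, "lease": self.lease}
        if kind == "DHCPREQUEST":
            ip = msg["ip"]
            holder = self.leases.get(ip)
            held_by_other = holder is not None and holder[1] > now and holder[0] != mac
            if ip not in self.pool or held_by_other:
                return {"type": "DHCPNAK"}               # not in our scope, or leased to someone else
            self.offers.pop(mac, None)
            self.leases[ip] = (mac, now + self.lease)
            return {"type": "DHCPACK", "ip": ip, "expires": now + self.lease}
        raise ValueError("unexpected message type: " + kind)


class DhcpClient:
    def __init__(self, mac):
        self.mac = mac
        self.ip = None
        self.expires = None

    def has_valid_lease(self, now):
        return self.ip is not None and now < self.expires

    def acquire(self, server, now):
        """Run Discover/Offer/Request/Ack against server (None means no server is reachable)."""
        offer = server.handle({"type": "DHCPDISCOVER", "mac": self.mac}, now) if server is not None else None
        if offer is None:
            # No offer: keep using an unexpired lease, otherwise we cannot participate in the network.
            if not self.has_valid_lease(now):
                self.ip = self.expires = None
            return self.ip
        reply = server.handle({"type": "DHCPREQUEST", "mac": self.mac, "ip": offer["ip"]}, now)
        if reply["type"] == "DHCPNAK":
            self.ip = self.expires = None
            return None
        self.ip, self.expires = reply["ip"], reply["expires"]
        return self.ip


def demo():
    """Constructed scenario: two clients, a one-hour lease, then the server goes away."""
    server = DhcpServer("192.168.1.10", "192.168.1.12", lease=3600)
    a = DhcpClient("00:11:22:33:44:55")
    b = DhcpClient("66:77:88:99:aa:bb")
    ip_a = a.acquire(server, now=0)            # 192.168.1.10
    ip_b = b.acquire(server, now=0)            # 192.168.1.11 (first address is already leased)
    # b tries to request a's address directly: the server refuses with a NAK
    nak = server.handle({"type": "DHCPREQUEST", "mac": b.mac, "ip": ip_a}, now=0)["type"]
    kept = a.acquire(None, now=1800)           # server unreachable, lease still valid: keeps .10
    lost = a.acquire(None, now=3601)           # server unreachable, lease expired: no address
    return {"a": ip_a, "b": ip_b, "nak": nak, "kept": kept, "lost": lost}


if __name__ == "__main__":
    print(demo())
```

Run the module directly to see the scenario; the NAK path is the one to remember when a laptop that moved between subnets keeps requesting its old address.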

3. Difference between Windows 2000 and Windows Server 2003

In Windows 2000 a domain cannot be renamed; Windows Server 2003 supports domain rename (the rendom tool), and domains can be renamed or moved to a different level in an AD tree.
Windows 2000 Advanced Server supports up to 8 processors and 8 GB RAM (Windows 2000 Datacenter Server: 32 processors and 64 GB), whereas the largest Windows Server 2003 editions support up to 64 processors and 512 GB RAM.
Windows 2000 ships IIS 5.0; Windows Server 2003 ships IIS 6.0.
Windows 2000 does not include the .NET Framework; Windows Server 2003 ships with it (version 1.1 is built in).
Windows 2000 has no mainstream 64-bit server edition; Windows Server 2003 has 64-bit editions (Windows Server 2003 x64 Standard and Enterprise Edition).
Windows Server 2003 introduces the Volume Shadow Copy Service.
Windows 2000 offers cross-domain trusts; Windows Server 2003 adds cross-forest trusts.
Windows 2000 supports IPv4; Windows Server 2003 supports IPv4 and IPv6.
Objects can be dragged and dropped in Active Directory Users and Computers.
DNS stub zones are introduced in Windows Server 2003.
Schema attributes and classes cannot be deleted, but in Windows Server 2003 they can be deactivated (made defunct) and later reactivated or redefined.
New command-line tools: Windows Server 2003 includes a number of built-in command-line tools that were not available in Windows 2000, including: dsadd (creates objects from the command line), dsmove (moves an object from one OU or container to another within the same domain), dsrm (deletes an object from Active Directory), dsquery (returns an object or list of objects that matches the criteria you specify), dsget (returns one or more attributes of a particular Active Directory object).
Windows 2000 has no end-user policy management tool, whereas for Windows Server 2003 the Group Policy Management Console (GPMC), available as a separate download, provides it.

Difference between Windows Server 2008 and Windows Server 2003

Windows Server 2008 shares its code base with Windows Vista (it is built on the same kernel as Vista SP1) and carries forward the features of Windows Server 2003 R2. New services and changes include:
1. RODC (Read-Only Domain Controller), a new type of domain controller.
2. WDS (Windows Deployment Services) replaces RIS (Remote Installation Services).
3. Shadow copies (Previous Versions) are available for every folder on a volume with shadow copies enabled.
4. The boot sequence is changed (bootmgr and the Boot Configuration Data store replace ntldr and boot.ini).
5. Setup is image-based (installing from a WIM image) instead of the text-mode and GUI-mode phases of 2003 setup, which is why installing 2008 is faster.
6. Server components are installed as roles and features through Server Manager.
7. Group Policy management (GPMC) is built into the operating system instead of being a separate download.
8. The main differences between 2003 and 2008 are virtualization and management: 2008 has more built-in components and updated third-party drivers. Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit editions. More and more companies see this as a way of reducing hardware costs by running several virtual servers on one physical machine. If you want this technology, make sure you buy an edition of Windows Server 2008 that includes Hyper-V, then launch Server Manager and add the Hyper-V role.

What is the Global Catalog? The global catalog is a function that a domain controller can hold (it is not one of the FSMO roles); it maintains an index of objects. A GC contains full information about the objects in its own domain and a partial, read-only replica (a subset of attributes) of every object in the other domains of the forest. Universal group membership information is stored in the global catalog and replicated to all GCs in the forest. GC servers answer LDAP queries on port 3268 (3269 over SSL).

Where is the AD database held? %SystemRoot%\NTDS\ntds.dit (DIT: Directory Information Tree). The transaction logs (edb.log, edb*.log, res1.log, res2.log) and the checkpoint file edb.chk live in the same folder by default.

What is LDAP? Lightweight Directory Access Protocol. LDAP is a client-server protocol for accessing a directory service; Active Directory listens on TCP 389 (636 over SSL).

What is a Site? A site is one or more well-connected IP subnets. Sites are used to control replication traffic (intersite replication is scheduled and compressed) and to direct clients to nearby domain controllers.

What is the KCC? KCC stands for Knowledge Consistency Checker. It is a process that runs on every domain controller and builds (and, when needed, recreates) the replication topology, that is, the connection objects between domain controllers. Within a site every DC runs the KCC for the intrasite topology; for the intersite topology one DC per site, the Intersite Topology Generator (ISTG), runs the KCC on behalf of the site.

What is a WSUS server? What are the basic requirements for installing it? What is the difference between WSUS and SUS? What are the benefits of each?

WSUS (Windows Server Update Services) downloads updates from Microsoft to a local server; the clients then fetch the approved updates from the WSUS server during idle time, which saves Internet bandwidth and lets administrators test and approve updates before they are deployed. To configure a WSUS server: 1) run WSUS setup on a Windows Server 2003 server with IIS running (WSUS 2.0 also needs the .NET Framework 1.1 SP1 and BITS 2.0, and stores its metadata in WMSDE or SQL Server); 2) set the address of the proxy server in the setup wizard if one is needed to reach Microsoft; 3) set the synchronization schedule; 4) approve the updates; 5) point the clients at the server with Group Policy ("Specify intranet Microsoft update service location"). Difference between SUS and WSUS: SUS (Software Update Services) did a good job of keeping Windows itself up to date, but WSUS can also update other Microsoft products such as Microsoft Office, Exchange Server, and ISA Server, and its coverage of Microsoft server products keeps growing.

5. Difference between DC and ADC

There is no functional difference between a DC and an ADC (additional domain controller): both hold a writable copy of the Active Directory database, and either can hold FSMO roles (after the roles are transferred from the first DC). "ADC" is just a label for the second and later domain controllers of a domain.

7. Types of DNS servers
Primary DNS
Secondary DNS
Active Directory-integrated DNS
Forwarder
Caching-only DNS

10. What is the process by which a DHCP client gets an IP address?

There is a four-way negotiation between client and server (DORA):
DHCP Discover (broadcast by the client)
DHCP Offer (sent by the server)
DHCP Request, sometimes called Select (sent by the client; it selects one of the offers it received)
DHCP Acknowledgement (sent by the server; the lease starts here)
DHCP Negative Acknowledgement (NAK, sent by the server if the requested address cannot be granted, for example because it is already leased or belongs to another subnet)

12. What are the port numbers for FTP, Telnet, HTTP, DNS?

FTP 21, Telnet 23, HTTP 80, DNS 53, Kerberos 88, LDAP 389

How do you check whether Active Directory has been installed properly?
1. Check the SRV records in the DNS server. After Active Directory is installed, the DC registers its SRV records (such as _ldap._tcp.<domain> and _kerberos._tcp.<domain>) in DNS; the same records are written to %SystemRoot%\system32\config\netlogon.dns, so you can compare that file with the zone.
2. Verify the SYSVOL folder (shared as SYSVOL and NETLOGON).
3. Verify the database and log files: ntds.dit, edb.*, res*.log.
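As an added example, not part of the original notes, the following Python performs check 1 offline: it builds the owner names a domain controller is expected to register (a representative subset of the netlogon.dns list, for the domain, optionally the forest root and a site), parses a constructed zone dump, and reports names that are missing or that point at the wrong port. The domain corp.example.com, the host dc1 and the zone contents are constructed; in the constructed zone the _kpasswd record is missing and the global catalog record advertises the LDAP port instead of 3268.

```python
# Ports a domain controller's SRV records should advertise (LDAP, global catalog, Kerberos, kpasswd)
EXPECTED_PORT = {"_ldap": 389, "_gc": 3268, "_kerberos": 88, "_kpasswd": 464}


def expected_srv_names(domain, forest=None, site=None):
    """Owner names a DC registers in DNS (a representative subset, not the full netlogon.dns list)."""
    forest = forest or domain
    names = {
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",      # registered only by the PDC emulator
        f"_gc._tcp.{forest}",                   # global catalog records live in the forest root zone
        f"_ldap._tcp.gc._msdcs.{forest}",
    }
    if site:
        names |= {
            f"_ldap._tcp.{site}._sites.{domain}",
            f"_kerberos._tcp.{site}._sites.{domain}",
            f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        }
    return names


def parse_srv_records(zone_text):
    """Parse lines of the form 'owner TTL IN SRV priority weight port target'."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[2:4] == ["IN", "SRV"]:
            owner = parts[0].rstrip(".").lower()
            records.setdefault(owner, []).append(
                {"port": int(parts[6]), "target": parts[7].rstrip(".").lower()}
            )
    return records


def verify_dc_registration(zone_text, domain, forest=None, site=None):
    """Return a list of problems: missing owner names, or records that point at the wrong port."""
    records = parse_srv_records(zone_text)
    problems = []
    for name in sorted(expected_srv_names(domain, forest, site)):
        if name not in records:
            problems.append(f"missing {name}")
            continue
        service = name.split(".")[0]
        want = 3268 if ".gc._msdcs." in name else EXPECTED_PORT[service]
        for rr in records[name]:
            if rr["port"] != want:
                problems.append(f"{name} -> {rr['target']}:{rr['port']} (expected port {want})")
    return problems


# Constructed zone dump for corp.example.com: _kpasswd is missing and _gc points at the LDAP port.
SAMPLE_ZONE = """\
_ldap._tcp.corp.example.com.               600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.corp.example.com.           600 IN SRV 0 100 88   dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88   dc1.corp.example.com.
_ldap._tcp.pdc._msdcs.corp.example.com.    600 IN SRV 0 100 389  dc1.corp.example.com.
_gc._tcp.corp.example.com.                 600 IN SRV 0 100 389  dc1.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com.     600 IN SRV 0 100 3268 dc1.corp.example.com.
"""

if __name__ == "__main__":
    for problem in verify_dc_registration(SAMPLE_ZONE, "corp.example.com"):
        print(problem)
```

To run this against a real zone, export it (for example with dnscmd /zoneexport) and feed the file's contents to verify_dc_registration; a DC that is up but missing these records will still fail client logons, which is why the check belongs in the post-promotion routine.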

Active Directory schema: Contains the definition of all object classes and attributes used in the Active Directory database.
attributes: Used to define the characteristics of an object class within Active Directory.
distinguished name (DN): An LDAP component used to uniquely identify an object throughout the entire LDAP hierarchy by combining the relative distinguished name, the containers holding the object, and the domain name.
domain: A logically structured organization of objects, such as users, computers, groups, and printers, that are part of a network and share a common directory database. Domains are defined by an administrator and administered as a unit with common rules and procedures.
Domain Name System (DNS): A hierarchical name resolution system that resolves host names and fully qualified domain names (FQDNs) into IP addresses and vice versa. It is a method for maintaining the domain naming structure and locating network resources.
forest: A collection of Active Directory trees that do not necessarily share a contiguous DNS naming convention but do share a common global catalog and schema.
forest root domain: The first domain created within the Active Directory structure.
global catalog: An index of the objects and attributes used throughout the Active Directory structure. It contains a partial replica of every Windows Server 2003 domain within Active Directory, enabling users to find any object in the directory.
Group Policy: The Windows Server 2003 feature that allows for policy creation that affects domain users and computers. Policies can be anything from desktop settings to application assignment to security settings and more.
Internet Connection Sharing (ICS): A Windows Server 2003 service that allows a single live Internet IP address to be shared among multiple clients. Its built-in DHCP and DNS functions cannot be configured.
Lightweight Directory Access Protocol (LDAP): An access protocol that defines how users can access or update directory service objects.
Management Saved Console (MSC): The filename extension of a console saved using the MMC.
Microsoft Management Console (MMC): A customizable management interface that can contain a number of management tools to provide a single, unified application for network administration.
multi-master replication: A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. This differs from other replication models in which one computer stores the single modifiable copy of the directory and other computers store back-up copies.
network address translation (NAT): The process of converting between IP addresses used within an intranet or other private network (called a stub domain) and Internet IP addresses. This approach makes it possible to use a large number of addresses within the stub domain without depleting the limited number of available numeric Internet IP addresses. Because NAT replaces the source internal address and ports of all outgoing packets with a single public IP address, internal hosts are also not directly reachable from the Internet, although NAT is not a substitute for a firewall.
object: A collection of attributes that represent items within Active Directory, such as users, groups, computers, and printers.
object classes: Define which types of objects can be created within Active Directory, such as users, groups, and printers.
organizational unit (OU): An Active Directory logical container used to organize objects within a single domain. Objects such as users, groups, computers, and other OUs can be stored in an OU container.
relative distinguished name (RDN): An LDAP component used to identify an object within the object's container.
Routing and Remote Access Services (RRAS): A Windows Server 2003 service that allows users to access a company network or the Internet in a variety of ways, such as dial-up, VPN, or NAT services.
site: A combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection.
site link: A low-bandwidth or unreliable/occasional connection between sites. Site links can be adjusted for replication availability, bandwidth cost, and replication frequency. They enable control over replication and logon traffic.
snap-ins: The management tools that are added to an MMC interface.
taskpad: Allows you to simplify administrative procedures by providing a graphical representation of the tasks that can be performed in an MMC.
transitive trust: The ability for domains or forests to trust one another even though they do not have a direct explicit trust between them.
tree: A hierarchical collection of domains that share a contiguous DNS namespace.
user principal name: A user-account naming convention that combines the user name and the domain name in a single string.
virtual private networking (VPN): A Windows Server 2003 service that allows a private and secure connection with a company network over the Internet.

Event Logging and Viewing

Event logs provide historical information that can help you track down system and security problems. The Event Log service controls whether events are tracked on Windows Server 2003 systems. When this service is started, you can track user actions and system resource usage events with the following event logs:

Application Log: Records events logged by applications, such as the failure of Microsoft SQL Server to access a database. Default location: %SystemRoot%\system32\config\AppEvent.Evt.

Directory Service: Records events logged by the Active Directory directory service and its related services. Default location: %SystemRoot%\system32\config\NTDS.Evt.

DNS Server: Records DNS queries, responses, and other DNS activities. Default location: %SystemRoot%\system32\config\DNSEvent.Evt.

File Replication Service: Records file replication activities on the system. Default location: %SystemRoot%\system32\config\NtFrs.Evt.

Security Log: Records the events you have selected for auditing with local or domain Group Policy (the audit policy). Default location: %SystemRoot%\system32\config\SecEvent.Evt. Only administrators can read or clear it, and a Security log that has been cleared (the "audit log was cleared" event is itself logged) or has silently stopped because it is full deserves investigation.

System Log: Records events logged by Windows components and drivers, such as a service that fails to start or an unexpected shutdown. Default location: %SystemRoot%\system32\config\SysEvent.Evt.

Windows Time and Windows Server 2003

Stand-alone and member servers are configured to synchronize with a time server automatically. This time server is referred to as the authoritative time server. The way Windows Time works depends on whether the system is part of a workgroup or a domain. Here's a basic overview of how Windows Time works in workgroups:

Systems are configured to synchronize with an Internet time server automatically. This time server is referred to as the authoritative time server; a default Internet time server is preconfigured, and you can select another server as the authoritative time server. The Windows Time service uses the Simple Network Time Protocol (SNTP) to poll the authoritative time server every four hours by default. The registry values MinPollInterval and MaxPollInterval under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact rates. If the time server and the system disagree, the Windows Time service corrects the time gradually (slewing the clock rather than jumping it). The registry values UpdateInterval and FrequencyCorrectRate under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact correction rate.

Note: SNTP uses User Datagram Protocol (UDP) port 123. If this port isn't open to the Internet, you can't synchronize the system with an Internet time server. Plain SNTP carries no authentication, so an attacker who can spoof replies on UDP 123 can shift the clock of a workgroup machine; in a domain that matters because Kerberos rejects tickets whose timestamps differ from the DC's clock by more than the allowed skew (5 minutes by default).

In domains, the time hierarchy follows Active Directory: domain members synchronize with a domain controller in their domain, domain controllers synchronize with the PDC emulator of their domain, and the PDC emulator of the forest root domain is the authoritative time source for the whole forest. Should a time source be unavailable, the client picks another domain controller. The Internet Time tab is not available on domain members, so you change the configuration with w32tm (for example, on the forest root PDC emulator, w32tm /config /manualpeerlist:<server> /syncfromflags:manual /reliable:yes /update to point it at an external source, then w32tm /resync) or through Group Policy. If you want to better manage Windows Time in a domain, the two key components are:

Windows NTP Client: Installs Windows Time and allows the system to synchronize its clock with designated time servers. The client is much more configurable than the standard time service that comes with Windows XP. You have precise control through Group Policy of every feature of the time service.

Windows NTP Server: Installs Windows Time and configures the system to be a time server. Windows NTP clients, which can be Windows XP or Windows Server 2003 systems, can then synchronize time with this computer. As with NTP clients, you have precise control through Group Policy of every feature of the time service.
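As an added example, not part of the original notes, the following Python builds the 48-byte SNTP client request that Windows Time sends on UDP 123, parses a server reply (mode 4, transmit timestamp at bytes 40-47, NTP epoch 1900), rejects replies from an unsynchronised server, and computes the offset the service would have to correct. The reply used for the offline demonstration is constructed by build_fake_response; the query_server function is the only part that touches the network and is not exercised by the demonstration.

```python
import struct
import time

SNTP_PORT = 123                     # UDP port used by SNTP/NTP
NTP_UNIX_DELTA = 2208988800         # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client); every other field zero."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + bytes(47)


def ntp_to_unix(seconds, fraction):
    """Convert an NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_response(packet):
    """Extract the fields a time client needs from a server reply; raise on anything unusable."""
    if len(packet) < 48:
        raise ValueError("short packet")
    li, version, mode = packet[0] >> 6, (packet[0] >> 3) & 7, packet[0] & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    stratum = packet[1]
    if stratum == 0 or li == 3:     # stratum 0 = kiss-o'-death; LI=3 = clock not synchronised
        raise ValueError("server clock is not synchronised")
    tx_sec, tx_frac = struct.unpack_from("!II", packet, 40)   # Transmit Timestamp, bytes 40..47
    return {"version": version, "stratum": stratum, "transmit_unix": ntp_to_unix(tx_sec, tx_frac)}


def clock_offset(local_now, packet):
    """Seconds the local clock is behind (positive) or ahead of (negative) the server."""
    return parse_response(packet)["transmit_unix"] - local_now


def build_fake_response(unix_time, stratum=2):
    """Constructed server reply (mode 4) carrying unix_time as its transmit timestamp; offline tests only."""
    secs = int(unix_time) + NTP_UNIX_DELTA
    frac = int((unix_time - int(unix_time)) * 2 ** 32)
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 4
    pkt[1] = stratum
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)


def query_server(host, timeout=2.0):
    """Live query over UDP 123 (the only function here that touches the network)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, SNTP_PORT))
        reply, _ = sock.recvfrom(512)
    return clock_offset(time.time(), reply)


if __name__ == "__main__":
    reply = build_fake_response(time.time() + 10)        # a server that is 10 s ahead of us
    print("offset %.3f s" % clock_offset(time.time(), reply))
```

Nothing in the packet authenticates the server, which is the point made in the note above: a reply that passes these sanity checks is accepted whoever sent it, so the only real defences are restricting UDP 123 to known sources and letting domain members take time from their DCs.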

Active Directory Command-Line Tools

Several tools are provided to let you manage Active Directory from the command line. You can use:

DSADD Adds computers, contacts, groups, organizational units, and users to Active Directory. Type dsadd objectname /? at the command line to display help information on using the command, such as dsadd computer /?.

DSGET Displays properties of computers, contacts, groups, organizational units, users, sites, subnets, and servers registered in Active Directory. Type dsget objectname /? at the command line to display help information on using the command, such as dsget subnet /?.

DSMOD Modifies properties of computers, contacts, groups, organizational units, users, and servers that already exist in Active Directory. Type dsmod objectname /? at the command line to display help information on using the command, such as dsmod server /?.

DSMOVE Moves a single object to a new location within a single domain or renames the object without moving it. Type dsmove /? at the command line to display help information on using the command.

DSQUERY Finds computers, contacts, groups, organizational units, users, sites, subnets, and servers in Active Directory using search criteria. Type dsquery /? at the command line to display help information on using the command.

DSRM Removes objects from Active Directory. Type dsrm /? at the command line to display help information on using the command.

NTDSUTIL Views site, domain, and server information, manages operations masters (transfer and seize), and performs database maintenance of Active Directory. Type ntdsutil /? at the command line to display help information on using the command.

Active Directory Support Tools

Many Active Directory tools are provided in the support toolkit. A list of some of the most useful support tools you can use to configure, manage, and troubleshoot Active Directory is shown in Table 7-1.

Table 7-1. Quick Reference for Active Directory Support Tools

Support Tool (Executable Name): Description
Active Directory Administration Tool (Ldp.exe): Performs Lightweight Directory Access Protocol (LDAP) operations on Active Directory
Active Directory Replication Monitor (Replmon.exe): Manages and monitors replication using a graphical user interface (GUI)
Directory Services Access Control Lists Utility (Dsacls.exe): Manages access control lists for objects in Active Directory
Distributed File System Utility (Dfsutil.exe): Manages the Distributed File System (DFS) and displays DFS information
DNS Server Troubleshooting Tool (Dnscmd.exe): Manages properties of Domain Name System (DNS) servers, zones, and resource records
Move Tree (Movetree.exe): Moves objects from one domain to another
Replication Diagnostics Tool (Repadmin.exe): Manages and monitors replication using the command line
Security Descriptor Check Utility (Sdcheck.exe): Checks access control list propagation, replication, and inheritance
Security ID Checker (Sidwalker.exe): Sets access control lists on objects previously owned by moved, deleted, or orphaned accounts
Windows Domain Manager (Netdom.exe): Allows domain and trust relationship management from the command line


Table 12-2. Windows Server 2003 Support for RAID

RAID Level 0, RAID type: Disk striping
Description: Two or more volumes, each on a separate drive, are configured as a striped set. Data is broken into blocks, called stripes, and then written sequentially to all drives in the striped set.
Major advantages: Speed and performance. No fault tolerance: losing one drive loses the whole set.

RAID Level 1, RAID type: Disk mirroring
Description: Two volumes on two drives are configured identically. Data is written to both drives. If one drive fails, there's no data loss because the other drive contains the data. (Doesn't include disk striping.)
Major advantages: Redundancy. Better write performance than disk striping with parity.

RAID Level 5, RAID type: Disk striping with parity
Description: Uses three or more volumes, each on a separate drive, to create a striped set with parity error checking. If one drive fails, the data can be recovered.
Major advantages: Fault tolerance with less overhead than mirroring. Better read performance than disk mirroring.

Understanding Scopes

Scopes are pools of IP addresses that you can assign to clients through leases and reservations. A reservation differs from a lease in that an IP address is assigned to a particular computer (identified by its MAC address) until you remove the reservation. This allows you to set semipermanent addresses for a limited number of DHCP clients. You create scopes to specify the IP address ranges that are available for DHCP clients; for example, you could assign a range of addresses to a scope called Enterprise Primary. Scopes can use public or private IP addresses.

PUBLIC IP NETWORK NUMBERS (first octet)
Class A network: 1-126
Class B network: 128-191
Class C network: 192-223
Class D network (multicast): 224-239

The loopback network (127, which the list above skips) is reserved and cannot be assigned to clients.

PRIVATE IP NETWORK NUMBERS
Class A network
Class B network
Class C network

A single DHCP server can manage multiple scopes. Three types of scopes are available:

Normal scopes: Used to assign IP address pools for class A, B, and C networks.

Multicast scopes: Used to assign IP address pools for class D networks. Computers use multicast IP addresses as secondary IP addresses in addition to a standard IP address assigned from a class A, B, or C network.

Superscopes: Containers for other scopes, used to simplify management of multiple scopes (for example, several logical subnets on one physical segment).

Tip: Although you can create scopes on multiple network segments, you'll usually want these segments to be in the same network class, such as all class C IP addresses. Don't forget that you must configure DHCP relays to relay DHCP broadcast requests between network segments. You can configure relay agents with the Routing and Remote Access Service (RRAS) and the DHCP Relay Agent service, and many routers can also act as relay agents.

Changing the Log Usage

DHCP Server has a self-monitoring system that checks disk space usage. By default, the maximum size of all DHCP server logs is 70 MB, with each individual log being limited to one-seventh of this space. If the server reaches the 70 MB limit or an individual log grows beyond its allocated space, logging of DHCP activity stops until log files are cleared out or space is otherwise made available. Normally this happens when a new day is reached and the server clears out the previous week's log file. The registry values that control log usage and other DHCP settings are under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters. Because logging stops silently when the limit is hit, an audit log that simply ends is not proof that no leases were issued.

Installing DNS Servers

You can configure any Windows Server 2003 system as a DNS server. Four types of DNS servers are available:

Active Directory-integrated primary server: A DNS server that's fully integrated with Active Directory. All DNS data is stored directly in Active Directory and replicated with it, which also makes secure dynamic updates possible (only the computer that registered a record may change it).

Primary server: The main DNS server for a domain that uses partial integration with Active Directory. This server stores the master copy of the DNS records and the domain's configuration files. These files are stored as text with the .dns extension in %SystemRoot%\system32\dns.

Secondary server: A DNS server that provides backup services for the domain. This server stores a copy of the DNS records obtained from a primary server and relies on zone transfers for updates. Secondary servers obtain their DNS information from a primary server when they're started and maintain this information until it is refreshed or expires. Restrict zone transfers to your secondary servers; an open zone transfer hands anyone the complete list of hosts in the zone.

Forwarding-only server: A server that caches DNS information after lookups and always passes requests to other servers. These servers maintain DNS information until it's refreshed or expired or until the server is restarted. Unlike secondary servers, forwarding-only servers don't request full copies of a zone's database files, so when you start a forwarding-only server its cache contains no information.

Before you configure a DNS server, you must install the DNS Server service. Afterward, you can configure the server to provide integrated, primary, secondary, or forwarding-only DNS services.

Note on the schema: Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated (defunct), which provides many of the benefits of deletion.

Hardware RAID Versus Software RAID
RAID is usually implemented with a RAID disk controller, and such controllers are expensive. Software RAID is usually implemented at the disk partition level rather than at the physical disk level as in hardware RAID. The drawback of software RAID is that it requires the server's processor to perform the work that the RAID controller does in hardware RAID. Software RAID does have one advantage over hardware RAID: the RAID set can be built from disk partitions rather than entire disk drives.

RAID 1 Configuration
RAID 1 has two different implementations: disk mirroring and disk duplexing. In disk mirroring, everything written to one disk is also written to a second disk on the same controller. Disk duplexing puts each disk on its own controller and so eliminates the single point of failure (the shared controller) that exists in disk mirroring.

Level 10
RAID level 10 is known as mirroring with striping. This level uses a striped array of disks, which is then mirrored to another identical set of striped disks. RAID level 10 provides the performance benefits of disk striping (level 0) with the redundancy of mirroring (level 1). RAID 10 provides the highest read/write performance of any of the hybrid RAID levels, but uses twice as many disks.

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog? SMTP 25, POP3 110, IMAP4 143, RPC endpoint mapper 135, LDAP 389, Global Catalog 3268

List of important port numbers

15 - Netstat
21 - FTP (control)
23 - Telnet
25 - SMTP
37 - Time
42 - WINS replication (nameserver)
53 - DNS (TCP and UDP)
67 - BOOTP/DHCP server
68 - BOOTP/DHCP client
79 - Finger
80 - HTTP
88 - Kerberos
101 - HOSTNAME
110 - POP3
119 - NNTP
123 - NTP (Network Time Protocol, UDP)
135 - RPC endpoint mapper
139 - NetBIOS session service
161 - SNMP (UDP)
180 - RIS
220 - IMAP3
389 - LDAP (Lightweight Directory Access Protocol)
443 - HTTPS (HTTP over SSL/TLS)
500 - Internet Key Exchange, IKE (IPsec), UDP
520 - RIP (UDP)
3268 - AD Global Catalog
3269 - AD Global Catalog over SSL
3389 - Terminal Services (RDP)

What is the difference between a scope and a superscope?

A scope in DHCP is a range of IP addresses that will be leased to DHCP clients. A superscope is an administrative grouping of multiple scopes.

1. The default lease length on a Windows DHCP server is 8 days.
DHCP.mdb is the DHCP database file that records the assigned IP addresses (in %SystemRoot%\system32\dhcp).
In Windows NT the SAM database is limited in size to approximately 40 MB (about 40,000 objects).
Windows NT uses a flat namespace, meaning that the name of the domain does not reflect a hierarchical naming structure; Windows NT uses WINS for its name resolution, whereas Active Directory uses DNS for its name resolution.

A RELATIVE DISTINGUISHED NAME (RDN) is the name assigned to the object by the administrator when the object is created. For example, when I create a user named ALANC, the RDN is CN=ALANC. The RDN is the simplest of the three Active Directory name types and is sometimes called the common name of the object. A DISTINGUISHED NAME (DN) consists of an object's RDN plus the object's location in Active Directory; the DN supplies the complete path to the object. An object's DN includes its RDN, the name of the organizational unit (if any) that contains the object, and the domain, written as DC= components. For example, a user named ALANC in an organizational unit called US has a DN made up of CN=ALANC, then OU=US, then the DC= components of the domain. Put another way, a DN is a name that uniquely identifies an object by using the relative distinguished name for the object plus the names of the container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. A typical distinguished name might be CN=MyName,CN=Users,DC=Microsoft,DC=Com, which identifies the MyName user object in the Users container of the domain Microsoft.Com. A USER PRINCIPAL NAME (UPN) is a shortened version of the DN that is typically used for logon and e-mail purposes; a UPN consists of the RDN value plus the FQDN of the domain, so in the previous example the UPN for the user ALANC is ALANC combined with that domain name. Note that the UPN is stored as the userPrincipalName attribute: its prefix does not have to equal the CN, and its suffix can be any UPN suffix registered for the forest, not only the user's own domain.

WHAT IS A ZONE? Zones are delegated portions of the DNS namespace. A zone is a collection of hierarchical domain names, essentially a collection of resource records; it is a contiguous portion of the domain namespace for which a DNS server has authority to resolve DNS queries.

Global Catalog
A global catalog is used primarily for four main functions:
Enables users to find Active Directory information from anywhere in the forest.
Provides universal group membership information to facilitate logging on to the network.
Supplies authentication services when a user from another domain logs on using a user principal name (UPN). (A UPN is a representation of a user's logon credentials in a single string; when a UPN is used, a domain name does not need to be explicitly specified in the "Log on to" drop-down box.)
Responds to directory lookup requests from Exchange 2000 and other applications.
The first domain controller in Active Directory automatically becomes a global catalog server. To provide redundancy, additional domain controllers can easily be configured to also be global catalog servers. Multiple global catalogs can improve user query and logon authentication performance, especially in Active Directory environments that include geographically distant sites connected by WAN links. Microsoft recommends that each Active Directory site be configured with at least one domain controller acting as a global catalog server.
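As an added example, not part of the original notes, the following Python takes the three name types described above apart: it splits a DN on unescaped commas (a backslash escapes the next character, so CN=Smith\, John stays one RDN), returns the RDN, the containers above it and the DNS domain name built from the DC= components, and derives the UPN exactly as the notes define it (RDN value plus domain FQDN). The DNs used in the demonstration are constructed; the notes' own ALANC example does not give the domain name, so example.com is assumed here.

```python
import re


def split_dn(dn):
    """Split a DN on unescaped commas; a backslash escapes the following character."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])          # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_dn(dn):
    """Break a DN into its RDN, the containers above it, and the DNS domain built from the DC= parts."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        # drop the escaping backslashes from the value ("Smith\, John" -> "Smith, John")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    if not pairs:
        raise ValueError("empty DN")
    attr, value = pairs[0]
    return {
        "rdn": f"{attr}={value}",
        "common_name": value,
        "containers": [f"{a}={v}" for a, v in pairs[1:] if a != "DC"],
        "domain": ".".join(v for a, v in pairs if a == "DC"),
    }


def user_principal_name(dn, upn_suffix=None):
    """RDN value plus the domain (or an alternative registered UPN suffix), as the notes define it."""
    info = parse_dn(dn)
    return f"{info['common_name']}@{upn_suffix or info['domain']}"


if __name__ == "__main__":
    for dn in ("CN=ALANC,OU=US,DC=example,DC=com",          # example.com is an assumed domain
               "CN=MyName,CN=Users,DC=Microsoft,DC=Com",
               "CN=Smith\\, John,CN=Users,DC=Microsoft,DC=Com"):
        print(parse_dn(dn), user_principal_name(dn))
```

The escaping rule is the part worth remembering when you build LDAP filters or DNs from user-supplied names: a comma, plus sign or equals sign in a CN that is not escaped changes the meaning of the whole name, which is one route to LDAP injection.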

What is the difference between LDAPv2 and LDAPv3?

LDAPv3 was developed in the late 1990s to replace LDAPv2. LDAPv3 adds the following features to LDAP:
Strong authentication via SASL
Integrity and confidentiality protection via TLS (SSL)
Internationalization through the use of Unicode
Referrals and continuations
Schema discovery
Extensibility (controls, extended operations, and more)

LDAPv2 is considered historical. Because deploying LDAPv2 and LDAPv3 simultaneously can be quite problematic, LDAPv2 should be avoided, and many LDAP servers disable it by default. From a security standpoint the important additions are SASL (for example Kerberos/GSSAPI binds, so the password is not sent in the clear as it is with a simple bind) and TLS; against Active Directory, prefer LDAPS (636/3269) or signed and sealed binds over plain simple binds on 389.

Types of Server Clusters

There are three types of server clusters, based on how the cluster systems, called nodes, are connected to the devices that store the cluster configuration and state data. This data must be stored in a way that allows each active node to obtain the data even if one or more nodes are down. The data is stored on a resource called the quorum resource. The data on the quorum resource includes a set of cluster configuration information plus records (sometimes called checkpoints) of the most recent changes made to that configuration. A node coming online after an outage can use the quorum resource as the definitive source for recent changes in the configuration. The three types of server clusters are:

Single quorum device cluster, also called a standard quorum cluster
Majority node set cluster
Local quorum cluster, also called a single node cluster

The event ID for an unexpected restart or shutdown on Windows Server 2003 is 6008 in the System log ("The previous system shutdown at ... was unexpected"); a clean shutdown is logged as event 1074 together with the user and process that requested it.

Types of system memory dumps:
Small dump: Also known as a minidump (64 KB), containing minimal debugging information (stop code, parameters, stack, loaded drivers).
Kernel dump: Medium-sized dump containing kernel data structures, drivers, and current process and thread information. Very useful.
Complete dump: Large memory dump containing the complete contents of memory. Can take considerable time to write. It contains whatever was in RAM, including credentials and keys, so protect the dump file as you would a password database.

1. How do you delete a lingering object? Windows Server 2003 provides the Repadmin command with a /removelingeringobjects option (repadmin /removelingeringobjects <DestinationDC> <SourceDCGUID> <NamingContext> [/advisory_mode]) that removes lingering objects from the Active Directory; run it with /advisory_mode first to see what would be deleted.

Share permissions: The share permissions are Full Control, Read, and Change. When a user is granted several share permissions through different group memberships, the least restrictive one (the union of everything allowed) is the user's effective share permission. A denied permission always overrides an allowed permission. When both NTFS and share permissions apply to a folder accessed over the network, the more restrictive of the two effective permissions applies. NTFS permissions alone apply when the folder is accessed locally (including through Terminal Services), so share permissions are not a substitute for correct NTFS permissions.
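As an added example, not part of the original notes, the following Python applies the three rules above to constructed ACLs: allowed entries that apply to the user are unioned (least restrictive), every applicable deny is then subtracted (deny overrides allow), and for access over the network the share result is intersected with the NTFS result (most restrictive). The mapping of the named permissions to read/write/delete/change-permissions "bits" is a simplification made for the example, as are the user, the groups and the ACLs.

```python
# Right "bits" used to compare share and NTFS permissions on a common footing (a simplification)
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_permissions"

SHARE_PERMISSIONS = {
    "Read": {READ},
    "Change": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}

# NTFS basic permissions reduced to the same rights (Read & Execute / List Folder treated as Read)
NTFS_PERMISSIONS = {
    "Read": {READ},
    "Read & Execute": {READ},
    "List Folder Contents": {READ},
    "Write": {WRITE},
    "Modify": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}


def effective_rights(acl, principals, table):
    """Union every Allow entry that applies to the user's principals, then strip every applicable Deny."""
    allowed, denied = set(), set()
    for principal, access, permission in acl:       # entries are (principal, "Allow"|"Deny", permission)
        if principal in principals:
            target = allowed if access == "Allow" else denied
            target.update(table[permission])
    return allowed - denied                          # a Deny always wins over an Allow


def effective_over_network(share_acl, ntfs_acl, principals):
    """Access through the share: only rights granted by BOTH lists survive (most restrictive wins)."""
    share = effective_rights(share_acl, principals, SHARE_PERMISSIONS)
    ntfs = effective_rights(ntfs_acl, principals, NTFS_PERMISSIONS)
    return share & ntfs


def demo():
    """Constructed ACLs for a Reports share; user alice is a member of Everyone and Sales."""
    alice = {"alice", "Everyone", "Sales"}
    share_acl = [("Everyone", "Allow", "Read"), ("Sales", "Allow", "Change")]
    ntfs_acl = [("Sales", "Allow", "Modify"), ("Everyone", "Deny", "Write")]
    return {
        "share_only": effective_rights(share_acl, alice, SHARE_PERMISSIONS),   # read, write, delete
        "ntfs_only": effective_rights(ntfs_acl, alice, NTFS_PERMISSIONS),       # read, delete (Deny Write wins)
        "over_network": effective_over_network(share_acl, ntfs_acl, alice),     # read, delete
    }


if __name__ == "__main__":
    for name, rights in demo().items():
        print(name, sorted(rights))
```

The demonstration shows why "Everyone: Deny Write" on NTFS is a blunt instrument: it removes write from every member of Everyone, including the Sales users who were meant to have Modify, and the share-level Change grant cannot restore it.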

37. What is the difference between seize and transfer?
Solution:
Seize: Used when the current role holder is gone for good, for example when the server is being decommissioned or has failed and will not be brought back onto the network. The role is forced onto another DC with ntdsutil (roles, connections, connect to server <DC>, quit, seize <role>), and the old role holder must never be reconnected to the network afterwards; rebuild it instead.
Transfer: Used when both domain controllers are online. The role is moved gracefully with the GUI snap-ins (or ntdsutil's transfer <role> command), and the old holder learns immediately that it no longer holds the role. This is the normal way to move a role.

Active Directory logical structure (mnemonic DOT): Domains, Organizational units, Trees, Forests

Physical structure (mnemonic SD): Sites, Domain controllers