
Server Active Directory Related Interview Questions and Answers.

What is Active Directory?

Active directory is a hierarchical structure that stores information about objects on the network. Active
Directory provides the methods for storing directory data and making this data available to network
users and administrators.

Where is Active Directory stored by default?

Active Directory database folder: D:\WINDOWS\NTDS

Active Directory log folder: D:\WINDOWS\NTDS

SYSVOL: The SYSVOL folder stores the server copy of the domain's public files. The contents of the SYSVOL
folder are replicated to all domain controllers in the domain.

It must be located on an NTFS volume.

SYSVOL default location: D:\WINDOWS\SYSVOL

What is a Domain?

In Active Directory, a collection of computer, user, and group objects defined by the administrator. These
objects share a common directory database, security policies, and security relationships with other
domains. In Domain Name System (DNS), a domain is any tree or subtree within the DNS namespace.
Although the names for DNS domains often correspond to Active Directory domains, DNS domains
should not be confused with Active Directory domains.

What is a Domain Controller?

In an Active Directory forest, a server that contains a writable copy of the Active Directory database,
participates in Active Directory replication, and controls access to network resources. Administrators can
manage user accounts, network access, shared resources, site topology, and other directory objects from
any domain controller in the forest. See also Active Directory; authentication; directory; forest.

What is Active Directory Domain Services?

Active Directory provides the means to manage the identities and relationships that make up your
organization's network. Integrated with Windows Server 2008, Active Directory gives you out-of-the-box
functionality needed to centrally configure and administer system, user, and application settings. Active
Directory Domain Services (AD DS) stores directory data and manages communication between users
and domains, including user logon processes, authentication, and directory searches.

What is the Global Catalog (GC)?

A domain controller that contains a partial replica of every domain in Active Directory. A global catalog
holds a replica of every object in Active Directory, but with a limited number of each object's attributes.
The global catalog stores those attributes most frequently used in search operations (such as a user's
first and last names) and those attributes required to locate a full replica of the object. The Active
Directory replication system builds the global catalog automatically. The attributes replicated into the
global catalog include a base set defined by Microsoft. Administrators can specify additional properties
to meet the needs of their installation.

What is a Forest?

A collection of one or more Active Directory domains that share a common schema, configuration, and
global catalog.

What is a Tree?

A tree in Active Directory is just an extension of the idea of a directory tree. It's a hierarchy of objects
and containers that demonstrates how objects are connected, or the path from one object to another.
Endpoints on the tree are usually objects.

What is a Site?

One or more well-connected (highly reliable and fast) Transmission Control Protocol/Internet Protocol
(TCP/IP) subnets. A site allows administrators to configure Active Directory access and replication
topology quickly and easily to take advantage of the physical network. When users log on, Active
Directory clients locate Active Directory servers in the same site as the user. See also subnet;
well-connected.

What is Organizational unit (OU)?

A container object in Active Directory used to separate computers, users, and other resources into logical
units. An organizational unit is the smallest entity to which Group Policy can be linked. It is also the
smallest scope to which administration authority can be delegated.

What is Schema?

A description of the object classes and attributes stored in Active Directory. For each object class, the
schema defines what attributes an object class must have, what additional attributes it may have, and
what object class can be its parent. An Active Directory schema can be updated dynamically. For
example, an application can extend the schema with new attributes and classes and use the extensions
immediately. Schema updates are accomplished by creating or modifying the schema objects stored in
Active Directory. Like every object in Active Directory, a schema object has an access control list (ACL) so
that only authorized users can alter the schema.

What is LDAP?

LDAP is a communication protocol designed for use on TCP/IP networks. LDAP defines how a directory
client can access a directory server and how the client can perform directory operations and share
directory data.

Active Directory Lightweight Directory Service (AD LDS) provides directory services for directory-enabled
applications. AD LDS does not require or rely on Active Directory domains or forests. AD LDS was
previously known as Active Directory Application Mode (ADAM).

What is Single-master replication?

A type of replication where one domain controller is the master domain controller and operations are
not permitted to occur at different places in a network at the same time. In Active Directory, one or more
domain controllers can be assigned to perform single-master replication. Operations master roles are
special roles assigned to one or more domain controllers in a domain to perform single-master
replication. See also operations master role.

What is multimaster replication?

A replication model in which any domain controller accepts and replicates directory changes to any
other domain controller. This differs from other replication models in which one computer stores the
single modifiable copy of the directory and other computers store backup copies. See also domain
controller; replication.

What is FSMO role?

Flexible Single-Master Operation role. Mechanism used by Active Directory to prevent update conflicts
in multi-master deployments. Some objects are updated in a single-master mode even if the deployment
is multi-master, which is very similar to the old concept of a Primary Domain Controller (PDC) in
Windows NT domains. There are five FSMO roles in an Active Directory deployment, but only the PDC
Emulator role affects Identity Synchronization for Windows. Because password updates are replicated
immediately only to the Active Directory domain controller with the PDC Emulator role, Identity
Synchronization for Windows uses this domain controller for synchronization.

What is Operations Master?

A domain controller that has been assigned one or more special roles in an Active Directory domain. The
domain controllers assigned these roles perform operations that are single master (not permitted to
occur at different places on the network at the same time). Examples of these operations include
resource identifier allocation, schema modification, primary domain controller (PDC) election, and
certain infrastructure changes. The domain controller that controls the particular operation owns the
operations master role for that operation. The ownership of these operations master roles can be
transferred to other domain controllers. Also known as flexible single-master operations (FSMO).

What is Schema Master?

The schema master domain controller controls all updates and modifications to the schema. To update
the schema of a forest, you must have access to the schema master. There can be only one schema
master in the entire forest.

What is Domain Naming Master?

The domain controller holding the domain naming master role controls the addition or removal of
domains in the forest. There can be only one domain naming master in the entire forest.

Note:
1. Forest-wide operations master roles are Schema Master and Domain Naming Master.
2. Domain-wide operations master roles are RID Master, PDC Emulator Master and Infrastructure
Master.

What is Relative ID (RID) Master?

The domain controller assigned to allocate sequences of relative IDs to each domain controller in its
domain. Whenever a domain controller creates a security principal (user, group, or computer object), the
domain controller assigns the object a unique security ID (SID). The SID consists of a domain SID that is
the same for all SIDs created in a particular domain and a relative ID that is unique for each SID created
in the domain. At any time, there can be only one relative ID master in a particular domain.

What is PDC Emulator master?

A domain controller that holds the PDC emulator operations master role in Active Directory. The PDC
emulator services network clients that do not have Active Directory client software installed, and it
replicates directory changes to any Microsoft Windows NT backup domain controllers (BDCs) in the
domain. The PDC emulator handles password authentication requests involving passwords that have
recently changed and not yet replicated. At any time, the PDC emulator master role can be assigned to
only one domain controller in each domain.

What is infrastructure master?

The domain controller assigned to update group-to-user references whenever group memberships are
changed and to replicate these changes to any other domain controllers in the domain. At any time,
there can be only one infrastructure master in a particular domain. The infrastructure master should not
be located on the same computer as the global catalog if there is more than one domain controller in the
forest.

What happens if the Schema Master fails?

Temporary loss of the schema operations master is not visible to network users. It is not visible to
network administrators either, unless they are trying to modify the schema or install an application that
modifies the schema during installation. If the schema master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you've chosen to act as the standby
schema master. However, seizing this role is a step that you should take only when the failure of the
schema master is permanent.

What happens if the Domain Naming Master fails?

Temporary loss of the domain naming master is not visible to network users. It is not visible to network
administrators either, unless they are trying to add a domain to the forest or remove a domain from the
forest. If the domain naming master will be unavailable for an unacceptable length of time, you can seize
the role to the domain controller you've chosen to act as the standby domain naming master. However,
seizing this role is a step that you should take only when the failure of the domain naming master is
permanent.

What happens if the RID Master fails?

Temporary loss of the RID operations master is not visible to network users. It is not visible to network
administrators either, unless they are creating objects and the domain in which they are creating the
objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable length of
time, you can seize the role to the domain controller you've chosen to act as the standby RID master.
However, seizing this role is a step that you should take only when the failure of the RID master is
permanent.

What happens if the PDC Emulator fails?

The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available,
you might need to seize the role immediately. If the current PDC emulator will be unavailable for an
unacceptable length of time and its domain has clients without Windows Server 2003 client software, or
if it contains Windows NT backup domain controllers, seize the PDC emulator role to the domain
controller you've chosen to act as the standby PDC emulator. When the original PDC emulator is
returned to service, you can return the role to the original domain controller.

What happens if the Infrastructure Master fails?

Temporary loss of the infrastructure master is not visible to network users. It is not visible to network
administrators either, unless they have recently moved or renamed a large number of accounts. If the
infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a
domain controller that is not a global catalog but is well connected to a global catalog (from any
domain), ideally in the same site as a global catalog server. When the original infrastructure master is
returned to service, you can transfer the role back to the original domain controller.
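The role-holder lookup, the transfer-versus-seize decision and the infrastructure-master placement check described in the FSMO answers above, as an added PowerShell example (not from the original document). It assumes the ActiveDirectory RSAT module and a session with Domain Admins rights; the DC names are placeholders.

```powershell
# Added example, not part of the original document. Assumes the ActiveDirectory
# module (RSAT). "DC02" below is a placeholder for the standby domain controller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles are read from the forest object, domain-wide roles from
    # the domain object (the split the note above describes).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master must not be a GC in a multi-domain forest unless
    # every DC in the domain is also a GC (then no phantom cleanup is needed).
    $domain      = Get-ADDomain
    $imDc        = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allDcs      = Get-ADDomainController -Filter *
    $allAreGc    = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    $multiDomain = (Get-ADForest).Domains.Count -gt 1
    if ($imDc.IsGlobalCatalog -and $multiDomain -and -not $allAreGc) {
        Write-Warning "Infrastructure master $($imDc.HostName) is a GC; cross-domain references will not be updated."
        return $false
    }
    return $true
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement

# Graceful transfer: the current holder is online and hands the role over.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator

# Seizure (-Force): only when the holder is permanently lost. The old holder must
# never return to the network with the role still stamped on it.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole SchemaMaster,DomainNamingMaster -Force
```

The two Move-ADDirectoryServerOperationMasterRole lines are left commented so that running the block only reports; uncomment the one matching the situation (transfer, or seize with -Force).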

What is the difference between the Enterprise Admins and Domain Admins groups in AD?

Enterprise Admins: Members of this group have full control of all domains in the forest. By default, this
group is a member of the Administrators group on all domain controllers in the forest. By default, the
Administrator account is a member of this group. Because this group has full control of the forest, add
users with caution.

Domain Admins: Members of this group have full control of the domain. By default, this group is a
member of the Administrators group on all domain controllers, all domain workstations, and all domain
member servers at the time they are joined to the domain. By default, the Administrator account is a
member of this group. Because the group has full control in the domain, add users with caution.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC)
in Server 2003?

Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and
write relationship that hosts copies of the Active Directory.

I am trying to create a new universal user group. Why can't I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode
requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

What is LSDOU?

It's the Group Policy inheritance model, where policies are applied to Local machines, Sites, Domains
and Organizational Units.

Why doesn't LSDOU work under Windows NT?

If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

> What is the number of permitted unsuccessful logons on the Administrator account?

Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the
Administrators group.

> What's the difference between guest accounts in Server 2003 and other editions?

More restrictive in Windows Server 2003.

> How many passwords by default are remembered when you check "Enforce Password History
Remembered"?

The user's last 6 passwords.

> Can the GC server and the Infrastructure Master be placed on a single server? If not, explain why.

No, as the Infrastructure Master does the same job as the GC; the two do not work together.

> Which service in Windows is responsible for replication from one domain controller to another
domain controller?

The KCC generates the replication topology.
Replication uses SMTP / RPC to replicate changes.

> What is intrasite and intersite replication?

Intrasite is the replication within the same site, and intersite is the replication between sites.

> What is the Lost & Found folder in ADS?

It's the folder where you can find the objects that were left without a parent due to a conflict.
Ex: you created a user in an OU which was deleted on another DC, and when replication happened ADS
didn't find the OU, so it put the user in the Lost & Found folder.

> What is garbage collection?

Garbage collection is the process of the online defragmentation of Active Directory. It happens every
12 hours.

> What does System State data contain?

- Startup files
- Registry
- COM+ Registration Database
- Memory page file
- System files
- AD information
- Cluster Service information
- SYSVOL folder

> What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is
there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and
ADS services in Windows 2003?

Windows 2003 Active Directory introduced a number of new security features, as well as convenience
features such as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by
Group Policy; you can see a detailed list of each available setting and which OS is required to support
it by downloading the Group Policy Settings Reference.

ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured
servers in large-scale enterprise environments. You can get more information from the ADS homepage.

I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS
service first and name the zone 'name.org', can I name the AD domain 'name.org' too?

Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the
preferred way to go if at all possible. You can install and configure DNS before installing Active
Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on
your server in the background.

> How do I determine if user accounts have local administrative access?

You can use the net localgroup administrators command on each workstation (probably in a login script
so that it records its information to a central file for later review). This command will enumerate the
members of the Administrators group on each machine you run it on. Alternatively, you can use the
Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those
users you want to belong.

> Why am I having trouble printing with XP domain users?

In most cases, the inability to print or access resources in situations like this
one will boil down to an issue with name resolution, either DNS or
WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are
configured with the correct DNS and WINS name servers, as well as with the
appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to
your wired LAN settings and look for any discrepancies that may indicate where
the functional difference may lie.

> What is the ISTG? Who has that role by default?

Windows 2003 Domain controllers each create Active Directory Replication
connection objects representing inbound replication from intra-site replication
partners. For inter-site replication, one domain controller per site has the
responsibility of evaluating the inter-site replication topology and creating
Active Directory Replication Connection objects for appropriate bridgehead
servers within its site. The domain controller in each site that owns this role is
referred to as the Inter-Site Topology Generator (ISTG).

> What is the difference between Server 2003 and Server 2008?

1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64-bit
versions. More and more companies are seeing this as a way of reducing hardware costs by running
several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as
for a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008
are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell: Microsoft's command line shell and scripting language has proved popular with some
server administrators.
9. IIS 7.
10. BitLocker: System drive encryption can be a sensible security measure for servers located in remote
branch offices.
11. Windows Aero.

The main difference between 2003 and 2008 is virtualization and management. 2008 has more in-built
components and updated third-party drivers.

> What are the requirements for installing AD on a new server?

1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.

> What are the default Active Directory built-in groups?

Groups in the Built-in container
- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Monitor Users
- Performance Log Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users

Groups in the Users container

- Cert Publishers
- DnsAdmins (If installed with DNS)
- DnsUpdateProxy (If installed with DNS)
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins (only appears in the forest root domain)
- Group Policy Creator Owners
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- Schema Admins (only appears in the forest root domain)

> What is LDP?

Label Distribution Protocol (LDP) is often used to establish MPLS LSPs
when traffic engineering is not required. It establishes LSPs that follow the
existing IP routing, and is particularly well suited for establishing a full mesh of
LSPs between all of the routers on the network.

> What are the group types available in Active Directory?

Security groups: Use security groups for granting permissions to gain access to resources. Sending an
e-mail message to a group sends the message to all members of the group. Therefore security groups
share the capabilities of distribution groups.

Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You
cannot grant permissions to distribution groups. Even though security groups have all the capabilities of
distribution groups, distribution groups are still required, because some applications can only read
distribution groups.

> Explain the group scopes in AD.

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the
same domain in which you created the domain local group. Domain local groups can exist at all mixed,
native and interim functional levels of domains and forests. Domain local group memberships are not
limited, as you can add user accounts, universal and global groups from any domain as members. Just
remember that nesting cannot be done in a domain local group: a domain local group will not be a
member of another domain local group or any other group in the same domain.

Global Group: Users with a similar function can be grouped under the global scope and can be given
permission to access a resource (like a printer or shared folder and files) available in the local or
another domain in the same forest. In simple words, global groups can be used to grant permissions to
gain access to resources which are located in any domain within a single forest, but their memberships
are limited: user accounts and global groups can be added only from the domain in which the global
group is created. Nesting is possible for global groups within other groups, as you can add a global
group into another global group from any domain. Finally, to provide permission to domain-specific
resources (like printers and published folders), they can be members of a Domain Local group. Global
groups exist at all mixed, native and interim functional levels of domains and forests.

Universal Group Scope: These groups are precisely used for e-mail distribution and can be granted access
to resources in all trusted domains, as these groups can only be used as a security principal (security
group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal
group memberships are not limited like global groups: all domain user accounts and groups can be
members of a universal group. Universal groups can be nested under a global or Domain Local group in
any domain.
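The nesting the three scopes are designed for (accounts into a Global group, the Global group into a Domain Local group, the permission on the Domain Local group), plus the functional-level check behind the earlier "universal user group" answer, as an added PowerShell example (not from the original document). It assumes the ActiveDirectory module; group, OU, account and folder names are placeholders.

```powershell
# Added example, not part of the original document. Names below are placeholders.
Import-Module ActiveDirectory
$ou = "OU=Groups,DC=example,DC=com"   # placeholder container for the new groups

# Global group: members come only from its own domain, but the group can be used
# on resources in any domain of the forest.
New-ADGroup -Name "HR-Staff" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "HR-Staff" -Members "jdoe", "asmith"   # placeholder accounts

# Domain local group: grants access to a resource in this domain and accepts
# members (users, global or universal groups) from any trusted domain.
New-ADGroup -Name "HR-Share-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "HR-Share-Modify" -Members "HR-Staff"

# The permission is placed on the domain local group, never on individual users,
# so membership changes never touch the ACL.
$share = "D:\Shares\HR"   # placeholder folder
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "EXAMPLE\HR-Share-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

function Test-UniversalSecurityGroupSupported {
    # Universal security groups exist only from Windows 2000 native mode upward;
    # mixed and Windows Server 2003 interim levels do not support them.
    $level = (Get-ADDomain).DomainMode.ToString()
    return $level -notin @("Windows2000MixedDomain", "Windows2003InterimDomain")
}

if (Test-UniversalSecurityGroupSupported) {
    New-ADGroup -Name "All-HR-Forestwide" -GroupScope Universal -GroupCategory Security -Path $ou
} else {
    Write-Warning "Domain functional level does not allow universal security groups."
}
```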

> What is REPLMON?

The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to
view the low-level status of Active Directory replication, force synchronization between domain
controllers, view the topology in a graphical format, and monitor the status and performance of domain
controller replication.

> What is ADSIEDIT?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common
administrative tasks such as adding, deleting, and moving objects within a directory service. The
attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI
application programming interfaces (APIs) to access Active Directory. The following are the required
files for using this tool: ADSIEDIT.DLL ADSIEDIT.

> What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.

> What is REPADMIN?

This command-line tool assists administrators in diagnosing replication
problems between Windows domain controllers. Administrators can use
Repadmin to view the replication topology (sometimes referred to as RepsFrom
and RepsTo) as seen from the perspective of each domain controller. In
addition, Repadmin can be used to manually create the replication topology
(although in normal practice this should not be necessary), to force replication
events between domain controllers, and to view both the replication metadata
and up-to-dateness vectors.

> How do you take a backup of AD?

To take a backup of Active Directory: go to START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS ->
BACKUP, or open the Run window and type ntbackup. When the backup screen appears, take the backup of
SYSTEM STATE; it will back up all the necessary information about the system, including AD, DNS, etc.

> What are the DS* commands?

The DS family of built-in utilities:
- DSmod: modify Active Directory attributes.
- DSrm: delete Active Directory objects.
- DSmove: relocate objects.
- DSadd: create new accounts.
- DSquery: find objects that match your query attributes.
- DSget: list the properties of an object.

> What are the requirements for installing AD on a new server?

- An NTFS partition with enough free space.
- An Administrator's username and password.
- The correct operating system version.
- A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway).
- A network connection (to a hub or to another computer via a crossover cable).
- An operational DNS server (which can be installed on the DC itself).
- A domain name that you want to use.
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).

> Explain trusts in AD.

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside
a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is
automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a
shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or
two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or
two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

- One-way trust: One domain allows access to users on another domain, but the other domain does not
allow access to users on the first domain.
- Two-way trust: Two domains allow access to users on both domains.
- Trusting domain: The domain that allows access to users from a trusted domain.
- Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
- Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
- Intransitive trust: A one-way trust that does not extend beyond two domains.
- Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
- Cross-link trust: An explicit trust between domains in different trees or in the same tree when a
descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

- Two-way transitive trusts.
- One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:
- Shortcut

Windows Server 2003 offers a new trust type: the forest root trust. This type of trust can be used to
connect Windows Server 2003 forests if they are operating at the 2003 forest functional level.
Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are
transitive for all the domains in the forests that are trusted; a forest trust is not, however, transitive
beyond the two forests it joins.

> What is the difference between LDIFDE and CSVDE?

CSVDE is a command that can be used to import and export objects to and from
the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file
easily readable in Excel. I will not go to length into this powerful command, but
I will show you some basic samples of how to import a large number of users
into your AD. Of course, as with the DSADD command, CSVDE can do more
than just import users. Consult your help file for more info.

LDIFDE is a command that can be used to import and export objects to and
from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format)
file is a file easily readable in any text editor, however it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides
the file format) is the fact that LDIFDE can be used to edit and delete existing
AD objects (not just users), while CSVDE can only import and export objects.
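A constructed LDIF file that adds, modifies and deletes objects, showing the edit capability the answer attributes to LDIFDE, next to a CSVDE export of the same container. This is an added PowerShell example, not from the original document; the OU, domain and account names are placeholders.

```powershell
# Added example, not part of the original document. Container, domain and
# account names are placeholders; the LDIF content is constructed for the demo.
$ou      = "OU=Staff,DC=example,DC=com"   # placeholder container
$ldfPath = "$env:TEMP\staff-changes.ldf"

# LDIF records are separated by blank lines; a lone "-" closes a modify operation.
# The second and third records are the kind of change CSVDE cannot express.
$ldif = @"
dn: CN=Example User,$ou
changetype: add
objectClass: user
sAMAccountName: exuser
userPrincipalName: exuser@example.com
displayName: Example User

dn: CN=Example User,$ou
changetype: modify
replace: description
description: Account created by ldifde import
-

dn: CN=Old Contractor,$ou
changetype: delete
"@
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII

# Import: -i selects import mode, -f the input file, -k keeps going past errors
# such as "object already exists", so re-running the same file is safe.
ldifde -i -f $ldfPath -k

# CSVDE export of the same OU: -d sets the search base, -r the LDAP filter and
# -l the attribute list. A file like this can be re-imported with csvde -i -f,
# but only to create new objects.
csvde -f "$env:TEMP\staff-export.csv" -d $ou -r "(objectClass=user)" -l "sAMAccountName,displayName"
```

The account added this way is created disabled, as any LDIF import without a password is; enabling it is a separate modify of userAccountControl.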

> What is the tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory service. This assists in
removing objects from replicated servers and preventing restores from reintroducing a deleted object.
This value is in the Directory Service object in the configuration naming context.
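Reading the tombstone lifetime discussed above, and the garbage-collection interval from the earlier garbage-collection answer, from the Directory Service object in the configuration naming context, then using the lifetime to decide whether a system state backup is still restorable (the backup answer earlier). This is an added PowerShell example, not from the original document; it assumes the ActiveDirectory module, and the backup date is constructed.

```powershell
# Added example, not part of the original document. Assumes the ActiveDirectory
# module and read access to the configuration naming context.
Import-Module ActiveDirectory

function Get-DirectoryServiceLifetimes {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Properties tombstoneLifetime, garbageCollPeriod
    # When tombstoneLifetime is absent (forests created before Windows Server
    # 2003 SP1) the directory applies a 60-day default; newer forests set 180.
    $tsl = if ($null -ne $dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
    # garbageCollPeriod is in hours; unset means the 12-hour default.
    $gcp = if ($null -ne $dsObject.garbageCollPeriod) { $dsObject.garbageCollPeriod } else { 12 }
    [pscustomobject]@{
        TombstoneLifetimeDays  = $tsl
        AttributeExplicitlySet = $null -ne $dsObject.tombstoneLifetime
        GarbageCollectionHours = $gcp
    }
}

function Test-BackupWithinTombstoneLifetime {
    param([datetime]$LastSystemStateBackup)
    # A backup older than the tombstone lifetime must not be restored: objects
    # deleted since then have already been garbage-collected on the live DCs and
    # would be reintroduced as lingering objects.
    $tsl = (Get-DirectoryServiceLifetimes).TombstoneLifetimeDays
    $age = (Get-Date) - $LastSystemStateBackup
    if ($age.TotalDays -ge $tsl) {
        Write-Warning ("Backup is {0:N0} days old; tombstone lifetime is {1} days. Not restorable." -f $age.TotalDays, $tsl)
        return $false
    }
    return $true
}

Get-DirectoryServiceLifetimes
# Constructed backup date for the demonstration (45 days ago).
Test-BackupWithinTombstoneLifetime -LastSystemStateBackup (Get-Date).AddDays(-45)
```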

> What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only to specific domain
controllers. Only domain controllers running Windows Server 2003 can host a replica of an application
directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by
replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.

> How do you create a new application partition?

Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition <FQDN of partition>

> How do you view all the GCs in the forest?

C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.

> Can you connect Active Directory to other 3rd-party directory services? Name a few options.

Yes, you can use DirXML or LDAP to connect to other directories.
In Novell you can use eDirectory.

> What is IPSec Policy?

IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN)
or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be
deployed via Group Policy to the Windows domain controllers & servers.

> What are the different types of Terminal Services?

User Mode & Application Mode.

> What is RSoP?

One challenge of Group Policy administration is to understand the cumulative
effect of a number of Group Policy objects (GPOs) on any given computer or
user, or how changes to Group Policy, such as reordering the precedence of
GPOs or moving a computer or user to a different organizational unit (OU) in
the directory, might affect the network. The Resultant Set of Policy (RSoP)
snap-in offers administrators one solution. Administrators use the RSoP snap-in
to see how multiple Group Policy objects affect various combinations of users
and computers, or to predict the effect of Group Policy settings on the network.

>What is the system startup process?

Windows 2000 boot process on x86 hardware.

1. Power-On Self Tests (POST) are run.

2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.

3. The active partition is located, and its boot sector is loaded.

4. The Windows 2000 loader (NTLDR) is then loaded.

The boot sequence then executes the following steps:

1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.

2. The Windows 2000 loader starts a mini-file system so that it can read the boot partition.

3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).

4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.

5. NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.

6. NTLDR then loads NTOSKRNL.EXE (and HAL.DLL) and gives it the hardware information collected by NTDETECT.COM. Windows 2000 then enters the kernel load and initialization phases.

>How do you change the DS Restore admin password?

In Windows 2000 Server you had to boot the domain controller whose password you wanted to change into Directory Services Restore Mode (DSRM) and then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password. From Windows Server 2003 on, ntdsutil can reset it while the DC is running normally: ntdsutil, set dsrm password, reset password on server null (null means the local DC; give a server name for a remote one). Windows Server 2008 R2 and later (and Windows Server 2008 with the corresponding hotfix) also accept sync from domain account <account> to copy the password from a domain user. Each domain controller has its own DSRM password.
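The added example below (not from the original page) drives ntdsutil non-interactively to sync the DSRM password and then audits the registry value that decides whether the DSRM administrator can log on while AD DS is running, which is the check a reviewer wants after any DSRM password change. It assumes it runs elevated on a domain controller running Windows Server 2008 R2 or later; DsrmSync is a placeholder account name.

```powershell
# Added example: reset the DSRM administrator password and audit DsrmAdminLogonBehavior.
# Assumes an elevated session on a Windows Server 2008 R2 or later DC; 'DsrmSync' is a
# placeholder domain account whose password has already been set.
# ntdsutil accepts its menu commands as arguments, so it can be driven from a script.

# 1. Sync the DSRM password from a throw-away domain account, then delete that account.
#    Each DC has its own DSRM password, so run this on (or against) every DC.
ntdsutil "set dsrm password" "sync from domain account DsrmSync" q q
# Windows Server 2003+ form, which prompts for the new password interactively:
#   ntdsutil "set dsrm password" "reset password on server null" q q

# 2. Audit DsrmAdminLogonBehavior. 0 or absent: DSRM admin can log on only in DSRM;
#    1: also when the AD DS service is stopped; 2: always. Value 2 turns the DSRM account
#    into a standing local administrator outside domain policy and is used for persistence.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$prop   = Get-ItemProperty -Path $lsaKey -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
$value  = if ($null -eq $prop) { 0 } else { [int]$prop.DsrmAdminLogonBehavior }
switch ($value) {
    0 { "DsrmAdminLogonBehavior = 0 (default): DSRM logon only in Directory Services Restore Mode" }
    1 { "DsrmAdminLogonBehavior = 1: DSRM logon allowed whenever AD DS is stopped - review" }
    2 { "DsrmAdminLogonBehavior = 2: DSRM logon always allowed - investigate and reset to 0" }
}
```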
>How do I use Registry keys to remove a user from a group?

In Windows Server 2003, you can use the dsmod command-line utility with the -rmmbr switch to remove a group member from the command line: dsmod group <GroupDN> -rmmbr <MemberDN>. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
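Removing a direct membership does not remove the rights a user still gets through a nested group, which is the mistake that matters when the removal is an access revocation. The added example below (not from the original page) does the removal with the ActiveDirectory module and then verifies effective membership, naming the nested groups that still carry it. It assumes the ActiveDirectory module; jdoe and App-Admins are placeholder names.

```powershell
# Added example: remove a user's direct membership and check for lingering nested membership.
# Assumes the ActiveDirectory module; 'jdoe' and 'App-Admins' are placeholders.
Import-Module ActiveDirectory

function Remove-GroupMemberAndVerify {
    param(
        [Parameter(Mandatory)][string]$User,    # sAMAccountName, SID or DN
        [Parameter(Mandatory)][string]$Group
    )
    $userObj  = Get-ADUser  -Identity $User
    $groupObj = Get-ADGroup -Identity $Group
    $groupDn  = $groupObj.DistinguishedName

    # Equivalent to: dsmod group "<group DN>" -rmmbr "<user DN>"
    Remove-ADGroupMember -Identity $groupObj -Members $userObj -Confirm:$false

    # -Recursive flattens nested groups, so a hit here means the rights still apply indirectly.
    $stillEffective = Get-ADGroupMember -Identity $groupObj -Recursive |
        Where-Object { $_.distinguishedName -eq $userObj.DistinguishedName }

    $via = @()
    if ($stillEffective) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) returns every group that is
        # transitively a member of the target group; intersect that with the user's direct
        # groups. DN characters special to LDAP filters, ( ) * \ , would need escaping here.
        $nested = Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"
        $via = Get-ADPrincipalGroupMembership -Identity $userObj |
            Where-Object { $nested.DistinguishedName -contains $_.DistinguishedName } |
            Select-Object -ExpandProperty Name
    }

    [pscustomobject]@{
        User            = $userObj.SamAccountName
        Group           = $groupObj.Name
        DirectRemoved   = $true
        StillEffective  = [bool]$stillEffective
        ViaNestedGroups = ($via -join ', ')
    }
}

Remove-GroupMemberAndVerify -User 'jdoe' -Group 'App-Admins'
```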

>Why are my NT4 clients failing to connect to the Windows 2000 domain?

Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the Windows 2000 domain controller (the domain's 1B and 1C entries in particular), and that your clients have the correct address configured for the WINS server.

>Difference between KCC and ISTG?

The KCC (Knowledge Consistency Checker) is the process, running on every domain controller, that generates the replication topology. Within a site it creates the inbound connection objects (the objects that tell a DC which partners to pull changes from) for the DC it runs on, so it is responsible for the whole intra-site replication topology.

Between sites, replication goes through bridgehead servers, and the connection objects for bridgehead servers are created differently: one DC per site, the ISTG (Inter-Site Topology Generator), runs the KCC's inter-site algorithm on behalf of the whole site. The ISTG reviews the inter-site topology and creates the inbound replication connection objects needed for the bridgehead servers in the site in which it resides. The ISTG is recorded in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object, and the domain controller holding this role is not necessarily itself a bridgehead server.
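To see the KCC/ISTG split on a real forest, the added example below (not from the original page) reads the ISTG recorded for each site and lists the connection objects in that site, marking which ones the KCC generated (as opposed to manually created ones) and which cross a site boundary. It assumes the ActiveDirectory module and the standard CN=Sites layout; the options bit name is the documented one.

```powershell
# Added example: show each site's ISTG and its replication connection objects.
# Assumes the ActiveDirectory module and the standard CN=Sites container layout.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$NTDSCONN_OPT_IS_GENERATED = 0x1   # bit 0 of 'options' on nTDSConnection: KCC-created, not manual

function Get-ServerFromNtdsDn([string]$NtdsSettingsDn) {
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $parts = $NtdsSettingsDn -split ','
    [pscustomobject]@{ Server = ($parts[1] -replace '^CN='); Site = ($parts[3] -replace '^CN=') }
}

$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope OneLevel -Filter 'objectClass -eq "site"'
foreach ($site in $sites) {
    # The ISTG role is recorded on the site's NTDS Site Settings object (repadmin /istg shows the same).
    $siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties interSiteTopologyGenerator
    $istg = if ($siteSettings.interSiteTopologyGenerator) {
        (Get-ServerFromNtdsDn $siteSettings.interSiteTopologyGenerator).Server
    } else { '(none recorded)' }
    "Site $($site.Name): ISTG = $istg"

    # Connection objects are children of each DC's NTDS Settings; fromServer names the source DC.
    Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" `
                 -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer, options |
        ForEach-Object {
            $to   = Get-ServerFromNtdsDn (($_.DistinguishedName -split ',', 2)[1])
            $from = Get-ServerFromNtdsDn $_.fromServer
            [pscustomobject]@{
                Site       = $site.Name
                ToServer   = $to.Server
                FromServer = $from.Server
                FromSite   = $from.Site
                InterSite  = ($from.Site -ne $site.Name)
                Generated  = [bool]($_.options -band $NTDSCONN_OPT_IS_GENERATED)
            }
        } | Format-Table -AutoSize
}
# Generated = False means an administrator created the connection by hand; the KCC will not
# clean it up when the topology changes, so unexpected manual connections deserve a look.
```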

> What Are Active Directory Functional Levels?


In Active Directory Domain Services (AD DS), domain controllers can run
different versions of Windows Server operating systems. The functional level of
a domain or forest depends on which versions of Windows Server operating
systems are running on the domain controllers in the domain or forest. The
functional level of a domain or forest controls which advanced features are
available in the domain or forest.

Ideally, all servers in an organization could run the latest version of Windows
and take advantage of all the advanced features that are available with the
newest software. But organizations often have a mixture of systems, generally
running different versions of operating systems, which are migrated to the
latest version only as organizational requirements demand additional
functionality, either for the entire organization or for a specific area of the
organization.

AD DS supports phased implementation of new versions of Windows Server and advanced features on domain controllers by providing multiple functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment. These functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier versions of Windows Server.

AD DS does not automatically enable advanced features, even if all domain controllers within a forest are running the same version of Windows Server. Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, AD DS checks whether all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.

> Domain functional level.


Six domain functional levels are available:
- Windows 2000 mixed (the default in Windows Server 2003)
- Windows 2000 native
- Windows Server 2003 interim
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2

> Forest functional level.


Five forest functional levels are available:
- Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)
- Windows Server 2003 interim
- Windows Server 2003 (the default in Windows Server 2008 R2)
- Windows Server 2008
- Windows Server 2008 R2
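The functional-level discussion above says AD DS checks every domain controller's operating system before a raise; the added example below (not from the original page) performs that check up front, reporting the current domain and forest modes and the highest of the levels listed above that the oldest DC in each scope allows. It assumes the ActiveDirectory module, read access to every domain in the forest, and the documented OperatingSystemVersion strings (5.0, 5.2, 6.0, 6.1); corp.example.com in the comments is a placeholder.

```powershell
# Added example: report current modes and the highest level every DC's OS permits.
# Assumes the ActiveDirectory module; the version map covers only the levels the page lists.
Import-Module ActiveDirectory

# Highest functional level an OS can participate in, keyed by the "major.minor" prefix of
# OperatingSystemVersion (e.g. "6.1 (7601)" for Windows Server 2008 R2).
$MaxLevelByOs = @{
    '5.0' = 'Windows2000'
    '5.2' = 'Windows2003'
    '6.0' = 'Windows2008'
    '6.1' = 'Windows2008R2'
}
$LevelOrder = @('Windows2000', 'Windows2003', 'Windows2008', 'Windows2008R2')

function Get-HighestSupportedLevel($controllers) {
    # The oldest DC bounds the level for the whole scope (a domain, or the forest).
    $ranks = foreach ($dc in $controllers) {
        $key = ($dc.OperatingSystemVersion -split ' ')[0]
        if ($MaxLevelByOs.ContainsKey($key)) { $LevelOrder.IndexOf($MaxLevelByOs[$key]) } else { -1 }
    }
    $min = ($ranks | Measure-Object -Minimum).Minimum
    if ($null -eq $min -or $min -lt 0) { return 'unknown OS version present' }
    return $LevelOrder[$min]
}

$forest = Get-ADForest
"Forest $($forest.Name): forest mode = $($forest.ForestMode)"

$allDcs = @()
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $allDcs += $dcs
    [pscustomobject]@{
        Domain            = $domainName
        CurrentDomainMode = $domain.DomainMode
        DomainControllers = $dcs.Count
        # string sort is adequate for the major.minor values above
        OldestOs          = ($dcs | Sort-Object OperatingSystemVersion | Select-Object -First 1).OperatingSystem
        HighestRaisableTo = Get-HighestSupportedLevel $dcs
    }
}
"Forest could be raised to: $(Get-HighestSupportedLevel $allDcs)"

# The raise itself is done with Set-ADDomainMode / Set-ADForestMode and, apart from the
# limited cases introduced in Windows Server 2008 R2, cannot be undone. Placeholder domain:
#   Set-ADDomainMode -Identity corp.example.com -DomainMode Windows2008R2Domain
#   Set-ADForestMode -Identity corp.example.com -ForestMode Windows2008R2Forest
```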
