What is Active Directory?
Active Directory is a hierarchical structure that stores information about objects on the network. Active
Directory provides the methods for storing directory data and making this data available to network
users and administrators.
What is SYSVOL?
The SYSVOL folder stores the server copy of the domain's public files. The contents of the SYSVOL
folder are replicated to all domain controllers in the domain.
What is Domain?
In Active Directory, a domain is a collection of computer, user, and group objects defined by the administrator. These
objects share a common directory database, security policies, and security relationships with other
domains. In the Domain Name System (DNS), a domain is any tree or subtree within the DNS namespace.
Although the names for DNS domains often correspond to Active Directory domains, DNS domains
should not be confused with Active Directory domains.
What is Domain Controller?
In an Active Directory forest, a domain controller is a server that contains a writable copy of the Active Directory database,
participates in Active Directory replication, and controls access to network resources. Administrators can
manage user accounts, network access, shared resources, site topology, and other directory objects from
any domain controller in the forest. See also Active Directory; authentication; directory; forest.
Active Directory provides the means to manage the identities and relationships that make up your
organization's network. Integrated with Windows Server 2008, Active Directory gives you out-of-the-box
functionality needed to centrally configure and administer system, user, and application settings. Active
Directory Domain Services (AD DS) stores directory data and manages communication between users
and domains, including user logon processes, authentication, and directory searches.
What is Forest?
A collection of one or more Active Directory domains that share a common schema, configuration, and
global catalog.
What is Tree?
A tree in Active Directory is just an extension of the idea of a directory tree. It's a hierarchy of objects
and containers that shows how objects are connected, or the path from one object to another.
Endpoints on the tree are usually objects.
What is Site?
One or more well-connected (highly reliable and fast) Transmission Control Protocol/Internet Protocol
(TCP/IP) subnets. A site allows administrators to configure Active Directory access and replication
topology quickly and easily to take advantage of the physical network. When users log on, Active
Directory clients locate Active Directory servers in the same site as the user. See also subnet; well-connected.
What is Organizational Unit?
A container object in Active Directory used to separate computers, users, and other resources into logical
units. An organizational unit is the smallest entity to which Group Policy can be linked. It is also the
smallest scope to which administrative authority can be delegated.
What is Schema?
A description of the object classes and attributes stored in Active Directory. For each object class, the
schema defines what attributes an object class must have, what additional attributes it may have, and
what object class can be its parent. An Active Directory schema can be updated dynamically. For
example, an application can extend the schema with new attributes and classes and use the extensions
immediately. Schema updates are accomplished by creating or modifying the schema objects stored in
Active Directory. Like every object in Active Directory, a schema object has an access control list (ACL) so
that only authorized users can alter the schema.
What is LDAP?
LDAP is a communication protocol designed for use on TCP/IP networks. LDAP defines how a directory
client can access a directory server and how the client can perform directory operations and share
directory data.
What is AD LDS?
Active Directory Lightweight Directory Services (AD LDS) provides directory services for directory-enabled
applications. AD LDS does not require or rely on Active Directory domains or forests. AD LDS was
previously known as Active Directory Application Mode (ADAM).
What is Single-Master Replication?
A type of replication where one domain controller is the master domain controller and operations are
not permitted to occur at different places in a network at the same time. In Active Directory, one or more
domain controllers can be assigned to perform single-master replication. Operations master roles are
special roles assigned to one or more domain controllers in a domain to perform single-master
replication. See also operations master role.
What is Multi-Master Replication?
A replication model in which any domain controller accepts and replicates directory changes to any
other domain controller. This differs from other replication models in which one computer stores the
single modifiable copy of the directory and other computers store backup copies. See also domain
controller; replication.
What is FSMO?
Flexible Single-Master Operation role. A mechanism used by Active Directory to prevent update conflicts
in multi-master deployments. Some objects are updated in single-master mode even if the deployment
is multi-master, which is very similar to the old concept of a Primary Domain Controller (PDC) in
Windows NT domains. There are five FSMO roles in an Active Directory deployment, but only the PDC
Emulator role affects Identity Synchronization for Windows. Because password updates are replicated
immediately only to the Active Directory domain controller with the PDC Emulator role, Identity
Synchronization for Windows uses this domain controller for synchronization.
What is Operations Master?
A domain controller that has been assigned one or more special roles in an Active Directory domain. The
domain controllers assigned these roles perform operations that are single-master (not permitted to
occur at different places on the network at the same time). Examples of these operations include
resource identifier allocation, schema modification, primary domain controller (PDC) election, and
certain infrastructure changes. The domain controller that controls the particular operation owns the
operations master role for that operation. The ownership of these operations master roles can be
transferred to other domain controllers. Also known as flexible single-master operations (FSMO).
What is Schema Master?
The schema master domain controller controls all updates and modifications to the schema. To update
the schema of a forest, you must have access to the schema master. There can be only one schema
master in the entire forest.
What is Domain Naming Master?
The domain controller holding the domain naming master role controls the addition or removal of
domains in the forest. There can be only one domain naming master in the entire forest.
Note:
1. Forest-wide operations master roles are Schema Master and Domain Naming Master.
2. Domain-wide operations master roles are RID Master, PDC Emulator Master and Infrastructure Master.
What is RID Master?
The domain controller assigned to allocate sequences of relative IDs to each domain controller in its
domain. Whenever a domain controller creates a security principal (user, group, or computer object), the
domain controller assigns the object a unique security ID (SID). The SID consists of a domain SID that is
the same for all SIDs created in a particular domain and a relative ID that is unique for each SID created
in the domain. At any time, there can be only one relative ID master in a particular domain.
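The domain-SID-plus-RID structure described above is what lets an analyst tell, from a SID alone, which domain a principal belongs to and whether it is one of the built-in privileged principals. The following is an added example, not part of the original page: it splits a SID string into its domain SID and RID, names the well-known RIDs Windows assigns to built-in domain principals, and scans a list of SIDs (the domain part of the sample SIDs is constructed) for the privileged ones. The `PRIVILEGED_RIDS` set is this example's own choice of what to flag.

```python
"""Split a Windows SID into domain SID and RID (added example, not from the page).

A domain SID has the form S-1-5-21-<a>-<b>-<c>; every principal in that
domain appends exactly one further sub-authority, the RID that the RID
master's pool provides.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Well-known RIDs that Windows assigns to built-in domain principals.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# RIDs this example flags when they appear in a list of SIDs (example's own choice).
PRIVILEGED_RIDS = {500, 502, 512, 516, 518, 519}


@dataclass(frozen=True)
class ParsedSid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]
    domain_sid: Optional[str]      # None for non-domain SIDs such as S-1-5-18
    rid: Optional[int]             # None for a bare domain SID or a non-domain SID
    well_known_name: Optional[str]


def parse_sid(sid: str) -> ParsedSid:
    """Parse 'S-<rev>-<authority>-<sub>...' and split off the domain part."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {sid!r}") from None
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")

    # NT authority (5) with the 21 sub-authority marks a domain SID; four more
    # sub-authorities means a principal (three domain parts plus the RID).
    if authority == 5 and len(subs) in (4, 5) and subs[0] == 21:
        domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4] if len(subs) == 5 else None
        return ParsedSid(revision, authority, subs, domain_sid, rid,
                         WELL_KNOWN_RIDS.get(rid) if rid is not None else None)
    # Well-known non-domain SIDs (LocalSystem, Everyone, ...) have nothing to split.
    return ParsedSid(revision, authority, subs, None, None, None)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs carry the same domain SID prefix."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a.domain_sid is not None and a.domain_sid == b.domain_sid


def privileged_sids(sids: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (sid, name) for every SID whose RID is in PRIVILEGED_RIDS."""
    found = []
    for sid in sids:
        parsed = parse_sid(sid)
        if parsed.rid in PRIVILEGED_RIDS:
            found.append((sid, parsed.well_known_name or f"RID {parsed.rid}"))
    return found


# Constructed sample SIDs; the domain part is made up for this example.
SAMPLE_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-512",   # Domain Admins
    "S-1-5-21-1004336348-1177238915-682003330-1104",  # an ordinary user
    "S-1-5-21-1004336348-1177238915-682003330-500",   # Administrator
    "S-1-5-18",                                        # LocalSystem, no domain part
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        p = parse_sid(s)
        print(f"{s}: domain={p.domain_sid} rid={p.rid} name={p.well_known_name}")
    print("privileged:", privileged_sids(SAMPLE_SIDS))
```

Because the RID is the only part that differs between principals of one domain, comparing the domain-SID prefix (`same_domain`) is the reliable way to decide whether two SIDs in a log come from the same domain, and a RID below 1000 is a strong hint that the principal is a built-in one rather than something an administrator created.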
What is PDC Emulator?
A domain controller that holds the PDC emulator operations master role in Active Directory. The PDC
emulator services network clients that do not have Active Directory client software installed, and it
replicates directory changes to any Microsoft Windows NT backup domain controllers (BDCs) in the
domain. The PDC emulator handles password authentication requests involving passwords that have
recently changed and not yet replicated. At any time, the PDC emulator master role can be assigned to
only one domain controller in each domain.
What is Infrastructure Master?
The domain controller assigned to update group-to-user references whenever group memberships are
changed and to replicate these changes to any other domain controllers in the domain. At any time,
there can be only one infrastructure master in a particular domain. The infrastructure master should not
be located on the same computer as the global catalog if there is more than one domain controller in the
forest.
Temporary loss of the schema operations master is not visible to network users. It is not visible to
network administrators either, unless they are trying to modify the schema or install an application that
modifies the schema during installation. If the schema master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you've chosen to act as the standby
schema master. However, seizing this role is a step that you should take only when the failure of the
schema master is permanent.
Temporary loss of the domain naming master is not visible to network users. It is not visible to network
administrators either, unless they are trying to add a domain to the forest or remove a domain from the
forest. If the domain naming master will be unavailable for an unacceptable length of time, you can seize
the role to the domain controller you've chosen to act as the standby domain naming master. However,
seizing this role is a step that you should take only when the failure of the domain naming master is
permanent.
Temporary loss of the RID operations master is not visible to network users. It is not visible to network
administrators either, unless they are creating objects and the domain in which they are creating the
objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable length of
time, you can seize the role to the domain controller you've chosen to act as the standby RID master.
However, seizing this role is a step that you should take only when the failure of the RID master is
permanent.
The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available,
you might need to seize the role immediately. If the current PDC emulator will be unavailable for an
unacceptable length of time and its domain has clients without Windows Server 2003 client software, or
if it contains Windows NT backup domain controllers, seize the PDC emulator role to the domain
controller you've chosen to act as the standby PDC emulator. When the original PDC emulator is
returned to service, you can return the role to the original domain controller.
Temporary loss of the infrastructure master is not visible to network users. It is not visible to network
administrators either, unless they have recently moved or renamed a large number of accounts. If the
infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a
domain controller that is not a global catalog but is well connected to a global catalog (from any
domain), ideally in the same site as a global catalog server. When the original infrastructure master is
returned to service, you can transfer the role back to the original domain controller.
Domain Admins: Members of this group have full control of the domain. By
default, this group is a member of the Administrators group on all domain
controllers, all domain workstations, and all domain member servers at the time
they are joined to the domain. By default, the Administrator account is a
member of this group. Because the group has full control in the domain, add
users with caution.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller
(BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multi-master peer-to-peer
read and write relationship, and each hosts a copy of the Active Directory database.
What is LSDOU?
It's the Group Policy inheritance model, in which policies are applied in the order Local machine, Site, Domain,
and Organizational Unit.
> What's the difference between guest accounts in Server 2003 and
other editions?
They are more restrictive in Windows Server 2003.
> How many passwords by default are remembered when you check
"Enforce Password History Remembered"?
The user's last 6 passwords.
> Can the GC server and the Infrastructure Master be placed on a single server? If not, explain
why.
No. The Infrastructure Master does the same job as the GC, so the two do not work
together.
> Which service in Windows is responsible for replication from one
domain controller to another?
The KCC generates the replication topology.
It uses SMTP / RPC to replicate changes.
>What is ADS?
ADS stands for Automated Deployment Services, and is used to quickly roll out
identically-configured servers in large-scale enterprise environments. You can
get more information from the ADS homepage.
>What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs
when traffic engineering is not required. It establishes LSPs that follow the
existing IP routing, and is particularly well suited for establishing a full mesh of
LSPs between all of the routers on the network.
Distribution groups: Distribution groups are used for sending e-mail messages
to groups of users. You cannot grant permissions to security groups. Even
though security groups have all the capabilities of distribution groups,
distribution groups are still required, because some applications can only read
distribution groups.
Global Group: Users with a similar function can be grouped under global scope
and given permission to access a resource (like a printer or shared folder
and files) available in the local domain or in another domain in the same forest. In simple
terms, global groups can be used to grant permissions to resources
located in any domain within a single forest, but their
memberships are limited: user accounts and global groups can be added only
from the domain in which the global group is created. Nesting is possible for global
groups within other groups, as you can add a global group into another global
group from any domain. Finally, to grant permission to domain-specific
resources (like printers and published folders), they can be members of a
Domain Local group. Global groups exist in all mixed, native and interim
functional levels of domains and forests.
Universal Group Scope: These groups are mainly used for e-mail distribution
and can be granted access to resources in all trusted domains, as these groups
can only be used as a security principal (security group type) in a Windows 2000
native or Windows Server 2003 domain functional level domain. Universal group
memberships are not limited like global groups: all domain user accounts and
groups can be members of a universal group. Universal groups can be nested
under a global or Domain Local group in any domain.
>What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables
administrators to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical
format, and monitor the status and performance of domain controller
replication.
>What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that
acts as a low-level editor for Active Directory. It is a Graphical User Interface
(GUI) tool. Network administrators can use it for common administrative tasks
such as adding, deleting, and moving objects within a directory service. The
attributes of each object can be edited or deleted by using this tool. ADSIEdit
uses the ADSI application programming interfaces (APIs) to access Active
Directory. The following are the required files for using this tool: ADSIEDIT.DLL
ADSIEDIT.
>What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication
problems between Windows domain controllers. Administrators can use
Repadmin to view the replication topology (sometimes referred to as RepsFrom
and RepsTo) as seen from the perspective of each domain controller. In
addition, Repadmin can be used to manually create the replication topology
(although in normal practice this should not be necessary), to force replication
events between domain controllers, and to view both the replication metadata
and up-to-dateness vectors.
>What are Trusts?
The forest sets the default boundaries of trust, not the domain, and implicit,
transitive trust is automatic for all domains within a forest. As well as two-way
transitive trust, AD trusts can be a shortcut (joins two domains in different
trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm
(transitive or nontransitive, one- or two-way), or external (nontransitive, one-
or two-way) in order to connect to other forests or non-AD domains.
>What is LDIFDE?
LDIFDE is a command that can be used to import and export objects to and
from AD using an LDIF-formatted file. An LDIF (LDAP Data Interchange Format)
file is easily readable in any text editor, but it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides
the file format) is the fact that LDIFDE can be used to edit and delete existing
AD objects (not just users), while CSVDE can only import and export objects.
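Because LDIFDE can modify and delete existing objects, an LDIF file handed to an administrator is worth reading before it is applied. The following added example (not code from the page or from Microsoft) parses LDIF in the shape LDIFDE produces: records separated by blank lines, continuation lines that start with a space, `::` base64 values, and `changetype` add/modify/delete with add/replace/delete operation blocks. It then lists every membership change against a privileged group. The sample LDIF and the `PRIVILEGED_GROUPS` set are constructed for this example.

```python
"""Parse LDIFDE-style LDIF and flag privileged-group changes (added example, not from the page)."""
import base64
from typing import Dict, List, Tuple

# Group RDNs this example treats as privileged (example's own choice).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}


def _unfold(text: str) -> List[str]:
    """Join continuation lines: a leading space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _decode(value: str) -> str:
    """'attr:: <b64>' carries a base64 value; 'attr: <text>' is plain text."""
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return value.strip()


def parse_ldif(text: str) -> List[Dict]:
    """Return records as dicts: dn, changetype, attrs (for add), ops (for modify).

    Attribute names are lower-cased so lookups do not depend on LDIFDE's casing.
    """
    records: List[Dict] = []
    rec = None
    for line in _unfold(text) + [""]:            # sentinel flushes the last record
        if line == "":
            if rec is not None:
                records.append(rec)
                rec = None
            continue
        if line.startswith("#") or line == "-":  # comment, or end of a modify op
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), _decode(value)
        if rec is None:
            if name != "dn":
                raise ValueError(f"record must begin with dn:, got {line!r}")
            rec = {"dn": value, "changetype": "add", "attrs": {}, "ops": []}
        elif name == "changetype":
            rec["changetype"] = value.lower()
        elif rec["changetype"] == "modify" and name in ("add", "replace", "delete"):
            rec["ops"].append({"op": name, "attr": value.lower(), "values": []})
        elif rec["changetype"] == "modify":
            if not rec["ops"]:
                raise ValueError(f"modify value before add/replace/delete: {line!r}")
            rec["ops"][-1]["values"].append(value)
        else:
            rec["attrs"].setdefault(name, []).append(value)
    return records


def summarize(records: List[Dict]) -> Dict[str, int]:
    """Count records per changetype, e.g. {'add': 1, 'modify': 1, 'delete': 1}."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["changetype"]] = counts.get(rec["changetype"], 0) + 1
    return counts


def privileged_membership_changes(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """(group dn, op, member dn) for every member change on a privileged group."""
    hits: List[Tuple[str, str, str]] = []
    for rec in records:
        if rec["changetype"] != "modify":
            continue
        rdn = rec["dn"].split(",")[0].strip().lower()
        if rdn.startswith("cn=") and rdn[3:] in PRIVILEGED_GROUPS:
            for op in rec["ops"]:
                if op["attr"] == "member":
                    hits.extend((rec["dn"], op["op"], m) for m in op["values"])
    return hits


# Constructed sample resembling LDIFDE output (not real directory data).
SAMPLE_LDIF = """\
# constructed sample
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: alice
description:: QWRkZWQgdmlhIExE
 SUZERQ==

dn: CN=Domain Admins,CN=Users,DC=corp,DC=example
changetype: modify
add: member
member: CN=Alice Example,OU=Staff,DC=corp,DC=example
-

dn: CN=Old Printer,OU=Devices,DC=corp,DC=example
changetype: delete
"""

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(summarize(recs))
    for group, op, member in privileged_membership_changes(recs):
        print(f"review: {op} {member} -> {group}")
```

The folded `description::` value in the sample shows why unfolding must happen before the `name: value` split: LDIFDE wraps long and base64 values across lines, and a parser that works line by line would otherwise see `SUZERQ==` as a malformed line.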
>What is RSoP?
One challenge of Group Policy administration is to understand the cumulative
effect of a number of Group Policy objects (GPOs) on any given computer or
user, or how changes to Group Policy, such as reordering the precedence of
GPOs or moving a computer or user to a different organizational unit (OU) in
the directory, might affect the network. The Resultant Set of Policy (RSoP)
snap-in offers administrators one solution. Administrators use the RSoP snap-in
to see how multiple Group Policy objects affect various combinations of users
and computers, or to predict the effect of Group Policy settings on the network.
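The cumulative effect RSoP reports comes from the LSDOU order stated earlier (Local, Site, Domain, OU) with later scopes overriding earlier ones. The following is an added example, not code from the page or from Microsoft: it models that resolution for one computer, deriving the OU chain from the computer's DN (parent OU before child OU) and, within one container, applying the GPO with link order 1 last so that it wins. Enforced links and Block Inheritance are left out, and the GPOs, settings and DN are constructed for the example.

```python
"""Resolve the resultant set of policy in LSDOU order (added example, not from the page)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GPO:
    name: str
    settings: Dict[str, object]


# A scope is a container label plus its linked GPOs in link order
# (index 0 is link order 1, the highest precedence within that container).
Scope = Tuple[str, List[GPO]]


def ou_chain(dn: str) -> List[str]:
    """OU containers of a DN, parent first (naive split; escaped commas unsupported)."""
    parts = dn.split(",")
    chain = [",".join(parts[i:]) for i, p in enumerate(parts) if p.upper().startswith("OU=")]
    return list(reversed(chain))


def resultant_policy(scopes: List[Scope]) -> Dict[str, Tuple[object, str]]:
    """Apply GPOs in LSDOU order; return {setting: (winning value, 'scope/GPO')}."""
    result: Dict[str, Tuple[object, str]] = {}
    for label, gpos in scopes:
        # Link order 1 is processed last within a container, hence reversed().
        for gpo in reversed(gpos):
            for key, value in gpo.settings.items():
                result[key] = (value, f"{label}/{gpo.name}")   # later write wins
    return result


def build_scopes(computer_dn: str, local: GPO, site: Scope, domain: Scope,
                 ou_links: Dict[str, List[GPO]]) -> List[Scope]:
    """Assemble the L, S, D, OU... scope list for one computer (hypothetical helper)."""
    scopes: List[Scope] = [("Local", [local]), site, domain]
    for ou in ou_chain(computer_dn):
        scopes.append((ou, ou_links.get(ou, [])))
    return scopes


# Constructed sample GPOs and links for this example.
LOCAL_GPO = GPO("Local Computer Policy", {"ScreenLockSeconds": 900, "AuditLogon": "None"})
SITE: Scope = ("Site HQ", [GPO("HQ Site Policy", {"ScreenLockSeconds": 600})])
DOMAIN: Scope = ("DC=corp,DC=example",
                 [GPO("Default Domain Policy", {"AuditLogon": "Success,Failure", "MinPwdLen": 12})])
OU_LINKS = {
    "OU=Finance,DC=corp,DC=example": [GPO("Finance Baseline", {"ScreenLockSeconds": 300})],
    "OU=Workstations,OU=Finance,DC=corp,DC=example": [
        GPO("Workstation Hardening", {"ScreenLockSeconds": 120}),                        # link order 1
        GPO("Legacy App Tweaks", {"ScreenLockSeconds": 1800, "AllowLegacyApp": True}),  # link order 2
    ],
}
COMPUTER_DN = "CN=WS01,OU=Workstations,OU=Finance,DC=corp,DC=example"


def sample_rsop() -> Dict[str, Tuple[object, str]]:
    """Resultant policy for the constructed computer above."""
    return resultant_policy(build_scopes(COMPUTER_DN, LOCAL_GPO, SITE, DOMAIN, OU_LINKS))


if __name__ == "__main__":
    for setting, (value, source) in sorted(sample_rsop().items()):
        print(f"{setting:18} = {value!r:18} from {source}")
```

The interesting row is `ScreenLockSeconds`: five GPOs set it, and the winner is the link-order-1 GPO on the closest OU, not the last one listed in that OU, which is exactly the kind of precedence question RSoP exists to answer.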
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
6. NTLDR then loads NTOSKRNL.EXE and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
In Windows 2000 Server, you used to have to boot the computer whose
password you wanted to change into Directory Services Restore Mode, then use either the
Microsoft Management Console (MMC) Local Users and Groups snap-in or the
command net user administrator * to change the Administrator password.
>How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the
-delmbr switch to remove a group member from the command line. You should
also look into the freeware utilities available from www.joeware.net . ADFind
and ADMod are indispensable tools in my arsenal when it comes to searching
and modifying Active Directory.
Ideally, all servers in an organization could run the latest version of Windows
and take advantage of all the advanced features that are available with the
newest software. But organizations often have a mixture of systems, generally
running different versions of operating systems, which are migrated to the
latest version only as organizational requirements demand additional
functionality, either for the entire organization or for a specific area of the
organization.