X.500 is the original directory service standard; its design began in 1984. It introduced the
distinguished name (DN) and the relative distinguished name (RDN).
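A distinguished name is a comma-separated chain of RDNs, and the string form has escaping rules that a naive split on commas gets wrong. The following parser is an added example, not part of the original notes; it follows the RFC 4514 string form (RDNs separated by `,`, multi-valued RDNs joined with `+`, special characters escaped as `\x` or as a `\XX` hex pair), and the sample DNs in it are constructed for illustration.

```python
"""Parse an LDAP/X.500 distinguished name into its relative distinguished names.

Added example, not from the original notes. It follows the RFC 4514 string
form: RDNs separated by ',', multi-valued RDNs joined with '+', and special
characters escaped either as '\\x' or as a '\\XX' hex pair. The sample DN in
main() is constructed for illustration.
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN = one or more (type, value) pairs
HEX = "0123456789abcdefABCDEF"


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, but not on a sep that is preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve '\\,' style escapes and '\\2C' hex pairs. Hex pairs may encode
    consecutive UTF-8 bytes, so bytes are collected before decoding."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn, most specific (leftmost) first.
    Attribute types are lower-cased because they are case-insensitive."""
    if not dn.strip():
        return []            # the empty DN names the root DSE
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, val = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError("malformed RDN: %r" % ava)
            rdn.append((attr.strip().lower(), _unescape(val.strip())))
        rdns.append(rdn)
    return rdns


def rdn_of(dn: str) -> str:
    """The object's own name: the first RDN, as written."""
    return _split_unescaped(dn, ",")[0].strip()


def parent_dn(dn: str) -> str:
    """The DN of the container holding the object. Moving the object changes
    this part; renaming it changes rdn_of()."""
    return ",".join(p.strip() for p in _split_unescaped(dn, ",")[1:])


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,DC=corp,DC=example"   # constructed
    print(parse_dn(sample))
    print(rdn_of(sample), "|", parent_dn(sample))
```

The escaped comma in the sample is the case that matters in practice: a user named "Doe, Jane" has a DN containing `\,`, and any tool that splits DNs on bare commas will attribute the object to the wrong container.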
Q.What is LDAP?
Q.What is Novell Directory Services?
Novell Directory Services (NDS, now called eDirectory) was introduced in 1992 and runs on Linux, Unix, and
Windows NT/2000/2003.
Q.Explain domains.
A domain is the container object that holds AD components (users, computers, groups, OUs).
In an AD installation the first thing created is a domain, and this domain
is called the tree root domain; it is the highest domain in its tree.
A tree root domain can also be the forest root domain (the first domain in the forest).
Each domain must have one or more AD domain controllers.
Domains can have child domains and grandchild domains, each a DNS subdomain of its parent.
Q.What is a tree?
An AD tree is a group of domains that share a contiguous DNS namespace (for example corp.example and sales.corp.example).
The domains in a tree are connected by two-way transitive trusts.
They share the same schema (the schema is forest-wide).
They share a common global catalog.
Q.What is a forest?
A forest is one or more trees linked together; the trees share a schema, a configuration partition and a global catalog but need not share a namespace.
Any number of trees can be linked to make up a forest.
The forest root domain is the first domain created in the AD forest.
Q.What is a schema?
The schema defines the building blocks of the directory: the object classes and the attributes each class
can or must carry, for every object in the forest.
The schema for a user object, for example, includes last name, first name and logon ID.
Q.What is an AD site?
An AD site is one or more well-connected, highly reliable and fast TCP/IP subnets.
A site object contains server objects and is joined to other sites by site links.
Sites are used to configure AD access (which domain controller a client prefers) and the replication topology according to the
network's physical layout.
A domain can span several sites, and a site can contain domain controllers from several domains.
Q.Where is the server's copy of the domain's public files (logon scripts and Group Policy templates) saved?
In the SYSVOL folder, C:\Windows\SYSVOL (%SystemRoot%\SYSVOL) by default.
Q.How do you prepare AD before installing a Windows Server 2003 server into an existing Windows
2000 AD?
If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory
structure, you must first prepare Active Directory for the installation by taking the following steps:
Apply Service Pack 2 or later on all domain controllers.
Back up your data (including System State).
On the schema master for the forest, disconnect the server from the network and
run Adprep /forestprep. Reconnect the server and wait at least 15 minutes (or as
long as half a day or more) for the schema changes to replicate.
If Active Directory has multiple domains, or if the infrastructure master for the
domain is on a different server than the schema master, run Adprep /domainprep
on the infrastructure master of each domain.
Q.Under what circumstances can you rename domains?
All domain controllers are running Windows Server 2003.
The domain functional level is Windows Server 2003.
The forest functional level is Windows Server 2003.
Tool: Description
Directory Services log: Use Event Viewer to examine the log. The log lists informational,
warning, and error events.
Netdiag: Run from the command line. Tests domain controller connectivity (in
some cases, it can make repairs).
DCDiag: Analyzes domain controller state and runs tests against the different functional areas of
Active Directory.
Dcpromo log files: Located in the %SystemRoot%\Debug folder.
Dcpromoui.log gives a detailed progress report of Active Directory
installation and removal.
Dcpromos.log is created when a Windows NT 3.x or 4.0 domain controller is
upgraded and promoted.
Ntdsutil: A command-line tool that provides management facilities for AD.
It can remove orphaned data or a domain controller object from Active
Directory (metadata cleanup).
Note: Microsoft gives the following as the best-practice procedure for restoring Active Directory
from backup media:
Reboot into Directory Services Restore Mode. Log in using the DSRM password you
specified during setup (not a domain account).
Restore the System State data from backup to its original location and also to an alternate
location.
Run Ntdsutil to mark the entire Active Directory database (if you're restoring
the entire database) or specific Active Directory objects (if you're only restoring
selected Active Directory objects) as authoritative.
Reboot normally.
Restore SYSVOL contents by copying the SYSVOL directory from the alternate
location to the original location to overwrite the existing SYSVOL directory (if
you're restoring the entire database). Or, copy only the policy folders (identified by
GUID) from the alternate location to the original location to overwrite the
existing policy folders.
Q.What is a GUID?
A GUID is a globally unique identifier.
A GUID is a 128-bit number that is statistically guaranteed to be unique across the network.
It is assigned to an object (its objectGUID attribute) when the object is created, and it never changes even if
the object is renamed or moved.
Q.What is a SID?
A SID is a security identifier.
A SID is a unique number that is assigned when a security principal (user, group or computer account) is created.
Every account on the network has a unique SID, and access control lists track the account
by SID rather than by the account's user or group name.
An account SID is made up of the domain SID plus a unique RID.
Deleting and recreating an account, or moving it to another domain, results in a new SID, so the
rights and permissions granted to the account have to be recreated and
reassigned (unless SID history is used).
Q.What is a RID?
A relative identifier (RID) is the part of a security identifier (SID) that uniquely
identifies an account or group within a domain.
It is unique among all SIDs in a domain; the RID master allocates RID pools to the domain controllers.
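The GUID, SID and RID points above are easiest to see on the raw attribute values. The following is an added example, not part of the original notes: it decodes the binary objectGUID and objectSid values that Active Directory returns over LDAP and splits an account SID into its domain SID and RID. The two sample byte strings and the short well-known-RID table are constructed for illustration, not captured from a directory.

```python
"""Decode the binary objectGUID and objectSid values Active Directory returns
over LDAP, and split an account SID into its domain SID and RID.

Added example, not from the original notes. SAMPLE_GUID_BYTES and
SAMPLE_SID_BYTES are constructed for illustration, not captured from a
directory; WELL_KNOWN_RIDS lists only a few commonly checked RIDs.
"""
import struct
import uuid
from typing import Dict, Tuple

WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample attribute values, laid out as an LDAP client receives them.
SAMPLE_GUID_BYTES = bytes.fromhex("33221100554477668899aabbccddeeff")
SAMPLE_SID_BYTES = (
    bytes([1, 5])                       # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")            # identifier authority 5 = NT Authority
    + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 1013)
)


def guid_from_ad_bytes(raw: bytes) -> str:
    """objectGUID uses Microsoft's mixed-endian layout: the first three fields
    are little-endian, the last two big-endian, which is exactly what
    uuid.UUID(bytes_le=...) expects. Reading it big-endian gives a wrong GUID."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def sid_from_ad_bytes(raw: bytes) -> str:
    """Binary SID layout: revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) | count x 32-bit little-endian
    sub-authorities. The last sub-authority of an account SID is the RID."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID (revision %d, %d sub-authorities, %d bytes)"
                         % (revision, count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_account_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID of the form
    S-1-5-21-<a>-<b>-<c>-<rid>. Well-known and built-in SIDs are rejected
    because their last sub-authority is not a domain-allocated RID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def describe_rid(rid: int) -> str:
    """Name a well-known RID; RIDs from 1000 up were handed out by the RID master."""
    return WELL_KNOWN_RIDS.get(rid, "RID %d (allocated by the RID master)" % rid)


if __name__ == "__main__":
    print("objectGUID:", guid_from_ad_bytes(SAMPLE_GUID_BYTES))
    sid = sid_from_ad_bytes(SAMPLE_SID_BYTES)
    domain_sid, rid = split_account_sid(sid)
    print("objectSid:", sid, "-> domain", domain_sid, "RID", rid, describe_rid(rid))
```

The same domain SID prefix with RID 500 is the built-in Administrator account whatever it has been renamed to, which is why audits compare RIDs rather than account names.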
Q.What is a group?
A group is a set of users, computers or other groups put together either to grant
access to resources (security group) or to serve as a distribution list (distribution group).
It can include any combination of object types.
It is used to make administration simpler.
Q.To which objects can you delegate administrative control?
Domains.
Organizational units.
Containers.
Q.What is a trust?
A trust is a link between two or more domains.
It is a secure communication path that allows security principals from one
domain to be authenticated by, and accepted in, the other domain.
The trusting domain is the domain that accepts authentication of security principals from
another domain.
The trusted domain is the domain housing the security principals that will be trusted.
Forest functional levels depend on the domain functional levels. The table below shows
the forest functional levels.
Forest functional level: Domain functional level: Features
Windows 2000: Windows 2000 mixed or Windows 2000 native: The following features are available at the Windows 2000 forest level:
• Global catalog replication improvements are available if both replication partners are running
Windows Server 2003.
Windows Server 2003: Windows Server 2003: The following features are available at the Windows Server 2003 forest level:
Q.What are the reasons to upgrade/change the domain and forest functional level?
Domain functional levels (formerly known as domain modes) provide a way to
enable domain-wide Active Directory features within your network
environment.
Four domain functional levels are available: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server
2003.
A change in domain functional level is one-way; it cannot be reversed.
You can rename the domains in your forest only if both the domain and forest functional
levels are Windows Server 2003.
Eg: moving the schema master of an AD forest from one domain controller to another is done by
transferring the operations master role.
Q.Provide some more facts about object management tasks and tools.
You should be familiar with the following object management tasks and
tools:
The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets
you migrate users and other objects between domains. The tool requires a trust
between the source and target domains.
You can use the ADMT to retain an object's old SID (it is written to the sIDHistory attribute).
Moving an object within a domain retains its SID and therefore its permissions.
Deleting the object deletes its existing permissions.
You should rename or move an object rather than delete and recreate the object.
The Ldp utility allows you to search for and view the properties of multiple
Active Directory objects.
If a computer that does not have a pre-created account is joined to the domain, a computer
object is created by default in the built-in Computers container.
Use the Dsadd ou command to add an OU object to Active Directory from the
command line.
The easiest way to create a single OU in Active Directory is to use the Active
Directory Users and Computers snap-in in the MMC.
To view the LostAndFound container, select Advanced Features from the View
menu in the Active Directory Users and Computers snap-in.
Container: Contents
Builtin: Built-in domain local security groups.
These groups are pre-assigned the permissions needed to perform
domain management tasks.
Computers: All computers joined to the domain without a pre-created computer
account.
Domain Controllers*: All domain controllers.
This OU cannot be deleted.
ForeignSecurityPrincipals: Proxy objects for security principals in NT 4.0 domains or
domains outside of the forest.
LostAndFound**: Objects moved or created at the same time an organizational
unit is deleted. Because of Active Directory replication, the
parent OU can be deleted on one domain controller while
administrators at other domain controllers add or move
objects into the deleted OU before the change has been replicated.
During replication, such orphaned objects are placed in the
LostAndFound container.
NTDS Quotas**: Objects that contain limits on the number of objects users and
groups can own.
Program Data**: Application-specific data created by other programs.
This container is empty until a program designed to store
information in Active Directory uses it.
System**: Configuration information about the domain, including security
groups and permissions, the domain SYSVOL share, DFS
configuration information, and IP security policies.
Users: Built-in user and group accounts.
These users and groups are pre-assigned membership and permissions
for completing domain and forest management tasks.
*Be aware that the Domain Controllers OU is the only default organizational unit object.
All other default containers are just containers, not OUs. As such, you cannot apply a
GPO to any default container except for the Domain Controllers OU.
**By default, these containers are hidden in Active Directory Users and Computers. To
view these containers, click View/Advanced Features from the menu.
Software Installation and Folder Redirection settings are not processed during a background refresh, because it is too risky to install/uninstall
software or move files while users are using their computers; they are applied only at startup or logon.
To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch: Function
(no switch): Refresh both user and computer Group Policy.
/target:user: Refresh user Group Policy only.
/target:computer: Refresh computer Group Policy only.
/force: Reapply all settings, not only the ones that changed since the last refresh.
Q.How do you create and edit Group Policy?
A Group Policy Object is created and linked from the Group Policy tab of a site, domain or OU (or from the Group Policy Management Console) and edited with the Group Policy Object Editor MMC snap-in.
Edit Permissions
You can control the application of GPOs by editing the permissions in the GPO's
access control list (ACL). A security principal receives a GPO only if it has both the
Read and the Apply Group Policy permission; when you deny an object either permission, the object will not receive the GPO.
To deny a GPO to a user, group or computer, add it to the GPO permissions
and deny the Apply Group Policy and Read permissions. A deny entry wins over an allow
inherited through another group.
To apply a GPO only to specific users, groups, or computers, remove the Authenticated
Users group from the GPO permissions, then add the specific user, group, or computer
and grant it the Apply Group Policy and Read permissions.
Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent
objects. To block GPO inheritance,
Click the Group Policy tab for the domain or OU for which you want to block GPO
inheritance.
Select the Block Policy inheritance check box.
You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or
OU (along with all the containers and objects beneath them) from inheriting GPOs.
No Override
You should know the following facts about the No Override option (called Enforced in the Group Policy Management Console):
The No Override option prevents a GPO from being overridden by a GPO linked lower in the hierarchy,
and it also wins over Block Policy inheritance set on a child domain or OU.
When No Override is set on more than one GPO, the GPO highest in the Active
Directory hierarchy takes precedence.
No Override cannot be set on the local GPO, because it is not linked to a site, domain or OU.
By default, Group Policy applies Computer Configuration settings during startup and User
Configuration settings during logon. User Configuration settings take precedence in the event of a
conflict.
You can change how Group Policy is applied by enabling loopback processing, which applies the User
Configuration settings of the GPOs that apply to the computer to whoever logs on to it (in Replace mode
instead of, in Merge mode in addition to, the user's own GPOs). Following are some
circumstances when you might use loopback processing:
Q.What is Gpresult?
Gpresult is a command-line tool that allows you to examine the policy settings
applied to specific users and computers.
Start Gpresult by entering Gpresult at the command line (use the /? switch for
syntax help).
Gpresult can show the following:
o Last application of Group Policy and the domain controller from which
policy was applied.
o Detailed list of the applied GPOs.
o Detailed list of applied Registry settings.
o Details of redirected folders.
o Software management information, like information about assigned and
published software.
Q.What is Rsop?
RSoP (Resultant Set of Policy) is the accumulated results of the group policies applied to a user or
computer. You should know the following facts about RSoP:
The RSoP wizard reports on how GPO settings affect users and computers. The
wizard runs in two modes: logging and planning.
The RSoP wizard logging mode reports on existing group policies applied
against computers or users.
The RSoP wizard planning mode simulates the effects policies would have if
applied to computers or users.
You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ones:
Add the Resultant Set of Policy snap-in to an MMC console.
Use Start > Run and run Rsop.msc.
Select an object in Active Directory Users and Computers and choose All Tasks >
Resultant Set of Policy (Planning) or Resultant Set of Policy (Logging).
Note: Both RSoP and Gpresult are used to identify the net effect of all applied GPOs.
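RSoP is the outcome of the precedence rules described above (Local, Site, Domain, OU processing order, Block Policy inheritance, No Override, and security filtering through the Read and Apply Group Policy permissions). The following model is an added example, not part of the original notes and not a Microsoft tool: it applies those rules to a constructed topology and reports, for every setting, which GPO supplied the winning value. The GPO, container, group and setting names in build_sample_chain() are constructed.

```python
"""Model how Group Policy is applied and compute a resultant set of policy.

Added example, not from the original notes and not a Microsoft tool. Models:
Local, Site, Domain, OU processing order (the last GPO applied wins), Block
Policy inheritance on a domain or OU, No Override (Enforced) links, and
security filtering through Read + Apply Group Policy. The topology in
build_sample_chain() is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    # principals granted Read + Apply Group Policy; Authenticated Users by default
    allowed: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    denied: Set[str] = field(default_factory=set)   # explicit deny ACEs

    def applies_to(self, principals: Set[str]) -> bool:
        """Security filtering: a deny ACE wins over any allow."""
        if self.denied & principals:
            return False
        return bool(self.allowed & principals)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False        # "No Override" in ADUC, "Enforced" in GPMC


@dataclass
class Container:
    """Local computer, site, domain or OU. links is in link order: index 0 has
    the highest precedence within this container."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain: List[Container]) -> List[Link]:
    """chain runs top down: [local, site, domain, OU, child OU, ...]. Returns
    links in the order applied; a later link overrides an earlier one."""
    normal: List[Tuple[int, Link]] = []
    enforced: List[Tuple[int, Link]] = []
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # drop links inherited from containers above; the local GPO is not
            # inherited from a parent container, so it survives
            normal = [entry for entry in normal if entry[0] == 0]
        for link in reversed(container.links):   # lowest link order applied last
            (enforced if link.no_override else normal).append((depth, link))
    # No Override links are applied after all others; among several, the one
    # highest in the hierarchy (smallest depth) is applied last and so wins
    enforced.sort(key=lambda entry: -entry[0])
    return [link for _, link in normal] + [link for _, link in enforced]


def resultant_set(chain: List[Container], principals: Set[str]
                  ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (setting -> value, setting -> name of the GPO that supplied it)."""
    result: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for link in processing_order(chain):
        if not link.gpo.applies_to(principals):
            continue                       # filtered out by the GPO's ACL
        for key, value in link.gpo.settings.items():
            result[key] = value
            winner[key] = link.gpo.name
    return result, winner


def build_sample_chain() -> Dict[str, Container]:
    """Constructed topology: local GPO, one site, a domain with an enforced
    password GPO, a Sales OU that blocks inheritance, and a Kiosks OU whose
    GPO is filtered to the Kiosk Computers group."""
    local = Container("Local", [Link(GPO("Local GPO", {"screensaver_timeout": "900"}))])
    site = Container("Site-HQ", [Link(GPO("Site Proxy", {"proxy": "hq-proxy"}))])
    domain = Container("corp.example", [
        Link(GPO("Domain Password Policy",
                 {"min_pw_len": "8", "screensaver_timeout": "600"}), no_override=True),
        Link(GPO("Domain Wallpaper", {"wallpaper": "corp.bmp"}, denied={"Executives"})),
    ])
    sales = Container("OU=Sales", [Link(GPO("Sales Wallpaper",
                      {"wallpaper": "sales.bmp", "screensaver_timeout": "300"}))],
                      block_inheritance=True)
    kiosks = Container("OU=Kiosks", [Link(GPO("Kiosk Lockdown", {"proxy": "none"},
                       allowed={"Kiosk Computers"}))])
    return {"local": local, "site": site, "domain": domain, "sales": sales, "kiosks": kiosks}


def sales_user_rsop() -> Tuple[Dict[str, str], Dict[str, str]]:
    c = build_sample_chain()
    return resultant_set([c["local"], c["site"], c["domain"], c["sales"]],
                         {"Authenticated Users", "Sales"})


def kiosk_rsop(principals: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    c = build_sample_chain()
    return resultant_set([c["local"], c["site"], c["domain"], c["kiosks"]], principals)


if __name__ == "__main__":
    print(sales_user_rsop())                                     # block + enforced
    print(kiosk_rsop({"Authenticated Users", "Kiosk Computers"}))  # security filtering
```

For the Sales user the blocked Site Proxy GPO disappears, the Sales wallpaper wins over the domain one, but the screensaver timeout comes from the enforced domain GPO despite the block, which is exactly what Gpresult or the RSoP logging mode would report for that OU.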
Q.What is Gpupdate?
Gpupdate is the Group Policy update command.
It is used to force a refresh of Group Policy settings without waiting for the background refresh interval.
Q.What is Gpotool?
Gpotool is a Resource Kit command-line tool that checks the health of GPOs on
domain controllers.
It checks each GPO for consistency (the Active Directory part and the SYSVOL part match).
It checks that GPOs have replicated to all domain controllers.
It can also display information about a particular GPO.
Q.What tasks can a Domain Admin do?
They cannot link GPOs to sites; sites belong to the forest configuration, and by default only Enterprise Admins can link there.
They can do anything within the domain, such as creating GPOs and linking GPOs to the
domain and its OUs.
Note: the Advanced published or assigned dialog appears when you add an .msi package to the Software Installation node of a GPO; a package
assigned under Computer Configuration is installed when the computer boots.