
KCC

The KCC (Knowledge Consistency Checker) is a built-in process that runs on all
domain controllers and generates the replication topology for the Active
Directory forest. The KCC creates separate replication topologies depending on
whether replication is occurring within a site (intrasite) or between sites
(intersite). The KCC also dynamically adjusts the topology (it runs every 15
minutes by default) to accommodate new domain controllers, domain controllers
moved to and from sites, changing costs and schedules, and domain controllers
that are temporarily unavailable.

How do you view replication properties for AD?


By using Active Directory Replication Monitor (Replmon) from the Windows
2000/2003 Support Tools:
Start --> Run --> replmon
Replmon was dropped from Windows Server 2008 onward. The supported tools are the
built-in repadmin (repadmin /showrepl, repadmin /replsummary) and, with the
ActiveDirectory PowerShell module, Get-ADReplicationPartnerMetadata and
Get-ADReplicationFailure.
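The replication checks above, as an added example that is not part of the original notes: it uses repadmin (built in since Windows Server 2008) and the RSAT ActiveDirectory module in place of Replmon. It assumes you run it as a domain user from a domain-joined machine; no hostnames are hard-coded.

```powershell
# Added example (not from the original notes): replication health checks that replace
# Replmon, which shipped only in the 2000/2003 Support Tools and was dropped in 2008.
# Assumes the ActiveDirectory module (RSAT) is installed and you run as a domain user.
Import-Module ActiveDirectory

# Forest-wide summary: failures, largest delta, per-DC counts.
repadmin /replsummary

# Inbound replication partners of the current DC, with last attempt/success and result.
repadmin /showrepl

# Same data via PowerShell, filtered to partners whose last attempt failed (result 0 = success).
Get-ADReplicationPartnerMetadata -Target (Get-ADDomainController).HostName -Scope Server |
    Where-Object { $_.LastReplicationResult -ne 0 } |
    Select-Object Server, Partner, Partition, LastReplicationAttempt,
                  LastReplicationSuccess, LastReplicationResult

# Queued failures across every DC in the domain; an empty result is what you want.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# Force the KCC to recompute the topology now instead of waiting for its next pass.
repadmin /kcc
```

A DC that has not replicated successfully for longer than the tombstone lifetime is quarantined by the others, so the LastReplicationSuccess column is the one to watch, not just the error code.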

what are sites? What are they used for?


It is one or more well-connected (highly reliable and fast) TCP/IP subnets. A
site allows administrators to configure Active Directory access (clients look
for a domain controller in their own site first) and the replication topology
to take advantage of the physical network.

Name some OU design considerations?


OU design requires balancing requirements for delegating administrative rights
- independent of Group Policy needs - and the need to scope the application of
Group Policy. The following OU design recommendations address delegation
and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to
which you can link Group Policy objects (GPOs cannot be linked to the default
Users or Computers containers, which is one reason to move objects into OUs).
Delegating administrative authority: delegate at the OU level rather than on
individual objects, and keep the hierarchy shallow; going deeper than about
three OU levels rarely helps and makes delegation and policy inheritance
harder to audit.
http://technet.microsoft.com/en-us/library/cc783140.aspx

What are FSMO Roles? List them.

FSMO (Flexible Single Master Operations) roles are the five operations-master
roles that Active Directory assigns to a single domain controller at a time,
because the operation they control cannot safely be multi-master. Two are
forest-wide (one holder per forest) and three are per-domain (one holder per
domain):
1-Schema master (forest-wide)
2-Domain naming master (forest-wide)
3-RID master (per domain)
4-PDC Emulator (per domain)
5-Infrastructure master (per domain)
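Finding the role holders, as an added example that is not part of the original notes: the two forest-wide roles are properties of the forest object and the three per-domain roles are properties of the domain object. It assumes the RSAT ActiveDirectory module and a domain-joined machine.

```powershell
# Added example (not from the original notes): list the five FSMO role holders.
# Assumes RSAT's ActiveDirectory module; works from any domain-joined admin workstation.
Import-Module ActiveDirectory

# Two forest-wide roles live on the forest object...
$forest = Get-ADForest
# ...three per-domain roles on each domain object.
$domain = Get-ADDomain

[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Older, command-line equivalent that prints the same five holders.
netdom query fsmo

# Every DC should agree on the holders; disagreement means replication is lagging
# or a role was seized. Ask each DC which PDC emulator it believes in and group the answers.
Get-ADDomainController -Filter * |
    ForEach-Object {
        [PSCustomObject]@{
            QueriedDC   = $_.HostName
            PDCEmulator = (Get-ADDomain -Server $_.HostName).PDCEmulator
        }
    } | Group-Object PDCEmulator | Select-Object Name, Count
```

More than one group in the last output means the DCs disagree, which after a seizure is exactly the moment an old holder coming back online would start handing out duplicate RIDs or conflicting schema changes.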

Logical diagram of Active Directory? What is the difference between a child
domain and an additional domain controller?

If you know what a domain is then you have half the answer. Say you have the
domain microsoft.com. Microsoft has a server named server1 in that domain,
which happens to be the parent (root) domain, so its FQDN is
server1.microsoft.com. If you add an additional domain controller to the same
domain and name it server2, its FQDN is server2.microsoft.com: same domain,
same directory partition, just another replica.
Now Microsoft is big and has offices in Europe and Asia, so they create child
domains for them. Their FQDNs look like europe.microsoft.com and
asia.microsoft.com. If each child domain has a server named server1, the FQDNs
are server1.europe.microsoft.com and server1.asia.microsoft.com. A child domain
is a separate domain (its own domain partition, its own Domain Admins) joined
to the parent by an automatic two-way transitive trust.
What are Active Directory Groups?
Groups are containers that contain user and computer objects within them as
members. When security permissions are set for a group in the Access Control
List on a resource, all members of that group receive those permissions.
Domain Groups enable centralized administration in a domain. All domain
groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and
group scopes. The group type determines the type of task that you manage
with the group. The group scope determines whether the group can have
members from multiple domains or a single domain.

Group Types
* Security groups: use security groups for granting permissions to gain access
to resources. A security group can also be mail-enabled, so sending an e-mail
message to it reaches all members; security groups therefore have all the
capabilities of distribution groups.
* Distribution groups: used only for sending e-mail messages to groups of
users. You cannot grant permissions to a distribution group: it is never added
to a user's security token, so an ACL entry for it has no effect. Distribution
groups are still needed because some applications can only work with
distribution groups, and because a group that cannot be put on an ACL cannot
be misused to grant access.

Group Scopes
Group scope determines where the group can be used and who can be a member of
it, and therefore how you club users together for easy administration. One
group can be a member of another group, which is known as group nesting; the
scope rules below say which nestings the directory allows.
* Domain Local Group: use this scope to grant permissions to resources that are
located in the same domain in which you created the domain local group. Domain
local groups exist at every (mixed, native and interim) domain functional
level. Membership is wide: user accounts, global groups and universal groups
from any domain in the forest or a trusted domain, plus, at Windows 2000 native
level or higher, other domain local groups from the same domain. A domain local
group can be nested only into other domain local groups of its own domain; it
cannot be a member of a global or universal group.
* Global Group: users with a similar function are grouped under global scope
and can be given permission to a resource (such as a printer or shared folder)
in their own domain or in any other domain in the forest. Global groups can be
granted permissions in any trusting domain, but their membership is limited:
only user accounts and (at native level) other global groups from the domain
in which the global group was created. A global group can be a member of
global groups in its own domain and of domain local or universal groups in any
domain. Global groups exist at every domain functional level.
* Universal Group: membership is stored in the global catalog, so universal
groups can collect accounts, global groups and universal groups from any
domain in the forest and can be granted access to resources in any trusting
domain. Universal security groups require at least Windows 2000 native domain
functional level (in mixed mode only universal distribution groups exist). A
universal group can be nested into universal or domain local groups in any
domain, but not into a global group.
The usual pattern is AGDLP: put Accounts into Global groups, put global groups
into Domain Local groups, and assign Permissions to the domain local group.
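The scope rules above put into practice as an added example that is not part of the original notes: it builds the AGDLP chain for one file share and shows the directory rejecting a nesting the rules forbid. The domain corp.example, the OU, the user names and the share path are all hypothetical; it assumes the RSAT ActiveDirectory module on a machine with Domain Admins rights.

```powershell
# Added example (not from the original notes): the AGDLP pattern with the three scopes.
# Assumes RSAT's ActiveDirectory module, a domain "corp.example" (hypothetical), and an
# OU "OU=Groups,DC=corp,DC=example" that already exists.
Import-Module ActiveDirectory
$ou = "OU=Groups,DC=corp,DC=example"

# A -> G: a global group collects users with a common role (same-domain members only).
New-ADGroup -Name "G-Finance-Users" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G-Finance-Users" -Members "alice", "bob"

# G -> DL: a domain local group carries the permission on a resource in this domain.
New-ADGroup -Name "DL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-FinanceShare-Modify" -Members "G-Finance-Users"

# DL -> P: put the domain local group on the ACL, never individual users.
$acl  = Get-Acl "D:\Shares\Finance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\DL-FinanceShare-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "D:\Shares\Finance" $acl

# Universal groups are the only scope whose membership is held in the global catalog,
# so a universal group can roll up global groups from several domains of the forest.
New-ADGroup -Name "U-Finance-AllRegions" -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "U-Finance-AllRegions" -Members "G-Finance-Users"

# The scope rules are enforced by the directory. This fails: a domain local group cannot
# be nested into a global group (global groups accept only accounts or global groups,
# and only from their own domain).
try {
    Add-ADGroupMember -Identity "G-Finance-Users" -Members "DL-FinanceShare-Modify" -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Audit: scope and category of every group in the OU, so that distribution groups
# (which grant nothing) never end up on an ACL by mistake.
Get-ADGroup -Filter * -SearchBase $ou | Select-Object Name, GroupScope, GroupCategory
```

Granting the share permission to the domain local group rather than to G-Finance-Users directly is what lets a global group from a second domain be added later without touching the ACL.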

What are the types of backup? Explain each?


Incremental
A "normal" incremental backup will only back up files that have been changed
since the last backup of any type. This provides the quickest means of backup,
since it only makes copies of files that have not yet been backed up. For
instance, following our full backup on Friday, Monday’s tape will contain only
those files changed since Friday. Tuesday’s tape contains only those files
changed since Monday, and so on. The downside to this is obviously that in
order to perform a full restore, you need to restore the last full backup first,
followed by each of the subsequent incremental backups to the present day in
the correct order. Should any one of these backup copies be damaged
(particularly the full backup), the restore will be incomplete.

Differential
A cumulative backup of all changes made after the last full backup. The
advantage to this is the quicker recovery time, requiring only a full backup and
the latest differential backup to restore the system. The disadvantage is that
for each day elapsed since the last full backup, more data needs to be backed
up, especially if a majority of the data has been changed.

What is the SYSVOL folder?


The System Volume (SYSVOL) is a collection of folders and reparse points in the
file system that exists on each domain controller in a domain. SYSVOL provides
a standard location to store the file parts of Group Policy objects (GPOs) and
logon scripts so that they can be replicated to every domain controller in the
domain: by the File Replication Service (FRS) in Windows 2000/2003, and by DFS
Replication (DFSR) from Windows Server 2008 on. It is shared as \\<DC>\SYSVOL
(the scripts folder is also shared as NETLOGON) and is readable by every
authenticated user, so anything written there runs on every client that
applies the policy.
You can go to the SYSVOL folder by typing: %systemroot%\SYSVOL

What is the ISTG Who has that role by default?


The first domain controller brought up in a site becomes the ISTG (Inter-Site
Topology Generator) for that site; it is the DC that runs the inter-site part
of the KCC and picks the bridgehead servers. The domain controller holding this
role is not necessarily also a bridgehead server.

What is the order in which GPOs are applied?


Local, Site, Domain, OU (remembered as LSDOU), with child OUs after parent
OUs. Each level is applied on top of the previous one, so when two GPOs set
the same setting the later one (closest to the object) wins, unless a
higher-level link is marked Enforced, which then wins over everything below it;
Block Inheritance on an OU drops all non-enforced links from above.
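Checking the order as it was really applied, as an added example that is not part of the original notes: gpresult shows the applied list per computer and user, and Get-GPInheritance shows the link order and the two exceptions (Enforced, Block Inheritance) for an OU. It assumes the RSAT GroupPolicy module; the OU distinguished name is hypothetical.

```powershell
# Added example (not from the original notes): see the LSDOU order as it was actually applied.
# Assumes the GroupPolicy module (RSAT) and an OU DN that exists in your domain (hypothetical here).

# Applied GPOs in order, with the container each came from, for this computer and user.
gpresult /r

# Resultant set of policy as an HTML report you can diff between two machines.
gpresult /h "$env:TEMP\rsop.html"

# Inheritance seen from a given OU: the list is in precedence order, so the entry with the
# lowest Order number wins if two GPOs set the same setting.
Import-Module GroupPolicy
$ou = "OU=Workstations,DC=corp,DC=example"
Get-GPInheritance -Target $ou |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Two things break the plain Local -> Site -> Domain -> OU rule, and both are visible above:
# "Block Inheritance" on the OU drops everything linked higher up, and "Enforced" on a higher
# link overrides the block and also wins over any lower-level conflicting setting.
(Get-GPInheritance -Target $ou).GpoInheritanceBlocked
```

An Enforced link at the domain level is the usual way to make a security baseline (password policy, audit settings) survive an OU administrator's Block Inheritance.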

UNC Universal Naming Convention


\\servername\shared name (It is used to access the shared folder)
MAC Media Access Control
PDC Primary Domain Controllers
BDC Backup Domain Controllers
SMP Symmetric Multi Processors
AMP Asymmetric Multi Processing
EFS Encrypting File System
FAT File Allocation Table
HCL Hardware Compatibility List
IIS Internet Information Service
LSA Local Security Authority
MMC Microsoft Management Console
OU Organizational Unit
RAS Remote Access Service
RDP Remote Desktop Protocol (used for Terminal Services)
RRAS Routing and Remote Access Service
SID Security Identifier
WINS Windows Internet Name Service
GUID Globally Unique identifier
IAS Internet Authentication Service
UPN User Principal Name (username@domainname.com)
BIOS Basic Input Output System
Net BIOS Network Basic Input/Output System
ARP Address Resolution Protocol
DVD Digital Video Disk
GPO Group Policy Object (LGPO Local Group Policy Object)
IPsec Internet Protocol Security
ISP Internet Service Provider
NAT Network Address Translation
MBR Master Boot Record
USB Universal Serial Bus
POST Power On Self Test
SCSI Small Computer System Interface
URL Uniform Resource Locator
RAID Redundant Array of Independent Disks
IDE Integrated Drive Electronics
FQDN Fully Qualified Domain Name (full computer name)
[computername.domainname.com]
OSPF Open Shortest Path First (these two are routing protocols)
RIP Routing Information Protocol
POP3 Post Office Protocol (used to receive the mails)
SMTP Simple Mail Transfer Protocol (Used to send the mails)
SMPS Switch Mode Power Supply
PING Packet Internet Groper (a backronym; the name comes from sonar)
VNC Virtual Network Computing
EULA End User License Agreement
CAL Client Access License
TSCAL Terminal Services Client Access License
UPS Uninterruptible Power Supply
BIND Berkeley Internet Name Domain
PXE Preboot eXecution Environment
UDF Uniqueness Database file
LDAP Lightweight Directory Access Protocol
ISDN Integrated Services Digital Network
VLSM Variable Length Subnet Mask
CIDR Classless Inter Domain Routing
IGMP Internet Group Management Protocol
FSMO Flexible Single Master Operations
APIPA Automatic Private IP Addressing
NetBEUI NetBIOS Extended User Interface
UDP User Datagram Protocol
FTP File Transfer Protocol
Mbps Mega bits per second
Ntds.dit NT Directory Services directory information tree (the Active Directory database file)
ICMP Internet Control message Protocol
NNTP Network News Transfer Protocol
RADIUS Remote Authentication Dial-In User Service
SNMP Simple Network Management protocol
VPN Virtual Private Network
L2TP Layer2 Tunneling Protocol
PPTP Point to Point Tunneling Protocol
ADSI Active Directory Service Interfaces
SUS Software Update Services
SMS Systems Management Server
WSUS Windows Server Update Services (successor to SUS)
TFTP Trivial File Transfer Protocol

List of important port numbers

15  Netstat (historic netstat service)
21  FTP (control)
23  Telnet
25  SMTP
37  Time
42  WINS (NetBIOS name service replication)
53  DNS (TCP and UDP)
67  DHCP/BOOTP server (UDP)
68  DHCP/BOOTP client (UDP)
79  Finger
80  HTTP
88  Kerberos (TCP and UDP)
101  HOSTNAME
110  POP3
119  NNTP
123  NTP (Network Time Protocol, UDP)
135  RPC endpoint mapper
139  NetBIOS session service
161  SNMP (UDP)
220  IMAP3
389  LDAP (Lightweight Directory Access Protocol)
443  HTTPS (HTTP over SSL/TLS)
445  SMB over TCP (SYSVOL, NETLOGON, file shares)
500  Internet Key Exchange, IKE (IPsec) (UDP 500)
520  RIP (UDP)
636  LDAPS (LDAP over SSL/TLS)
3268  AD Global Catalog
3269  AD Global Catalog over SSL/TLS
3389  Terminal Services (RDP)
4011  BINL (Remote Installation Services; older notes list 180, which is not the RIS port)
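A quick check of the ports a domain member needs on its domain controller, as an added example that is not part of the original notes. The DC name dc01.corp.example and the domain are hypothetical; Test-NetConnection only probes TCP, so the UDP-first services are checked by using them.

```powershell
# Added example (not from the original notes): check the ports a domain member needs on a DC.
# "dc01.corp.example" is hypothetical; run from a client in the site you are troubleshooting.
$dc = "dc01.corp.example"
$ports = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    139  = "NetBIOS session"
    389  = "LDAP"
    445  = "SMB (SYSVOL, NETLOGON)"
    636  = "LDAP over SSL/TLS"
    3268 = "Global Catalog"
    3269 = "Global Catalog over SSL/TLS"
    3389 = "Remote Desktop"
}
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5}  {1,-28} {2}" -f $p, $ports[$p], ($(if ($ok) { "open" } else { "BLOCKED" }))
}

# TCP checks do not cover UDP. DNS, NTP and Kerberos are UDP-first; confirm them with the service:
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.corp.example" -Type SRV -Server $dc   # DNS 53
w32tm /stripchart /computer:$dc /samples:1 /dataonly                              # NTP 123
nltest /dsgetdc:corp.example /kdc                                                  # Kerberos 88 (KDC locator)
```

A firewall that passes 389 but blocks 88 produces the classic symptom of LDAP tools working while domain logons fail, which this list makes visible in one pass.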
diskpart.exe: the command-line disk management tool in Windows 2003 (it
replaces the interactive fdisk).
nltest /dsgetdc:domainname
Replace domainname with the name of the domain that you are trying to log on
to. This command verifies that a domain controller can be located (it uses the
same DC locator, DNS SRV lookups, that the logon process uses). Nltest ships in
the Support Tools on Windows 2000/2003 and is built in from Windows Server
2008 / Windows 7 onward.

How to synchronize manually a client computer to a domain controller?


Windows 2000 (Win2K) and later computers in a domain automatically synchronize
time with a domain controller (the PDC emulator is the root of the domain's
time hierarchy). Sometimes you need to synchronize manually, for example after
a Kerberos "clock skew too great" logon failure; Kerberos rejects tickets when
the clocks differ by more than 5 minutes by default.
To manually synchronize time, open an elevated command-line window and run
w32tm /resync
On Windows 2000 the equivalent was w32tm -s; the "w32time -update" form found
in older notes is not a valid command. Only if the service is stopped do you
need to run
Net start w32time
before the resync.
Manually verify the synchronization between the client computer and a domain
controller (w32tm /query /status shows the source and offset; w32tm
/stripchart /computer:<dc> shows the offset against a specific DC). Also check
the System event log to ensure that the W32Time service has not logged
additional error messages.
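The manual sync and the verification steps above in one script, as an added example that is not part of the original notes. It assumes an elevated prompt on Windows Server 2003 / XP or later (w32tm syntax) and uses the hypothetical DC name dc01.corp.example.

```powershell
# Added example (not from the original notes): manual time sync and verification with w32tm,
# which replaced the Windows 2000 "w32time" syntax. Run in an elevated prompt.

# Which source is the client using, and how far off is it? (A domain member should show a DC.)
w32tm /query /source
w32tm /query /status

# Force an immediate sync; /rediscover also re-picks the time source from DNS.
w32tm /resync /rediscover

# Measure the offset against a specific DC for five samples, two seconds apart.
w32tm /stripchart /computer:dc01.corp.example /samples:5 /dataonly

# Only start the service if /resync reported it is not running.
if ((Get-Service w32time).Status -ne 'Running') {
    Start-Service w32time
    w32tm /resync
}

# Kerberos tolerates 5 minutes of skew by default; beyond that logons fail, so check the
# errors W32Time writes to the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If the source shown is "Local CMOS Clock" on a domain member, the machine is not following the domain hierarchy at all and will drift until Kerberos breaks; w32tm /config /syncfromflags:domhier /update puts it back.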

What are the icons available in Control Panel?


Around 27 icons are available in control panel
Accessibility Options, Add/Remove Hardware, Add/Remove Programs,
Administrative Tools, Automatic Updates,
Keyboard, Mouse, Printers, Phone and Modem Options, Scanners and Cameras,
Power Options,
System, Display, Network and Dial-up Connections, Internet Options, Folder
Options,
Date and Time, Sounds and Multimedia, Regional Options, Users and Passwords,
Scheduled Tasks

What are the icons that don't get a delete option on the Desktop (up to the
2000 O. S.)?
My Computer
My Network Places
Recycle Bin
Note: In Windows 2003 you can delete My Computer and My Network Places, and
you can get them back:
Right click on Desktop -> Properties -> click on the Desktop tab -> click on
Customize Desktop -> select the appropriate check boxes.
Even in 2003 you cannot delete the Recycle Bin from the GUI.
Note: You can remove anything (even the Recycle Bin) from the desktop by using
registry settings in 2000/2003.

What are the properties of Recycle bin?


General
Check box for "Display delete confirmation dialog box"
Check box for whether to move a deleted file to the Recycle Bin or delete it
immediately
Global options (apply to all drives)
Individual partitions (one configuration per partition)
How to configure the DNS?
Open the DNS console
There you will find
DNS
Server name
Forward Lookup Zones
Reverse Lookup Zones
Note: If you selected "create zones automatically" during setup, it creates
the domain zone under Forward Lookup Zones (older wizards could also create a
root zone, "."). Otherwise create the domain zone yourself.
Caution: create a root zone (".") only on a server that must never resolve
Internet names. A DNS server that hosts "." considers itself the root of the
namespace and will not use root hints or forwarders, so every lookup for an
external name fails on it.

How to create a zone?


Right click on Forward Lookup Zones -> New Zone
Active Directory Integrated
Primary
Secondary

Select any one of above.


Note: The option Active Directory Integrated Zone is available only when you
have installed Active Directory (the server is a domain controller); if not,
the option is disabled.
Note: To create a Secondary zone you must already have a Primary zone or an
Active Directory Integrated zone on another server for it to copy from.

DNS Name [____________________]


Give the DNS name
Note: Type "." (only the dot) in the name box only if you deliberately want a
root zone; see the caution above, an internal root zone stops Internet name
resolution on that server.
Then click Next
Finish

After creating the root zone (if you need one), create another zone with the
Domain Name:
Right click on Forward Lookup Zones -> New Zone -> Active Directory
Integrated (you can choose any one) -> DNS Name [___] -> Next -> Finish

Creation of zone in Reverse lookup zone


Right click on Reverse Lookup Zones -> New Zone -> type the Network ID -> Next
-> Name -> Finish
After this, when you add a host record in the forward zone:
Right click on the forward zone -> New Host -> tick "Create associated pointer
(PTR) record" -> Add Host (or right click an existing record -> Properties ->
"Update associated PTR record")

What tabs are there on properties of Domain?


General
Start of Authority (SOA)
Name Servers
WINS
Zone transfers
What tabs are there on the properties of the server?
Interfaces
Forwarders
Advanced
Root hints
Logging
Monitoring

Where to create the primary, secondary, Active Directory Integrated zones?

If you want to create an Active Directory integrated zone, the server must be
Domain Controller.
If you want to create a Primary zone you can create it on a Domain Controller
or a Member server. But if you create it on a member server you will not get
the four Active Directory subdomains (_msdcs, _sites, _tcp, _udp) under the
domain until a domain controller dynamically registers its SRV records there,
and secure dynamic updates are not available for a file-backed primary zone.
You can create a Secondary zone on a Member Server or on a Domain Controller.
There is no difference between them.

What are the advantages with Windows 2000 DNS?


Or
What are the features of Widows 2000 DNS?
Supports SRV (service) records
Supports Dynamic Updates
Supports IXFR (Incremental Zone Transfer)
Supports security

Explain each one of the above?


In a Windows 2000 domain you need a DNS server so that clients can find the
different services a domain controller offers (LDAP, Kerberos, global catalog).
The SRV records identify these services, for example
_ldap._tcp.dc._msdcs.<domain>.
When you enable dynamic updates, the records in the zone are created
automatically: as you add a computer to the domain, or a domain controller to
the domain, the corresponding host and SRV records are registered by the
machine itself, so you no longer need to create a record in the DNS zone
manually for each computer or service.
When an update is made on the master it has to be replicated to the secondary.
Previously the entire zone was transferred every time (AXFR, full zone
transfer). With Windows 2000 DNS only the records that have been modified are
transferred; this is called IXFR (Incremental Zone Transfer).
We get security with Active Directory integrated zones: the zone is an object
in Active Directory, so we can set permissions on it (who can read, who can
create or change records). Active Directory integrated zones also support
secure dynamic updates, where only the computer (or account) that created a
record can update it, which stops one host from hijacking another host's name.

What are the commands do we use for DNS?


nslookup (and all its interactive-mode commands)
ipconfig /displaydns
ipconfig /flushdns
ipconfig /registerdns
Note: A good strategy for DNS in a corporate network is to use two DNS
servers: one on the internal network holding the internal zone, and one
between the two firewalls (the DMZ) holding only the names the outside must
see. For more security keep the zone on the DMZ server a secondary, so nothing
on it can be written from outside, and never transfer the internal zone, with
all its server names, to it.

How we make more available our DNS?


By adding more DNS servers (secondaries, or several Active Directory integrated
servers, which are all writable) and listing more than one of them in the
clients' TCP/IP settings, or by Windows 2000 clustering.

What is the purpose of forward lookup?


It resolves the Host names (Friendly Name) to IP addresses

What is the purpose of Reverse lookup zone?


It resolves the IP addresses to Host names

What is the difference between Primary zone and Secondary zone?


Primary zone has read and write permissions, where as Secondary zone has
read only permission.
Note: Secondary zone is used for Backup and Load balancing.

How to check whether DNS is working or not?


Type the command “nslookup” at command prompt
Then it gives the DNS server name and its IP address

What is Dynamic Updates in DNS?


Generally we need to create a host record for newly joined computer (either
client or Member server or Domain controller). If you enable dynamic Update
option, then DNS it self creates associated host record for newly joined
computers.

How to get Dynamic Update option?


Right click on any zone -> Properties -> on the General tab you will get Allow
Dynamic Updates? [Yes / No / Only secure updates]

Note: Prefer "Only secure updates" on Active Directory integrated zones. "Yes"
means nonsecure updates: any host that can reach the server, without
authenticating, can create or overwrite any record, including a domain
controller's, and redirect clients. Use plain "Yes" only on an isolated test
network.

Note: If it is an Active Directory Integrated zone you will get all three
options. If it is a Primary or Secondary zone you will get only "Yes/No" (no
secure updates), because secure updates rely on the zone's Active Directory
ACLs.
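The zone creation steps ("How to create a zone", the reverse zone) and the dynamic-update setting above, done from the DnsServer PowerShell module instead of the MMC wizard, as an added example that is not part of the original notes. It assumes Windows Server 2012 or later on a domain controller running DNS; the domain corp.example, the subnet 10.1.0.0/24 and the host names are hypothetical.

```powershell
# Added example (not from the original notes): zone creation and dynamic-update settings with
# the DnsServer module (Windows Server 2012+). Domain "corp.example" and subnet 10.1.0.0/24
# are hypothetical. Run on the DNS server as an administrator.
Import-Module DnsServer

# AD-integrated forward zone, replicated to every DNS server in the domain, secure updates only.
Add-DnsServerPrimaryZone -Name "corp.example" -ReplicationScope Domain -DynamicUpdate Secure

# Matching AD-integrated reverse zone; the wizard's "Network ID" step is the -NetworkId parameter.
Add-DnsServerPrimaryZone -NetworkId "10.1.0.0/24" -ReplicationScope Domain -DynamicUpdate Secure

# A file-backed (non-AD) primary zone can only be "None" or "NonsecureAndSecure": there is no
# "Secure" option without Active Directory, which is why the GUI offers only Yes/No there.
Add-DnsServerPrimaryZone -Name "lab.example" -ZoneFile "lab.example.dns" -DynamicUpdate None

# Verify what each zone allows. Any zone showing NonsecureAndSecure lets any host on the network
# overwrite any record, including a DC's A record, so that setting should be the exception.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

# Tighten a zone that was left on "Yes" (NonsecureAndSecure); only AD-integrated zones accept Secure.
Set-DnsServerPrimaryZone -Name "corp.example" -DynamicUpdate Secure

# A static host record, with its PTR created in the reverse zone at the same time.
Add-DnsServerResourceRecordA -ZoneName "corp.example" -Name "fs01" -IPv4Address "10.1.0.25" -CreatePtr
```

With Secure in place, a client that re-joins the domain with the same name can still update its own record (it owns it), but another machine trying to register that name is refused.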

What is name Resolution?


The process of translating the name into some object or information that the
name represents is called name resolution. A telephone book forms a
namespace in which the names of telephone subscribers can be resolved to the
phone numbers.

What is BIND?

BIND (Berkeley Internet Name Domain) is the DNS server software maintained by
the Internet Systems Consortium that runs most DNS servers on the Internet and
on UNIX/Linux systems. Windows DNS interoperates with it: BIND secondaries can
pull zone transfers from a Windows primary and vice versa, provided both sides
support the record types in use (BIND 8.1.2 or later is needed for the SRV
records Active Directory depends on).

What are the port numbers used for Kerberos, LDAP etc. in DNS?

Kerberos 88 (TCP and UDP), Kerberos password change 464, LDAP 389, LDAP over
SSL/TLS 636, Global Catalog 3268 (3269 over SSL/TLS), and DNS itself 53 (TCP
and UDP). The SRV records for a domain controller carry these ports, for
example _kerberos._tcp.<domain> -> 88 and _ldap._tcp.<domain> -> 389.

What is a zone?
A database of records is called a zone.
Also called a zone of authority, a subset of the Domain Name System (DNS)
namespace that is managed by a name server.

What is a recursive query?

The query that a client sends to its DNS server is normally a recursive query:
the client sets the recursion-desired bit and expects a final answer. (I.e., a
recursive query is nothing but "give me the answer to my question, don't tell
me to go and ask this person or that person, just answer it". That's all.) The
DNS server then does the work: it either answers from its cache or its own
zones, or goes out and asks other servers.

What is an iterative query?

The queries that your DNS server sends to the root servers, the top-level
domain servers and so on are iterative queries. Each server answers with the
best it has: either the record, or a referral ("I don't know, but here are the
name servers for .com who can help you"). Your server follows the referrals
until it reaches a server that is authoritative for the name.

What Type of Records do you find in DNS database?


Host record (A / AAAA)
Mail Exchanger record (MX record)
Alias (CNAME record)
plus the records the rest of these notes mention: pointer (PTR) in reverse
zones, Start of Authority (SOA), Name Server (NS) and service locator (SRV).

How to convert a Domain Controller to a member server?

Run dcpromo (Windows 2000/2003) and follow the wizard to remove Active
Directory; on Windows Server 2012 and later use the Active Directory Domain
Services Configuration Wizard or Uninstall-ADDSDomainController. Demotion
replicates the change to the other domain controllers and removes the local
copy of the directory.
The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
ProductOptions\ProductType reflects the machine's role: "LanmanNT" on a domain
controller, "ServerNT" on a member server (and "WinNT" on a workstation).
Editing that value by hand, as older notes suggest, does not demote anything:
the directory, SYSVOL and the other DCs' knowledge of this DC are untouched,
and the edit is unsupported. Use dcpromo.

Is there any possibility to have two Primary DNS zones?


No, you should not have two standard primary zones for the same name. If you
had two, some clients would contact the first and some the second, according
to the DNS servers listed in their TCP/IP properties, and the two copies would
drift apart because neither replicates to the other. A standard primary zone
is single-master: there is exactly one writable copy, the primary, and you
can have as many secondary (read-only) copies as you like.
To overcome this single-master limitation, Windows 2000 introduced Active
Directory integrated zones, which are multi-master: every domain controller
running DNS holds a writable copy and changes replicate with Active Directory.

How to create a Secondary DNS zone?


To create a secondary zone you must already have a Primary DNS zone or an
Active Directory integrated DNS zone on another server.

Follow the same procedure as for the primary DNS configuration, but at the
zone-type step select Secondary zone instead of Primary zone. After that it
asks for the address of the master (primary) server; provide that address.

Create forward lookup zone and reverse lookup zone as usual.


Then,
Right click on Forward Lookup Zones -> New Zone
Active Directory Integrated
Primary
Secondary

Select Secondary zone


(Note: The option Active Directory Integrated Zone is available only when you
have installed Active Directory; if you have not installed Active Directory
the option is disabled.)

Then it asks for Primary DNS zone details, provide those details then
click on finish.

Now go to the Primary or Active Directory integrated zone, then right click on
the zone name -> Properties -> click on the Zone Transfers tab

Select Allow zone transfers

Here you can see three options:
To any server
Only to servers listed on the Name Servers tab
Only to the following servers

Select one and give the address of the secondary server (only in the case of
the second and third option).
Click on Apply, then OK.
Security note: "To any server" lets anyone who can reach port 53 pull the whole
zone with an AXFR (nslookup's "ls -d" command does it), which hands an attacker
the list of every host and service you have. Always use the second or third
option; on Windows Server 2003 and later the default is already "Only to
servers listed on the Name Servers tab".

Note: In zone transfers tab you can find another option Notify, this is to
automatically notify secondary severs when the zone changes. Here also you
can select appropriate options.

Note: In a secondary zone you cannot modify any information; everyone has read
only access.
If the primary DNS server is down for good, open the secondary zone's
Properties -> General tab and click "Change" to convert it to a primary; it
then acts as the primary and accepts writes. Do this only once you are sure
the old primary will not come back, otherwise you end up with two masters.

What are the default Refresh, Retry and Expire intervals in a primary zone's
SOA record for secondary zones?
The Windows DNS defaults are
Refresh interval: 15 minutes (how often the secondary asks the master whether
the serial number has changed)
Retry interval: 10 minutes (how long to wait before asking again if the master
did not answer)
Expire after: 1 day (if the secondary cannot reach the master for this long it
stops answering for the zone rather than serving stale data)
Minimum (default) TTL: 1 hour

Suppose the Secondary zone is Expired then, how to solve the problem?

First go to primary zone check primary zone is working or not.


IF primary zone is working then go to secondary zone, Right click on zone name
select the “Transfer from Master” then it automatically contacts the primary
DNS, if any updates are there then it takes the updates from the Primary.

How to know whether the recent changes in Primary are updated to


secondary zone or not?
Compare the Serial Number on the Start of Authority (SOA) tab in the zone
properties on both the secondary and the primary DNS server.
If both are the same, the recent updates have reached the secondary zone.
If not (i.e., the secondary's serial is less than the primary's), right click
the secondary zone and click "Transfer from Master" (or "Reload from Master"
to force a full AXFR).
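The secondary-zone setup, the zone-transfer restriction and the serial-number comparison above, as an added example that is not part of the original notes. It uses the DnsServer module (Windows Server 2012+); the servers ns1.corp.example (primary, 10.1.0.10) and ns2.corp.example (secondary, 10.1.0.11) and the zone are hypothetical.

```powershell
# Added example (not from the original notes): secondary zone setup, restricting zone transfers,
# and the SOA serial check, with the DnsServer module. Hostnames "ns1.corp.example" (primary,
# 10.1.0.10) and "ns2.corp.example" (secondary, 10.1.0.11) are hypothetical.
Import-Module DnsServer
$zone = "corp.example"

# On the primary: allow transfers only to the listed secondary, and notify it of changes.
# "To any server" (TransferAnyServer) lets anyone on the network run an AXFR and dump every
# hostname in the zone, which is the first thing done in reconnaissance, so never leave it so.
Set-DnsServerPrimaryZone -ComputerName ns1.corp.example -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.1.0.11 `
    -Notify NotifyServers -NotifyServers 10.1.0.11

# On the secondary: pull the zone from the primary (the wizard's "master server" address).
Add-DnsServerSecondaryZone -ComputerName ns2.corp.example -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers 10.1.0.10

# Is the secondary current? Compare the SOA serial on both servers, as the notes describe.
function Get-ZoneSerial([string]$Server, [string]$ZoneName) {
    (Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType Soa).RecordData.SerialNumber
}
$primarySerial   = Get-ZoneSerial ns1.corp.example $zone
$secondarySerial = Get-ZoneSerial ns2.corp.example $zone
if ($secondarySerial -lt $primarySerial) {
    Write-Warning "Secondary is behind ($secondarySerial < $primarySerial); pulling from master"
    # Equivalent of right-click "Transfer from Master" (add -FullTransfer for "Reload from Master").
    Start-DnsServerZoneTransfer -ComputerName ns2.corp.example -Name $zone
}

# Prove the restriction works: an AXFR from a host that is not listed must be refused.
# (Windows nslookup reads commands from stdin; "ls -d" is its zone-transfer command.)
"ls -d $zone" | nslookup - ns1.corp.example
```

The expected result of the last line is "Query refused"; a full listing there means the zone can be dumped by anyone on the network.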

How to change form Primary to Secondary or Secondary to primary or Active


directory integrated to secondary or primary like that (simply one type of zone
to another type of zone)?

Go to the properties of the zone click on general tab, there you can find the
option called “Change” click on it then select appropriate option.
Then click on OK

How to pause the zone?


Go to properties of a zone click on General tab click on Pause button.

What system was used before DNS to resolve host names?
A static HOSTS file on every machine (still present as
%systemroot%\system32\drivers\etc\hosts and still consulted before DNS; on
Windows networks NetBIOS name resolution with WINS or LMHOSTS played the same
role for NetBIOS names).

How to know whether a DNS name exists on the Internet?
Query a public resolver or the name's authoritative servers with nslookup
(nslookup name, or nslookup -type=NS domain): a registered domain returns NS
records, an unregistered one returns "Non-existent domain" (NXDOMAIN). A
WHOIS lookup shows the registration itself.

Recursive query
The query that has been sent to my DNS server from my computer, expecting a
complete answer.
Iterative query
The queries that my DNS server sends to other DNS servers (root, top-level
domain, authoritative) to find the IP address of a particular server; each
of them may reply with a referral instead of the answer.

When you install a Windows 2000 DNS server, it comes pre-configured with the
names and addresses of the Internet root DNS servers (the root hints file,
cache.dns). Every DNS server that resolves Internet names starts from these
root servers, so every single DNS server on the Internet can get to the root.

DNS requirements:
First and foremost has to support SRV records (SRV record identifies a
particular service in a particular computer) (in windows 2000 we use SRV
records to identify Domain controllers, identifying Global Catalogue, etc.

Second and third are not requirements but recommended.


Second is Dynamic Updates
Third one is IXFR (Incremental Zone Transfer)

Note: Most DNS servers support AXFR (i.e., Entire zone transfer)
In incremental we transfer only changes, but in AXFR we transfer whole.

How does DNS server know the root domain server addresses?
Every DNS server that has installed on Internet has pre configured with root
DNS server addresses.
Every single server can get to the root. So that only every DNS server on the
Internet first contacts root DNS servers for name resolution.

Where can you find the address of root servers in the DNS server?
Open the DNS console  Right click on the domain name  drag down to
properties  click on Root hints. Here you can find different root server
addresses.

Note: When you install the DNS service on a 2000 server operating system and
have not yet configured anything, it starts functioning as a caching-only DNS
server.
What is a caching-only DNS server?
A DNS server that hosts no zones of its own (it is authoritative for nothing)
and resolves every query by recursion through the root hints or through a
forwarder, keeping the answers in its cache for their TTL so that repeat
queries are answered locally. It needs no zone transfers and is the usual
choice for a branch office or a DMZ resolver.

What is a forwarder?
(Open the DNS console -> right click on the server name -> Properties -> click
on the Forwarders tab)
A forwarder is another DNS server to which this server sends the queries it
cannot answer from its own zones or cache, instead of walking the root hints
itself. Typically our present DNS server is on the internal network and cannot
resolve Internet names: it is behind a firewall, or it uses a proxy or NAT
server to reach the Internet. Then this server forwards the query to another
DNS server that can resolve Internet names (for example the DMZ resolver or
the ISP's). The server still answers its own zones directly; only names it is
not authoritative for are forwarded.
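Root hints, forwarders and the caching-only state seen from the DnsServer module, as an added example that is not part of the original notes. It assumes Windows Server 2012 or later; the forwarder addresses 10.1.0.1 and 10.1.0.2 are hypothetical.

```powershell
# Added example (not from the original notes): inspect and configure the recursion path with
# the DnsServer module. "10.1.0.1" and "10.1.0.2" are hypothetical forwarder addresses.
Import-Module DnsServer

# A caching-only server is simply one with no zones of its own: on such a server this lists
# only the automatically created zones (IsAutoCreated = True).
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsAutoCreated

# Root hints: the server's starting point when no forwarder answers.
Get-DnsServerRootHint | ForEach-Object { $_.NameServer.RecordData.NameServer }

# Forwarders: send everything we are not authoritative for here; fall back to root hints
# only if every forwarder is unreachable (-UseRootHint $true).
Set-DnsServerForwarder -IPAddress 10.1.0.1, 10.1.0.2 -UseRootHint $true -Timeout 3
Get-DnsServerForwarder

# Do not create a "." zone on a server that must resolve Internet names: once it believes it
# is the root it never consults root hints or forwarders. Detect that state:
if (Get-DnsServerZone -Name "." -ErrorAction SilentlyContinue) {
    Write-Warning "A root zone exists on this server; Internet names will not resolve here"
}

# Recursion should be offered only to clients you trust: an open recursive resolver reachable
# from the Internet is a DDoS amplifier and a cache-poisoning target. Enable = True is the
# default, so pair it with a firewall rule that limits port 53 to internal subnets.
Get-DnsServerRecursion
```

A DC whose forwarders all point at an ISP resolver that has gone away shows the same symptom as a stray "." zone (internal names work, Internet names fail), which is why the script checks both.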

What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables
a server to automatically assign an IP address to a computer from a defined
range of numbers (i.e., a scope) configured for a given network.

How to install DHCP?

We can install DHCP by two ways

1) While installing Operating System

While installing Operating System, It asks at Network Settings


whether u want Typical settings or Custom Settings
Select Custom Settings -> Select Networking Services -> click on Details ->
Select DHCP -> click on OK

2) Independently

Programs -> Settings -> Control Panel -> Add/Remove Programs ->
Add/Remove Windows Components -> Select Networking Services -> Click on
Details -> Select DHCP -> OK
(During the installation it asks for CD)

Note: When you have installed DHCP a icon will appear in Administrative Tools
(DHCP)

How to uninstall DHCP?


Programs -> Settings -> Control Panel -> Add/Remove Programs ->
Add/Remove Windows Components -> Select Networking Services -> Click on
Details -> Deselect DHCP -> OK

How to open DHCP?


Start -> Programs -> Administrative Tools -> DHCP
Or
Start -> Run -> dhcpmgmt.msc

How to configure DHCP?


Open DHCP console by typing “dhcpmgmt.msc” at run prompt
Now you will find in DHCP console

DHCP

Right click on DHCP -> Click on Add Server

Then you will get a window

This server
[________________] BROWSE

Select the DHCP server

OK

Now you will get

DHCP
Servername.domain.com [IP address]

Note: Some time the window comes automatically with creating the “Add
Server”. Such cases check the IP address whether it is correct or not. If it is
wrong delete it and recreate it.
Now you have DHCP server.
Now you have to authorize the DHCP Server to provide IP addresses to the
clients.

Who can authorize DHCP server in the entire domain?


Only a member of Enterprise Admins can authorize a DHCP server (authorization
writes the server into the Configuration partition, which is forest-wide). A
domain administrator without Enterprise Admins membership cannot authorize it.
A Windows DHCP server in an Active Directory domain checks whether it is
authorized and refuses to lease addresses if it is not; this is the built-in
defence against rogue DHCP servers on the network.

Note: If the server is not authorized a red symbol (down red arrow) appears
next to it; once you authorize it, a green up arrow appears.

How to authorize the DHCP server?


Login with Enterprise administrator privileges.
Right Click on Servername.Domainname.com
Click on Authorize
Then it will be authorized (Indication is you will get green up arrow)

Now you have to create scope.


Note: A scope is range of IP addresses that you want to allocate to the clients.

How to create a scope?


Right click on servername.Domainname.com
Click on New Scope.
Click on Next.
Type Name [ ______________________]
Description [_______________________]

Note: Generally we give the name as Network ID.

Click on Next.

Start IP address [______________________]


End IP address [______________________]

(Provide the starting IP address and End IP address)

Click on Next

Note: If you want any exclusions (addresses inside the range that must never
be handed out) you can add them here.

Starting IP address [______________] Ending IP address [__________]

[Add] [Remove]

What is the default lease duration, minimum lease duration and maximum
lease duration?
By default a client gets an 8-day lease on its IP address.
Note: You can increase or decrease the lease duration; the wizard lets you set
it in days, hours and minutes, from 1 minute up to 999 days 23 hours 59
minutes (or "unlimited").
Note: A client does not have to log on to keep its address. It asks the
server to renew the lease when 50% of the duration has passed (T1); if the
server does not answer it retries, at 87.5% (T2) it broadcasts to any DHCP
server, and if the lease is still not renewed when it expires the client
stops using the address and starts a new discover.
Click Next
Now you will get a window asking whether you want to configure the scope
options (DNS, WINS, Router etc.).
You can configure the options now, or later after completing the wizard.
Select any one then click Next.

Click Finish.

Note: If u have selected “NO” in the above window you can configure above
things anytime like below

Click on Server Options (or Scope Options) -> Configure Options ->


Select the required ones
Enter server name, IP address
Click OK
Now you have to activate the “Scope”

Right click on the Scope -> Click on Activate

Note: You can reserve IP address for specific Clients. Or You can Exclude IP
address (without allocation) for future purpose.

The above things all are in server.

Now you have to configure Client system.

Go to Client System

Right click on My Network Places -> drag down to Properties -> Right click on
Local Area Connection -> drag down to Properties -> select TCP/IP -> click on
Properties

Now you will get one window containing TCP/IP properties

In that select “assign IP address automatically” and select “assign DNS address
automatically”
Click on “More” delete the DNS suffix if anything is there.

Click OK

Then the client takes IP address automatically from DHCP server.


The DHCP server also provides DNS, WINS, ROUTER addresses also.

Note: You must assign a static IP address for DHCP server.


(Generally in real time people will assign static IP address not only for DHCP
server but also for all servers. Because if you assign automatic IP Address if
DHCP is down then all servers will not function properly.)

Note: The DHCP server assigns IP address to the clients. But apart from that it
also provides DNS address, default gateway, WINS address and so on, which are
configured in DHCP server.
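The whole server-side procedure above (authorize, scope, exclusion, options, reservation, activate) plus the client setting, as an added example that is not part of the original notes. It uses the DhcpServer module (Windows Server 2012+) and hypothetical addresses: server dhcp01.corp.example at 10.1.0.5, scope 10.1.0.0/24, gateway 10.1.0.1, DNS 10.1.0.10.

```powershell
# Added example (not from the original notes): the DHCP server configuration above with the
# DhcpServer module (Windows Server 2012+). Addresses are hypothetical: server dhcp01 at
# 10.1.0.5, scope 10.1.0.0/24, gateway 10.1.0.1, DNS 10.1.0.10.
Import-Module DhcpServer

# 1. Authorize in AD (requires Enterprise Admins). An unauthorized Windows DHCP server in an
#    AD domain stops leasing when it finds it is not listed, which is what stops a rogue server.
Add-DhcpServerInDC -DnsName dhcp01.corp.example -IPAddress 10.1.0.5
Get-DhcpServerInDC      # every authorized server; anything here you do not recognise is a problem

# 2. Scope named after the network ID, as the notes recommend, with the 8-day default lease.
Add-DhcpServerv4Scope -Name "10.1.0.0" -StartRange 10.1.0.50 -EndRange 10.1.0.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# 3. Exclude addresses inside the range that are assigned statically (servers, printers).
Add-DhcpServerv4ExclusionRange -ScopeId 10.1.0.0 -StartRange 10.1.0.50 -EndRange 10.1.0.59

# 4. Options handed out with every lease: router (3), DNS servers (6), DNS domain name (15).
Set-DhcpServerv4OptionValue -ScopeId 10.1.0.0 -Router 10.1.0.1 -DnsServer 10.1.0.10 -DnsDomain corp.example

# 5. A reservation ties one address to one MAC, for a client that must always get the same IP.
Add-DhcpServerv4Reservation -ScopeId 10.1.0.0 -IPAddress 10.1.0.100 -ClientId "00-11-22-33-44-55" -Name "printer01"

# Checks: scope state, current leases, and the per-day audit log the server writes.
Get-DhcpServerv4Scope
Get-DhcpServerv4Lease -ScopeId 10.1.0.0 | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
Get-DhcpServerAuditLog

# Client side, the equivalent of "Obtain an IP address / DNS server address automatically":
#   Set-NetIPInterface -InterfaceAlias "Ethernet" -Dhcp Enabled
#   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses
#   ipconfig /renew
```

Get-DhcpServerInDC is worth running from a scheduled task: a server that appears there without a change ticket is either a rogue that someone authorized or an Enterprise Admins account being misused.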

What is the protocol that is used for DHCP process?


BOOTP. DHCP is built on BOOTP: it uses the same message format and the same
UDP ports (server 67, client 68) and adds option fields and leases, so a
router that forwards BOOTP broadcasts also forwards DHCP.

Why DHCP Relay Agent is used?


To extend DHCP services to subnets on the far side of routers that do not
forward DHCP/BOOTP broadcasts (no BOOTP/DHCP relay, "ip helper-address", is
configured on the router). The relay agent receives the client's broadcast on
its own subnet and unicasts it to the DHCP server, then relays the reply back.

What are the commands used for DHCP?


Ipconfig
Ipconfig /all
Ipconfig /release
Ipconfig /renew
What is the process of assigning IP address by DHCP service?
There are four stages in assigning IP address to a host by DHCP server.
1) DHCP discover
2) DHCP offer
3) DHCP request
4) DHCP Acknowledge

DHCP Discover:
Whenever a client has to obtain an IP address from a DHCP server it broadcasts
a "DHCP discover" message, with destination address 255.255.255.255 and source
IP address 0.0.0.0 (from UDP port 68 to UDP port 67), carrying its MAC address
so that the server can reply to it.
DHCP Offer:
Every DHCP server on the segment that hears the discover responds with a DHCP
offer message proposing an IP address (and lease length) to the client. This
is where a rogue DHCP server gets in: the client takes the first offer it
receives, whoever sent it.
DHCP Request:
The client, after receiving the offer(s), broadcasts a "DHCP request" message
asking the chosen DHCP server to confirm the IP address it offered; the
broadcast also tells the other servers that their offers were declined.
DHCP Acknowledge:
The chosen DHCP server responds to the "DHCP request" with a DHCP acknowledge
(DHCPACK) confirming the IP address, the lease duration and the options
(gateway, DNS, etc.) to the client. Only now may the client use the address.

Note: You can also enable DHCP in a workgroup for dynamic allocation of IP
addresses. Configure the server operating system in the workgroup as a DHCP
server, then on the client go to the TCP/IP properties and select "Obtain an IP
address automatically". The client then gets an IP address from the DHCP
server. You need not configure DNS or anything else for this to work.
Using APIPA
On occasion, a network PC boots up and finds that the DHCP server is not
available. When this happens, the PC keeps polling for a DHCP server at
intervals until one answers.

In the meantime the Automatic Private IP Addressing (APIPA) feature lets the
DHCP client configure itself until a DHCP server becomes available. APIPA
makes the client pick an address in the range 169.254.0.1 to 169.254.255.254
with a subnet mask of 255.255.0.0 (the Class B-sized block 169.254.0.0/16,
which is reserved for link-local use). Such an address only works on the
local segment: a machine with a 169.254.x.x address has no default gateway and
no DNS server, so seeing one on a client is a sure sign that DHCP failed.
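The four-step exchange and the APIPA fallback described above, as an added example in Python (this is not code from the original document): it encodes and decodes DHCP messages in the RFC 2131/2132 layout, plays both sides of Discover, Offer, Request and Acknowledge in memory, and then classifies an address as APIPA. The transaction ID, client MAC address, server address and lease values are constructed sample data, and nothing is sent on the wire.

```python
"""DHCPv4 message encoder/decoder (RFC 2131/2132) used to walk the
Discover -> Offer -> Request -> Acknowledge exchange in memory."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2           # op field: client -> server, server -> client
# Option 53 (DHCP message type) values for the four DORA messages
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")   # link-local block used by APIPA


def ip(addr):
    """Pack a dotted-quad string into the 4 bytes that DHCP options carry."""
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=None):
    """Encode one DHCP message: 236-byte BOOTP header, magic cookie, TLV options.
    The 0.0.0.0 -> 255.255.255.255 addressing lives in the IP header; inside
    the payload the client is known only by its xid and chaddr (MAC)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,              # htype 1 = Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,           # secs 0, flags: broadcast bit set
        b"\0" * 4,                # ciaddr: client has no address yet
        ip(yiaddr),               # yiaddr: the offered / assigned address
        b"\0" * 4, b"\0" * 4,     # siaddr, giaddr (no relay agent involved)
        chaddr,                   # struct pads the 6-byte MAC to 16 bytes
        b"\0" * 64, b"\0" * 128)  # sname, file: unused here
    body = bytes([53, 1, msg_type])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"   # 255 = end of options


def parse(packet):
    """Decode a DHCP message into a dict; rejects anything without the cookie."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack_from("!BBBBIHH", packet)
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:            # option 0 is a single pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": packet[28:28 + hlen],
            "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
            "type": opts[53][0], "options": opts}


def dora(client_mac, server_ip, offered_ip, mask, router, dns, lease_secs):
    """Play both sides of the exchange and return the four parsed messages."""
    xid = 0x3903F326          # constructed transaction id; real clients pick it at random
    lease = {1: ip(mask), 3: ip(router), 6: ip(dns),
             51: struct.pack("!I", lease_secs), 54: ip(server_ip)}
    # 1. client broadcasts a Discover: no address, only its MAC and xid
    d = parse(build(BOOTREQUEST, xid, client_mac, DISCOVER))
    # 2. server answers with an Offer carrying the proposed lease and its own id (option 54)
    o = parse(build(BOOTREPLY, d["xid"], d["chaddr"], OFFER, offered_ip, lease))
    # 3. client broadcasts a Request naming the offered address (50) and chosen server (54)
    r = parse(build(BOOTREQUEST, xid, client_mac, REQUEST,
                    options={50: ip(o["yiaddr"]), 54: o["options"][54]}))
    # 4. server confirms with an ACK; only now may the client use the address
    wanted = str(ipaddress.IPv4Address(r["options"][50]))
    a = parse(build(BOOTREPLY, r["xid"], r["chaddr"], ACK, wanted, lease))
    return [d, o, r, a]


def is_apipa(addr):
    """True when a client fell back to an APIPA address because no DHCP server answered."""
    return ipaddress.IPv4Address(addr) in APIPA_NET


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed client MAC
    for m in dora(mac, "192.168.1.10", "192.168.1.50", "255.255.255.0",
                  "192.168.1.1", "192.168.1.10", 86400):
        print(m["type"], m["op"], m["yiaddr"], hex(m["xid"]))
    print(is_apipa("169.254.12.7"), is_apipa("192.168.1.50"))
```

Note that the Offer and the ACK carry the same lease options: a client that accepts the Offer and then sees different values in the ACK has been answered by a second, possibly rogue, DHCP server, which is why the Request names the chosen server in option 54.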

What is the family of Windows 2000?

• Windows 2000 Professional (desktop operating system)
• Windows 2000 Server (server operating system)
• Windows 2000 Advanced Server (server operating system)
• Windows 2000 Datacenter Server (server operating system)

What is the family of Windows NT?

• Windows NT Workstation (desktop)
• Windows NT 4.0 Server (server)
• Windows NT 4.0 Enterprise Server (server)

What is the Windows Server 2003 family?

• Windows Server 2003, Web Edition
• Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition

What is the difference between Desktop and Server?

On a desktop system you cannot install Active Directory.

On a server system you can install Active Directory, so you can create a
domain on Server, Advanced Server or Datacenter Server.
Professional has no fault tolerance on the hard drive (disk mirroring, RAID 5).
Server has fault tolerance on the hard drive.

What is the difference between Windows 2000 Server and Windows 2000
Advanced Server / Datacenter Server?
Windows 2000 Server does not have clustering or Network Load Balancing, whereas
Windows 2000 Advanced Server and Datacenter Server do.
Advanced Server and Datacenter Server also support more RAM and more
processors.

What are the minimum and maximum configurations for the Windows family?

Windows 2000 operating system family

OS name                         Processor (min.)  RAM (min.)  RAM (rec.)  Free disk space            Supported processors  Max RAM
Windows 2000 Professional       Pentium 133 MHz   32 MB       64 MB       650 MB (1 GB rec.)         2                     4 GB
Windows 2000 Server             Pentium 133 MHz   128 MB      256 MB      approx. 1 GB (2 GB rec.)   4                     4 GB
Windows 2000 Advanced Server    Pentium 133 MHz   128 MB      256 MB      approx. 1 GB (2 GB rec.)   8                     8 GB
Windows 2000 Datacenter Server  Pentium 133 MHz   128 MB      256 MB      approx. 1 GB (2 GB rec.)   32                    64 GB

CPU requirements for Windows Server 2003

Specification                   Standard Edition    Enterprise Edition
Minimum recommended CPU speed   550 MHz             550 MHz
Number of CPUs supported        1-4                 1-8

Minimum and maximum RAM for Windows Server 2003

RAM specification               Standard Edition    Enterprise Edition
Minimum recommended RAM         256 megabytes (MB)  256 MB
Maximum RAM                     4 gigabytes (GB)    32 GB

What are the differences between Windows 2000 Professional and the server
versions?
Professional has no fault tolerance (mirroring, RAID 5), whereas all server
versions have it.
Professional cannot run Active Directory, whereas all server versions can.
Professional and Windows 2000 Server have no clustering or Network Load
Balancing, whereas Advanced Server and Datacenter Server have clustering and
NLB.
Moving from Server to Advanced Server and from Advanced Server to Datacenter
Server, more RAM and more processors are supported.

What are the features of Windows 2000 professional?


Windows 2000 Professional improves the capabilities of previous versions of
Windows in five main areas: ease of use, simplified management, increased
hardware support, enhanced file management, and enhanced security features.

Which operating systems can you upgrade to Windows 2000?

Windows 3.1 cannot be upgraded to Windows 2000.
Windows 95/98, Windows NT 3.51 and Windows NT 4.0 can be upgraded directly to
Windows 2000.
Windows NT 3.1 or NT 3.5 must first be upgraded to Windows NT 3.51 or NT 4.0,
and then to Windows 2000.

What is the primary difference between a workgroup and a domain?


A workgroup is a distributed directory maintained on each computer
within the workgroup. A domain is a centralized directory of resources
maintained on domain controllers and presented to the user through Active
Directory services.

What is a Stand-alone computer?


A computer that belongs to a workgroup, not a domain, is called a stand-alone
computer.

What are a Domain Controller and a Member Server?

With Windows 2000, a server in a domain has one of two roles:
Domain controllers, which hold matching (replicated) copies of the user
accounts and other Active Directory data for the domain and authenticate
logons.
Member servers, which belong to the domain but do not hold a copy of the
Active Directory data. A member server is any server that has not been
configured as a domain controller; it cannot authenticate domain users itself
and instead provides shared resources such as folders or printers.

Client computers running Windows 2000 Professional run a user's desktop
environment and allow the user to gain access to resources in the domain.

Can you change the Name of a Domain Controller?


You cannot change the name of a server while it is a domain controller in
windows 2000 domain. Instead, you must change it to a member or stand-alone
server, change the name, and finally make the server a domain controller once
again.
But you can change the name of a domain controller in windows 2003
Operating System.

Why do we need Multiple Domain Controllers?


If you have multiple domain controllers, it provides better support for users
than having only one. Multiple domain controllers provide automatic backup for
user accounts and other Active Directory data, and they work together to
support domain controller functions (such as validating logons).

What is the structure and purpose of a directory service?

A directory service consists of a database that stores information about
network resources, such as computers and printers, and the services that make
this information available to users and applications.

What is Active Directory?

Active Directory is a directory service which stores information about network
resources such as users, groups, computers, printers and shares. Active
Directory provides a single point of organization, control and management.
Note: In layman's terms, Active Directory is something like the Yellow Pages.

What roles does the first domain controller in the entire forest (the "main"
domain controller) have by default?
By default it gets all 5 roles:
• Schema Master
• Domain Naming Master
• PDC Emulator
• Relative Identifier (RID) Master
• Infrastructure Master (IM)

Note: The above roles are called operations master roles.

What roles does an additional domain controller have by default?
By default it gets no role, but any role can be transferred to it from the
current holder.
What roles does the first domain controller of a child domain have by default?
By default it gets only the three domain-wide roles (the Schema Master and
Domain Naming Master exist once per forest and stay in the forest root):
• PDC Emulator
• Relative Identifier (RID) Master
• Infrastructure Master (IM)

What roles does an additional domain controller in a child domain have by
default?
By default it gets no role, but a role can be transferred to it from the first
domain controller of the child domain.

Explain the activities of each role.

1) Schema Master:
The only domain controller in the forest allowed to write to the schema (the
definitions of object classes and attributes). Schema changes are made here
and then replicated to every domain controller in the forest.
2) Domain Naming Master:
Controls the adding and removing of domains in the forest, so that every
domain name stays unique and no duplicate domain can be created.
3) RID Master:
Hands out pools of relative IDs (RIDs) to each domain controller in the domain.
A domain controller builds the SID of every new user, group or computer as
domain SID + RID, so the pools guarantee that SIDs are unique.
4) PDC Emulator:
Acts as the Primary Domain Controller for any remaining Windows NT BDCs and
down-level clients (replicating the user database to the BDCs), and in a pure
Windows 2000 domain it still receives password changes from the other domain
controllers first. If a user's password does not match on a domain controller,
that domain controller contacts the PDC Emulator before rejecting the logon,
in case the password was changed recently and has not replicated yet. It is
also the domain's default time source and the default target for Group Policy
edits.
5) Infrastructure Master:
Keeps cross-domain object references up to date, for example when a user from
another domain is a member of a group in this domain and that user is renamed
or moved. It compares its references with a Global Catalog and updates them.

Which roles must be on the same server?

Domain Naming Master and Global Catalog (in a Windows 2000 forest the Domain
Naming Master must be a Global Catalog server; from the Windows Server 2003
forest functional level on this is no longer required).

Which roles must not be on the same domain controller?
Infrastructure Master and Global Catalog.
Note: If you have only one domain you won't get any problem even if both are
on the same server. If you have two or more domains in the forest they should
not be on the same server: a Global Catalog already holds a copy of every
object in the forest, so an Infrastructure Master that is also a Global Catalog
never notices stale cross-domain references and never updates them on the
other domain controllers. The exception is when every domain controller in the
domain is a Global Catalog, because then there are no references to update.

What is the Global Catalog?

This is a database held on one or more domain controllers. Each copy of the
database contains a replica of every object in the Active Directory forest,
but with only a limited set of each object's attributes (the partial attribute
set).

Uses of the Global Catalog

Contains a partial replica of all objects in the entire forest, so forest-wide
searches can be answered without referrals.
Contains the membership of universal groups, which is needed to build a user's
token at logon.
Resolves user principal names (UPNs): at logon it finds which domain a UPN
belongs to, and when you create a UPN it checks that no other object in the
forest already has that name.

How to check which server the above roles are assigned to?
Install the Support Tools from the CD (Support\Tools\setup.exe).
At a command prompt type "netdom query fsmo". It lists the holder of each of
the five roles for the current domain (the Schema and Domain Naming roles are
forest-wide).

What is FSMO?
Flexible Single Master Operations
Note: The above five roles are called FSMO roles.
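As an added example (not from the original document) covering both the netdom query fsmo check and the two Global Catalog placement rules above: Python that parses the text netdom prints and flags an Infrastructure Master that is also a Global Catalog in a multi-domain forest, or a Domain Naming Master that is not a Global Catalog in a Windows 2000 forest. The netdom output, server names and forest layout are constructed sample data; the row labels differ between Support Tools versions, so both spellings are accepted.

```python
"""Parse `netdom query fsmo` output and check the Global Catalog placement
rules for the Infrastructure Master and Domain Naming Master."""

# Labels netdom prints (both the Windows 2000 and the later wording), mapped
# to the role names used in the text
ROLE_LABELS = {
    "Schema owner": "SchemaMaster", "Schema master": "SchemaMaster",
    "Domain role owner": "DomainNamingMaster", "Domain naming master": "DomainNamingMaster",
    "PDC role": "PDCEmulator", "PDC": "PDCEmulator",
    "RID pool manager": "RIDMaster",
    "Infrastructure owner": "InfrastructureMaster", "Infrastructure master": "InfrastructureMaster",
}


def parse_netdom_fsmo(text):
    """Return {role: holder_fqdn} from the text `netdom query fsmo` prints."""
    roles = {}
    for line in text.splitlines():
        # longest label first so "PDC role" is not swallowed by "PDC"
        for label in sorted(ROLE_LABELS, key=len, reverse=True):
            if line.startswith(label + " "):
                roles[ROLE_LABELS[label]] = line[len(label):].strip().lower()
                break
    if len(roles) != 5:
        raise ValueError("expected five role owners, got %d" % len(roles))
    return roles


def check_gc_placement(roles, dcs, domain, win2000_forest=True):
    """dcs: {fqdn: {"domain": name, "gc": bool}} for every DC in the forest.
    Returns a list of findings; an empty list means the placement is sound."""
    findings = []
    forest_domains = {d["domain"] for d in dcs.values()}
    im = roles["InfrastructureMaster"]
    dnm = roles["DomainNamingMaster"]
    in_domain = [d for d in dcs.values() if d["domain"] == domain]
    # Rule 1: in a multi-domain forest the Infrastructure Master must not be a
    # GC, unless every DC in its domain is a GC (then nothing is left to fix up).
    if (len(forest_domains) > 1 and dcs[im]["gc"]
            and not all(d["gc"] for d in in_domain)):
        findings.append(
            f"Infrastructure Master {im} is a Global Catalog while other DCs in "
            f"{domain} are not; cross-domain references will go stale")
    # Rule 2: in a Windows 2000 forest the Domain Naming Master must be a GC.
    if win2000_forest and not dcs[dnm]["gc"]:
        findings.append(f"Domain Naming Master {dnm} is not a Global Catalog")
    return findings


# Constructed sample output of `netdom query fsmo` run on a DC of corp.example.com
SAMPLE_NETDOM = """\
Schema owner                dc1.corp.example.com

Domain role owner           dc1.corp.example.com

PDC role                    dc2.corp.example.com

RID pool manager            dc2.corp.example.com

Infrastructure owner        dc1.corp.example.com

The command completed successfully.
"""

# Constructed forest: a root domain with two DCs and one child domain
SAMPLE_DCS = {
    "dc1.corp.example.com": {"domain": "corp.example.com", "gc": True},   # first DC: GC by default
    "dc2.corp.example.com": {"domain": "corp.example.com", "gc": False},
    "dc1.sales.corp.example.com": {"domain": "sales.corp.example.com", "gc": False},
}


if __name__ == "__main__":
    roles = parse_netdom_fsmo(SAMPLE_NETDOM)
    for role, holder in roles.items():
        print(f"{role:22} {holder}")
    for finding in check_gc_placement(roles, SAMPLE_DCS, "corp.example.com"):
        print("WARNING:", finding)
```

With the sample data the check reports the Infrastructure Master on dc1 (the default, Global Catalog-enabled first domain controller) as a problem once the child domain exists; moving that one role to dc2 clears it.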

How to check which server has the Global Catalog?

First load the Support Tools.
Run -> ldp
In the window that opens click Connection -> Connect and type the required
server name.
The RootDSE attributes that are displayed include "isGlobalCatalogReady:
TRUE" or "isGlobalCatalogReady: FALSE". TRUE means the server is a Global
Catalog server; FALSE means it is not.

Note: By default the Global Catalog is enabled on the first domain controller
of the forest and disabled on additional domain controllers. The Global Catalog
is not a role that is transferred: you enable it on any additional domain
controller by ticking "Global Catalog" on the NTDS Settings properties of that
server in Active Directory Sites and Services.

How to transfer a role from one domain controller to another domain
controller?
Start -> Programs -> Administrative Tools -> Active Directory Users and
Computers
Right-click the domain name -> Connect to Domain Controller and connect to the
server that is to receive the role. Then right-click the domain name again ->
Operations Masters. You get three tabs (RID, PDC, Infrastructure). Select the
required one -> click Change -> OK.
The Domain Naming Master is transferred the same way from Active Directory
Domains and Trusts, and the Schema Master from the Active Directory Schema
snap-in. All five can also be transferred (or, if the old holder is dead,
seized) with ntdsutil.

How to start/stop a service from command prompt?


Go to the command prompt, type
“Net start service name” (To start a service)
“Net stop service name” (To stop a service)
Ex: “net start netlogon”
“Net stop netlogon”

What is a domain controller?

A domain controller is a server that holds a replicated copy of the user
accounts and other Active Directory data for a given domain and authenticates
logons to that domain.

What is a member server?

A member server belongs to a domain but does not hold a copy of the Active
Directory data.
What is a standalone server?
A server that belongs to a workgroup, not a domain, is called a stand-alone
server.
What is a standalone computer?
A computer that belongs to a workgroup, not a domain, is called a stand-alone
computer.
Note: With Windows 2000 it is possible to change the role of a server back and
forth between domain controller and member server (or stand-alone server) even
after Setup is complete, by running DCPROMO.

What is a client?
A client is any device, such as personal computer, printer or any other server,
which requests services or resources from a server. The most common clients
are workstations.

What is a server?
A server is a computer that provides network resources and services to
workstations and other clients.

What is the main domain controller?

The first computer in the entire forest on which you ran DCPROMO (the forest
root domain controller).

What is an additional domain controller?

A second (or further) domain controller in the same domain. It holds a full
replica of the domain and is added to share the load of the first domain
controller and to provide fault tolerance.

What is a child domain controller?

The first domain controller of a child domain (a sub-domain of an existing
domain in the tree). The difference is that an additional domain controller is
a replica of the same domain, used for load balancing and fault tolerance,
whereas a child domain controller creates a new, separate domain, and each has
its own default set of roles.

How to know whether a server is a domain controller or not?

You can find out in these ways:
1) From the logon dialog box
If it is a domain controller, the "Log on to" list has no "this computer"
entry. If you do get a "this computer" entry on a server operating system,
it must be a member server.

2) From My Computer -> Properties
On the Network Identification tab the Properties button is disabled on a
domain controller.

3) By running DCPROMO
If it is already a domain controller you get the wizard to remove Active
Directory. If it is not a domain controller you get the wizard to install
Active Directory.
4) Type "net share" at the command prompt: a domain controller has the
NETLOGON and SYSVOL shares.
5) A domain controller has an NTDS folder (containing the directory database
ntds.dit) under the winnt directory.
6) A domain controller has the NTDS service key in the registry under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS.

Who replicates password changes?

The PDC Emulator. A password change made on any domain controller is
replicated to the PDC Emulator immediately (urgent replication), then to all
the other domain controllers on the normal schedule.
What file systems do we have in Windows?
FAT/FAT16/FAT32/NTFS 4.0/NTFS 5.0

How to convert from FAT to NTFS?

convert <drive>: /fs:ntfs      (for example: convert D: /fs:ntfs)

What is a forest?
A collection of one or more domain trees that do not form a contiguous
namespace. Forests allow organizations to group divisions that operate
independently but still need to communicate with one another.

All trees in a forest share a common schema, configuration partition and
Global Catalog. All domains in a given forest trust each other through
two-way transitive trust relationships.

What is a domain?
A group of computers that are part of a network and share a common directory
and security policies. In Windows 2000 a domain is described as a security
boundary, in that permissions granted in one domain are not automatically
carried over to other domains. In practice the forest is the real security
boundary: domains in a forest share a schema and configuration and trust
each other, so an administrator who controls one domain controller can affect
every domain in the forest.

What is a user principal name?

username@domainname.com (the logon name in e-mail form)

What is a Fully Qualified Domain Name?

hostname.domainname.com (this is also referred to as the computer name)

How many hard disks can you connect to a system at a time?

With two IDE channels we can connect a maximum of four IDE devices, so four
hard disks if there is no CD-ROM.

What are they?

Primary Master
Primary Slave
Secondary Master
Secondary Slave
Note: We cannot have two devices of the same type on one channel at a time.

How many types of disks are there in Windows 2000?

Basic disk
Dynamic disk
The dynamic disk format does not work on a computer that contains more than one
operating system: the only operating system (at the time) that can access a
hard disk using the dynamic disk format is Windows 2000.

What is a partition?
Disk Partition is a way of dividing your Physical Disk so that each section
functions as a separate unit. A partition divides a disk into sections that
function as separate units and that can be formatted for use by a file system.

How many types of partitions are there?


Two types of partitions are there.
Primary partition
Extended partition.

What is the difference between a primary and an extended partition?

A primary partition is one on which you can install the files needed to load
an operating system (the active primary partition is the system partition). An
extended partition cannot hold boot files itself; it is a container that is
divided into one or more logical drives.

How many partitions can you create at most? (Of those, how many primary and
how many extended?)
On a basic disk you can create a maximum of 4 partitions, of which at most 1
can be an extended partition. You can create 4 primary partitions if you do
not have an extended one (or 3 primary plus 1 extended).

What is a volume?
A volume is a section of a dynamic disk (or of several dynamic disks) that
functions as a separate unit and can be formatted with a file system.

How many types of volumes are there?

There are 5 types of volumes:
Simple
Spanned
Striped (also called RAID 0)
Mirrored (also called RAID 1)
RAID 5 (also called striped volumes with parity)

What is the difference between a partition and a volume?

You have a limit on the number of partitions.
You don't have a limit on the number of volumes.
You cannot extend the size of a partition.
You can extend the size of a volume.

What is the active (system) partition?

The partition that holds the boot files for your current operating system.

What are the system volume and the boot volume?

The system volume is the one that holds the boot files (ntldr, boot.ini,
ntdetect.com). Whichever partition is marked active is the system partition.
The boot volume is the one that holds the operating system files (the
%SystemRoot% directory).

Note: In Windows NT and Windows 2000 the system files are copied by default to
the winnt directory; in Windows 2003 they are copied by default to the Windows
directory.

What can you tell by looking at the logon dialog box?

If it is the Windows 2000 Professional operating system, the machine may be a
standalone computer or a client in a domain: if you can see a domain name, it
is a client; if not, it is standalone.
If it is the Windows 2000 Server family, the machine may be a standalone
computer, a member server or a domain controller. If you can see a domain
name, it is either a member server or a domain controller; if not, it is a
standalone computer. If there is a domain name but no "this computer" option,
it must be a domain controller. If there is a domain name and also a "this
computer" option, it is a member server.

I have a file to which the user has access, but he has no folder permission
to read it. Can he access it?
Yes. A user can open a file for which he has permission even when he has no
List or Read permission on the folders above it, provided he knows the path of
the file. Windows allows this because the "Bypass traverse checking" user right
is granted to Everyone by default, so the parent folders are not checked, only
the file's own permissions. Even if the user cannot drill down the folder tree
in My Computer, he can reach the file by typing its full path (a local path or
a UNC path such as \\server\share\folder\file.txt) into the Run window. The
lesson for securing data is that permissions must be set on the files
themselves, not just on the containing folder.

What are Unicast, Multicast, and Broad cast?


Unicast: Just from one computer to one computer.
Multicast: Those who ever register for a particular multicast group to those
only.
Broadcast: To all the computers.

What is BIOS?
A computer's basic input/output system (BIOS) is a set of software through
which the operating system (or Setup) communicates with the computer's
hardware devices.

What is the advantage of NTFS over FAT?

You must use the NTFS file system on domain controllers. In addition, any
server that has a partition formatted with FAT or FAT32 lacks many security
features on that partition. For example, on FAT or FAT32 partitions a shared
folder can be protected only by the permissions set on the share, not on
individual files, and there is no protection at all against local access to
the partition (anyone who logs on locally can read everything).

• File and folder level security (ACLs)
• Disk compression
• Disk quotas
• File encryption (EFS)
• Remote storage
• Dynamic volumes
• Mounting volumes to folders
• Support for Macintosh files
• POSIX subsystem

Note: When you format a partition with NTFS, Windows NT and Windows 2000 (and
later Windows versions) are the only operating systems that can read the data
on it.

Note: The only reason to use FAT or FAT32 is for dual booting with a version of
Windows older than Windows 2000.

What is NetMeeting? What is the use of NetMeeting?


NetMeeting enables you to communicate with others over the Internet or your
local intranet. Using NetMeeting you can:
• Talk to others
• Use video to see others and let others see you
• Share applications and documents with others
• Collaborate with others in shared applications
• Send files to others
• Draw with others in a shared Whiteboard
• Send messages to others in chat

What features will you get when you upgrade from Windows NT to Windows 2000?
Active Directory includes the following features:

* Simplified management of network-resource information and user
information.
* Group Policy, which you can use to set policies that apply across a given
site, domain, or organizational unit in Active Directory.
* Security and authentication features, including support for Kerberos V5,
Secure Sockets Layer v3, and Transport Layer Security using X.509v3
certificates.
* Directory consolidation, through which you can organize and simplify the
management of users, computers, applications, and devices, and make it easier
for users to find the information they need. You can take advantage of
synchronization support through interfaces based on the Lightweight Directory
Access Protocol (LDAP), and work with directory consolidation requirements
specific to your applications.
* Directory-enabled applications and infrastructure, which make it easier to
configure and manage applications and other directory-enabled network
components.
* Scalability without complexity, a result of Active Directory scaling to
millions of objects per domain and using indexing technology and advanced
replication techniques to speed performance.
* Use of Internet standards, including access through Lightweight Directory
Access Protocol and a namespace based on the Domain Name System (DNS).
* Active Directory Service Interfaces (ADSI), a powerful development
environment.
* Additional features

Features Available with Upgrade of Any Server

The features in the following list are available when member servers are
upgraded in a domain, regardless of whether the domain controllers have been
upgraded. The features available when domain controllers are upgraded include
not only the features in the following list, but also those in the previous
one.

* Management tools:
  Microsoft Management Console, Plug and Play, Device Manager, the Add/Remove
  Hardware wizard (in Control Panel), support for universal serial bus, and a
  new Backup utility.

* File system support:
  Enhancements to the latest version of the NTFS file system include support
  for disk quotas, the ability to defragment directory structures, and
  compressed network I/O.

* Application services:
  Win32 Driver Model, DirectX 5.0, Windows Script Host.

* Printer protocol support:
  Device and protocol support allowing choices from more than 2,500 different
  printers. Other printing enhancements are included, for example Internet
  Printing Protocol support, which allows users to print directly to a URL over
  an intranet or the Internet.

* Scalability and availability:
  Improved symmetric multiprocessor support.

* Security:
  Encrypting File System.

Is there any situation to use the file system FAT or FAT32?


There is one situation in which you might want to choose FAT or FAT32 as your
file system. If it is necessary to have a computer that will sometimes run an
earlier operating system and sometimes run Windows 2000, you will need to
have a FAT or FAT32 partition as the primary (or startup) partition on the hard
disk.

Note: For anything other than a situation with multiple operating systems,
however, the recommended file system is NTFS.

NTFS
Some of the features you can use when you choose NTFS are:
* Active Directory, which you can use to view and control network resources
easily.
* Domains, which are part of Active Directory, and which you can use to fine-
tune security options while keeping administration simple. Domain controllers
require NTFS.
* File encryption, which greatly enhances security.
* Permissions that can be set on individual files rather than just folders.
* Sparse files. These are very large files created by applications in such a way
that only limited disk space is needed. That is, NTFS allocates disk space only
to the portions of a file that are written to.
* Remote Storage, which provides an extension to your disk space by making
removable media such as tapes more accessible.
* Recovery logging of disk activities, which helps you restore information
quickly in the event of power failure or other system problems.
* Disk quotas, which you can use to monitor and control the amount of disk
space used by individual users.
* Better scalability to large drives. The maximum drive size for NTFS is much
greater than that for FAT, and as drive size increases, performance with NTFS
doesn't degrade as it does with FAT.
Note:
It is recommended that you format the partition with NTFS rather than
converting from FAT or FAT32. Formatting a partition erases all data on the
partition, but a partition that is formatted with NTFS rather than converted
from FAT or FAT32 will have less fragmentation and better performance.

What options do you get when you shut down?
Log off
Restart
Shut down
Stand by
Hibernate
Disconnect
Stand by: Turns off your monitor and hard disks so that your computer uses
less power. It is a state in which your computer consumes less electric power
while idle but remains available for immediate use. Typically you put your
computer on stand by to save power instead of leaving it on for extended
periods.
In stand by mode the information in the computer's memory is not saved to the
hard disk, so if the computer loses power that information is lost.
This option appears only if your computer supports the feature and you have
selected it in Power Options (see Power Options overview in Help).
Hibernation: Turns off your monitor and hard disk, saves everything in memory
on disk, and turns off your computer. When you restart your computer, your
desktop is restored exactly as you left it.
A state in which your computer saves any Windows settings that you
changed, writes any information that is currently stored in memory to your
hard disk, and turns off your computer. Unlike shutting down, when you restart
your computer, your desktop is restored exactly as it was before hibernation.
Hibernate appears only if your computer supports this feature and you
have selected the Enable hibernate support option in Power Options. See
Power Options overview in Help.

Disconnect
A state, in which your Terminal Services session is disconnected, but
remains active on the server. When you reconnect to Terminal Services, you
are returned to the same session, and everything looks exactly as it did before
you disconnected.
Disconnect appears only if you are connected to a Windows 2000 Server
running Terminal Services.

Shut down
A state in which your computer saves any Windows settings that you
changed and writes any information that is currently stored in memory to your
hard disk. This prepares your computer to be turned off.

Restart
A state in which your computer saves any Windows settings that you
changed, writes any information that is currently stored in memory to your
hard disk, and then restarts your computer.

Log off
A state in which your computer closes all your programs, disconnects
your computer from the network, and prepares your computer to be used by
someone else.
When connected to a Windows 2000 Server running Terminal Services,
Log off closes all programs running in your Terminal Services session,
disconnects your session, and returns you to your Windows desktop.

What are the setup files that are used to install Windows 2000?
If you are installing from DOS the setup file is winnt.exe.
If you are installing from Windows 95/98, Windows NT or Windows 2000 the
setup file is winnt32.exe.

What error message do you get when you run "winnt" instead of winnt32 on a
32-bit Windows operating system (such as Windows 95/98, Windows NT or Windows
2000)?

You get the following message in a DOS-mode screen:

Windows 2000 Setup
════════════════════
This program does not run on any 32-bit version of Windows.
Use WINNT32.EXE instead.
Setup cannot continue. Press ENTER to exit.

What is the location of “hcl.txt” (Hard ware compatibility list)?


In Windows 2000 (either professional or any kind of server) CD, there is a folder
called “support”. In the support folder the HCL.txt is placed.

What is the location of winnt and winnt32?


They are located in “i386” folder.

Where is the location of support tools?


In Windows 2000 (either professional or any kind of server) CD, there is a folder
called “support”. In the support folder there is a sub folder called “Tools”

How to load support tools?


In the Windows 2000 CD (either professional or any kind of server),
Click on support  Click on tools  Click on setup.exe

How to load the Admin Pack?

In the Windows 2000 CD (server family only),
open the i386 folder -> double-click adminpak.msi
Or
Go to the command prompt (on a server operating system only), change to the
winnt\system32 directory and type adminpak.msi or msiexec /i adminpak.msi
Note: Adminpak.msi is not included on the Professional CD.
You can install the administrative tools on a local computer, but you must have
administrative permissions on that computer to install and run the Windows
2000 Administration Tools.

How do you install the Windows 2000 deployment tools, such as the Setup
Manager Wizard and the System Preparation tool?
To install the Windows 2000 Setup Tools, display the contents of the Deploy.
cab file, which is located in the Support\Tools folder on the Windows 2000 CD-
ROM. Select all the files you want to extract, right-click a selected file, and
then select Extract from the menu. You will be prompted for a destination, the
location and name of a folder, for the extracted files.

How to create a boot floppy?

To create the boot floppies, open the Windows 2000 CD,
open the bootdisk folder -> run either makeboot (from MS-DOS) or makebt32
(from a 32-bit Windows).

What is Desktop?
The desktop, which is the screen that you see after you log on to
Windows 2000, is one of the most important features on your computer. The
desktop can contain shortcuts to your most frequently used programs,
documents, and printers.

Suppose your CD is an autoplay CD. What key is used to stop the CD from
autoplaying?
Hold down the Shift key for a few seconds immediately after inserting the CD.

What is Netware?
Netware is a computer network operating system developed by Novell.

What is Network?
A network is a group of computers that can communicate with each other,
share resources such as hard disks and printers, and access remote hosts or
other networks.

The basic components of a network are:


• One or more servers
• Workstations
• Network Interface Cards
• Communication media
• Peripheral devices (such as printers)

What is network Interface card?


A Network Interface Card is a circuit board installed on each computer to allow
servers and workstations to communicate with each other.
What are peripheral devices?
Peripheral devices are computer-related devices such as local printers, disk
drives and modems.

What is LAN driver?


The LAN driver controls the workstation’s Network Interface card.
A LAN driver serves as a link between an operating system of a station and the
physical network parts.

Why should we log on?

Logging on enables the user to use the resources and services, such as files,
printers and messaging, that are available on the network. At logon the
user's identity is authenticated and his or her rights to resources and
services are determined. When the user logs off, he or she is disconnected
from all parts of the network.

Drive Letters:
Each workstation can assign up to 26 letters to regular drive mappings.
Drive letters that are not used by local devices are available for network
drives.
Generally the Drive letters A and B represents floppy disk drives and C
represents the local hard disk.

What do you call the right hand side portion (i.e., where the clock and
other icons exist) of task bar?
System Tray or Notification area

What is Plug and Play?

Plug and Play hardware is hardware that Windows 2000 automatically detects,
installs and configures.

What is the command to encrypt a file from the command prompt?
Cipher.exe

What is the minimum and maximum size to create a partition in NTFS?
The minimum size to create a partition in NTFS is 8 MB.
The maximum size to create a partition in NTFS is the disk capacity.

How many ways can you install Windows 2000?
1) Insert the CD, boot from the CD, and install the O.S. (This is the best way.)
2) Boot from the floppy, insert the CD, and install the O.S.
3) Install over the network or from the hard disk. For this you have to
run WinNT or Winnt32.

Note: WinNT is used when you are installing from an operating system other than
Windows NT or 2000 (i.e., DOS, Windows 95/98 or any other).
Winnt32 is used if you are installing from Windows NT or Windows 2000.

What is WINS and what does it do?
WINS stands for Windows Internet Naming Service. It resolves NetBIOS
names to IP addresses. WINS is used only when you need to access NetBIOS
resources.

What was there in the network before WINS?
Initially the computers in the network communicated by broadcast. With a
small number of hosts there is no problem, but with more hosts on the network
more traffic is generated. So the LMHOSTS file (LAN Manager Hosts file) was
invented: the LMHOSTS file on each computer is configured with the IP address
and NetBIOS name of every other computer, and each computer looks into its
LMHOSTS file to resolve NetBIOS names. But configuring the LMHOSTS file of each
computer manually is time consuming and more difficult, so a centralized
LMHOSTS file was introduced: the LMHOSTS file is configured on one server and
each computer is told to use that file. Even so, the centralized LMHOSTS file
still has to be maintained manually. So Microsoft introduced WINS: you install
WINS on a server in the network and configure the computers to use that WINS
server. That's all; nothing needs to be configured on the WINS server, because
the WINS server makes an entry automatically when a client that is configured
to use WINS initializes.
Note: A UNIX host does not have the ability to register in the WINS database.
If there is a UNIX server in the network and you need to resolve it, you have to
configure the entry for that UNIX server in the WINS server manually.

What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. It is a naming
interface: the interface by which a client connects to the lower levels of the
TCP/IP model so that it can communicate and access resources.
In Windows NT we share resources through the NetBIOS interface. This
means that we use the NetBIOS name to connect the client to the server.

What is the length of a NetBIOS name?
A NetBIOS name is 16 characters long. The first fifteen characters you
can use for the server name; the 16th character is an identifier for the type of
service being registered.

What is the location of the LMHOSTS file (LAN Manager Hosts file) in Windows 2000?
Winnt\system32\drivers\etc\lmhosts.sam
Note: The .sam extension indicates that it is a sample file. You create the
working LMHOSTS file without that extension.
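
The NetBIOS name layout and the LMHOSTS file format from the two answers above, as an added example that is not part of the original document: a parser for LMHOSTS entries (including the #PRE and #DOM: keywords) and a function that builds the 16-byte name a client registers or looks up. The file content, host names and addresses are constructed.

```python
# Added example (not from the original document): parse an LMHOSTS file and
# build the 16-byte NetBIOS names that LMHOSTS/WINS resolution works on.
# The file content, host names and addresses below are constructed.
import re

SAMPLE_LMHOSTS = """\
# Lines starting with '#' are comments, except the #PRE and #DOM: keywords.
192.168.10.5    FILESRV01      #PRE
192.168.10.1    PDC01          #PRE   #DOM:CORP
192.168.10.9    unixhost                    # manual entry for a non-WINS host
# 10.0.0.1      OLDSERVER      (disabled entry)
"""

# A few of the well-known 16th-byte service suffixes.
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x20: "File Server Service",
}

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_lmhosts(text):
    """Return {NAME: {"ip": ..., "preload": bool, "domain": str | None}}.
    Names are upper-cased because NetBIOS lookups are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not _IPV4.match(tokens[0]):
            continue  # blank line, pure comment, or malformed entry
        ip, name = tokens[0], tokens[1].upper()
        if len(name) > 15:
            continue  # a NetBIOS name carries at most 15 user characters
        entry = {"ip": ip, "preload": False, "domain": None}
        for tok in tokens[2:]:
            if tok.upper() == "#PRE":
                entry["preload"] = True  # preload into the name cache
            elif tok.upper().startswith("#DOM:"):
                entry["domain"] = tok[5:].upper()  # domain controller entry
            elif tok.startswith("#"):
                break  # an ordinary trailing comment
        table[name] = entry
    return table


def netbios_name(name, suffix):
    """Pad the name to 15 characters with spaces and append the one-byte
    service suffix: the 16-byte name a client registers or looks up."""
    name = name.upper()
    if len(name) > 15:
        raise ValueError("at most 15 characters plus the suffix byte")
    return name.ljust(15).encode("ascii") + bytes([suffix])


def resolve(table, name, suffix=0x20):
    """Resolve a NetBIOS name through the LMHOSTS table.
    Returns (ip, service description) or None when the name is unknown."""
    raw = netbios_name(name, suffix)
    base = raw[:15].decode("ascii").rstrip()
    entry = table.get(base)
    if entry is None:
        return None
    service = NETBIOS_SUFFIXES.get(raw[15], "unknown suffix 0x%02X" % raw[15])
    return entry["ip"], service


if __name__ == "__main__":
    table = parse_lmhosts(SAMPLE_LMHOSTS)
    for name, entry in table.items():
        print(name, entry)
    print(resolve(table, "filesrv01"))
    print(resolve(table, "pdc01", 0x1C))
```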

What are the Windows 2000 WINS enhancements compared with previous
versions?
• Better management interface
• Better clients
• Replication can maintain persistent connections
• Supports automatic partner discovery
• Integrates with DNS and DHCP
• Supports burst mode handling

What is the port used for Terminal Services?
3389

How do you know whether port 3389 is working or not?
Netstat -a (displays all connections and listening ports)

What are the different subnet classes?
Class A addresses 1-126.x.x.x
Class B addresses 128-191.x.x.x
Class C addresses 192-223.x.x.x
Class D addresses 224-239.x.x.x
Class E addresses 240-254.x.x.x

What are the features and benefits of Windows 2000 Professional?
• Windows 2000 Professional is an upgrade of Windows NT Workstation, so
we have the base code of Windows NT rather than Windows 95/98 and get
the security and stability of Windows NT. But from Windows 2000 we
also get some of the features of 95/98, specifically Plug and Play and
Device Manager.
• We have personalized Start menus with Windows 2000.
• We can deploy software automatically.
• We also have Windows Installer packages.
• We have Synchronization Manager.
• We have Internet Printing Protocol.
• We have Kerberos V5 protocol technology.
• We have EFS (Encrypting File System).
• We have the IPSec protocol.
• We have support for smart cards.
• We have the secondary logon service.
And many more.
Note: Suppose you have a computer in a remote location with multiple
operating systems installed, and you want to restart it from here into a specific
operating system. Go to Properties of My Computer → Advanced tab →
Settings. There, set the default operating system to the required operating
system, then restart the computer.

Note: In Windows 2000, to apply policy changes immediately you use
secedit /refreshpolicy machine_policy (and secedit /refreshpolicy user_policy
for the user half). In Windows 2003 the equivalent command is gpupdate; type it
at the Run prompt and the policy is refreshed.

How can you know that Active Directory is installed properly?
It will create a folder called SYSVOL under c:\windows. Within the SYSVOL folder
you should have four folders, namely domain, staging, sysvol and staging area.
Apart from this you should have an NTDS folder (in c:\windows) containing the
ntds.dit file and four log files.

How can you see the POST screen when the system starts?
When the system starts, press the Break key. The POST screen then stays
on the screen; to continue, press Enter.

When a user logs on, the startup items are loaded. How do you stop them?
(The notification area icons)
When the user types the user name and password and presses Enter, immediately
hold down the Shift key. Then those items will not be loaded.

What are the features of Active Directory?
See the "benefits of Active Directory" document in this folder.

What is the range of addresses in the classes of Internet addresses?
Class A 0.0.0.0 - 127.255.255.255
Class B 128.0.0.0 - 191.255.255.255
Class C 192.0.0.0 - 223.255.255.255
Class D 224.0.0.0 - 239.255.255.255
Class E 240.0.0.0 - 254.255.255.255

Note: Class A, Class B and Class C are used to assign IP addresses. Class D is used
for multicasting. Class E is reserved for the future (experimental).

What is hot swapping?
Replacing hard disks other than the active disk while the computer is on.

What commands do you need to execute before upgrading from Windows 2000
to Windows 2003?
Before upgrading from Windows 2000 to Windows 2003, insert the Windows 2003
CD, open the i386 folder, and type the following commands at the command
prompt:
Adprep /forestprep
Adprep /domainprep
(i.e., at f:\i386 on the Windows 2003 CD: adprep /forestprep and
adprep /domainprep)
If you are upgrading the entire forest, type adprep /forestprep at the root
domain.
If you are upgrading only a domain, type adprep /domainprep at the root
domain.
Note: You have to type the above commands on the server which has the IM
(Infrastructure Master) role.

Only then should you upgrade your systems.

How do you take a backup?
Start → Programs → Accessories → System Tools → Backup → click on the Backup tab.
There you can select the required items.
The system state backup includes the following:
• Boot files
• COM+ class registration database
• Registry
If the system is a domain controller then apart from the above it also backs up
the following:
• Active Directory
• SYSVOL

Note: If you want to restore the system state backup on a domain controller
you have to restart the computer in Directory Services Restore Mode, because
you are restoring Active Directory, which must not be active while it is being
restored. If you restart the computer in Directory Services Restore Mode,
Active Directory is not active, so you can restore it.
You can restore Active Directory in two ways:
Authoritative restore
Non-authoritative restore

Non-authoritative restore
Restart the computer.
Press F8 and select Directory Services Restore Mode.
Start → Programs → Accessories → System Tools → Backup → click on the
Restore tab → select the restore file → click on Restore Now.
Restart the computer.

Authoritative restore
Restart the computer.
Press F8 and select Directory Services Restore Mode.
Start → Programs → Accessories → System Tools → Backup → click on the
Restore tab → select the restore file → click on Restore Now.
Open a command prompt.
Type ntdsutil
Type authoritative restore
Note: Here you can authoritatively restore the entire database or a particular OU,
but you cannot restore a particular object.
Type restore subtree <distinguished name of the OU>
Ex: If research is an OU under yahoo.com, then you have to type the distinguished
name as ou=research,dc=yahoo,dc=com

What are the logical components of Active Directory?
Organizational Units
Domains
Trees
Forests

What are the physical components of Active Directory?
Sites
Domain Controllers
Global Catalogue

Who can create site-level Group Policy?
Enterprise Admin

Who can create domain-level Group Policy?
Domain Admin

Who can create Organizational Unit-level Group Policy?
Domain Admin

Who can create Local Group Policy?
Local Administrator or Domain Administrator

What is the hierarchy of Group Policy?
Local policy
Site policy
Domain policy
OU policy
Sub-OU policy (if any)

Explain the Active Directory database.
The information stored in Active Directory is called the Active Directory
database.
The information stored in Active Directory (i.e., the Active Directory database)
on every domain controller in the forest is partitioned into three categories.
They are:
• Domain partition
• Configuration partition
• Schema partition
Domain partition
The domain partition contains all of the objects in the directory for a
domain. Domain data in each domain is replicated to every domain controller
in that domain, but not beyond its domain.

Configuration partition
The configuration partition contains replication configuration
information (and other information) for the forest.

Schema partition
The schema partition contains all object types and their attributes that
can be created in Active Directory. This data is common to all domain
controllers in the domain tree or forest, and is replicated by Active Directory to
all the domain controllers in the forest.

What is the Global Catalogue?
The global catalogue holds a partial replica of the domain directory
partitions for all domains in the forest. By default, the partial set of attributes
stored in the global catalogue includes those attributes most frequently used in
search operations, because one of the primary functions of the global
catalogue is to support clients querying the directory.

Explain the different groups in Active Directory.
There are two types of groups in Active Directory:
Security groups
Distribution groups

What is the protocol that is used for security in Windows 2000?
Kerberos V5

How many ways can you open Task Manager?
One can open Task Manager in the following ways:
1) Start → Run → taskmgr → OK
2) Right click on the Task bar → select Task Manager
3) Press CTRL + ALT + DELETE → click on Task Manager
4) Press CTRL + SHIFT + ESC (shortcut key)

How many ways do you have to determine whether a computer is a Domain
Controller or not?
There are several ways to determine this:
1) On the Windows logon dialogue box see whether the "Log on to" field has
a "this computer" option or not. If it contains only domain names then it is a
Domain Controller; if it contains the "this computer" option then it is either a
workstation or a member server.
2) Start → Run → type netdom query fsmo → the computer names that are
listed there are Domain Controllers.
3) Search for the NTDS and SYSVOL folders in the system directory; if they are
there then it is a Domain Controller.
4) Start → Run → Regedt32 → search for the NTDS key under HKEY_LOCAL_MACHINE.
If you find it then it is a Domain Controller.
5) Start → Programs → Administrative Tools → Active Directory Users and
Computers → click on the Domain Controllers OU → the names listed
there are the names of the domain controllers.
6) In 2000 you cannot change the name of a Domain Controller, so right click
on My Computer → Properties → Network Identification → there the Change
button is grayed out.

Diagnostic Utilities
a) PING b) FINGER c) HOSTNAME d) NSLOOKUP e) IPCONFIG f) NETSTAT
g) NBTSTAT h) ROUTE i) TRACERT j) ARP

PING:
Verifies that TCP/IP is configured and that another host is available.

FINGER:
Retrieves system information from a remote computer that supports the
TCP/IP finger service.

HOSTNAME:
Displays the host name.

NSLOOKUP:
Examines entries in the DNS database that pertain to a particular
host or domain.

NETSTAT:
Displays protocol statistics and the current state of TCP/IP connections.

NBTSTAT:
Checks the state of current NetBIOS over TCP/IP connections, updates the
LMHOSTS cache or determines your registered name or scope ID.

ROUTE:
Views or modifies the local routing table.

TRACERT:
Verifies the route from the local host to a remote host.

ARP:
Displays the cache of locally resolved IP address to MAC address mappings.

What is a Dedicated Line?
Any telecommunications line that is continuously available to the
subscriber with little or no latency. Dedicated lines are also referred to as
"leased lines."
Note: The other kind is the dial-up line.

What is a Dial-up line?
Any telecommunications link that is serviced by a modem. Dial-up lines are
ordinary phone lines used for voice communication, while dedicated or leased
lines are digital lines with dedicated circuits. Dial-up lines are generally much
less expensive to use, but they have less available bandwidth.

What is an FQDN (Fully Qualified Domain Name)?
Hostname.Domain.com

Give an example of an FQDN.
For example, the fully qualified domain name (FQDN)
barney.northwind.microsoft.com can be broken down as follows:
• Host name: barney
• Third-level domain: northwind (stands for Northwind Traders Ltd., a
fictitious Microsoft subsidiary)
• Second-level domain: microsoft (Microsoft Corporation)
• Top-level domain: com (commercial domain)
The root domain has a null label and is not expressed in the FQDN.

How do you know whether port 3389 (Terminal Services) is working or not?
netstat -a (displays all connections and listening ports)

What is a host?
Any device on a TCP/IP network that has an IP address. Examples include
servers, clients, network interface print devices and routers.

How is a host identified in the network?
By a TCP/IP address.

What is a Host name?
An alias given to a computer on a TCP/IP network to identify it on the network.
Host names are a friendlier way to refer to TCP/IP hosts than IP addresses.
A host name can contain the characters A-Z, 0-9, "." and "-".

What are Logon Credentials?
The information that authenticates a user, generally consisting of:
User Name
Password
Domain Name

What is the refresh interval for Group Policy?
The refresh interval for Domain Controllers is 5 minutes, and the refresh interval
for all other computers in the network is 45 minutes (doubt).

How many ports are there?
There are 65535 ports.

Note: Ports 0-1023 are called well-known ports and all other ports (i.e.,
1024-65535) are called dynamic or private ports.

How do you do a quick shutdown/restart?
Press Ctrl + Alt + Del; on the dialogue box you can see the Shutdown button.
While pressing the Shutdown button, hold down the CTRL key.

What is native mode and what is mixed mode?
If some of your domain controllers are Windows NT in a Windows 2000
domain, that is called mixed mode. If you want to be compatible with NT domain
controllers in a Windows 2000 domain you should be in mixed mode.
If all of your domain controllers are Windows 2000 then you can change
from mixed mode to native mode. After changing to native mode you get some
extra functionality to secure your Windows 2000 domain.
Ex: On the user account properties, click on the Dial-in tab and you can see some
extra options.

How do you change mixed mode to native mode?
Start → Programs → Administrative Tools → Active Directory Users and
Computers → right click on the domain → go down to Properties → on the General
tab click on the Change Mode button → click Yes
Note: By default Windows 2000 will be loaded in mixed mode. You can change
Windows 2000 from mixed mode to native mode, but once you change from mixed
mode to native mode you cannot change back from native mode to mixed mode.

Note: When you are formatting the disk, if you leave the block size at the default,
Windows 2000/XP/2003 divides the partition into 4 KB blocks. When you
create a file or folder it allocates space to that file or folder in multiples of 4
KB. When you first create a new file it allocates 4 KB; after that 4 KB is filled
up it allocates another 4 KB, and so on until the disk space is used up.

Note: With Windows 2000 Advanced Server and Datacenter Server we can NLB
cluster 2 to 32 servers. It supports clustering up to 2 nodes.
Note: With disk quotas we can track the usage of disk space for each user. We
can limit each user to a certain amount of space.

What is latency?
The required time for all updates to be completed throughout all domain
controllers on the network domain or forest.

What is convergence?
The state at which all domain controllers have the same replica contents
of the Active Directory database.

How do you force the KCC to generate connection objects immediately without
delay?
Type the command repadmin /kcc. This command forces the KCC to generate
connection objects immediately without any delay.

What are the file names that we cannot create in the Windows operating
system?
The file names that cannot be created in the Windows operating system are:
• CON
• PRN
• LPT1, LPT2, LPT3, LPT4, ..., LPT9
• COM1, COM2, COM3, COM4, COM5, ..., COM9
• NUL
• AUX
Note: The file name CLOCK$ cannot be created in DOS 6.22 or earlier versions of
DOS.
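
A check for the reserved device names listed above, as an added example that is not part of the original document: the kind of validation an upload handler or installer should run before creating a file, since the reservation is case-insensitive and applies to the name before the first dot (con.txt is still CON). The sample names are constructed.

```python
# Added example (not from the original document): check a proposed Windows file
# name against the reserved device names listed above, the way an upload
# handler or installer should before creating the file. Sample names are
# constructed.

RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{n}" for n in range(1, 10)}
RESERVED |= {f"LPT{n}" for n in range(1, 10)}
DOS_ONLY = {"CLOCK$"}  # refused by DOS 6.22 and earlier, per the note above


def reserved_stem(filename):
    """Return the part of the last path component that Windows compares
    against the device names: everything before the first dot, with trailing
    spaces removed and case folded (so 'con.txt' and 'Con ' are both CON)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[0].rstrip(" ").upper()


def is_reserved_name(filename, legacy_dos=False):
    """True if Windows (or, with legacy_dos, DOS 6.22 and earlier) would not
    create a regular file with this name because it names a device."""
    stem = reserved_stem(filename)
    if stem in RESERVED:
        return True
    return legacy_dos and stem in DOS_ONLY


def safe_filename(filename, legacy_dos=False):
    """Return the name unchanged if acceptable, otherwise rename the last
    path component so it no longer names a device."""
    if not is_reserved_name(filename, legacy_dos):
        return filename
    sep = "\\" if "\\" in filename else "/"
    head, _, base = filename.rpartition(sep)
    return f"{head}{sep}_{base}" if head else "_" + base


if __name__ == "__main__":
    for sample in ("report.txt", "CON", "con.txt", "lpt9.log", "LPT10", "console",
                   "C:\\uploads\\aux.jpg", "clock$"):
        print(f"{sample!r}: reserved={is_reserved_name(sample)} -> {safe_filename(sample)!r}")
```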

What is QoS?
QoS stands for Quality of Service. With QoS we can reserve bandwidth for
certain applications.

What is NAT?
NAT stands for Network Address Translation. It is a device between the
Internet (i.e., the public network) and our private network. On one NIC it has a
valid Internet address; on the other NIC it has our private (internal) network
address.
NAT is a device that translates one valid public IP address to multiple
internal private addresses.
We load the Windows 2000 RRAS (Routing and Remote Access Service)
service onto a Windows 2000 server and turn it into a router. Then we add the
NAT protocol, so from then on our internal clients send their traffic through
this router to the Internet. As a packet passes through the NAT server, the
server strips off the internal network IP address and replaces it with a valid
public IP address. The packet goes out and communicates using that valid
public IP address; when the reply comes back through the NAT server, the
server strips off the public IP address, replaces it with the private IP address,
and sends the traffic back to that particular client.
From the client's perspective they don't know anything except that they are
surfing the Internet.

How do you get to the NAT options?
Start → Programs → Administrative Tools → RRAS → IP Routing → NAT

Note: Windows 2000 NAT can act as a DHCP server, so it is possible to give out IP
addresses from our NAT server. When you are doing this make sure that you don't
have a DHCP server in your network.
If you have few clients (5 or 6) then there is no harm in assigning IP addresses
through NAT, but if your network is big then it is best to use DHCP.

How do you enable the DHCP service through NAT?
Start → Programs → Administrative Tools → RRAS → IP Routing → right click on
NAT → go to Properties → click on Address Assignment → select the option
"Automatically assign IP addresses by using DHCP"
Note: If you don't want your NAT server to assign IP addresses, clear the
check box.

Note: A NAT server contains at least two NICs: one for the internal IP address
and another for the external (public) IP.

How do you add public IP address pools to our NAT server?
Start → Programs → Administrative Tools → RRAS → IP Routing → click on NAT
→ on the right hand side you see the network cards → click on the external NIC
(which has a valid public IP) → click on the Address Pool tab → click on the Add
button → give the pool of IP addresses.
Note: By default there is no access for outside clients to the internal devices on
the NAT network. By default outside clients cannot access anything in our
NAT network.
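
The translation described in the NAT answer above, together with the note that outside clients get no access by default, as an added example that is not part of the original document: a minimal port-based NAT model where outbound packets get the public address and a mapped port, and only replies on a flow the NAT opened are let back in. All addresses are constructed.

```python
# Added example (not from the original document): a minimal model of the
# translation the NAT text above describes. Outbound packets get the public IP
# and a mapped port; only replies to an existing mapping are let back in, so
# unsolicited connections from outside are dropped, as the note above says.
# All addresses are constructed documentation ranges.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Port-based NAT with one valid public address (a 'pool' of one)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public port
        self.outbound = {}
        # public port -> (private_ip, private_port, remote_ip, remote_port)
        self.inbound = {}

    def to_internet(self, pkt):
        """Outbound: strip the internal source address, substitute the public
        IP and a port that identifies this flow, remembering the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def from_internet(self, pkt):
        """Inbound: restore the private destination if, and only if, the packet
        is a reply on a flow this NAT opened. Returns None for dropped packets."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.inbound.get(pkt.dst_port)
        if flow is None:
            return None  # no mapping: unsolicited, dropped
        private_ip, private_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # reply from a host this flow never talked to
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.7")
    out = nat.to_internet(Packet("192.168.0.10", 51000, "198.51.100.20", 80, "GET /"))
    print("seen on the Internet:", out)
    back = nat.from_internet(Packet("198.51.100.20", 80, "203.0.113.7", out.src_port, "200 OK"))
    print("delivered inside:", back)
    print("unsolicited:", nat.from_internet(Packet("198.51.100.99", 4444, "203.0.113.7", 3389, "hi")))
```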

What are the limitations of Windows 2000 NAT?
• Supports only TCP/IP. There is no support for IPX or other protocols.
• No support for:
  • SNMP (so we cannot do SNMP monitoring of our NAT devices)
  • LDAP
  • COM / DCOM
  • Kerberos V5
  • RPC
  • IPSec
Note: Windows 2000 NAT doesn't allow L2TP traffic; it allows only PPTP traffic.

What is a proxy?
A NAT server helps the client to access the Internet, whereas a proxy server
does everything for the client. When a request comes from the client the proxy
server fetches the content from the Internet, caches the result on its local
disk, and sends that result to the client.
With a proxy we have a performance improvement, because results are
cached on the local hard disk.
With a proxy we have security, because only one system in the internal
network communicates with the Internet.
Rather than allowing clients to access the Internet by changing IP addresses,
the proxy server does all the surfing for the clients, caches it on its local disk and
gives it to the clients.

How do you install Proxy Server 2.0 on Windows 2000?
There is a patch to install Proxy on Windows 2000; it doesn't install natively on
Windows 2000. You have to install it along with the Windows 2000 patch. You can
download this patch from the Microsoft website, or you can get it on the Windows
Proxy CD.
Go to the Proxy folder → click on Windows Proxy Update → click on the patch file
→ go through the wizard.
This patch file invokes the proxy installation.
To configure the proxy settings:
Start → Programs → Microsoft Proxy Server → Microsoft Management Console →
we get the MMC for Internet Information Services, because our proxy server is
incorporated within the IIS service.

With proxy we have two types of caching:
• Active caching
• Passive caching

How do you set the proxy settings on the clients?
Right click Internet Explorer → click on Connections → click on LAN Settings
→ tick "Use proxy server" → type the IP address of the proxy server and the port
that we are using.

What are the features of Microsoft Proxy 2.0?
Active / Passive caching
User-level control
IP filters
Access logs
Access to the Internet for IPX clients

What do we get with RRAS?
With RRAS we get the ability to create a fully functional router with our
Windows 2000 server.
We also get quite a bit of remote connectivity functionality. It can
support clients dialing in through phone lines, or through the Internet via a
virtual private network.

What does IAS do for us?
Internet Authentication Service gives us a RADIUS server. RADIUS stands for
Remote Authentication Dial In User Service; RADIUS is an industry standard.

Note: An IP address is assigned to every device that you want to access on the
network, and each has a unique IP address. A client, a server, every interface of
a router, a printer and all devices on the network should have an IP address to
communicate in the network.

Note: In a class C address we have 254 clients for each subnet.
In a class B address we have approximately 65,534 hosts per subnet.
In a class A address we have millions of hosts per subnet.
Numbers can range from 0-255, but x.x.x.0 is used for identifying the
network and x.x.x.255 is used for broadcasting, so we use the numbers from 1-
254.
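
The classful ranges from the "range of addresses in the classes" answer earlier and the host counts in the note just above, as an added example that is not part of the original document: it classifies an address, derives the default mask, network and broadcast addresses and usable host count, and goes one step further than the text by accepting a longer prefix to show how subnetting a class changes those numbers. The sample addresses are constructed.

```python
# Added example (not from the original document): classify an IPv4 address by
# its classful range and derive the default mask, network and broadcast
# addresses and usable host count that the notes above describe. The optional
# prefix shows how subnetting a class changes the host count. Addresses used in
# the demo are constructed.
import ipaddress

# First-octet ranges as the document lists them. Class E here runs to 255 so
# that every address falls in some class.
_CLASSES = (
    (128, "A", 8),     # 0-127, default mask 255.0.0.0 (127 is loopback)
    (192, "B", 16),    # 128-191, default mask 255.255.0.0
    (224, "C", 24),    # 192-223, default mask 255.255.255.0
    (240, "D", None),  # 224-239, multicast: no host portion
    (256, "E", None),  # 240-255, reserved (experimental)
)


def ip_class(addr):
    """Return the class letter and default prefix length (None for D and E)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for upper, letter, prefix in _CLASSES:
        if first_octet < upper:
            return letter, prefix
    raise AssertionError("unreachable: every octet value is below 256")


def classful_info(addr, prefix=None):
    """Describe the network the address belongs to. With no prefix the
    classful default is used; a longer prefix subnets that class."""
    ip = ipaddress.IPv4Address(addr)
    letter, default_prefix = ip_class(addr)
    if default_prefix is None:
        use = "multicast" if letter == "D" else "reserved (experimental)"
        return {"address": str(ip), "class": letter, "use": use}
    prefix = default_prefix if prefix is None else prefix
    if not default_prefix <= prefix <= 30:
        raise ValueError("prefix must be between the class default and /30")
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return {
        "address": str(ip),
        "class": letter,
        "use": "unicast",
        "default_mask": str(ipaddress.ip_network(f"0.0.0.0/{default_prefix}").netmask),
        "mask": str(net.netmask),
        "network": str(net.network_address),      # host part all zeros
        "broadcast": str(net.broadcast_address),  # host part all ones
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,    # minus network and broadcast
    }


def is_assignable(addr, prefix=None):
    """True if the address can be given to a host: not the network or
    broadcast address and not in class D or E."""
    info = classful_info(addr, prefix)
    if info["use"] != "unicast":
        return False
    return info["address"] not in (info["network"], info["broadcast"])


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.77", "224.0.0.9", "250.1.1.1"):
        print(classful_info(sample))
    print(classful_info("192.168.1.77", prefix=26))
```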

Note: The portion between two firewalls is called a screened subnet; in a
corporate network we call it a DMZ (Demilitarized Zone).

Who is responsible for assigning public IP addresses?
The organization responsible for assigning IP addresses is InterNIC (Internet
Network Information Centre). This organization assigns public IP addresses to all
individuals or organizations. But you can take IP addresses from ISPs (Internet
Service Providers), because ISPs buy a pool of IP addresses from InterNIC and
then sell them to others.

Note: The tracert command traces the route (path) over which we are connecting.
Pathping is a combination of tracert and ping. It displays the path and some
other information.

Note: When DNS stops you will see event ID 2.
When DNS starts you will see event ID 3.
When the GC is enabled you will see event ID 1119 on that particular
server.
When time synchronization is enabled you can see event IDs 35 and 37.

How do you increase or decrease the tombstone interval?
By default the tombstone interval is 60 days. You can increase or decrease the
tombstone interval. You can decrease it to as little as 2 days; you can increase it
as much as you want.
To decrease the tombstone interval we use ADSI Edit.

With Windows 2000 we have the advantage of being able to configure our
Windows 2000 server with the RRAS service, and turn our Windows 2000 server into
a router.
What are the functionalities of RRAS?
• Supports IP + IPX routing
• Supports numerous interface types
• IP filters
• Integrates with Active Directory
• Supports standard routing protocols:
  • RIP version 1 or version 2 (Routing Information Protocol)
  • OSPF
  • IGMP (Internet Group Management Protocol)
    This is for multicasting. Ex: a video conference sent to many people
    at a time.

What are Unicast, Multicast and Broadcast?
Unicast: Just from one computer to one computer.
Multicast: Only to those who have registered for a particular multicast group.
Broadcast: To all the computers.

Note: With RIP version 1 we cannot do CIDR/VLSM. To transfer the routing table
to all routers RIP version 1 uses broadcast. With RIP version 2 we can do
CIDR. To transfer the routing table to all routers RIP version 2 uses multicast.
Also with version 2 we have password authentication for routing table transfer.

What is a VPN?
VPN stands for Virtual Private Network. Using public media we are
establishing a private sec

ure connection. To communicate through a VPN we use
PPTP (Point to Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol).
In most cases we use L2TP because it is more secure. The only case in which
we use PPTP is when we are trying to use a VPN through a NAT server; another
reason to use it is if we have Windows clients that do not have the capability to
establish an L2TP VPN connection.

RADIUS
RADIUS stands for Remote Authentication Dial In User Service. It
is used to authenticate remote users. Instead of authenticating users at each
individual RAS server, we pass the request to a central server (the RADIUS server)
and let the authentication happen there. All RAS servers pass authentication
requests to this central server (the RADIUS server), which does the authentication.
It authenticates users based on Active Directory. It also does reporting,
so it is doing accounting as well as authentication. With RADIUS, authentication
takes place at a central location, so there is no need to maintain a local
database of users for each RAS server. Whenever authentication is needed the RAS
server forwards the query to the RADIUS server.
Accounting means we keep track of who is connected, for how long, why they
failed to connect, etc.; the information is all centralized here.
By centralizing accounting and authentication we make our RAS
servers dumb devices. So when a RAS server fails there is no need to
worry about the 100 or 1000 accounts we created manually on the RAS server
so that we could authenticate. All you need to do is swap out this device for
another and configure it to pass authentication to the RADIUS server.
Note: Terminology-wise the central server is the RADIUS server. The clients of
RADIUS are the RAS servers.
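
The RAS-server-to-RADIUS-server exchange described above, as an added example that is not part of the original document: the Access-Request / Access-Accept round trip with the shared-secret protections from RFC 2865 (the hidden User-Password and the Response Authenticator the RAS server verifies before trusting a reply). The shared secret, user store and NAS address are constructed; a real IAS checks Active Directory, this one checks a dictionary.

```python
# Added example (not from the original document): the Access-Request /
# Access-Accept exchange between a RAS server (the RADIUS client) and the
# RADIUS server, using the shared-secret protections from RFC 2865: the
# User-Password is hidden with MD5 and the reply carries a Response
# Authenticator the RAS server verifies. Secret, user store and NAS address
# are constructed; a real IAS checks Active Directory, this one a dict.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2:
            break  # malformed attribute
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip="192.0.2.10"):
    """What the RAS server sends. The Request Authenticator is fresh random."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(packet, secret, user_db):
    """Central authentication: check the credentials and sign the reply with
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes here
    return header + _md5(header, req_auth, b"", secret)


def ras_client_check(request, response, secret):
    """The RAS server accepts a reply only if its identifier matches and the
    Response Authenticator verifies under the shared secret. Returns the
    reply code, or None when the reply must be ignored."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    _, _, length = struct.unpack("!BBH", response[:4])
    expected = _md5(response[:4], request[4:20], response[20:length], secret)
    return response[0] if response[4:20] == expected else None


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {"alice": b"S3cret!pass"}
    req = build_access_request(7, "alice", "S3cret!pass", secret)
    resp = radius_server(req, secret, users)
    print("reply code:", ras_client_check(req, resp, secret))  # 2 = Access-Accept
```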

How do you configure a RADIUS client?
A RADIUS client is nothing but a RAS server. In Windows 2000 it is the RRAS server.
Go to the RRAS server → Start → Programs → Administrative Tools → RRAS → right
click the server → go down to Properties → click on Security → select
Authentication provider as RADIUS server → select Accounting provider as
RADIUS server → click on Configure (at Authentication as well as at
Accounting) → add the server that is going to act as the RADIUS server → hit OK
→ restart the RRAS service.

How do you create a RADIUS server?
To make a server a RADIUS server we install Internet Authentication Service.
Start → Settings → Control Panel → Add/Remove Programs → Add/Remove
Windows Components → select Network services → click on Details → select
Internet Authentication Service → click on OK

Now you can open the IAS MMC.
Start → Programs → Administrative Tools → Internet Authentication Service →
right click on Clients → Add New Client → give the names of the RAS servers →
select the appropriate options → click Finish

Note: One thing you have to do is register Internet Authentication Service in
Active Directory.
Administrative Tools → Internet Authentication Service → right click at the
root → select Register Service in Active Directory
Now our IAS can access Active Directory so that it can authenticate users
against the Active Directory database.

Note: Put your RAS server close to the clients. Put your RADIUS server close to
the Active Directory database.

Tell me how to upgrade from 2000 to 2003?
Actually it is a one-month procedure. I will brief you on the important things.
Perform adprep /forestprep on the domain controller which has the Schema role.
This is a one-time operation per forest.
Perform adprep /domainprep on the domain controller which has the IM role (you
have to do this in each domain that you want to upgrade).
This is a one-time operation per domain.
Now the following things are common to all domain controllers which you are
upgrading from 2000 to 2003:
• Remove the administrative tools and support tools.
• Run the command winnt32.exe /checkupgradeonly.
• Install any hotfixes, if there are any suggested by Microsoft or suggested
by the end-market administrator (if they have any applications of their own).
• Then upgrade by running the command winnt32.exe from the Windows 2003
CD-ROM.

How do you take backups?
On Monday we take a Normal backup.
Then we take Incremental backups until Friday.
Note: For incremental backup more tapes are required to restore. For differential
backup more space is required on the tape, but we need only two tapes to
restore the data.
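
The tape arithmetic behind the note above, as an added example that is not part of the original document: for the Normal-on-Monday week it lists which tapes a restore on a given day needs under incremental versus differential backups, and how much data each day's tape holds. The schedules and sizes are constructed.

```python
# Added example (not from the original document): which tapes a restore needs
# under the Normal-plus-incremental week described above, compared with a
# Normal-plus-differential week, and how much each day's tape holds. The
# schedules and sizes are constructed.

KINDS = ("normal", "incremental", "differential")


def tapes_to_restore(schedule, restore_day):
    """schedule: ordered list of (day, kind). Returns the ordered list of days
    whose tapes must be loaded to recover the state as of restore_day."""
    days = [d for d, _ in schedule]
    if restore_day not in days:
        raise ValueError(f"no backup was taken on {restore_day}")
    upto = schedule[: days.index(restore_day) + 1]
    kinds = {k for _, k in upto}
    if not kinds <= set(KINDS) or {"incremental", "differential"} <= kinds:
        raise ValueError("use one of incremental or differential after the normal backup")
    # Everything starts from the most recent normal (full) backup.
    last_full = max(i for i, (_, k) in enumerate(upto) if k == "normal")
    needed = [upto[last_full][0]]
    for day, kind in upto[last_full + 1:]:
        if kind == "incremental":
            needed.append(day)         # every change set since the full backup
        else:
            needed = [needed[0], day]  # only the newest differential is needed
    return needed


def tape_sizes(schedule, full_size, daily_change):
    """Data written to each day's tape, assuming daily_change new data per day:
    incrementals stay small, differentials grow until the next normal backup."""
    sizes, since_full = [], 0
    for _, kind in schedule:
        if kind == "normal":
            since_full = 0
            sizes.append(full_size)
        elif kind == "incremental":
            sizes.append(daily_change)
        else:
            since_full += daily_change
            sizes.append(since_full)
    return sizes


WEEK_INCREMENTAL = [("Mon", "normal"), ("Tue", "incremental"), ("Wed", "incremental"),
                    ("Thu", "incremental"), ("Fri", "incremental")]
WEEK_DIFFERENTIAL = [(d, "differential" if k != "normal" else k) for d, k in WEEK_INCREMENTAL]

if __name__ == "__main__":
    for name, week in (("incremental", WEEK_INCREMENTAL), ("differential", WEEK_DIFFERENTIAL)):
        print(name, "restore on Thu needs", tapes_to_restore(week, "Thu"),
              "tape sizes (GB):", tape_sizes(week, 100, 5))
```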

How do you know the MAC address of a Network Interface Card?
First ping the IP address (the IP address of the Network Interface Card for
which you want to know the MAC address).
The MAC address is then cached.
Now type arp -a
This command shows the cached MAC address of that particular NIC.

Note: If you run DCPROMO on a member server it will become a Domain
Controller; if you run DCPROMO on a Domain Controller it will become a
member server; if you run DCPROMO on the last domain controller it will
become a standalone server.

Note: The file size is always less than or equal to the size on disk except when
the file is compressed. If the file is compressed, the file size is greater than the
size on disk.

The data replicated between domain controllers is called data and also
called naming context. Once a domain controller has been established only
changes are replicated.

The replication path that Active Directory data travels through an enterprise is called the replication topology.
A change is replicated to all domain controllers in the site within 15 minutes, since there can only be three hops.

Note: Each domain controller keeps a list of other known domain controllers and the last USN received from each of them.

What is propagation dampening?

This is used to prevent unnecessary replication by not sending updates to servers that have already received them. To detect this, domain controllers use up-to-dateness vectors.
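The mechanism is easier to see in code. The following is an added example, not part of these notes and not Microsoft's implementation: a toy model in which each domain controller keeps a local USN and an up-to-dateness vector (highest originating USN it has applied from each originating DC), and a source only sends changes whose originating USN is above the destination's vector entry. The DC names and the attribute change are constructed.

```python
# Added example (not from the notes): a toy model of Active Directory
# replication that shows propagation dampening with up-to-dateness vectors.
# Simplified on purpose: one naming context, no high-watermark, no conflict
# resolution; the DC names are constructed.

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0            # local update sequence number (USN)
        self.updates = []       # (originating_dc, originating_usn, attribute, value)
        self.utd = {name: 0}    # up-to-dateness vector: originating_dc -> highest originating USN applied
        self.values = {}

    def originate(self, attribute, value):
        """A write made directly on this DC: it is the originating DC for this change."""
        self.usn += 1
        self.updates.append((self.name, self.usn, attribute, value))
        self.utd[self.name] = self.usn
        self.values[attribute] = value

    def apply(self, orig_dc, orig_usn, attribute, value):
        """Store a change received from a partner and advance our vector for its originator."""
        self.usn += 1
        self.updates.append((orig_dc, orig_usn, attribute, value))
        self.utd[orig_dc] = max(self.utd.get(orig_dc, 0), orig_usn)
        self.values[attribute] = value

    def replicate_to(self, dest):
        """Source-side filtering: send only changes whose originating USN is above
        what dest's up-to-dateness vector already records for that originator.
        Returns the number of changes actually sent."""
        sent = 0
        for orig_dc, orig_usn, attribute, value in self.updates:
            if orig_usn > dest.utd.get(orig_dc, 0):
                dest.apply(orig_dc, orig_usn, attribute, value)
                sent += 1
        # dest now knows at least as much as we do about every originator
        for dc, highest in self.utd.items():
            dest.utd[dc] = max(dest.utd.get(dc, 0), highest)
        return sent


def demo_dampening():
    """A change made on DC-A reaches DC-C through DC-B; when DC-A later replicates
    directly to DC-C the change is not sent again. Returns the three send counts,
    the value finally held by DC-C, and DC-C's vector."""
    a, b, c = DomainController("DC-A"), DomainController("DC-B"), DomainController("DC-C")
    a.originate("telephoneNumber", "555-0100")   # constructed attribute change
    first = a.replicate_to(b)    # 1 change sent
    second = b.replicate_to(c)   # 1 change sent: DC-B forwards DC-A's change
    third = a.replicate_to(c)    # 0 sent: DC-C's vector already shows DC-A's USN 1
    return first, second, third, c.values["telephoneNumber"], dict(c.utd)


if __name__ == "__main__":
    print(demo_dampening())
```

The third call is the dampened one: DC-C received DC-A's change via DC-B, its vector records "DC-A up to USN 1", so DC-A has nothing new to send even though DC-A and DC-C have never replicated directly.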

In Windows 2000 the SYSVOL share is used to authenticate users. The SYSVOL share includes Group Policy information, which is replicated to all domain controllers in the domain. The File Replication Service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the File Replication Service schedule.

The DNS IP address and computer name are stored in Active Directory for Active Directory-integrated DNS zones and replicated to all local domain controllers. DNS information is not replicated to domain controllers outside the domain.

What is the protocol that is used to replicate data?

Normally Remote Procedure Call (RPC) is used to replicate data, and it is always used for intrasite replication since it is required to support the FRS. RPC depends on IP (Internet Protocol) for transport.
SMTP may be used for replication between sites where each site is a separate domain, because SMTP cannot replicate the domain partition.

Clustering: This is supported only by Windows 2000 Advanced Server and Datacenter Server. A cluster makes several computers appear as one to applications and clients. It supports clustering of up to 2 nodes. You can cluster 2 to 32 servers. The "Cluster service" must be installed to implement clustering.

Note: FAT16 supports partitions up to 4 GB in Windows 2000.
FAT32 supports partitions up to 32 GB in Windows 2000.
NTFS supports partitions from 7 MB to 2 TB.
When you are formatting a partition:
• If you enter a size less than 4 GB, the file system dialogue box offers FAT, FAT32 and NTFS.
• If you enter a size between 4 GB and 32 GB, the file system dialogue box offers FAT32 and NTFS.
• If you enter a size more than 32 GB, the file system dialogue box offers only NTFS.
Note: You cannot compress or encrypt folders on a FAT partition.

Internet Information Service (IIS)

This is used to host web sites.
First install the IIS service.
How to install IIS?
Start -> Settings -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Select Application Server -> Select Internet Information Service -> Click OK

How to open IIS?

Start -> Programs -> Administrative Tools -> IIS
Or
Start -> Run -> type inetmgr.exe -> click OK

How to host a website?

Start -> Programs -> Administrative Tools -> IIS -> Right click on Web Sites -> Select New -> Select Web Site -> Click Next -> give a description of the web site -> Enter the IP address to use for the web site and the port number (by default port 80) -> Enter the path of the home directory -> Select Read, Run Scripts and Browse -> Click Finish

Note: You can change the port number if you want, but generally we don't change it. If you have changed the port number, then when typing the URL you have to type the URL followed by the port number.
Ex: www.google.com:83
If you haven't typed anything, by default it takes the port number as 80.

OSI Layers & Functions

Layer         Protocols                                          Responsibility
Application   FTP, HTTP, Telnet, DNS, TFTP, POP3, SMTP, News     Provides network services to the end users
Presentation  PCT, TIFF, JPEG, MIDI, MPEG
Session       NFS, SQL, RPC, X Windows
Transport     TCP, UDP
Network       IP, IPX, ICMP, ARP, RIP, OSPF, IGRP, EIGRP, IPSec
Data-Link     PPP, PPTP, L2TP, HDLC, Frame Relay
Physical

What is WINS and what does it do?

WINS stands for Windows Internet Naming Service. It resolves NetBIOS names to IP addresses. WINS is used only when you need to access NetBIOS resources.

What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. It is a naming interface by which a client can access network resources. It manages data transfer between nodes on a network.

What is NETBIOS?
NETBIOS stands for Network Basic Input Output System. It is a naming interface: the interface by which a client connects to the lower levels of the TCP/IP model to be able to communicate and access those resources. In Windows NT we share resources with the NetBIOS interface. This means that we are using the NetBIOS name to connect the client to the server.

What is the length of a NetBIOS name?

A NetBIOS name is 16 characters long. The first fifteen characters can be used for the server name; the 16th character is an identifier for the type of service that is registering.

Note: Computer names are not the only names that are registered as NetBIOS names; a domain name can be registered as a NetBIOS name, and any service on the network can be registered as a NetBIOS name, for example the Messenger service.
Note: Communication in the network happens IP address to IP address, and ultimately MAC address to MAC address.

What was there in the network before WINS?

Initially the computers in the network communicated with broadcasts. If there is a small number of hosts there is no problem, but when there is a larger number of hosts on the network more traffic is generated. So later the lmhost file (LAN Manager Host file) was invented: the lmhost file on each computer is configured with an entry for each computer's IP address and NetBIOS name, so each computer looks into its lmhost file to resolve NetBIOS names. But configuring the lmhost file on each computer manually is time consuming and difficult. Later the centralized lmhost file was invented: the lmhost file is configured on one server and each computer is configured to use that file. But you still need to configure the centralized lmhost file manually. So Microsoft introduced WINS. With WINS you install WINS on a server in the network and configure the computers to use that WINS server. That's all; you need not configure anything on the WINS server. The WINS server makes an entry automatically when a client is initialized to use WINS.

Note: A UNIX host does not have the ability to register in the WINS database. But if a UNIX server is in the network and you need to resolve it, you need to configure the entry for that UNIX server manually in the WINS server.

What is the location of the lmhost file (LAN Manager Host file) in Windows 2000?
Winnt\system32\drivers\etc\lmhost.sam
Note: The extension indicates that it is a sample file. You create the lmhost file without that extension.
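The two notes above (the 15-character name plus one suffix byte, and the per-computer lmhost file) can be tied together in code. This is an added example, not from these notes and not Windows' own resolver: it builds the 16-byte NetBIOS name and parses a small file in the LMHOSTS layout (IP, name, optional #PRE and #DOM: keywords). The file contents and host names are constructed.

```python
# Added example (not from the notes): build the 16-byte NetBIOS name the note
# describes (15-character name plus a service suffix byte) and parse an
# LMHOSTS-style file. The file text is constructed for this example; the notes
# write the file name as lmhost(.sam).

WORKSTATION_SUFFIX = 0x00   # <00> workstation service
FILE_SERVER_SUFFIX = 0x20   # <20> file server (server) service

def netbios_name(host, suffix=FILE_SERVER_SUFFIX):
    """Return the 16-byte NetBIOS name: host upper-cased and space-padded to 15
    bytes, followed by the one-byte service suffix."""
    host = host.upper()
    if not host or len(host) > 15:
        raise ValueError("NetBIOS host part must be 1 to 15 characters")
    return host.ljust(15).encode("ascii") + bytes([suffix])

SAMPLE_LMHOSTS = """\
# constructed sample file, not a real network
192.168.10.5    FILESRV01      #PRE
192.168.10.6    PDC01          #PRE #DOM:CORP
192.168.10.7    unixbox        # a UNIX host that cannot register itself in WINS
"""

def parse_lmhosts(text):
    """Return {NAME: {'ip', 'preload', 'domain'}}. Keywords such as #PRE and #DOM:
    start with '#' like comments, so they are recognised before a trailing
    comment ends the line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or whole-line comment
        parts = line.split()
        ip, name, rest = parts[0], parts[1].upper(), parts[2:]
        preload, domain = False, None
        for token in rest:
            if token == "#PRE":
                preload = True
            elif token.startswith("#DOM:"):
                domain = token[len("#DOM:"):]
            elif token.startswith("#"):
                break                      # ordinary trailing comment
        entries[name] = {"ip": ip, "preload": preload, "domain": domain}
    return entries

def resolve(entries, host):
    """Resolve a host name the way the note describes: look it up in the parsed file."""
    entry = entries.get(host.upper())
    return entry["ip"] if entry else None

if __name__ == "__main__":
    table = parse_lmhosts(SAMPLE_LMHOSTS)
    print(table)
    print(netbios_name("filesrv01"))
    print(resolve(table, "pdc01"))
```

The parser shows why the note about UNIX hosts matters: a host that never registers with WINS can still be resolved only because someone typed its line into this file (or a static WINS mapping) by hand.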

What are the Windows 2000 WINS enhancements compared to previous versions?
• Better management interface
• Better clients
• Replication can maintain persistent connections
• Supports automatic partner discovery
• Integrates with DNS and DHCP
• Supports burst mode handling

Note: Windows 2000 doesn't use WINS for its naming structure; it uses DNS. The only time you need WINS in a Windows 2000 environment is when you want to resolve NetBIOS-based resources such as an NT file server. In a native Windows 2000 environment there is no need to use WINS.

How to install WINS?

Start -> Settings -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Select Network Services -> Select WINS -> Click Next -> insert the Windows 2000 CD -> click OK -> click Finish
This is all you have to do on the WINS server. Now go to each client and configure it to use the WINS server.

How to configure a client to use the WINS server?

Go to the client computer -> Open the TCP/IP Properties dialogue box -> Click on the Advanced button -> Click on the WINS tab -> give the IP address of the WINS server -> click OK

How to open WINS?

Start -> Programs -> Administrative Tools -> WINS
Or
Start -> Run -> winsmgmt.msc
How to see records in the WINS database?
Open the WINS MMC -> Right click on Active Registrations -> Select either Find by Owner or Find by Name -> Provide the appropriate details -> Then you can see the records in the WINS database.

How to configure an entry manually in WINS?

Open the WINS MMC -> Click on Active Registrations -> Right click in the right-hand pane -> Select New Static Entry -> Enter the NetBIOS name and IP address -> Click OK

Note: You can configure as many WINS servers as you want on the network. It does not matter which client uses which WINS server, but all WINS servers should be configured to replicate their data with each other.

How to configure the WINS servers to replicate the database with other WINS servers on the network?
Open the WINS MMC -> Right click on Replication Partners -> Select New Replication Partner -> Give the IP address of the other WINS server -> click OK

Note: By default WINS makes its replication partners push/pull replication partners.
Note: Group Policies won't apply to Windows 95/98 clients.

Software deployment through Group Policy: first create a shared folder and put the installation files in that shared folder.

What is the program that is used to create .msi files when .msi files are not available?
Wininstall

How to deploy software using Group Policy?

Open the Group Policy Object -> Here you have two places to set up deployment of software: Software Settings under Computer Configuration and Software Settings under User Configuration -> to set a package for either users or computers, right click on the appropriate Software Installation node -> Select New -> Select Package -> Select the .msi file or .zap file of the application -> Select either Assigned or Published -> Click OK.
Perform the above procedure for each application that you want to deploy through Group Policy.

What is the difference between deploying applications per computer and per user?

If you deploy applications per computer, the applications are deployed to that computer when the computer starts. If you deploy applications per user, the applications are deployed when a user logs on.
For computers you can only assign packages.
For users you can assign or publish packages.

What does assigning an application to a computer mean?

For computers we can only assign, we cannot publish. For computers, assign means the applications are installed when the computer starts. To assign applications to computers we have to have .msi files.

What is the difference between assigning and publishing a package to a user?

When we assign an application:
• Icons are placed (in the Start menu or on the desktop), but the application is installed on demand, i.e., only when you click on the icon is the application installed.
• Or the application is installed when you open a corresponding document.
• Or go to Add/Remove Programs and add the corresponding package.
When we publish an application:
• The application is installed when you open a corresponding document.
• Or go to Add/Remove Programs and add the corresponding package.

Note: With assign we can install a package in 3 ways, whereas with publish we can install it in 2 ways.

To assign a package you have to have a .msi file.
To publish a package you have to have either a .msi file or a .zap file.

Note: With assign you get more functionality than with publish. So whenever assigning is possible, choose assign.
Note: Only when you have a .msi file can you repair or upgrade that application. With .zap you cannot do either.

How to install published applications through Add/Remove Programs?

Start -> Settings -> Control Panel -> Add/Remove Programs -> Click on Add New Programs -> Click on the required application -> Click on the Add button.

How to upgrade an existing application in the Software Installation folder of a GPO?

How to apply service packs to an existing application in the Software Installation folder of a GPO?

How to delete an application from the Software Installation folder of a GPO?

How to set the minimum password length through Group Policy?

Open the GPO -> Click on Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> select Minimum password length -> give the number -> click OK

What do we call the area between two firewalls?

The area between two firewalls is called a DMZ (Demilitarized Zone) or screened subnet.
Note: Depending on the situation, Windows 2000 can be licensed in per-seat or per-server mode. Per-server can be changed to per-seat once. Per-seat is a permanent choice.
When licensing Windows 2000 Server, Client Access Licenses (CALs) must also be purchased for the number of clients that will be accessing the server, regardless of the desktop operating system installed on the clients.

Note: For disk management in Windows 2003 you can use the command line tool diskpart.exe (a new feature in Windows 2003). For more details type diskpart.exe at the command prompt and then type "?".

Note: ForeignSecurityPrincipals is the container for security principals from trusted external domains. Administrators should not manually change the contents of this container.
Note: By default Search doesn't display hidden files, i.e., if you are searching for a file which has the hidden attribute, even though it exists your search doesn't display it.

Note: By default Search doesn't display hidden files. But if you want to search hidden files also, you can do so by modifying the following key in the registry:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\
Here you can find the hidden attribute value. Click on it and change the value from 0 to 1.

File and folder attributes:

Write: Users can copy and paste new files and folders and users can change folder attributes. However, users cannot open or browse the folder unless you grant the Read permission.

Read: Users can see the names of files and subfolders in a folder and view folder attributes, ownership and permissions. Users can open and view files, but they cannot change files or add new files.

List Folder Contents: Users can see the names of files and subfolders in the folder. However, users cannot open files to view their contents.

Read & Execute: Users have the same rights as those assigned through the Read permission, as well as the ability to traverse folders. Traverse folder rights allow a user to reach files and folders located in subdirectories, even if the user does not have permission to access portions of the directory path.

What is the work of FRS (File Replication Service)?

It is used to replicate both the contents of the SYSVOL share between domain controllers and the contents of Distributed File System (DFS) replicas.

What are the contents of the SYSVOL folder?

SYSVOL includes the actual SYSVOL file share, the NETLOGON file share, all Windows 9x and Windows NT system policies, and all Windows 2000 and later Group Policy Objects (GPOs).
SYSVOL also contains all user and computer logon and logoff (and startup and shutdown) scripts. By default, SYSVOL is stored in C:\Windows\Sysvol, exists on all domain controllers, and should be identical on each domain controller in a domain.

What is a Distinguished Name (DN)?

The DN identifies the domain that holds the object, and it also provides the complete path through the container hierarchy by which the object is reached.
A typical DN is as follows: CN=someone, CN=Users, DC=Microsoft, DC=com.

What is a Relative Distinguished Name (RDN)?

The RDN is the part of the name that is an attribute of the object itself. In the above example the RDN of the user object someone is "CN=someone". The RDN of the parent object is "CN=Users".
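As an added example (not part of these notes), the following splits a DN into its RDNs and derives the three things the two answers above talk about: the object's own RDN, the parent container's DN, and the domain that holds the object (from the DC= components). It honours the backslash escaping of RFC 4514, so a comma inside a value such as a "Last, First" common name does not split the name. The second DN below is constructed.

```python
# Added example (not from the notes): split an LDAP distinguished name into its
# RDNs and derive the object's RDN, the parent container's DN and the domain
# from the DC components. Backslash escapes (RFC 4514) are honoured so that a
# comma inside a value does not split the name.

def split_dn(dn):
    """Return the RDNs of dn in the order written (object first, root last).
    A backslash escapes the next character, so 'CN=Doe\\, John' stays one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def rdn(dn):
    """The object's own naming attribute, e.g. 'CN=someone'."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """DN of the container that holds the object."""
    return ", ".join(split_dn(dn)[1:])

def domain_of(dn):
    """DNS name of the domain holding the object, built from the DC= components."""
    labels = []
    for r in split_dn(dn):
        attr, _, value = r.partition("=")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    return ".".join(labels)

if __name__ == "__main__":
    example = "CN=someone, CN=Users, DC=Microsoft, DC=com"   # the DN from the notes
    print(rdn(example), "|", parent_dn(example), "|", domain_of(example))
```

The escape handling is the part worth keeping in mind when scripting against the directory: a naive `split(",")` turns "CN=Doe\, John" into two bogus components, and code that builds an ACL or a search filter from such a split can end up targeting the wrong object.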

Note: Replication happens every 5 minutes, because if replication happened immediately for each modification there would be more traffic; so the modifications made during the default interval are replicated collectively.

How do you determine the operating system type that you are working on?
Right click on My Computer -> Select Properties -> on the General tab you can see the operating system type and version.

ADSI Edit:
When you open ADSI Edit you can see 3 database partitions, i.e., the domain partition, the configuration partition and the schema partition. Under these you can see the CNs and distinguished names of the different objects.

How to cluster two computers?

First go to one of the computers that is going to be clustered.
Start -> Programs -> Administrative Tools -> Cluster Administrator -> You will get the Open Connection to Cluster dialogue box (if you don't get this dialogue box, click on File -> Open Connection) -> Select Create new cluster -> Go through the wizard.

Then go to the 2nd computer.
Start -> Programs -> Administrative Tools -> Cluster Administrator -> You will get the Open Connection to Cluster dialogue box (if you don't get this dialogue box, click on File -> Open Connection) -> Select Add a node to the cluster -> Go through the wizard.

Note: In 2003 Cluster Administrator is installed by default.
In 2000 Cluster Administrator is installed when the Cluster Service component is installed.

How to install the Cluster Service component?

Start -> Settings -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Select Cluster Service -> Click OK

Note: By using Cluster Administrator you can configure, control, manage and monitor clusters.

Note: Clustering is only supported with Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, Windows 2000 Advanced Server and Windows 2000 Datacenter Server.

A cluster consists of at least two connected physical computers, or nodes, and a shared storage device, such as a RAID-5 disk set on a shared channel. The cluster provides a redundant hardware solution. Because services can run on one or both of the nodes in the cluster, users can connect to either node in the same way that they would connect to a stand-alone server, thereby providing greater availability to users.

What is failover?
The Cluster service monitors the services on all nodes. If a node fails, the Cluster service restarts or moves the services of the failed node to a functional node. This process is called failover. The ability to use multiple servers at all times reduces system costs while increasing reliability, because you do not have to dedicate servers to disaster recovery. When the failed node is restored, the resources may be returned to the original node. This process is called failback. Failover and failback in a cluster can be performed manually by the people who maintain the cluster, or can occur automatically when there is an unplanned hardware or application failure.

What are active/active clustering and active/passive clustering?
Active/active clustering describes clustering where both members of the cluster are online and able to accept user service requests. This is different from active/passive clustering, where only one member of the cluster provides service to users at a time. Active/passive is the preferred and recommended cluster configuration.
In an active/passive cluster, the cluster includes at least one passive node and one or more active nodes. A node is active if it runs an instance of an Exchange Virtual Server (EVS). A node is passive if it does not run an instance of an EVS or any other application. A passive node is ready to take over the tasks of an active node whenever a failover occurs on any active node. Whether a node is active or passive may change over the lifetime of the node. After a failover, the passive node which now runs the failed-over EVS is an active node and the original node becomes a passive node. In an active/passive cluster the active node is actively handling requests while the passive node is standing by, waiting for another node to fail.
Similar to active/passive clustering, in active/active clustering, when one node fails or is taken offline the other node in the cluster takes over for the failed node. However, because the failover causes the other node to take on additional processing operations, the overall performance of your Exchange cluster may be reduced.

Note: Microsoft recommends active/passive cluster configurations over active/active configurations. Active/active clusters have more limitations than active/passive clusters: they have a limit of 1,900 concurrent connections to a node hosting EVSs, and they are only supported on two nodes.

Note: Windows 2000 Advanced Server supports 2-node clustering.
Windows 2000 Datacenter Server supports 4-node clustering.
Windows 2003 Enterprise and Datacenter support 8-node clustering.
Kerberos Authentication
• Kerberos is the Internet standard security protocol for handling
authentication of users or system identity.
• Kerberos allows UNIX clients and servers to have Active Directory accounts
and obtain authentication from a domain controller.
• Services can impersonate users allowing middle-tier service to authenticate
to a back-end data server on behalf of the user.
Scripts
Scripts are used to run commands automatically when a user logs on. Generally in small organizations scripts are used to map drives automatically.
How to create a script?
Open Notepad.
Write the script.
Save it as a *.bat file in the NETLOGON folder.
Then go to the properties of the user for whom you want to run that particular script -> Click on Profile -> type the file name in the Logon script box (just type the file name, no need to give the path of the file) -> Click OK.
Example of a script for mapping drives.
Open a Notepad file and type the following two lines as they are:
net use p: \\liveserver\common
net use x: \\liveserver\pdata
Save it as *.bat in the NETLOGON folder.
Note: The contents of a script file are nothing but commands that we use at the command prompt. A user could run these commands after logging on and get the same functionality, but running all these commands at each logon would be tedious. So, to run all these commands automatically whenever a user logs on, we use scripts.
Note: The location of the NETLOGON folder is My Network Places -> Entire Network -> Microsoft Windows Network -> Click on the domain name -> Click on the server name -> Select the NETLOGON folder.
Note: Actually NETLOGON is not a folder but the share name of the folder %systemroot%\sysvol\sysvol\domainname.com\scripts. So there is no folder called NETLOGON on the server; it is the share name of the scripts folder. So when you save a script file it is saved in the scripts folder.
Note: You have to store scripts in the scripts folder, so that when SYSVOL is replicated to all domain controllers in the domain these scripts are also replicated.
Note: In the SYSVOL folder, policies and scripts are stored in respective subfolders.

Suppose you have deleted Active Directory Users and Computers from Administrative Tools; how do you restore it?
Start -> Programs -> Right click on Administrative Tools -> Select Open All Users -> Right click in the window -> go to New -> Select Shortcut -> click on Browse -> My Computer -> C:\Windows\System32 -> Select dsa.msc -> Click OK -> Give the name as Active Directory Users and Computers -> Click OK.
Note: You can add any snap-in to Administrative Tools in the same way.
Note: The same procedure applies to anything you want to place in the Start menu: right click on the parent folder, select Open All Users, and create a shortcut there, that's all.

How to dismount a volume through the command line?

The command to dismount a volume from the command prompt is
fsutil volume dismount <volume pathname>

How can I quickly find all the listening or open ports on my computer?
Usually, if you want to see all the used and listening ports on your computer, you use the NETSTAT command.
Open a command prompt and type:
netstat -an | find /i "listening"
This command displays all listening ports.
netstat -an | find /i "listening" > c:\openports.txt
This command redirects the output to the file openports.txt on the C: drive.
netstat -an | find /i "listening" > c:\openports.txt
This command is used to see what ports your computer actually communicates with.
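The find /i "listening" pipe only filters lines; to act on the result you usually want it parsed. The following is an added example (not from these notes) that reads "netstat -an" output in the Windows column layout, lists the listening ports, and reports any listener on a non-loopback address that is not on an allow-list, which is the check an administrator actually wants from openports.txt. The netstat output below is constructed, not captured from a real host.

```python
# Added example (not from the notes): parse the output of "netstat -an" (Windows
# column layout, sample constructed here) so the listening ports can be checked
# against an allow-list instead of just eyeballed in openports.txt.

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     192.168.1.20:445       ESTABLISHED
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

def parse_netstat(text):
    """Return one dict per socket line: proto, local addr, port, foreign, state.
    UDP lines carry no state. IPv6 addresses are bracketed, so the port is split
    off at the last colon."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                          # header, blank line, or unknown protocol
        addr, _, port = parts[1].rpartition(":")
        rows.append({
            "proto": parts[0],
            "addr": addr.strip("[]"),
            "port": int(port),
            "foreign": parts[2],
            "state": parts[3] if len(parts) > 3 else None,
        })
    return rows

def listening_ports(text):
    """Sorted (proto, port) pairs in LISTENING state: what the find /i "listening" pipe shows."""
    return sorted({(r["proto"], r["port"]) for r in parse_netstat(text)
                   if r["state"] == "LISTENING"})

def unexpected_listeners(text, allowed):
    """Listening ports bound to a non-loopback address that are not in the allow-list."""
    return sorted({r["port"] for r in parse_netstat(text)
                   if r["state"] == "LISTENING"
                   and r["addr"] not in ("127.0.0.1", "::1")
                   and r["port"] not in allowed})

if __name__ == "__main__":
    print(listening_ports(SAMPLE_NETSTAT))
    # constructed allow-list: RPC endpoint mapper and SMB are expected on this host
    print("unexpected:", unexpected_listeners(SAMPLE_NETSTAT, {135, 445}))
```

On the sample, port 3389 (Remote Desktop) is reported as unexpected because it listens on the LAN address and is not in the allow-list, while 5357 is ignored because it is bound to loopback only.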

Note: Suppose you have some roles on a domain controller. Without transferring the roles to another domain controller you have demoted the domain controller to a member server with the command dcpromo. What will happen?
When you demote a domain controller which holds roles with the command dcpromo, during the demotion the roles are transferred to the nearest domain controller.

What is the location of Device Manager?

Right click on My Computer -> go to Properties -> Click on the Hardware tab -> Click on Device Manager
Or
Start -> Programs -> Administrative Tools -> Computer Management -> Device Manager
Or
Start -> Run -> type compmgmt.msc

Where do you get the Windows 2000 Professional Resource Kit?

You get the Windows 2000 Professional Resource Kit along with a Microsoft TechNet subscription.
Note: If you want complete information about the system hardware, software and everything regarding the system, use the command winmsd.exe.
Note: Disk quotas cannot be applied to groups in Windows 2000/2003. You can apply disk quotas to groups in Unix.
Windows Server 2003
When you first log on to a new installation of W2K3 the default desktop is blank apart from the Recycle Bin. All the rest of the icons have moved to the Start menu.
You can readjust the desktop to the old Windows 2000 style in the following way:
Right click on the Taskbar -> Select Properties -> Click on the Start Menu tab -> Select Classic
Right click on the Start menu -> Select Properties -> Select Classic Start menu

What is the Manage Your Server Wizard?

When you first log on to Windows 2003 you get the Manage Your Server Wizard.
A host of configuration and management tools have been brought together in the Manage Your Server Wizard. It also includes the ability to configure a profile, called a server role. There are 11 roles. (What are they?)
The roles are:
• File server
• Print server
• Application server (IIS, ASP.NET)
• Mail server (POP3, SMTP)
• Terminal server
• Remote Access/VPN server
• Domain Controller (Active Directory)
• DNS server
• DHCP server
• Streaming Media server
• WINS server
There is a role called "Application server", but this provides IIS, ASP.NET and web development functionality only and should only be selected if these are required.

How to add a role to a server?

Click on the Start menu -> Choose Manage Your Server -> Click on the Add or Remove a Role icon -> Highlight the role you wish to add -> Click Next
Note: When adding a role, depending on your choice, you may be prompted to provide additional information to configure the role. You may also be prompted for the W2K3 CD if additional files are required.
You can remove a role from the server using this wizard:
Click on the Start menu -> Choose Manage Your Server -> Click on the Add or Remove a Role icon -> Highlight the role you wish to add or remove -> Click Next
In this way, if a role has not been added it can be added; if it has already been added, you can remove it.
Note: If the role you want to add or remove is not listed in the Manage Your Server Wizard, go to Add/Remove Programs.
Note: You can change the computer name by using the Manage Your Server Wizard; you can also add it to a workgroup or domain.
Remote Administration (formerly Terminal Services in Administration Mode)
Remote Administration is now installed by default; you do not need to install Terminal Services separately, as that is now solely for user terminal sessions. It will need to be enabled and access granted to the appropriate users. Administrator has access by default, but you must have a password set, otherwise you will not be able to log on.
Remote Administration can be configured by:
Right click on My Computer -> Select Properties -> click on the Remote tab
Adding/removing users for Remote Administration:
Click on the Select Remote Users button -> click on the Add/Remove button -> If adding, either enter the full user name (Domain\username) or select Advanced and search for the user locally or in a domain.

Volume Shadow Copy (currently not recommended)

Volume Shadow Copy Service (VSS) was specifically designed to provide point-in-time snapshots of volumes and to eliminate problems with backups of open files. It can also provide recovery of files for end users or administrators without having to do a restore from backup.
The shadow copy process works on a schedule and is not recommended to be run more than once per hour. The default schedule is twice a day.
In order for the copies to work you will need to set aside a certain amount of space on the same or another volume.
Users can access the previous versions of files through Explorer. If they have Windows 2000 they will require the installation of client software to enable the Explorer options.
Note: In Windows 2003 up to 32 servers can work in an NLB cluster.
In Windows 2003 up to 8 servers can participate in a server cluster.

Windows System Resource Manager (WSRM)

Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications. It is useful for consolidating applications while ensuring they are given the resources they require to run on a single server.
Note: WSRM only runs on Windows Server 2003 Enterprise and Datacenter Editions.
WSRM allows administrators to control CPU and memory resource allocation to applications, services and processes. This feature can be used to manage multiple applications on a single computer or multiple users on a computer that runs Microsoft Terminal Services. The WSRM architecture also allows administrators to manage resources on multiple systems. WSRM provides a GUI as well as command line interfaces for resource management.

What is the location of the event log files in the system?

The location of the Event Viewer log files is %systemroot%\system32\config\. All event log files, i.e., the application log, security log, system log etc., are stored here.

What are the switches that are available with repadmin?

repadmin /showrepl: shows replication status.
repadmin /failcache: shows recent failed cached replication events.
repadmin /syncall: synchronizes replication to all domain controllers in the entire forest. If you want to synchronize only one domain controller, type the FQDN of the domain controller after repadmin /syncall.
Nltest
Replmon
Adsiedit.msc

How to associate an existing subnet object with a site?

Associate an existing subnet with a site under the following conditions:
• When you are removing the site with which the subnet was associated.
• When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.
Required credentials: Enterprise Admins
To associate an existing subnet object with a site:
Start -> Programs -> Administrative Tools -> Active Directory Sites and Services -> Click on Sites -> Click on the Subnets container -> Right click on the subnet that you want to associate with the site and click on Properties -> In the Site box click the site with which you want to associate the subnet -> click OK.

How to change the delay of initial notification of an intrasite replication partner?
Or
How to change the default replication interval between domain controllers within a site?
The default replication interval between the domain controllers within a site is 5 minutes (300 seconds). To change the interval follow the steps below:
Log in as Domain Administrator -> Start -> Run -> Regedt32.exe -> Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\ -> Click on Parameters -> Double click on Replicator notify pause after modify (secs) -> In the Base box, click Decimal -> In the Value data box, type the number of seconds for the delay -> Click OK

How to change the garbage collection period?

The garbage collection period determines how often expired tombstones are removed from the directory database. This period is governed by an attribute value on the Directory Service object in the configuration container. The default value is 12 (hours).
Decrease the period to perform garbage collection more frequently. Increase the period to perform garbage collection less frequently.

Log in as Enterprise Admin -> Start -> Programs -> Support Tools -> Tools -> ADSI Edit -> Expand the Configuration container -> Expand CN=Configuration -> Expand CN=Services -> Expand CN=Windows NT -> Right click CN=Directory Service -> click on Properties -> Click garbageCollPeriod -> click Set -> Click OK

How to change the Priority for DNS SRV Records in the Registry?
To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients choose randomly from the group of domain controllers with that value. If no domain controller with the lowest priority value is available, the clients send requests to the domain controller with the next highest priority. A domain controller's priority value is stored in the registry. When the domain controller starts, the Net Logon service registers the domain controller, and the priority value is registered with the rest of its DNS information. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. The client uses the priority values to help determine which domain controller to send requests to.
The value is stored in the LdapSrvPriority registry entry. The default value is 0, and it can range from 0 through 65535.
Note: A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.
To change the priority for DNS SRV records in the registry:
Log on as Domain Admin --> Start --> Run --> Regedit --> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters --> Click Edit --> Click New --> Click DWORD Value --> For the new value name, type LdapSrvPriority --> Press Enter --> Double-click the value name you just typed to open the Edit DWORD Value dialog box --> Enter a value from 0 through 65535 (the default value is 0) --> Choose Decimal as the Base option --> Click OK --> Close the Registry Editor.

How to change the Weight for DNS SRV Records in the Registry?
To increase the share of client requests sent to other domain controllers relative to a particular domain controller, adjust the weight of that domain controller to a lower value than the others. All domain controllers start with a default weight setting of 100 and can be configured with any value from 0 through 65535, with a data type of decimal. When you adjust the weight, think of it as the ratio of the weight of this domain controller to the weight of the other domain controllers. Because the default for the other domain controllers is 100, the number you enter for the weight is divided by 100 to establish the ratio. For example, if you specify a weight of 60, the ratio to the other domain controller is 60/100. This reduces to 3/5, so you can expect clients to be referred to the other domain controller 5 times for every 3 times they are referred to the domain controller you are adjusting.
To change the weight for DNS SRV records in the registry:
Log on as Domain Admin --> Start --> Run --> Regedit --> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters --> Click Edit --> Click New --> Click DWORD Value --> For the new value name, type LdapSrvWeight --> Press Enter --> Double-click the value name you just typed to open the Edit DWORD Value dialog box --> Enter a value from 0 through 65535 (the default value is 100) --> Choose Decimal as the Base option --> Click OK --> Close the Registry Editor.
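As an added example (not from the original document), the following PowerShell reads the priority and weight each domain controller advertises in its _ldap._tcp.dc._msdcs SRV records, reads the LdapSrvPriority/LdapSrvWeight overrides on the local host, and works out the share of referrals the weights imply, generalising the 60/100 case above to any number of domain controllers. The domain and host names in the sample data are constructed placeholders; Resolve-DnsName is assumed available (Windows 8 / Server 2012 or later) for the live query.

```powershell
# Added example, not part of the original document. Audits the SRV priority and
# weight advertised per domain controller and the registry overrides on this
# host. Requires Resolve-DnsName (Windows 8 / Server 2012 or later) for the
# live query; the sample data below is constructed and runs anywhere.

function Get-DcSrvAdvertisement {
    param([Parameter(Mandatory)][string]$DomainName)

    # One SRV record is registered by Net Logon per DC; Priority and Weight are
    # the values set via LdapSrvPriority / LdapSrvWeight (defaults 0 and 100).
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{
                Server   = $_.NameTarget
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

function Get-ExpectedReferralShare {
    # Client behaviour described above: only the DCs in the lowest priority
    # group are candidates, and within that group a DC's share of referrals is
    # its weight divided by the sum of the group's weights.
    param([Parameter(Mandatory)][object[]]$Records)

    $lowest = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $group  = @($Records | Where-Object { $_.Priority -eq $lowest })
    $total  = ($group | Measure-Object -Property Weight -Sum).Sum

    foreach ($r in $group) {
        $share = if ($total -gt 0) { [math]::Round($r.Weight / $total, 3) } else { 0 }
        [pscustomobject]@{ Server = $r.Server; Priority = $r.Priority; Weight = $r.Weight; Share = $share }
    }
}

function Get-LocalNetlogonSrvOverride {
    # Reads the overrides on this DC; a missing value means the default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $priority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
    $weight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
    [pscustomobject]@{ LdapSrvPriority = $priority; LdapSrvWeight = $weight }
}

# Constructed sample: dc1 has been lowered to weight 60 as in the text, dc2 keeps
# the default 100, and dc3 sits in a higher (less preferred) priority group, so
# it receives no referrals while dc1 or dc2 answer.
$sample = @(
    [pscustomobject]@{ Server = 'dc1.example.test'; Priority = 0;  Weight = 60  }
    [pscustomobject]@{ Server = 'dc2.example.test'; Priority = 0;  Weight = 100 }
    [pscustomobject]@{ Server = 'dc3.example.test'; Priority = 10; Weight = 100 }
)
Get-ExpectedReferralShare -Records $sample | Format-Table -AutoSize

# Live check on a domain-joined host (uncomment to run):
# $live = Get-DcSrvAdvertisement -DomainName (Get-CimInstance Win32_ComputerSystem).Domain
# Get-ExpectedReferralShare -Records $live | Format-Table -AutoSize
# Get-LocalNetlogonSrvOverride
```

Comparing the advertised values with the registry overrides on each DC catches a stale SRV record left behind after a registry change that Net Logon has not yet re-registered.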

How to check Directory Database Integrity?
Before performing any other troubleshooting procedure for a suspected database problem, or immediately after an offline defragmentation, perform a database integrity check.
Restart the domain controller in Directory Services Restore Mode --> Open a command prompt --> Type ntdsutil and press Enter --> Type files and press Enter --> Type integrity and press Enter.
Note the status that is reported when the integrity check is completed.
• If the integrity check completes successfully, type q and press Enter to return to the ntdsutil prompt. Then proceed to semantic database analysis.
• If the integrity check reports errors, perform directory database recovery.
Semantic Database Checkup:
At the ntdsutil prompt, type semantic database analysis and press Enter --> At the semantic checker: prompt, type verbose on and press Enter --> At the semantic checker: prompt, type go and press Enter.
Complete the database integrity check as follows:
• If no errors are detected in the status at the end of the procedure, type quit again to close Ntdsutil.exe, and then restart in normal mode.
• If semantic database analysis reports recoverable errors, perform semantic database analysis with fixup. If the errors are not recoverable, either restore the domain controller from backup or rebuild the domain controller.

How to do metadata cleanup?
If you give the new domain controller the same name as the failed computer, you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, you need to perform all three procedures: clean up the metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container.
Log on as Enterprise Admin --> Open a command prompt --> Type ntdsutil --> Type metadata cleanup --> At the metadata cleanup: prompt, type connect to server servername, where servername is the name of the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller, and press Enter --> Type quit and press Enter to return to the metadata cleanup: prompt --> Type select operation target and press Enter --> Type list domains and press Enter; this lists all the domains in the forest with a number associated with each --> Type select domain number, where number is the number corresponding to the domain in which the failed server was located, and press Enter --> Type list sites and press Enter --> Type select site number, where number is the number of the site of which the domain controller was a member, and press Enter --> Type list servers in site and press Enter --> Type select server number, where number refers to the domain controller to be removed, and press Enter --> Type quit and press Enter; the metadata cleanup menu is displayed --> Type remove selected server and press Enter.
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the object might already have been removed from Active Directory.
Type quit and press Enter until you return to the command prompt.
If the new domain controller receives a different name than the failed domain controller, perform the following additional steps.
Note: Do not perform the additional steps if the computer will have the same name as the failed computer. Ensure that a hardware failure was not the cause of the problem. If faulty hardware is not replaced, restoring through reinstallation might not help.
To remove the failed server object from the site:
In Active Directory Sites and Services, expand the appropriate site --> Delete the server object associated with the failed domain controller.
To remove the failed server object from the Domain Controllers container:
In Active Directory Users and Computers, expand the Domain Controllers container --> Delete the computer object associated with the failed domain controller.
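A stale server or computer object for a decommissioned domain controller keeps showing up in replication topology and keeps a machine account alive, so it is worth confirming the procedure above actually removed everything. The following PowerShell is an added example (not the document's own procedure) that searches for the three objects the procedure deletes; the server name is a placeholder you supply, and it assumes the .NET System.DirectoryServices classes available on any domain-joined Windows host.

```powershell
# Added example, not part of the original document. After the ntdsutil
# procedure above, confirm that nothing referring to the failed domain
# controller is left behind: its NTDS Settings object, its server object under
# CN=Sites, and its computer account in the Domain Controllers OU. Uses the
# .NET System.DirectoryServices classes, so it runs on any domain-joined
# Windows host with PowerShell; the server name is a placeholder you supply.

Add-Type -AssemblyName System.DirectoryServices

function Search-Ldap {
    # Minimal paged LDAP search returning distinguished names only.
    param([string]$BaseDn, [string]$Filter, [string]$Scope = 'Subtree')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a host name cannot alter the filter's structure.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-FailedDcLeftovers {
    param([Parameter(Mandatory)][string]$ServerName)

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = [string]$rootDse.configurationNamingContext.Value
    $defaultNc = [string]$rootDse.defaultNamingContext.Value
    $name      = ConvertTo-LdapFilterValue $ServerName
    $leftovers = @()

    # 1. Server object(s) in Sites and Services, plus any NTDS Settings child
    #    (the object that "remove selected server" deletes).
    foreach ($dn in (Search-Ldap -BaseDn "CN=Sites,$configNc" -Filter "(&(objectClass=server)(cn=$name))")) {
        $leftovers += [pscustomobject]@{ Kind = 'Server object (Sites and Services)'; DistinguishedName = $dn }
        foreach ($ntds in (Search-Ldap -BaseDn $dn -Filter '(objectClass=nTDSDSA)' -Scope 'OneLevel')) {
            $leftovers += [pscustomobject]@{ Kind = 'NTDS Settings object'; DistinguishedName = $ntds }
        }
    }

    # 2. Computer account in the Domain Controllers container.
    $computerFilter = "(&(objectClass=computer)(sAMAccountName=$name`$))"
    foreach ($dn in (Search-Ldap -BaseDn "OU=Domain Controllers,$defaultNc" -Filter $computerFilter)) {
        $leftovers += [pscustomobject]@{ Kind = 'Computer object (Domain Controllers OU)'; DistinguishedName = $dn }
    }

    $leftovers
}

# Placeholder name: replace with the NetBIOS name of the failed domain controller.
$left = @(Find-FailedDcLeftovers -ServerName 'FAILED-DC')
if ($left.Count -eq 0) {
    'No leftover objects found; metadata cleanup is complete.'
} else {
    $left | Format-Table -AutoSize
}
```

If the new domain controller reuses the failed one's name, only the NTDS Settings entry should be absent and the other two objects are expected to remain.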

How to view the list of preferred bridgehead servers?
To see all servers that have been selected as preferred bridgehead servers in a forest, view the bridgeheadServerListBL attribute on the IP container object.
Log in as Domain Admin --> Open ADSI Edit --> Expand the Configuration container --> Expand CN=Configuration,DC=ForestRootDomainName, CN=Sites, and CN=Inter-Site Transports --> Right-click CN=IP and then click Properties --> In the Select a property to view box, click bridgeheadServerListBL.
The Values box displays the distinguished name of each server object that is currently selected as a preferred bridgehead server in the forest. If the value is <not set>, no preferred bridgehead servers are currently selected.

How to view replication metadata of an object?
Replication metadata identifies the history of attributes that have been replicated for a specified object. Use this procedure to identify the times, dates, and Update Sequence Numbers (USNs) of attribute replications, as well as the domain controller on which the replication originated.
To view the replication metadata of an object:
Log in as Domain Admin --> Open a command prompt, type the following command and press Enter.
Repadmin /showmeta DistinguishedName ServerName /u:DomainName\Username /pw:*
Where:
• DistinguishedName is the LDAP distinguished name of an object that exists on ServerName.
• DomainName is the domain of ServerName.
• Username is the name of an administrative account in that domain.
Note: If you are logged on as an administrator in the domain of the destination domain controller, omit the /u: and /pw: switches.

How to verify the existence of the Operations Masters?
Or
How do you verify whether the Operations Masters are working properly or not?
This test verifies that the operations masters are located and that they are online and responding.
Dcdiag /s:domaincontroller /test:knowsofroleholders
Dcdiag /s:domaincontroller /test:fsmocheck

How to verify that the Windows Time Service is synchronizing time?
To verify, use the following commands.
Net stop w32time
W32tm -once -test
Net start w32time

How to verify successful replication to a Domain Controller?
Use Repadmin.exe to verify the success of replication to a specific domain controller. Run the /showreps command on the domain controller that receives replication (the destination domain controller). In the output under INBOUND NEIGHBORS, Repadmin.exe shows the LDAP distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows.
• Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
• Last attempt @ [Never] was successful.
To verify successful replication to a domain controller, use the following command:
Repadmin /showreps ServerName /u:DomainName\Username /pw:*
Where ServerName is the name of the destination domain controller.
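Reading the INBOUND NEIGHBORS block by eye does not scale past a few partners, so the following PowerShell is an added example (not from the original document) that parses that block and reports, per partition and source partner, whether the last attempt succeeded, failed (with its result code), or never happened. The sample text it runs on is constructed to follow the repadmin /showreps format described above.

```powershell
# Added example, not part of the original document. Parses the INBOUND
# NEIGHBORS section of repadmin /showreps and reports, per partition and
# source partner, whether the last inbound attempt succeeded, failed (with
# the Win32 result code), or never happened. The sample text below is
# constructed to match the output format described above.

function Get-InboundReplicationStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $inInbound = $false
    $partition = $null
    $partner   = $null
    $transport = $null

    foreach ($line in $Lines) {
        # Section headers look like "==== INBOUND NEIGHBORS ====...".
        if ($line -match '^==== INBOUND NEIGHBORS') { $inInbound = $true;  continue }
        if ($line -match '^==== ')                  { $inInbound = $false; continue }
        if (-not $inInbound) { continue }

        # Partition DNs start in column 1; partner lines are indented.
        if ($line -match '^(?<dn>(CN|DC)=.+)$') { $partition = $Matches.dn; continue }
        if ($line -match '^\s+(?<partner>\S+\\\S+) via (?<transport>\S+)') {
            $partner   = $Matches.partner
            $transport = $Matches.transport
            continue
        }

        if ($line -match 'Last attempt @ (?<when>\[Never\]|\S+ \S+) (?<outcome>was successful|failed, result (?<code>\d+))') {
            $code = if ($Matches['code']) { [int]$Matches['code'] } else { 0 }
            [pscustomobject]@{
                Partition      = $partition
                Partner        = $partner
                Transport      = $transport
                LastAttempt    = $Matches.when
                Succeeded      = ($Matches.outcome -eq 'was successful')
                NeverAttempted = ($Matches.when -eq '[Never]')
                ResultCode     = $code
            }
        }
    }
}

# Constructed sample in the repadmin /showreps format (not real output).
$sampleText = @'
Default-First-Site-Name\DC1
DSA Options: IS_GC

==== INBOUND NEIGHBORS ======================================

DC=example,DC=test
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2010-05-03 11:23:45 was successful.

CN=Configuration,DC=example,DC=test
    Branch-Site\DC3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2010-05-03 11:20:10 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        12 consecutive failure(s).
        Last success @ 2010-05-01 08:00:00.

CN=Schema,CN=Configuration,DC=example,DC=test
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ [Never] was successful.

==== KCC CONNECTION OBJECTS ============================================
'@
$sample = $sampleText -split "`r?`n"

$status   = @(Get-InboundReplicationStatus -Lines $sample)
$problems = @($status | Where-Object { -not $_.Succeeded -or $_.NeverAttempted })
$status | Format-Table Partition, Partner, LastAttempt, Succeeded, ResultCode -AutoSize
"{0} of {1} inbound links need attention" -f $problems.Count, $status.Count

# Against a live destination DC: Get-InboundReplicationStatus -Lines (repadmin /showreps)
```

A "[Never]" attempt is flagged alongside failures because a partner that has never been contacted is as much a gap in convergence as one that is currently failing.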

How to verify that Replication is functioning?
To check whether replication is working, use the following command:
Dcdiag /test:replications
To verify that the proper permissions are set for replication, use the following command:
Dcdiag /test:netlogons

How to verify network connectivity?
To verify network connectivity, first ping your own IP address, then ping the default gateway, and then ping the remote computer.
To verify that the routers on the way to the destination are functioning correctly, use the pathping command:
Pathping <IP address>

What is the switch that is used to restart in Directory Services Restore Mode in the boot.ini file?
Use the following switch along with the path:
/safeboot:dsrepair (I hope this switch is available in Windows 2003 only)

Suppose the ipconfig /registerdns command is not working. What could be the problem?
The DHCP Client service might be stopped. Go to services.msc and enable the DHCP Client service.

What are the functional levels we have in Windows 2003?
There are 2 types of functional levels in Windows 2003:
• Forest Functional Level
• Domain Functional Level

What is forest functional level in Windows 2003?
The functional level of an Active Directory forest that has one or more domain controllers running Windows Server 2003. The functional level of a forest can be raised to enable new Active Directory features that will apply to every domain controller in the forest. There are 3 forest functional levels:
• Windows 2000 (supports NT, 2000, 2003 domain controllers)
• Windows Server 2003 interim (supports only NT, 2003 domain controllers)
• Windows Server 2003 (supports only 2003 family domain controllers)
Note: When you raise the functional level to Windows Server 2003 interim or Windows Server 2003, you get advanced forest-wide Active Directory features.

What is domain functional level in Windows 2003?
The functional level of an Active Directory domain that has one or more domain controllers running Windows Server 2003. The functional level of a domain can be raised to enable new Active Directory features that will apply to that domain only. There are 4 domain functional levels:
• Windows 2000 mixed (supports NT, 2000, 2003 domain controllers)
• Windows 2000 native (supports 2000, 2003 domain controllers only)
• Windows Server 2003 interim (supports NT, 2003 domain controllers only)
• Windows Server 2003 (supports only 2003 domain controllers)
Note: When you raise the domain functional level, you get additional features.
Note: By default, a domain operates at the Windows 2000 mixed functional level.

How to raise the forest functional level in Windows 2003?
Start --> Programs --> Administrative Tools --> Active Directory Domains and Trusts --> Right-click Active Directory Domains and Trusts --> Select Raise Forest Functional Level --> Select the required forest functional level --> Click OK.
Note: To perform this you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group.

How to raise the domain functional level in Windows 2003?
Start --> Programs --> Administrative Tools --> Active Directory Users and Computers --> Right-click the domain name --> Select Raise Domain Functional Level --> Select the appropriate domain level --> Click OK.

Note: If the functional level is Windows Server 2003, you get all the features that are available with 2003. When Windows NT or Windows 2000 domain controllers are included in your domain or forest along with domain controllers running Windows Server 2003, Active Directory features are limited.

Note: Once you raise the domain or forest functional level, you cannot revert back.
Advantages of different functional levels:
Whenever you are in Windows 2000 mixed mode, the advantage is that you can use Windows NT, 2000 and 2003 domain controllers. The limitations are:
• You cannot create universal groups.
• You cannot nest groups.
• You cannot convert groups (i.e., conversion between security groups and distribution groups).
• Some additional dial-in features are disabled.
• You cannot rename the domain controller.
• SID history is disabled.

About cable modems
Unlike traditional modems, which convert analog and digital signals to exchange data over a telephone line, cable modems use Internet Protocol to transmit data over a cable television line.
About digital subscriber lines
Digital subscriber lines, such as ADSL or DSL, are high-speed Internet connections offered by an Internet service provider (ISP). You operate as though you are on a network and are assigned an IP address.
About ISDN lines
Integrated Services Digital Network (ISDN) lines are digital telephone services that can transmit digital and voice data at much faster speeds than traditional modems.

What is Automated System Recovery?
Windows Server 2003 has some tools to assist the administrator in safeguarding the system against failure. One such tool is the Automated System Recovery (ASR) set, which should be created after installing the server, after major changes are made, and also on a regular schedule.

How to create an ASR set?
Log on as Administrator or Backup Operator --> Start --> Run --> ntbackup.exe --> Select Automated System Recovery.

How to recover from a system failure with the ASR set?
Insert the original operating system installation CD into the CD drive --> Restart your computer --> Boot from the CD --> Press F6 when prompted for Automated System Recovery --> Insert the ASR floppy disks.

How to redirect the output of a command to a text file from the command prompt?
To redirect the output of a command to a text file, use the following syntax:
Commandname > filename.txt

What is the command that is used to display and modify the security permissions of a folder?
The command is xcacls.exe.

What is teaming?
Teaming is the concept of combining two or more LAN cards for more speed. For n LAN cards there will be only one IP address. By teaming you can increase speed. For example, if you are teaming 5 LAN cards of 100 Mbps, your network speed is now 500 Mbps.
Note: You can assign one IP address to n LAN cards, and at the same time you can assign n IP addresses to one LAN card.

Skills required for Microsoft Server Administrator
Microsoft has specified more than twenty-five objectives for the 70-297 test, which are grouped under four topics. Following are the important areas in which an individual should possess good knowledge before taking the 70-297 test:

1. Analyzing business and technical requirements of an organization.
2. Analyzing the impact of Active Directory on the existing technical environment.
3. Analyzing existing and planned business models and organizational structure.
4. Analyzing the structure of IT management.
5. Evaluating the company's existing and planned technical environments.
6. Analyzing existing network operating system implementation.
7. Analyzing the impact of Active Directory on a planned environment.
8. Analyzing the business requirement for client computer desktop management.
9. Analyzing security requirements for the Active Directory directory service.
10. Designing an Active Directory and domain structure.
11. Designing an Active Directory naming strategy including planning of DNS.
12. Designing an organizational unit structure and a site structure. Designing a replication strategy.
13. Designing a user and computer authentication strategy.
14. Designing the placement of operations masters, global catalog servers, domain controllers, and DNS servers.
15. Identifying network topology and performance levels.

What is Active Directory Migration Tool (ADMT)? The Active Directory Migration Tool (ADMT) is used to migrate from an earlier implementation of Windows NT to Windows Server 2003 or Windows 2000 Server. ADMT supports not only migration from Windows NT 4.0 to Active Directory but also interforest and intraforest migrations. ADMT is designed to migrate an Active Directory schema from one forest to another, regardless of whether a change in operating systems is involved.

ADMT 2.0 has many new features, such as a command-line interface and a better interface for working with Microsoft Exchange Server. ADMT also supports user-account password migration.

How to restart Active Directory Domain Services? Take the following steps to restart Active Directory Domain Services:

Start the Services console through Start > Administrative Tools > Services.

What is LDIFDE? LDIFDE is a command-line tool in the Windows Server 2003 operating system. It is used to create, modify, and delete objects on computers running Windows Server 2003 and Windows XP Professional. LDIFDE is also used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.

What is the primary restore method? The primary restore method is a type of backup restoration of the System State data. This method is used to restore Active Directory data on a stand-alone domain controller. This method of restoration is also used when a completely failed forest needs to be restored.

What is replication? Replication is a process through which the changes made to a replica on one domain controller are synchronized to the replicas on all other domain controllers in the network. Each domain controller stores three types of replicas:

Schema partition: This partition stores the definitions and attributes of objects that can be created in the forest. Changes made in this partition are replicated to all the domain controllers in all the domains in the forest.

Configuration partition: This partition stores the logical structure of the forest deployment. It includes the domain structure and replication topology. Changes made in this partition are replicated to all the domain controllers in all the domains in the forest.

Domain partition: This partition stores all the objects in a domain. Changes made in this partition are replicated to all the domain controllers within the domain.

Note: Windows supports a new type of directory partition named the application directory partition. This partition is available only to Windows 2003 (or later) domain controllers. Applications and services use this partition to store application-specific data.
Creating, modifying, moving, or deleting an object triggers replication between domain controllers. Replication is of two types:

Intrasite: In intrasite (within a site) replication, the data is not compressed, as the replication mostly uses LAN connections. This saves the computer's CPU time for processing data. In intrasite replication, the replication partners poll each other periodically and notify each other when changes need to be replicated, and then pull the information for processing. Active Directory uses the remote procedure call (RPC) transport protocol for intrasite replication.

Intersite: As intersite (between sites) replication uses WAN connections, a large amount of data is compressed to save bandwidth. For the same reason, the replication partners do not notify each other when changes need to be replicated. Instead, administrators configure the replication schedule to update the information. Active Directory uses the IP or SMTP protocol for intersite replication.

What is NLB Manager? Network Load Balancing (NLB) Manager is a Windows Server 2008 GUI tool to manage NLB. NLB Manager is used to add or remove hosts from an NLB cluster, to configure a cluster, and to manage a cluster. NLB Manager can be installed by using Add Features within Server Manager.

What are group policies?
Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied to users and computers (not to groups). For better administration of group policies in the Windows environment, group policy objects (GPOs) are used.

What is GPO?
A group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. A GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs: local and non-local (Active Directory-based) GPOs.

Local GPOs
Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. A local GPO is stored on each Windows 2000/2003 server. The local GPO affects only the computer on which it is stored. By default, only the Security Settings nodes are configured; the rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%\System32\GroupPolicy folder.

Non-local GPOs
Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. Non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects. Non-local GPOs are stored in %systemroot%\SYSVOL\<domain name>\Policies\<GPO GUID>\Adm, where <GPO GUID> is the GPO's globally unique identifier. Two non-local GPOs are created by default when Active Directory is installed:

Default Domain Policy: This GPO is linked to the domain and affects all users and computers in the domain.

Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and affects all domain controllers placed in this OU.

What is ADS (Automated Deployment Services)? Microsoft Windows Server 2003 Automated Deployment Services (ADS) is used by administrators to build and manage very large and scaled-out deployments of Windows servers. It includes a new set of imaging tools for rapidly deploying Windows 2000 Server and Windows Server 2003 remotely. ADS offers improved communication security and a reliable script execution framework. It uses the image-based deployment method.

Under what conditions should Administrators create multiple forests?
Microsoft recommends the creation of multiple forests under the following conditions:

If Administrators do not trust each other: An administrator can create a "denial of service" condition. One can create this condition by rapidly creating or deleting objects, hence causing a large amount of replication to the global catalog. This replication can waste network bandwidth and slow down global catalog servers, as they spend time processing replication. This condition forces administrators to create multiple forests.

Organizations cannot agree on a forest change policy: Changes in the schema, the configuration, and the addition of new domains to a forest have forest-wide impact. If organizations in a forest cannot agree on a common policy, they cannot share the same forest, forcing administrators to create multiple forests.

If one wants to limit the scope of a trust relationship: All domains in a forest trust each other. In order to prevent certain users from being granted permissions to certain resources, those users must be placed in a forest different from the forest containing those resources. Administrators can use explicit trust relationships to allow those users to be granted access to resources in specific domains, if required.

What is GPMC tool? The Group Policy Management Console (GPMC) is a tool
for managing group policies in Windows Server 2003. It provides
administrators a single consolidated environment for working on group policy-
related tasks. GPMC provides a single interface with drag-and-drop
functionality to allow an administrator to manage group policy settings across
multiple sites, domains, or even forests. GPMC is used to back up, restore,
import, and copy group policy objects. It also provides a reporting interface
on how group policy objects (GPOs) have been deployed.

What is Performance Monitor? Performance Monitor is used to get statistical information about the hardware and software components of a server. Performance Monitor is used for the following:

• Monitor objects on multiple computers.
• Log data pertaining to objects on multiple computers, over time.
• Analyze the effects of changes made to a computer.
• Launch programs and send notifications when thresholds are reached.
• Export data for analysis in spreadsheet or database applications.
• Save counter and object settings for repeated use.
• Create reports for use in analyzing performance, over time.

What is System Monitor? System Monitor is a Windows graphical tool for measuring the performance of a host or remote computer. It is used to view reports on CPU load, memory usage, interrupt rate, and the overall throughput of the traffic on a network. Using System Monitor, administrators can perform the following functions:

• Create charts and reports to measure a computer's efficiency.
• Identify and troubleshoot possible issues, such as unbalanced resource use, insufficient hardware, or poor program design.
• Plan for additional hardware needs.

System Monitor can also be used to monitor the resource use of specific components and program processes.

What is the SQL Server: General Statistics: User Connections counter? The
SQL Server: General Statistics: User Connections counter displays the number
of user connections in SQL Server. Its maximum value is 255. An increase in
the value of the counter causes performance problems and affects
throughput. A Database Administrator should monitor this counter to resolve
performance issues.
What is Simple Mail Transfer Protocol (SMTP)? Simple Mail Transfer Protocol
(SMTP) is a protocol used for sending e-mail messages between servers. It is
mostly used to send messages from a mail client such as Microsoft Outlook to
a mail server. Most of the e-mail systems that send mails over the Internet
use SMTP to send messages from one server to another. Due to its limitations
in queuing messages at the receiving end, it is generally used with either the
POP3 or IMAP protocol, which enables a user to save and download messages
from the server.

What is a bluescreen error? A bluescreen error, sometimes called the Blue Screen of Death (BSOD), is the condition that occurs when a Windows computer fails to boot properly or quits unexpectedly. Microsoft refers to these blue screens as "Stop errors". There are several causes of a blue screen. It can be due to a poorly written device driver, bad memory, a damaged registry, or the use of incompatible versions of DLLs. In Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, a blue screen of death occurs when the kernel or a driver running in kernel mode encounters an error from which it cannot recover. This is usually caused by an illegal operation being performed. The only safe action to overcome such a situation is to restart the computer.

What is the netstat command? The netstat command displays protocol-related statistics and the state of current TCP/IP connections. It is used to get information about the open connections on a computer, incoming and outgoing data, as well as the ports of remote computers to which the computer is connected. The netstat command gets all this networking information by reading the kernel routing tables in memory.

What is IIS? Internet Information Services (IIS) is a software service that supports Web site creation, configuration, and management, along with other Internet functions. Microsoft Internet Information Services includes Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Clustering: A cluster is a group of two or more computers (servers) connected to provide fault tolerance and load balancing. It is dedicated to running a specific application. Each server in a cluster is known as a node. The failover and failback capabilities of a cluster bring the application downtime to zero.
Note: Server clustering is intended to provide high availability for applications and not for data.
Failover: In the cluster, each node or computer runs the same critical application. In case one computer fails, the other computers detect the failure and take charge immediately. This phenomenon is called failover.

Failback: When the failed node returns to the network, the other nodes take notice and the cluster begins to use the restored node again. This phenomenon is called failback.

Types of Clusters: Windows Server 2003 supports two types of clusters:

• Server clusters
• Network Load Balancing (NLB)

Server Clusters In server clusters, all nodes are connected to a common data
set, such as a storage area network. All nodes have access to the same
application data. Any of these nodes can process a request from a client at any
time. Nodes can be configured as either active or passive. Only an active node
can process requests from clients. In the event of a failure of the active node,
the passive node takes charge and becomes active. Otherwise, the passive
node remains idle.

Server clusters are created for running applications that have frequently
changing data sets and have long-running in-memory states. The applications
such as database servers, e-mail and messaging servers, and file and print
services can be included in server clusters.

A server cluster is treated as a single destination by a client. It has its own name and IP address. This address is different from the individual IP addresses of the servers in the cluster. Hence, when any server fails in the cluster, the passive server becomes active. Clients send their requests to the server cluster address, so this changeover does not affect the functionality of the cluster.

Windows Server 2003 supports eight nodes in a cluster. However, Windows 2000
Server supports only two nodes in a cluster.

Network Load Balancing Network Load Balancing (NLB) is a type of clustering.
It is used to provide high availability and reliability of the application servers.
NLB is configured for the applications that rarely change and that have very
small data sets. Web servers, FTP servers, VPN servers are the areas where NLB
can be used successfully.

In the NLB cluster, all nodes are active and have separate identical data sets.
Multiple servers (or nodes) are used to distribute the load of processing data.
Clients send the requests to the cluster, and then the clustering software
distributes incoming client requests among the nodes. If a node fails, the
clients' requests are served by other nodes. Network Load Balancing is highly
scalable. Both Windows 2003 and Windows 2000 operating systems support
NLB clusters of up to thirty-two nodes.

What is Task Manager Utility? The Task Manager utility provides information
about programs and processes running on a computer. By using Task Manager,
a user can end or run programs, end processes, and display a dynamic
overview of his computer's performance. Task Manager provides an
immediate overview of system activity and performance.
What is DNS namespace? DNS namespace is the hierarchical structure of the
domain name tree. It is defined such that the names of all similar
components must be similarly structured, but similarly identifiable. The full
DNS name must point to a particular address. Consider the following image of
DNS namespace of the Internet:

The salessrv1 and salessrv2 are host names of the hosts configured in the
sales.ucertify.com domain. The fully qualified domain name (FQDN) of the
host salessrv1 is salessrv1.sales.ucertify.com. No two hosts can have the
same FQDN.

What is ADSIEdit? ADSIEdit is a Microsoft Management Console (MMC) snap-in
that acts as a low-level editor for Active Directory. It is a Graphical User
Interface (GUI) tool. Network administrators can use it for common
administrative tasks such as adding, deleting, and moving objects with a
directory service. The attributes for each object can be edited or deleted by
using this tool. ADSIEdit uses the ADSI application programming interfaces
(APIs) to access Active Directory. The following are the required files for
using this tool:

• ADSIEDIT.DLL
• ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory
environment and Microsoft Management Console (MMC) is necessary.

What are group scopes? The scope of a group defines two characteristics:

• It determines the level of security applying to a group.
• It determines which users can be added to a group.

Windows Server 2003 supports the following scopes:

Domain Local: Domain local groups are used to assign permissions to local
resources such as files and printers. Members can come from any domain.

Global: Members of this group can access resources in any domain. Members
can only come from the local domain.

Universal: Members can be added from any domain in the forest. Members can
access resources from any domain. Universal groups are used for managing the
security across domains. Universal groups can also contain global groups.
Universal groups are only available in the domains having functional level
Windows 2000 native or Windows Server 2003.

What is IPv6? IP addressing version 6 (IPv6) is the latest version of IP
addressing. IPv6 is designed to solve many of the problems that were faced
by IPv4, such as address depletion, security, auto-configuration, and
extensibility. With the fast increasing number of networks and the expansion
of the World Wide Web, the allotted IP addresses are depleting rapidly, and
the need for more network addresses is arising. IPv6 solves this problem, as it
uses a 128-bit address that can produce a lot more IP addresses. These
addresses are hexadecimal numbers, made up of eight octet pairs. An
example of an IPv6 address is 45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE.

What is DSMOD? DSMOD is a command-line utility that is used to modify
existing objects, such as users, computers, groups, servers, OUs, etc., in
Active Directory.

What is NTDSUTIL utility? NTDSUTIL.EXE is a command-line tool that is used
to manage Active Directory. This utility is used to perform the following
tasks:
• Performing database maintenance of Active Directory.
• Managing and controlling operations master roles.
• Removing metadata left behind by domain controllers.

Note: The NTDSUTIL utility is supposed to be used by experienced
administrators.

What is System File Checker utility? The System File Checker utility is used
to verify the integrity of the operating system files, to restore them if they
are corrupt, and to extract compressed files (such as drivers) from
installation disks. It can also be used to backup the existing files before
restoring the original files.

What is SCHTASKS tool? The SCHTASKS tool is used to schedule commands
and programs to run periodically or at a specific time. It adds and removes
tasks from the schedule, starts and stops tasks on demand, and displays and
changes scheduled tasks.

What is CHKDSK? CHKDSK is a command-line tool used to scan and repair
volumes on the hard disk for physical problems such as bad blocks. It also
repairs volumes for logical structure errors such as lost clusters, cross-linked
files, or directory errors.

Network Configuration and Management Utilities Administrators use various
utilities to configure and manage networks. Following are some commonly used
utilities:

WINIPCFG: WINIPCFG is a Windows 9x Internet Protocol (IP) configuration
utility used to display all current TCP/IP network configuration values for a
computer running Microsoft TCP/IP. Network configuration values include the
current IP address allocated to the computer and other useful data about
TCP/IP allocation. This utility is of particular use on networks using Dynamic
Host Configuration Protocol (DHCP), allowing users to determine which TCP/IP
configuration values have been configured by DHCP.

IPCONFIG: IPCONFIG is a command-line utility used to display current TCP/IP
network configuration values, and to update or release the Dynamic Host
Configuration Protocol (DHCP) allocated leases. It is also used to display,
register, or flush Domain Name System (DNS) names.

NSLOOKUP: NSLOOKUP is a utility for diagnosing and troubleshooting Domain
Name System (DNS) problems. It performs its function by sending queries to the
DNS server and obtaining detailed responses at the command prompt. This
information can be useful for diagnosing and resolving name resolution issues,
verifying whether or not the resource records are added or updated correctly in
a zone, and debugging other server-related problems. This utility is installed
along with the TCP/IP protocol through the Control Panel.

PING: PING is a command-line utility used to test connectivity with a host on a
TCP/IP-based network. This is achieved by sending out a series of packets to a
specified destination host. On receiving the packets, the destination host
responds with a series of replies. These replies can be used to determine if the
network is working properly.

TRACERT: TRACERT is a route-tracing Windows utility that displays the path an
IP packet takes to reach its destination. It shows the Fully Qualified Domain
Name (FQDN) and the IP address of each gateway along the route to the
remote host.

PATHPING: PATHPING is a command-line utility that pings each hop along the
route for a set period of time and shows the delay and packet loss along with
the tracing functionality of TRACERT, which helps determine a weak link in the
path.

NBTSTAT: NBTSTAT is a Windows utility used to check the state of current
NetBIOS over TCP/IP connections, update the NetBIOS name cache, and
determine the registered names and scope IDs.

NETSTAT: NETSTAT is a command-line utility that displays protocol-related
statistics and the state of current TCP/IP connections. It is used to obtain
information about the open connections on a computer, incoming and outgoing
data, and also the ports of remote computers to which the computer is
connected. The NETSTAT command gets all this networking information by
reading the kernel routing tables in the memory.

TELNET: TELNET is a command-line connectivity utility that starts terminal
emulation with a remote host running the Telnet Server service. TELNET allows
users to communicate with a remote computer, offers the ability to run
programs remotely, and facilitates remote administration. The TELNET utility
uses the Telnet protocol for connecting to a remote computer running the
Telnet server software, to access files. It uses TCP port 23 by default.

What is a certificate? A certificate is a digital representation of information
that identifies authorized users on the Internet and intranets. It can be used
with applications and security services to provide authentication. Certificates
are issued by certification authorities (CAs).

What is a nonclustered index? A nonclustered index has the same B-tree
structure as the clustered index. The index consists of a root page,
intermediate levels, and a leaf level. The leaf level of a nonclustered index
does not contain the actual data. It contains pointers to the data that is
stored in the data pages. A nonclustered index does not physically rearrange
the data.

Monitoring Physical Server Performance SQL Server 2005 can be installed
on a Windows 2000 or Windows 2003 server computer. A database
administrator is always concerned about the performance of the SQL Server
database engine and the server computer. Database Administrators monitor
the performance of the server using various tools to analyze performance and
resolve performance issues.

System Monitor: System Monitor is a tool used to monitor the performance of
the server. It gives information about the resources that are under pressure.
The values of various counters in System Monitor indicate which resource is
under pressure. Performance deterioration can be diagnosed by setting
performance alerts. These alerts show the increase or decrease in a counter
value with respect to the pre-defined value. Normally the counters are
monitored for a period of 24 hours. If an error occurs, a message regarding
the error can either be sent to the administrator or written to the
Application log. Log files can be saved in various formats such as text file,
binary file, or SQL database file.

The counters that are to be measured in order to resolve performance issues
are as follows:

• Memory: Pages/sec
• Memory: Available Bytes
• SQL Server: Buffer Manager: Buffer Cache Hit Ratio
• Physical Disk: Disk Reads/sec
• Physical Disk: Disk Writes/sec
• Physical Disk: %Disk Time
• Physical Disk: Avg: Disk Queue Length
• Physical Disk: % Free Space
• Logical Disk: %Free Space
• Processor: %Processor Time
• System: Processor Queue Length
• Network Interface: Bytes Received/sec
• Network Interface: Bytes Sent/sec
• Network Interface: Bytes/sec
• Network Interface: Output Queue Length
• SQL Server: General: User Connection

Tip for server roles. There are eight server roles. These roles are as follows:

• sysadmin
• dbcreator
• bulkadmin
• diskadmin
• processadmin
• serveradmin
• setupadmin
• securityadmin

What is a virus? A virus is a malicious program. A computer virus passes from
one computer to another in the same way as a biological virus passes from
one person to another. Most viruses are written with a malicious intent, so
that they can cause damage to programs and data in addition to spreading
themselves. Viruses infect existing programs to alter the behavior of
programs, actively destroy data, and perform actions on storage devices that
render their stored data inaccessible.

Computer viruses attack the software of a computer such as operating
systems, data files, application software, and e-mails. However, viruses do
not affect the computer hardware.

Network Protocols
Protocol is a set of rules and conventions by which two computers pass
messages across a network. Sets of standard protocols facilitate communication
between the computers in a network having different types of hardware and
software. Both the sender and the receiver computers must use exactly the
same set of protocols in order to communicate with each other. A protocol can
lay down the rules for the message format, timing, sequencing, and error
handling.

The description of the primary protocols in the suite is as follows:

IP: Internet Protocol (IP) is a connectionless network-layer protocol that is
the primary carrier of data on a TCP/IP network.

TCP: Transmission Control Protocol (TCP) is a reliable, connection-oriented
protocol operating at the transport layer. This protocol can transmit large
amounts of data. Application-layer protocols, such as HTTP and FTP, utilize
the services of TCP to transfer files between clients and servers.

UDP: User Datagram Protocol (UDP) is a connectionless, unreliable
transport-layer protocol. UDP is used primarily for brief exchange of requests
and replies.

Telnet: Telnet is a protocol that enables an Internet user to log onto and
enter commands on a remote computer linked to the Internet, as if the user
were using a text-based terminal directly attached to that computer.

FTP: File Transfer Protocol (FTP) is a primary protocol of the TCP/IP protocol
suite, used to transfer text and binary files between computers over a TCP/IP
network.

SMTP: Simple Mail Transfer Protocol (SMTP) is used for transferring or sending
e-mail messages between servers.

PPP: Point-to-Point Protocol (PPP) is a set of industry-standard framing and
authentication protocols included with Windows remote access to ensure
interoperability with third-party remote access software. It is a data link-layer
protocol designed to create a direct connection between two computers,
typically using telephone lines.

POP3: Post Office Protocol version 3 (POP3) is a protocol used for retrieving e-
mail messages. The POP3 servers allow access to a single Inbox in contrast to
IMAP servers that provide access to multiple server-side folders.

IMAP: Internet Message Access Protocol (IMAP) is a protocol for receiving e-mail
messages. It allows an e-mail client to access and manipulate a remote e-mail
file without downloading it to the local computer. It is used mainly by the users
who want to read their e-mails from remote locations.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is an encryption protocol used
to provide secure, low-cost remote access to corporate networks through
public networks such as the Internet. Using PPTP, remote users can use PPP-
enabled client computers to dial a local ISP and connect securely to the
corporate network through the Internet.

HTTP: Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol
used on the World Wide Web (WWW) to display Hypertext Markup Language
(HTML) pages. HTTP defines how messages are formatted and transmitted, and
what actions Web servers and browsers should take in response to various
commands. For example, when a client application or browser sends a request
to the server using HTTP commands, the server responds with a message
containing the protocol version, success or failure code, server information,
and body content, depending on the request. HTTP uses TCP port 80 as the
default port.

HTTPS: Hypertext Transfer Protocol Secure (HTTPS) is a protocol used in the
Uniform Resource Locator (URL) address line to connect to a secure site. If a
site has been made secure by using the Secure Sockets Layer (SSL), HTTPS
(instead of HTTP) should be used as the protocol type in the URL.

ARP: Address Resolution Protocol (ARP) is a network maintenance protocol of
the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to
media access control (MAC) addresses of a network interface card (NIC). The
ARP cache is used to maintain a correlation between a MAC address and its
corresponding IP address. ARP provides the protocol rules for making this
correlation and providing address conversion in both directions. ARP is limited
to physical network systems that support broadcast packets.

ICMP: Internet Control Message Protocol (ICMP) is a maintenance protocol and
is normally considered a part of the IP layer. ICMP messages are encapsulated
within IP datagrams, so that they can be routed throughout an internetwork.

Internet Message Access Protocol 4 (IMAP4): It is an e-mail message retrieval
protocol that allows e-mail clients to retrieve e-mail messages from e-mail
servers. IMAP4 has the following advantages over the POP3 protocol:

• IMAP4 can be used to download only specific mails from the mail server,
while POP3 downloads all the mails from the mail server at a time.
• IMAP4 can download only a part of the message (e.g., the header)
initially. Then depending upon the user, the entire message can be
downloaded afterwards. However, POP3 downloads the entire message
at a time.
• IMAP4 only marks a message as deleted as soon as it is being read. The
message will then be deleted as soon as the user logs off, or sends the
EXPUNGE command to the mail server.
• IMAP4 supports server side storage. Hence, the location of the user is
insignificant. However, POP3 uses a local client application to read the
mails.
• Since IMAP4 stores messages on the server side, the user does not have
to bother about fault tolerance and system crashes. When the POP3
protocol is used, the messages once downloaded from the server are
stored locally and can be lost if the local system crashes.
• IMAP4 allows a user to create multiple mailboxes on multiple servers
under the same user name. The user can personalize these mailboxes for
receiving specific kinds of mails in each mailbox. However, POP3 allows
only a single user account to be configured.
• Changes made to a mail are propagated to the IMAP4 server. This
feature is not available under POP3 protocol.

However, there are some disadvantages of IMAP4 over the POP3 protocol,
which are as follows:

• If the connection with the mail server drops while reading a mail, it has
to be re-established. On the other hand, POP3 downloads the entire mail
at a time. Hence, if the connection with the mail server is dropped at
the time of reading a mail, it does not affect the reading.
• The POP3 protocol is mostly supported by the commercially available
mail servers.
• Since the mails in IMAP4 are stored on the server, the space storage
management is a primary concern on such mail servers.

IP Addressing IP addresses are used to uniquely identify the computers in a
network, so each computer must have its own unique IP address. An IP address
consists of two parts: a network identifier and a host identifier. The network
identifier denotes the type of network, and the host identifier is a unique
number of a particular computer. So in a particular type of network, each node
has the same network id and a host id, which are unique.
The type of IP address also depends on the subnet mask, which is used to
determine which part of the IP address denotes the network id and which part
is the host id. For example, if the IP address is 192.168.1.200 and the subnet
mask is 255.255.255.0, the network id will be 192.168.1 and the host id will be
200. In the same way, if the subnet mask is 255.255.0.0, the network id will be
192.168 and the host id will be 1.200. If the subnet mask is 255.0.0.0, the
network id will be 192 and the host id will be 168.1.200.

There are two versions of IP addressing, the commonly used IPv4 and the latest
version known as IPv6. They have been discussed in detail in the following
paragraphs.

IPv4
IP Address In this version of IP addressing, an IP address is of 32 bits in length,
and is divided into four 8 bit decimal values known as octets. In these types of
IP addresses, the leftmost bit has the value of 128, which is followed by 64, 32,
16, 8, 4, 2, and 1. An IP address can have values from 0 to 255 because each
bit can be either a 0 or a 1. So if all the bits are 1, the value will be 255; and if
all the bits are 0, the value will be 0.

Subnet Mask A subnet mask determines which part of the IP address denotes
the network id and which part is the host id. It is also a 32-bit number, which is
expressed in decimal format. The subnet mask is assigned according to the
class of IP address used.

IP Address Classes The Internet Assigned Numbers Authority registers the IP
addresses used in the networks to ensure their uniqueness. IP addresses have
been divided into five groups or classes known as IP Address classes. Each class
of IP address has a particular subnet mask associated with it. The five classes
of IP addresses are class A, B, C, D and E, in which class D is reserved for
multicast addressing and class E is reserved for future use. So only classes A
through C are used for assigning IP addresses to client computers.

• In class A addresses, only the first octet is used to define the network id,
and the rest are used for the host id. It has the address range from 1 to
126 and so it can have only 126 numbers of networks. The number of
hosts possible in these types of networks is 16,777,214. It uses the
subnet mask 255.0.0.0.
• In class B networks, the first two octets represent the network id and
the rest are the host id. It has a range of 128-191 and can have 16384
networks with 65,534 hosts. The standard subnet mask assigned to these
IP addresses is 255.255.0.0.

• In class C addresses, the first three octets are used to represent the
network id. It has a range of 192-223 and can have 2,097,152 networks
with 253 hosts. The subnet mask associated with it is 255.255.255.0.

• Class D addresses have an address range of 224-239, and class E
addresses have an address range of 240-255.

Default Gateway Default gateway is a TCP/IP configuration option, used to
communicate with TCP/IP nodes on remote network segments. At least one
interface must be configured with the IP address of a default gateway.

IPv6 The current version of IP addressing (i.e., IPv4) has its limitations. With
the fast increasing number of the networks and the expansion of the World
Wide Web, the IP addresses allotted are finishing fast and the need for more
network addresses has arisen. IPv6 can solve this problem, as it uses a 128-bit
address that can produce a lot more IP addresses. These addresses are
hexadecimal numbers, made up of eight octet pairs. An example of an IPv6
address can be 45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE.

Subnetting Subnets are subdivisions of an IP address network, used for creating
smaller broadcast domains and for better utilization of the bits in the host ID.
Through subnetting, the host id portion of an IP address can be used to create
more networks than by using the default subnet mask.

Suppose that a company has been assigned a Class C IP address 200.1.1.0, and
the standard subnet mask is 255.255.255.0. This means that the network id will
be 200.1.1 and the total number of hosts will be 254. The company has two
departments: production and sales. Members of the production department do
not need to access the computers of the sales department. So it is better to
have separate networks for both the departments for better security and
manageability. Through subnetting, the bits from the host id portion can be
used to create more networks, which will work as separate networks.

Public and Private Networks Networks can be differentiated as private and
public. A public network is a network which can be accessed by anyone from
the general public, an example being the Internet. In contrast, a private
network is accessible only by those people who have special permissions on
that particular network. An example of a private network is a network within
an organization such as a company, a hospital, or a college.

Public and private networks have different types of IP addressing schemes.
Addresses on the Internet are assigned by the IANA (Internet Assigned Numbers
Authority), which assigns them to the Internet Service Providers (ISPs), who
then distribute them to the users. Apart from the public addresses, some
addresses have been reserved for the private networks. These are not available
for the general public and are used in private networks.

Some addresses from each of the classes A, B, and C have been assigned for use
by private networks. The address range for class A addresses is from 10.0.0.0 to
10.255.255.255, for class B addresses it is from 172.16.0.0 to 172.31.255.255, and
for class C addresses, it is from 192.168.0.0 to 192.168.255.255.

IP Addressing Methods:
Static Addressing In static addressing, every computer is assigned an IP address
manually. It is not preferred in large networks, which have lots of hosts,
because the chance of assigning duplicate addresses will be more. This will
result in a conflict of IP addresses and deterioration of the speed. Also it is
time consuming, as every system is configured manually and if some changes
are to be made afterwards, it will consume a lot of time doing it manually for
every computer.

Dynamic Addressing In this type of addressing scheme, the IP addresses are
assigned automatically by the use of Dynamic Host Configuration Protocol
(DHCP) to all the computers in the network. This results in much less burden on
the network administrator and faster configuration of the network. This type of
addressing needs a DHCP server, to which a range of IP addresses is allotted.
The DHCP server automatically assigns any address from the range of IP
addresses defined to the workstations on the network.

APIPA Automatic private IP addressing (APIPA) is a feature of Windows XP
TCP/IP that configures a unique IP address for each computer on a network
when the TCP/IP protocol is configured for dynamic addressing and a DHCP
server is not available or offline. The key function of APIPA is to allow
resources to be available even if the DHCP server is offline. APIPA addresses
are always in the range of 169.254.0.1 to 169.254.255.254 and use a subnet
mask of 255.255.0.0.

When a user configures a TCP/IP connection to obtain an IP address
automatically, by default the computer tries to find a DHCP server for
obtaining the address. The user obtains the address if the computer finds the
DHCP server. If it does not find the DHCP server, the computer uses APIPA to
configure a unique IP address for the computers of a network. Since APIPA does
not offer a gateway address, it can never be used on the Internet, and the
clients using APIPA cannot access resources outside the local subnet.
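The network-id/host-id split from the IP Addressing passage, the classful ranges and default masks, the two-department subnetting of 200.1.1.0/24, the private address ranges, and the APIPA range are worked together below as an added Python example; this is not code from the original document. It uses only the standard-library ipaddress module, and it generalises the subnetting example to any power-of-two number of subnets. Function names and the sample addresses are constructed for the illustration.

```python
"""IPv4/IPv6 addressing helpers (added example, not from the original document).
Uses only the standard-library ipaddress module; the function names and the
sample addresses below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from typing import Optional

# Private ranges reserved from classes A, B and C, and the APIPA range, as
# listed in the text.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def split_address(ip: str, mask: str) -> tuple[str, str]:
    """Return (network id, host id) written the way the text writes them,
    e.g. 192.168.1.200 with 255.255.255.0 -> ('192.168.1', '200').
    Raises ValueError for a non-contiguous mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)  # validates the mask
    octets = ip.split(".")
    if net.prefixlen % 8 == 0:
        n = net.prefixlen // 8
        return ".".join(octets[:n]), ".".join(octets[n:])
    # Mask not on an octet boundary: give the numeric network and host parts.
    host_part = int(ipaddress.IPv4Address(ip)) & ~int(net.netmask) & 0xFFFFFFFF
    return str(net.network_address), str(host_part)


def address_class(ip: str) -> tuple[str, Optional[str]]:
    """Classful class letter and its default subnet mask, from the first octet."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "A", "255.0.0.0"
    if 128 <= first <= 191:
        return "B", "255.255.0.0"
    if 192 <= first <= 223:
        return "C", "255.255.255.0"
    if 224 <= first <= 239:
        return "D", None  # multicast
    if 240 <= first <= 255:
        return "E", None  # reserved for future use
    return "reserved", None  # 0 and 127 (loopback) are not assignable to hosts


def address_kind(ip: str) -> str:
    """'apipa', 'private' or 'public' according to the ranges in the text."""
    addr = ipaddress.IPv4Address(ip)
    if addr in APIPA_RANGE:
        return "apipa"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def subnet(network: str, count: int) -> list[str]:
    """Borrow host bits to split `network` into `count` equal subnets.
    count must be a power of two (2 for the production/sales example)."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net = ipaddress.ip_network(network)
    borrowed_bits = count.bit_length() - 1
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def usable_hosts(network: str) -> int:
    """Host addresses excluding the network and broadcast addresses."""
    return max(ipaddress.ip_network(network).num_addresses - 2, 0)


def ipv6_groups(address: str) -> list[str]:
    """The eight 16-bit groups of a 128-bit IPv6 address, with stray spaces
    and '::' compression removed (e.g. for the page's spaced-out example)."""
    return ipaddress.IPv6Address(address.replace(" ", "")).exploded.split(":")


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        print(mask, split_address("192.168.1.200", mask))
    print(subnet("200.1.1.0/24", 2), usable_hosts("200.1.1.0/25"))
    print(address_kind("169.254.10.10"), address_kind("172.31.255.255"))
    print(ipv6_groups("45CF: 6D53: 12CD: AFC7: E654: BB32: 543C: FACE"))
```

Splitting 200.1.1.0/24 into two subnets gives two /25 networks with 126 usable hosts each, which is the trade-off the subnetting passage describes: every borrowed host bit halves the hosts per network. address_kind is the check to run before trusting that an address "inside the network" is really internal, since an APIPA address means the DHCP server was never reached.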

TCP/UDP Ports The default TCP/UDP ports associated with TCP/IP protocol or
applications are as under:

Protocol Port
HTTP 80
HTTPS 443
POP3 110
FTP 20
FTP 21
IMAP4 143
SMTP 25
NNTP 119
NTP 123
DNS 53
TFTP 69
Telnet 23
SSH 22
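The NETSTAT entry earlier says the utility shows the open connections and listening ports of a computer, and the table above gives the default port for each protocol. The added Python example below (not code from the original document) puts the two together the way an administrator would: it parses constructed `netstat -an`-style output, names each listening port from the page's port table, and reports listeners that are not on an assumed baseline allowlist. The sample output, the ALLOWED_LISTENERS baseline and the function names are constructed for the illustration.

```python
"""Audit listening sockets from netstat output against an allowlist.
Added example, not from the original document. SAMPLE_NETSTAT is constructed
in the shape of Windows `netstat -an`; ALLOWED_LISTENERS is an assumed baseline."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Default ports from the page's TCP/UDP port table, keyed by port number.
WELL_KNOWN_PORTS = {
    80: "HTTP", 443: "HTTPS", 110: "POP3", 20: "FTP (data)", 21: "FTP",
    143: "IMAP4", 25: "SMTP", 119: "NNTP", 123: "NTP", 53: "DNS",
    69: "TFTP", 23: "Telnet", 22: "SSH",
}

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.7:49811         ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:69             *:*
"""

# Assumed baseline: the ports this host is expected to listen on.
ALLOWED_LISTENERS = {80, 443}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str  # empty for UDP, which has no connection state


# Proto, local addr:port, foreign addr:port, optional state (absent for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list[Socket]:
    """Parse netstat rows into Socket records; header/blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            sockets.append(Socket(proto, ip, int(port), foreign, state or ""))
    return sockets


def listening_sockets(sockets: list[Socket]) -> list[Socket]:
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def audit_listeners(sockets: list[Socket], allowed=ALLOWED_LISTENERS):
    """(proto, port, service name) for each listener outside the allowlist."""
    return [
        (s.proto, s.local_port, WELL_KNOWN_PORTS.get(s.local_port, "unknown"))
        for s in listening_sockets(sockets)
        if s.local_port not in allowed
    ]


if __name__ == "__main__":
    for finding in audit_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print("unexpected listener:", finding)
```

On the constructed sample the audit flags the Telnet (TCP 23) and TFTP (UDP 69) listeners, both cleartext services that a Windows Server 2003 host rarely needs, while the established SMB connection on 445 is ignored because it is not a listener. The same parser can be fed the real output of `netstat -an` captured into a file.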

What are cluster configurations? Server clusters using the Cluster service
can be set up as one of the following three different cluster configurations:

1. Single Node server clusters: They can be configured with or without
external cluster storage devices. For Single Node server clusters without
an external cluster storage device, the local disk is configured as the
cluster storage device.
2. Single Quorum Device server clusters: They can have two or more
nodes and are so configured as to attach every node to one or more
shared storage devices, such as an external array of Small Computer
System Interface (SCSI) disks. The cluster configuration data is stored on
a single cluster storage device, also known as the quorum disk.
3. Majority Node Set server clusters: They can have two or more nodes,
but nodes might not be attached to one or more cluster storage devices.
The cluster configuration data is stored on multiple disks across the
cluster, and the Cluster service guarantees that this data is kept
consistent across the disks.

However, server clusters using the Cluster service are set up depending on the
specific needs for failovers, in which application services are moved to another
node in the cluster.

What is N+I Hot Standby Server? N+I Hot Standby Server is one of the
failover models. It is commonly referred to as an Active/Passive mode. In an
active/passive mode, the active nodes handle all client requests, whereas
the passive nodes monitor the active nodes. In N+I Hot Standby Server, N
denotes the number of active nodes, and I refers to the number of passive
nodes. This model has a drawback that the server resources remain idle for a
long time and are utilized only when another server fails. However, it is the
most scalable and reliable model.

What is failover? Failover is a term associated with cluster services. It refers
to the ability of a server to immediately start servicing the requests if a
primary server fails. If the application services in a cluster-node fail, the
Cluster Service generally tries to restart them on the same node. If the
services do not start, then it moves the services to another node in the
cluster and restarts them on that node.
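The decision sequence described in this answer and in the earlier Clustering, Failover and Failback passages (restart on the same node first, move to another node only if that fails, move back when the preferred node returns) is modelled below as an added Python example. It is not code from the original document and not the Windows Cluster service itself; the node names, the preferred-owner rule and the restart_ok flag are constructed assumptions used to make the behaviour observable.

```python
"""Toy model of cluster failover and failback (added example; not from the
original document and not the Windows Cluster service). Node names, the
preferred-owner rule and the restart_ok flag are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    healthy: bool = True
    restart_ok: bool = True  # assumption: does a local restart of the app succeed?


@dataclass
class Cluster:
    nodes: list
    owner: str          # node currently running the clustered application
    preferred: str      # node that should own it whenever it is healthy
    log: list = field(default_factory=list)

    def node(self, name: str) -> Node:
        return next(n for n in self.nodes if n.name == name)

    def healthy_peers(self, name: str) -> list:
        return [n for n in self.nodes if n.name != name and n.healthy]

    def service_failed(self, name: str) -> str:
        """Application services failed on `name`. As the text describes, the
        cluster first tries to restart them on the same node and only if that
        fails moves them to another healthy node (failover). Returns the owner."""
        node = self.node(name)
        if node.healthy and node.restart_ok:
            self.log.append(f"restart on {name}")
            return self.owner
        peers = self.healthy_peers(name)
        if not peers:
            raise RuntimeError("no healthy node available; service is down")
        self.owner = peers[0].name
        self.log.append(f"failover {name} -> {self.owner}")
        return self.owner

    def node_failed(self, name: str) -> str:
        """A whole node goes down. Failover happens only if it owned the
        service; a failed passive node changes nothing."""
        self.node(name).healthy = False
        return self.service_failed(name) if self.owner == name else self.owner

    def node_restored(self, name: str) -> str:
        """Failback: when the preferred node returns, the service moves back."""
        self.node(name).healthy = True
        if name == self.preferred and self.owner != name:
            self.log.append(f"failback {self.owner} -> {name}")
            self.owner = name
        return self.owner


def demo() -> list:
    """Two-node active/passive cluster: the active node fails, then returns."""
    c = Cluster([Node("NODE1"), Node("NODE2")], owner="NODE1", preferred="NODE1")
    c.node_failed("NODE1")    # failover to NODE2
    c.node_restored("NODE1")  # failback to NODE1
    return c.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The RuntimeError branch is the case the "Note" in the Clustering passage warns about: clustering protects the application, not the data, and with no healthy peer left the application is simply down. The preferred-owner rule is one way to express failback; a real deployment can equally leave the service on the node that took it over.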

Windows Server 2003 Active Directory and Network Infrastructure

Windows Server 2003 Active Directory is a centralized database that stores
the collection of information about all the resources available on the
Windows Server 2003 domain. It is a hierarchical representation of all the
objects and their attributes available on the network. It enables
administrators to manage the network resources, i.e., computers, users,
printers, shared folders, etc., in an easy way. The logical structure
represented by Active Directory consists of forests, trees, domains,
organizational units, and individual objects. This structure is completely
independent from the physical structure of the network, and allows
administrators to manage domains according to the organizational needs
without bothering about the physical network structure.

Following is the description of all logical components of the Active Directory
structure:

1. Forest: A forest is the outermost boundary of an Active Directory
structure. It is a group of multiple domain trees that share a common
schema but do not form a contiguous namespace. It is created when the
first Active Directory-based computer is installed on a network. There is
at least one forest on a network. The first domain in a forest is called a
root domain. It controls the schema and domain naming for the entire
forest. It can be separately removed from the forest. Administrators can
create multiple forests and then create trust relationships between
specific domains in those forests, depending upon the organizational
needs.

2. Trees: A hierarchical structure of multiple domains organized in the
Active Directory forest is referred to as a tree. It consists of a root
domain and several child domains. The first domain created in a tree
becomes the root domain. Any domain added to the root domain
becomes its child, and the root domain becomes its parent. The parent-
child hierarchy continues until the terminal node is reached. All domains
in a tree share a common schema, which is defined at the forest level.
Depending upon the organizational needs, multiple domain trees can be
included in a forest.

3. Domains: A domain is the basic organizational structure of a Windows
Server 2003 networking model. It logically organizes the resources on a
network and defines a security boundary in Active Directory. The
directory may contain more than one domain, and each domain follows
its own security policy and trust relationships with other domains.
Almost all the organizations having a large network use the domain type of
networking model to enhance network security and enable
administrators to efficiently manage the entire network.

4. Objects: Active Directory stores all network resources in the form of
objects in a hierarchical structure of containers and subcontainers,
thereby making them easily accessible and manageable. Each object
class consists of several attributes. Whenever a new object is created for
a particular class, it automatically inherits all attributes from its
member class. Although the Windows Server 2003 Active Directory
defines its default set of objects, administrators can modify it according
to the organizational needs.

5. Organizational Unit (OU): It is the least abstract component of the
Windows Server 2003 Active Directory. It works as a container into which
resources of a domain can be placed. Its logical structure is similar to an
organization's functional structure. It allows creating administrative
boundaries in a domain by delegating separate administrative tasks to
the administrators on the domain. Administrators can create multiple
Organizational Units in the network. They can also create nesting of
OUs, which means that other OUs can be created within an OU.

In a large complex network, the Active Directory service provides a single point
of management for the administrators by placing all the network resources at a
single place. It allows administrators to effectively delegate administrative
tasks as well as facilitate fast searching of network resources. It is easily
scalable, i.e., administrators can add a large number of resources to it without
having additional administrative burden. It is accomplished by partitioning the
directory database, distributing it across other domains, and establishing trust
relationships, thereby providing users with benefits of decentralization, and at
the same time, maintaining the centralized administration.

The physical structure of Active Directory is much simpler than its logical
structure. The physical components are domain controllers and sites.

1. Domain Controller: A Windows 2003 server on which Active Directory
services are installed and run is called a domain controller. A domain
controller locally resolves queries for information about objects in its
domain. A domain can have multiple domain controllers. Each domain
controller in a domain follows the multimaster model by having a
complete replica of the domain's directory partition. In this model, every
domain controller holds a master copy of its directory partition.
Administrators can use any of the domain controllers to modify the
Active Directory database. The changes performed by the administrators
are automatically replicated to other domain controllers in the domain.

However, there are some operations that do not follow the multimaster
model. Active Directory handles these operations and assigns them to a
single domain controller to be accomplished. Such a domain controller is
referred to as operations master. The operations master performs
several roles, which can be forest-wide as well as domain-wide.

o Forest-wide roles: There are two types of forest-wide roles:
Schema Master and Domain Naming Master. The Schema Master is
responsible for maintaining the schema and distributing it to the
entire forest. The Domain Naming Master is responsible for
maintaining the integrity of the forest by recording additions of
domains to and deletions of domains from the forest. When new
domains are to be added to a forest, the Domain Naming Master
role is queried. In the absence of this role, new domains cannot
be added.

o Domain-wide roles: There are three types of domain-wide roles:
RID Master, PDC Emulator, and Infrastructure Master.

Domain controllers can also be assigned the role of a Global
Catalog server. A Global Catalog is a special Active Directory
database that stores a full replica of the directory for its host
domain and the partial replica of the directories of other domains
in a forest. It is created by default on the initial domain controller
in the forest. It performs the following primary functions
regarding logon capabilities and queries within Active Directory:

1. It enables network logon by providing universal group
membership information to a domain controller when a
logon request is initiated.
2. It enables finding directory information about all the
domains in an Active Directory forest.

A Global Catalog is required to log on to a network within a
multidomain environment. By providing universal group
membership information, it greatly improves the response time
for queries. In its absence, a user will be allowed to log on only
to his local domain if his user account is external to the local
domain.

2. Site: A site is a group of domain controllers that exist on different IP
subnets and are connected via a fast and reliable network connection. A
network may contain multiple sites connected by a WAN link. Sites are
used to control replication traffic, which may occur within a site or
between sites. Replication within a site is referred to as intrasite
replication, and that between sites is referred to as intersite replication.
Since all domain controllers within a site are generally connected by a
fast LAN connection, the intrasite replication is always in uncompressed
form. Any changes made in the domain are quickly replicated to the
other domain controllers. Since sites are connected to each other via a
WAN connection, the intersite replication always occurs in compressed
form. Therefore, it is slower than the intrasite replication.

What are domain functional levels? The domain functional levels are the
various states of a domain, which enable domain-wide Active Directory
features within a network environment. Domain levels are the same as
domain modes in Windows 2000. Windows supports four types of functional
levels:

1. Windows 2000 Mixed: This is the default domain functional level. When
a first domain controller is installed or upgraded to Windows 2003, the
domain controller is configured to run in the Windows 2000 mixed
functional level. In this mode, domain controllers running the following
operating systems are supported:
o Windows NT Server 4.0
o Windows 2000 Server
o Windows Server 2003
2. Windows 2000 Native: In this level, domain controllers running Windows
2000 and Windows 2003 can interact with each other. No domain
controller running a pre-Windows 2000 version is supported in this
functional level of the domain.

3. Windows Server 2003 Interim: This functional level allows a Windows
Server 2003 domain controller to interact with domain controllers in the
domain running Windows NT 4.0 or Windows Server 2003. This functional
level is used to upgrade the first Windows NT domain to a new forest.

Note: Windows Server 2003 interim functional level does not support
domain controllers running Windows 2000.

4. Windows Server 2003: This functional level of domain allows a Windows
Server 2003 domain controller to interact only with the domain
controllers running Windows 2003 in the domain. A domain level can be
raised to Windows Server 2003 only when all the domain controllers in
the domain are running Windows Server 2003.

What is a site? A site is a collection of one or more well-connected (usually a
local area network) TCP/IP subnets. The network between the subnets must
be highly reliable and fast (512 Kbps and higher). Although the sites are
defined on the basis of location, they can be spanned over more than one
location. A site structure corresponds to the physical environment, whereas
a domain is the logical environment of the network. A site can contain
single or multiple domains, and a domain can contain single or multiple
sites. Sites are created to physically group the computers and resources for
optimizing the network traffic. Administrators can configure Active
Directory access and replication technology to take advantage of the
physical network by configuring sites. When a user logs on to a network, the
authentication request searches for the domain controllers in the same site
where the user is located. A site prevents the network traffic from traveling
on wide area network (WAN) links that are slow.

What is the DCDIAG tool? It is an AD troubleshooting tool. Domain Controller
Diagnostic (DCDIAG) is a diagnostic tool that is used to analyze the domain
controllers in a forest to report problems or issues. The scope of this tool
covers the functions of the domain controllers and interactions across an
entire enterprise. The DCDIAG tool is used to diagnose the domain controller
status for the following issues:

• Connectivity
• Replication
• Integrity of topology
• Permissions on directory partition heads
• Permissions of users
• Functionality of the domain controller locator
• Consistency among domain controllers in the site
• Verification of trusts
• Diagnosis of replication latencies
• Replication of trust objects
• Verification of File Replication service
• Verification of critical services
Note: DCDIAG is an analyzing tool, which is mostly used for the reporting
purposes. Although this tool allows specific tests to be run individually, it is not
intended as a general toolbox of commands for performing specific tasks.

What is NETDOM? NETDOM is a command-line tool that allows management
of Windows domains and trust relationships. It is used for batch management
of trusts, joining computers to domains, verifying trusts, and secure channels.

What are Windows 2003 system services? Windows Server 2003 comes with
many system services that have different functionalities in the operating
system. When Windows Server 2003 is first installed, the default system
services are created and are configured to run when the system starts.

Example: Following are some important system services of Windows Server
2003:

Alerter
Automatic Updates
Cluster Service
DHCP
Distributed File System
DNS Client service
DNS Server service
Event Log service
Remote Installation
Remote Procedure Call (RPC)
Routing and Remote Access

What is a paging file? A paging file is a hidden file on the hard disk used by
Windows operating systems to hold parts of programs and data that do not fit
in the computer's memory. The paging file and the physical memory, or
random access memory (RAM), comprise the virtual memory. Windows
operating systems move data from the paging file to the memory as required
and move data from the memory to the paging file to make room for new
data. A paging file is also known as a swap file.

What are authoritative and non-authoritative Active Directory restores?
There are two general methods of restoring Active Directory from the backup
media: authoritative and non-authoritative.

Authoritative restore makes the computer authoritative over other domain
controllers. Data restored authoritatively in a computer takes precedence
over other domain controllers' data, despite the fact that the restored data is
older than the current replicas. Authoritative restore is typically used to
restore a system to a previously known state. The NTDSUTIL command-line
tool allows authoritatively restoring the entire directory, a subtree, or
individual objects, provided they are leaf objects.

A non-authoritative restore results in the restored data (which may be
outdated) becoming synchronized with the data on other domain controllers
through replication.

What is ADPREP tool? The ADPREP tool is used to prepare Windows 2000
domains and forests for an upgrade to Windows Server 2003. It extends the
schema, updates default security descriptors of selected objects, and adds
new directory objects as required by some applications.

Syntax: ADPREP {/forestprep | /domainprep}

Parameter     Description
/forestprep   Prepares a Windows 2000 forest for an upgrade to a Windows
              Server 2003 forest.
/domainprep   Prepares a Windows 2000 domain for an upgrade to a Windows
              Server 2003 domain.
/?            Displays help for the command.

To run ADPREP /forestprep, the administrator must be a member of the
Enterprise Admins group and the Schema Admins group in Active
Directory. The ADPREP /forestprep command must be run on the schema
master.

To run ADPREP /domainprep, the administrator must be a member of the
Domain Admins group or the Enterprise Admins group in Active Directory.
The ADPREP /domainprep command must be run on each infrastructure
master.

Which files are included in the System State data? Following are the files
included in the System State data:

• Boot files, including the system files and all files protected by Windows
File Protection (WFP)
• Active Directory (on domain controller only)
• SYSVOL (on domain controller only)
• Certificate Services (on certification authority only)
• Cluster database (on cluster node only)
• Registry
• IIS metabase
• Performance counter configuration information
• Component Services Class registration database

What is the RENDOM utility? RENDOM is a Windows 2003 utility used to rename
and restructure a domain in the forest. It can perform the following tasks:

• Change the DNS and NetBIOS names of the forest-root domain.
• Change the DNS and NetBIOS names of any tree-root domain.
• Change the DNS and NetBIOS names of the parent and child domains.
• Restructure a domain's position in the forest.

The utility is supplied by Microsoft and is placed in the
\Valueadd\Msft\Mgmt\Domren directory on the Windows Server 2003 CD-ROM.

Note: Renaming a domain is a thorough multi-step process that requires a
detailed understanding of the operation. It affects every domain controller in
the forest.

What is volume shadow copy? Windows Backup provides a feature for backing
up files that are open in a user session or by the system. This feature is
known as volume shadow copy. Volume shadow copy makes a duplicate copy
of all files at the start of the backup process. In this way, files that have
changed during the backup process are copied correctly. Volume shadow
copy ensures the following:

• Applications continue to write data to the volume during a backup.
• Backups are scheduled at any time without locking out users.

What are Performance Logs and Alerts? Performance Logs and Alerts is an
MMC snap-in that is used to establish performance baselines, diagnose
system problems, and anticipate increased system resource demands. It is
used to obtain useful data for detecting system bottlenecks and changes in
system performance. The alerting functionality of this tool is extremely
useful for troubleshooting intermittent and difficult-to-reproduce problems.
It uses the same performance counters as the System Monitor for capturing
information to log files over a period of time. The prime benefit of this tool
is the ability to capture performance counter information for further
analysis. Performance Logs and Alerts runs as a service and loads during
computer startup. It does not require a user to log on to a computer.

Network Interface Card A network interface card (NIC) is a computer
circuit board or card installed in a computer. It provides a physical
connection between a computer and the network. Network interface
cards provide a dedicated, full-time connection to a network. Each
network interface card has a unique Media Access Control (MAC) address.

Media Access Control (MAC) address is a numerical identifier that is
unique for each network interface card (NIC). MAC addresses are 48-bit
values expressed as twelve hexadecimal digits, usually divided into
hyphen-separated pairs, for example, FF-00-F8-32-13-19. MAC addresses
are also referred to as hardware addresses, Ethernet addresses, and
universally administered addresses (UAAs).
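As an added example (not part of the original text), the following Python parses the MAC address formats that appear in Windows and switch logs, normalizes them to the hyphen-separated form described above, and decodes the first-octet bits that distinguish a universally administered address from a locally administered one. The sample addresses and all function names are constructed for illustration.

```python
"""Normalize 48-bit MAC addresses and decode their administration and group bits.

Added example, not part of the original document. The U/L bit (0x02 of the
first octet) separates a universally administered address (UAA, built from a
vendor OUI) from a locally administered one; the I/G bit (0x01) marks group
(multicast/broadcast) addresses. Sample addresses below are constructed.
"""
import re
from typing import Dict, Union

_HEX_RUN = re.compile(r"[0-9A-Fa-f]+")


def parse_mac(text: str) -> int:
    """Accept FF-00-F8-32-13-19, ff:00:f8:32:13:19, ff00.f832.1319 or
    ff00f8321319 and return the address as a 48-bit integer."""
    digits = "".join(_HEX_RUN.findall(text))
    leftovers = set(_HEX_RUN.sub("", text.strip()))   # whatever is not hex
    if len(digits) != 12 or not leftovers <= set("-:."):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render as twelve hexadecimal digits in hyphen-separated pairs."""
    if not 0 <= value < 1 << 48:
        raise ValueError("value does not fit in 48 bits")
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def describe_mac(text: str) -> Dict[str, Union[str, bool]]:
    """Normalize the address and report its OUI, U/L bit and I/G bit."""
    value = parse_mac(text)
    first_octet = value >> 40
    normalized = format_mac(value)
    return {
        "normalized": normalized,
        "oui": normalized[:8],                               # first three octets
        "universally_administered": not first_octet & 0x02,  # U/L bit clear -> UAA
        "group_address": bool(first_octet & 0x01),           # I/G bit set -> multicast
    }


if __name__ == "__main__":
    for sample in ("FF-00-F8-32-13-19", "00:0c:29:ab:cd:ef", "000c.29ab.cdef"):
        print(sample, "->", describe_mac(sample))
```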

Hub A hub is a device used to link computers in a network. It connects
computers that have a common architecture, such as Ethernet, ARCnet,
FDDI, or Token Ring. All hub-computer connections for a particular
network use the same type of cable, which can be twisted-pair, coaxial,
or fiber-optic. Hubs are generally used in star topology networks. Token
Ring hubs are also known as Multistation Access Units (MSAUs). A hub
works on the physical layer of the OSI model. Two types of hubs are
available as follows:

1. Active hub is a central device used to connect computers in a star
network. It regenerates and retransmits deteriorated signals on the
network.
2. Passive hub is a central device used to connect computers in a star
network. It receives information through one of its ports and sends it to
the computers connected to every other port. Therefore, although the
information is broadcast to the network, only the destination
computer reads it. A passive hub does not regenerate signals.

Repeater A repeater is a basic LAN connection device. It allows a network
cabling system to extend beyond its maximum allowed length and reduces
distortion by amplifying or regenerating network signals. Repeaters can also
be used to connect network segments composed of different media, such as
connecting a twisted pair cable segment to a fiber-optic cable segment. A
repeater works at the physical layer of the OSI model.
Switch A switch is a network connectivity device that brings media segments
together in a central location. It reads the destination's MAC address or
hardware address from each incoming data packet and forwards the data
packet to its destination. This reduces the network traffic. Switches operate at
the data-link layer of the OSI model.

Router A router is a device that routes data packets between computers in
different networks. It is used to connect multiple networks, and it determines
the path to be taken by each data packet to its destination computer. A router
maintains a routing table of the available routes and their conditions. By using
this information, along with distance and cost algorithms, the router
determines the best path to be taken by the data packets to the destination
computer. A router can connect dissimilar networks, such as Ethernet, FDDI,
and Token Ring, and route data packets among them. Routers operate at the
network layer (layer 3) of the Open Systems Interconnection (OSI) model.

Brouter A brouter is a combination of a bridge and a router. It is used to
connect dissimilar network segments, and it routes only a specific transport
protocol such as TCP/IP. A brouter also works as a bridge for all types of
packets, passing them on as long as they are not local to the LAN segment from
which they have originated.

Bridge A bridge is an interconnectivity device that connects two local area
networks (LANs) or two segments of the same LAN using the same
communication protocols and provides address filtering between them. Users
can use this device to divide busy networks into segments and reduce network
traffic. A bridge broadcasts data packets to all the possible destinations within
a specific segment. Bridges operate at the data-link layer of the OSI model.

Gateway A gateway is a network interconnectivity device that translates
different communication protocols and is used to connect dissimilar network
technologies. It provides greater functionality than a router or bridge because
a gateway functions both as a translator and a router. Gateways are slower
than bridges and routers. A gateway is an application layer device.

Modem Modem stands for Modulator-Demodulator. It is a device that enables a
computer to transmit information over standard telephone lines. Since a
computer stores information digitally and a telephone line is analog, a modem
converts digital signals to analog and vice versa. The conversion of a digital
signal to analog is known as modulation and that of an analog signal to digital is
known as demodulation.

Normal Backups When an administrator chooses to use a normal backup,
all selected files and folders are backed up and the archive attribute of
all files is cleared. A normal backup does not use the archive attribute
to determine which files to back up. A normal backup is used as the first
step of any backup plan. It is used in combination with other backup
types when planning the backup strategy of an organization. Normal backups
are the most time-consuming and resource-hungry. Restoration from a
normal backup is more efficient than from other types of backups.
Incremental Backups An incremental backup backs up files that are
created or changed since the last normal or incremental backup. It takes
the backup of files of which the archive attribute is set. After taking a
backup, it clears the archive attribute of files. An incremental backup is
the fastest backup process. Restoring data from an incremental backup
requires the last normal backup and all subsequent incremental backups.
Incremental backups must be restored in the same order as they were
created.
Note: If any media in the incremental backup set is damaged or data
becomes corrupt, the data backed up after corruption cannot be
restored.

Differential Backups A differential backup backs up files that are created
or changed since the last normal backup. It does not clear the archive
attribute of files after taking a backup. The restoration of files from a
differential backup is more efficient than from an incremental backup.

Copy Backups A copy backup copies all selected files and folders. It
neither uses nor clears the archive attribute of the files. It is generally
not a part of a planned scheduled backup.

Daily Backups A daily backup backs up all selected files and folders that
have changed during the day. It backs up data by using the modified date
of the files. It neither uses nor clears the archive attribute of the files.

Combining backup types The easiest backup plan is to take a normal
backup every night. A normal backup every night ensures that the data is
restored from a single job the next day. Although the restoration of data
from a normal backup is easy, taking a backup is time consuming. Hence,
an administrator is required to make an optimal backup plan. An
administrator must consider the following points before creating a backup
plan:

• The time involved in taking the backup.
• The size of the backup job.
• The time required to restore a system in the event of a system failure.

The most common solutions for the needs of different organizations include the
combination of normal, differential, and incremental backups.
Combination of Normal and Differential Backups An administrator can use a
combination of a normal backup and differential backups to save time both
in taking a backup and in restoring data. In this plan, a normal backup is
taken on Sunday, and differential backups are taken on Monday through
Friday every night. If data becomes corrupt at any time, only the normal
backup and the last differential backup need to be restored. Although this
combination is easier and takes less time for restoration, the backups take
more time if data changes frequently.

Combination of Normal and Incremental Backups A combination of normal
and incremental backups can be used to save more time for taking backups. In
this plan, a normal backup is taken on Sunday and incremental backups on
Monday through Friday every night. If data becomes corrupt at any time, the
normal backup and all incremental backups taken since then are required to be
restored.
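The following Python simulation is an added example (not part of the original text) of the backup types and the two plans described above: it tracks the archive attribute the way the text describes (normal and incremental clear it; differential, copy and daily do not), runs a Sunday normal backup followed by a week of changes, and derives the restore chain each plan needs. The file names, the change schedule and the dates are constructed.

```python
"""Which files each backup type selects, and which jobs a restore needs.

Added example, not part of the original document. The constructed week
below starts with a normal backup on Sunday and then runs either incremental
or differential backups Monday through Friday over a fixed change schedule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class File:
    name: str
    modified: date
    version: int = 1        # constructed stand-in for the file's contents
    archive: bool = True    # Windows sets the archive attribute on create/modify


@dataclass
class BackupJob:
    kind: str
    day: date
    copies: Dict[str, int]  # file name -> version captured by this job


# Only normal and incremental backups clear the archive attribute.
CLEARS_ARCHIVE = {"normal": True, "incremental": True,
                  "differential": False, "copy": False, "daily": False}


def select_files(kind: str, files: List[File], today: date) -> List[File]:
    """Apply the selection rule of each backup type."""
    if kind in ("normal", "copy"):
        return list(files)                                  # everything selected
    if kind in ("incremental", "differential"):
        return [f for f in files if f.archive]              # archive attribute set
    if kind == "daily":
        return [f for f in files if f.modified == today]    # modified date, not archive bit
    raise ValueError(f"unknown backup type {kind!r}")


def run_backup(kind: str, files: List[File], today: date) -> BackupJob:
    selected = select_files(kind, files, today)
    if CLEARS_ARCHIVE[kind]:
        for f in selected:
            f.archive = False
    return BackupJob(kind, today, {f.name: f.version for f in selected})


def modify(files: List[File], name: str, today: date) -> None:
    """Create or change a file: new version, new modified date, archive bit set."""
    for f in files:
        if f.name == name:
            f.version += 1
            f.modified = today
            f.archive = True
            return
    files.append(File(name, today))


def restore_chain(jobs: List[BackupJob]) -> List[BackupJob]:
    """Jobs to restore, in order, for a plan of one normal backup followed by
    only incrementals or only differentials (the two plans described above)."""
    last_normal = max(i for i, j in enumerate(jobs) if j.kind == "normal")
    later = jobs[last_normal + 1:]
    kinds = {j.kind for j in later}
    if kinds <= {"incremental"}:
        return [jobs[last_normal]] + later       # every incremental, in creation order
    if kinds == {"differential"}:
        return [jobs[last_normal], later[-1]]    # only the most recent differential
    raise ValueError("mixed backup types after the last normal backup are not modelled")


def restore(chain: List[BackupJob]) -> Dict[str, int]:
    state: Dict[str, int] = {}
    for job in chain:
        state.update(job.copies)                 # later jobs overwrite older copies
    return state


def simulate_week(plan: str) -> Dict[str, object]:
    """Sunday normal backup, then Monday-Friday backups of `plan`; report how many
    files each job captured and whether the restore chain rebuilds the live state."""
    sunday = date(2003, 6, 1)                    # constructed date (a Sunday)
    files = [File("payroll.xls", sunday), File("policy.doc", sunday), File("ntds.dit", sunday)]
    changes = {1: ["payroll.xls"], 2: ["policy.doc"],
               3: ["payroll.xls", "memo.txt"], 4: [], 5: ["memo.txt"]}
    jobs = [run_backup("normal", files, sunday)]
    for offset, names in sorted(changes.items()):
        day = sunday + timedelta(days=offset)
        for name in names:
            modify(files, name, day)
        jobs.append(run_backup(plan, files, day))
    chain = restore_chain(jobs)
    return {
        "job_sizes": [len(j.copies) for j in jobs],
        "restore_jobs": len(chain),
        "restore_matches_live": restore(chain) == {f.name: f.version for f in files},
    }


if __name__ == "__main__":
    for plan in ("incremental", "differential"):
        print(plan, simulate_week(plan))
```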

Backing up System State Data

System State Data: System State data contains critical elements of the Windows
2000 and Windows Server 2003 operating systems. Following are the files
included in the System State data:

• Boot files, including the system files and all files protected by Windows
File Protection (WFP)
• Active Directory (on domain controller only)
• SYSVOL (on domain controller only)
• Certificate Services (on certification authority only)
• Cluster database (on cluster node only)
• Registry
• IIS metabase
• Performance counter configuration information
• Component Services Class registration database

What is Internet Security and Acceleration (ISA) Server 2000? Internet
Security and Acceleration Server 2000 is a Microsoft product that is used to
provide powerful security and network acceleration while accessing the
Internet. It works as a firewall as well as a Web cache server. It integrates
with the Microsoft Windows 2000 operating system for policy-based
security, acceleration, and management of internetworking.

Features of ISA Server

• It provides an additional level of security.
• It offers industry-leading Web cache performance.
• It integrates with Microsoft Windows 2000.
• It enables administrators to use bandwidth efficiently.
• It provides increased manageability.
• It provides enhanced usability.
• It provides integrated services.
• It provides increased extensibility.
• It provides improved interoperability.
• It provides enhanced scalability.

Site and Replication

What is a Site? A site is a collection of one or more well-connected
(usually a local area network) TCP/IP subnets. The network between the
subnets must be highly reliable and fast (512 Kbps and higher). Although
the sites are generally defined on the basis of location, they can be
spanned over more than one location. A site structure corresponds to the
physical environment, whereas a domain is the logical environment of the
network. A site can contain single or multiple domains, and a domain can
contain single or multiple sites.

The sites are created to physically group the computers and resources to
optimize network traffic. Administrators can configure Active Directory
access and replication technology to take advantage of the physical
network by configuring sites. When a user logs on to the network, the
authentication request searches for the domain controllers in the same
site as the user. A site prevents the network traffic from traveling on
slow wide area network (WAN) links.

What are Directory Tree, Directory Partition, and Replica? Directory
tree is a hierarchy of objects and containers of Active Directory, which
represents all the objects in the forest. Each domain controller stores a
copy of a specific part of the directory tree, called a directory partition
(sometimes called naming context). The copy of the directory partition is
called a replica. A replica contains all attributes for each directory
partition object. Each domain controller in the forest stores a replica.

What is replication? Replication is a process through which the changes
made to a replica on one domain controller are synchronized to replicas
on all the other domain controllers in the network. Each domain
controller stores three types of replicas:

• Schema partition: This partition stores definitions and attributes of
objects that can be created in the forest. The changes made in this
partition are replicated to all the domain controllers in all the domains
in the forest.
• Configuration partition: This partition stores the logical structure of the
forest deployment. It includes the domain structure and the replication
topology. The changes made in this partition are replicated to all the
domain controllers in all the domains in the forest.
• Domain partition: This partition stores all the objects in a domain.
Changes made in this partition are replicated to all the domain
controllers within the domain.

Note: Windows Server 2003 supports a new type of directory partition named
Application directory partition. This partition is available only to Windows 2003
domain controllers. The applications and services use this partition to store
application-specific data.

Creating, modifying, moving, and deleting an object trigger a replication
between domain controllers. Replication is of two types:

• Intrasite: An intrasite (within a site) replication mostly uses LAN
connections. As intrasite replication does not compress data, it saves a
computer's CPU time. In an intrasite replication, the replication partners
poll each other periodically and notify each other when changes need to
be replicated, and then pull the information for processing. Active
Directory uses a remote procedure call (RPC) transport protocol for
intrasite replication.
• Intersite: As an intersite (between sites) replication uses WAN
connections, a large amount of data is compressed to save WAN
bandwidth. For the same reason, the replication partners do not notify
each other when changes need to be replicated. Instead, administrators
configure the replication schedule to update the information. Active
Directory uses an IP or SMTP protocol for intersite replication.

For intrasite replication to take place, connection objects are required. The
Active Directory automatically creates and deletes connection objects as and
when required. Connection objects can be created manually to force
replication.

What are Site Links? Site links are logical, transitive connections between two
or more sites. For intersite replication to take place, site links are required to
be configured. Once a site link has been configured, the knowledge consistency
checker (KCC) then automatically generates the replication topology by
creating the appropriate connection objects. Site links are used to determine
the paths between two sites. They must be created manually.

Site links are transitive in nature. For example, if Site 1 is linked with Site 2
and Site 2 is linked with Site 3, then Site 1 and Site 3 are linked transitively.
The administrators can control transitivity of the site link. By default,
transitivity is enabled. Site link transitivity can be enabled or disabled through
a bridge.

What is Site Link Bridge? A site link bridge is created to build a transitive and
logical link between two sites that do not have an explicit site link. The site
link bridge is created only when the transitivity of the site link is disabled.

What is Site Link Cost? Site link cost is an attribute of a site link. Each site link
has been assigned a default cost of 100. The knowledge consistency checker
(KCC) uses the site link cost to determine which site links should be preferred
for replication. It should be remembered that the lower the site link cost, the
more preferred is the link.

For example, an administrator has to configure the site link cost of the links
between Site 1 and Site 2. There are two site links available, as shown in the
image below:
S1S2 is a T1 site link that uses T1 lines for replication, whereas S1S2DU uses a
dial-up connection for replication. If the administrator requires that the KCC
prefer the S1S2 site link to the S1S2DU site link for replication, he will
have to configure the S1S2 link with a lower cost than that of the S1S2DU link.
Any site link configured with a site link cost of one (1) will always get
preference over other site links with a higher cost.
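The following Python model is an added example (not part of the original text) of how the KCC's choice between site links follows from site link cost, transitivity and site link bridges as described above. Only the S1S2 and S1S2DU link names come from the text; the cost given to the dial-up link, the third site and its links, and the rule that a route never hops between two explicit bridges are assumptions made for the example.

```python
"""Least-cost replication route over Active Directory site links.

Added example, not part of the original document: a small model of how the
KCC picks a route between sites by site link cost (lower is preferred, default
100), with site link transitivity ("bridge all site links") on or off and
explicit site link bridges. Site names, links and costs other than the S1S2
and S1S2DU link names are constructed.
"""
import heapq
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

DEFAULT_SITE_LINK_COST = 100
Route = Tuple[int, List[str]]   # (total cost, site links traversed in order)


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: FrozenSet[str]       # a site link joins two or more sites
    cost: int = DEFAULT_SITE_LINK_COST


@dataclass
class SiteTopology:
    links: List[SiteLink]
    transitive: bool = True     # "Bridge all site links", on by default
    bridges: List[FrozenSet[str]] = field(default_factory=list)  # sets of link names


def _cheapest_chain(links: Iterable[SiteLink], src: str, dst: str) -> Optional[Route]:
    """Dijkstra over site links treated as hyperedges: from a site, every other
    site on the same link is reachable for that link's cost."""
    by_site: Dict[str, List[SiteLink]] = {}
    for link in links:
        for site in link.sites:
            by_site.setdefault(site, []).append(link)
    best: Dict[str, float] = {src: 0}
    heap: List[Tuple[int, str, Tuple[str, ...]]] = [(0, src, ())]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, list(path)
        if cost > best[site]:
            continue                                  # stale heap entry
        for link in by_site.get(site, []):
            for nxt in link.sites - {site}:
                new_cost = cost + link.cost
                if new_cost < best.get(nxt, float("inf")):
                    best[nxt] = new_cost
                    heapq.heappush(heap, (new_cost, nxt, path + (link.name,)))
    return None


def least_cost_route(topo: SiteTopology, src: str, dst: str) -> Optional[Route]:
    """Route the KCC prefers between two sites, or None if they are not connected."""
    if topo.transitive:
        return _cheapest_chain(topo.links, src, dst)  # any chain of links may be used
    # Transitivity off: a route is a single site link, or stays inside one explicit
    # site link bridge (assumption: routes do not hop from one bridge to another).
    candidates: List[Route] = []
    direct = [l for l in topo.links if {src, dst} <= l.sites]
    if direct:
        link = min(direct, key=lambda l: l.cost)
        candidates.append((link.cost, [link.name]))
    for bridge in topo.bridges:
        route = _cheapest_chain([l for l in topo.links if l.name in bridge], src, dst)
        if route is not None:
            candidates.append(route)
    return min(candidates, key=lambda r: r[0]) if candidates else None


def demo() -> Dict[str, Optional[Route]]:
    """The two-link case discussed above plus a three-site case showing transitivity."""
    s1s2 = SiteLink("S1S2", frozenset({"Site1", "Site2"}))                # T1 line, default cost 100
    s1s2du = SiteLink("S1S2DU", frozenset({"Site1", "Site2"}), cost=200)  # dial-up, constructed cost
    two_links = SiteTopology([s1s2, s1s2du])
    cheap_dialup = SiteTopology([s1s2, SiteLink("S1S2DU", s1s2du.sites, cost=1)])

    s2s3 = SiteLink("S2S3", frozenset({"Site2", "Site3"}))
    s1s3 = SiteLink("S1S3", frozenset({"Site1", "Site3"}), cost=500)       # constructed slow direct link
    three_sites = [s1s2, s2s3, s1s3]
    return {
        "t1_preferred": least_cost_route(two_links, "Site1", "Site2"),
        "cost_1_wins": least_cost_route(cheap_dialup, "Site1", "Site2"),
        "transitive_via_site2": least_cost_route(SiteTopology(three_sites), "Site1", "Site3"),
        "no_transitivity_direct_only": least_cost_route(
            SiteTopology(three_sites, transitive=False), "Site1", "Site3"),
        "bridge_restores_chain": least_cost_route(
            SiteTopology(three_sites, transitive=False, bridges=[frozenset({"S1S2", "S2S3"})]),
            "Site1", "Site3"),
    }


if __name__ == "__main__":
    for case, route in demo().items():
        print(f"{case}: {route}")
```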

What is a Bridgehead Server? A bridgehead server is a domain controller in each
site, which is used as a contact point to receive and replicate data between
sites. For intersite replication, the KCC designates one of the domain controllers
as a bridgehead server. In case the server is down, the KCC designates another
domain controller. When a bridgehead server receives replication updates from
another site, it replicates the data to the other domain controllers within its
site.

What is a Preferred Bridgehead Server? A preferred bridgehead server is a
domain controller in a site, specified by an administrator, to act as a
bridgehead server. Administrators can specify more than one preferred
bridgehead server, but only one server is active at a time in a site. A preferred
bridgehead server is designated to take advantage of a certain domain
controller having the appropriate bandwidth to transmit and receive
information.

What are Performance Logs and Alerts? Performance Logs and Alerts is an
MMC snap-in that is used to establish performance baselines, diagnose
system problems, and anticipate increased system resource demands. It is
used to obtain useful data for detecting system bottlenecks and changes in
system performance. The alerting functionality of this tool is extremely
useful for troubleshooting intermittent and difficult-to-reproduce problems.
It uses the same performance counters as the System Monitor for capturing
information to log files over a period of time. The prime benefit of this tool
is the ability to capture performance counter information for further
analysis. Performance Logs and Alerts runs as a service and loads during
computer startup. It does not require a user to log on to a computer.

What is WLBS.EXE? WLBS.EXE is a command-line tool, which is used as a
Network Load Balancing control program. WLBS.EXE is used to start, stop,
and administer Network Load Balancing, as well as to enable and disable
ports and to query cluster status.
Note: WLBS.EXE cannot be used to change the registry parameters of
Network Load Balancing.

What is buffer overflow? Buffer overflow is a condition in which an
application receives more data than it is configured to accept. This usually
occurs due to programming errors in the application. Buffer overflow can
terminate or crash the application.

What is DMZ? Demilitarized zone (DMZ) or perimeter network is a small
network that lies in between the Internet and a private network. It is the
boundary between the Internet and an internal network, usually a
combination of firewalls and bastion hosts that are gateways between inside
networks and outside networks. DMZ provides a large enterprise network or
corporate network the ability to use the Internet while still maintaining its
security.

What is Kerberos v5? Kerberos v5 is an authentication method used by
Windows operating systems to authenticate users and network services.
Windows 2000/2003 and XP clients and servers use Kerberos v5 as the default
authentication method. Kerberos has replaced the NT LAN Manager (NTLM)
authentication method, which was less secure. Kerberos uses mutual
authentication to verify both the identity of the user and network services.
The Kerberos authentication process is transparent to the users.

Note: Kerberos v5 is not supported on Windows XP Home clients or on any
clients that are not members of an Active Directory domain.

What is Software Update Services (SUS)? Software Update Services (SUS) is
a tool used to acquire and distribute critical Windows patches to computers
running Windows operating systems. Administrators use SUS to download and
test the patches, and then deploy the patches to the appropriate computers
running the Automatic Updates clients. SUS consists of three components:

1. Software Update Services (SUS) that runs on the server.
2. Automatic Updates (AU) that runs on client computers.
3. Group Policy settings that control AU clients from Active Directory.

SUS does not support Microsoft Office or Microsoft BackOffice products. It
updates the operating systems (except Windows NT or Windows 9x), Microsoft
IIS, and Microsoft Internet Explorer (IE) only.

Which installation modes are available with ISA Server? The following
modes are available as a part of the ISA Server setup process:

• Firewall: In Firewall mode, network configuration can be secured by
configuring rules that control communication between a corporate
network and the Internet. In this mode, internal servers can also be
published to share data with Internet users.
• Cache: In Cache mode, network performance can be improved and
bandwidth can be saved by storing commonly accessed Internet objects
locally. Requests can be routed from the Internet users to an
appropriate internal Web server.
• Integrated: Integrated mode is a combination of Firewall and Cache
modes. It supports all the features available in Firewall and Cache
modes of ISA Server.

Windows Server 2003 interview and certification questions

How do you double-boot a Win 2003 server box? The Boot.ini file is set
as read-only, system, and hidden to prevent unwanted editing. To
change the Boot.ini timeout and default settings, use the System option
in Control Panel from the Advanced tab and select Startup.

What do you do if an earlier application doesn’t run on Windows Server
2003? When an application that ran on an earlier legacy version of
Windows cannot be loaded during the setup function or if it later
malfunctions, you must run the compatibility mode function. This is
accomplished by right-clicking the application or setup program and
selecting Properties –> Compatibility –> selecting the previously
supported operating system.

If you uninstall Windows Server 2003, which operating systems can
you revert to? Win ME, Win 98, 2000, XP. Note, however, that you
cannot upgrade from ME and 98 to Windows Server 2003.

How do you get to Internet Firewall settings? Start –> Control Panel –>
Network and Internet Connections –> Network Connections.

What is Active Directory? Active Directory is a network-based object
store and service that locates and manages resources, and makes these
resources available to authorized users and groups. An underlying
principle of the Active Directory is that everything is considered an
object—people, servers, workstations, printers, documents, and devices.
Each object has certain attributes and its own security access control list
(ACL).

Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003? The Active Directory
replaces them. Now all domain controllers share a multimaster peer-to-
peer read and write relationship that hosts copies of the Active
Directory.

How long does it take for security changes to be replicated among the
domain controllers? Security-related modifications are replicated within
a site immediately. These changes include account and individual user
lockout policies, changes to password policies, changes to computer
account passwords, and modifications to the Local Security Authority
(LSA).

What’s new in Windows Server 2003 regarding the DNS management?
When DC promotion occurs with an existing forest, the Active Directory
Installation Wizard contacts an existing DC to update the directory and
replicate from the DC the required portions of the directory. If the
wizard fails to locate a DC, it performs debugging and reports what
caused the failure and how to fix the problem. In order to be located on
a network, every DC must register in DNS DC locator DNS records. The
Active Directory Installation Wizard verifies a proper configuration of the
DNS infrastructure. All DNS configuration debugging and reporting
activity is done with the Active Directory Installation Wizard.

When should you create a forest? Organizations that operate on
radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate
DNS identities. Organizations merge or are acquired and naming
continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately
defined tree can enforce more direct administrative and security
restrictions.

How can you authenticate between forests? Four types of
authentication are used across forests: (1) Kerberos and NTLM network
logon for remote access to a server in another forest; (2) Kerberos and
NTLM interactive logon for physical logon outside the user’s home forest;
(3) Kerberos delegation to N-tier application in another forest; and (4)
user principal name (UPN) credentials.

What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts Manager, Active Directory Sites and
Services Manager, Active Directory Users and Group Manager, Active
Directory Replication (optional, available from the Resource Kit), Active
Directory Schema Manager (optional, available from adminpak).

What types of classes exist in Windows Server 2003 Active Directory?

o Structural class. The structural class is important to the system
administrator in that it is the only type from which new Active
Directory objects are created. Structural classes are developed
from either the modification of an existing structural type or the
use of one or more abstract classes.
o Abstract class. Abstract classes are so named because they take
the form of templates that actually create other templates
(abstracts) and structural and auxiliary classes. Think of abstract
classes as frameworks for the defining objects.
o Auxiliary class. The auxiliary class is a list of attributes. Rather
than apply numerous attributes when creating a structural class,
it provides a streamlined alternative by applying a combination of
attributes with a single include action.
o 88 class. The 88 class includes object classes defined prior to
1993, when the 1988 X.500 specification was adopted. This type
does not use the structural, abstract, and auxiliary definitions,
nor is it in common use for the development of objects in
Windows Server 2003 environments.

How do you delete a lingering object? Windows Server 2003 provides a
command called Repadmin that provides the ability to delete lingering
objects in the Active Directory.

What is Global Catalog? The Global Catalog authenticates network user
logons and fields inquiries about objects across a forest or tree. Every
domain has at least one GC that is hosted on a domain controller. In
Windows 2000, there was typically one GC on every site in order to
prevent user logon failures across the network.

How is user account security established in Windows Server 2003?
When an account is created, it is given a unique access number known as
a security identifier (SID). Every group to which the user belongs has an
associated SID. The user and related group SIDs together form the user
account’s security token, which determines access levels to objects
throughout the system and network. SIDs from the security token are
mapped to the access control list (ACL) of any object the user attempts
to access.

If I delete a user and then create a new account with the same
username and password, would the SID and permissions stay the
same? No. If you delete a user account and attempt to recreate it with
the same user name and password, the SID will be different.

What do you do with secure sign-ons in an organization with many
roaming users? The Credential Management feature of Windows Server 2003
provides a consistent single sign-on experience for users. This can be
useful for roaming users who move between computer systems. The
Credential Management feature provides a secure store of user
credentials that includes passwords and X.509 certificates.

Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User
Properties Account Tab Options, since the Macs only store their
passwords that way.

What remote access options does Windows Server 2003 support? Dial-in,
VPN, dial-in with callback.

Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are
stored locally on the system, and, when the user logs off, all changes to
the locally stored profile are copied to the shared server folder.
Therefore, the first time a roaming user logs on to a new system the
logon process may take some time, depending on how large his profile
folder is.

Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users

What languages can you use for log-on scripts? JavaScript, VBScript,
DOS batch files (.com, .bat, or even .exe)

Windows Server 2003 Active Directory and Security questions

What’s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups
for local domain resources. Global groups provide access to resources in
other trusted domains. Universal groups grant access to resources in all
trusted domains.

I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003
environments. Native mode requires that all domain controllers be
promoted to Windows Server 2003 Active Directory.

What is LSDOU? It’s the group policy inheritance model, where the policies
are applied to Local machines, Sites, Domains and Organizational Units.

Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file
exists, it has the highest priority among the numerous policies.

Where are group policies stored? %SystemRoot%\System32\GroupPolicy

What is GPT and GPC? Group policy template and group policy
container.

Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user
settings are in conflict. Which one has the highest priority? The
computer settings take priority.

You want to set up remote installation procedure, but do not want
the user to gain access over it. What do you do? gponame–> User
Configuration–> Windows Settings–> Remote Installation Services–>
Choice Options is your friend.

What’s contained in administrative template conf.adm? Microsoft
NetMeeting policies.

How can you restrict running certain applications on a machine? Via
group policy, security settings for the group, then Software Restriction
Policies.

You need to automatically install an app, but MSI file is not available.
What do you do? A .zap text file can be used to add applications using
the Software Installer, rather than the Windows Installer.

What’s the difference between Software Installer and Windows
Installer? The former has fewer privileges and will probably require user
intervention. Plus, it uses .zap files.

What can be restricted on Windows Server 2003 that wasn’t there in
previous products? Group Policy in Windows Server 2003 determines a
user’s right to modify network and dial-up TCP/IP properties. Users may
be selectively restricted from modifying their IP address and other
network configuration parameters.

How frequently is the client policy refreshed? 90 minutes give or take.

Where is secedit? It’s now gpupdate.

You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when
creating the policy.

What is "tattooing" the Registry? The user can view and modify user
preferences that are not stored in maintained portions of the Registry. If
the group policy is removed or changed, the user preference will persist
in the Registry.

How do you fight tattooing in NT/2000 installations? You can’t.

How do you fight tattooing in 2003 installations? User Configuration -
Administrative Templates - System - Group Policy - enable - Enforce
Show Policies Only.

What does IntelliMirror do? It helps to reconcile desktop settings,
applications, and stored files for users, particularly those who move
between workstations or those who must periodically work offline.

What’s the major difference between FAT and NTFS on a local
machine? FAT and FAT32 provide no security over locally logged-on
users. Only native NTFS provides extensive permission control on both
remote and local files.

How do FAT and NTFS differ in approach to user shares? They don’t,
both have support for sharing.

Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder.
However, newly created subfolders will inherit this permission.

I have a file to which the user has access, but he has no folder
permission to read it. Can he access it? It is possible for a user to
navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user
can’t drill down the file/folder tree using My Computer, he can still gain
access to the file using the Universal Naming Convention (UNC). The best
way to start would be to type the full path of a file into Run… window.

For a user in several groups, are Allow permissions restrictive or
permissive? Permissive, if at least one group has Allow permission for
the file/folder, user will have the same permission.

For a user in several groups, are Deny permissions restrictive or
permissive? Restrictive, if at least one group has Deny permission for
the file/folder, user will be denied access, regardless of other group
permissions.
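The two answers above, together with the earlier description of the security token (user SID plus group SIDs matched against an object's ACL), can be shown as a small evaluator. This is an added example, not code from the page or from Windows; the SIDs, group names and rights are constructed placeholders.

```python
"""Added example (not from the page): evaluating a user's security token against an
object's ACL. SIDs, group names and rights are constructed placeholders."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Constructed placeholder SIDs; real domain SIDs look like S-1-5-21-<domain>-<rid>.
SID_USER = "S-1-5-21-EXAMPLE-1105"
SID_FINANCE = "S-1-5-21-EXAMPLE-2001"
SID_INTERNS = "S-1-5-21-EXAMPLE-2002"
SID_EVERYONE = "S-1-1-0"


@dataclass(frozen=True)
class Ace:
    """One access control entry: Allow or Deny a set of rights to one SID."""
    ace_type: str            # "allow" or "deny"
    sid: str
    rights: FrozenSet[str]   # e.g. {"read", "write"}


def build_token(user_sid: str, group_sids: Iterable[str]) -> FrozenSet[str]:
    """The security token is the user's own SID plus the SID of every group
    the user belongs to; all of them are matched against the ACL."""
    return frozenset([user_sid, *group_sids])


def effective_rights(token: FrozenSet[str], acl: Iterable[Ace]) -> FrozenSet[str]:
    """Allow entries are permissive: a right granted to any SID in the token is
    granted. Deny entries are restrictive: a right denied to any SID in the
    token is removed, whatever the other groups allow."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.sid not in token:
            continue                      # ACE is for a SID the user does not carry
        target = allowed if ace.ace_type == "allow" else denied
        target.update(ace.rights)
    return frozenset(allowed - denied)


def can_access(token: FrozenSet[str], acl: Iterable[Ace], right: str) -> bool:
    return right in effective_rights(token, acl)


# Constructed ACL for a share: finance may read and write, everyone may read,
# interns are explicitly denied write.
SHARE_ACL = [
    Ace("allow", SID_FINANCE, frozenset({"read", "write"})),
    Ace("allow", SID_EVERYONE, frozenset({"read"})),
    Ace("deny", SID_INTERNS, frozenset({"write"})),
]

if __name__ == "__main__":
    # A finance member who is also an intern: Allow from finance, Deny from interns.
    token = build_token(SID_USER, [SID_FINANCE, SID_INTERNS, SID_EVERYONE])
    print(sorted(effective_rights(token, SHARE_ACL)))
```

Windows itself walks the ACEs in order and stops at the first decisive match; for a canonically ordered ACL (explicit Deny entries before Allow entries) that gives the same result as the set model above, which is all the two answers describe.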

What hidden shares exist on Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

What’s the difference between standalone and fault-tolerant DFS
(Distributed File System) installations? The standalone server stores the
Dfs directory tree structure or topology locally. Thus, if a shared folder
is inaccessible or if the Dfs root server is down, users are left with no
link to the shared resources. A fault-tolerant root node stores the Dfs
topology in the Active Directory, which is replicated to other domain
controllers. Thus, redundant root nodes may include multiple
connections to the same data residing in different shared folders.

We’re using the DFS fault-tolerant installation, but cannot access it
from a Win98 box. Use the UNC path, not client; only 2000 and 2003
clients can access Server 2003 fault-tolerant shares.

Where exactly do fault-tolerant DFS shares store information in
Active Directory? In Partition Knowledge Table, which is then replicated
to other domain controllers.

Can you use Start->Search with DFS shares? Yes.

What problems can you have with DFS installed? Two users opening the
redundant copies of the file at the same time, with no file-locking
involved in DFS, changing the contents and then saving. Only one file
will be propagated through DFS.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
Yeah, you can’t. Install a standalone one.

Is Kerberos encryption symmetric or asymmetric? Symmetric.

How does Windows 2003 Server try to prevent a middle-man attack
on encrypted line? Time stamp is attached to the initial client request,
encrypted with the shared key.
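The answer above is terse, so here is an added example (not the page's and not Kerberos' own code) of what the timestamp buys the server: a captured request cannot be replayed, because the server checks that the timestamp was produced with the shared key, that it is fresh, and that it has not been seen before. The shared key, client names, the five-minute window and the use of an HMAC in place of Kerberos' encryption are all constructed stand-ins.

```python
"""Added example (not from the page): a Kerberos-style timestamped pre-authenticator
and the server-side freshness and replay checks that stop a captured request from
being replayed. Key, names and the HMAC construction are constructed stand-ins."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

MAX_SKEW_SECONDS = 300   # Kerberos' default tolerated clock skew is five minutes
SHARED_KEY = b"constructed-shared-key"   # Kerberos derives this from the user's password


def make_request(client: str, key: bytes, now: int) -> Dict[str, bytes]:
    """Client side: attach the current time to the request and bind it to the
    shared key. Kerberos encrypts the timestamp; an HMAC stands in for that
    here, since the point is that only a key holder can produce a valid value."""
    body = json.dumps({"client": client, "ts": now}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"body": body, "tag": tag}


class Verifier:
    """Server side: key check, then freshness window, then a replay cache."""

    def __init__(self, key: bytes, skew: int = MAX_SKEW_SECONDS) -> None:
        self.key = key
        self.skew = skew
        self.seen: Dict[Tuple[str, int], int] = {}   # (client, ts) -> expiry time

    def verify(self, request: Dict[str, bytes], now: int) -> str:
        expected = hmac.new(self.key, request["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, request["tag"]):
            return "bad-key"            # not produced with the shared key
        msg = json.loads(request["body"])
        if abs(now - msg["ts"]) > self.skew:
            return "stale"              # outside the skew window: an old capture
        # Drop replay-cache entries that have aged past the window, then check.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        entry = (msg["client"], msg["ts"])
        if entry in self.seen:
            return "replay"             # same client and timestamp seen already
        self.seen[entry] = now + self.skew
        return "ok"
```

A copy replayed inside the window is caught by the cache; a copy replayed later is caught by the freshness check, so the cache only ever has to remember one window's worth of entries. That is also why Kerberos needs the clocks of clients and domain controllers kept in sync.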

What hashing algorithms are used in Windows 2003 Server? RSA Data
Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the
Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.

What third-party certificate exchange protocols are used by Windows
2003 Server? Windows Server 2003 uses the industry standard PKCS-10
certificate request and PKCS-7 certificate response to exchange CA
certificates with third-party certificate authorities.

What’s the number of permitted unsuccessful logons on Administrator
account? Unlimited. Remember, though, that it’s the Administrator
account, not any account that’s part of the Administrators group.

If hashing is a one-way function and Windows Server uses hashing for
storing passwords, how is it possible to attack the password lists,
specifically the ones using NTLMv1? A cracker would launch a
dictionary attack by hashing every imaginable term used for password
and then compare the hashes.
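The reason the answer above works is that a fast, unsalted hash maps the same password to the same digest for every account, so a table of digests can be built once and compared against any stolen list. The added example below (not from the page) contrasts that with the defence: a per-account random salt and a deliberately slow key-derivation function. SHA-256 stands in for the MD4-based NT hash the question refers to, and the word list and passwords are constructed.

```python
"""Added example (not from the page): why an unsalted, fast password hash can be
matched against a precomputed dictionary, and why a salted, slow hash defeats
that precomputation. SHA-256 stands in for the MD4-based NT hash; the word list
and passwords are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed word list; a real dictionary attack hashes millions of candidates.
WORDLIST = ["password", "letmein", "Summer2003", "welcome1", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Fast and unsalted: the same password always yields the same digest, so
    one table computed once matches every account that uses that password."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def precompute_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate once; each later check is a dictionary lookup."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """The password is recovered if, and only if, it was in the word list."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted and deliberately slow (PBKDF2-HMAC-SHA256): a table built for one
    salt is useless for any other account, and every guess costs `iterations`
    HMAC computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """What a password store should keep: a fresh random salt and the digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(salted_hash(password, salt), digest)
```

The same salted design is why the precomputed table cannot be reused against two accounts that share a password: their digests differ, and each has to be attacked separately at the slow rate.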

What’s the difference between guest accounts in Server 2003 and
other editions? More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check
"Enforce Password History Remembered"? User’s last 6 passwords.

Technical Interview Questions – Networking

What is an IP address? An Internet Protocol address (IP address) is a numerical
label that is assigned to devices participating in a computer network that uses
the Internet Protocol for communication between its nodes. An IP address serves
two principal functions: host or network interface identification and location
addressing. Its role has been characterized as follows: "A name indicates what
we seek. An address indicates where it is. A route indicates how to get there."

What is a subnet mask? The word subnetwork (usually shortened to subnet)
has two related meanings. In the older and more general meaning, it meant
one physical network of an internetwork. In the Internet Protocol (IP), a
subnetwork is a division of a classful network. The rest of this answer is about
the second meaning. Subnetting an IP network allows a single large network to
be broken down into what appear (logically) to be several smaller ones. It was
originally introduced before the introduction of classful network numbers in
IPv4, to allow a single site to have a number of local area networks. Even after
the introduction of classful network numbers, subnetting continued to be
useful, as it reduced the number of entries in the Internet-wide routing table
(by hiding information about all the individual subnets inside a site). As a side
benefit, it also resulted in reduced network overhead, by dividing the parts
which receive IP broadcasts.

What is ARP? The Address Resolution Protocol (ARP) is a computer networking
protocol for determining a network host's link layer or hardware address when
only its Internet Layer (IP) or Network Layer address is known. This function is
critical in local area networking as well as for routing internetworking traffic
across gateways (routers) based on IP addresses when the next-hop router must
be determined. ARP was defined by RFC 826 in 1982. It is Internet Standard STD
37.

What is ARP Cache Poisoning? ARP stands for Address Resolution Protocol.
Every computer in a LAN has two identifiers: an IP address and a MAC address.
The IP address is either entered by the user or dynamically allocated by a
server, but the MAC address is unique to each Ethernet card. For example, if
you have two Ethernet cards, one for wired and the other for WiFi, you have two
MAC addresses on your machine. The MAC address is a hardware code for your
Ethernet card.
Communication between computers is done at the IP level. This means that if
you want to send a file to a computer, you need to know the other computer's
IP address.
Now, ARP is the protocol that matches every IP address with a certain MAC
address in an ARP table that is saved on your switch in your LAN.
ARP cache poisoning is changing this ARP table on the switch.
In the normal case, when a machine tries to connect to another machine, the
first machine goes to the ARP table with the other machine's IP address, the
ARP table provides the MAC address of the other machine, and the
communication starts. But if someone tampers with the table, the first machine
goes to it with the IP address and the ARP table provides a faulty MAC address
belonging to a third machine that wants to intrude on your communication.
This kind of attack is known as "Man in the Middle".
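What a defender actually sees when this happens is a stream of ARP replies in which one IP address is suddenly answered for by two different MACs, and one MAC answers for two IP addresses at once (the gateway's and the victim's). The added example below (not from the page) runs that check over a constructed sample of observed ARP replies; the addresses, MACs and the optional static "trusted" table are all made up for the example.

```python
"""Added example (not from the page): spotting the symptom of ARP cache poisoning
in a stream of observed ARP replies, as a monitoring host on the LAN would record
them. The reply records and addresses are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """The sender fields of one ARP reply: 'IP sender_ip is at MAC sender_mac'."""
    sender_ip: str
    sender_mac: str


# Constructed sample: the gateway and a workstation answer normally, then a third
# MAC starts claiming both of their IP addresses (the two-sided man-in-the-middle
# pattern described above).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),    # gateway
    ArpReply("192.168.1.10", "00:11:22:33:44:0a"),   # workstation
    ArpReply("192.168.1.20", "00:11:22:33:44:14"),   # another host, unaffected
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:01"),    # gateway IP claimed by a new MAC
    ArpReply("192.168.1.10", "de:ad:be:ef:00:01"),   # workstation IP claimed by the same MAC
    ArpReply("192.168.1.10", "00:11:22:33:44:0a"),
]


def detect_arp_anomalies(replies: Iterable[ArpReply],
                         trusted: Optional[Dict[str, str]] = None
                         ) -> Dict[str, Dict[str, Set[str]]]:
    """Return IPs claimed by more than one MAC ("ip_conflicts") and MACs claiming
    more than one IP ("mac_conflicts"). If a static trusted IP->MAC table is
    supplied, any other MAC answering for a trusted IP is flagged as well, even
    when the legitimate owner never answered during the capture."""
    macs_for_ip: Dict[str, Set[str]] = defaultdict(set)
    ips_for_mac: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        mac = r.sender_mac.lower()            # normalise case before comparing
        macs_for_ip[r.sender_ip].add(mac)
        ips_for_mac[mac].add(r.sender_ip)

    ip_conflicts = {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1}
    mac_conflicts = {mac: ips for mac, ips in ips_for_mac.items() if len(ips) > 1}

    for ip, mac in (trusted or {}).items():
        rogue = macs_for_ip.get(ip, set()) - {mac.lower()}
        if rogue:
            ip_conflicts.setdefault(ip, set()).update(rogue)
    return {"ip_conflicts": ip_conflicts, "mac_conflicts": mac_conflicts}


if __name__ == "__main__":
    print(detect_arp_anomalies(SAMPLE_REPLIES))
```

The same IP-to-MAC bookkeeping is what managed switches do with DHCP snooping and dynamic ARP inspection, which drop replies that do not match the binding the switch learned; static ARP entries for the gateway on critical hosts are the host-side equivalent.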

What is the ANDing process? In order to determine whether a destination host
is local or remote, a computer will perform a simple mathematical
computation referred to as an AND operation. While the sending host does this
operation internally, understanding what takes place is the key to
understanding how an IP-based system knows whether to send packets directly
to a host or to a router.

What is a default gateway? What happens if I don't have one? A gateway is a
routing device that knows how to pass traffic between different subnets and
networks. A computer will know some routes (a route is the address of each
node a packet must go through on the Internet to reach a specific destination),
but not the routes to every address on the Internet. It won’t even know all the
routes on the nearest subnets. A gateway will not have this information either,
but will at least know the addresses of other gateways it can hand the traffic
off to. Your default gateway is on the same subnet as your computer, and is
the gateway your computer relies on when it doesn’t know how to route
traffic. The default gateway is typically very similar to your IP address, in that
many of the numbers may be the same. However, the default gateway is not
your IP address. To see what default gateway you are using, follow the steps
below for your operating system.

Can a workstation computer be configured to browse the Internet and yet
NOT have a default gateway? If we are using a public IP address, we can browse
the Internet. If it has an intranet address, a gateway is needed, as a router
or firewall, to communicate with the Internet. Without a default gateway you
cannot browse the Internet. It doesn't matter if you are on a public or private
network. A default gateway is required to route your IP packets from your
network to the other networks.
What is a subnet? Why do I care? A subnet specifies a range of IP addresses.
The special attribute of a subnet is that all the computers within the subnet (a
"sub-network") can talk directly to each other, and don't need a router to
communicate.

When it's time to send a packet, your computer delivers a packet a) directly to
the destination computer or b) sends it to the router for ultimate delivery.

But how does your computer know whether the packet's destination is within its
subnet? The answer is that your computer uses the subnet mask to determine
the members of the subnet. If your computer's address and the destination
computer's IP addresses are in the same subnet address range, then they can
send packets directly to each other. If they're not in the same range, then they
must send their data through a router for delivery. The chart below associates
the number of IP addresses in a subnet to the subnet mask. For example, the
subnet mask "255.255.255.0" represents 254 consecutive IP addresses.

Prefix  Subnet Mask      # of Addresses         Prefix  Subnet Mask        # of Addresses
/1      128.0.0.0        2.1 billion            /17     255.255.128.0      32,766
/2      192.0.0.0        1 billion              /18     255.255.192.0      16,382
/3      224.0.0.0        536 million            /19     255.255.224.0      8,190
/4      240.0.0.0        268 million            /20     255.255.240.0      4,094
/5      248.0.0.0        134 million            /21     255.255.248.0      2,046
/6      252.0.0.0        67 million             /22     255.255.252.0      1,022
/7      254.0.0.0        34 million             /23     255.255.254.0      510
/8      255.0.0.0        17 million (Class A)   /24     255.255.255.0      254 (Class C)
/9      255.128.0.0      8.4 million            /25     255.255.255.128    126
/10     255.192.0.0      4.2 million            /26     255.255.255.192    62
/11     255.224.0.0      2.1 million            /27     255.255.255.224    30
/12     255.240.0.0      1 million              /28     255.255.255.240    14
/13     255.248.0.0      524 thousand           /29     255.255.255.248    6
/14     255.252.0.0      262 thousand           /30     255.255.255.252    2
/15     255.254.0.0      131 thousand           /31     255.255.255.254    RFC 3021
/16     255.255.0.0      65,534 (Class B)       /32     255.255.255.255    A single address

What is APIPA? Zero configuration networking (zeroconf) is a set of techniques
that automatically creates a usable Internet Protocol (IP) network without
manual operator intervention or special configuration servers. Automatic
Private IP Addressing is a safety mechanism in dynamic host client processing
to assign IP addresses within a given range when the main DHCP mechanism fails.

APIPA, also known as Automatic Private IP Addressing, is a feature used in
Windows operating systems. It comes into action only when no DHCP (Dynamic
Host Configuration Protocol) server is available. When the DHCP client first
comes on, it will try to establish a connection with the DHCP server in order
to get an IP address. It is when this server is (or at a later point becomes)
unavailable that APIPA will kick in.

As the client is unable to connect with the server, APIPA will automatically
try to configure itself with an IP address from a specially reserved range.
(This reserved IP address range goes from 169.254.0.0 to 169.254.255.255.)

What is an RFC? Name a few if possible (not necessarily the numbers, just
the ideas behind them) A Request For Comments (RFC) document defines a
protocol or policy used on the Internet. An RFC can be submitted by anyone.
Eventually, if it gains enough interest, it may evolve into an Internet Standard.
Each RFC is designated by an RFC number. Once published, an RFC never
changes. Modifications to an original RFC are assigned a new RFC number.

What is RFC 1918? RFC 1918 is Address Allocation for Private Internets. The
Internet Assigned Numbers Authority (IANA) has reserved the following three
blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255
(10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), 192.168.0.0 -
192.168.255.255 (192.168/16 prefix). We will refer to the first block as the
"24-bit block", the second as the "20-bit block", and to the third as the
"16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a
single class A network number, while the second block is a set of 16 contiguous
class B network numbers, and the third block is a set of 256 contiguous class C
network numbers.

What is CIDR? CIDR (Classless Inter-Domain Routing, sometimes known as
supernetting) is a way to allocate and specify the Internet addresses used in
inter-domain routing more flexibly than with the original system of Internet
Protocol (IP) address classes. As a result, the number of available Internet
addresses has been greatly increased. CIDR is now the routing system used by
virtually all gateway hosts on the Internet's backbone network. The Internet's
regulating authorities now expect every Internet service provider (ISP) to use it
for routing.

The original Internet Protocol defines IP addresses in four major classes of
address structure, Classes A through D. Each of these classes allocates one
portion of the 32-bit Internet address format to a network address and the
remaining portion to the specific host machines within the network specified by
the address. One of the most commonly used classes is (or was) Class B, which
allocates space for up to 65,533 host addresses. A company that needed more
than 254 host machines but far fewer than the 65,533 host addresses possible
would essentially be "wasting" most of the block of addresses allocated. For
this reason, the Internet was, until the arrival of CIDR, running out of address
space much more quickly than necessary. CIDR effectively solved the problem
by providing a new and more flexible way to specify network addresses in
routers. (With a new version of the Internet Protocol - IPv6 - a 128-bit address
is possible, greatly expanding the number of possible addresses on the Internet.
However, it will be some time before IPv6 is in widespread use.)

Using CIDR, each IP address has a network prefix that identifies either an
aggregation of network gateways or an individual gateway. The length of the
network prefix is also specified as part of the IP address and varies depending
on the number of bits that are needed (rather than any arbitrary class
assignment structure). A destination IP address or route that describes many
possible destinations has a shorter prefix and is said to be less specific. A
longer prefix describes a destination gateway more specifically. Routers are
required to use the most specific or longest network prefix in the routing table
when forwarding packets.

A CIDR network address looks like this:

192.30.250.00/18
The "192.30.250.00" is the network address itself and the "18" says that the first
18 bits are the network part of the address, leaving the last 14 bits for specific
host addresses. CIDR lets one routing table entry represent an aggregation of
networks that exist in the forward path that don't need to be specified on that
particular gateway, much as the public telephone system uses area codes to
channel calls toward a certain part of the network. This aggregation of
networks in a single address is sometimes referred to as a supernet.
CIDR is supported by the Border Gateway Protocol, the prevailing exterior
(interdomain) gateway protocol. (The older exterior or interdomain gateway
protocols, Exterior Gateway Protocol and Routing Information Protocol, do not
support CIDR.) CIDR is also supported by the OSPF interior or intradomain
gateway protocol.

You have the following Network ID: 192.115.103.64/27. What is the IP
range for your network?
It ranges from 192.115.103.64 - 192.115.103.96

But the usable addresses are from 192.115.103.64 - 192.115.103.94

192.115.103.95 - it is the broadcast address

192.115.103.96 - will be the IP address of the next range

We can use 30 hosts in this network

You have the following Network ID: 131.112.0.0. You need at least 500
hosts per network. How many networks can you create? What subnet mask
will you use?

Subnet mask is 255.255.252.0; we can create 4 subnets and connect at
least 500 hosts per network.
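To work the two subnetting questions above from first principles, here is an added example (not part of the original page) that derives the network ID, broadcast address, usable host range and the smallest mask that fits a host count from the bit operations CIDR is built on. The block uses only plain integers so every number is traceable to a mask; it generalises to any prefix length, not just the /27 and /16 cases in the text.

```python
# Subnet arithmetic for the CIDR questions above. Added example, not from the
# original page; it uses plain integer bit operations so the numbers are visible.


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """Build the 32-bit netmask for a prefix length (e.g. 27 -> 255.255.255.224)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe_network(cidr: str) -> dict:
    """Network, broadcast, usable host range and host count for one CIDR block.

    The network ID is the address ANDed with the mask; the broadcast address is
    the network ID with every host bit set; usable hosts lie strictly between
    them (a /31 or /32 has no usable host addresses under this classic rule).
    """
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(address) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    usable = (2 ** host_bits) - 2 if host_bits >= 2 else 0
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(network + 1) if usable else None,
        "last_usable": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
        # The next block starts immediately after this block's broadcast address.
        "next_network": int_to_ip((broadcast + 1) & 0xFFFFFFFF),
    }


def plan_subnets(parent_cidr: str, min_hosts: int) -> dict:
    """Smallest equal-size subnets of parent_cidr that still hold min_hosts usable hosts.

    Usable hosts per subnet is 2**host_bits - 2, so pick the fewest host bits
    that satisfy the requirement; whatever is left of the parent block's
    address space becomes subnet bits.
    """
    parent_prefix = int(parent_cidr.split("/")[1])
    host_bits = 2
    while (2 ** host_bits) - 2 < min_hosts:
        host_bits += 1
    child_prefix = 32 - host_bits
    if child_prefix < parent_prefix:
        raise ValueError("parent block is too small for even one such subnet")
    return {
        "prefix": child_prefix,
        "mask": int_to_ip(prefix_to_mask(child_prefix)),
        "usable_hosts_each": (2 ** host_bits) - 2,
        "subnets": 2 ** (child_prefix - parent_prefix),
    }


if __name__ == "__main__":
    print(describe_network("192.115.103.64/27"))
    print(plan_subnets("131.112.0.0/16", 500))
```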

You need to view network traffic. What will you use? Name a few tools.
It depends on what type of traffic I want to monitor and the network design. I
really liked using Fluke Networks OptiView Network Analyzer. For software, I
would say Wireshark, sitrace, Iris Network Traffic Analyzer, Airsnare,
Packetcapsa. Backtrack (a Linux live CD) has tons of different applications that
you can use to monitor and view network traffic.

How do I know the path that a packet takes to the destination? Use the "tracert"
command-line tool.
What is DHCP? What are the benefits and drawbacks of using it?

Benefits:

1. DHCP minimizes configuration errors caused by manual IP address
configuration.

2. Reduced network administration.

Disadvantage:

Your machine name does not change when you get a new IP address. The DNS
(Domain Name System) name is associated with your IP address and therefore
does change. This only presents a problem if other clients try to access your
machine by its DNS name.


Describe the steps taken by the client and DHCP server in order to obtain an
IP address. At least one DHCP server must exist on a network. Once the DHCP
server software is installed, you create a DHCP scope, which is a pool of IP
addresses that the server manages. When clients log on, they request an IP
address from the server, and the server provides an IP address from its pool of
available addresses. DHCP was originally defined in RFC 1531 (Dynamic Host
Configuration Protocol, October 1993) but the most recent update is RFC 2131
(Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host
Configuration (dhc) Working Group is chartered to produce a protocol for
automated allocation, configuration, and management of IP addresses and
TCP/IP protocol stack parameters.

What is the DHCPNACK and when do I get one? Name 2 scenarios. Recently I
saw a lot of queries regarding when the Microsoft DHCP server issues a NAK to
DHCP clients. For simplification purposes, I am listing the possible
scenarios in which the server should NOT issue a NAK. This should give you a
good understanding of DHCP NAK behavior.

When a DHCP server receives a DHCPREQUEST with a previously assigned address
specified, it first checks to see if it came from the local segment by checking
the GIADDR field. If it originated from the local segment, the DHCP server
compares the requested address to the IP address and subnet mask belonging
to the local interface that received the request.

DHCP server will issue a NAK to the client ONLY IF it is sure that the client, "on
the local subnet", is asking for an address that doesn't exist on that subnet.

The server will send a NAK EXCEPT in the following scenarios:-

1. Requested address from possibly the same subnet but not in the address pool
of the server:-

This can be the failover scenario in which 2 DHCP servers are serving the same
subnet so that when one goes down, the other should not NAK to clients which
got an IP from the first server.

2. Requested address on a different subnet:- If the address is from the same
superscope to which the subnet belongs, the DHCP server will ACK the REQUEST.
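The NAK rules above, modelled as a decision function so the two "no NAK" scenarios can be checked against a constructed topology. This is an added example, not Microsoft's DHCP server code; the handling of relayed requests (non-zero GIADDR) is an assumption that the relay agent's subnet stands in for the receiving interface's subnet, which the text does not spell out.

```python
# Model of the DHCPNAK rules described above. Added example, not Microsoft's
# DHCP server code; the relay-agent (GIADDR) handling is an assumption that the
# relay's subnet stands in for the receiving interface's subnet.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Scope:
    """A DHCP scope: the subnet it serves and the pool of leasable addresses in it."""
    subnet: IPv4Network
    pool_start: IPv4Address
    pool_end: IPv4Address

    def in_pool(self, ip: IPv4Address) -> bool:
        return self.pool_start <= ip <= self.pool_end


@dataclass
class DhcpServer:
    interface_subnet: IPv4Network                    # subnet of the receiving interface
    scopes: list
    superscopes: list = field(default_factory=list)  # each entry: set of IPv4Network

    def _reference_subnet(self, giaddr: str):
        """Subnet the client is on: the receiving interface for a local broadcast,
        or (assumption) the relay agent's subnet when GIADDR is non-zero."""
        relay = IPv4Address(giaddr)
        if relay == IPv4Address("0.0.0.0"):
            return self.interface_subnet
        for scope in self.scopes:
            if relay in scope.subnet:
                return scope.subnet
        return None

    def _same_superscope(self, a: IPv4Network, b: IPv4Network) -> bool:
        return any(a in group and b in group for group in self.superscopes)

    def decide(self, requested_ip: str, giaddr: str = "0.0.0.0") -> str:
        """Return "ACK", "NAK" or "SILENT" for a DHCPREQUEST naming a previously assigned address."""
        ip = IPv4Address(requested_ip)
        reference = self._reference_subnet(giaddr)
        if reference is None:
            # Relayed from a subnet this server knows nothing about: stay out of it.
            return "SILENT"
        if ip in reference:
            for scope in self.scopes:
                if scope.subnet == reference and scope.in_pool(ip):
                    return "ACK"
            # Scenario 1: right subnet, but not our pool (e.g. a peer server's
            # lease in a failover setup): no NAK, let the other server answer.
            return "SILENT"
        for scope in self.scopes:
            if ip in scope.subnet and self._same_superscope(reference, scope.subnet):
                # Scenario 2: another subnet of the same superscope, so ACK.
                return "ACK"
        # The only NAK case: the client is demonstrably on a subnet where this
        # address does not exist.
        return "NAK"


def demo_server() -> DhcpServer:
    """Constructed topology: two scopes grouped in a superscope plus one standalone scope."""
    return DhcpServer(
        interface_subnet=IPv4Network("10.1.0.0/24"),
        scopes=[
            Scope(IPv4Network("10.1.0.0/24"), IPv4Address("10.1.0.100"), IPv4Address("10.1.0.200")),
            Scope(IPv4Network("10.1.1.0/24"), IPv4Address("10.1.1.100"), IPv4Address("10.1.1.200")),
            Scope(IPv4Network("10.2.0.0/24"), IPv4Address("10.2.0.100"), IPv4Address("10.2.0.200")),
        ],
        superscopes=[{IPv4Network("10.1.0.0/24"), IPv4Network("10.1.1.0/24")}],
    )


if __name__ == "__main__":
    server = demo_server()
    for req in ("10.1.0.150", "10.1.0.50", "10.1.1.150", "10.2.0.150"):
        print(req, "->", server.decide(req))
```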

What ports are used by DHCP and the DHCP clients? Requests are on UDP port
68, server replies on UDP 67 (double check: these are reversed).

Describe the process of installing a DHCP server in an AD infrastructure.

Terms you'll need to understand:

• DHCP Lease duration
• Scopes
• Superscopes
• Multicast scopes
• Scope options

Techniques you'll need to master:

• Installing DHCP
• Understanding the DHCP lease process
• Creating scopes, superscopes, and multicast scopes
• Configuring the lease duration
• Configuring optional IP parameters that can be assigned to DHCP clients
• Understanding how DHCP interacts with DNS
• Configuring DHCP for DNS integration
• Authorizing a DHCP server in Active Directory
• Managing a DHCP server
• Monitoring a DHCP server
Introduction
The TCP/IP protocol is an Active Directory operational requirement. This means
that all computers on a Windows 2000 network require a unique IP address to
communicate with the Active Directory. Static IP addresses can add a lot of
administrative overhead. Not only can management of static IP addresses
become time consuming, but such management also increases the chances of
misconfigured parameters. Imagine having to manually type 10,000 IP
addresses and not make a single error. The Dynamic Host Configuration
Protocol (DHCP) can be implemented to centralize the administration of IP
addresses. Through DHCP, many of the tasks associated with IP addressing can
be automated. However, implementing DHCP also introduces some security
issues because anyone with physical access to the network can plug in a laptop
and obtain IP information about the internal network.

In this chapter, you'll learn how to implement a DHCP server, including the
installation process, authorization of the server, and the configuration of DHCP
scopes. The chapter ends by looking at how to manage a DHCP server and
monitor its performance.

What is DHCPINFORM? DHCPInform is a DHCP message used by DHCP clients to
obtain DHCP options. While PPP remote access clients do not use DHCP to
obtain IP addresses for the remote access connection, Windows 2000 and
Windows 98 remote access clients use the DHCPInform message to obtain DNS
server IP addresses, WINS server IP addresses, and a DNS domain name. The
DHCPInform message is sent after the IPCP negotiation is concluded.

The DHCPInform message received by the remote access server is then
forwarded to a DHCP server. The remote access server forwards DHCPInform
messages only if it has been configured with the DHCP Relay Agent.

Describe the integration between DHCP and DNS. Traditionally, DNS and
DHCP servers have been configured and managed one at a time. Similarly,
changing authorization rights for a particular user on a group of devices has
meant visiting each one and making configuration changes. DHCP integration
with DNS allows the aggregation of these tasks across devices, enabling a
company's network services to scale in step with the growth of network users,
devices, and policies, while reducing administrative operations and costs.

This integration provides practical operational efficiencies that lower total cost
of ownership. Creating a DHCP network automatically creates an associated
DNS zone, for example, reducing the number of tasks required of network
administrators. And integration of DNS and DHCP in the same database instance
provides unmatched consistency between service and management views of IP
address-centric network services data.

Windows Server 2003 DNS supports DHCP by means of the dynamic update of
DNS zones. By integrating DHCP and DNS in a DNS deployment, you can provide
your network resources with dynamic addressing information stored in DNS. To
enable this integration, you can use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136: Dynamic Updates in the
Domain Name System (DNS UPDATE), automatically updates DNS records. Both
Windows Server 2003 and
Windows 2000 support dynamic update, and both clients and DHCP servers can
send dynamic updates when their IP addresses change.
Dynamic update enables a DHCP server to register address (A) and pointer
(PTR) resource records on behalf of a DHCP client by using DHCP Client FQDN
option 81. Option 81 enables the DHCP client to provide its FQDN to the DHCP
server. The DHCP client also provides instructions to the DHCP server
describing how to process DNS dynamic updates on behalf of the DHCP client.
The DHCP server can dynamically update DNS A and PTR records on behalf of
DHCP clients that are not capable of sending option 81 to the DHCP server. You
can also configure the DHCP server to discard client A and PTR records when
the DHCP client lease is deleted. This reduces the time needed to manage
these records manually and provides support for DHCP clients that cannot
perform dynamic updates. In addition, dynamic update simplifies the setup of
Active Directory by enabling domain controllers to dynamically register SRV
resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs
one of the following actions:

The DHCP server updates resource records at the request of the client. The
client requests the DHCP server to update the DNS PTR record on behalf of the
client, and the client registers A.

The DHCP server updates DNS A and PTR records regardless of whether the
client requests this action or not.
By itself, dynamic update is not secure because any client can modify DNS
records. To secure dynamic updates, you can use the secure dynamic update
feature provided in Windows Server 2003. To delete outdated records, you can
use the DNS server aging and scavenging feature.
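To make the option 81 mechanism concrete, here is an added example (not the page's or Microsoft's code) that encodes and decodes the Client FQDN option and then applies the two server actions listed above to decide who registers the A and PTR records. The flag bit layout and the two name encodings follow RFC 4702; the policy names, the treatment of clients that cannot send option 81, and the response flags chosen are assumptions made for the example.

```python
# DHCP Client FQDN option (option 81) as used in the dynamic-update decision
# above. Added example, not the page's or Microsoft's code; flag layout follows
# RFC 4702, the server policies are the two actions the text lists.
from dataclasses import dataclass
from typing import Optional

# Flag bits in the first byte of the option value (RFC 4702, section 2.1).
S_FLAG = 0x01  # client asks the server to update the A record as well as PTR
O_FLAG = 0x02  # server overrode the client's S setting (server -> client only)
E_FLAG = 0x04  # domain name is in DNS wire (label) encoding, not ASCII
N_FLAG = 0x08  # client asks the server to perform no DNS updates at all


@dataclass
class FqdnOption:
    flags: int
    fqdn: str


def build_option81(flags: int, fqdn: str) -> bytes:
    """Encode the option value: flags, RCODE1, RCODE2 (0 from a client), then the name."""
    name = fqdn.rstrip(".")
    if flags & E_FLAG:
        encoded = b"".join(bytes([len(label)]) + label.encode("ascii")
                           for label in name.split(".")) + b"\x00"
    else:
        encoded = name.encode("ascii")
    return bytes([flags & 0x0F, 0, 0]) + encoded


def parse_option81(value: bytes) -> FqdnOption:
    """Decode an option 81 value, handling both name encodings."""
    if len(value) < 3:
        raise ValueError("option 81 value too short")
    flags, body = value[0], value[3:]
    if flags & E_FLAG:
        labels, i = [], 0
        while i < len(body):
            length = body[i]
            i += 1
            if length == 0:
                break
            labels.append(body[i:i + length].decode("ascii"))
            i += length
        fqdn = ".".join(labels)
    else:
        fqdn = body.decode("ascii")
    return FqdnOption(flags=flags, fqdn=fqdn)


def plan_dynamic_updates(option: Optional[FqdnOption], policy: str,
                         update_legacy_clients: bool = True) -> dict:
    """Decide which records the DHCP server registers and which the client keeps.

    policy "client_request": honour the client's flags (the first action above:
    the server does PTR and the client does A, unless the client asked for more).
    policy "always": the server registers A and PTR regardless of the flags.
    option None models a client that cannot send option 81 at all.
    """
    if option is None:
        server = {"A", "PTR"} if update_legacy_clients else set()
        return {"server": server, "client": set(), "response_flags": 0}
    if policy == "always":
        # Tell the client we took over A as well; O marks an override of S=0.
        response = S_FLAG | (0 if option.flags & S_FLAG else O_FLAG)
        return {"server": {"A", "PTR"}, "client": set(), "response_flags": response}
    if policy != "client_request":
        raise ValueError(f"unknown policy {policy!r}")
    if option.flags & N_FLAG:
        # Client will handle its own records; the server confirms with N set.
        return {"server": set(), "client": {"A", "PTR"}, "response_flags": N_FLAG}
    if option.flags & S_FLAG:
        return {"server": {"A", "PTR"}, "client": set(), "response_flags": S_FLAG}
    return {"server": {"PTR"}, "client": {"A"}, "response_flags": 0}


if __name__ == "__main__":
    # Constructed client request: wire-encoded name, client asks server to do A too.
    opt = parse_option81(build_option81(S_FLAG | E_FLAG, "ws01.corp.example"))
    print(opt, plan_dynamic_updates(opt, "client_request"))
```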

What options in DHCP do you regularly use for an MS network?

• Automatically provided IP address
• Subnet mask
• DNS server
• Domain name
• Default gateway or router

What are User Classes and Vendor Classes in DHCP? Microsoft Vendor Classes

How do I configure a client machine to use a specific User Class? The
command to configure a client machine to use a specific user class is

ipconfig /setclassid "<Name of your Network card>" <Name of the class you
created on DHCP and you want to join (Name is case sensitive)>

Eg:

ipconfig /setclassid "Local Area Network" Accounting


What is the BOOTP protocol used for, where might you find it in Windows
network infrastructure? BootP (RFC951) provides a unique IP address to the
requester (using port 67) similar to the DHCP request on port 68 AND can
provide (where supported) the ability to boot a system without a hard drive
(i.e. a diskless client).

Apple OS X 10.* Server supports BootP (albeit renamed as NetBoot). The facility
allows the Admin to maintain a selected set of configurations as boot images
and then assign sets of client systems to share (or boot from) that image. For
example, Accounting, Management, and Engineering departments have
elements in common, but which can be unique from other departments.
Performing upgrades and maintenance on three images is far more productive
than working on all client systems individually.

Startup is obviously network intensive, and beyond 40-50 clients, the Admin
needs to carefully subnet the infrastructure, use gigabit switches, and host the
images local to the clients to avoid saturating the network. This will expand
the number of BootP servers and multiply the number of images, but the
productivity of 1 BootP server per 50 clients is undeniable :)

Sun Microsystems, Linux, and AIX RS/6000 all support BootP.

To date, Windows does not support booting "diskless clients".

DNS zones – describe the differences between the 4 types. A DNS zone is the
actual file which contains all the records for a specific domain.

i) Forward Lookup Zones: - This zone is responsible for resolving host names to
IP addresses.

ii) Reverse Lookup Zones: - This zone is responsible for resolving IP addresses
to host names.

iii) Stub Zone: - A stub zone is a read-only copy of the primary zone, but it
contains only 3 records, viz. the SOA for the primary zone, the NS record and a
host (A) record.

DNS record types – describe the most important ones.

• A (Host): classic resource record. Maps hostname to IP (IPv4).
• PTR: maps IP to hostname (reverse of A (Host)).
• AAAA: maps hostname to IP (IPv6).
• CNAME: canonical name, in plain English an alias, such as Web Server,
FTP Server, Chat Server.
• NS: identifies DNS name servers. Important for forwarders.
• MX: mail servers, particularly for other domains. MX records are required to
deliver internet email.
• _SRV: required for Active Directory. Whole family of underscore service
records, for example, gc = global catalog.
• SOA: make a point of finding the Start of Authority (SOA) tab at the DNS
server.
SRV records: - A SRV or Service Record is a category of data in the DNS
specifying information on available services. When looking up for a service, you
must first lookup the SRV Record for the service to see which server actually
handles it. Then it looks up the Address Record for the server to connect to its
IP Address.
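The two-step SRV-then-A lookup just described, as an added example that is not part of the original page: it parses a constructed zone fragment in the style of the _msdcs records AD registers, orders the SRV targets by priority and weight the way RFC 2782 tells a client to, then resolves each chosen target to an A record. The zone contents and the hostnames are constructed; the rng parameter is an assumption added so the weighted draw can be made deterministic.

```python
# SRV-then-A lookup the passage describes, with RFC 2782 priority/weight
# ordering. Added example, not the page's code; the zone text is constructed
# and the rng hook exists so the weighted choice can be made deterministic.
import random
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


@dataclass(frozen=True)
class Srv:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(text: str) -> Tuple[Dict[str, List[Srv]], Dict[str, str]]:
    """Pull SRV and A records out of zone-file style lines; other lines are ignored."""
    srv: Dict[str, List[Srv]] = {}
    addresses: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()      # drop zone-file comments
        if not line:
            continue
        m = SRV_LINE.match(line)
        if m:
            name, _ttl, prio, weight, port, target = m.groups()
            srv.setdefault(name.lower(), []).append(
                Srv(name.lower(), int(prio), int(weight), int(port), target.lower()))
            continue
        m = A_LINE.match(line)
        if m:
            addresses[m.group(1).lower()] = m.group(3)
    return srv, addresses


def order_srv(records: List[Srv], rng: Callable[[], float] = random.random) -> List[Srv]:
    """Order targets the way an RFC 2782 client should try them.

    Lower priority first; among equal priorities pick proportionally to weight,
    keeping zero-weight records at the end of each draw so they are chosen
    only when nothing weighted remains.
    """
    ordered: List[Srv] = []
    by_priority: Dict[int, List[Srv]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    for priority in sorted(by_priority):
        group = sorted(by_priority[priority], key=lambda r: r.weight == 0)
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]
            if total > 0:
                point, running = rng() * total, 0
                for r in group:
                    running += r.weight
                    if point < running:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate_service(service: str, zone_text: str,
                   rng: Callable[[], float] = random.random) -> List[Tuple[str, str, int]]:
    """Two-step lookup: SRV for the service name, then an A record for each target.

    Returns (target, ip, port) tuples in the order to try; a target with no A
    record is skipped, which is the failure a missing host record causes.
    """
    srv, addresses = parse_zone(zone_text)
    results = []
    for r in order_srv(srv.get(service.lower(), []), rng):
        ip = addresses.get(r.target)
        if ip:
            results.append((r.target, ip, r.port))
    return results


# Constructed zone fragment in the style of the _msdcs records AD registers.
ZONE = """
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 0 389 dc3.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 50 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 50 389 dc4.corp.example. ; no A record
dc1.corp.example. 3600 IN A 10.0.0.11
dc2.corp.example. 3600 IN A 10.0.0.12
dc3.corp.example. 3600 IN A 10.0.0.13
"""

if __name__ == "__main__":
    for target, ip, port in locate_service("_ldap._tcp.dc._msdcs.corp.example.", ZONE):
        print(f"try {target} at {ip}:{port}")
```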

Authoritative Name Server [NS] Record:-A Zone should contain one NS Record
for each of its own DNS servers (primary and secondary). This mostly is used for
Zone Transfer purposes (notify). These NS Records have the same name as the
Zone in which they are located.

SOA: This record is used while synchronising data between multiple computers.
A given zone must have precisely one SOA record, which contains:
• Name of Primary DNS Server
• Mailbox of the Responsible Person
• Serial Number: used by secondary DNS servers to check if the zone has
changed. If the serial number is higher than what the secondary server has, a
zone transfer will be initiated.
• Refresh Interval: how often secondary DNS servers should check if changes
are made to the zone.
• Retry Interval: how often the secondary DNS server should retry checking if
changes are made, if the first refresh fails.
• Expire Interval: how long the zone will be valid after a refresh. Secondary
servers will discard the zone if no refresh could be made within this interval.
• Minimum (Default) TTL: used as the default TTL for new records created
within the zone. Also used by other DNS servers to cache negative responses
(such as "record does not exist").

Describe the process of working with an external domain name

Serving Sites with External Domain Name Servers

If you host Web sites on this server and have a standalone DNS server acting as
a primary (master) name server for your sites, you may want to set up your
control panel's DNS server to function as a secondary (slave) name server:

To make the control panel's DNS server act as a secondary name server:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Click Switch DNS Service Mode.

Specify the IP address of the primary (master) DNS server.

Click Add.

Repeat steps from 1 to 5 for each Web site that needs to have a secondary
name server on this machine.

To make the control panel's DNS server act as a primary for a zone:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Click Switch DNS Service Mode. The original resource records for the zone will
be restored.
If you host Web sites on this server and rely entirely on other machines to
perform the Domain Name Service for your sites (there are two external name
servers - a primary and a secondary), switch off the control panel's DNS service
for each site served by external name servers.

To switch off the control panel's DNS service for a site served by an external
name server:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Click Switch Off the DNS Service in the Tools group. Turning the DNS service
off for the zone will refresh the screen, so that only a list of name servers
remains.

Note: The listed name server records have no effect on the system. They are
only presented on the screen as clickable links to give you a chance to validate
the configuration of the zone maintained on the external authoritative name
servers.

Repeat the steps from 1 to 3 to switch off the local domain name service for
each site served by external name servers.

If you wish to validate the configuration of a zone maintained on authoritative
name servers:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Add to the list the entries pointing to the appropriate name servers that are
authoritative for the zone: click Add, specify a name server, and click OK.
Repeat this for each name server you would like to test.

The records will appear in the list.

Click the records that you have just created. Parallels Plesk Panel will retrieve
the zone file from a remote name server and check the resource records to
make sure that domain's resources are properly resolved.

The results will be interpreted and displayed on the screen.

Describe the importance of DNS to AD. When you install Active Directory on a
server, you promote the server to the role of a domain controller for a
specified domain. When completing this process, you are prompted to specify a
DNS domain name for the Active Directory domain which you are joining and
promoting the server into. If during this process a DNS server authoritative for
the domain that you specified either cannot be located on the network or does
not support the DNS dynamic update protocol, you are prompted with the
option to install a DNS server. This option is provided because a DNS server is
required to locate this server or other domain controllers for members of an
Active Directory domain.

Describe a few methods of finding an MX record for a remote domain on the
Internet. In order to find MX records for SMTP domains you can use
command-line tools such as NSLOOKUP or DIG. You can also use online web
services that allow you to perform quick searches and display the information
in a convenient manner.

What does "Disable Recursion" in DNS mean? In the Windows 2000/2003 DNS
console (dnsmgmt.msc), under a server's Properties -> Forwarders tab is the
setting Do not use recursion for this domain. On the Advanced tab you will find
the confusingly similar option Disable recursion (also disables forwarders).

Recursion refers to the action of a DNS server querying additional DNS servers
(e.g. local ISP DNS or the root DNS servers) to resolve queries that it cannot
resolve from its own database. So what is the difference between these
settings?

The DNS server will attempt to resolve the name locally, then will forward
requests to any DNS servers specified as forwarders. If Do not use recursion for
this domain is enabled, the DNS server will pass the query on to forwarders,
but will not recursively query any other DNS servers (e.g. external DNS servers)
if the forwarders cannot resolve the query.

If Disable recursion (also disables forwarders) is set, the server will attempt to
resolve a query from its own database only. It will not query any additional
servers.

If neither of these options is set, the server will attempt to resolve queries
normally:
... the local database is queried
... if an entry is not found, the request is passed to any forwarders that are set
... if no forwarders are set, the server will query servers on the Root Hints tab
to resolve queries beginning at the root domains.

What could cause the Forwarders and Root Hints to be grayed out? Win2K
configured your DNS server as a private root server

What is a "Single Label domain name" and what sort of issues can it cause?
Single-label names consist of a single word like "contoso".
• Single-label DNS names cannot be registered by using an Internet registrar.
• Client computers and domain controllers that joined to single-label domains
require additional configuration to dynamically register DNS records in
single-label DNS zones.
• Client computers and domain controllers may require additional
configuration to resolve DNS queries in single-label DNS zones.
• By default, Windows Server 2003-based domain members, Windows XP-based
domain members, and Windows 2000-based domain members do not perform
dynamic updates to single-label DNS zones.
• Some server-based applications are incompatible with single-label domain
names. Application support may not exist in the initial release of an
application, or support may be dropped in a future release. For example,
Microsoft Exchange Server 2007 is not supported in environments in which
single-label DNS is used.
• Some server-based applications are incompatible with the domain rename
feature that is supported in Windows Server 2003 domain controllers and in
Windows Server 2008 domain controllers. These incompatibilities either block
or complicate the use of the domain rename feature when you try to rename a
single-label DNS name to a fully qualified domain name.

What is the "in-addr.arpa" zone used for? When creating DNS records for your
hosts, A records make sense. After all, how can the world find your mail server
unless the IP address of that server is associated with its hostname within a
DNS database? However, PTR records aren't as easily understood. If you already
have a zone file, why does there have to be a separate in-addr.arpa zone
containing PTR records matching your A records? And who should be making
those PTR records--you or your provider?

Let's start by defining in-addr.arpa. .arpa is actually a TLD like .com or .org.
The name of the TLD comes from Address and Routing Parameter Area and it has
been designated by the IANA to be used exclusively for Internet infrastructure
purposes. In other words, it is an important zone and an integral part of the
inner workings of DNS. The RFC for DNS (RFC 1035) has an entire section on the
in-addr.arpa domain. The first two paragraphs in that section state the purpose
of the domain:

"The Internet uses a special domain to support gateway location and Internet
address to host mapping. Other classes may employ a similar strategy in other
domains. The intent of this domain is to provide a guaranteed method to
perform host address to host name mapping, and to facilitate queries to locate
all gateways on a particular network in the Internet. Note that both of these
services are similar to functions that could be performed by inverse queries;
the difference is that this part of the domain name space is structured
according to address, and hence can guarantee that the appropriate data can be
located without an exhaustive search of the domain space."

In other words, this zone provides a database of all allocated networks and the
DNS reachable hosts within those networks. If your assigned network does not
appear in this zone, it appears to be unallocated. And if your hosts don't have
a PTR record in this database, they appear to be unreachable through DNS.
Assuming an A record exists for a host, a missing PTR record may or may not
impact on the DNS reachability of that host, depending upon the applications
running on that host. For example, a mail server will definitely be impacted as
PTR records are used in mail header checks and by most anti-SPAM mechanisms.
Depending upon your web server configuration, it may also depend upon an
existing PTR record. This is why the DNS RFCs recommend that every A record
has an associated PTR record.

But who should make and host those PTR records? Twenty years ago when you
could buy a full Class C network address (i.e. 254 host addresses) the answer
was easy: you. Remember, the in-addr.arpa zone is concerned with delegated
network addresses. In other words, the owner of the network address is
authoritative (i.e. responsible) for the host PTR records associated with that
network address space. If you only own one or two host addresses within a
network address space, the provider you purchased those addresses from needs
to host your PTR records as the provider is the owner of (i.e. authoritative for)
the network address. Things are a bit more interesting if you have been
delegated a CIDR block of addresses. The in-addr.arpa zone assumes a classful
addressing scheme where a Class A address is one octet (or /8), a Class B is 2
octets (or /16) and a Class C is 3 octets (or /24). CIDR allows for delegating
address space outside of these boundaries--say a /19 or a /28. RFC 2317
provides a best current practice for maintaining in-addr.arpa with these types
of network allocations.

Here is a summary regarding PTR records:
• Don't wait until users complain about DNS unreachability--be proactive and
ensure there is an associated PTR record for every A record.
• If your provider hosts your A records, they should also host your PTR
records.
• If you only have one or two assigned IP addresses, your provider should host
your PTR records as they are authoritative for the network those hosts belong
to.
• If you own an entire network address (e.g. a Class C address ending in 0),
you are responsible for hosting your PTR records.
• If you are configuring an internal DNS server within the private address
ranges (e.g. 10.0.0.0 or 192.168.0.0), you are responsible for your own
internal PTR records.
• Remember: the key to PTR hosting is knowing who is authoritative for the
network address for your domain. When in doubt, it probably is not you.

DNS requirements for installing Active Directory

When you install Active Directory on a member server, the member server is
promoted to a domain controller. Active Directory uses DNS as the location
mechanism for domain controllers, enabling computers on the network to
obtain IP addresses of domain controllers.

During the installation of Active Directory, the service (SRV) and address (A)
resource records are dynamically registered in DNS, which are necessary for the
successful functionality of the domain controller locator (Locator) mechanism.

To find domain controllers in a domain or forest, a client queries DNS for the
SRV and A DNS resource records of the domain controller, which provide the
client with the names and IP addresses of the domain controllers. In this
context, the SRV and A resource records are referred to as Locator DNS
resource records.

When adding a domain controller to a forest, you are updating a DNS zone
hosted on a DNS server with the Locator DNS resource records and identifying
the domain controller. For this reason, the DNS zone must allow dynamic
updates (RFC 2136) and the DNS server hosting that zone must support the SRV
resource records (RFC 2782) to advertise the Active Directory directory service.
For more information about RFCs, see DNS RFCs.

If the DNS server hosting the authoritative DNS zone is not a server running
Windows 2000 or Windows Server 2003, contact your DNS administrator to
determine if the DNS server supports the required standards. If the server does
not support the required standards, or the authoritative DNS zone cannot be
configured to allow dynamic updates, then modification is required to your
existing DNS infrastructure.

For more information, see Checklist: Verifying DNS before installing Active
Directory and Using the Active Directory Installation Wizard.

Important

• The DNS server used to support Active Directory must support SRV resource
records for the Locator mechanism to function. For more information, see
Managing resource records.

• It is recommended that the DNS infrastructure allows dynamic updates of
Locator DNS resource records (SRV and A) before installing Active Directory,
but your DNS administrator may add these resource records manually after
installation.

After installing Active Directory, these records can be found on the domain
controller in the following location: systemroot\System32\Config\Netlogon.dns

How do you manually create SRV records in DNS? This is on Windows Server:

go to Run ---> dnsmgmt.msc

right-click on the zone you want to add the SRV record to and choose "Other New
Records"

and choose Service Location (SRV).....

Name 3 benefits of using AD-integrated zones.

• You can give easy name resolution to your clients.
• By creating an AD-integrated zone you can also trace hackers and spammers
by creating a reverse zone.
• AD-integrated zones allow for incremental zone transfers, which transfer only
changes and not the entire zone. This reduces zone transfer traffic.
• AD-integrated zones support both secure and dynamic updates.
• AD-integrated zones are stored as part of Active Directory and
support domain-wide or forest-wide replication through application
partitions in AD.

What are the benefits of using Windows 2003 DNS when using AD-integrated
zones?

Advantages:

• DNS supports dynamic registration of SRV records registered by an Active
Directory server or a domain controller during promotion. With the help of SRV
records client machines can find domain controllers in the network.
• DNS supports secure dynamic updates. Unauthorized access is denied.
• Exchange server needs internal DNS or AD DNS to locate Global Catalog
servers.
• Active Directory Integrated Zone. If you have more than one domain
controller (recommended) you need not worry about zone replication.
Active Directory replication will take care of DNS zone replication also.
• If your network uses DHCP with Active Directory then no other DHCP server
will be able to service client requests coming from a different network. This
is because the DHCP server is authorized in AD and will be the only server to
participate on the network to provide IP address information to client
machines.
• Moreover, you can use NT4 DNS with Service Pack 4 or later. It supports
both SRV record registration and Dynamic Updates.
• Using Microsoft DNS gives the following benefits:
  If you implement networks that require secure updates
  If you want to take benefit of Active Directory replication
  If you want to integrate DHCP with DNS for low-level clients to register
  their host records in the zone database

You installed a new AD domain and the new (and first) DC has not registered
its SRV records in DNS. Name a few possible causes. The machine's DNS client is
not configured to point at its own DNS server; the DNS service is not running.

What are the benefits and scenarios of using Stub zones? One of the new
features introduced in the Windows Server 2003-based implementation of DNS
is stub zones. Their main purpose is to provide name resolution in domains for
which a local DNS server is not authoritative. The stub zone contains only a few
records: - Start of Authority (SOA) record pointing to a remote DNS server that
is considered to be the best source of information about the target DNS
domain, - one or more Name Server (NS) records (including the entry associated
with the SOA record), which are authoritative for the DNS domain represented
by the stub zone, - corresponding A records for each of the NS entries
(providing IP addresses of the servers). While you can also provide name
resolution for a remote domain by creating a secondary zone (which was a
common approach in Windows Server 2000 DNS implementation) or delegation
(when dealing with a contiguous namespace), such approach forces periodic
zone transfers, which are not needed when stub zones are used. Necessity to
traverse network in order to obtain individual records hosted on the remote
Name Servers is mitigated to some extent by caching process, which keeps
them on the local server for the duration of their Time-to-Live (TTL)
parameter. In addition, records residing in a stub zone are periodically
validated and refreshed in order to avoid lame delegations.

What are the benefits and scenarios of using Conditional Forwarding? The
benefit is faster name resolution in certain scenarios: queries for a given
domain are forwarded directly to the correct server, and you control where DNS
queries for specific namespaces are sent.

What are the differences between Windows Clustering, Network Load
Balancing and Round Robin, and scenarios for each use? I will make a few
assumptions here: 1) By "Windows Clustering Network Load Balancing" you
mean Windows Network Load Balancing software included in Windows Server
software a.k.a. NLB, and 2) By Round Robin, you mean DNS Round Robin
meaning the absence of a software or hardware load balancing device, or the
concept of the Round Robin algorithm available in just about every load
balancing solution.

Microsoft NLB is designed for a small number (4 - 6) of Windows Servers and a
low to moderate number of new connections per second, to provide
distribution of web server requests to multiple servers in a virtual resource
pool. Some would call this a "cluster", but there are subtle differences between
a clustered group of devices and a more loosely configured virtual pool. From
the standpoint of scalability and performance, almost all hardware load
balancing solutions are superior to this and other less known software load
balancing solutions [e.g. Bright Tiger circa 1998].
DNS Round Robin is an inherent load balancing method built into DNS. When
you resolve a name that has more than one A record, DNS hands out
different resolutions to different requesting local DNS servers. Although there
are several factors affecting the exact resulting algorithm (e.g. DNS caching,
TTL, multiple DNS servers [authoritative or cached]), I stress the term "roughly"
when I say it roughly results in an even distribution of resolutions to each of
the addresses specified for a particular URL. It does not, however, consider
availability, performance, or any other metric and is completely static. The
basic RR algorithm is available in many software and hardware load balancing
solutions and simply hands the next request to the next resource and starts
back at the first resource when it hits the last one.

NLB is based on proprietary software, meant for small groups of Windows
servers only on private networks, and is dynamic in nature (takes into account
availability of a server, and in some cases performance). "Round Robin", DNS or
otherwise, is more generic, static in nature (does not take into account
anything but that the resource is a member of the resource pool and each member
is equal), and ranges from DNS to the default static load balancing method on
every hardware device in the market.

How do I clear the DNS cache on the DNS server?

To clear DNS Cache do the following:

• Start
• Run
• Type "cmd" and press enter
• In the command window type "ipconfig /flushdns"
• A. If done correctly it should say "Successfully flushed the DNS Resolver
Cache."
• B. If you receive an error "Could not flush the DNS Resolver Cache:
Function failed during execution.", follow the Microsoft KB Article
919746 to enable the cache. The cache will be empty however this will
allow successful cache-flush in future.

What is the 224.0.1.24 address used for? It is the WINS server group address,
used to support autodiscovery and dynamic configuration of replication for
WINS servers. For more information, see the WINS replication overview.

What is WINS and when do we use it? WINS is the Windows Internet Name Service,
which is used to resolve NetBIOS (computer) names to IP addresses. It is
proprietary to Windows. You can use it in a LAN.

DNS is the Domain Name System, which resolves host names to IP addresses. It
uses fully qualified domain names. DNS is an Internet standard used to resolve
host names.

Can you have a Microsoft-based network without any WINS server on it?
What are the "considerations" regarding not using WINS? Yes, you can. WINS
was designed to speed up information flow about the Windows workstations in
a network. It will work without it, and most networks do not utilize WINS
servers anymore because it is based on an old protocol (NetBEUI) which is no
longer in common use.

Describe the differences between WINS push and pull replications. To
replicate database entries between a pair of WINS servers, you must configure
each WINS server as a pull partner, a push partner, or both with the other WINS
server.

A push partner is a WINS server that sends a message to its pull partners,
notifying them that it has new WINS database entries. When a WINS server's
pull partner responds to the message with a replication request, the WINS
server sends (pushes) copies of its new WINS database entries (also known as
replicas) to the requesting pull partner.

A pull partner is a WINS server that pulls WINS database entries from its push
partners by requesting any new WINS database entries that the push partners
have. The pull partner requests the new WINS database entries that have a
higher version number than the last entry the pull partner received during the
most recent replication.

What is the difference between tombstoning a WINS record and simply
deleting it?

Simple deletion removes the records that are selected in the WINS console
only from the local WINS server you are currently managing. If the WINS
records deleted in this way exist in WINS data replicated to other WINS servers
on your network, these additional records are not fully removed. Also, records
that are simply deleted on only one server can reappear after replication
between the WINS server where simple deletion was used and any of its
replication partners.

Tombstoning marks the selected records as tombstoned, that is, marked
locally as extinct and immediately released from active use by the local WINS
server. This method allows the tombstoned records to remain present in the
server database for purposes of subsequent replication of these records to
other servers. When the tombstoned records are replicated, the tombstone
status is updated and applied by other WINS servers that store replicated
copies of these records. Each replicating WINS server then updates and
tombstones

Name the NetBIOS names you might expect from a Windows 2003 DC that is
registered in WINS.

What are router interfaces? What types can they be?

Router Interfaces

Routers can have many different types of connectors; from Ethernet, Fast
Ethernet, and Token Ring to Serial and ISDN ports. Some of the available
configurable items are logical addresses (IP,IPX), media types, bandwidth, and
administrative commands. Interfaces are configured in interface mode which
you get to from global configuration mode after logging in.

Logging in to the Router

Depending on the port you're using, you might have to press Enter to get the
prompt to appear (console port). The first prompt will look like Routername>;
the greater-than sign at the prompt tells you that you are in user mode, in
which you can only view limited statistics of the router. To change
configurations you first need to enter privileged EXEC mode. This is done by
typing enable at the Routername> prompt; the prompt then changes to
Routername#. This mode supports testing commands, debugging commands,
and commands to manage the router configuration files. To go back to user
mode, type disable at the Routername# prompt. If you want to leave
completely, type logout at the user mode prompt. You can also exit from the
router while in privileged mode by typing exit or logout at the Routername#
prompt.

Global Configuration Mode

Enter this mode from the privileged mode by typing configure terminal (or
conf t for short). The prompt will change to Routername(config)#. Changes
made in this mode change the running-config file in DRAM. Use configure
memory to change the startup-config in NVRAM. Using configure network
allows you to change the configuration file on a TFTP server. If you change the
memory or network config files, the router has to put them into memory
(DRAM) in order to work with them, so this will change your router's current
running-config file.

Interfaces mode
While in global configuration mode you can make changes to individual
interfaces with the command Routername(config)#interface ethernet 0 or
Routername(config)#int e0 for short, this enters the interface configuration
mode for Ethernet port 0 and changes the prompt to look like
Routername(config-if)#.
Bringing Up Interfaces
If an interface is shown administratively down when the show interface
command is given in privileged EXEC mode, use the command no shutdown to
enable the interface while in interface configuration mode.
Setting IP Addresses

In global configuration mode, enter the interface configuration mode
(Routername(config)#int e0) and use the command Routername(config-if)#ip
address [ip address] [network mask]. If it is the first time using the
interface, also use the no shutdown command to enable and bring up the
interface.
Router_2(config)#int e0
Router_2(config-if)#ip address 192.168.1.1 255.255.255.0
Router_2(config-if)#no shutdown
Secondary IP Addresses

You can add another IP address to an interface with the secondary command.
The syntax is the same as setting an IP address except you add secondary to
the end of it. Using secondary interfaces, it allows you to specify 2 IP
addresses for 1 interface. Use subinterfaces instead, since they allow for more
than 2 IP addresses on an interface and secondaries will probably be replaced
soon.

Subinterfaces
In global configuration mode you can create virtual interfaces
(subinterfaces), so at the prompt Routername(config)# type int e0.1 and the
prompt will change to Routername(config-subif)#. For all practical purposes
there isn't a limit to the amount of subinterfaces an interface can have.
Show Interfaces
To view information about an interface, use the command:
Router_2#show interface e0
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
614 packets output, 58692 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Interface Problems

When using the command show interface [type #] interface problems can be
seen and appropriate action taken.

Message: Ethernet0 is up, line protocol is up
Solution: None needed, interface working properly

Message: Ethernet0 is up, line protocol is down
Solution: Clocking or framing problem, check clock rate and encapsulation
type on both routers

Message: Ethernet0 is down, line protocol is down
Solution: Cable or interface problem, check interfaces on both ends to ensure
they aren't shutdown

Message: Ethernet0 is administratively down, line protocol is down
Solution: The interface has been shutdown, use the no shutdown command in the
interface's configuration mode

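A parser for the "show interface" output shown above that maps the status line to the action in the table and also surfaces non-zero error counters (an added example, not code from the page; the first sample is the page's own output, trimmed, the second is a constructed shut-down serial interface):

```python
import re

# Diagnosis table from the "Interface Problems" section above, keyed by
# (interface status, line protocol status) as printed on the first line
# of "show interface" output.
DIAGNOSIS = {
    ("up", "up"): "None needed, interface working properly",
    ("up", "down"): ("Clocking or framing problem, check clock rate and "
                     "encapsulation type on both routers"),
    ("down", "down"): ("Cable or interface problem, check interfaces on "
                       "both ends to ensure they aren't shutdown"),
    ("administratively down", "down"): ("The interface has been shutdown, "
                                        "use the no shutdown command in "
                                        "interface configuration mode"),
}

STATUS_RE = re.compile(r"^(?P<name>\S+) is (?P<status>administratively down|up|down), "
                       r"line protocol is (?P<protocol>up|down)")
HW_RE = re.compile(r"^Hardware is (?P<hardware>[^,]+), address is (?P<mac>\S+)")
ADDR_RE = re.compile(r"^Internet address is (?P<ip>[\d.]+)/(?P<prefix>\d+)")
MTU_RE = re.compile(r"^MTU (?P<mtu>\d+) bytes, BW (?P<bw>\d+) Kbit")
# Error and reset counters are spread over several lines of the output.
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|output errors|collisions|interface resets)")

# Sample output copied from the "Show Interfaces" section above (trimmed).
SAMPLE_UP = """\
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
614 packets output, 58692 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
"""

# Constructed sample of a shut-down serial interface (not from the page).
SAMPLE_SHUT = """\
Serial0 is administratively down, line protocol is down
Hardware is HD64570
Internet address is 10.0.0.1/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 1 interface resets
"""


def parse_show_interface(text):
    """Parse one 'show interface <if>' block into a dict of fields."""
    info = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rx in (STATUS_RE, HW_RE, ADDR_RE, MTU_RE):
            m = rx.match(line)
            if m:
                info.update(m.groupdict())
                break
        else:
            # No field pattern matched: collect any counters on this line.
            for value, key in COUNTER_RE.findall(line):
                info["counters"][key] = int(value)
    for key in ("prefix", "mtu", "bw"):
        if key in info:
            info[key] = int(info[key])
    return info


def diagnose(info):
    """Return the action from the table for the status pair, and flag
    non-zero error counters, which the status line alone does not reveal."""
    advice = DIAGNOSIS.get((info.get("status"), info.get("protocol")),
                           "Unrecognized status pair, inspect manually")
    errors = {k: v for k, v in info["counters"].items()
              if v and k != "interface resets"}
    if errors:
        advice += "; non-zero error counters: " + ", ".join(
            f"{k}={v}" for k, v in sorted(errors.items()))
    return advice


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_SHUT):
        parsed = parse_show_interface(sample)
        print(parsed["name"], "->", diagnose(parsed))
```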
Serial Interfaces
The serial interface is usually attached to a line that is attached to a CSU/DSU
that provides clocking rates for the line. However, if two routers are
connected together, one of the serial interfaces must act as the DCE device
and provide clocking. The DCE end of the cable is the side of the cable that
has a female connector where it connects to the other cable. The clocking
rate on the DCE device is set in interface configuration mode with the
commands:
Router3(config)#int s0
Router3(config-if)#clock rate ?
Speed (bits per second)
1200
2400
4800
9600
19200
38400
56000
64000
72000
125000
148000
250000
500000
800000
1000000
1300000
2000000
4000000
<300-8000000> Choose clockrate from list above

Router3(config-if)#clock rate 56000

Bandwidth Cisco routers ship with T1 (1.544 mbps) bandwidth rates on their
serial interfaces. Some routing protocols use the bandwidth of links to
determine the best route. The bandwidth setting is irrelevant with RIP
routing. Bandwidth is set with the bandwidth command and ranges from 1 -
10000000 kilobits per second.
Router3(config)#int s0
Router3(config-if)#bandwidth ?
<1-10000000> Bandwidth in kilobits

Router3(config-if)#bandwidth 10000000
Saving Changes

Any time you make changes and want them saved over the next reboot, you
need to copy the running-config to the startup-config in NVRAM. Use the
command:

Router3#copy run start

You can see either of the files by using the commands:
Router3#show run
Router3#show start
To erase the startup file use the command:
Router3#erase start

Show Controllers Tells you information about the physical interface itself, it
also gives you the cable type and whether it is a DTE or DCE interface. Syntax
is:
Router_2#show controllers s 1

*Note there is a space between the s and the 1.

What is NAT? NAT (Network Address Translation) is a technique for preserving
scarce Internet IP addresses.

What is the real difference between NAT and PAT? NAT is a feature of a
router that will translate IP addresses. When a packet comes in, it will be
rewritten in order to forward it to a host that is not the IP destination. A router
will keep track of this translation, and when the host sends a reply, it will
translate back the other way.

PAT translates ports, as the name implies, and likewise, NAT translates
addresses. Sometimes PAT is also called Overloaded NAT
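A small model of the two behaviours described above (an added example, not code from the page): one-to-one NAT rewrites only addresses, while PAT rewrites the source port as well so several inside hosts can share one public address, and keeps per-flow state to translate replies back. All addresses and ports are constructed.

```python
class StaticNat:
    """One-to-one NAT: every inside address is paired with its own public
    address and source ports pass through unchanged. Simplified model of
    the address-only translation described above (constructed example)."""

    def __init__(self, mapping):
        self.inside_to_public = dict(mapping)
        self.public_to_inside = {pub: ins for ins, pub in mapping.items()}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        return (self.inside_to_public[src_ip], src_port, dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        # No per-flow state: anything sent to the public address is
        # forwarded, so the inside host is reachable from outside.
        inside = self.public_to_inside.get(dst_ip)
        if inside is None:
            return None
        return (src_ip, src_port, inside, dst_port)


class PortAddressTranslator:
    """PAT ("overloaded NAT"): many inside hosts share one public address,
    distinguished by the translated source port. Translation state is kept
    per flow so replies can be mapped back to the right inside host."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:
            # next() raises StopIteration when the port pool is exhausted,
            # the PAT equivalent of a full translation table.
            public_port = next(self._free_ports)
            self.outbound[flow] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[flow], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving from outside; None means there is no state for it,
        so the packet is dropped rather than forwarded to any inside host."""
        if dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.1")
    # Two inside hosts using the same source port still get distinct entries.
    print(pat.translate_out("192.168.0.10", 50000, "198.51.100.5", 80))
    print(pat.translate_out("192.168.0.11", 50000, "198.51.100.5", 80))
    print(pat.translate_in("198.51.100.5", 80, "203.0.113.1", 1025))
    print(pat.translate_in("198.51.100.5", 80, "203.0.113.1", 9999))  # dropped
```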

How do you configure NAT on Windows 2003? To configure the Routing and
Remote Access and the Network Address Translation components, your
computer must have at least two network interfaces: one connected to the
Internet and the other one connected to the internal network. You must also
configure the network translation computer to use Transport Control
Protocol/Internet Protocol (TCP/IP).

If you use dial-up devices such as a modem or an Integrated Services Digital
Network (ISDN) adapter to connect to the Internet, install your dial-up device
before you configure Routing and Remote Access.

Use the following data to configure the TCP/IP address of the network adapter
that connects to the internal network:

TCP/IP address: 192.168.0.1
Subnet mask: 255.255.255.0
No default gateway
Domain Name System (DNS) server: provided by your Internet service provider
(ISP)
Windows Internet Name Service (WINS) server: provided by your ISP
Use the following data to configure the TCP/IP address of the network adapter
that connects to the external network:
TCP/IP address: provided by your ISP
subnet mask: provided by your ISP
default gateway: provided by your ISP
DNS server: provided by your ISP
WINS server: provided by your ISP
Before you continue, verify that all your network cards or all your dial-up
adapters are functioning correctly.

Configure Routing and Remote Access

To activate Routing and Remote Access, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access.

Right-click your server, and then click Configure and Enable Routing and
Remote Access.

In the Routing and Remote Access Setup Wizard, click Next, click Network
address translation (NAT), and then click Next.

Click Use this public interface to connect to the Internet, and then click the
network adapter that is connected to the Internet. At this stage you have the
option to reduce the risk of unauthorized access to your network. To do so,
click to select the Enable security on the selected interface by setting up
Basic Firewall check box.

Examine the selected options in the Summary box, and then click Finish.

Configure dynamic IP address assignment for private network clients

You can configure your Network Address Translation computer to act as a
Dynamic Host Configuration Protocol (DHCP) server for computers on your
internal network. To do so, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access.

Expand your server node, and then expand IP Routing.

Right-click NAT/Basic Firewall, and then click Properties.

In the NAT/Basic Firewall Properties dialog box, click the Address Assignment
tab.

Click to select the Automatically assign IP addresses by using the DHCP
allocator check box. Notice that the default private network 192.168.0.0 with
the subnet mask of 255.255.0.0 is automatically added in the IP address and
the Mask boxes. You can keep the default values, or you can modify these
values to suit your network.

If your internal network requires static IP assignment for some computers --
such as for domain controllers or for DNS servers -- exclude those IP addresses
from the DHCP pool. To do this, follow these steps:

Click Exclude.

In the Exclude Reserved Addresses dialog box, click Add, type the IP address,
and then click OK.

Repeat step b for all addresses that you want to exclude.

Click OK.

Configure name resolution

To configure name resolution, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then
click Routing and Remote Access. Right-click NAT/Basic Firewall, and then
click Properties.

In the NAT/Basic Firewall Properties dialog box, click the Name Resolution
tab.

Click to select the Clients using Domain Name System (DNS) check box. If you
use a demand-dial interface to connect to an external DNS server, click to
select the Connect to the public network when a name needs to be resolved
check box, and then click the appropriate dial-up interface in the list.

How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
You can use the Windows Server 2003 implementation of IPSec to compensate
for the limited protections provided by applications for network traffic, or as a
network-layer foundation of a defense-in-depth strategy. Do not use IPSec as a
replacement for other user and application security controls, because it cannot
protect against attacks from within established and trusted communication
paths. Your authentication strategy must be well defined and implemented for
the potential security provided by IPSec to be realized, because authentication
verifies the identity and trust of the computer at the other end of the
connection.

What is VPN? What types of VPN does Windows 2000 and beyond work with
natively? The virtual private network (VPN) technology included in Windows
Server 2003 helps enable cost-effective, secure remote access to private
networks. VPN allows administrators to take advantage of the Internet to help
provide the functionality and security of private WAN connections at a lower
cost. In Windows Server 2003, VPN is enabled using the Routing and Remote
Access service. VPN is part of a comprehensive network access solution that
includes support for authentication and authorization services, and advanced
network security technologies.

There are two main strategies that help provide secure connectivity between
private networks and enabling network access for remote users.

Dial-up or leased line connections

A dial-up or leased line connection creates a physical connection to a port on a
remote access server on a private network. However, using dial-up or leased
lines to provide network access is expensive when compared to the cost of
providing network access using a VPN connection.

VPN connections

VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer
Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over an
intermediate network, such as the Internet. By using the Internet as a
connection medium, VPN saves the cost of long-distance phone service and
hardware costs associated with using dial-up or leased line connections. A VPN
solution includes advanced security technologies such as data encryption,
authentication, authorization, and Network Access Quarantine Control.

Note

Network Access Quarantine Control is used to delay remote access to a private
network until the configuration of the remote access computer has been
examined and validated.

Using VPN, administrators can connect remote or mobile workers (VPN clients)
to private networks. Remote users can work as if their computers are physically
connected to the network. To accomplish this, VPN clients can use a
Connection Manager profile to initiate a connection to a VPN server. The VPN
server can communicate with an Internet Authentication Service (IAS) server to
authenticate and authorize a user session and maintain the connection until it
is terminated by the VPN client or by the VPN server. All services typically
available to a LAN-connected client (including file and print sharing, Web
server access, and messaging) are enabled by VPN.

VPN clients can use standard tools to access resources. For example, clients
can use Windows Explorer to make drive connections and to connect to
printers. Connections are persistent: Users do not need to reconnect to
network resources during their VPN sessions. Because drive letters and
universal naming convention (UNC) names are fully supported by VPN, most
commercial and custom applications work without modification.

VPN Scenarios
Virtual private networks are point-to-point connections across a private or
public network such as the Internet. A VPN client uses special TCP/IP-based
protocols, called tunneling protocols, to make a virtual call to a virtual port on
a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-
point connection to a remote access server over the Internet. The remote
access server answers the call, authenticates the caller, and transfers data
between the VPN client and the organization’s private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a
header. The header provides routing information that enables the data to
traverse the shared or public network to reach its endpoint. To emulate a
private link, the data being sent is encrypted for confidentiality. Packets that
are intercepted on the shared or public network are indecipherable without the
encryption keys. The link in which the private data is encapsulated and
encrypted is known as a VPN connection.

A VPN Connection

There are two types of VPN connections:
- Remote access VPN
- Site-to-site VPN

Remote Access VPN

Remote access VPN connections enable users working at home or on the road to
access a server on a private network using the infrastructure provided by a
public network, such as the Internet. From the user’s perspective, the VPN is a
point-to-point connection between the computer (the VPN client) and an
organization’s server. The exact infrastructure of the shared or public network
is irrelevant because it appears logically as if the data is sent over a dedicated
private link.

Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections)
enable organizations to have routed connections between separate offices or
with other organizations over a public network while helping to maintain
secure communications. A routed VPN connection across the Internet logically
operates as a dedicated WAN link. When networks are connected over the
Internet, as shown in the following figure, a router forwards packets to another
router across a VPN connection. To the routers, the VPN connection operates as
a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The
VPN server provides a routed connection to the network to which the VPN
server is attached. The calling router (the VPN client) authenticates itself to
the answering router (the VPN server), and, for mutual authentication, the
answering router authenticates itself to the calling router. In a site-to-site VPN
connection, the packets sent from either router across the VPN connection
typically do not originate at the routers.

VPN Connecting Two Remote Sites Across the Internet

VPN Connection Properties

PPTP-based VPN and L2TP/IPSec-based VPN connection properties are
described in the following sections.

Encapsulation
VPN technology provides a way of encapsulating private data with a header
that allows the data to traverse the network.
Authentication
There are three types of authentication for VPN connections:

User authentication

For the VPN connection to be established, the VPN server authenticates the
VPN client attempting the connection and verifies that the VPN client has the
appropriate permissions. If mutual authentication is being used, the VPN client
also authenticates the VPN server, providing protection against masquerading
VPN servers.

The user attempting the PPTP or L2TP/IPSec connection is authenticated using
Point-to-Point Protocol (PPP)-based user authentication protocols such as Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS), Microsoft
Challenge-Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge-
Handshake Authentication Protocol version 2 (MS-CHAP v2), Shiva Password
Authentication Protocol (SPAP), and Password Authentication Protocol (PAP).
For PPTP connections, you must use EAP-TLS, MS-CHAP, or MS-CHAP v2. EAP-
TLS using smart cards or MS-CHAP v2 is highly recommended, as they provide
mutual authentication and are the most secure methods of exchanging
credentials.

Computer authentication with L2TP/IPSec

By performing computer-level authentication with IPSec, L2TP/IPSec
connections also verify that the remote access client computer is trusted.

Data authentication and integrity

To verify that the data being sent on an L2TP/IPSec VPN connection originated
at the other end of the connection and was not modified in transit, L2TP/IPSec
packets include a cryptographic checksum based on an encryption key known
only to the sender and the receiver.

Data Encryption

Data can be encrypted for protection between the endpoints of the VPN
connection. Data encryption should always be used for VPN connections where
private data is sent across a public network such as the Internet. Data that is
not encrypted is vulnerable to unauthorized interception. For VPN connections,
Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE)
with PPTP and IPSec encryption with L2TP.

Address and Name Server Allocation

When a VPN server is configured, it creates a virtual interface that represents
the interface on which all VPN connections are made. When a VPN client
establishes a VPN connection, a virtual interface is created on the VPN client
that represents the interface connected to the VPN server. The virtual
interface on the VPN client is connected to the virtual interface on the VPN
server, creating the point-to-point VPN connection.

The virtual interfaces of the VPN client and the VPN server must be assigned IP
addresses. The assignment of these addresses is done by the VPN server. By
default, the VPN server obtains IP addresses for itself and VPN clients using the
Dynamic Host Configuration Protocol (DHCP). Otherwise, a static pool of IP
addresses can be configured to define one or more address ranges, with each
range defined by an IP network ID and a subnet mask or start and end IP
addresses.

Name server assignment, the assignment of Domain Name System (DNS) and
Windows Internet Name Service (WINS) servers to the VPN connection, also
occurs during the process of establishing the VPN connection.

Tunneling Overview
Tunneling is a method of using a network infrastructure to transfer data for one
network over another network. The data (or payload) to be transferred can be
the frames (or packets) of another protocol. Instead of sending a frame as it is
produced by the originating node, the tunneling protocol encapsulates the
frame in an additional header. The additional header provides routing
information so that the encapsulated payload can traverse the intermediate
network.

The encapsulated packets are then routed between tunnel endpoints over the
network. The logical path through which the encapsulated packets travel
through the network is called a tunnel. After the encapsulated frames reach
their destination on the network, the frame is de-encapsulated (the header is
removed) and the payload is forwarded to its final destination. Tunneling
includes this entire process (encapsulation, transmission, and de-encapsulation
of packets).

Tunneling

Tunneling Protocols
Tunneling enables the encapsulation of a packet from one type of protocol
within the datagram of a different protocol. For example, VPN uses PPTP to
encapsulate IP packets over a public network such as the Internet. A VPN
solution based on either PPTP or L2TP can be configured.

PPTP and L2TP depend heavily on the features originally specified for PPP. PPP
was designed to send data across dial-up or dedicated point-to-point
connections. For IP, PPP encapsulates IP packets within PPP frames and then
transmits the encapsulated PPP-packets across a point-to-point link. PPP was
originally defined as the protocol to use between a dial-up client and a network
access server (NAS).
PPTP
PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an
IP header to be sent across an organization’s IP network or a public IP network
such as the Internet. PPTP encapsulates Point-to-Point Protocol (PPP) frames in
IP datagrams for transmission over the network. PPTP can be used for remote
access and site-to-site VPN connections. PPTP is documented in RFC 2637 in the
IETF RFC Database.

PPTP uses a TCP connection for tunnel management and a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled
data. The payloads of the encapsulated PPP frames can be encrypted,
compressed, or both. The following figure shows the structure of a PPTP packet
containing an IP datagram.

Structure of a PPTP Packet Containing an IP Datagram

When using the Internet as the public network for VPN, the PPTP server is a
PPTP-enabled VPN server with one interface on the Internet and a second
interface on the intranet.

L2TP
L2TP allows multiprotocol traffic to be encrypted and then sent over any
medium that supports point-to-point datagram delivery, such as IP, X.25, frame
relay, or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP
represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to
be sent over IP, X.25, frame relay, or ATM networks. When configured to use IP
as its datagram transport, L2TP can be used as a tunneling protocol over the
Internet. L2TP is documented in RFC 2661 in the IETF RFC Database.

L2TP over IP networks uses User Datagram Protocol (UDP) and a series of L2TP
messages for tunnel management. L2TP also uses UDP to send L2TP-
encapsulated PPP frames as tunneled data. The payloads of encapsulated PPP
frames can be encrypted, compressed, or both, although the Microsoft
implementation of L2TP does not use MPPE to encrypt the PPP payload. The
following figure shows the structure of an L2TP packet containing an IP
datagram.

Structure of an L2TP Packet Containing an IP Datagram


L2TP with IPSec (L2TP/IPSec)
In the Microsoft implementation of L2TP, IPSec Encapsulating Security Payload
(ESP) in transport mode is used to encrypt L2TP traffic. The combination of
L2TP (the tunneling protocol) and IPSec (the method of encryption) is known as
L2TP/IPSec. L2TP/IPSec is described in RFC 3193 in the IETF RFC Database.

The result after applying ESP to an IP packet containing an L2TP message is
shown in the following figure.

Encryption of L2TP Traffic with IPSec ESP

Routing for VPN

Routing for remote access and site-to-site VPN connections is described in the
following sections.

Routing for Remote Access VPN Connections

Conventional routing occurs between routers over either LAN-based shared
access technologies, such as Ethernet or Token Ring, or WAN-based point-to-
point technologies, such as T1 or frame relay.

Default Routing
The preferred method for directing packets to a remote network is to create a
default route on the remote access client that directs packets to the remote
network (the default configuration for VPN remote access clients). Any packet
that is not intended for the neighboring LAN segment is sent to the remote
network. When a connection is made, the remote access client, by default,
adds a default route to its routing table and increases the metric of the
existing default route to ensure that the newest default route is used. The
newest default route points to the new connection, which ensures that any
packets that are not addressed to the local LAN segment are sent to the
remote network.
Under this configuration, when a VPN client connects and creates a new
default route, Internet sites that have been accessible are no longer accessible
(unless Internet access is available through the organization’s intranet). This
poses no problem for remote VPN clients that require access only to the
organization’s network. However, it is not acceptable for remote clients that
need access to the Internet while they are connected to the organization’s
network.

Split Tunneling
Split tunneling enables remote access VPN clients to route corporate-based
traffic over the VPN connection while sending Internet-based traffic using the
user’s local Internet connection. This prevents the use of corporate bandwidth
for access to Internet sites.

However, a split tunneling implementation can introduce a security issue. If a
remote access client has reachability to both the Internet and a private
organization network simultaneously, the possibility exists that the Internet
connection could be exploited to gain access to the private organization
network through the remote access client. Security-sensitive companies can
choose to use the default routing model to help ensure that all VPN client
communications are protected by the corporate firewall.
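Added here as an example (not from the original document): a minimal IPv4 routing-table model in Python showing how the default-routing and split-tunneling configurations above decide where a VPN client's packets leave. The prefixes, metrics, interface names and the metric bump applied to the old default route are constructed for illustration.

```python
"""Constructed model of a VPN client's routing table before and after connecting,
under default routing and under split tunneling. Not Windows' actual routing code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


def select_route(table, destination):
    """Longest-prefix match first; among equal prefixes the lowest metric wins."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dest in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def local_table():
    """Client table before the VPN comes up: the local LAN and a default route to the ISP."""
    return [Route(ipaddress.IPv4Network("192.168.1.0/24"), "LAN", 20),
            Route(ipaddress.IPv4Network("0.0.0.0/0"), "LAN", 20)]


def connect_vpn(table, corporate_prefixes, split_tunnel):
    """Return the routing table after the VPN connection is established.

    Default routing (split_tunnel=False): add 0.0.0.0/0 via the VPN interface and
    raise the metric of the existing default route so the new one is preferred.
    Split tunneling (split_tunnel=True): add only the corporate prefixes via the
    VPN; the local default route keeps carrying Internet traffic.
    """
    new_table = []
    for r in table:
        if not split_tunnel and r.prefix.prefixlen == 0:
            # Old default route is demoted, not removed (the +1000 is a constructed value).
            new_table.append(Route(r.prefix, r.interface, r.metric + 1000))
        else:
            new_table.append(r)
    if split_tunnel:
        new_table.extend(Route(ipaddress.IPv4Network(p), "VPN", 1) for p in corporate_prefixes)
    else:
        new_table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "VPN", 1))
    return new_table


def egress(table, destination):
    """Name of the interface a packet to `destination` leaves through."""
    route = select_route(table, destination)
    return route.interface if route else "unreachable"


if __name__ == "__main__":
    corp = ["10.0.0.0/8"]   # constructed corporate address space
    for label, table in [("no VPN", local_table()),
                         ("default routing", connect_vpn(local_table(), corp, split_tunnel=False)),
                         ("split tunneling", connect_vpn(local_table(), corp, split_tunnel=True))]:
        print(label, {d: egress(table, d) for d in ("192.168.1.10", "10.1.2.3", "203.0.113.5")})
```

Under default routing the Internet host 203.0.113.5 is reached only through the VPN (and so through the corporate firewall); under split tunneling it goes out the local LAN while the client is simultaneously attached to the corporate network, which is the exposure the section describes.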

Routing for Site-to-Site VPN Connections

With conventional WAN technologies, IP packets are forwarded between two
routers over a physical or logical point-to-point connection. This connection is
dedicated to the customer across a private data network that is provided by
the WAN service provider.

With the advent of the Internet, packets can now be routed between routers
that are connected to the Internet across a virtual connection that emulates
the properties of a dedicated, private, point-to-point connection. This type of
connection is known as a site-to-site VPN connection. Site-to-site VPN
connections can be used to replace expensive long-haul WAN links with short-
haul WAN links to a local Internet service provider (ISP).

A site-to-site VPN connection connects two portions of a private network. The
VPN server provides a routed connection to the network to which the VPN
server is attached. On a site-to-site VPN connection, the packets sent from
either router across the VPN connection typically do not originate at the
routers.

To facilitate routing between the sites, each VPN server and the routing
infrastructure of its connected site must have a set of routes that represent the
address space of the other site. These routes can be added manually, or
routing protocols can be used to automatically add and maintain a set of
routes.

Site-to-Site Routing Protocols

There are two routing protocols that can be used in a site-to-site VPN
deployment:

• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)

1.1.1.1.6 RIP
RIP is designed for exchanging routing information within a small to medium-
size network. RIP routers dynamically exchange routing table entries.

The Windows Server 2003 implementation of RIP has the following features:

• The ability to select which RIP version to run on each interface for incoming
and outgoing packets.
• Split-horizon, poison-reverse, and triggered-update algorithms that are used to
avoid routing loops and speed recovery of the network when topology changes
occur.
• Route filters for choosing which networks to announce or accept.
• Peer filters for choosing which router’s announcements are accepted.
• Configurable announcement and route-aging timers.
• Simple password authentication support.
• The ability to disable subnet summarization.

1.1.1.1.7 OSPF
OSPF is designed for exchanging routing information within a large or very large
network. Instead of exchanging routing table entries like RIP routers, OSPF
routers maintain a map of the network that is updated after any change to the
network topology. This map, called the link state database, is synchronized
between all the OSPF routers and is used to compute the routes in the routing
table. Neighboring OSPF routers form an adjacency, which is a logical
relationship between routers to synchronize the link state database.

VPN and Firewalls Overview

The routing service supports a variety of inbound and outbound packet-filtering
features that block certain types of traffic. The filtering options include the
following: TCP port, UDP port, IP protocol ID, Internet Control Message
Protocol (ICMP) type, ICMP code, source address, and destination address. A
VPN server can be placed behind a firewall or in front of a firewall. These two
approaches are described in the following sections.

VPN Server Behind a Firewall

In the most common configuration, the firewall is connected to the Internet,
and the VPN server is an intranet resource that is attached to the perimeter
network. The VPN server has an interface on both the perimeter network and
the intranet. In this scenario, the firewall must be configured with input and
output filters on its Internet interface that allow tunnel maintenance traffic
and tunneled data to pass to the VPN server. Additional filters can allow traffic
to pass to Web, FTP, and other types of servers on the perimeter network. For
an additional layer of security, the VPN server should also be configured with
PPTP or L2TP/IPSec packet filters on its perimeter network interface.

VPN Server in Front of a Firewall

When the VPN server is in front of the firewall and connected to the Internet,
packet filters must be added to the VPN server’s Internet interface to allow
only VPN traffic to and from the IP address of that interface.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it
is forwarded to the firewall. Through the use of its filters, the firewall allows
the traffic to be forwarded to intranet resources. Because the only traffic that
crosses the VPN server is generated by authenticated VPN clients, in this
scenario, firewall filtering can be used to prevent VPN users from accessing
specific intranet resources. Because Internet traffic allowed on the intranet
must pass through the VPN server, this approach also prevents the sharing of
FTP or Web intranet resources with non-VPN Internet users.

Technologies Related to VPN

Integrating VPN with the other network infrastructure components is an
important part of VPN design and implementation. VPN has to be integrated
with directory, authentication, and security services, as well as with IP address
assignment and name server assignment services. Without proper design, VPN
clients are unable to obtain proper IP addresses and resolve intranet names,
and packets cannot be forwarded between VPN clients and intranet resources.

VPN-related technologies are described in the following sections:

• Connection Manager
• DHCP
• EAP-RADIUS
• IAS
• Name Server Assignment (DNS and WINS)
• NAT

Connection Manager
Connection Manager is a service profile that can be used to provide customized
remote access to a network through a VPN connection. The advanced features
of Connection Manager are a superset of basic dial-up networking. Connection
Manager provides support for local and remote connections by using a network
of points of presence (POPs), such as those available worldwide through ISPs.
Windows Server 2003 includes a set of tools that enable a network manager to
deliver pre-configured connections to network users. These tools are:

• The Connection Manager Administration Kit (CMAK)
• Connection Point Services (CPS)

CMAK
A network administrator can tailor the appearance and behavior of a
connection made with Connection Manager by using CMAK. With CMAK, an
administrator can develop client dialer and connection software that allows
users to connect to the network by using only the connection features that the
administrator defines for them. Connection Manager supports a variety of
features that both simplify and enhance implementation of connection support,
most of which can be incorporated using the Connection Manager
Administration Kit Wizard.

CMAK enables administrators to build profiles that customize the Connection
Manager installation package so that it reflects an organization’s identity.
CMAK allows administrators to determine which functions and features to
include and how Connection Manager appears to end-users. Administrators can
do this by using the CMAK wizard to build custom service profiles.

CPS
Connection Point Services (CPS) automatically distributes and updates custom
phone books. These phone books contain one or more Point of Presence (POP)
entries, with each POP supplying a telephone number that provides dial-up
access to an Internet access point for VPN connections. The phone books give
users complete POP information, so when they travel they can connect to
different Internet POPs rather than being restricted to a single POP.

Without the ability to update phone books (a task CPS handles automatically),
users would have to contact their organization’s technical support staff to be
informed of changes in POP information and to reconfigure their client-dialer
software. CPS has two components:

• Phone Book Administrator
• Phone Book Service

1.1.1.1.8 Phone Book Administrator

Phone Book Administrator is a tool used to create and maintain the phone book
database and to publish new phone book information to the Phone Book
Service.

1.1.1.1.9 Phone Book Service

The Phone Book Service runs on an IIS server and responds to requests from
Connection Manager clients to verify the current version of subscribers’ or
corporate employees’ current phone books and, if necessary, downloads a
phone book update to the Connection Manager client.

DHCP
For both PPTP and L2TP connections, the data being tunneled is a PPP frame. A
PPP connection must be established before data can be sent. The VPN server
must have IP addresses available in order to assign them to a VPN server’s
virtual interface and to VPN clients during the IP Control Protocol (IPCP)
negotiation phase that is part of the process of establishing a PPP connection.
The IP address assigned to a VPN client is also assigned to the virtual interface
of that VPN client.

For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN
clients are obtained through DHCP by default. A static IP address pool can also
be configured. DHCP is also used by remote access VPN clients to obtain
additional configuration settings after the PPP connection is established.

EAP-RADIUS
EAP-RADIUS is the passing of EAP messages of any EAP type by an authenticator
to a Remote Authentication Dial-In User Service (RADIUS) server for
authentication. For example, for a remote access server that is configured for
RADIUS authentication, the EAP messages sent between the remote access
client and remote access server are encapsulated and formatted as RADIUS
messages between the remote access server (the authenticator) and the
RADIUS server (the authenticator).

EAP-RADIUS is used in environments where RADIUS is the authentication
provider. An advantage of using EAP-RADIUS is that EAP types only need to be
installed at the RADIUS server, not at each remote access server. In the case of
an IAS server, only EAP types need to be installed.

In a typical use of EAP-RADIUS, a server running Routing and Remote Access is
configured to use EAP and to use an IAS server for authentication. When a
connection is made, the remote access client negotiates the use of EAP with
the remote access server. When the client sends an EAP message to the remote
access server, the remote access server encapsulates the EAP message as a
RADIUS message and sends it to its configured IAS server. The IAS server
processes the EAP message and sends a RADIUS-encapsulated EAP message back
to the remote access server. The remote access server then forwards the EAP
message to the remote access client. In this configuration, the remote access
server is only a pass-through device. All processing of EAP messages occurs at
the remote access client and the IAS server.

Routing and Remote Access can be configured to authenticate locally or to a
RADIUS server. If Routing and Remote Access is configured to authenticate
locally, all EAP methods will be authenticated locally. If Routing and Remote
Access is configured to authenticate to a RADIUS server, then all EAP messages
will be forwarded to the RADIUS server with EAP-RADIUS.

IAS
The VPN server can be configured to use either Windows or RADIUS as an
authentication provider. If Windows is selected as the authentication provider,
the user credentials sent by users attempting VPN connections are
authenticated using typical Windows authentication mechanisms, and the
connection attempt is authorized using local remote access policies.

If RADIUS is selected and configured as the authentication provider on the VPN
server, user credentials and parameters of the connection request are sent as
RADIUS request messages to a RADIUS server.
The RADIUS server receives a user-connection request from the VPN server and
authenticates and authorizes the connection attempt. In addition to a yes or no
response to an authentication request, RADIUS can inform the VPN server of
other applicable connection parameters for this user such as maximum session
time, static IP address assignment, and so on.

RADIUS can respond to authentication requests based on its own user account
database, or it can be a front end to another database server, such as a
Structured Query Language (SQL) server or a Windows domain controller (DC).
The DC can be located on the same computer as the RADIUS server, or
elsewhere. In addition, a RADIUS proxy can be used to forward requests to a
remote RADIUS server.

IAS is the Windows implementation of a RADIUS server and proxy.

Name Server Assignment (DNS and WINS)

Name server assignment, the assignment of Domain Name System (DNS) and
Windows Internet Name Service (WINS) servers, occurs during the process of
establishing a VPN connection. The VPN client obtains the IP addresses of the
DNS and WINS servers from the VPN server for the intranet to which the VPN
server is attached.

The VPN server must be configured with DNS and WINS server addresses to
assign to the VPN client during IPCP negotiation. For NetBIOS name resolution,
you do not have to use WINS and can enable the NetBIOS over TCP/IP (NetBT)
proxy on the VPN server.

NAT
A network address translator (NAT) translates the IP addresses and
Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers
of packets that are forwarded between a private network and the Internet. The
NAT on the private network can also provide IP address configuration
information to the other computers on the private network.

PPTP-based VPN clients can be located behind a NAT if the NAT includes an
editor that can translate PPTP packets. PPTP-based VPN servers can be located
behind a NAT if the NAT is configured with static mappings for PPTP traffic. If
the L2TP/IPSec-based VPN clients or servers are positioned behind a NAT, both
client and server must support IPSec NAT traversal (NAT-T).

L2TP (layer 2 tunneling protocol)

The VPN server is also known as an L2TP server in native mode and as a PPTP
server in mixed mode.

What is IAS? In what scenarios do we use it? Internet Authentication Service

IAS is deployed in these common scenarios:

• Dial-up corporate access
• Outsourced corporate access through service providers
• Internet access

What's the difference between Mixed mode and Native mode in AD when
dealing with RRAS? The Mixed mode is for networks that have Windows 98/ME
clients in addition to Windows 2000/XP/2003 clients. Mixed mode requires the
RAC (Remote Application Client) to be installed for proper communication with
the clients. The Native mode is for networks that consist only of Windows
2000/XP/2003 clients. The CMS server communicates natively with the clients
using Windows networking features that aren't available in 98/ME clients, so
the RAC program is not needed. If you have no or few 98/ME clients, choose
this option.

What are Conditions and Profile in RRAS Policies? Remote access policies are
an ordered set of rules that define whether remote access connection attempts
are authorized or rejected. Each rule includes one or more conditions
(which identify the criteria), a set of profile settings (to be applied to the
connection attempt), and a permission setting (grant or deny) for remote
access. This can be compared to the brain of the door-keeper (the VPN server)
which allows entry to your network from outside. Remote access policy decides
who can access what resources from where using what tunnel settings, so
configuring a proper set of policies is important.
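Added here as an example (not from the original document or Microsoft's code): a Python model of how an ordered set of remote access policies, each with conditions, a permission and a profile, decides a connection attempt, including the user account's dial-in setting that can override the policy permission. Policy names, group names, attribute names and profile settings are constructed for illustration.

```python
"""Constructed model of RRAS remote access policy evaluation: first matching
policy wins, its permission decides unless the account dial-in setting overrides,
and its profile constraints are then checked against the attempt."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    conditions: dict            # attribute -> set of acceptable values
    permission: str             # "grant" or "deny"
    profile: dict = field(default_factory=dict)


def condition_matches(attempt, attr, allowed):
    actual = attempt.get(attr)
    if actual is None:
        return False
    if isinstance(actual, (set, frozenset)):     # e.g. Windows-Groups: any membership counts
        return bool(actual & allowed)
    return actual in allowed


def first_matching_policy(policies, attempt):
    """Policies are evaluated in order; the first whose conditions all match is used."""
    for policy in policies:
        if all(condition_matches(attempt, a, v) for a, v in policy.conditions.items()):
            return policy
    return None


def evaluate(policies, attempt, account_dialin="policy"):
    """account_dialin mirrors the user account's dial-in setting: "allow", "deny",
    or "policy" (control access through remote access policy)."""
    if account_dialin == "deny":
        return {"decision": "reject", "reason": "account dial-in permission is Deny", "policy": None}
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return {"decision": "reject", "reason": "no matching remote access policy", "policy": None}
    if account_dialin == "policy" and policy.permission == "deny":
        return {"decision": "reject", "reason": "policy permission is Deny", "policy": policy.name}
    # Profile constraints apply even when the account setting is Allow.
    allowed_auth = policy.profile.get("authentication")
    if allowed_auth and attempt.get("auth_method") not in allowed_auth:
        return {"decision": "reject", "policy": policy.name,
                "reason": "authentication method not permitted by profile"}
    return {"decision": "accept", "reason": "granted", "policy": policy.name,
            "profile": policy.profile}


# Constructed policy set, in evaluation order.
POLICIES = [
    Policy("Contractors - business hours",
           {"Windows-Groups": {"Contractors"}, "Day-And-Time": set(range(8, 18))},
           "grant", {"authentication": {"EAP-TLS"}, "idle_timeout_minutes": 10}),
    Policy("Contractors - otherwise", {"Windows-Groups": {"Contractors"}}, "deny"),
    Policy("Employees via tunnel",
           {"Windows-Groups": {"Employees"}, "Tunnel-Type": {"L2TP", "PPTP"}},
           "grant", {"authentication": {"EAP-TLS", "MS-CHAPv2"}, "encryption": "strongest"}),
]


def employee_attempt():
    return {"Windows-Groups": {"Employees"}, "Tunnel-Type": "L2TP",
            "Day-And-Time": 20, "auth_method": "MS-CHAPv2"}


def contractor_attempt(hour, auth_method):
    return {"Windows-Groups": {"Contractors"}, "Tunnel-Type": "L2TP",
            "Day-And-Time": hour, "auth_method": auth_method}


def guest_attempt():
    return {"Windows-Groups": {"Guests"}, "Tunnel-Type": "L2TP",
            "Day-And-Time": 9, "auth_method": "EAP-TLS"}


if __name__ == "__main__":
    print(evaluate(POLICIES, employee_attempt()))
    print(evaluate(POLICIES, contractor_attempt(20, "EAP-TLS")))
    print(evaluate(POLICIES, contractor_attempt(10, "MS-CHAPv2")))
    print(evaluate(POLICIES, guest_attempt()))
```

The contractor examples show why order matters: swapping the two contractor policies would make the Deny rule match first at every hour.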

How does SSL work? Secure Sockets Layer uses a cryptographic system that
encrypts data with two keys.

When an SSL digital certificate is installed on a web site, users can see a
padlock icon at the bottom of the browser window. When an Extended Validation
certificate is installed on a web site, users with the latest versions of Firefox,
Internet Explorer or Opera will see a green address bar in the URL area of
the browser.

How does IPSec work? IPSec is an Internet Engineering Task Force (IETF)
standard suite of protocols that provides data authentication, integrity, and
confidentiality as data is transferred between communication points across IP
networks. IPSec provides data security at the IP packet level. A packet is a data
bundle that is organized for transmission across a network, and it includes a
header and payload (the data in the packet). IPSec emerged as a viable
network security standard because enterprises wanted to ensure that data
could be securely transmitted over the Internet. IPSec protects against possible
security exposures by protecting data while in transit

How do I deploy IPSec for a large number of computers? Use the Microsoft
guide "Server and Domain Isolation Using IPsec and Group Policy".

What types of authentication can IPSec use? Deploying L2TP/IPSec-based
Remote Access

Deploying L2TP-based remote access VPN connections using Windows Server
2003 consists of the following:

* Deploy certificate infrastructure
* Deploy Internet infrastructure
* Deploy AAA infrastructure
* Deploy VPN servers
* Deploy intranet infrastructure
* Deploy VPN clients

What is PFS (Perfect Forward Secrecy) in IPSec? In an authenticated
key-agreement protocol that uses public key cryptography, perfect forward
secrecy (or PFS) is the property that ensures that a session key derived from a
set of long-term public and private keys will not be compromised if one of the
(long-term) private keys is compromised in the future.

Forward secrecy has been used as a synonym for perfect forward secrecy [1],
since the term perfect has been controversial in this context. However, at least
one reference [2] distinguishes perfect forward secrecy from forward secrecy
with the additional property that an agreed key will not be compromised even
if agreed keys derived from the same long-term keying material in a
subsequent run are compromised.

How do I monitor IPSec? To test the IPSec policies, use IPSec Monitor. IPSec
Monitor (Ipsecmon.exe) provides information about which IPSec policy is active
and whether a secure channel between computers is established.

Looking at IPSec-encrypted traffic with a sniffer, what packet types do I
see? You can see the packets pass, but you cannot see their contents.

IPSec Packet Types

IPSec packet types include the authentication header (AH) for data integrity
and the encapsulating security payload (ESP) for data confidentiality and
integrity.

The authentication header (AH) protocol creates an envelope that provides
integrity, data origin identification and protection against replay attacks. It
authenticates every packet as a defense against session-stealing attacks.
Although the IP header itself is outside the AH header, AH also provides limited
verification of it by not allowing changes to the IP header after packet creation
(note that this usually precludes the use of AH in NAT environments, which
modify packet headers at the point of NAT). AH packets use IP protocol 51.

The encapsulating security payload (ESP) protocol provides the features of AH
(except for IP header authentication), plus encryption. It can also be used in a
null encryption mode that provides the AH protection against replay attacks
and other such attacks, without encryption or IP header authentication. This
can allow for achieving some of the benefits of IPSec in a NAT environment
that would not ordinarily work well with IPSec. ESP packets use IP protocol 50.
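Added here as an example (not from the original document): a Python decoder that shows, for the sniffer question and the AH/ESP description above, exactly which fields a passive observer can read from AH (IP protocol 51), ESP (IP protocol 50) and NAT-T encapsulated ESP (UDP 4500, mentioned in the NAT section) packets. The packets, SPIs, sequence numbers and addresses are constructed; the ESP body is a stand-in for ciphertext, not real encryption.

```python
"""Constructed AH, ESP and UDP-encapsulated ESP (NAT-T, RFC 3948) IPv4 packets, and a
decoder that reports only what is visible on the wire. Not a real IPSec implementation."""
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                       # UDP port used for NAT traversal
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefix that marks IKE (not ESP) on UDP 4500


def ipv4_header(proto, payload_len, src=b"\xc0\xa8\x01\x0a", dst=b"\xcb\x00\x71\x05"):
    """Minimal 20-byte IPv4 header with no options; checksum left at zero (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def build_ah_packet(spi, seq, next_header, payload, icv):
    """AH: 12-byte fixed header, the ICV, then the protected payload in cleartext.
    The length field counts 32-bit words of the whole AH header minus 2."""
    ah_len_words = (12 + len(icv)) // 4 - 2
    ah = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq) + icv
    return ipv4_header(IPPROTO_AH, len(ah) + len(payload)) + ah + payload


def build_esp_packet(spi, seq, ciphertext):
    """ESP: SPI and sequence number in the clear; everything after them is opaque."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(IPPROTO_ESP, len(esp)) + esp


def build_nat_t_esp_packet(spi, seq, ciphertext):
    """The same ESP payload wrapped in UDP 4500 so it can cross a NAT."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(IPPROTO_UDP, len(udp)) + udp


def decode(packet):
    """Report the fields a passive sniffer can read from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_AH:
        next_header, len_words, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_total = (len_words + 2) * 4
        return {"type": "AH", "spi": spi, "seq": seq, "next_header": next_header,
                "icv": body[12:ah_total], "cleartext_payload": body[ah_total:]}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"type": "ESP", "spi": spi, "seq": seq, "opaque_bytes": len(body) - 8}
    if proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        udp_payload = body[8:ulen]
        if NAT_T_PORT in (sport, dport):
            if udp_payload[:4] == NON_ESP_MARKER:
                return {"type": "IKE over NAT-T", "remaining_bytes": len(udp_payload) - 4}
            spi, seq = struct.unpack("!II", udp_payload[:8])
            return {"type": "ESP over NAT-T", "spi": spi, "seq": seq,
                    "opaque_bytes": len(udp_payload) - 8}
        return {"type": "UDP", "sport": sport, "dport": dport}
    return {"type": "IP protocol %d" % proto}


if __name__ == "__main__":
    print(decode(build_ah_packet(0x100, 3, 6, b"TCP-SEGMENT", b"\x11" * 12)))
    print(decode(build_esp_packet(0x1234ABCD, 7, b"\xaa" * 40)))
    print(decode(build_nat_t_esp_packet(0x55, 9, b"\xbb" * 16)))
```

AH leaves its payload readable and its ICV covers the outer IP header, so the address rewrite a NAT performs invalidates it; ESP's visible fields stop at the SPI and sequence number, which is why only the SPI, counter and packet size are available for traffic analysis.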

What can you do with NETSH? Netsh is a command-line scripting utility that
allows you to, either locally or remotely, display, modify or script the
network configuration of a computer that is currently running.

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [Command | -f ScriptFile]

The following commands are available:

Commands in this context:

? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
delete - Deletes a configuration entry from a list of entries.
dump - Displays a configuration script.
exec - Runs a script file.
help - Displays a list of commands.
interface - Changes to the `interface' context.
ras - Changes to the `ras' context.
routing - Changes to the `routing' context.
set - Updates configuration settings.
show - Displays information.

The following subcontexts are available:

routing interface ras

To view help for a command, type the command, followed by a space, and
then type ?

How do I look at the open ports on my machine? Windows: Open a command
prompt (Start button -> Run -> type "cmd"), and type:
netstat -a

Linux: Open an SSH session and type:
netstat -an

What is the difference between Workgroup and Domain?

A workgroup is an interconnection of a number of systems that share resources
such as files and printers without a dedicated server. Each workgroup maintains
a local database for user accounts, security, etc. A domain, on the other hand,
is an interconnection of systems that share resources with one or more
dedicated servers, which can be used to control security and permissions for
all users in the domain. A domain maintains a centralized database, and hence
centralized management of user accounts, policies, etc. is established. If you
have a user account in the domain then you can log on to any system without a
user account on that particular system.

How will you assign Local Administrator rights to a domain user?
To assign a domain user local administrative rights on any client of the domain,
log in to the respective client system, then: Start -> Control Panel -> User
Accounts -> give username, password and name of domain -> Add -> Advanced ->
Locations -> Find Now -> select Others (in that, select Administrator user) ->
OK -> Next -> OK.

How will you restrict user logon timing in domain?

Start -> dsa.msc -> double click on Users -> right click on any user -> Properties
-> click on Account -> click on Logon Hours -> Logon Denied -> select time (by
dragging mouse) -> click on logon permission -> OK.

What is the purpose of sysvol?

The sysvol folder stores the server’s copy of the domain’s public files. The
contents of the sysvol folder, such as group policy, users, etc., are replicated
to all domain controllers in the domain. The sysvol folder must be located on an
NTFS volume.

What is OU? Explain its Uses.

An object is a set of attributes that represents a network resource, say a user,
a computer, a group policy, etc., and object attributes are characteristics of
that object stored in the directory. Organizational units act as containers for
objects. Objects can be arranged according to the security and administrative
requirements of an organization. You can easily manage and locate objects after
arranging them into organizational units. An administrator can delegate the
authority to manage different organizational units, and an OU can be nested in
other organizational units. Create an OU if you want to:

* Create a company’s structure and organization within a domain – Without
OUs, all users are maintained and displayed in a single list, the Users
container, regardless of a user’s department, location, or role.
* Delegate administrative control – Grant administrative permissions to users or
groups of users at the OU level.
* Accommodate potential changes in a company’s organizational structure –
Users can easily be reorganized between OUs, while reorganizing users between
domains generally requires more time and effort.
* Group objects with similar network resources – This way it is easy to perform
any administrative tasks. For example, all user accounts for temporary
employees can be grouped in an OU.
* Restrict visibility – Users can view only the objects for which they have
access.

Explain the different editions of Windows 2003 Server?

* Windows Server 2003, Web Edition – mainly for building and hosting Web
applications, Web pages, and XML Web Services.
* Windows Server 2003, Standard Edition – aimed at small to medium
sized businesses. Flexible yet versatile, Standard Edition supports file and
printer sharing, offers secure Internet connectivity, and allows centralized
desktop application deployment.
* Windows Server 2003, Enterprise Edition – aimed at medium to large
businesses. It is a full-function server operating system that supports up to
eight processors and provides enterprise-class features such as eight-node
clustering using Microsoft Cluster Server (MSCS) software and support for up to
32 GB of memory.
* Windows Server 2003, Datacenter Edition – the flagship of the Windows
Server line, designed for immense infrastructures demanding high security
and reliability.
* Windows Server 2003, Compute Cluster Edition – designed for working with
the most difficult computing problems that would require high performance
computing clusters.
* Windows Storage Server 2003 – optimised to provide dedicated file and
print sharing services. It is only available through OEMs when purchased
pre-configured with network attached storage devices.

What is DNS Server?

Domain Name System (or Service or Server), a service that resolves domain
names into IP addresses and vice versa. Because domain names are alphabetic,
they’re easier to remember. The Internet, however, is really based on IP
addresses. Every time you use a domain name, therefore, a DNS service must
translate the name into the corresponding IP address. For example, the domain
name www.example.com might translate to 198.105.232.4.

The DNS system is, in fact, its own network. If one DNS server doesn’t know
how to translate a particular domain name, it asks another one, and so on,
until the correct IP address is returned.

Why is a DNS server required for Active Directory?

The key reason for integrating DNS and AD is efficiency. This is particularly true
where you have lots of replication traffic. Without DNS you can’t resolve host
names, and you can’t find services, like a domain controller.

What is the Purpose of A and PTR Record?

An A (Host) record is used to resolve a name to an IP address, while a PTR
(pointer) record is used to resolve an IP address to a name.

What is the purpose of DHCP Server?

A DHCP server is the server that is responsible for assigning unique IP addresses
to the computers on a network. No two computers (actually, no two network
cards, even if two are in one computer) can have the same IP address on a
network at the same time or there will be conflicts. To that end, DHCP servers
will take a request from a computer that has just been added (or is renewing)
to the network and assign it a unique IP address that is available. These
assignments typically only last for a limited time (an hour to a week usually)
and so you are never guaranteed that the IP address for a particular computer
will remain the same when using DHCP (some DHCP servers allow you to
specify that a computer gets the same address all the time, however).

Explain about Group Scopes?

A DHCP scope is a valid range of IP addresses which are available for
assignment or lease to client computers on a particular subnet. In a DHCP
server, you configure a scope to determine the pool of IP addresses which the
server can provide to DHCP clients.
Scopes determine which IP addresses are provided to the clients. Scopes should
be defined and activated before DHCP clients use the DHCP server for their
dynamic IP configuration. You can configure as many scopes on a DHCP server
as are required in your network environment.

How will you back up the DNS Server?

If you are using Active Directory-integrated DNS, then your DNS information is
stored in Active Directory itself, and you’ll need to back up the entire system
state. If not, however, the Backup directory in the
%SystemRoot%\System32\Dns folder contains backup information for the DNS
configuration and the DNS database.

How will you back up the DHCP Server?

The Backup directory in the %SystemRoot%\System32\DHCP folder contains
backup information for the DHCP configuration and the DHCP database. By
default, the DHCP database is backed up every 60 minutes automatically. To
manually back up the DHCP database at any time, follow these steps:

1. In the DHCP console, right-click the server you want to back up, and then
click Backup.

2. In the Browse For Folder dialog box, select the folder that will contain the
backup DHCP database, and then click OK.

Explain APIPA.
A Windows-based computer that is configured to use DHCP can automatically
assign itself an Internet Protocol (IP) address if a DHCP server is not available
or does not exist. The Internet Assigned Numbers Authority (IANA) has reserved
169.254.0.0-169.254.255.255 for Automatic Private IP Addressing (APIPA).

Explain about AD Database.

The Windows 2003 Active Directory data store, the actual database file, is
%SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory,
including user accounts. Active Directory’s database engine is the Extensible
Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5
and WINS. The ESE has the capability to grow to 16 terabytes, which would be
large enough for 10 million objects. Only the Jet database can manipulate
information within the AD datastore.

Explain about Group Policy.

Group policies are used by administrators to configure and control user
environment settings. Group Policy Objects (GPOs) are used to configure group
policies which are applied to sites, domains, and organizational units (OUs).
Group policy may be blocked or set so it cannot be overridden. The default is
for subobjects to inherit the policy of their parents. There is a maximum of
1000 applicable group policies.

Group policies are linked to domains, organizational units, or sites in Active
Directory. A policy must be linked to a container object in Active Directory to
be effective. A policy is stored in one domain but can be linked to containers
in other domains to make it effective there also. The policy must be linked to
the container (site, domain, or OU) that it is stored in to be effective in that
container. One policy object can be linked to several containers. Several policy
objects can be linked to one container.

What is the default time for group policy refresh interval time?
The default refresh interval for policies is 90 minutes. The default refresh
interval for domain controllers is 5 minutes. A group policy object’s refresh
interval may be changed within the group policy object itself.

Explain Hidden Share.


Using hidden shares on your network is useful if you do not want a shared
folder or drive on the network to be easily accessible. Hidden shares can add
another layer of protection for shared files against unauthorized people
connecting to your network. Using hidden shares reduces the chance that someone
can guess your password (or be logged into an authorized Windows account) and
then gain access to the shared resource.

Windows automatically shares hard drives by default for administrative
purposes. They are hidden shares named with the drive letter followed by a
dollar sign (e.g., C$) and commented as Default Share, so that certain
networking and administrative functions and applications can work properly.
Note that preventing Windows from creating these hidden or administrative
shares each time your computer boots requires a registry change.

What ports are used by DHCP and the DHCP clients?


Clients send requests from UDP port 68 to the server’s UDP port 67; the server
replies from port 67 back to the client’s port 68.

How do I configure a client machine to use a specific IP Address?


Create a reservation in DHCP for the client’s MAC address.

Name 3 benefits of using AD-integrated zones.


1. They provide easy name resolution for your clients.
2. By creating an AD-integrated zone you can also trace hackers and spammers
by creating a reverse lookup zone.
3. AD-integrated zones allow incremental zone transfers, which transfer only
the changes and not the entire zone. This reduces zone transfer traffic.
4. AD-integrated zones support both secure and dynamic updates.
5. AD-integrated zones are stored as part of Active Directory and support
domain-wide or forest-wide replication through application partitions in AD.

How do you backup & Restore AD?


You can backup Active Directory by using the NTBACKUP tool that comes built-
in with Windows Server 2003. Backing up the Active Directory is done on one or
more of your Active Directory domain Controllers, and is performed by backing
up the System State on those servers. The System State contains the local
Registry, COM+ Class Registration Database, the System Boot Files, certificates
from Certificate Server (if it’s installed), Cluster database (if it’s installed),
NTDS.DIT, and the SYSVOL folder. The tombstone lifetime is 60 days (Windows
2000/2003 DCs), or 180 days (Windows Server 2003 SP1 DCs).

You can use one of three methods to restore Active Directory from backup
media: Primary Restore, Normal Restore (i.e. Non-Authoritative), and
Authoritative Restore.
Primary Restore: This method rebuilds the first domain controller in a domain
when there is no other way to rebuild the domain. Perform a primary restore
only when all the domain controllers in the domain are lost, and you want to
rebuild the domain from the backup. Members of the Administrators group can
perform the primary restore on the local computer. On a domain controller, only
members of the Domain Admins group can perform this restore.

Normal Restore: This method reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process. Perform a normal restore for a single domain controller to a previously
known good state.

Authoritative Restore: You perform this method in tandem with a normal
restore. An authoritative restore marks specific data as current and prevents
replication from overwriting that data. The authoritative data is then
replicated through the domain. Perform an authoritative restore for individual
objects in a domain that has multiple domain controllers. When you perform an
authoritative restore, you lose all changes to the restored object that occurred
after the backup. You need to use the NTDSUTIL command line utility to
perform an authoritative restore: it marks the Active Directory objects as
authoritative so that they receive a higher version number, and recently
changed data on other domain controllers then does not overwrite the restored
System State data during replication.

How do you change the DS Restore admin password? Microsoft Windows 2000
uses the Setpwd utility to reset the DS Restore Mode password. In Microsoft
Windows Server 2003, that functionality has been integrated into the NTDSUTIL
tool. Note that you cannot use the procedure if the target server is running in
DSRM.

How can you forcibly remove AD from a server? In Run, use the command
dcpromo /forceremoval

What is the SYSVOL folder? The SYSVOL folder stores the server’s copy of the
domain’s public files. The contents of the SYSVOL folder (such as Group Policy,
users, etc.) are replicated to all domain controllers in the domain. The SYSVOL
folder must be located on an NTFS volume.

What is the problem if the DNS server fails? If your DNS server fails, you
can’t resolve host names, and you can’t resolve domain controller IP addresses.

How can you restrict running certain applications on a machine? The Group
Policy Object Editor and the Software Restriction Policies extension of Group
Policy Object Editor are used to restrict running certain applications on a
machine. For Windows XP computers that are not participating in a domain,
you can use the Local Security Settings snap-in to access Software Restriction
Policies.

What can you do to promote a server to DC? Start->Run->DCPROMO

How will you map a folder through AD? Navigate to the domain user’s properties
and give the path on the Profile tab in the format \\servername\sharename.

Explain Quotas. Disk Quota is a feature of NTFS that helps restrict or manage
disk usage by normal users. It can be implemented on a per-user, per-volume
basis. By default it is disabled. Administrative privilege is required to
configure it. In Windows Server 2003 we can control quotas only per drive, but
in Windows Server 2008 we can set a quota at the folder level.

Explain Backup Methodology. The different types of backup methodologies
are:

* Normal Backup:- This is the default backup, in which all files are backed up
even if they were backed up before.
* Incremental Backup:- In this type of backup only the files that haven’t been
backed up since the last backup are backed up.
* Differential Backup:- This backup is similar to an incremental backup because
it does not back up the files already backed up by a normal backup, but it
differs from incremental because, at the next differential backup, it backs up
again the files that were differentially backed up before.
* Copy Backup:- This type of backup is used during system state backup and ASR
backup. It is used in special conditions only.
* Daily Backup:- This type of backup backs up only those files that were
created on that particular day.
* System Backup:- This type of backup backs up the Boot files, COM+ Class
Registry, and Registry. On a server it also backs up ADS.
* ASR Backup:- This type of backup backs up the entire boot partition including
the OS and user data. This should be the last troubleshooting method to recover
an OS from disaster.
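The archive-bit behaviour that distinguishes normal, incremental, differential, copy and daily backups, as an added Python model (not part of the original text; the file names, dates and edits are constructed sample data):

```python
"""Archive-bit model of the backup types listed above.

Added illustration; not part of the original text. The backup software decides
which files to copy, and whether to clear the archive bit afterwards, per
backup type. The files, dates and changes below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class File:
    name: str
    modified: date
    archive_bit: bool = True  # set by the file system whenever the file is written


def run_backup(kind: str, files: list, today: date) -> list:
    """Return the names a backup of the given kind copies and update the
    archive bits the way that backup type does."""
    if kind == "normal":          # everything, then clear the bits
        chosen, clear = list(files), True
    elif kind == "incremental":   # changed since last normal/incremental, clear bits
        chosen, clear = [f for f in files if f.archive_bit], True
    elif kind == "differential":  # changed since the last normal backup, bits untouched
        chosen, clear = [f for f in files if f.archive_bit], False
    elif kind == "copy":          # everything, bits untouched (safe to run ad hoc)
        chosen, clear = list(files), False
    elif kind == "daily":         # only files modified today, bits untouched
        chosen, clear = [f for f in files if f.modified == today], False
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if clear:
        for f in chosen:
            f.archive_bit = False
    return [f.name for f in chosen]


def modify(files: list, name: str, day: date) -> None:
    """Simulate a user editing a file: the file system sets its archive bit."""
    for f in files:
        if f.name == name:
            f.modified, f.archive_bit = day, True


def compare_strategies() -> dict:
    """Run one week of changes under an incremental plan and under a
    differential plan; return what each day's backup copied."""
    mon, tue, wed, thu = (date(2024, 1, d) for d in (1, 2, 3, 4))
    results = {}
    for plan in ("incremental", "differential"):
        files = [File("a.doc", mon), File("b.xls", mon), File("c.pdf", mon)]
        log = [run_backup("normal", files, mon)]      # Monday: full backup
        modify(files, "a.doc", tue)
        log.append(run_backup(plan, files, tue))      # Tuesday
        modify(files, "b.xls", wed)
        log.append(run_backup(plan, files, wed))      # Wednesday
        log.append(run_backup(plan, files, thu))      # Thursday: nothing changed
        results[plan] = log
    return results


def restore_sets(plan: str, log: list) -> list:
    """Which backup sets are needed to restore to Thursday's state:
    incremental needs the normal backup plus every incremental since;
    differential needs the normal backup plus only the latest differential."""
    if plan == "incremental":
        return [s for s in log if s]              # drop empty sets, keep the chain
    return [log[0], log[-1]]


def copy_backup_keeps_archive_bits() -> bool:
    """A copy backup takes everything but leaves the bits alone, so it does
    not disturb the incremental/differential chain."""
    files = [File("x.txt", date(2024, 1, 5)), File("y.txt", date(2024, 1, 5))]
    run_backup("copy", files, date(2024, 1, 5))
    return all(f.archive_bit for f in files)
```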

Explain how to publish printer through AD.


The group policy setting ‘Automatically publish new printers in AD’, when
disabled, prevents the Add Printer Wizard from automatically publishing shared
printers. In addition, the Group Policy setting ‘Allow printers to be published’
should be enabled (the default) for printers to be published from that computer.

Explain the functionality of FTP Server?


The FTP server accepts incoming FTP requests. Copy or move the files that
you want to make available to the FTP publishing folder for access. The default
folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is
installed.
In the client-server model, a file server is a computer responsible for the
central storage and management of data files so that other computers on the
same network can access the files. A file server allows users to share
information over a network without having to physically transfer files by floppy
diskette or some other external storage device.

Specify the Port Number for AD, DNS, DHCP, HTTP, HTTPS, SMTP, POP3 &
FTP
AD- uses LDAP Udp 389 and UDP 135,DNS- 53,DHCP-67,68,HTTP-
80,HTTPS-,SMTP-25,POP3-110 & FTP-20,21.

Explain Virtual Directory in IIS?


A virtual server can have one home directory and any number of other
publishing directories. These other publishing directories are referred to as
virtual directories.

What is Exclusion Range in DHCP Server?


An Exclusion Range is used to reserve a block of IP addresses so that computers
that require a static IP address, such as DNS servers and legacy printers, can
use those reserved addresses. These addresses are not assigned by the DHCP
server.

Explain SOA Record.


Start Of Authority (SOA) records indicate that the name server is the
authoritative server for the domain.

What must be done to an AD forest before Exchange can be deployed?


Setup.exe /forestprep

What Exchange process is responsible for communication with AD?


DSACCESS

What 3 types of domain controller does Exchange access?


Normal Domain Controller, Global Catalog, Configuration Domain Controller

What connector type would you use to connect to the Internet, and what
are the two methods of sending mail over that connector?
SMTP Connector: Forward to smart host or use DNS to route to each address

How would you optimize Exchange 2003 memory usage on a Windows
Server 2003 server with more than 1 GB of memory?
Add the /3GB switch to boot.ini

Name the process names for the following:

System Attendant – MAD.EXE, Information Store – STORE.EXE,
SMTP/POP/IMAP/OWA – INETINFO.EXE

What is the maximum number of databases that can be hosted on Exchange
2003 Enterprise?
20 databases (4 storage groups x 5 databases each)

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and
Global Catalog?

- 25 SMTP
- 110 POP3
- 143 IMAP4
- 135 RPC
- 389 LDAP
- 636 LDAP (SSL)
- 3268 Global Catalog
- 465 SMTP/SSL
- 993 IMAP4/SSL
- 563 IMAP4/SSL
- 53 DNS
- 80 HTTP
- 88 Kerberos
- 119 NNTP

What are the prerequisites for installation of Exchange Server?

The prerequisites are:

IIS, SMTP, WWW service, NNTP, W3SVC, .NET Framework

ASP.NET

Then run Forestprep.

Then run Domainprep.

Which protocol is used for Public Folder? NNTP

What is the use of NNTP with Exchange? This protocol is used for newsgroups
in Exchange.

Disaster Recovery Plan? Ans: Deals with the restoration of computer systems,
with all attendant software and connections, to full functionality under a
variety of damaging or interfering external conditions.

About the new features in Exchange 2003:

• Updated Outlook Web Access.
• Updated VSAPI (Virus Scanning Application Programming Interface).
• In Exchange Server 2003 Enterprise there are specific features, namely:
• Eight-node clustering using the Windows Clustering service in Windows
Server.
• Multiple storage groups.
• X.400 connectors, which support both TCP/IP and X.25.

What would a rise in remote queue length generally indicate? This means
mail is not being sent to other servers. This can be explained by outages or
performance issues with the network or remote servers.

What would a rise in the Local Delivery queue generally mean? This indicates
a performance issue or outage on the local server. Reasons could be slowness
in consulting AD, slowness in handing messages off to local delivery or SMTP
delivery. It could also be databases being dismounted or a lack of disk space.

What are the disadvantages of circular logging? In the event of a corrupt
database, data can only be restored to the last backup.

What is the maximum storage capacity for Exchange standard version? What
would you do if it reaches maximum capacity? 16GB. Once the store
dismounts at the 16GB limit, the only way to mount it again is to use the 17GB
registry setting, and even this is a temporary solution. If you apply Exchange
2003 SP2 to your Standard Edition server, the database size limit is initially
increased to 18GB. Whilst you can go on to change this figure to a value up to
75GB, it’s important to note that 18GB is the default setting. The setting for a
private (mailbox) store lives under:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Private-
{GUID}

It therefore follows that for registry settings that relate to making
changes on a public store, you’ll need to work in the following registry key:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\{server name}\Public-
{GUID}

Under the relevant database, create the following registry information:

Value type: REG_DWORD

Value name: Database Size Limit in GB

Set the value data to be the maximum size in gigabytes that the database is
allowed to grow to. For the Standard Edition of Exchange, you can enter
numbers between 1 and 75. For the Enterprise Edition, you can enter numbers
between 1 and 8000. Yes, that’s right, between 1GB and 8000GB or 8TB.
Therefore, even if you are running the Enterprise Edition of Exchange, you can
still enforce overall database size limits of, say, 150GB if you so desire.

What is MIME & MAPI?

MIME = Multipurpose Internet Mail Extensions. It defines non-ASCII message
formats. It is a coding standard that defines the structure of e-mails and other
Internet messages. MIME is also used for the declaration of content by other
Internet protocols like HTTP and by desktop environments like KDE, Gnome or Mac
OS X Aqua. The standard is defined in RFC 2045.

With MIME it is possible to exchange information about the type of message
(the content type) between the sender and the recipient of the message. MIME
also defines the encoding method (Content-Transfer-Encoding). These are
different coding methods defined for the transportation of non-ASCII characters
in plain text documents, and of non-text documents like images, voice and video,
through text-based delivery systems like e-mail or Usenet.

The non-text elements are encoded by the sender of the message and
decoded by the message recipient. Coding of non-ASCII characters is
often based on “quoted printable” coding, while binary data typically uses
Base64 coding.

There is an extension of this standard called S/MIME (Secure Multipurpose
Internet Mail Extensions) that allows the signing and encryption of messages.
There are other e-mail encryption solutions like PGP/MIME (RFC 2015 and
3156).

MAPI = Messaging Application Programming Interface. It’s the programming
interface for email. It is a Microsoft Windows program interface that enables
you to send e-mail from within a Windows application and attach the
document you are working on to the e-mail note. Applications that take
advantage of MAPI include word processors, spreadsheets, and graphics
applications. MAPI-compatible applications typically include a Send Mail or
Send item in the File pull-down menu of the application. Selecting one of these
sends a request to a MAPI server.

List the services of Exchange Server 2003? There are several services
involved with Exchange Server, and stopping different services will accomplish
different things. The services are interdependent, so when you stop or start
various services you may see a message about having to stop dependent
services. If you do stop dependent services, don’t forget to restart them again
when you restart the service that you began with.

To shut down Exchange completely on a given machine, you need to stop all of
the following services:

Microsoft Exchange Event (MSExchangeES):- This service was used for
launching event-based scripts in Exchange 5.5 when folder changes were
detected. Exchange 2000 offered the ability to create Event Sinks directly, so
the use of this service has decreased. This service is not started by default.

Microsoft Exchange IMAP4 (IMAP4Svc):- This service supplies IMAP4 protocol
message server functionality. This service is disabled by default. To use IMAP4
you must enable this service, configure it to auto-start, and start the service.

Microsoft Exchange Information Store (MSExchangeIS):- This service is used to
access the Exchange mail and public folder stores. If this service is not running,
users will not be able to use Exchange. This service is started by default.

Microsoft Exchange Management (MSExchangeMGMT):- This service is
responsible for various management functions available through WMI, such as
message tracking. This service is started by default.

Microsoft Exchange MTA Stacks (MSExchangeMTA):- This service is used to
transfer X.400 messages sent to and from foreign systems, including Exchange
5.5 Servers. This service was extremely important in Exchange 5.5, which used
X.400 as the default message transfer protocol. Before stopping or disabling
this service, review MS KB 810489. This service is started by default.

Microsoft Exchange POP3 (POP3Svc):- This service supplies POP3 protocol
message server functionality. This service is disabled by default. To use POP3
you must enable this service, configure it to auto-start, and start the service.

Microsoft Exchange Routing Engine (RESvc):- This service is used for routing and
topology information for routing SMTP based messages. This service is started
by default.

Microsoft Exchange System Attendant (MSExchangeSA):- This service handles
various cleanup and monitoring functions. One of the most important functions
of the System Attendant is the Recipient Update Service (RUS), which is
responsible for mapping attributes in Active Directory to the Exchange
subsystem and enforcing recipient policies. When you create a mailbox for a
user, you simply set some attributes on a user object. The RUS takes that
information and does all of the work in the background with Exchange to really
make the mailbox. If you mailbox-enable or mail-enable objects and they don’t
seem to work, the RUS is one of the first places you will look for an issue. If
you need to enable diagnostics for the RUS, the parameters are maintained in a
separate service registry entry called MSExchangeAL. This isn’t a real service;
it is simply the supplied location to modify RUS functionality. This service is
started by default.

Microsoft Exchange Site Replication Service (MSExchangeSRS):- This service is
used in Organizations that have Exchange 5.5 combined with Exchange
2000/2003. This service is not started by default.

Network News Transfer Protocol (NntpSvc):- This service is responsible for
supplying NNTP Protocol Server functionality. This service is started by default.

Simple Mail Transfer Protocol (SMTPSVC):- This service is responsible for
supplying SMTP Protocol Server functionality. This service is started by default.

How can you recover a deleted mail box? In Exchange, if you delete a
mailbox, it is disconnected for a default period of 30 days (the mailbox
retention period), and you can reconnect it at any point during that time.
Deleting a mailbox does not mean that it is permanently deleted (or purged)
from the information store database right away, only that it is flagged for
deletion. At the end of the mailbox retention period, the mailbox is
permanently deleted from the database. You can also permanently delete the
mailbox by choosing to purge it at any time.

This also means that if you mistakenly delete a mail-enabled user account, you
can recreate that user object, and then reconnect that mailbox during the
mailbox retention period.

Configure the deleted mailbox retention period at the mailbox store object
level.

To Delete a Mailbox in Exchange

1. Right-click the user in Active Directory Users and Computers.

2. Click Exchange Tasks.

3. Click Next on the Welcome page of the Exchange Task Wizard.

4. Click Delete Mailbox.

5. Click Next, click Next, and then click Finish.

The mailbox is now flagged for deletion and will be permanently deleted at the
end of the mailbox retention period unless you recover it.

To Reconnect (or Recover) a Deleted Mailbox

1. In Exchange System Manager, locate the mailbox store that contains the
disconnected mailbox.

2. Click the Mailboxes object under the mailbox store.

3. If the mailbox is not already marked as disconnected (the mailbox icon
appears with a red X), right-click the Mailboxes object, and then click Cleanup
Agent.

4. Right-click the disconnected mailbox, click Reconnect, and then select the
appropriate user from the dialog box that appears.

5. Click OK.

Note: Only one user may be connected to a mailbox, because all globally unique
identifiers (GUIDs) are required to be unique across an entire forest.

To Reconnect a Deleted Mailbox to a New User Object

1. In Active Directory Users and Computers, create a new user object. When
you create the new user object, click to clear the Create an Exchange Mailbox
check box.

You will connect this user account to an already existing mailbox.

2. Follow steps 1 through 4 in the preceding “To Reconnect (or Recover) a
Deleted Mailbox” section.

To Configure the Mailbox Retention Period

1. Right-click the mailbox store, and then click Properties.

2. On the Limits tab, change the Keep deleted mailboxes for (days) default
setting of 30 to the number of days you want.

3. Click OK.

What is the use of ESEUTIL.exe? Repairing the database. ESEUTIL is a tool to
defragment your Exchange databases offline, to check their integrity and to
repair a damaged/lost database.

ESEUTIL is located in the \EXCHSRVR\BIN directory. This directory is not in the
system path, so you must run the tool from the BIN directory or add the
\EXCHSRVR\BIN directory to the system path.
You can use the Eseutil utility to defragment the information store and
directory in Microsoft Exchange Server 5.5 and to defragment the information
store in Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003.
Eseutil examines the structure of the database tables and records (which can
include reading, scanning, repairing, and defragmenting) at the low level of the
database engine (Ese.dll). Eseutil is located in the Winnt\System32 folder in
Exchange Server 5.5 and in the Exchsrvr\Bin folder in Exchange 2000 and in
Exchange 2003. The utility can run on one database at a time from the command
line.

If you have deleted the user and then recreated the same user, how will you
give access to the previous mailbox? Reconnect the deleted user’s mailbox to
the recreated user, provided the recreated user doesn’t already have a
mailbox.

Which protocol is used for Public Folder? NNTP (Network News Transfer
Protocol). Both NNTP and IMAP help clients to access the public folder, but
actually it is SMTP that sends the mails across the public folder.

What is latest service pack Exchange 2003? SP2

What is latest service pack Exchange 2000? SP4

What is the name of Exchange Databases? priv1.edb

How many databases in Standard Exchange version? 1

How many databases in Enterprise Exchange version? 20

New Features of Windows 2003 ACTIVE DIRECTORY

• Easier Deployment and Management
• ADMT version 2.0—migrates passwords from NT4 to 2000 to 2003 or
from 2000 to 2003
• Domain Rename—supports changing the Domain Name System and/or
NetBIOS name
• Schema Redefine—allows deactivation of attributes and class
definitions in the Active Directory schema
• AD/AM—Active Directory in Application Mode is a new capability of AD
that addresses certain deployment scenarios related to directory
enabled applications
• Group Policy Improvements—introduced the GPMC tool to manage group
policy
• UI—Enhanced User Interface
• Greater Security
• Cross-forest Authentication
• Cross-forest Authorization
• Cross-certification Enhancements
• IAS and Cross-forest authentication
• Credential Manager
• Software Restriction Policies
• Improved Performance and Dependability
• Easier logon for remote offices
• Group Membership replication enhancements
• Application Directory Partitions
• Install Replica from media
• Dependability Improvements—updated Inter-Site Topology Generator
(ISTG) that scales better by supporting forests with a greater number of
sites than Windows 2000.

FILE AND PRINT SERVICES

1. Volume shadow copy service
2. NTFS journaling file system
3. EFS
4. Improved CHKDSK performance
5. Enhanced DFS and FRS
6. Shadow copy of shared folders
7. Enhanced folder redirection
8. Remote document sharing (WebDAV)

IIS

Fault-tolerant process architecture— The IIS 6.0 fault-tolerant process
architecture isolates Web sites and applications into self-contained units called
application pools.

Health Monitoring— IIS 6.0 periodically checks the status of an application
pool with automatic restart on failure of the Web sites and applications within
that application pool, increasing application availability. IIS 6.0 protects the
server, and other applications, by automatically disabling Web sites and
applications that fail too often within a short amount of time.

Automatic Process Recycling— IIS 6.0 automatically stops and restarts faulty
Web sites and applications based on a flexible set of criteria, including CPU
utilization and memory consumption, while queuing requests.

Rapid-fail Protection— If an application fails too often within a short amount
of time, IIS 6.0 will automatically disable it and return a “503 Service
Unavailable” error message to any new or queued requests to the application.

Edit-While-Running

Difference between NT & 2000

• The NT SAM database is a flat database, whereas in Windows 2000 the Active
Directory database is a hierarchical database.
• In Windows NT only the PDC has a writable copy of the SAM database; the
BDC has only a read-only copy. In Windows 2000 both the DC and the ADC have
a writable copy of the database.
• Windows NT does not support the FAT32 file system. Windows 2000 supports
FAT32.
• The default authentication protocol in NT is NTLM (NT LAN Manager). In
Windows 2000 the default authentication protocol is Kerberos V5.
• Windows 2000 depends on and is integrated with DNS. NT uses NetBIOS names.
• Active Directory can be backed up easily with System State data.

Difference between 2000 & 2003

• Application Server mode is introduced in Windows 2003.
• It is possible to configure stub zones in Windows 2003 DNS.
• Volume Shadow Copy Service is introduced.
• Windows 2003 gives an option to replicate DNS data between all DNS servers
in the forest or all DNS servers in the domain.

Difference between PDC & BDC: The PDC contains a writable copy of the SAM
database, whereas the BDC contains a read-only copy of the SAM database. It is
not possible to reset a password or create objects without the PDC in Windows
NT.

Difference between DC & ADC: There is no difference between a DC and an ADC;
both contain a writable copy of AD. Both can also handle FSMO roles (if
transferred from the DC to the ADC). The distinction is just for identification;
functionality wise there is no difference.

What is DNS & WINS? DNS is the Domain Name System, which resolves host
names to IP addresses. It uses fully qualified domain names. DNS is an Internet
standard used to resolve host names.

WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP
addresses. This is proprietary to Windows.

What is the process of DHCP for getting the IP address to the client?

There is a four-way negotiation process between client and server:

• DHCP Discover (initiated by client)
• DHCP Offer (initiated by server)
• DHCP Request (initiated by client)
• DHCP Acknowledgement (initiated by server)

In short form we can say DORA.

What are the port numbers for FTP, Telnet, HTTP, DNS? FTP - 21, Telnet - 23,
HTTP - 80, DNS - 53, Kerberos - 88, LDAP - 389

What are the database files used for Active Directory? The key AD database
files—edb.log, ntds.dit, res1.log, res2.log, and edb.chk—all reside in
%systemroot%\ntds on a domain controller (DC) by default. During AD
installation, Dcpromo lets you specify alternative locations for these log files
and the database file NTDS.DIT.

What is the location of the AD Database? %SystemRoot%\NTDS\NTDS.DIT

What is the authentication protocol used in NT? NTLM (NT LAN Manager)

What is subnetting and supernetting? Subnetting is the process of borrowing
bits from the host portion of an address to provide bits for identifying
additional sub-networks.

Supernetting merges several smaller, contiguous blocks of IP addresses
(networks) into one larger block of addresses. Borrowing network bits to
combine several smaller networks into one larger network is supernetting.
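Subnetting and supernetting worked through with Python’s ipaddress module, as an added example (not from the original text; the address blocks are constructed). It also shows the case the definition glosses over: contiguous blocks only merge when the combined block is aligned on its own size.

```python
"""Subnetting and supernetting worked through with the ipaddress module.

Added example; not part of the original text. The address blocks are
constructed sample values.
"""
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """Build a dotted mask by hand: the first `prefix` bits are network bits."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def subnet(block: str, borrowed_bits: int) -> list:
    """Borrow host bits: each borrowed bit doubles the number of subnets
    and halves the hosts in each."""
    net = ipaddress.ip_network(block)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def describe(block: str) -> dict:
    """Mask, usable host range and broadcast address of one subnet."""
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    return {
        "netmask": str(net.netmask),
        "mask_by_hand": prefix_to_mask(net.prefixlen),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
    }


def supernet(blocks: list) -> list:
    """Merge blocks into the fewest covering blocks. Blocks merge only when they
    are contiguous and the merged block is aligned on its own size; otherwise
    they are returned unchanged."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```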

What is the use of terminal services? Terminal services can be used in Remote
Administration mode to administer a server remotely, as well as in Application
Server mode to run an application on one server so that users can log in to
that server to use the application.

What is the protocol used for terminal services RDP

What is the port number for RDP 3389

What is the difference between Authorized DHCP and Non-Authorized
DHCP? To avoid problems in the network caused by misconfigured DHCP
servers, a server in Windows 2000 must be validated by AD before it starts
serving clients. If an authorized DHCP server finds any DHCP server in the
network, it stops serving the clients.
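The DORA exchange described earlier and the authorization idea above, as one added Python example (not code from the original text): a client runs Discover/Offer/Request/Ack against two toy servers, accepting only the offer whose server identifier is on an administrator’s allow-list, which stands in for the AD authorization check. Addresses, the client MAC and the second, unauthorized server are constructed.

```python
"""DORA exchange with minimal DHCP packets, plus the authorization check:
the client only accepts offers from servers an administrator has authorized.

Added example; not part of the original text. Addresses, MAC and the
'unauthorized' server are constructed. Server authorization is modelled as
an allow-list of server IPs, standing in for the Active Directory check.
"""
import ipaddress
import struct

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # DHCP message types (option 53)
BOOTREQUEST, BOOTREPLY = 1, 2                  # 'op' field
MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"             # 236-byte fixed header (RFC 2131)


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build(op: int, xid: int, chaddr: bytes, yiaddr: str = "0.0.0.0",
          options: dict = None) -> bytes:
    """Serialise a DHCP packet: fixed header, magic cookie, TLV options, end marker."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,      # htype=Ethernet, broadcast flag
                      zero4, packed(yiaddr), zero4, zero4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in (options or {}).items())
    return hdr + MAGIC + body + b"\xff"


def parse(pkt: bytes) -> dict:
    """Decode the fields the exchange needs; options become {code: raw value}."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:        # 0xFF = end option
        if pkt[i] == 0:                           # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "options": opts}


def server_of(msg: dict) -> str:
    """Server identifier (option 54) of an Offer or Ack, as dotted text."""
    return str(ipaddress.IPv4Address(msg["options"][54]))


class DhcpServer:
    """Toy server: hands out the next free address and answers only requests
    addressed to it (option 54, server identifier)."""

    def __init__(self, ip: str, pool: list):
        self.ip, self.pool, self.leases = ip, list(pool), {}

    def handle(self, pkt: bytes):
        m = parse(pkt)
        kind = m["options"][53][0]
        if kind == DISCOVER:
            offered = self.leases.get(m["chaddr"], self.pool[0])
            return build(BOOTREPLY, m["xid"], m["chaddr"], offered,
                         {53: bytes([OFFER]), 54: packed(self.ip), 51: struct.pack("!I", 86400)})
        if kind == REQUEST and m["options"].get(54) == packed(self.ip):
            wanted = str(ipaddress.IPv4Address(m["options"][50]))
            if wanted in self.pool:
                self.pool.remove(wanted)
            self.leases[m["chaddr"]] = wanted
            return build(BOOTREPLY, m["xid"], m["chaddr"], wanted,
                         {53: bytes([ACK]), 54: packed(self.ip)})
        return None                               # request was for another server


def dora(mac: bytes, servers: list, authorized: set) -> dict:
    """Client side of Discover -> Offer -> Request -> Ack."""
    xid = 0x3903F326                              # fixed transaction id for reproducibility
    seen = []
    discover = build(BOOTREQUEST, xid, mac, options={53: bytes([DISCOVER])})
    seen.append(parse(discover)["options"][53][0])
    offers = [parse(s.handle(discover)) for s in servers]   # broadcast: every server answers
    seen.append(offers[0]["options"][53][0])
    rejected = [server_of(o) for o in offers if server_of(o) not in authorized]
    chosen = next((o for o in offers if server_of(o) in authorized), None)
    if chosen is None:
        raise RuntimeError("no offer from an authorized server")
    request = build(BOOTREQUEST, xid, mac, options={
        53: bytes([REQUEST]), 50: packed(chosen["yiaddr"]), 54: chosen["options"][54]})
    seen.append(parse(request)["options"][53][0])
    ack = next(parse(r) for r in (s.handle(request) for s in servers) if r is not None)
    seen.append(ack["options"][53][0])
    return {"leased": ack["yiaddr"], "server": server_of(ack),
            "rejected_offers": rejected, "message_types": seen}


def demo() -> dict:
    authorized = {"10.0.0.2"}                     # what the directory says is allowed
    servers = [DhcpServer("10.0.0.2", ["10.0.0.50", "10.0.0.51"]),
               DhcpServer("10.0.0.99", ["192.168.77.10"])]   # constructed misconfigured server
    return dora(b"\x00\x11\x22\x33\x44\x55", servers, authorized)
```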

Difference between inter-site and intra-site replication? The protocols used for
replication differ. Intra-site replication is done between the domain controllers
in the same site. Inter-site replication is done between two different sites
over WAN links; the BHS (Bridge Head Server) is responsible for initiating
replication between the sites, so inter-site replication is done between the BHS
in one site and the BHS in another site. We can use RPC over IP or SMTP as the
replication protocol, whereas the Domain partition cannot be replicated using
SMTP.

How to monitor replication? We can use the Replmon tool from the Support Tools.

What are the different backup strategies are available

• Normal Backup
• Incremental Backup
• Differential Backup
• Daily Backup
• Copy Backup

What is a global catalog? The global catalog is a role which maintains indexes
about objects. It contains full information about the objects in its own domain
and partial information about the objects in other domains. Universal group
membership information is stored in global catalog servers and replicated to
all GCs in the forest.

What is Active Directory and what is the use of it? Active Directory is a
directory service, which maintains the relationship between resources and
enables them to work together. Because of AD’s hierarchical structure, Windows
2000 is more scalable and reliable. Active Directory is derived from the X.500
standard, where information is stored in a hierarchical tree-like structure.
Active Directory depends on two Internet standards: one is DNS and the other is
LDAP. Information in Active Directory can be queried using the LDAP protocol.

What is the physical and logical structure of AD? Active Directory’s physical
structure is a hierarchical structure which follows Forests—Trees—Domains—
Child Domains—Grand Child—etc. Active Directory is logically divided into 3
partitions:

1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003, not available in Windows
2000)

Out of these, the Configuration and Schema partitions are replicated between the
domain controllers in the entire forest, whereas the Domain partition is
replicated only between the domain controllers in the same domain.

What is the process of user authentication (Kerberos V5) in Windows
2000? After giving logon credentials, an encryption key is generated which
is used to encrypt the time stamp of the client machine. The user name and
encrypted timestamp information are provided to the domain controller for
authentication. The domain controller then, based on the password information
stored in AD for that user, decrypts the encrypted time stamp information. If
the produced time stamp matches its own time stamp, it provides a logon session
key and a Ticket Granting Ticket to the client in encrypted form. Again the
client decrypts these and, if the produced time stamp information matches, it
uses the logon session key to log on to the domain. The Ticket Granting Ticket
is used to generate a service granting ticket when accessing network resources.

What are the port numbers for Kerberos, LDAP and Global Catalog? Kerberos
– 88, LDAP – 389, Global Catalog – 3268
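A quick reachability check for those ports, as an added example that is not part of the original page. It assumes Test-NetConnection (Windows 8 / Server 2012 or later) and a domain controller named dc1.example.com; the LDAPS ports 636 and 3269 are an addition beyond the page.

```powershell
# Added example (not from the original page): check that a domain controller
# answers on the service ports listed above. Assumes Test-NetConnection
# (Windows 8 / Server 2012 or later) and a DC named dc1.example.com (assumed).
# The LDAPS ports 636 and 3269 are an addition beyond the page.
function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int[]] $Ports = @(88, 389, 3268, 636, 3269)
    )
    $names = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 3268 = 'Global Catalog'; 636 = 'LDAP over SSL'; 3269 = 'GC over SSL' }
    foreach ($port in $Ports) {
        $result = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service   = $names[$port]
            Port      = $port
            Listening = $result.TcpTestSucceeded
        }
    }
}

# A DC that answers on 389 but not on 3268 is not a global catalog (or GC
# promotion has not finished). Kerberos clients also use UDP 88, which this
# TCP-only check does not cover.
Test-DcPorts -DomainController 'dc1.example.com' | Format-Table -AutoSize
```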

What is the use of LDAP (X.500 standard)? LDAP (Lightweight Directory Access Protocol) is a directory access protocol derived from the X.500 standards. It is used to query and exchange directory information between clients and servers, or between servers.

What are the problems that generally come up with DHCP?
• Scope is full: no free IP addresses are available for new machines.
• Scope options are not configured properly, e.g., default gateway or DNS servers.
• Incorrect creation of scopes, e.g., wrong range or subnet mask, or missing exclusions for statically addressed hosts.
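A script that looks for the first two problems across all scopes on a DHCP server, as an added example that is not part of the original page. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later) and a DHCP server named dhcp1.example.com; option 3 is checked at scope level only, so a gateway set at server level is reported as missing.

```powershell
# Added example (not from the original page): find DHCP scopes that are close
# to exhaustion, lack a default gateway option, or are not active. Assumes the
# DhcpServer PowerShell module (Windows Server 2012 or later) and a DHCP
# server named dhcp1.example.com (assumed name).
Import-Module DhcpServer

function Get-DhcpScopeProblems {
    param(
        [string] $Server      = 'dhcp1.example.com',   # assumed server name
        [int]    $WarnPercent = 90                     # utilisation threshold
    )
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Server) {
        $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $Server -ScopeId $scope.ScopeId
        # Option 3 is the router (default gateway) option; absent at scope
        # level, this returns nothing (the error is suppressed).
        $router = Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $scope.ScopeId -OptionId 3 -ErrorAction SilentlyContinue

        $problems = @()
        if ($stats.PercentageInUse -ge $WarnPercent) { $problems += "$($stats.PercentageInUse)% used, $($stats.Free) addresses free" }
        if (-not $router)                            { $problems += 'no default gateway (option 3) at scope level' }
        if ($scope.State -ne 'Active')               { $problems += "scope state is $($scope.State)" }

        if ($problems) {
            [pscustomobject]@{
                ScopeId  = $scope.ScopeId
                Name     = $scope.Name
                Problems = ($problems -join '; ')
            }
        }
    }
}

Get-DhcpScopeProblems | Format-Table -AutoSize
```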

What is the role responsible for time synchronization? The PDC Emulator is responsible for time synchronization: the PDC emulator of each domain is the time source for that domain, and the PDC emulator of the forest root domain is the time source for the whole forest. Time synchronization is important because Kerberos authentication depends on timestamps and rejects requests outside the allowed clock skew (5 minutes by default).

What is TTL and how do you set the TTL in DNS? TTL (Time to Live) is the length of time, in seconds, that a record may remain in a resolver's or caching server's cache after a name resolution. The zone's default (minimum) TTL is set in the SOA (Start of Authority) record of the zone; individual records can carry their own TTL.

What is the Recovery Console? The Recovery Console is a command-line utility used to recover a system that is not booting properly or not booting at all. From the Recovery Console we can:
• Copy, rename, or replace operating system files and folders
• Enable or disable service or device startup for the next time the computer starts
• Repair the file system boot sector or the Master Boot Record
• Create and format partitions on drives

What is RIS and what are its requirements? RIS (Remote Installation Services) is used to install the operating system remotely over the network.

Client requirements

• A PXE DHCP-based boot ROM version 1.00 or later on the NIC, or a network adapter that is supported by the RIS boot disk.
• The client must meet the minimum hardware requirements of the operating system being installed.

Software requirements

• The following network services must be active on the RIS server or on another server in the network:
• Domain Name System (DNS service)
• Dynamic Host Configuration Protocol (DHCP)
• Active Directory directory service

What are FSMO roles? The Flexible Single Master Operation (FSMO) roles are:

• Domain Naming Master
• Schema Master
• PDC Emulator
• Infrastructure Master
• RID Master

Brief all the FSMO Roles

Domain Naming Master and Schema Master are forest-level roles (one holder per forest). PDC Emulator, Infrastructure Master and RID Master are domain-level roles (one holder per domain). The first domain controller in the forest holds all five roles by default; later we can transfer the roles to other domain controllers.

Domain Naming Master: the Domain Naming Master is responsible for maintaining the relationships between the domains in the forest. Without this role it is not possible to add or remove any domain.

Schema Master: the schema contains the set of classes and attributes, e.g., user, computer and printer are object classes in AD, each with its own set of attributes. The Schema Master is the only domain controller that can write to the schema. Changes to the schema affect the entire forest and cannot be undone, so they should be tested before being applied.

PDC Emulator: the server performing this role acts as the PDC for Windows NT BDCs in a mixed-mode domain and synchronizes directory information from the Windows 2000 DCs to them. It receives password changes first (other DCs forward them to it, and a failed logon is retried against it before being rejected), so it holds the latest password information. This role is also responsible for time synchronization in the domain, and the forest root PDC emulator is the time source for the forest.
Infrastructure Master: it is responsible for updating references to objects that live in other domains, for example members of a group who belong to another domain. When such an object is renamed or moved, the Infrastructure Master updates the distinguished name stored in the referencing object (the group membership).

RID Master: the server performing this role provides pools of relative identifiers (RIDs) to the other domain controllers in the domain, so that every DC can create security principals with unique SIDs. A security principal's SID is the domain SID followed by a RID: SID = domain SID + RID, where the domain SID is common to all principals in the domain and the RID is unique for each principal.
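A worked illustration of SID = domain SID + RID, as an added example that is not part of the original page. It assumes the ActiveDirectory module for the live lookup; the first SID is a constructed sample. The security point it shows is that well-known RIDs such as 500 are fixed, so renaming the built-in Administrator account does not hide it from anyone who can look accounts up by SID.

```powershell
# Added example (not from the original page): split a SID into the domain SID
# and the RID, and show why the RID matters: RID 500 is always the built-in
# Administrator, whatever the account has been renamed to. Assumes the
# ActiveDirectory module for the live lookup; the first SID is a constructed sample.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)] [string] $SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # The RID is the last sub-authority; AccountDomainSid is everything before it.
    $rid = [uint32](($SidString -split '-')[-1])
    $meaning = switch ($rid) {
        500     { 'Administrator (built-in)' }
        501     { 'Guest (built-in)' }
        502     { 'krbtgt (KDC service account)' }
        512     { 'Domain Admins' }
        519     { 'Enterprise Admins (forest root domain only)' }
        default { if ($rid -ge 1000) { 'allocated from a RID pool' } else { 'other well-known RID' } }
    }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = $rid
        Meaning   = $meaning
    }
}

# Constructed sample SID: domain SID S-1-5-21-...-3333333333 with RID 500.
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-500'

# Live check: rebuild the Administrator SID from the real domain SID and look
# the account up by SID, which finds it even if it has been renamed.
$domainSid = (Get-ADDomain).DomainSID.Value
Get-ADUser -Identity "$domainSid-500" | Select-Object Name, SamAccountName, SID
```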

How to manually configure FSMO roles on separate DCs? The roles can be transferred in two ways:

Through MMC
The Domain Naming Master role is transferred through Active Directory Domains and Trusts; the Schema Master role through the Active Directory Schema snap-in (register it first with regsvr32 schmmgmt.dll); the other three roles through Active Directory Users and Computers (right-click the domain, then Operations Masters). In each console, connect to the domain controller that should receive the role before clicking Change.

Through the command prompt

Run NTDSUTIL, type roles, type connections, type connect to server SERVERNAME (where SERVERNAME is the domain controller that should receive the role), then type quit to return to the fsmo maintenance prompt. Type transfer ROLE, where ROLE is the role that you want to transfer; for the list of roles, type ? at the fsmo maintenance prompt and press ENTER. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator. Use seize ROLE instead of transfer only when the current holder is permanently unavailable, and never bring the old holder back online afterwards, because two DCs would then claim the same single-master role.
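The same tasks from PowerShell, as an added example that is not part of the original page. It assumes the ActiveDirectory module and a domain controller named dc2 in the current domain; the netdom command at the end is the equivalent check that also works on Windows Server 2003 with the Support Tools.

```powershell
# Added example (not from the original page): list the current FSMO role
# holders and move roles between domain controllers. Assumes the ActiveDirectory
# module and that 'dc2' is a DC in the same domain (assumed name).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide role
        PDCEmulator          = $domain.PDCEmulator           # domain role
        RIDMaster            = $domain.RIDMaster             # domain role
        InfrastructureMaster = $domain.InfrastructureMaster  # domain role
    }
}

Get-FsmoRoleHolders

# Graceful transfer: both DCs online, the current holder hands the role over.
Move-ADDirectoryServerOperationMasterRole -Identity 'dc2' -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure (-Force) is only for a holder that is permanently gone, the
# equivalent of ntdsutil 'seize'; never reconnect the old holder afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'dc2' -OperationMasterRole SchemaMaster -Force

Get-FsmoRoleHolders

# Equivalent check that also works on Windows Server 2003 with the Support Tools:
netdom query fsmo
```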

What is the difference between authoritative and non-authoritative restore?

In a non-authoritative restore, the directory information restored from backup is treated as old data: after the domain controller restarts, its replication partners bring it up to date based on the latest changes, so any object deleted after the backup was taken is deleted again. This is the normal way to recover a failed domain controller.

In an authoritative restore, the restored objects are marked authoritative (ntdsutil increments their version numbers so they are newer than any copy held by other DCs), so they replicate out to all domain controllers in the domain and overwrite the current data. This is used when an entire OU, or a single object, has been deleted on all domain controllers and must be brought back.

What is Active Directory defragmentation? Defragmentation of AD separates the used space from the empty space left by deleted objects and (only in offline defragmentation) reduces the size of the directory database file.

Difference between online and offline defragmentation? Online defragmentation is performed by the garbage collection process, which runs every 12 hours by default. It reclaims white space (space left by deleted objects, e.g., a deleted user) inside ntds.dit for reuse and improves the efficiency of AD while the domain controller is up and running, but it does not shrink the file.

Offline defragmentation is done manually by restarting the domain controller in Directory Services Restore Mode and running ntdsutil (files, then compact to a destination folder), which writes a new, compacted copy of ntds.dit. It is the only way to reduce the file size of the directory database; the efficiency is otherwise the same as after online defragmentation. Take a System State backup first and run an integrity check on the compacted file before replacing the original.
What is the tombstone period? Tombstones are objects marked for deletion. After an object is deleted in AD it is not removed permanently: it is stripped of most of its attributes, marked as deleted (a tombstone), moved to the Deleted Objects container, and replicated to all DCs in that state. After the tombstone lifetime, 60 days by default (180 days for forests created on Windows Server 2003 SP1 or later; configurable through the tombstoneLifetime attribute), garbage collection removes the object permanently from each DC. A backup older than the tombstone lifetime cannot be used to restore a domain controller.
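Reading the configured tombstone lifetime and using it to decide whether a backup is still usable, as an added example that is not part of the original page. It assumes the ActiveDirectory module; the backup date passed at the end is a constructed sample.

```powershell
# Added example (not from the original page): read the forest's tombstone
# lifetime and decide whether a given System State backup is still usable for
# an Active Directory restore. Assumes the ActiveDirectory module; the backup
# date below is a constructed sample.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    # When the attribute is not set, Windows uses 60 days. Forests created on
    # Windows Server 2003 SP1 or later have it explicitly set to 180.
    if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
}

function Test-AdBackupUsable {
    param([Parameter(Mandatory)] [datetime] $BackupDate)
    $lifetime = Get-TombstoneLifetimeDays
    $ageDays  = ((Get-Date) - $BackupDate).Days
    [pscustomobject]@{
        BackupDate    = $BackupDate
        AgeDays       = $ageDays
        TombstoneDays = $lifetime
        # A DC restored from a backup older than the tombstone lifetime could
        # reintroduce objects the rest of the forest has already purged, so
        # Windows refuses such a restore; treat the backup as expired.
        Usable        = ($ageDays -lt $lifetime)
    }
}

# Constructed sample: a backup taken 45 days ago.
Test-AdBackupUsable -BackupDate (Get-Date).AddDays(-45)
```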

How to deploy patches, and what software is used for this process? Using an SUS (Software Update Services) server we can deploy patches to all clients in the network. On the server we need to configure the option "Synchronize with Microsoft software update server" and schedule the synchronization time, then approve each new update as required. Approved updates are then deployed to the clients. Clients are pointed at the SUS server either by editing the registry manually or through Group Policy, by adding the WUAU administrative template (wuau.adm) to the GPO.

What is Clustering? Briefly define and explain it. Clustering is a technology used to provide high availability for mission-critical applications. A server cluster is configured by installing the Microsoft Cluster Service (MSCS) component from Add/Remove Programs; it is available only in Enterprise Edition and Datacenter Edition.

In Windows we can configure two types of clusters:

NLB (Network Load Balancing) cluster, for balancing load between servers that run the same stateless service. NLB keeps the service reachable when one node fails, but it does not fail over application state or shared data, so it is usually used for edge servers such as web or proxy servers.

Server Cluster: this provides high availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node is active and one node is standby. When the active server fails, the application fails over to the standby server automatically. When the original server comes back, we need to fail the application back to it (failback can also be scheduled).

Quorum: shared storage provided to all servers in the cluster that keeps the cluster configuration and the state of the clustered applications, and is used to decide which node owns the resources in a failover situation. It is very important: if the quorum disk fails, the entire cluster fails.

Heartbeat: the heartbeat is a private network connection between the servers in the cluster, used to identify the status of the other servers in the cluster. If the heartbeat network is lost while the nodes are still running, each node may believe the other has failed, so it should be a dedicated link.

How to configure SNMP? SNMP is configured by installing the SNMP service from Monitoring and Management Tools in Add/Remove Programs. For SNMP management programs (e.g., Dell OpenManage) to communicate with the agent, a common community name must be configured on the machines involved. This is done from services.msc, SNMP Service, Security tab. The community name is sent in clear text in SNMPv1 and v2c and acts as a password, so do not keep the default "public", give the community READ ONLY rights unless writes are really needed, and use "Accept SNMP packets from these hosts" to limit which management stations the agent will answer.

Is it possible to rename the domain name, and how? In Windows 2000 it is not possible. In Windows Server 2003 it is possible with the domain rename tool (rendom.exe), which rewrites the domain names of the forest in a controlled multi-step procedure; it requires the forest to be at the Windows Server 2003 forest functional level and every domain controller to be rebooted. Renaming a domain controller itself is done with netdom computername, not from My Computer properties.
What is an SOA record? SOA is the Start of Authority record, the first record in a zone. It names the primary name server and the responsible person for the zone, and holds the zone's serial number and the refresh, retry, expire and minimum (default) TTL intervals that secondary servers and resolvers use.

What is a Stub zone and what is the use of it. Stub zones are a new feature of
DNS in Windows Server 2003 that can be used to streamline name resolution,
especially in a split namespace scenario. They also help reduce the amount of
DNS traffic on your network, making DNS more efficient especially over slow
WAN links.

What is ASR (Automated System Recovery) and how to implement it? ASR is a
two-part system; it includes ASR backup and ASR restore. The ASR Wizard,
located in Backup, does the backup portion. The wizard backs up the system
state, system services, and all the disks that are associated with the operating
system components. ASR also creates a file that contains information about the
backup, the disk configurations (including basic and dynamic volumes), and
how to perform a restore.

You can access the restore portion by pressing F2 when prompted in the text-
mode portion of setup. ASR reads the disk configurations from the file that it
creates. It restores all the disk signatures, volumes, and partitions on (at a
minimum) the disks that you need to start the computer. ASR will try to restore
all the disk configurations, but under some circumstances it might not be able
to. ASR then installs a simple installation of Windows and automatically starts a
restoration using the backup created by the ASR Wizard.

What are the different levels at which we can apply Group Policy? Group Policy is applied at the local computer, Site, Domain and OU levels, processed in that order, so a setting in an OU-linked GPO overrides the same setting in a domain-linked GPO unless the higher link is marked Enforced (No Override).

What is Domain Policy, Domain Controller Policy, Local Policy and Group Policy? The Default Domain Policy is a GPO linked to the domain, so it applies to all computers and users in the domain; account policies (password, lockout and Kerberos settings) take effect only from here. The Default Domain Controllers Policy is a GPO linked to the Domain Controllers OU, so it applies only to domain controllers; the domain controller security settings, such as user rights on DCs, are defined in it. Local policy is stored on the individual machine and affects that computer only; it is applied first and overridden by any conflicting Site, Domain or OU policy. Group Policy is the general mechanism: a GPO is a collection of settings linked to a site, domain or OU.

What is the use of SYSVOL FOLDER? Policies and scripts saved in SYSVOL
folder will be replicated to all domain controllers in the domain. FRS (File
replication service) is responsible for replicating all policies and scripts.

What is folder redirection? Folder Redirection is a user Group Policy setting. Once you create the GPO and link it to the appropriate site, domain or OU, an administrator can designate which folders to redirect and where. To do this, the administrator navigates to the following location in the Group Policy Object:

User Configuration\Windows Settings\Folder Redirection

In the Properties of the folder, you can choose Basic or Advanced folder redirection and designate the server file system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, allowing the system to create a new redirected folder for each user to whom the policy object applies.

Features of windows2003

Automated System Recovery (ASR) provides a facility to get Windows Server 2003 systems back up and running quickly after a failure occurs.

Internet Information Services 6.0 (not installed by default): highly secured and locked down by default, with a new architectural model that includes features such as worker process isolation and a metabase stored in XML format.

Saved Queries: Active Directory Users and Computers now includes a new node
named Saved Queries, which allows an administrator to create a number of
predefined queries that are saved for future access.

Group Policy Management Console (GPMC) is a new tool for managing Group Policy in Windows Server 2003. While Group Policy-related elements have typically been found across a range of tools, such as Active Directory Users and Computers, the Group Policy MMC snap-in, and others, GPMC acts as a single consolidated environment for carrying out Group Policy-related tasks.

With the RSoP tool, the administrator can generate a query that processes all the applicable Group Policy settings for a user on the local computer or on another computer on the network. After processing the query, RSoP presents the exact Group Policy settings that apply to that user, as well as the source Group Policy object that is responsible for each setting.

Remote Desktop: in Windows Server 2003, Terminal Services Remote Administration mode is known as Remote Desktop. Remote Desktop connections are enabled via the Remote tab in the System applet in Control Panel. When connecting to a terminal server using an RDP 5.1 client, many local resources are available within the remote session, including the client file system, smart cards, audio (output), serial ports, printers (including network printers), and the clipboard.

Cross-Forest Trust Relationships: Windows Server 2003 supports cross-forest transitive trust relationships to allow users in one forest to access resources in any domain in another forest, and vice versa.

Domain Renaming & Domain Controller renaming is possible.

Universal Group Membership Caching: Windows Server 2003 introduces a new feature aimed at reducing the need for global catalog servers at every remote location. Universal group membership caching can be enabled on selected domain controllers (per site), making them capable of caching universal group membership information locally, so that users can log on when no global catalog is reachable, without the DC being a full-fledged global catalog server.
Volume shadow copies of shared folders: this feature makes point-in-time copies of user data so that previous versions are easily accessible in cases where a user has accidentally deleted or overwritten a file.

Application Directory Partitions: every domain controller in an Active Directory forest has a copy of the schema partition, which defines the object types that can be created and their associated properties. Similarly, all domain controllers in the forest hold a copy of the configuration partition, which holds information about sites and services. Within a domain, all domain controllers hold a copy of the domain partition, which includes information about the objects within that particular domain only.

The application directory partition is new. It is unique in that it allows directory information to be replicated to certain domain controllers only, on an as-necessary basis. Specifically designed for directory-enabled applications and services (for example, AD-integrated DNS zones), application directory partitions can contain any type of object, with the exception of security principals such as user, computer, or security group accounts.

Distributed File System: DFS is enhanced for Windows Server 2003, Enterprise
Edition and Windows Server, Datacenter Edition by allowing multiple DFS roots
on a single server. You can use this feature to host multiple DFS roots on a
single server, reducing administrative and hardware costs of managing multiple
namespaces and multiple replicated namespaces.

Improvements in Clustering:
In Datacenter Edition, the maximum supported cluster size has been increased
from 4-nodes in Windows 2000, to 8-nodes in Windows Server 2003.
In Enterprise Edition, the maximum supported cluster size has been increased
from 2-nodes in Windows 2000 Advanced Server to 8-nodes in Windows Server
2003.

Server clusters running Windows Server 2003, Enterprise Edition or Datacenter Edition integrate with the Microsoft Active Directory service.
This integration ensures that a "virtual" computer object is registered in Active Directory. This allows applications to use Kerberos authentication and delegation to highly available services running in a cluster. The computer object also provides a default location for Active Directory-aware services to publish service connection points.

Server clusters are fully supported on computers running the 64-bit versions of
Windows Server 2003. Windows Server 2003 supports Encrypting File System
(EFS) on clustered (shared) disks.

RIS server supports deploying all editions of Windows 2000, Windows XP Professional, and all editions of Windows Server 2003 (except Windows 2000 Datacenter Server and Windows Server 2003, Datacenter Edition). In addition, administrators can use RIS servers with Risetup to deploy Windows XP 64-bit Edition and the 64-bit versions of Windows Server 2003.

Point-to-Point Protocol over Ethernet (PPPoE): Windows Server 2003 delivers a native PPPoE driver for making broadband connections to certain Internet service providers (ISPs) without the need for additional software.
Small businesses or corporate branch offices may also utilize PPPoE's demand-dial capabilities to integrate with the Routing and Remote Access service and NAT.

Internet Connection Firewall (ICF): ICF, designed for use in a small business,
provides basic protection on computers directly connected to the Internet or
on local area network (LAN) segments. ICF is available for LAN, dial-up, VPN, or
PPPoE connections. ICF integrates with ICS or with the Routing and Remote
Access service.

Open File Backup: The backup utility included with Windows Server 2003 now
supports “open file backup”. In Windows 2000, files had to be closed before
initiating backup operations. Backup now uses shadow copies to ensure that
any open files being accessed by users are also backed up.(Need to modify
some registry keys)

Stub Zones: This is introduced in windows 2003 DNS. A stub zone is like a
secondary zone in that it obtains its resource records from other name servers
(one or more master name servers). A stub zone is also read-only like a
secondary zone, so administrators can’t manually add, remove, or modify
resource records on it. First, while secondary zones contain copies of all the
resource records in the corresponding zone on the master name server, stub
zones contain only three kinds of resource records:
a. A copy of the SOA record for the zone.
b. Copies of NS records for all name servers authoritative for the zone.
c. Copies of (glue)A records for all name servers authoritative for the zone.

That’s it–no CNAME records, MX records, SRV records, or A records for other
hosts in the zone. So while a secondary zone can be quite large for a big
company’s network, a stub zone is always very small, just a few records. This
means replicating zone information from master to stub zone adds almost nil
DNS traffic to your network as the records for name servers rarely change
unless you decommission an old name server or deploy a new one.
Difference between NT & 2000

The Windows NT SAM database is a flat database, whereas the Windows 2000 Active Directory database is a hierarchical database.

In Windows NT only the PDC has a writable copy of the SAM database; a BDC has only a read-only copy. In Windows 2000 both the DC and the ADC have a writable copy of the database (multi-master replication).

Windows NT will not support FAT32 file system. Windows 2000 supports FAT32.
Default authentication protocol in NT is NTLM (NT LAN manager). In windows
2000 default authentication protocol is Kerberos V5.

Features introduced in Windows 2000 that are not in Windows NT:

NTFS v5 supports disk quotas.
Remote Installation Service.
Built-in VPN & NAT support.
IPv6 support (only as a separately downloadable technology preview stack, not part of the base operating system).
USB support.
Distributed File System.
Clustering support.
ICS (Internet Connection Sharing).

Difference between PDC & BDC: the PDC holds the writable copy of the SAM database, whereas a BDC holds a read-only copy. It is not possible to reset a password without the PDC in Windows NT, but both can participate in user authentication. If the PDC fails, we have to manually promote a BDC to PDC from Server Manager.

Difference between DC & ADC: there is no difference between a DC and an ADC (additional domain controller); both contain a writable copy of AD, and both can hold FSMO roles (if transferred from the first DC). Functionally they are identical; the ADC exists for load balancing and redundancy. If two physical sites separated by a WAN link belong to the same domain, it is better to place an ADC in the second site and let it act as the domain controller for that site. This reduces WAN traffic and improves user authentication performance.

What is DNS & WINS? DNS (Domain Name System) is used to resolve host names to IP addresses and IP addresses back to host names. It uses fully qualified domain names (FQDNs), which can be up to 255 characters long. DNS is an Internet standard used to resolve host names.

WINS (Windows Internet Name Service) resolves NetBIOS names to IP addresses and IP addresses back to NetBIOS names. It is proprietary to Microsoft and meant for Windows only. NetBIOS names are limited to 15 characters (the 16th byte identifies the service type).

What happens to the client if the DHCP server is not available? When a client tries to obtain an IP address for the first time and no DHCP server answers, it assigns itself an address from the APIPA (Automatic Private IP Addressing) range 169.254.0.0 - 169.254.255.255 and keeps retrying DHCP in the background; an APIPA address has no default gateway, so the client can only reach its local subnet. If the client already has a lease, it keeps using that address until the lease expires (it tries to renew at 50% and again at 87.5% of the lease period) and only then falls back to APIPA.

What are the different types of trust relationships?

Implicit trusts - established automatically, for example between a parent domain and its child domain in a forest.
Explicit trusts - built manually by an administrator, for example NT to Win2k or forest to forest.
Transitive - if A trusts B and B trusts C, then A trusts C.
Non-transitive - if A trusts B and B trusts C, A does not trust C.
One way - trust in one direction only.
Two way - trust in both directions.

Windows Server 2003 Active Directory supports the following types of trust
relationships:
Tree-root trust Tree-root trust relationships are automatically established
when you add a new tree root domain to an existing forest. This trust
relationship is transitive and two-way.

Parent-child trust Parent-child trust relationships are automatically established when you add a new child domain to an existing tree. This trust relationship is also transitive and two-way.
Shortcut trust Shortcut trusts are trust relationships that are manually created
by systems administrators. These trusts can be defined between any two
domains in a forest, generally for the purpose of improving user logon and
resource access performance. Shortcut trusts can be especially useful in
situations where users in one domain often need to access resources in
another, but a long path of transitive trusts separates the two domains. Often
referred to as cross-link trusts, shortcut trust relationships are transitive and
can be configured as one-way or two-way as needs dictate.
Realm trust Realm trusts are manually created by systems administrators
between a non–Windows
Kerberos realm and a Windows Server 2003 Active Directory domain. This type
of trust relationship provides cross-platform interoperability with security
services in any Kerberos version 5 realm, such as a UNIX implementation.
Realm trusts can be either transitive or non-transitive, and one-way or two-way
as needs dictate.
External trust External trusts are manually created by systems administrators
between Active Directory domains that are in different forests, or between a
Windows Server 2003 Active Directory domain and a Windows NT 4.0 domain.
These trust relationships provide backward compatibility with Windows NT 4.0
environments, and communication with domains located in other forests that
are not con-figured to use forest trusts. External trusts are nontransitive and
can be configured as either one-way or two-way as needs dictate.
Forest trust Forest trusts are trust relationships that are manually created by
systems administrators between forest root domains in two separate forests. If
a forest trust relationship is two-way, it effectively allows authentication
requests from users in one forest to reach another, and for users in either
forest to access resources in both. Forest trust relationships are transitive
between two forests only and can be configured as either one-way or two-way
as needs dictate.

By default implicit two way transitive trust relationships establish between all
domains in the windows 2000/2003 forest.
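A script that enumerates the trusts of the current domain and classifies each one using the types described above, as an added example that is not part of the original page. It assumes the ActiveDirectory module. The SID-filtering column is an addition beyond the page: on an external or forest trust, SID filtering stops the trusted side from injecting arbitrary SIDs (via SID history) into a user's token, so a $false value there deserves attention.

```powershell
# Added example (not from the original page): enumerate the trusts of the
# current domain and classify each one by the trust types described above.
# Assumes the ActiveDirectory module. The SidFiltering column is an addition
# beyond the page (see lead-in).
Import-Module ActiveDirectory

function Get-TrustSummary {
    foreach ($t in Get-ADTrust -Filter * -Properties *) {
        $kind = switch ($true) {
            { $t.IntraForest }               { 'Intra-forest (parent-child, tree-root or shortcut)'; break }
            { $t.ForestTransitive }          { 'Forest trust'; break }
            { $t.TrustType -eq 'MIT' }       { 'Realm trust (non-Windows Kerberos)'; break }
            { $t.TrustType -eq 'Downlevel' } { 'External trust to a Windows NT 4.0 domain'; break }
            default                          { 'External trust (non-transitive)' }
        }
        [pscustomobject]@{
            Partner      = $t.Name
            Direction    = $t.Direction        # Inbound, Outbound or BiDirectional
            Kind         = $kind
            Transitive   = ($t.IntraForest -or $t.ForestTransitive)
            # Quarantine applies to external trusts, forest-aware filtering to
            # forest trusts; either one means SID history from the other side
            # is discarded.
            SidFiltering = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
            Selective    = $t.SelectiveAuthentication
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize
```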

What is the process by which a DHCP client obtains an IP address?

Discover - The client broadcasts a DHCPDISCOVER packet to find DHCP servers.
Offer - Each server that can serve the client offers an address (DHCPOFFER).
Request - The client broadcasts a DHCPREQUEST for the offered address to the chosen server; the other servers withdraw their offers.
Acknowledge - The server sends a DHCPACK confirming the lease and its options.

NACK - If the requested address cannot be granted (for example the client asks to renew a lease that has expired or been reassigned, or the address belongs to a different subnet because the client has moved), the server sends a negative acknowledgement (DHCPNAK) and the client starts again with Discover.

DHCP server uses UDP port 67

DHCP client uses UDP port 68

Brief explanation of RAID Levels

A volume is a storage unit made from free space on one or more disks. It can
be formatted with a file system and assigned a drive letter. Volumes on
dynamic disks can have any of the following layouts: simple, spanned,
mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region
on a disk or consist of multiple, concatenated regions. A simple volume can be
extended within the same disk or onto additional disks. If a simple volume is
extended across multiple disks, it becomes a spanned volume.

A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks.
A spanned volume cannot be mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-

The system volume contains the hardware-specific files that are needed to
load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system
volume can be, but does not have to be, the same as the boot volume.

The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

RAID 0 – Striping

RAID 1- Mirroring (minimum 2 HDD required)

RAID 5 – Striping With Parity (Minimum 3 HDD required)

Only RAID levels 1 and 5 provide redundancy; RAID 0 improves performance, but the failure of any single disk loses the whole volume.

What is the process of user authentication (Kerberos V5) in Windows 2000?

After the user enters logon credentials, a key derived from the password is used to encrypt the timestamp of the client machine. The user name and the encrypted timestamp are sent to the domain controller for authentication. The domain controller decrypts the timestamp using the password information stored in AD for that user; if the decrypted timestamp matches its own clock within the allowed skew, it issues the logon session key and the ticket-granting ticket together with the account information.

What is a Global Catalog server?

A Global Catalog server is a domain controller that stores a partial replica of every object in the forest: a full copy of its own domain partition and a read-only, partial-attribute copy of every other domain partition. The Global Catalog is the master searchable index for all objects in the forest.

Can the GC and the Infrastructure Master be placed on a single server? If not, explain why.
Not in a multi-domain forest, unless every domain controller in the domain is also a global catalog. The Infrastructure Master updates references to objects in other domains by comparing its own data with the global catalog; if it is itself a GC it always holds current data, never detects a stale reference, and therefore never updates them. In a single-domain forest, or where all DCs are GCs, the placement does not matter.

What is the size of the log files created before updates are written to ntds.dit, and how many are there?
Three log files by default:
Edb.log (the current transaction log)
Res1.log
Res2.log (reserved logs, used only if the disk fills so that pending transactions can still be written)
Each is initially 10 MB. When Edb.log fills, it is renamed (edb00001.log and so on) and a new Edb.log is started; with the default circular logging, old logs are removed once their transactions are committed to ntds.dit.

What does SYSVOL contains? SysVol Folder contains the public information of
the domain & the information for replication
Ex: Group policy object & scripts can be found in this directory.

Which service in Windows is responsible for replication from one domain controller to another?
The KCC (Knowledge Consistency Checker), part of the directory service (NTDS), generates the replication topology. Replication itself is performed by the directory service over RPC (RPC over IP, for both intrasite and intersite replication). SMTP can be used as an intersite transport, but only for the schema, configuration and application partitions, not for the domain partition.

How does data travel between sites in ADS replication?

Over the site links configured in Active Directory Sites and Services, between the bridgehead servers chosen in each site, according to the cost and schedule set on the site link.

What are the port numbers for SMTP, Kerberos, LDAP and the GC server?
SMTP 25, Kerberos 88, LDAP 389, GC 3268 (LDAP over SSL uses 636 and GC over SSL 3269). Port 53 is DNS, not LDAP.

What is intrasite and intersite replication?

Intrasite replication is replication between domain controllers within the same site; intersite replication is replication between sites. Intrasite replication is uncompressed and triggered by change notification, whereas intersite replication is compressed and runs on the site link schedule.

What is the Lost and Found folder in ADS?

It is the container where Active Directory places objects that could not be put in their intended location because of a replication conflict.
Ex: you create a user in an OU on one DC while the same OU is deleted on another DC; when replication happens, ADS cannot find the parent OU, so it puts the user in the LostAndFound container.

What is garbage collection?

Garbage collection is the process that runs on every domain controller every 12 hours by default. It removes tombstones whose tombstone lifetime has expired, deletes log files that are no longer needed, and performs online defragmentation of the Active Directory database.

What does System State data contain?

Boot (startup) files
Registry
COM+ Class Registration database
System files protected by Windows File Protection
Active Directory database (on a domain controller)
SYSVOL folder (on a domain controller)
Cluster Service information (on a cluster node)
Certificate Services database (on a certification authority)
The memory page file is not part of System State; it is recreated at boot.

How do you restore a particular OU which was deleted accidentally?

Perform an authoritative restore: restart a domain controller in Directory Services Restore Mode, restore System State from a backup taken within the tombstone lifetime, then in ntdsutil run authoritative restore and restore subtree with the distinguished name of the OU. The restored OU and its contents then replicate back to the other domain controllers instead of being deleted again.

What is an IPSec policy?

An IPsec policy is a set of rules (IP filter lists, filter actions and authentication methods) that determines which IP traffic is blocked, permitted, or must be protected with AH or ESP, and how the peers authenticate (Kerberos, certificates, or a pre-shared key). IPsec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPsec tunnels or pure IPsec tunnel mode, as well as host-to-host protection on the LAN.
IPsec policies can be deployed via Group Policy to domain controllers, servers and workstations, or assigned locally; only one policy can be assigned to a computer at a time.

What is the order of applying Group Policy?

Local Policy.
Site Policy.
Domain Policy.
OU Policy.
Later policies override earlier ones on conflict (LSDOU), except where a link is marked Enforced (No Override) or a container has Block Policy Inheritance.

What are the new features in Windows 2003 related to ADS, replication and trusts? ADS: groups can have more than 5000 members, because at the Windows Server 2003 forest functional level group membership is replicated per member (linked-value replication) instead of as a single attribute value. Replication: linked-value replication also reduces replication traffic, and universal group membership caching removes the need for a global catalog at every site. Trusts: forest trusts between separate forests.

How to edit the schema in ADS? With the Active Directory Schema MMC snap-in (register it first with regsvr32 schmmgmt.dll) connected to the Schema Master, or at a lower level with ADSI Edit. The account must be a member of the Schema Admins group.

What is a Domain Local, Global and Universal group?

Domain Local groups are used to grant permissions to resources in the domain where they are defined. Their members can include accounts, global groups and universal groups from any domain in the forest, and other domain local groups from the same domain.
Global groups are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and other global groups from the domain in which they are defined.
Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of universal groups can include accounts, global groups and other universal groups from any domain in the domain tree or forest; their membership is stored in the global catalog.

What are the different types of Terminal Services? Remote Administration mode (called Remote Desktop for Administration in Windows Server 2003; two concurrent connections, no Terminal Services licensing required) and Application Server mode (Terminal Server for running applications for many users; requires Terminal Services CALs).

What is meant by root DNS servers? The root servers are the public DNS servers on the Internet that are authoritative for the root (".") zone. They do not hold ordinary name registrations; they refer resolvers to the name servers for the top-level domains (com, net, org and so on), which in turn refer to the servers for individual domains. A Windows DNS server finds them through its root hints.

What is an SOA record?

Start of Authority: the record that identifies the primary (authoritative) DNS server for the zone and carries the zone's serial number and timer values.

How do down-level clients register their names with the DNS server?
Down-level clients (Windows 9x, Windows NT 4.0) cannot register themselves dynamically. Either the DHCP server is configured to register A and PTR records on their behalf (the DNS dynamic update settings on the DHCP scope or server), or WINS lookup integration is enabled on the DNS zone so that queries for names not found in the zone are forwarded to WINS.

What is RsOP?
RsOP is the resultant set of policy applied on the object (Group Policy)
What is default lease period for DHCP Server? 8 days Default

What is the process of DHCP clients for getting the ip address?


Discover - Offer - Request - Acknowledge (DORA): the client broadcasts a
Discover, every DHCP server that hears it answers with an Offer, the client
broadcasts a Request for the offer it accepts, and that server confirms the
lease with an Acknowledge.

What is multicast? Multicast scopes enable you to lease Class D IP addresses to


clients for participation in multicast transmissions, such as streaming video and
audio transmissions.

What is superscope? Superscopes enable you to group several standard DHCP


scopes into a single administrative group without causing any service disruption
to network clients.

What is the System Startup process? Windows 2K boot process on a Intel


architecture.

• Power-On Self Tests (POST) is run.


• The boot device is found, the Master Boot Record (MBR) is loaded into
memory, and its program is run.
• The active partition is located, and the boot sector is loaded.
• The Windows 2000 loader (NTLDR) is then loaded.

The boot sequence executes the following steps:

• The Windows 2000 loader switches the processor to the 32-bit flat
memory model.
• The Windows 2000 loader starts a mini-file system.
• The Windows 2000 loader reads the BOOT.INI file and displays the
operating system selections (boot loader menu).
• The Windows 2000 loader loads the operating system selected by the
user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other
operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
• NTDETECT.COM scans the hardware installed in the computer, and
reports the list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE\HARDWARE hive.
• NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware
information collected by NTDETECT.COM. Windows NT enters the
Windows load phases.

What is WINS hybrid & mixed mode? Systems that are configured to use WINS
are normally configured as a hybrid (H-node) client, meaning they attempt to
resolve NetBIOS names via a WINS server and then try a broadcast (B-node) if
WINS is unsuccessful. Most systems can be configured to resolve NetBIOS names
in one of four modes:

Broadcast (B-node) - Clients use a broadcast only to resolve names. An


enhanced B-node setting has the client use an LMHOSTS file as well. The hex
value for this setting is 0x1.
Peer-to-Peer (P-node) - Clients use WINS only to resolve names. The hex value
for this setting is 0x2.
Mixed (M-node) - Clients first use a broadcast in an attempt to resolve NetBIOS
names. If this fails, they attempt the resolution via the WINS server. The hex
value for this setting is 0x4.
Hybrid (H-node) - Clients first use the WINS service in an attempt to resolve
NetBIOS names. If this fails, they attempt the resolution via broadcast. The hex
value for this setting is 0x8.
The value is stored as NodeType under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.

What is Disk Quota? Disk Quota is the specifying the limits of usage on the
disks.

What is the port number for SMTP, Kerberos, LDAP, and GC Server? SMTP 25,
Kerberos 88, LDAP 389 (636 over SSL), Global Catalog 3268 (3269 over SSL).

What are some of the new tools and features provided by Windows Server
2008?
Windows Server 2008 provides a desktop environment similar to Microsoft Windows
Vista and includes tools also found in Vista, such as the new Windows Server
Backup snap-in and BitLocker drive encryption. It also provides the IIS 7 web
server, Windows Deployment Services, the Server Core installation option,
read-only domain controllers (RODCs) and Network Access Protection.

What are the different editions of Windows Server 2008? The entry-level
version of Windows Server 2008 is the Standard Edition. The Enterprise Edition
provides a platform for large enterprisewide networks. The Datacenter Edition
provides support for unlimited Hyper-V virtualization and advanced clustering
services. The Web Edition is a scaled-down version of Windows Server 2008
intended for use as a dedicated web server. The Standard, Enterprise, and
Datacenter Editions can be purchased with or without the Hyper-V
virtualization technology.

What two hardware considerations should be an important part of the


planning process for a Windows Server 2008 deployment? Any server on
which you will install Windows Server 2008 should have at least the minimum
hardware requirement for running the network operating system. Server
hardware should also be on the Windows Server 2008 Hardware Compatibility
List to avoid the possibility of hardware and network operating system
incompatibility.

How does the activation process differ on Windows Server 2008 as


compared to Windows Server 2003? You can select to have activation happen
automatically when the Windows Server 2008 installation is complete. Make
sure that the Automatically Activate Windows When I’m online check box is
selected on the Product Key page.

What are the options for installing Windows Server 2008?


You can install Windows Server 2008 on a server not currently configured with
NOS, or you can upgrade existing servers running Windows 2000 Server and
Windows Server 2003.

How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 has no Explorer shell. It is
managed locally from the command line (cmd.exe, netsh, and on 2008 R2 also
sconfig and PowerShell) and remotely with MMC snap-ins, Server Manager or
WinRM. The smaller footprint means fewer components to patch and a smaller
attack surface.
Which Control Panel tool enables you to automate the running of server
utilities and other applications?
The Task Scheduler enables you to schedule the launching of tools such as
Windows Backup and Disk Defragmenter.

What are some of the items that can be accessed via the System Properties
dialog box?
You can access virtual memory settings and the Device Manager via the System
Properties dialog box.

Which Windows Server utility provides a common interface for tools and
utilities and provides access to server roles, services, and monitoring and
drive utilities?
The Server Manager provides both the interface and access to a large number
of the utilities and tools that you will use as you manage your Windows server.

How are local user accounts and groups created?


Local user accounts and groups are managed in the Local Users and Groups
node in the Server Manager. Local user accounts and groups are used to provide
local access to a server.

When a child domain is created in the domain tree, what type of trust
relationship exists between the new child domain and the tree’s root
domain?
A child domain and its parent are joined by an automatic two-way transitive
(parent-child) trust. Because the trusts are transitive, the root domain and
every child domain trust each other, and resources in any domain in the tree
can be accessed by users in any domain in the tree, subject to permissions.

What is the primary function of domain controllers?


The primary function of domain controllers is to authenticate users and
computers (Kerberos and NTLM) and to hold a writable copy of the Active
Directory database. Domain controllers also provide the catalog of Active
Directory objects to users on the network over LDAP (and, on global catalog
servers, a partial replica of every domain in the forest).

What are some of the other roles that a server running Windows Server
2008 could fill on the network?
A server running Windows Server 2008 can be configured as a domain
controller, a file server, a print server, a web server, or an application server.
Windows servers can also have roles and features that provide services such as
DNS, DHCP, and Routing and Remote Access.

Which Windows Server 2008 tools make it easy to manage and configure a
server’s roles and features?
The Server Manager window enables you to view the roles and features
installed on a server and also to quickly access the tools used to manage these
various roles and features. The Server Manager can be used to add and remove
roles and features as needed.

What Windows Server 2008 service is used to install client operating


systems over the network? Windows Deployment Services (WDS) enables you
to install client and server operating systems over the network to any computer
with a PXE-enabled network interface.
What domain services are necessary for you to deploy the Windows
Deployment Services on your network?
Windows Deployment Services requires Active Directory Domain Services, a DHCP
server and a DNS server in the domain, plus an NTFS volume on the WDS server to
hold the image store.

How is WDS configured and managed on a server running Windows Server


2008?
The Windows Deployment Services snap-in enables you to configure the WDS
server and add boot and install images to the server.

What utility is provided by Windows Server 2008 for managing disk drives,
partitions, and volumes?
The Disk Manager provides all the tools for formatting, creating, and managing
drive volumes and partitions.

What is the difference between a basic and dynamic drive in the Windows
Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided
into partitions (simple volumes).
Dynamic disks consist of a single partition that can be divided into any number
of volumes. Dynamic disks also support Windows Server 2008 RAID
implementations.

What is RAID? RAID, or Redundant Array of Independent Disks, is a strategy for


building fault tolerance into your file servers. RAID enables you to combine one
or more volumes on separate drives so that they are accessed by a single drive
letter. Windows Server 2008 enables you to configure RAID 0 (a striped set),
RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

What is the most foolproof strategy for protecting data on the network?
A regular backup of network data provides the best method of protecting you
from data loss.

What conceptual model helps provide an understanding of how network


protocol stacks such as TCP/IP work?
The OSI model, consisting of the application, presentation, session, transport,
network, data link, and physical layers, helps describe how data is sent and
received on the network by protocol stacks.

What protocol stack is installed by default when you install Windows Server
2008 on a network server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is
required for Active Directory implementations and provides for connectivity on
heterogeneous networks.

When TCP/IP is configured on a Windows server (or domain client), what


information is required?
You must provide at least the IP address and the subnet mask to configure a
TCP/IP client for an IPv4 client, unless that client obtains this information
from a DHCP server. IPv6 clients configure a link-local address automatically;
the interface ID was traditionally derived from the MAC hardware address
(EUI-64), but Windows Vista and later generate a random interface ID by
default. IPv6 clients can also take addresses from router advertisements
(stateless autoconfiguration) or from DHCPv6.
What are two command-line utilities that can be used to check TCP/IP
configurations and IP connectivity, respectively?
The ipconfig command can be used to check a computer’s IP configuration and
also renew the client’s IP address if it is provided by a DHCP server. ping can
be used to check the connection between the local computer and any
computer on the network, using the destination computer’s IP address.

What term is used to refer to the first domain created in a new Active
Directory tree?
The first domain created in a tree is referred to as the root domain. Child
domains created in the tree share the same namespace as the root domain.

How is a server running Windows Server 2008 configured as a domain


controller, such as the domain controller for the root domain or a child
domain?
Installing the Active Directory on a server running Windows Server 2008
provides you with the option of creating a root domain for a domain tree or of
creating child domains in an existing tree. Installing Active Directory on the
server makes the server a domain controller.

What are some of the tools used to manage Active Directory objects in a
Windows Server 2008 domain?
When the Active Directory is installed on a server (making it a domain
controller), a set of Active Directory snap-ins is provided. The Active Directory
Users and Computers snap-in is used to manage Active Directory objects such as
user accounts, computers, and groups. The Active Directory Domains and Trusts
snap-in enables you to manage the trusts that are defined between domains.
The Active Directory Sites and Services snap-in provides for the management of
domain sites and subnets.

How are domain user accounts created and managed?


The Active Directory Users and Computers snap-in provides the tools necessary
for creating user accounts and managing account properties. Properties for
user accounts include settings related to logon hours, the computers to which a
user can log on, and the settings related to the user’s password.

What type of Active Directory objects can be contained in a group?


A group can contain users, computers, contacts, and other nested groups.

What type of group is not available in a domain that is running at the mixed-
mode functional level?
Universal security groups are not available in a Windows 2000 mixed-mode
domain (universal distribution groups are). The domain functional level must
be raised to Windows 2000 native or higher (Windows Server 2003 or Windows
Server 2008) to make these groups available.

What types of Active Directory objects can be contained in an


Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, and other
OUs. The Organizational Unit provides you with a container directly below the
domain level that enables you to refine the logical hierarchy of how your users
and other resources are arranged in the Active Directory.
What are Active Directory sites?
Active Directory sites represent the physical topology of the network: one or
more well-connected IP subnets, typically a LAN. Sites are independent of
domains; a domain can span many sites and a site can hold domain controllers
from several domains. You assign subnets to sites, and each domain controller
belongs to the site that contains its subnet. Domain controllers in the same
site replicate with each other almost immediately; replication between sites
goes over site links on a schedule and compressed, and clients use the site to
locate a nearby domain controller and global catalog server.

How can client computer accounts be added to the Active Directory?


Client computer accounts can be added through the Active Directory Users and
Computers snap-in. You can also create client computer accounts from the client
computer by joining it to the domain via the System Properties dialog box. This
requires an account that is allowed to create computer objects in the domain: a
member of Domain Admins or Account Operators, a user who has been delegated
that right on the OU, or, by default, any authenticated user for up to 10
computers (the ms-DS-MachineAccountQuota attribute, which many organizations
set to 0).

What firewall setting is required to manage client computers such as Vista


clients and Windows 2008 member servers?
The Windows Firewall must allow remote administration for a computer to be
managed remotely.

Can servers running Windows Server 2008 provide services to clients when
they are not part of a domain?
Servers running Windows Server 2008 can be configured to participate in a
workgroup. The server can provide some services to the workgroup peers but
does not get the security and management that domain membership provides
(centralized accounts, Kerberos authentication and Group Policy); every
workgroup server has its own local accounts to manage.

What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration
settings for Active Directory containers such as sites, domains, and OUs. GPOs
are linked to a particular container, and then individual policies and
administrative templates are enabled to control the environment for the users
or computers within that particular container.

What tools are involved in managing and deploying Group Policy?


GPOs and their settings, links, and other information such as permissions can
be viewed in the Group Policy Management snap-in.

How do you deal with Group Policy inheritance issues?


GPOs are inherited down through the Active Directory tree by default. You can
block the inheritance of settings from higher-level GPOs (for a particular
container such as an OU) by selecting Block Inheritance for that container. If
you want a higher-level GPO to override the GPOs linked directly to the
container, and to apply even where Block Inheritance is set, use Enforce on
the higher-level GPO link.
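An added example (not part of the original page) that models the rules described above and in the processing-order answer earlier: Local, Site, Domain, OU processing, Block Inheritance dropping non-enforced GPOs from above, and Enforced GPOs applied last with the highest-linked one winning. The containers, GPO names and settings are invented for illustration; it runs in any PowerShell without a domain.

```powershell
# Added example, not from the original page: a model of Group Policy precedence.
# Containers, GPO names and settings are invented; the rules are Group Policy's.
function Get-EffectivePolicy {
    param(
        [hashtable] $LocalSettings = @{},            # the Local GPO, always processed first
        [Parameter(Mandatory)] [object[]] $Levels   # Site, Domain, OU, child OU ... top to bottom
    )
    # Block Inheritance on a container discards non-enforced GPOs linked above it;
    # only the block nearest the target object matters.
    $blockAt = -1
    for ($i = 0; $i -lt $Levels.Count; $i++) { if ($Levels[$i].BlockInheritance) { $blockAt = $i } }

    $order    = @(@{ Name = 'Local GPO'; Settings = $LocalSettings })
    $enforced = @()
    $seq = 0
    for ($i = 0; $i -lt $Levels.Count; $i++) {
        $links = @($Levels[$i].Links)
        # Links are listed in GPMC link order: index 0 has the highest precedence
        # within its container, so it is processed last.
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            $link = $links[$j]
            if ($link.Enforced) {
                $enforced += [pscustomobject]@{ Level = $i; Seq = $seq++; Link = $link }
                continue
            }
            if ($i -lt $blockAt) { continue }   # blocked by a lower container
            $order += $link
        }
    }
    # Enforced GPOs are processed after everything else; among them the one linked
    # highest in the tree is processed last and therefore wins.
    $order += @($enforced | Sort-Object @{ Expression = 'Level'; Descending = $true }, Seq |
                   ForEach-Object { $_.Link })

    $winner = [ordered]@{}
    foreach ($gpo in $order) {
        foreach ($setting in $gpo.Settings.Keys) {
            $winner[$setting] = @{ Value = $gpo.Settings[$setting]; Gpo = $gpo.Name }   # last writer wins
        }
    }
    foreach ($setting in $winner.Keys) {
        [pscustomobject]@{ Setting = $setting; Value = $winner[$setting].Value; WinningGpo = $winner[$setting].Gpo }
    }
}

# Invented hierarchy: a blocked OU ("Lab") with an Enforced baseline at the domain.
$levels = @(
    @{ Name = 'Site HQ'; BlockInheritance = $false; Links = @(
        @{ Name = 'Site Proxy';            Enforced = $false; Settings = @{ ProxyServer = 'proxy-hq:8080' } }) }
    @{ Name = 'Domain contoso.com'; BlockInheritance = $false; Links = @(
        @{ Name = 'Default Domain Policy'; Enforced = $false; Settings = @{ ScreenSaverTimeout = 900; Wallpaper = 'corp.jpg' } }
        @{ Name = 'Security Baseline';     Enforced = $true;  Settings = @{ ScreenSaverTimeout = 600; AuditLogon = $true } }) }
    @{ Name = 'OU Workstations'; BlockInheritance = $false; Links = @(
        @{ Name = 'Workstation Apps';      Enforced = $false; Settings = @{ ProxyServer = 'proxy-corp:3128' } }) }
    @{ Name = 'OU Lab'; BlockInheritance = $true; Links = @(
        @{ Name = 'Lab Relaxed';           Enforced = $false; Settings = @{ ScreenSaverTimeout = 3600; ProxyServer = 'none' } }) }
)
Get-EffectivePolicy -LocalSettings @{ ScreenSaverTimeout = 1800; Wallpaper = 'local.jpg' } -Levels $levels |
    Format-Table -AutoSize
```

Running it shows why Block Inheritance is not a security boundary: the Lab OU drops the site, domain and parent-OU GPOs (Wallpaper falls back to the Local GPO, ProxyServer comes from Lab Relaxed), but the Enforced Security Baseline still wins ScreenSaverTimeout and still delivers AuditLogon. gpresult /r on a real machine lists the same result under "Applied Group Policy Objects".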

How can you make sure that network clients have the most recent Windows
updates installed and have other important security features such as the
Windows Firewall enabled before they can gain full network access?
You can configure a Network Policy Server (a service available in the Network
Policy and Access Services role) with Network Access Protection (NAP) health
policies. The NPS compares the client's statement of health (update level,
firewall state, antivirus status) against system health validators and grants
full, restricted or remediation-only network access accordingly.

What is the purpose of deploying local DNS servers?


A domain DNS server provides for the local mapping of fully qualified domain
names to IP addresses. Because the DNS is a distributed database, the local DNS
servers can provide record information to remote DNS servers to help resolve
remote requests related to fully qualified domain names on your network.

What types of zones would you want to create on your DNS server so that
both queries to resolve hostnames to IP addresses and queries to resolve IP
addresses to hostnames are handled successfully?
You would create both a forward lookup zone and a reverse lookup zone on
your Windows Server 2008 DNS server.

What tool enables you to manage your Windows Server 2008 DNS server?
The DNS snap-in enables you to add or remove zones and to view the records in
your DNS zones. You can also use the snap-in to create records such as a DNS
resource record.

In terms of DNS, what is a caching-only server? A caching-only DNS server hosts
no zones. It answers queries from its cache and otherwise resolves them
recursively, either from the root hints or, more commonly, through configured
forwarders. Because it is not authoritative for anything it generates no zone
transfer traffic, which makes it a good fit for branch offices and for
resolvers that should not expose zone data.
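An added example (not part of the original page) that builds the forward and reverse zones discussed above, creates a record with its PTR, shows the SOA fields and configures forwarders, using the DnsServer module (Windows Server 2012 and later) and Resolve-DnsName from the DnsClient module. The zone name, network and addresses are assumptions.

```powershell
# Added example, not from the original page. Run on a DC that hosts DNS with the
# DnsServer module (Windows Server 2012+). Zone, network and addresses are assumed.
Import-Module DnsServer

# Forward lookup zone, AD-integrated, accepting only secure dynamic updates so that
# a record can be overwritten only by the computer account that created it.
Add-DnsServerPrimaryZone -Name 'corp.contoso.com' -ReplicationScope Domain -DynamicUpdate Secure

# Reverse lookup zone for 10.0.1.0/24 (created as 1.0.10.in-addr.arpa).
Add-DnsServerPrimaryZone -NetworkId '10.0.1.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# An A record whose PTR is written into the reverse zone at the same time.
Add-DnsServerResourceRecordA -ZoneName 'corp.contoso.com' -Name 'fs01' -IPv4Address 10.0.1.20 -CreatePtr

# The SOA record: primary server, responsible mailbox, serial and the zone timers.
Get-DnsServerResourceRecord -ZoneName 'corp.contoso.com' -RRType Soa |
    Select-Object -ExpandProperty RecordData |
    Format-List PrimaryServer, ResponsiblePerson, SerialNumber, RefreshInterval, RetryDelay, ExpireLimit, MinimumTimeToLive

# Root hints are used when a name matches no local zone and no forwarder is set.
Get-DnsServerRootHint | Select-Object -First 3

# Forwarders: on a caching-only server (no zones) this is the whole configuration.
Add-DnsServerForwarder -IPAddress 10.0.1.10, 10.0.1.11

# Check both directions against this server.
Resolve-DnsName -Name fs01.corp.contoso.com -Type A   -Server localhost
Resolve-DnsName -Name 10.0.1.20              -Type PTR -Server localhost
```

The -DynamicUpdate Secure choice is the one worth remembering: a zone set to NonsecureAndSecure lets any host on the network register or overwrite records, which is a straightforward way to hijack a name.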

How the range of IP addresses is defined for a Windows Server 2008 DHCP
server?
The IP addresses supplied by the DHCP server are held in a scope, one scope per
subnet. Several scopes can be grouped for administration into a superscope. IP
addresses in a scope that you do not want to lease can be included in an
exclusion range.

What TCP/IP configuration parameters can be provided to a DHCP client?


The DHCP server can supply a DHCP client an IP address and subnet mask. It
also can optionally include the default gateway address, the DNS server
address, and the WINS server address to the client.

How can you configure the DHCP server so that it provides certain devices
with the same IP address each time the address is renewed?
You can create a reservation for the device (or reservations for a number of
devices). To create a reservation, you need to know the MAC hardware address
of the device. Run ipconfig /all or getmac on the device itself, use arp -a
from another host on the same subnet after contacting it, or read the address
from the device's existing DHCP lease in the DHCP console.

To negate rogue DHCP servers from running with a domain, what is required
for your DHCP server to function?
The DHCP server must be authorized in the Active Directory before it can
function in the domain.
What is DHCP? DHCP stands for "Dynamic Host Configuration Protocol". DHCP
(Dynamic Host Configuration Protocol) is a communications protocol that lets
network administrators centrally manage and automate the assignment of
Internet Protocol (IP) addresses in an organization's network.
DHCP assigns IP address to computers and other devices that are enabled as
DHCP Clients. Deploying DHCP servers on the network automatically provides
computers and other TCP/IP based network devices with valid IP addresses and
the additional configuration parameters these devices need, called DHCP
options, which allow them to connect to other network resources, such as DNS
Servers, WINS servers and routers. Dynamic Host Configuration Protocol (DHCP)
automatically assigns IP addresses and other network configuration information
(subnet mask, broadcast address, etc) to computers on a network. A client
configured for DHCP will send out a broadcast request to the DHCP server
requesting an address. The DHCP server will then issue a "lease" and assign it to
that client. The time period of a valid lease can be specified on the server.
DHCP reduces the amount of time required to configure clients and allows one
to move a computer between networks and have it configured with the appropriate
IP address, gateway and subnet mask.

Who Created It? How Was It Created?


DHCP was created by the Dynamic Host Configuration Working Group of the
Internet Engineering Task Force (IETF; a volunteer organization which defines
protocols for use on the Internet). As such, its definition is recorded in an
Internet RFC and the Internet Activities Board (IAB) is asserting its status as to
Internet Standardization. As of this writing (June 1998), DHCP is an Internet
Draft Standard Protocol and is Elective. BOOTP is an Internet Draft Standard
Protocol and is recommended.

At what layer of OSI does it function? DHCP is an application-layer protocol
(Layer 7) carried over UDP/IP (server port 67, client port 68). It works before
the client has an IP address because the client broadcasts and the server
identifies it by the hardware address (chaddr) in the message, which is why it
is sometimes loosely described as a Layer 2 function.

What is DORA? The four-message exchange a client uses to obtain a lease, all
carried in UDP (client port 68, server port 67). The client broadcasts a DHCP
DISCOVER; every DHCP server that hears it replies with a DHCP OFFER containing
a proposed address and lease; the client broadcasts a DHCP REQUEST for the
offer it accepts (so the other servers withdraw theirs); finally, the chosen
DHCP server sends the lease information (the IP address, potentially a subnet
mask, DNS server, WINS server, WINS node type, domain name, and default
gateway) to the workstation in a message called the DHCP ACK (data
communications jargon for acknowledge). You can remember the four parts of the
exchange by the mnemonic DORA - Discover, Offer, Request, and ACK. Nothing in
the exchange is authenticated, which is why a rogue DHCP server on the segment
can hand out its own gateway and DNS server.
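An added example (not part of the original page) that builds the first two DORA messages at the wire level and decodes them, so the fields the answer above names (message type, proposed address, client hardware address, transaction ID, ports) can be seen in the bytes. The MAC address, transaction ID, addresses and lease time are made up; no network access is needed.

```powershell
# Added example, not from the original page: build and decode DHCP DISCOVER and
# OFFER messages (RFC 2131 layout). All addresses and identifiers are invented.
$DhcpMessageType = @{ 1 = 'DISCOVER'; 2 = 'OFFER'; 3 = 'REQUEST'; 4 = 'DECLINE'
                      5 = 'ACK'; 6 = 'NAK'; 7 = 'RELEASE'; 8 = 'INFORM' }

function New-DhcpMessage {
    param([byte]$Op, [byte]$MessageType, [uint32]$Xid, [string]$ClientMac,
          [string]$YourIp = '0.0.0.0', [hashtable]$Options = @{})
    $b = New-Object 'System.Collections.Generic.List[byte]'
    $b.AddRange([byte[]]@($Op, 1, 6, 0))                 # op, htype 1 = Ethernet, hlen 6, hops
    $xid = [BitConverter]::GetBytes($Xid)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($xid) }   # network byte order
    $b.AddRange([byte[]]$xid)
    $b.AddRange([byte[]]@(0, 0, 0x80, 0))                # secs; flags with the broadcast bit set
    $b.AddRange([byte[]](New-Object byte[] 4))           # ciaddr: the client has no address yet
    $b.AddRange(([System.Net.IPAddress]::Parse($YourIp)).GetAddressBytes())   # yiaddr
    $b.AddRange([byte[]](New-Object byte[] 8))           # siaddr, giaddr
    $mac = [byte[]]($ClientMac -split '[:-]' | ForEach-Object { [Convert]::ToByte($_, 16) })
    $b.AddRange($mac)
    $b.AddRange([byte[]](New-Object byte[] (16 - $mac.Length)))   # chaddr is a 16-byte field
    $b.AddRange([byte[]](New-Object byte[] 192))         # sname (64) and file (128), unused here
    $b.AddRange([byte[]]@(0x63, 0x82, 0x53, 0x63))       # magic cookie: DHCP options follow
    $b.AddRange([byte[]]@(53, 1, $MessageType))          # option 53: DHCP message type
    foreach ($code in $Options.Keys) {                   # remaining options as code, length, value
        $v = [byte[]]$Options[$code]
        $b.AddRange([byte[]]@([byte]$code, [byte]$v.Length))
        $b.AddRange($v)
    }
    $b.Add([byte]255)                                    # end option
    return ,$b.ToArray()
}

function Read-DhcpMessage {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 240) { throw "Only $($Bytes.Length) bytes: too short for a DHCP message" }
    if ([BitConverter]::ToString([byte[]]$Bytes[236..239]) -ne '63-82-53-63') { throw 'Missing DHCP magic cookie' }
    $options = [ordered]@{}
    $i = 240
    while ($i -lt $Bytes.Length -and $Bytes[$i] -ne 255) {   # 255 = end
        $code = [int]$Bytes[$i]
        if ($code -eq 0) { $i++; continue }                  # 0 = pad
        $len = [int]$Bytes[$i + 1]
        $value = [byte[]]@()
        if ($len -gt 0) { $value = [byte[]]$Bytes[($i + 2)..($i + 1 + $len)] }
        $options[$code] = $value
        $i += 2 + $len
    }
    $hlen   = [int]$Bytes[2]
    $opName = if ($Bytes[0] -eq 1) { 'BOOTREQUEST (client udp/68 -> server udp/67)' }
              else                  { 'BOOTREPLY (server udp/67 -> client udp/68)' }
    $type   = if ($options.Contains(53)) { $DhcpMessageType[[int]$options[53][0]] } else { 'BOOTP (no option 53)' }
    [pscustomobject]@{
        Op          = $opName
        Xid         = '0x' + ([BitConverter]::ToString([byte[]]$Bytes[4..7]) -replace '-', '')
        ClientMac   = [BitConverter]::ToString([byte[]]$Bytes[28..(27 + $hlen)]) -replace '-', ':'
        YourIp      = $Bytes[16..19] -join '.'
        MessageType = $type
        OptionCodes = @($options.Keys)
    }
}

# Constructed exchange. The client asks (option 55) for mask, router, DNS and domain name;
# the server offers 10.0.1.77 with mask, router and an 8-day lease (691200 s) in option 51.
$mac      = '00-15-5D-01-02-03'
$discover = New-DhcpMessage -Op 1 -MessageType 1 -Xid 0x12345678 -ClientMac $mac `
                -Options @{ 55 = @(1, 3, 6, 15) }
$offer    = New-DhcpMessage -Op 2 -MessageType 2 -Xid 0x12345678 -ClientMac $mac -YourIp 10.0.1.77 `
                -Options @{ 1 = @(255, 255, 255, 0); 3 = @(10, 0, 1, 1); 51 = @(0x00, 0x0A, 0x8C, 0x00) }
Read-DhcpMessage -Bytes $discover | Format-List
Read-DhcpMessage -Bytes $offer    | Format-List
```

The same transaction ID ties the OFFER to the DISCOVER, and the client hardware address is the only thing that identifies the client; both are plaintext and unauthenticated, which is the basis of the rogue-server problem the authorization question below addresses.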

What is the default Lease Period in DHCP Client/Server communication?


The default lease is 8 days. The client tries to renew with the server that
granted the lease at half the lease time (T1) and with any server at 87.5%
(T2); if neither succeeds before the lease expires it must give up the address
and start again with a Discover.

There are certain situations however when you might want to lengthen this
lease period to several weeks or months or even longer. These situations
include (a) when you have a stable network where computers neither join or
are removed or relocated; (b) when you have a large pool of available IP
addresses to lease from; or (c) when your network is almost saturated with
very little available bandwidth and you want to reduce DHCP traffic to increase
available bandwidth (not by much, but sometimes every little bit helps).

How can you backup configuration file of DHCP server?


DHCP database backs itself up automatically every 60 minutes to the
%SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be
changed:
1. Start the registry editor
2. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
3. Double click on BackupInterval and set to the number of minutes you want
the backup to be performed. Click OK
4. Close the registry editor
5. Stop and restart the DHCP server service (Start - Settings - Control Panel -
Services – DHCP Server - Start and Stop)
You could backup the %SystemRoot%\System32\Dhcp\Backup\Jet directory if
you wish.

Had you maintained/created any technical reference documentation on


DHCP Server/Client? Yes.

What is TCP/IP port no. used for DHCP service? DHCP uses the same two IANA
assigned ports as BOOTP: 67/udp for the server side, and 68/udp for the client
side.

What is VLAN?
A virtual LAN, commonly known as a vLAN or as a VLAN, is a method of
creating independent logical networks within a physical network.
A VLAN consists of a network of computers that behave as if connected to the
same wire – even though they may actually be physically connected to different
segments of a LAN. Network administrators configure VLANs through software
rather than hardware, which make them extremely flexible.

How is DHCP different from VLANs?


DHCP and VLANs, which are very different in concept, are sometimes cited as
different solutions to the same problem. While they have a goal in common
(easing moves of networked computers), VLANs represent a more revolutionary
change to a LAN than DHCP. A DHCP server and forwarding agents can allow
you to set things up so that you can unplug a client computer from one network
or subnet and plug it into another and have it come alive immediately, it
having been reconfigured automatically. In conjunction to Dynamic DNS, it
could automatically be given its same name in its new place. VLAN-capable LAN
equipment with dynamic VLAN assignment allows you to configure things so a
client computer can be plugged into any port and have the same IP number (as
well as name) and be on the same subnet. The VLAN-capable network either
has its own configuration that lists which MAC addresses are to belong to each
VLAN, or it makes the determination from the source IP address of the IP
packets that the client computer sends. Some differences in the two
approaches:

 DHCP handles changes by reconfiguring the client while a VLAN-capable


network handles it by reconfiguring the network port the client is moved to.
 DHCP dynamic reconfiguration requires a DHCP server, forwarding agent in
each router, and DHCP capability in each client's TCP/IP support. The
analogous capability in VLANs requires that all switches throughout the network
be VLAN-capable, supporting the same VLAN scheme. When this text was written
VLAN support was proprietary with no vendor interoperability; IEEE 802.1Q has
since standardized VLAN tagging.
 DHCP can configure a new client computer for you while a VLAN-capable
network can't.
 DHCP is generally aimed at giving "easy moves" capability to networks that
are divided into subnets on a geographical basis, or on separate networks.
VLANs are generally aimed at allowing you to set up subnets on some basis
other than geographical, e.g. instead of putting everyone in one office on the
same subnet, putting each person on a subnet that has access to the servers
that that person requires. There is an issue with trying to use DHCP (or BOOTP)
and VLANs at the same time, in particular, with the scheme by which the VLAN-
capable network determines the client's VLAN based upon the client computer's
source IP address. Doing so assumes the client computer is already configured,
which precludes the use of network to get the configuration information from a
DHCP or BOOTP server.

What is DHCP relay Agent?


DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay agent that
relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP
clients and DHCP servers on different IP networks.

How does DHCP relay agent work?


A DHCP relay agent is an agent program or component responsible for relaying
DHCP & BOOTP (Bootstrap Protocol) broadcast messages between a DHCP
server and a client across an IP router. A DHCP relay agent supports
DHCP/BOOTP message relay as defined in RFC (Request for Comment) 1541 &
2131. The DHCP relay agent service is managed using Routing & Remote
Service.

DHCP User Class and Vendor Class Options


DHCP option classes let administrators assign separate options to clients with
similar configuration requirements. For example, if DHCP-aware clients in your
human resources (HR) department require a different default gateway or DNS
server than the rest of your clients, you can configure a DHCP class ID to
distribute these options to HR clients (the client announces its class with
ipconfig /setclassid). The options that a class provides override any scope or
server-level default options that the DHCP server would otherwise assign.
Because the client chooses which class ID to present, a class-specific option
is a convenience, not an access control.

Option Classes
The two option class types: User Class and Vendor Class. User Classes assign
DHCP options to a group of clients that require similar configuration; Vendor
Classes typically assign vendor-specific options to clients that share a common
vendor type. For example, with Vendor Classes you can assign all Dell
computers DHCP options that are common to those machines. The purpose of
option classes is to group DHCP options for similar clients within a DHCP scope.

What is Super scope?


A range of IP addresses that span several subnets. The DHCP server can assign
these addresses to clients that are on several subnets.
A super-scope is actually a collection of individual scopes. When you group
different scopes together into a single superscope, you can do the following:
· Place DHCP clients from multiple network IDs on the same physical segment
· Allow remote DHCP clients from multiple network IDs to obtain an address
from a DHCP Server through a relay agent
· Place multiple DHCP Servers on the same physical segment, with each DHCP
Server being responsible for a different scope.
The superscope will allow the DHCP Server to answer requests from DHCP
clients from different network IDs.
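An added example (not part of the original page) that builds, with the DhcpServer module of Windows Server 2012 and later, the objects described in the DHCP answers above: authorization in Active Directory, two scopes with the 8-day lease, an exclusion range, scope options, a reservation, a superscope, a user class with its own gateway, and an on-demand backup of the database. Server name, addresses, MAC address and class name are assumptions; run it elevated on the DHCP server.

```powershell
# Added example, not from the original page. Needs the DhcpServer module
# (Windows Server 2012+) and DHCP Administrators rights. All values are assumed.
Import-Module DhcpServer

# Authorization: an AD-joined DHCP server refuses to lease until it is listed in
# the directory, which is the control that stops rogue Windows DHCP servers.
Add-DhcpServerInDC -DnsName 'dhcp1.contoso.com' -IPAddress 10.0.1.5

# One scope per subnet; the 8-day default lease made explicit.
Add-DhcpServerv4Scope -Name 'Floor1' -StartRange 10.0.1.20 -EndRange 10.0.1.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4Scope -Name 'Floor2' -StartRange 10.0.2.20 -EndRange 10.0.2.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Exclusion range: addresses inside the scope that are never leased (printers, switches).
Add-DhcpServerv4ExclusionRange -ScopeId 10.0.1.0 -StartRange 10.0.1.20 -EndRange 10.0.1.39

# Scope options: default gateway (option 3), DNS servers (6), DNS domain name (15).
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -Router 10.0.1.1 `
    -DnsServer 10.0.1.10, 10.0.1.11 -DnsDomain 'contoso.com'

# Reservation: the client with this MAC address always receives 10.0.1.50.
Add-DhcpServerv4Reservation -ScopeId 10.0.1.0 -IPAddress 10.0.1.50 `
    -ClientId '00-15-5D-01-02-03' -Name 'hr-printer' -Description 'HR floor printer'

# Superscope: both scopes served as one unit on a multinet segment.
Add-DhcpServerv4Superscope -SuperscopeName 'Building-A' -ScopeId 10.0.1.0, 10.0.2.0

# User class: clients that run "ipconfig /setclassid Ethernet HR" get another gateway.
Add-DhcpServerv4Class -Name 'HR' -Type User -Data 'HR' -Description 'HR department'
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -UserClass 'HR' -Router 10.0.1.254

# On-demand backup of configuration and database (the service also does this hourly).
Backup-DhcpServer -Path 'C:\DhcpBackup'

# Verify what was built.
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, SuperscopeName, LeaseDuration -AutoSize
Get-DhcpServerv4Reservation -ScopeId 10.0.1.0
Get-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -UserClass 'HR'
```

Authorization in AD only restrains Windows DHCP servers that honour it; a non-Windows or unjoined rogue server is not stopped by it, which is why DHCP snooping on the switches is still needed on untrusted segments.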

What is Multicast?
A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be
assigned to computers when they ask for them. A multicast group is assigned to
one IP address. Multicasting can be used to send messages to a group of
computers at the same time with only one copy of the message.
The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to
request a multicast address from a DHCP server.

What is a DHCP lease?


A DHCP lease is the amount of time that the DHCP server grants to the DHCP
client permission to use a particular IP address. A typical server allows its
administrator to set the lease time.

What is WSUS?
WSUS is Windows Server Update Services, the successor to Software Update
Services (SUS). It is designed to automate the process of distributing
Microsoft patches by controlling the Automatic Updates client already present
on all Windows machines. Instead of every machine on the network going to
Microsoft's web site to download updates, the WSUS server downloads the
approved updates once to a server the organization controls, and workstations
then look there for updates. Because it decides which updates reach every
client, the WSUS server and the accounts that administer it need the same
protection as any other system that can push code to the whole estate.

What is the Minimum Free Disk Space required?


Minimum of 6 GB free disk space is recommended to store the WSUS content.

How WSUS Works?


WSUS is an update component of Windows Server and offers an effective and
quick way to help keep systems up-to-date. WSUS provides a management
infrastructure consisting of the following:
Microsoft Update: The Microsoft Web site to which WSUS components connect
for updates of Microsoft products.
Windows Server Update Services server: The server component that is
installed on a computer running a Microsoft Windows 2000 Server with Service
Pack 4 (SP4) or Windows Server 2003 operating system inside the corporate
firewall. WSUS server provides the features that administrators need to manage
and distribute updates through a Web-based tool, which can be accessed from
Internet Explorer on any Windows computer in the corporate network. In
addition, a WSUS server can be the update source for other WSUS servers.
Automatic Updates: The client computer component built into Microsoft
Windows Server 2003, Windows XP, and Windows 2000 with SP3 operating
systems. Automatic Updates enables both server and client computers to
receive updates from Microsoft Update or from a server running WSUS.

What are the basic requirements (Hardware/Software) to implement the


Windows SUS server?
Server Hardware Requirements:
WSUS requires a single server for basic operation, although you can scale your
WSUS implementation to larger numbers of servers if you wish. For a basic
implementation of up to 500 users, hardware requirements, per Microsoft, are:
· 1GHz CPU
· 1GB RAM
You also need a network card and enough free disk space (described below).
Server Software Requirements:
You need the following software components:
· A supported Windows Server operating system - Windows Server 2003 is the
preferred OS, but Windows 2000 is also supported. WSUS is supported on all
editions of Windows Server 2003, but there are some restrictions of you use the
Web Edition (See [WUS Restrictions With2k3 Web].
· IIS - WUS is operated via IIS, so your WUS Server needs to have IIS loaded. You
need at least IIS 5.0.
· .NET Framework 1.1 SP1 - get this 7.982MB download from the Microsoft
download site. The .NET Framework 1.1 SP1 is delivered as a hot fix
installation file (see KB article KB867460 for details). This expands to 55.6 MB
(58,335,654 bytes) on disk prior to installation. The installation of this hot fix
also stops IIS, and requires a reboot.
· Background Intelligent Transfer Service 2.0 (BITS 2.0 English.zip) - this is a
new version of BITS, at present only available to beta testers, or those on the
OEP. This is a 1.34MB download.
· WSUS Setup (WSUSSetup.exe) - Like BITS V2, this is available only to beta
testers or members of the OEP at present. This is download is over 100mb.
· SQL Database server. For Windows Server 2003 MSDE is installed during setup.
For Windows 2000 it is not and MSDE or SQL server must be installed prior WUS
setup.
Server Disk Space Requirements:
WUS Server disk space requirements fall into three categories: the WUS
service, WUS updates and the WUS data base.
Microsoft recommends that you have at least 6GB free disk space to store WUS
content. At present, typical usage is around 1-2GB/language, although this
does depend on what updates you specify and is likely to grow over time. The
WSUS service installs (by default) into C:\Program Files\Update Services\. This
folder takes up 365MB (371MB on disk) after the initial installation. The WSUS
Database is managed by MSDE, and is installed by default into
C:\WSUS\MSSQL$WSUS. This folder takes up 216 MB after the initial install and
synchronization, with only 2 clients. The size of the DB grows as you add more
computers and as you manage more updates.

What is the TCP/IP port no. used for Windows SUS services?
WSUS uses port 8530.

What is the essential application used for WSUS database reports?
The WSUS database stores update information, event information about update
actions on client computers, and WSUS server settings.
Administrators have the following options for the WSUS database:
1. The Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database
that WSUS can install during setup on Windows Server 2003
2. An existing Microsoft® SQL Server™ 2000 database
3. An existing Microsoft Data Engine 2000 (MSDE) with Service Pack 3 (SP3) or
later.

What are the essential settings required on the WSUS client?
On the client side we have to enable Automatic Updates from the security
settings. We can also enable Automatic Updates from the registry.
Registry Key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\
Type: REG_DWORD
· 0 - Disabled.
· 1 - Enable the Automatic Update client to use the SUS server specified by the
"WUServer" value.
If the client has a domain logon, we can also enable Automatic Updates on the
client side through Group Policy.
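As an added example (not from this document), the same client-side settings applied with PowerShell instead of by hand. The WUServer, WUStatusServer, UseWUServer (under the AU subkey) and NoAutoUpdate value names are the standard Windows Update policy values; the server name in the URL is a placeholder.

```powershell
# Added example (not from the original document): configure the WSUS client
# policy values in the registry and verify them. Assumes an administrative
# PowerShell session and a WSUS server reachable at the placeholder URL below
# (WSUS listens on port 8530 by default, as noted in the answer above).
$WsusUrl = 'http://wsus01.example.local:8530'   # placeholder server name

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

function Set-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ServerUrl)

    # Reject anything that is not an http/https URL with an explicit port,
    # so a typo cannot silently point clients at the wrong update source.
    $uri = [uri]$ServerUrl
    if (($uri.Scheme -notin 'http', 'https') -or $uri.IsDefaultPort) {
        throw "WSUS URL must be http(s) with an explicit port, got '$ServerUrl'"
    }

    foreach ($key in $WuKey, $AuKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # WUServer / WUStatusServer: where the client downloads updates from and
    # reports status to (REG_SZ).
    Set-ItemProperty -Path $WuKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $ServerUrl -Type String
    # UseWUServer: 0 = disabled, 1 = use the server named in WUServer (REG_DWORD).
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
    # NoAutoUpdate: 0 keeps Automatic Updates enabled.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
}

function Test-WsusClientPolicy {
    # Returns $true only when every value points at the intended server.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    return ($wu.WUServer -eq $WsusUrl) -and
           ($wu.WUStatusServer -eq $WsusUrl) -and
           ($au.UseWUServer -eq 1) -and
           ($au.NoAutoUpdate -eq 0)
}

Set-WsusClientPolicy -ServerUrl $WsusUrl
if (Test-WsusClientPolicy) {
    # Ask the client to re-read the policy and contact the WSUS server now.
    wuauclt.exe /resetauthorization /detectnow
    Write-Host "WSUS client policy applied: $WsusUrl"
} else {
    Write-Warning 'WSUS client policy verification failed'
}
```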

What is DNS?
DNS stands for Domain Name System, which provides name resolution for a
TCP/IP network. It is also a distributed database with a hierarchical
structure, which ensures that each hostname is unique across local and wide
area networks.
DNS is the name resolution system of the Internet. Using DNS allows clients to
resolve host names to IP addresses so that communication can take place.
DNS is the foundation upon which Active Directory is built.

How does DNS work?

DNS uses a client/server model in which the DNS server maintains a static
database of domain names mapped to IP addresses. The DNS client, known as
the resolver, performs queries against the DNS servers. DNS resolves domain
names to IP addresses using these steps:
Step 1: A client (or “resolver”) passes its request to its local name server. For
example, the URL term www.idgbooks.com typed into Internet Explorer is
passed to the DNS server identified in the client's TCP/IP configuration. This
DNS server is known as the local name server.
Step 2: If, as often happens, the local name server is unable to resolve the
request, other name servers are queried so that the resolver may be satisfied.
Step 3: If all else fails, the request is passed to more and more, higher-level
name servers until the query resolution process starts with the far-right term
(for instance, com) or at the top of the DNS tree with the root name servers.

What is the TCP/IP port no. used for DNS services?


53/TCP, UDP is used for DNS services.

What are the basic requirements (Hardware/Software) to implement the Windows DNS server?
Server Hardware Requirements:
Microsoft's suggested minimum hardware requirements (and some Microsoft
recommendations) for Windows Server 2003 (Standard) are listed here:
· CPU speed: 133MHz (550MHz recommended)
· RAM: 128MB (256MB recommended; 4GB maximum on Standard Server)
· Disk space for setup: 1.5GB
· CD-ROM drive: 12X
· Monitor: Super VGA capable of providing 800 x 600 resolution

Explain DNS Zones?


A zone is simply a contiguous section of the DNS namespace. Records for a zone
are stored and managed together. Often, sub-domains are split into several
zones to make manageability easier.
For example, support.microsoft.com and msdn.microsoft.com are separate
zones, where support and msdn are sub-domains within the Microsoft.com
domain.

Explain zone file?

A zone file is the database in a DNS server that contains the translations
(mappings) between domain names and IP addresses. A zone file is made up of
"resource records," which are lines of text that define the forward lookup of
domains to IPs, the reverse lookup of IPs to domains, the names of DNS and
mail servers, records for aliases, and other related information.

What is Primary DNS Zone?


A primary DNS server holds the "master copy" of the data for a zone, and
secondary servers have copies of this data which they synchronize with the
primary through zone transfers at intervals or when prompted by the primary.

What is Standard Primary DNS Server?


Standard primary zone holds a master copy of a zone and can replicate it to all
configured secondary zones in standard text format. Any changes that must be
made to the zone are made on the copy stored on the primary.

What is Active Directory Integrated DNS server?


Active Directory–integrated zones are available only on Windows 2000 and 2003
DNS servers in an Active Directory domain. The zone information is contained
within the Active Directory database and is replicated using Active Directory
replication. Active Directory–integrated zones provide an increased level of
replication flexibility as well as security. Active Directory–integrated zones also
operate in a multi-master arrangement because they are hosted within Active
Directory itself; this way, any DNS server (domain controller) hosting the Active
Directory–integrated zone can update the zone data.

What is Secondary DNS Zone?


A standard secondary zone holds a read-only copy of the zone information in
standard text format.
Secondary zones are created to increase performance and resilience of the DNS
configuration.
Information is transferred from the primary zone to the secondary zones.

What is STUB Zone?


Microsoft has introduced support for stub zones for the first time in Windows
Server 2003. A stub zone contains only those resource records that are
necessary to identify the authoritative DNS servers for that zone. Those
resource records include Name Server (NS), Start of Authority (SOA), and
possibly glue host (A) records. (Glue host records provide A record pointers to
ensure that the master zone has the correct name server information for the
stub zone.)
Why Use Stub Zones?
The idea behind stub zones is to speed up name resolution and reduce network
traffic. This is a benefit for every network where you are able to use them.

What is Forward Lookup?


Forward Lookup – resolves hostname to IP address. Forward Lookup zones
supply the main DNS mechanism for finding Hosts (A), Name Servers (NS) or
Services (SRV records such as _gc).

What is Reverse Lookup?


Reverse Lookup – resolves IP address to hostname. I think of Reverse Lookup as
a hacker’s tool, they can PING a server's IP address and then they use a Reverse
Lookup query to discover the hostname. In truth, Reverse Lookup is required by
NSLookup, DNSLint and other utilities.

What's the difference between a zone and a domain?


Although the two terms can seem as if they are used interchangeably, there is
a difference. A DNS domain is a segment of the DNS namespace. A zone, on the
other hand, can contain multiple contiguous domains.
For example, quepublishing.com is a DNS domain. It contains all the
information for that specific portion of the DNS namespace.
sales.quepublishing.com is another example of a domain, which is contiguous
with the quepublishing.com domain; in other words, the two domains "touch."
So, if you were to create a DNS forward lookup zone on your DNS server, it
could contain records for both domains. Zones allow for the logical grouping
and management of domains and resource records on your DNS servers.

DNS resource records

A DNS zone database is made up of a collection of resource records. Each
resource record specifies information about a particular object. For example,
address mapping (A) records map a host name to an IP address, and
reverse-lookup pointer (PTR) records map an IP address to a host name. The
server uses these records to answer queries for hosts in its zone. The most
common DNS resource records are listed below.
NS: A name server resource record specifies the authoritative DNS server for
the particular zone.
SOA: This resource record specifies the DNS server providing authoritative
information about the zone.
A: A standard hostname resource record contains a hostname to IP address
mapping.
CNAME: This resource record allows you to use more than one name to point to
a single host.
MX: This resource record is used by e-mail applications to locate a mail server
within a zone.
PTR: Used to map IP addresses to their associated hostnames. These records
are only used in reverse lookup zones.
SRV: This resource record is used to specify the location of specific services in
a domain.
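An added example (not part of this document) that ties together the zone file, stub zone and resource record answers above: a PowerShell parser for a small BIND-style zone file that summarizes the records by type and extracts the subset a stub zone for that zone would keep (SOA, NS and glue A records). The zone text is constructed for illustration.

```powershell
# Added example (not from the original document): parse a small BIND-style
# zone file into resource records, summarize them by type, and derive the
# records a stub zone for this zone would hold (SOA, NS and glue A records).
# The zone text below is constructed for illustration (example.com with
# RFC 5737 documentation addresses).
$ZoneText = @'
$ORIGIN example.com.
$TTL 3600
@          IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
@          IN NS    ns1.example.com.
@          IN NS    ns2.example.com.
ns1        IN A     192.0.2.1          ; glue for ns1
ns2        IN A     192.0.2.2          ; glue for ns2
www        IN A     192.0.2.10
mail       IN A     192.0.2.20
@          IN MX    10 mail.example.com.
ftp        IN CNAME www.example.com.
_ldap._tcp IN SRV   0 100 389 dc1.example.com.
dc1        IN A     192.0.2.5
'@

function ConvertFrom-ZoneFile {
    param([Parameter(Mandatory)][string]$Text)
    $origin = ''
    foreach ($raw in $Text -split "`r?`n") {
        $line = ($raw -replace ';.*$', '').Trim()      # drop comments
        if (-not $line) { continue }
        if ($line -match '^\$ORIGIN\s+(\S+)') { $origin = $Matches[1]; continue }
        if ($line -match '^\$TTL\s') { continue }
        $parts = $line -split '\s+'
        # Qualify the owner name against $ORIGIN ('@' means the zone apex).
        $name = $parts[0]
        if ($name -eq '@') { $name = $origin }
        elseif (-not $name.EndsWith('.')) { $name = "$name.$origin" }
        $i = 1
        if ($parts[$i] -match '^\d+$') { $i++ }          # optional TTL
        if ($parts[$i] -eq 'IN') { $i++ }                # optional class
        [pscustomobject]@{
            Name = $name
            Type = $parts[$i].ToUpper()
            Data = ($parts[($i + 1)..($parts.Count - 1)] -join ' ')
        }
    }
}

function Get-StubZoneRecords {
    # A stub zone keeps only what is needed to find the authoritative servers:
    # the SOA, the NS records, and the A records (glue) for the NS targets.
    param([Parameter(Mandatory)][object[]]$Records)
    $nsTargets = @($Records | Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.Data })
    $Records | Where-Object {
        ($_.Type -in 'SOA', 'NS') -or ($_.Type -eq 'A' -and $_.Name -in $nsTargets)
    }
}

$records = ConvertFrom-ZoneFile -Text $ZoneText
# Record count per type (A, CNAME, MX, NS, SOA, SRV) for the whole zone.
$records | Group-Object Type | Sort-Object Name |
    Format-Table @{ n = 'Type'; e = { $_.Name } }, Count -AutoSize
# The stub-zone subset: the SOA, two NS records and the two glue A records.
Get-StubZoneRecords -Records $records | Format-Table Name, Type, Data -AutoSize
```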

DNS with Active Directory


Active Directory uses the same hierarchical naming convention as DNS. Because
of this, the client computer uses DNS servers to locate Active Directory domain
controllers and other Active Directory resources on the network.
Without DNS, Active Directory couldn’t function, because client computers
wouldn’t be able to locate these domain controllers and resources.
Bottom line is, Active Directory is dependent on DNS. Active Directory can’t be
implemented until the DNS server service is installed.

What is WINS?
WINS (Windows Internet Naming Service) resolves Windows network computer
names (also known as NetBIOS names) to Internet IP addresses, allowing
Windows computers on a network to easily find and communicate with each
other.

How WINS Works?


By default, when a computer running Microsoft® Windows® 2000, Windows XP,
or a Windows Server 2003 operating system is configured with WINS server
addresses (either manually or through DHCP) for its name resolution, it uses
hybrid node (h-node) as its node type for NetBIOS name registration unless
another NetBIOS node type is configured. For NetBIOS name query and
resolution, it also uses h-node behavior, but with a few differences.
For NetBIOS name resolution, a WINS client typically performs the following
general sequence of steps to resolve a name:
1. Client checks to see if the name queried is its local NetBIOS computer name,
which it owns.
2. Client checks its local NetBIOS name cache of remote names. Any name
resolved for a remote client is placed in this cache where it remains for 10
minutes.
3. Client forwards the NetBIOS query to its configured primary WINS server. If
the primary WINS server fails to answer the query--either because it is not
available or because it does not have an entry for the name--the client will try
to contact other configured WINS servers in the order they are listed and
configured for its use.
4. Client broadcasts the NetBIOS query to the local subnet.
5. Client checks the Lmhosts file for a match to the query, if it is configured to
use the Lmhosts file.
6. Client tries the Hosts file and then a DNS server, if it is configured for one.

What is the TCP/IP port no. used for WINS services? 137

What are the basic requirements (Hardware/Software) to implement the Windows WINS server?
Hardware Requirement:
· Pentium 4 - 2.8 GHz with 2 GB RAM
· 80 GB Hard drive/7200RPM
  Recommended hard drive division: 20 GB System Partition and 60 GB Data
  partition
· 100 Mbps Network adaptor or better
· Screen Resolution: 1024 X 768 pixels, 256 colours (65,536 colours
  recommended)
Software Requirement:
· Windows® Server 2003 Standard Edition SP1 or higher installed.
· Application Server Role installed:
  · Internet Information Server 6.0
  · ASP.NET
What is Primary & Secondary WINS Server?
WINS servers can act as either a primary WINS server or a secondary WINS
server to a client. The difference between primary and secondary WINS servers
is simply the priority in which clients contact them. A primary WINS server is
the first server a client contacts to perform its NetBIOS name service
operations. A client contacts a secondary WINS server only when a primary
WINS server is unable to fulfill the request, for example if it is unavailable
when the client makes the request or unable to resolve a name for the client.
If a primary WINS server fails to fulfill a request, the client makes the same
request of its secondary WINS server. If more than two WINS servers are
configured for the client, the client tries the additional secondary WINS servers
until the list is exhausted or one of the WINS servers successfully responds to
the request. After a client uses a secondary WINS server, it periodically tries to
switch back to its primary WINS server for future name service requests.

How does DNS relate to ADS?


Active Directory, which is an essential component of the Windows 2003
architecture, presents organizations with a directory service designed for
distributed computing environments. Active Directory allows organizations to
centrally manage and share information on network resources and users while
acting as the central authority for network security. In addition to providing
comprehensive directory services to a Windows environment, Active Directory
is designed to be a consolidation point for isolating, migrating, centrally
managing, and reducing the number of directories that companies require.
You must have DNS to run Active Directory but don't need Active Directory to
run DNS in a Windows 2000/2003 environment. AD relies heavily on DNS.

What is Host File?


The "Hosts" file in Windows and other operating systems is used to associate
host names with IP addresses. Host names are the www.yahoo.com addresses
that you see every day. IP addresses are numbers that mean the same thing as
the www words - the computers use the numbers to actually find the sites, but
we have words like www.yahoo.com so humans do not need to remember the
long strings of numbers when they want to visit a site.
We can put names and addresses into the Hosts file so your computer does not
have to ask a DNS server to translate the domain name into an IP number. This
speeds up access to the host site you want to see because your computer no
longer has to query other systems on the Internet for the address translation.

What is LM Host File?


A text file in a Windows network that provides name resolution of NetBIOS host
names to IP addresses. The LMHOSTS files were the Windows counterpart to the
HOSTS files in UNIX, but have long since given way to the WINS naming system.
LM stands for "LAN Manager," the name of Microsoft's earlier network operating
system (NOS).

What is a Firewall? What essential settings are used in a Firewall?
A system designed to prevent unauthorized access to or from a private
network. Firewalls can be implemented in both hardware and software, or a
combination of both. Firewalls are frequently used to prevent unauthorized
internet users from accessing private networks connected to the internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet
the specified security criteria.

There are several types of firewall techniques; the 3 basic ones are given below:
· Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition, it
is susceptible to IP spoofing.
· Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose
performance degradation.
· Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can
flow between the hosts without further checking.
· Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network addresses.

What is Proxy server?


In an enterprise that uses the Internet, a proxy server is a server that acts as
an intermediary between a workstation user and the Internet so that the
enterprise can ensure security, administrative control, and caching service. A
proxy server is associated with or part of a gateway server that separates the
enterprise network from the outside network and a firewall server that
protects the enterprise network from outside intrusion.

What is VPN?
VPN gives extremely secure connections between private networks linked
through the Internet. It allows remote computers to act as though they were on
the same secure, local network.

What are the types of protocols used in VPN?


There are two types of protocols used in VPN; these are PPTP & L2TP.
PPTP: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that
enables the secure transfer of data from a remote client to a private enterprise
server by creating a virtual private network (VPN) across TCP/IP-based data
networks. PPTP supports on-demand, multi-protocol, virtual private networking
over public networks, such as the Internet.
L2TP: Layer 2 Tunneling Protocol is an emerging Internet Engineering Task
Force (IETF) standard that combines the features of two existing tunneling
protocols: Cisco's Layer 2 Forwarding and Microsoft's Point-to-Point Tunneling
Protocol. L2TP is an extension to the Point-to-Point Protocol (PPP).

What is Terminal Services?


Terminal Services is a component of Microsoft Windows operating systems (both
client and server versions) that allows a user to access applications or data
stored on a remote computer over a network connection. Terminal Services is
Microsoft's take on server centric computing, which allows individual users to
access network resources easily.
What is Directory Service?
A directory service is a software application that stores and organizes
information about networked computers, users, and network resources, and that
allows network administrators to manage users’ access to the resources.

What is Active Directory?


Active Directory is an implementation of LDAP directory services. Active
Directory allows administrators to assign enterprise-wide policies, deploy
programs to many computers, and apply critical updates to an entire
organization. Active Directory stores information and settings related to an
organization in a central, organized, accessible database. Active Directory
networks can vary from a small installation with a few hundred objects, to a
large installation with millions of objects.

What is Active Directory Services?


Active Directory is a directory service used to store information about the
network resources across a domain.

What are components of Active Directory (Hierarchy)?


Components of Active Directory are Domain, Forest, Tree, Organizational Unit,
Schema, Group Policy Objects and Global Catalog.

What is Tree (Logical Component)?


Domain trees are a hierarchical grouping of one or more domains that share a
single DNS namespace & have one or more child domain and are connected by
transitive trust relationship. Example: ttsl.com is root and mah.ttsl.com is
child.

What is Forest (Logical Component)?


A forest is a group of one or more domain trees which share a common schema
and global catalog.
There is always at least one forest on a network, and it is created when the
first Active Directory domain controller is installed on a network.
This first domain in a forest, called the forest root domain, is special because it
holds the schema and controls domain naming for the entire forest. It cannot
be removed from the forest without removing the entire forest itself. Also, no
other domain can ever be created above the forest root domain in the forest
domain hierarchy.

What is Domain (Logical Component)?


A Domain is a logical grouping of networked computers in which more than one
computer has shared resources. (Domains are the fundamental units that make
up Active Directory).

What is OU (Logical Component)?


An OU is an administrative-level container object in ADS that organizes users,
computers, groups and other organizational units together so that any changes,
security privileges or other administrative tasks can be accomplished
more efficiently.

What is Domain Controller (Physical Component)?


Domain Controllers are the physical storage location for the Active Directory
Services Database.

What is a Site (Physical Component)?


A Site is a physical component of Active Directory that is used to define and
represent the physical topology of a network.

What is Object?
Active Directory objects are the entities that make up a network. An object is a
distinct, named set of attributes that represents something concrete, such as a
user, a printer, or an application. For example, when we create a user object,
Active Directory assigns the globally unique identifier (GUID), and we provide
values for such attributes as the user's given name, surname, the logon
identifier, and so on.

What is Schema?
The schema defines the type of objects and the attributes that each object
has. The schema is what defines a user account for example. A user account
must have a name, a password, and a unique SID. A user account can also have
many additional attributes, such as location, address, phone number, e-mail
addresses, terminal services profiles, and so on.

What is Schema Class & Attributes?


Every directory object you create is an instance of an object class contained in
the schema. Each object class contains a list of associated attributes that
determine the information the object can contain. Classes and attributes are
defined independently, so that a single attribute can be associated with
multiple classes. All schema classes and attributes are defined by the
classSchema and attributeSchema objects, respectively.

What is Global Catalog?


Global catalog is a domain controller that stores a copy of all Active Directory
objects in a forest. The global catalog stores a full copy of all objects in the
directory for its host domain and a partial copy of all objects for all other
domains in the forest.

What is Universal Group Membership Cache?


In a forest that has more than one domain, in sites that have domain users but
no global catalog server, Universal Group Membership Caching can be used to
enable caching of logon credentials so that the global catalog does not have to
be contacted for subsequent user logons.

What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a networking protocol
for querying and modifying directory services running over TCP/IP. The TCP
port for LDAP is 389. LDAP Version 5.

What are IIS services?


IIS services are used to publish web based applications.

What is TCP/IP port no for Global Catalog? 3268


What is TCP/IP port no for LDAP? 389
What is TCP/IP port no for RDP? 3389
What is the TCP/IP port no for SNMP? 161,162
What is the TCP/IP port no for SMTP? 25
What is the TCP/IP port no for POP3? 110
What is the TCP/IP port no for IMAP? 143
What is the TCP/IP port no for HTTP? 80
What is the TCP/IP port no for HTTPS? 443
What is TCP/IP port no for TELNET? 23

What are important operations roles in Active Directory?


In a forest, there are at least five FSMO roles that are assigned to one or more
domain controllers.
The five FSMO roles are:
• Schema Master: The schema master domain controller controls all updates
and modifications to the schema. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the
whole forest.
• Domain Naming Master: The domain naming master domain controller
controls the addition or removal of domains in the forest. There can be only
one domain naming master in the whole forest.
• Infrastructure Master: Responsible for maintaining all inter-domain object
references. In other words, the infrastructure master informs certain objects
(such as groups) that other objects (such as users in another domain) have been
moved, changed, or otherwise modified. This update is needed only in a
multiple-domain environment.
• Relative ID (RID) Master: The RID master is responsible for processing RID
pool requests from all domain controllers in a particular domain. At any one
time, there can be only one domain controller acting as the RID master in the
domain.
• PDC Emulator: Used whenever a domain contains non–Active Directory
computers. It acts as a Windows NT primary domain controller (PDC) for legacy
client operating systems, as well as for Windows NT backup domain controllers
(BDCs). The PDC emulator also processes password changes and receives
preferential treatment within the domain for password updates. If another
domain controller is unable to authenticate a user because of a bad password,
the request is forwarded to the PDC emulator. The PDC emulator performs this
additional (and important) operations master role whether or not there are any
BDCs in the domain.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or
by using an MMC snap-in tool

How can we view All FSMO roles using command prompt?


Ntdsutil.exe

How can we transfer Schema Master Role?


Transfer the Schema Master Role
Use the Active Directory Schema Master snap-in to transfer the schema master
role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click
Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the
new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click
Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.

How can we transfer Domain naming Master?


Transfer the Domain Naming Master Role
1. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to
Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to
which you want to transfer the role. You do not have to perform this step if
you are already connected to the domain controller whose role you want to
transfer.
3. Do one of the following:
In the Enter the name of another domain controller box, type the name of
the domain controller that will be the new control
4. In the console tree, right-click Active Directory Domains and Trusts, and
then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

How can we transfer PDC Emulator, RID Master, Infrastructure Master?


Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect
to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to
which you want to transfer the role. You do not have to perform this step if
you are already connected to the domain controller whose role you want to
transfer.
3. Do one of the following:
In the Enter the name of another domain controller box, type the name of
the domain controller that will be the new control
4. In the console tree, right-click Active Directory Users and Computers, point
to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or
Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
What will happen if Schema Master fails?
No updates to the Active Directory schema will be possible. Since schema
updates are rare (usually done by certain applications and possibly an
Administrator adding an attribute to an object), then the malfunction of the
server holding the Schema Master role will not pose a critical problem.

What will happen if Domain Naming Master fails?


Domain Naming Master must be available when adding or removing a domain
from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be
added or removed. It is also needed when promoting or demoting a server
to/from a Domain Controller. Like the Schema Master, this functionality is only
used on occasion and is not critical unless you are modifying your domain or
forest structure.

What will happen if RID Master fails?


RID Master provides RIDs for security principals (users, groups, computer
accounts). The failure of this FSMO server would have little impact unless you
are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur
only if the DC you are adding the users/groups on ran out of RIDs.

What will happen if PDC Emulator fails?


The server holding the PDC emulator role will cause the most problems if it is
unavailable. This would be most noticeable in a mixed mode domain where you
are still running NT 4 BDCs and if you are using down-level clients (NT and
Win9x). Since the PDC emulator acts as a NT 4 PDC, then any actions that
depend on the PDC would be affected (User Manager for Domains, Server
Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical
because other domain controllers can assume most of the responsibilities of the
PDC emulator.

What will happen if Infrastructure Master fails?


This FSMO server is only relevant in a multi-domain environment. If you only
have one domain, then the Infrastructure Master is irrelevant. Failure of this
server in a multi-domain environment would be a problem if you are trying to
add objects from one domain to another.
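As an added example (not from this document) covering both "How can we view all FSMO roles" and the failure questions above: the role inventory from PowerShell rather than Ntdsutil.exe, with a reachability check on each holder and the impact summarized from the answers above. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine.

```powershell
# Added example (not from the original document): list the holders of the five
# FSMO roles with the ActiveDirectory module, check whether each holder
# answers, and pair each with the impact described above if it is down.
# Assumes RSAT / the ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $domain.RIDMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
}

# Impact if the role holder is unavailable, summarized from the answers above.
$ImpactIfDown = @{
    'Schema Master'         = 'No schema updates (rare; not critical)'
    'Domain Naming Master'  = 'Cannot add/remove domains or promote/demote DCs'
    'RID Master'            = 'New users/groups fail once a DC exhausts its RID pool'
    'PDC Emulator'          = 'Password changes, NT4 BDCs and down-level clients affected'
    'Infrastructure Master' = 'Cross-domain object references not updated (multi-domain only)'
}

function Test-FsmoRoleHolder {
    # One object per role: holder, whether it answers a ping, and the impact.
    $results = foreach ($role in (Get-FsmoRoleHolder).GetEnumerator()) {
        [pscustomobject]@{
            Role         = $role.Key
            Holder       = $role.Value
            Reachable    = Test-Connection -ComputerName $role.Value -Count 1 -Quiet
            ImpactIfDown = $ImpactIfDown[$role.Key]
        }
    }
    $results
}

$status = Test-FsmoRoleHolder
$status | Format-Table -AutoSize
# Warn on unreachable holders; the PDC emulator is the one that hurts most.
$status | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.Role) holder $($_.Holder) is unreachable: $($_.ImpactIfDown)"
}
```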

What are the basic requirements (Hardware/Software) to implement the Windows ADS server?
Minimum requirements:
Processor: Single 550 MHz PIII or comparable
Memory: 512 MB of RAM
Hard Disks: Two 9 GB - Mirrored
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers - Redundancy
Recommended requirements:
Processor: Dual Intel Xeon or comparable
Memory: 1 GB of RAM
Hard Disks: Three 9 GB - RAID5
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers - Redundancy
Desktop/Member Server Requirements:
Windows desktop OS should be at least Windows 2000 and have hardware to
support such to receive benefit from the GTAD service.
Windows member servers should be at the Windows 2000 level and have
hardware to support such.

What is the difference between Intersite & Intrasite Replication?


There are two types of replication traffic in Active Directory, intrasite and
intersite. Intrasite replication traffic is between domain controllers within the
same site. Intersite replication traffic is between domain controllers in
different sites. The KCC tunes intrasite replication to minimize replication
latency, whereas it tunes intersite replication to minimize bandwidth usage.
Intrasite vs. Intersite:
Intrasite: Traffic is uncompressed.
Intersite: Traffic is compressed (to save bandwidth).
Intrasite: Replication partners notify each other when changes must be
replicated (to reduce latency).
Intersite: Replication partners do not notify each other (to save bandwidth).
Intrasite: Replication partners poll one another periodically.
Intersite: Replication partners poll one another during scheduled intervals only.
Intrasite: RPC over IP transport only.
Intersite: RPC over IP or SMTP over IP transports.
Intrasite: Replication connections can be created between any two domain
controllers in the same site.
Intersite: Replication connections can only be created between bridgehead
servers. A bridgehead server is designated by the KCC. A bridgehead server is a
domain controller that has been designated to perform all intersite replication
for a particular site.

What are Groups?
Groups are Active Directory (or local computer) objects that can contain users,
contacts, computers, and other groups. In Windows 2003, groups are created in
domains, using the Active Directory Users and Computers tool. You can create
groups in the root domain, in any other domain in the forest, in any
organizational unit, or in any container class object (such as the default Users
container). Like user and computer accounts, groups are Windows 2000 security
principals; they are directory objects to which SIDs are assigned at creation.

What is Distribution Group? (Group Type)
These are used for non-security purposes by applications other than Windows.
One of the primary uses is within e-mail applications, as distribution lists.
As with user accounts, there are both local and domain-level groups. Local
groups are stored in a local computer’s security database and are intended to
control resource access on that computer.
Domain groups are stored in Active Directory and let you gather users and
control resource access in a domain and on domain controllers.

What are Security Groups? (Group Type)
Security groups are used to group domain users into a single administrative
unit. Security groups can be assigned permissions and can also be used as
e-mail distribution lists. Users placed into a group inherit the permissions
assigned to the group for as long as they remain members of that group.
Windows itself uses only security groups.

What is Global Group? (Group Scope)
This group’s permissions and rights exist in the group’s domain and domains
that have a trust relationship with the group’s domain. Global groups may be
given rights and permissions of local groups.

What is Domain Local Group? (Group Scope)
Created on Active Directory domain controllers and used to manage access to
resources in the domain.

What is Universal Group? (Group Scope)
Groups users from multiple domains that perform similar tasks or share
resources across the domains. Any group or user in any domain can be a member
of a universal group.

What is Group Policy?
Group Policies are configuration settings applied to computers or users as they
are initialized. All Group Policy settings are contained in Group Policy Objects
(GPOs) applied to Active Directory sites, domains, or organizational units.
Group Policy is an administrative tool for managing users’ settings and
computer settings across a domain network.

What is Group Policy Object?
A Group Policy Object (GPO) is a collection of settings that define what a system
will look like and how it will behave for a defined group of users.

What are three types of Group Policy Objects?

How does Group Policy inheritance work? What is LSDO?
LSDO (often written LSDOU) is the processing order: Local policies first, then
Site-based policies, then Domain-level policies, then OU policies, then nested
OU policies (OUs within OUs). Group policies cannot be linked to a specific user
or group, only to container objects.
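The LSDOU order above, worked through as a small Python model (an added illustration, not Microsoft code): GPOs are applied Local, Site, Domain, OU, nested OU, and a later GPO overrides an earlier value, so the link closest to the object wins. The model also covers Block Inheritance and Enforced links, which are standard Group Policy behaviour assumed here and not described on this page; the GPO names and settings are constructed sample data.

```python
"""Group Policy processing order (LSDOU) as a small model: the Local GPO is
applied first, then GPOs linked to the Site, the Domain, the OU and any nested
OUs; each later GPO overrides earlier values, so the link closest to the
object wins.  Block Inheritance and Enforced links are modelled too (standard
Group Policy behaviour, assumed here).  Added illustration, not Microsoft code;
every GPO name and setting below is constructed sample data."""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False        # "Enforced" (formerly "No Override") on the link


@dataclass
class Container:
    """A site, domain or OU with its linked GPOs in link order
    (index 0 = link order 1 = highest precedence, applied last)."""
    name: str
    links: list
    block_inheritance: bool = False


def processing_order(local_gpo, containers):
    """Return GPOs in the order they are applied.

    `containers` is the LSDOU chain from site down to the object's own OU.
    Block Inheritance on a container discards the non-enforced GPOs inherited
    from above it; enforced GPOs are never blocked and are applied after all
    others, a parent's enforced link winning over a child's.
    """
    normal, enforced = [], []
    for container in containers:
        if container.block_inheritance:
            normal = []                       # drop inherited non-enforced GPOs
        for gpo in reversed(container.links): # lowest link order applied first
            (enforced if gpo.enforced else normal).append(gpo)
    return [local_gpo] + normal + list(reversed(enforced))


def resultant_settings(order):
    """Resultant Set of Policy: apply GPOs in order (later values win) and
    remember which GPO supplied each final value."""
    rsop, source = {}, {}
    for gpo in order:
        for key, value in gpo.settings.items():
            rsop[key] = value
            source[key] = gpo.name
    return rsop, source


# Constructed sample: a workstation in OU Corp/Finance of domain example.local
LOCAL = GPO("Local Computer Policy", {"LockTimeoutMin": 0, "FirewallOn": False})
SITE = Container("Site HQ", [GPO("HQ-Site", {"LockTimeoutMin": 10})])
DOMAIN = Container("Domain example.local", [
    GPO("Default Domain Policy", {"FirewallOn": True, "AuditLogon": True}),
    GPO("Domain-Lockdown", {"RemovableMedia": "deny"}, enforced=True),
])
CORP = Container("OU Corp", [GPO("Corp-Baseline", {"LockTimeoutMin": 15})])
FINANCE = Container("OU Corp/Finance",
                    [GPO("Finance", {"LockTimeoutMin": 5, "RemovableMedia": "allow"})],
                    block_inheritance=True)


def demo(block=True):
    """RSoP for the Finance workstation, with or without Block Inheritance."""
    chain = [SITE, DOMAIN, CORP,
             FINANCE if block else Container(FINANCE.name, FINANCE.links)]
    return resultant_settings(processing_order(LOCAL, chain))


if __name__ == "__main__":
    for block in (False, True):
        rsop, source = demo(block)
        print(f"Block Inheritance on Finance: {block}")
        for key in sorted(rsop):
            print(f"  {key:<15} = {rsop[key]!s:<6} from {source[key]}")
```

With Block Inheritance switched on, the domain's firewall and audit settings silently disappear from the workstation while the enforced Domain-Lockdown still wins over the OU's "allow", which is the kind of result an RSoP check is meant to surface.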

What is the difference between FAT, FAT32 & NTFS & what is it?
Following are Microsoft's Windows Glossary definitions for each of the 3 file
systems:
1. File Allocation Table (FAT): A file system used by MS-DOS and other
Windows-based operating systems to organize and manage files. The file
allocation table (FAT) is a data structure that Windows creates when you
format a volume by using the FAT or FAT32 file systems. Windows stores
information about each file in the FAT so that it can retrieve the file later.
2. FAT32: A derivative of the File Allocation Table (FAT) file system. FAT32
supports smaller cluster sizes and larger volumes than FAT, which results in
more efficient space allocation on FAT32 volumes.
3. NTFS: An advanced file system that provides performance, security,
reliability, and advanced features that are not found in any version of FAT. For
example, NTFS guarantees volume consistency by using standard transaction
logging and recovery techniques. If a system fails, NTFS uses its log file and
checkpoint information to restore the consistency of the file system. In
Windows 2000 and Windows XP, NTFS also provides advanced features such as
file and folder permissions, encryption, disk quotas, and compression.
NTFS File System:
1. NTFS is the best file system for large drives. Unlike FAT and FAT32,
performance with NTFS does not degrade as drive size increases.
2. One of the major security features in NTFS is encryption, that is, the
process of disguising a message or data in such a way as to hide its
substance.
3. Another feature in NTFS is disk quotas. It gives you the ability to monitor
and control the amount of disk space used by each user.
4. Using NTFS, you can keep access control on files and folders and support
limited accounts. In FAT and FAT32, all files and folders are accessible by all
users no matter what their account type is.
5. Domains can be used to tweak security options while keeping administration
simple.
6. Compression available in NTFS enables you to compress files, folders, or
whole drives when you're running out of disk space.
7. Removable media (such as tapes) are made more accessible through the
Remote Storage feature.
8. Recovery logging helps you restore information quickly if power failures or
other system problems occur.
9. A volume can be converted to NTFS in one of two ways:
1. Back up all your data before formatting:
So you want to start with a 'clean' drive but can't afford to lose your precious
files? Very simple: all you need to do is back up your files to an external hard
drive or a partition other than the one you want to convert, or burn the data
onto CDs. After you're done you can format the drive with NTFS.
2. Use the convert command from the command prompt:
This way, you don't need to back up. All files are preserved as they are.
However, I recommend a backup. You don't know what might go wrong and,
besides, what would you lose if you do back up? When I converted to NTFS using
convert.exe, everything went smoothly. Chances are your conversion will be
equally smooth.
IMPORTANT NOTE: This is a one-way conversion. Once you've converted to
NTFS, you can't go back to FAT or FAT32 unless you format the drive.
1. Open Command Prompt:
Start | All Programs | Accessories | Command Prompt
OR
Start | Run | type "cmd" without quotes | OK
2. Type "convert drive letter: /fs:ntfs" and press Enter. For example, type
"convert C: /fs:ntfs" (without quotes) if you want to convert drive C.
3. If you're asked whether you want to dismount the drive, agree.

What are Permissions?
Permissions are a key component of the Windows Server 2003 security
architecture that you can use to manage the process of authorizing users,
groups, and computers to access objects on a network.

What is Backup?
To copy files to a second medium (a disk or tape) as a precaution in case the
first medium fails.

What are the types of Backup?
There are 5 types of backup in Windows 2003, as follows: Copy, Normal,
Incremental, Daily and Differential.

Explain the difference between Incremental & Differential Backup?
Differential backup backs up only the files that changed since the last full
backup. For example, suppose you do a full backup on Sunday. On Monday you
back up only the files that changed since Sunday, on Tuesday you back up only
the files that changed since Sunday, and so on until the next full backup.
Differential backups are quicker than full backups because so much less data is
being backed up. But the amount of data being backed up grows with each
differential backup until the next full backup. Differential backups are more
flexible than full backups, but still unwieldy to do more than about once a day,
especially as the next full backup approaches.
Incremental backups also back up only the changed data, but they only back
up the data that has changed since the last backup, be it a full or incremental
backup. They are sometimes called "differential incremental backups," while
differential backups are sometimes called "cumulative incremental backups."
Confused yet? Don't be.
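The five Windows 2003 backup types, and the differential-versus-incremental contrast just described, come down to what each job does with the NTFS archive attribute. The following Python model is an added example (not ntbackup's code, and not from this page); the file names and the week of changes are constructed sample data.

```python
"""The five ntbackup job types of Windows 2003 modelled through the archive
attribute that NTFS sets whenever a file changes.  Normal and Incremental
jobs clear the attribute after copying; Copy, Differential and Daily do not,
which is exactly why a differential grows until the next full backup while
each incremental stays small.  Added illustration (not ntbackup's code); the
file names and change days are constructed sample data."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified_day: int
    archive: bool = True          # set by the file system on every change


def modify(files, name, day):
    """Simulate a write: the file system sets the archive attribute again."""
    files[name].modified_day = day
    files[name].archive = True


def run_backup(files, kind, today):
    """Return the sorted file names an ntbackup job of `kind` would copy on
    `today`, updating archive attributes the way that job type does."""
    if kind in ("normal", "copy"):
        selected = list(files.values())
    elif kind in ("incremental", "differential"):
        selected = [f for f in files.values() if f.archive]
    elif kind == "daily":
        selected = [f for f in files.values() if f.modified_day == today]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False     # mark the file as backed up
    return sorted(f.name for f in selected)


# Constructed week: full (normal) backup on Sunday (day 0), then one
# partial backup per weekday after that day's changes.
CHANGES = {1: ["payroll.xls"], 2: ["ntds.dit"], 3: ["payroll.xls"]}


def simulate_week(kind):
    """Map day -> files copied, using a full backup on Sunday and `kind`
    backups Monday to Wednesday."""
    files = {n: File(n, 0) for n in ("payroll.xls", "ntds.dit", "readme.txt")}
    history = {0: run_backup(files, "normal", 0)}
    for day in (1, 2, 3):
        for name in CHANGES[day]:
            modify(files, name, day)
        history[day] = run_backup(files, kind, day)
    return history


def restore_chain(kind, day):
    """Backup sets that must be restored, in order, to recover `day`'s state:
    the last full plus the latest differential, or the last full plus every
    incremental taken since it."""
    if kind == "differential":
        return [0, day] if day else [0]
    if kind == "incremental":
        return list(range(0, day + 1))
    raise ValueError("restore chain only defined for partial backup types")


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, simulate_week(kind), "restore Wed from sets",
              restore_chain(kind, 3))
```

Note that the differential set on Wednesday still contains ntds.dit although it last changed on Tuesday, while the incremental chain needs all four sets to restore, so a lost Tuesday tape breaks an incremental restore but not a differential one.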

How can we take the backup for ADS?
We can take the ADS backup through ntbackup and select the system state
backup.

How to restore an ADS Backup?
Restoring Windows Server 2003 system state and system services
Tivoli Storage Manager supports the Microsoft Volume Shadow Copy Service
(VSS) on Windows Server 2003. Tivoli Storage Manager uses VSS to restore all
system state components as a single object, to provide a consistent point-in-
time snapshot of the system state. You can restore all system service
components (the default) or individual components.
System state components include the following:
· Active Directory (domain controller only)
· Windows Server 2003 system volume
· Certificate Server Database
· COM+ database
· Windows Registry
· System and boot files
Attention: Restoring system state in a situation other than system recovery is
not recommended.
You must have administrative authority to restore System State information. To
restore the Windows Server 2003 system state using the GUI:
1. Click Restore from the GUI main window. The Restore window appears.
2. Expand the directory tree by clicking the plus sign +. To display files in a
folder, click the folder icon.
3. Locate the System State node in the directory tree. You can expand the
System State node to display the components.
4. Click the selection box next to the System State node to restore the entire
system state. You can restore the System State node only as a single entity
because of dependencies among the system state components. By default, all
components are selected; you cannot back up individual system state
components.
5. Click Restore. The Task List window displays the restore processing status.
On the command line, use the restore system state command to restore a
backup of a system state. See Restore System state for more information.
Considerations:
· You can restore System State data to an alternate machine.
· If you are upgrading from a Windows 2000 machine to a Windows Server 2003
machine, you cannot restore the Windows 2000 system objects that were
backed up to the server.
· Your Windows Server 2003 client must be connected to a Tivoli Storage
Manager Version 5.2.0 or higher server.
· If Active Directory is installed, you must be in Active Directory restore mode.
· See Performing a Windows XP or Windows Server 2003 system recovery for
procedures on how to perform the following tasks:
• Your operating system is still functioning, but a complete system restore is
required.
• A complete recovery is required, including an operating system re-installation.
System services components include the following:
· Background Intelligent Transfer Service (BITS)
· Event logs
· Removable Storage Management Database (RSM)
· Cluster Database (cluster node only)
· Remote Storage Service
· Terminal Server Licensing
· Windows Management Instrumentation (WMI)
· Internet Information Services (IIS) metabase
· DHCP database
· WINS database
To restore the system services using the GUI:
1. Click Restore from the GUI main window. The Restore window appears.
2. Expand the directory tree by clicking the plus sign +. To display files in a
folder, click the folder icon.
3. Locate the System Services node in the directory tree. You can expand the
System Services node to display the components.
4. Click the selection box next to the system services component(s) that you
want to restore.
5. Click Restore. The Task List window displays the backup processing status.
On the command line, use the restore system services command to restore a
backup of the system services. See Restore System services for more
information.

What is a Cluster?
A cluster is a group of independent computers that work together to run a
common set of applications and provide the image of a single system to the
client and application. The computers are physically connected by cables and
programmatically connected by cluster software. These connections allow
computers to use problem-solving features such as failover in Server clusters
and load balancing in Network Load Balancing (NLB) clusters.

What is the definition for Additional Domain Controller?
As the name suggests, it is an additional domain controller in an existing
domain. It can hold any of the FSMO roles at any given instance and provides
the services that clients locate through SRV records.

What is Domain Controller?
A domain controller is a server on which the Active Directory service is
installed. Domain controllers are used to administer domain objects, such as
user accounts and groups.

What is Proxy Server?
In an enterprise that uses the Internet, a proxy server is a server that acts as
an intermediary between a workstation user and the Internet so that the
enterprise can ensure security, administrative control, and caching service. A
proxy server is associated with or part of a gateway server that separates the
enterprise network from the outside network and a firewall server that
protects the enterprise network from outside intrusion.

What is Basic Disk?
A standard disk with standard partitions (primary and extended).

What is Dynamic Disk?
Disks that have dynamic mounting capability to add additional local or remote
partitions or directories to a disk drive. These are called dynamic volumes. This
is new with the Windows 2000 operating system and is not supported by any
other operating systems. Any volume that is on more than one hard drive must
be created with dynamic disks. A disk can only be converted from dynamic to
basic by first deleting all the volumes in the dynamic disk.

What is RAID?
RAID (Redundant Array of Independent Disks) is a collection of disk drives that
offers increased performance and fault tolerance. There are a number of
different RAID levels. The three most commonly used are 0, 1, and 5.
Level 0: striping without parity (spreading out blocks of each file across
multiple disks).
Level 1: disk mirroring or duplexing.
Level 2: bit-level striping with parity.
Level 3: byte-level striping with dedicated parity.

What is Simple Volume?
Simple volumes are the most common volumes and the type of volume that you
will create most often. If you are using a single disk configuration, a simple
volume is the only volume type that you can create.

What is Spanned Volume?
Spanned volumes are created by combining disk space from two or more hard
disks. Spanned volumes can be created by using different amounts of space
from different hard disks. For example, a 10GB spanned volume can be created
from 6GB of unallocated space on hard drive 0, 3GB of unallocated space on
hard drive 1, and 1GB of space on hard drive 2. A spanned volume cannot be
extended, and there is no fault tolerance in using a spanned volume. If any of
the drives fail, the data on the volume is lost and must be restored from
backup (tape). Spanned volumes can be created from two physical disks and
can contain up to 32 physical disks.

What is Mirrored Volume?
Mirrored volumes are created using two physical disks. A mirrored volume
requires the same amount of unallocated space on each of the physical disks
used. When data is written to a mirrored volume, the data is written to one
disk and then synchronized to the second disk. An exact copy of the data is
available on both physical disks.

What is Striped Volume?
A striped volume is created using a minimum of two and a maximum of 32
physical drives to create a single volume. A striped volume is created by using
an equal amount of unallocated space on all the physical disks.
The data is written across all physical disks in the volume in equal parts,
thereby creating a stripe pattern. When data is written to the volume, it is
divided into 64KB parts and each part is written to a separate disk. Chopping
the data into pieces allows each physical disk to be performing a write
operation at almost exactly the same time, thereby increasing speed
dramatically. When data is read, it is read in the same way, in 64KB blocks at a
time. Striped volumes provide the best read and write performance of all the
different types of volumes. A striped volume gets its name from how the data
is read and accessed on the drive.

What is Raid-0?
RAID Level 0 is not redundant, hence does not truly fit the "RAID" acronym. In
level 0, data is split across drives, resulting in higher data throughput. Since no
redundant information is stored, performance is very good, but the failure of
any disk in the array results in data loss. This level is commonly referred to as
striping.

What is RAID-1?
RAID Level 1 provides redundancy by writing all data to two or more drives.
The performance of a level 1 array tends to be faster on reads and slower on
writes compared to a single drive, but if either drive fails, no data is lost. This
is a good entry-level redundant system, since only two drives are required;
however, since one drive is used to store a duplicate of the data, the cost per
megabyte is high. This level is commonly referred to as mirroring.

What is RAID-5?
RAID Level 5 is similar to level 4, but distributes parity among the drives. This
can speed small writes in multiprocessing systems, since the parity disk does
not become a bottleneck. Because parity data must be skipped on each drive
during reads, however, the performance for reads tends to be considerably
lower than a level 4 array. The cost per megabyte is the same as for level 4.
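To make the level 0 / level 1 / level 5 descriptions above concrete, here is an added Python model (not from this page) of RAID-5 striping: each stripe holds one chunk per drive, data chunks plus one XOR-parity chunk whose position rotates from stripe to stripe, and a lost drive is rebuilt by XOR-ing the surviving chunks. Chunk size, drive count and the sample data are constructed.

```python
"""RAID-5 striping with rotating parity and rebuild of a failed drive, as an
added example (not from the page).  A stripe holds one chunk per drive: the
data chunks plus one XOR-parity chunk whose position rotates from stripe to
stripe, so parity work is spread over every drive (the level 5 versus level 4
difference) and any single missing chunk can be recomputed from the others.
The sample data below is constructed."""
from functools import reduce
from operator import xor


def xor_blocks(blocks):
    """XOR equal-length byte strings together: the RAID-5 parity function."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def parity_disk(stripe_no, disks):
    """Which drive holds parity for this stripe (left-symmetric rotation)."""
    return (disks - 1 - stripe_no) % disks


def raid5_write(data, disks=4, chunk=4):
    """Lay `data` out over `disks` drives; returns one chunk list per drive."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least three drives")
    per_stripe = (disks - 1) * chunk
    drives = [[] for _ in range(disks)]
    for stripe_no, offset in enumerate(range(0, len(data), per_stripe)):
        stripe = data[offset:offset + per_stripe].ljust(per_stripe, b"\0")
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(disks - 1)]
        parity = xor_blocks(chunks)
        pdisk = parity_disk(stripe_no, disks)
        data_chunks = iter(chunks)
        for d in range(disks):
            drives[d].append(parity if d == pdisk else next(data_chunks))
    return drives


def raid5_read(drives, length, failed=None):
    """Reassemble `length` bytes.  When drive `failed` is gone, each of its
    chunks is rebuilt as the XOR of the surviving chunks in the same stripe,
    which works whether the missing chunk held data or parity."""
    disks = len(drives)
    out = bytearray()
    for stripe_no in range(len(drives[0])):
        pdisk = parity_disk(stripe_no, disks)
        chunks = [drives[d][stripe_no] if d != failed else None
                  for d in range(disks)]
        if failed is not None:
            chunks[failed] = xor_blocks([c for c in chunks if c is not None])
        out += b"".join(c for d, c in enumerate(chunks) if d != pdisk)
    return bytes(out[:length])


SAMPLE = b"RAID-5 spreads parity across every drive in the set"  # constructed

if __name__ == "__main__":
    drives = raid5_write(SAMPLE)
    for s in range(len(drives[0])):
        print(f"stripe {s}: parity on drive {parity_disk(s, len(drives))}")
    for lost in range(len(drives)):
        assert raid5_read(drives, len(SAMPLE), failed=lost) == SAMPLE
    print("rebuilt correctly after losing any single drive")
```

Losing a second drive before the rebuild finishes leaves a stripe with two unknown chunks, which XOR cannot recover; that window is the reason RAID-5 is a fault-tolerance measure and not a substitute for the backups described above.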

What is IP?
The Internet Protocol (IP) is a data-oriented protocol used for communicating
data across a packet-switched internetwork. IP is a network layer protocol in
the Internet protocol suite and is encapsulated in a data link layer protocol
(e.g., Ethernet).

What is TCP?
TCP stands for Transmission Control Protocol and is pronounced as separate
letters. TCP is one of the main protocols in TCP/IP networks. Whereas the IP
protocol deals only with packets, TCP enables two hosts to establish a
connection and exchange streams of data. TCP guarantees delivery of data and
also guarantees that packets will be delivered in the same order in which they
were sent.

What is UDP?
UDP is a connectionless protocol that, like TCP, runs on top of IP networks.
Unlike TCP/IP, UDP/IP provides very few error recovery services, offering
instead a direct way to send and receive datagrams over an IP network. It's
used primarily for broadcasting messages over a network.

What is range of TCP/IP in Class A? 1 to 127

What is range of TCP/IP in Class B? 128 to 191

What is range of TCP/IP in Class C? 192 to 223

What are reserved IP ranges in Class A? 10.0.0.0 to 10.255.255.255

What are reserved IP ranges in Class B? 172.16.0.0 to 172.16.255.255

What are reserved IP ranges in Class C? 192.168.0.0 to 192.168.255.255

What IP range is broadcast by a DHCP server by default if no scope is defined?
255.255.255.255

What is Loop back IP address? 127.0.0.1

How can we assign Static IP & dynamic IP using command prompt utility?
Yes, through the netsh command.
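The class ranges, private ranges and loopback address listed in the questions above, as an added Python example (not from the original page) that classifies an address and sorts a constructed list of log source addresses into internal and external. It uses the RFC 1918 private blocks, where the Class B private block is 172.16.0.0/12, i.e. 172.16.0.0 through 172.31.255.255, wider than the 172.16.0.0 to 172.16.255.255 range quoted above; classes D and E are added beyond the page's A, B and C.

```python
"""Classful address ranges and the private (RFC 1918) blocks, as an added
example (not from the original page).  The private Class B block is
172.16.0.0/12, i.e. 172.16.0.0 through 172.31.255.255.  Sample addresses
below are constructed."""
import ipaddress

# First-octet ranges: the page's A/B/C plus D (multicast) and E (experimental).
CLASS_RANGES = [("A", 1, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255)]
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def ip_class(addr):
    """Classful letter for an IPv4 address, or None for 0.x.x.x."""
    first = int(ipaddress.IPv4Address(str(addr))) >> 24
    for name, low, high in CLASS_RANGES:
        if low <= first <= high:
            return name
    return None


def describe(addr):
    """Class, default mask and scope (private/loopback/multicast/public)."""
    ip = ipaddress.IPv4Address(addr)
    cls = ip_class(ip)
    if ip in LOOPBACK:
        scope = "loopback"
    elif any(ip in block for block in PRIVATE_BLOCKS):
        scope = "private"
    elif cls == "D":
        scope = "multicast"
    elif cls == "E":
        scope = "experimental"
    else:
        scope = "public"
    return {"address": str(ip), "class": cls,
            "default_mask": DEFAULT_MASKS.get(cls), "scope": scope}


def split_by_scope(addresses):
    """Partition addresses (e.g. sources seen in a firewall log) into
    internal (private or loopback) and everything else, a common first
    triage step before deciding which connections deserve a closer look."""
    internal, external = [], []
    for addr in addresses:
        info = describe(addr)
        target = internal if info["scope"] in ("private", "loopback") else external
        target.append(info["address"])
    return internal, external


SAMPLE = ["10.1.2.3", "172.20.5.5", "172.32.0.1", "192.168.1.10",
          "8.8.8.8", "127.0.0.1", "224.0.0.251"]   # constructed

if __name__ == "__main__":
    for addr in SAMPLE:
        print(describe(addr))
    print(split_by_scope(SAMPLE))
```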

What is Subnet Mask?
In computer networks, a subnetwork or subnet is a range of logical addresses
within the address space that is assigned to an organization. Subnetting is a
hierarchical partitioning of the network address space of an organization (and
of the network nodes of an autonomous system) into several subnets. The
subnet mask marks which bits of an address identify the subnet and which
identify the host.

What is Gateway?
A gateway is either hardware or software that acts as a bridge between two
networks so that data can be transferred between a number of computers.

What is Routed Protocol?
Routed protocols are the protocols that carry user data and are forwarded
(routed) by routers; routers learn where to forward them by exchanging
information with other routers using routing protocols.

What is Routing Protocol?
Routing protocols distribute routing information throughout all routers on a
network. By knowing about all other routers connected to the network, each
router can determine the best path to use to deliver your traffic.

What is OSI Layer? Describe Each.
OSI (Open Systems Interconnection) is a standard description or "reference
model" for how messages should be transmitted between any two points in a
telecommunication network. Its purpose is to guide product implementers so
that their products will consistently work with other products. The reference
model defines seven layers of functions that take place at each end of a
communication. Although OSI is not always strictly adhered to in terms of
keeping related functions together in a well-defined layer, many if not most
products involved in telecommunication make an attempt to describe them in
relation to the OSI model.
Layer 7: The application layer...This is the layer at which communication
partners are identified, quality of service is identified, user authentication and
privacy are considered, and any constraints on data syntax are identified. (This
layer is not the application itself, although some applications may perform
application layer functions.)
Layer 6: The presentation layer...This is a layer, usually part of an operating
system, that converts incoming and outgoing data from one presentation
format to another (for example, from a text stream into a popup window with
the newly arrived text). Sometimes called the syntax layer.
Layer 5: The session layer...This layer sets up, coordinates, and terminates
conversations, exchanges, and dialogs between the applications at each end. It
deals with session and connection coordination.
Layer 4: The transport layer...This layer manages the end-to-end control (for
example, determining whether all packets have arrived) and error-checking. It
ensures complete data transfer.
Layer 3: The network layer...This layer handles the routing of the data
(sending it in the right direction to the right destination on outgoing
transmissions and receiving incoming transmissions at the packet level). The
network layer does routing and forwarding.
Layer 2: The data-link layer...This layer provides synchronization for the
physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes
transmission protocol knowledge and management.
Layer 1: The physical layer...This layer conveys the bit stream through the
network at the electrical and mechanical level. It provides the hardware means
of sending and receiving data on a carrier.

What is the difference between CIDR & VLSM?
Both are closely related: with VLSM we make better use of the IP address
space inside an organization, while with CIDR we improve both address space
utilization and routing scalability in the Internet. CIDR is used in Internet
routers.
VLSM - Variable Length Subnet Masking. Several new methods of addressing
were created so that usage of IP space was more efficient. The first of these
methods is called Variable-Length Subnet Masking (VLSM). Subnetting had long
been a way to better utilize address space. Subnets divide a single network
into smaller pieces. This is done by taking bits from the host portion of the
address to use in the creation of a “sub” network. For example, take the
class B network 147.208.0.0. The default network mask is 255.255.0.0, and the
last two octets contain the host portion of the address. To use this address
space more efficiently, we could take all eight bits of the third octet for the
subnet. One drawback of subnetting is that once the subnet mask has been
chosen, the number of hosts on each subnet is fixed. This makes it hard for
network administrators to assign IP space based on the actual number of hosts
needed. For example, assume that a company has been assigned 147.208.0.0
and has decided to subnet this by using eight bits from the host portion of the
address. Assume that the address allocation policy is to assign one subnet per
department in an organization. This means that 254 addresses are assigned to
each department. Now, if one department only has 20 servers, then 234
addresses are wasted. Using variable-length subnet masks (VLSM) improves on
subnet masking. VLSM is similar to traditional fixed-length subnet masking in
that it also allows a network to be subdivided into smaller pieces. The major
difference between the two is that VLSM allows different subnets to have
subnet masks of different lengths. For the example above, a department with
20 servers can be allocated a subnet mask of 27 bits. This allows the subnet to
have up to 30 usable hosts on it.
CIDR - Classless Inter-Domain Routing. CIDR is also called supernetting. It's
an IP addressing scheme that replaces the older system based on classes A, B,
and C. With CIDR, a single IP address can be used to designate many unique IP
addresses. A CIDR IP address looks like a normal IP address except that it ends
with a slash followed by a number, called the IP prefix. For example:
172.200.0.0/16.
The IP prefix specifies how many addresses are covered by the CIDR address,
with lower numbers covering more addresses. An IP prefix of /12, for example,
can be used to address 1,048,576 former Class C addresses.
CIDR addresses reduce the size of routing tables and make more IP addresses
available within organizations.
Comparing CIDR to VLSM:
CIDR and VLSM both allow a portion of the IP address space to be recursively
divided into subsequently smaller pieces. The difference is that with VLSM, the
recursion is performed on the address space previously assigned to an
organization and is invisible to the global Internet. CIDR, on the other hand,
permits the recursive allocation of an address block by an Internet Registry to a
high-level ISP, a mid-level ISP, a low-level ISP, and a private organization’s
network.
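The 147.208.0.0 example above (254 hosts per fixed /24, 234 wasted by a 20-server department, 30 usable hosts in a /27), carried through in Python with the standard ipaddress module, plus the CIDR side: aggregating contiguous prefixes into one supernet. This is an added example, not part of the original page; the department names and host counts are constructed.

```python
"""Fixed-length subnetting versus VLSM on the 147.208.0.0 example, plus CIDR
supernetting, using only the standard ipaddress module.  Added example, not
part of the original page; department names and host counts are constructed."""
import ipaddress


def usable_hosts(net):
    """Hosts addressable in a subnet (network and broadcast excluded)."""
    return max(net.num_addresses - 2, 0)


def prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable host count covers `hosts`."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than a single IPv4 network can hold")


def fixed_length_waste(network, subnet_bits, hosts_needed):
    """Classic subnetting: every subnet gets the same mask, so a small
    department wastes whatever it does not use.  Returns (usable, wasted)."""
    net = ipaddress.ip_network(network)
    subnet = next(net.subnets(prefixlen_diff=subnet_bits))
    return usable_hosts(subnet), usable_hosts(subnet) - hosts_needed


def vlsm_allocate(network, demands):
    """Carve `network` into subnets sized to each demand (name -> hosts).
    Allocating the largest request first keeps every block aligned to its
    own size, so one moving cursor never yields an invalid network address."""
    net = ipaddress.ip_network(network)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        block = ipaddress.IPv4Network((cursor, prefix_for(hosts)))
        if int(block.broadcast_address) >= end:
            raise ValueError(f"address space exhausted at {name}")
        plan[name] = block
        cursor += block.num_addresses
    return plan


def supernet(cidrs):
    """CIDR aggregation: collapse contiguous, aligned networks into the
    fewest prefixes a router needs to advertise."""
    return list(ipaddress.collapse_addresses(map(ipaddress.ip_network, cidrs)))


if __name__ == "__main__":
    print(fixed_length_waste("147.208.0.0/16", 8, 20))       # (254, 234)
    print(prefix_for(20), usable_hosts(ipaddress.ip_network("147.208.1.0/27")))
    demands = {"Sales": 100, "Engineering": 50, "Finance": 20, "WAN link": 2}
    for name, block in vlsm_allocate("147.208.0.0/16", demands).items():
        print(f"{name:<12} {block}  ({usable_hosts(block)} usable)")
    print(supernet(["192.168.0.0/24", "192.168.1.0/24",
                    "192.168.2.0/24", "192.168.3.0/24"]))
    print(ipaddress.ip_network("172.0.0.0/12").num_addresses)  # 1048576
```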

What is the difference between Windows NT, Windows 2000 & Windows 2003?
The major differences between NT, 2000 & 2003 are as follows:
1) Windows NT Server has the concept of PDC and BDC; there is no such concept
in 2000.
2) In Windows NT Server the SAM database is read/write on the PDC and
read-only on the BDC, but in a 2000 domain the SAM database on every domain
controller is read/write.
3) A 2000 server can at any moment become a domain controller or a member
server simply by adding/removing it with dcpromo, but in Windows NT you have
to reinstall the operating system.
A) In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.
B) 2000 supports 8 processors and 64 GB RAM (in 2000 Advanced Server),
whereas 2003 supports up to 64 processors and a maximum of 512 GB RAM.
C) 2000 supports IIS 5.0 and 2003 supports IIS 6.0.
D) 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
E) 2000 has Server and Advanced Server editions, whereas 2003 has Standard,
Enterprise, Datacentre and Web Server editions.
F) 2000 doesn't have any 64-bit server operating system, whereas 2003 has
64-bit server operating systems (Windows Server 2003 x64 Standard and
Enterprise Edition).
G) 2000 has a basic concept of DFS (Distributed File System) with defined roots,
whereas 2003 has enhanced DFS support with multiple roots.
H) In 2000 there is complexity in administering complex networks, whereas 2003
offers easy administration in all networks, including complex ones.
I) In 2000 we can create 1 million users and in 2003 we can create 1 billion
users.
J) In 2003 we have the Volume Shadow Copy Service, which is used to create
hard disk snapshots used in disaster recovery; 2000 doesn't have this service.
K) In 2000 we don't have end-user policy management, whereas in 2003 we
have end-user policy management, which is done in GPMC (Group Policy
Management Console).
L) In 2000 we have cross-domain trust relationships, and in 2003 we have
cross-forest trust relationships.
M) 2000 supports 4-node clustering and 2003 supports 8-node clustering.
N) 2003 has high HCL (Hardware Compatibility List) support issued by Microsoft.
O) The code name of 2000 is Win NT 5.0 and the code name of 2003 is Win NT 5.1.
P) 2003 has a service called ADFS (Active Directory Federation Services), which
is used to communicate between branches with safe authentication.
Q) In 2003 there is improved storage management using the File Server
Resource Manager (FSRM) service.
R) 2003 has a service called Windows SharePoint Services (an integrated
portfolio of collaboration and communication services designed to connect
people, information, processes, and systems both within and beyond the
organizational firewall).
S) 2003 has improved print management compared to 2000 Server.
T) 2003 has telnet sessions available.
U) 2000 supports IPv4 whereas 2003 supports IPv4 and IPv6.
Windows 2003 supports shadow copies, a new tool to recover files.
Windows 2003 Server includes an IIS server. That is the biggest advantage, on
top of better file system management.
In 2003 Server you can change the domain name at any time without rebuilding
the domain, whereas in 2000 you have to rebuild the entire domain to change
the domain name.
Windows 2000 supports a maximum of 10 users accessing a shared folder at a
time through the network, but in Windows 2003 there is no limitation.

How can we restore Windows XP/Windows 2000?
If Windows XP starts:
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System
Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an
earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system
checkpoint in the "On this list, click a restore point" list, and then click
Next. A System Restore message may appear that lists configuration changes
that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore
restores the previous Windows XP configuration, and then restarts the
computer.
6. Log on to the computer as Administrator. The System Restore Restoration
Complete page appears.
7. Click OK.

What is the difference between Windows XP Home Edition & Professional
Edition?
Windows XP Home Edition:
· Contains basic support for security among multiple users.
· Built-in support for peer-to-peer networking, but only for up to five
computers.
· The backup utility is not installed by default, but is included on the CD.
Windows XP Professional Edition:
· Includes extended support for security between multiple users on the same
machine.
· Better support for peer-to-peer networking, plus support for joining a
"Windows NT domain."
· The backup utility is installed by default.
· The Professional edition includes the following components not found in the
Home edition:
• Administrative Tools (in the Start Menu and Control Panel)
• Automated System Recovery (ASR)
• Boot Configuration Manager
• DriverQuery
• Group Policy Refresh Utility
• Multi-lingual User Interface (MUI) add-on
• NTFS Encryption Utility
• Offline Files and Folders
• OpenFiles
• Performance Log Manager
• Remote Desktop
• Scheduled Tasks Console
• Security Template Utility
• Taskkill
• Tasklist
• Telnet Administrator
· Provides support for multi-processor systems (2 or 4 CPUs), Dynamic Disks,
Fax.

What are transaction logs in Exchange?
Transaction logging is a robust disaster recovery mechanism that is designed to
reliably restore an Exchange database to a consistent state after any sudden
stop of the database.

What is Active Directory?
Active Directory stores information about objects on a network and makes this
information usable to users and network administrators. Active Directory gives
network users access to permitted resources anywhere on the network using a
single logon process. It provides network administrators with an intuitive,
hierarchical view of the network and a single point of administration for all
network objects.

What is domain?
A collection of computer, user, and group objects defined by the administrator.
These objects share a common directory database, security policies, and
security relationships with other domains.
What is forest?
One or more Active Directory domains that share the same class and attribute
definitions (schema), site, and replication information (configuration), and
forest-wide search capabilities (global catalog). Domains in the same forest are
linked with two-way, transitive trust relationships.

What is an organizational unit (OU)?
An Active Directory container object used within domains. An OU is a logical
container into which users, groups, computers, and other OUs are placed. It
can contain objects only from its parent domain. An OU is the smallest scope to
which a GPO can be linked, or over which administrative authority can be
delegated.

What is a site?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site
allows administrators to configure Active Directory access and replication
topology to take advantage of the physical network.

How is a directory service different from a directory?
A directory service differs from a directory in that it is both the source of the
information and the mechanism that makes the information available to the
users.

How is Active Directory scalable?
Active Directory enables you to scale the directory to meet business and
network requirements through the configuration of domains and trees, and the
placement of domain controllers. Active Directory allows millions of objects
per domain and uses indexing technology and advanced replication techniques
to speed performance.

What is multimaster replication?
Multimaster replication is a replication model in which any domain controller
accepts and replicates directory changes to any other domain controller.
Because multiple domain controllers are employed, replication continues, even
if any single domain controller stops working.

Name the Active Directory components used to represent an organization’s
logical structure?
The Active Directory components used to represent an organization’s logical
structure are domains, organizational units (OUs), trees, and forests.

Name the physical components of Active Directory.
The physical components of Active Directory are sites and domain controllers.

What is the function of the global catalog?
The global catalog has two main functions: (1) it enables a user to log on to a
network by providing universal group membership information to a domain
controller when a logon process is initiated, and (2) it enables finding directory
information regardless of which domain in the forest actually contains the
data.

List the four directory partitions of the Active Directory database.
The four directory partitions of the Active Directory database are schema
partition, configuration partition, domain partition, and application partition.

What is the function of the KCC?
The KCC is a built-in process that runs on all domain controllers. The KCC
configures connection objects between domain controllers. Within a site, each
KCC generates its own connections. For replication between sites, a single KCC
per site generates all connections between sites.

List the six types of trusts used in Active Directory.
The six types of trusts used in Active Directory are tree-root trust, parent-child
trust, shortcut trust, external trust, forest trust, and realm trust.

What is change and configuration management? What is IntelliMirror?
Change and configuration management is a set of Windows Server 2003
features that simplify computer management tasks. IntelliMirror is a set of
Windows Server 2003 features that assist with managing user and computer
information, settings, and applications. When IntelliMirror is used in both
server and client, the users’ data, applications, and settings follow them when
they move to another computer.

Explain the function of group policies.
Group policies are collections of user and computer configuration settings that
can be linked to computers, sites, domains, and OUs to modify computer
settings and specify the behavior of users’ desktops.

Define each of the following names: DN, RDN, GUID, UPN.
The distinguished name (DN) uniquely identifies the object and contains the
name of the domain that holds the object, as well as the complete path
through the container hierarchy to the object. The relative distinguished name
(RDN) is the part of an object’s DN that is an attribute of the object itself. The
globally unique identifier (GUID) is a 128-bit hexadecimal number that is
guaranteed to be unique within the enterprise. The user principal name (UPN)
consists of a user account name (sometimes referred to as the user logon
name) and a domain name identifying the domain in which the user account is
located.
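As an added example (not code from the page), the Python below applies those four definitions to a DN: it splits the DN into its RDNs, isolates the RDN of the object itself, reassembles the DNS name of the owning domain from the DC components, and builds the default UPN from a logon name. The DN and the logon name are constructed and example.corp is a placeholder domain. It goes a little beyond the definitions above by honouring RFC 4514 backslash and hex escapes, so a comma inside a CN value is not mistaken for a separator.

```python
from __future__ import annotations

# Added example: parse an Active Directory DN into RDNs and derive the default
# UPN suffix from its DC components. Sample DN and logon name are constructed;
# example.corp is a placeholder domain.

_HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas, leaf component first.

    A backslash escapes the next character (RFC 4514), so the comma inside
    CN=Smith\\, John stays part of the value instead of ending the RDN.
    """
    rdns: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def unescape_value(value: str) -> str:
    """Resolve RFC 4514 escapes: a backslash before a special character,
    or a backslash followed by two hex digits (for example \\2c for a comma)."""
    out: list[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))  # hex pair, e.g. \2c -> ,
                i += 3
            else:
                out.append(value[i + 1])        # escaped literal, e.g. \, -> ,
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (attribute type, unescaped value) pairs, leaf first."""
    pairs: list[tuple[str, str]] = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), unescape_value(value.strip())))
    return pairs


def rdn_of(dn: str) -> str:
    """The RDN: the leading component, an attribute of the object itself."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """The container path that, together with the RDN, makes the DN unique."""
    return ",".join(split_dn(dn)[1:])


def dns_domain_of(dn: str) -> str:
    """Join the DC= components into the DNS name of the domain holding the object."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def default_upn(logon_name: str, dn: str) -> str:
    """Default UPN: user logon name @ DNS name of the domain holding the account."""
    return f"{logon_name}@{dns_domain_of(dn)}"


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Sales,DC=example,DC=corp"  # constructed DN
    print(rdn_of(sample), "|", parent_dn(sample), "|", default_upn("jsmith", sample))
```

The GUID is not derived here because it is assigned by the directory at object creation and cannot be computed from the name; everything else in the definition above follows from the DN string alone.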

What three tools are necessary to develop an effective Active Directory
infrastructure design?
The following tools are necessary to develop an effective Active Directory
infrastructure design: design team, business and technical analyses, and test
environment.

List the four stages in the Active Directory design process.
The stages in the design process are creating a forest plan, creating a domain
plan, creating an OU plan, and creating a site topology plan.

Why should you strive to create only one forest for your organization?
Using more than one forest requires administrators to maintain multiple
schemas, configuration containers, global catalogs, and trusts, and requires
users to take complex steps to use the directory.

Why should you try to minimize the number of domains in your
organization?
Adding domains to the forest increases management and hardware costs.

Why should you define the forest root domain with caution?
Define your forest root domain with caution, because once you’ve named the
forest root domain you cannot change it without renaming and reworking the
entire Active Directory tree.

What is the primary reason for defining an OU?
The primary reason for defining an OU is to delegate administration.

Which tool is used to install and remove Active Directory?
The Active Directory Installation Wizard; the command-line tool is dcpromo.exe.

Which tool helps assign roles to a server, including the role of domain
controller?
Configure Your Server Wizard

What is a domain name?
The name given by an administrator to a collection of networked computers
that share a common directory. Part of the DNS naming structure, domain
names consist of a sequence of name labels separated by periods.

What is a forest root domain?
The first domain created in a new forest.

What are the reasons to create more than one child domain under a
dedicated root domain?
The reasons to create more than one child domain under the dedicated root
are to meet required security policy settings, which are linked to domains; to
meet special administrative requirements, such as legal or privacy concerns; to
optimize replication traffic; to retain Windows NT domains; and to establish a
distinct namespace.

What is a forest root domain?
A forest root domain is the first domain you create in an Active Directory
forest. The forest root domain must be centrally managed by an IT organization
that is responsible for making domain hierarchy, naming, and policy decisions.

For best performance and fault tolerance, where should you store the
database and log files?
For best performance and fault tolerance, it’s recommended that you place the
database and the log file on separate hard disks that are NTFS drives, although
NTFS is not required.

What is the function of the shared system volume folder and where is the
default storage location of the folder?
The shared system volume folder stores public files that must be replicated to
other domain controllers, such as logon scripts and some of the GPOs, for both
the current domain and the enterprise. The default location for the shared
system volume folder is %Systemroot%\Sysvol. The shared system folder must
be placed on an NTFS drive.

Which of the following is not a valid reason for creating an additional
domain?
a. To meet SAM size limitations
b. To meet required security policy settings, which are linked to domains
c. To meet special administrative requirements, such as legal or privacy
concerns
d. To optimize replication traffic
The correct answer is a. In Windows NT, the SAM database had a limitation of
about 40,000 objects per domain. In Windows Server 2003, each domain can
contain more than 1 million objects, so it is no longer necessary to define a
new domain just to handle more objects.

What command must you use to install Active Directory using the Active
Directory Installation Wizard?
Use the Dcpromo command to install Active Directory using the Active
Directory Installation Wizard.

What items are installed when you use the Active Directory Installation
Wizard to install Active Directory?
The Active Directory Installation Wizard installs Active Directory, creates the
full domain name, assigns the NetBIOS name for the domain, sets the Active
Directory database and log folder location, sets the shared system volume
folder location, and installs DNS and a preferred DNS server if you requested
DNS installation.

Explain the two ways you can use an answer file to install Active Directory.
An answer file that is used to install Windows Server 2003 can also include the
installation of Active Directory. Or, you can create an answer file that installs
only Active Directory and is run after Windows Server 2003 Setup is complete
and you have logged on to the system.

What command must you use to install Active Directory using the network
or backup media?
Use the Dcpromo /adv command to install Active Directory using the network
or backup media.

Which of the following commands is used to demote a domain controller?
a. Dcdemote
b. Dcinstall
c. Dcpromo
d. Dcremove
The correct answer is c. You use the Dcpromo command to demote a domain
controller.

After Active Directory has been installed, how can you verify the domain
configuration?
You can verify the domain configuration in three steps by using the Active
Directory Users and Computers console. First, you verify that your domain is
correctly named by finding it in the console tree. Second, you double-click the
domain, click the Domain Controllers container, and verify that your domain
controller appears and is correctly named by finding it in the details pane.
Third, you double-click the server and verify that all information is correct on
the tabs in the Properties dialog box for the server.

After Active Directory has been installed, how can you verify the DNS
configuration?
You can verify DNS configuration by viewing the set of default SRV resource
records on the DNS server in the DNS console.
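The check above is done by eye in the DNS console. As an added example that is not part of the page, the Python below performs the same check against a zone dump: it lists the default locator SRV names a domain controller that is also a global catalog registers (the _ldap, _kerberos and _kpasswd records under the domain, _gc under the forest root, and the dc, pdc and gc sub-trees under _msdcs) and reports which are absent. The zone lines are constructed; example.corp and the site name are placeholders, and in a real check you would export the zone and pass that text in.

```python
from __future__ import annotations

# Added example: compare the SRV records in a DNS zone dump with the default
# DC locator records a domain controller registers. Zone text is constructed;
# example.corp and Default-First-Site-Name are placeholders.

SrvRecord = tuple[int, int, int, str]   # (priority, weight, port, target)


def expected_locator_names(domain: str, forest: str, site: str) -> set[str]:
    """Owner names a DC that is also a global catalog should register."""
    return {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
        f"_gc._tcp.{forest}",
        f"_ldap._tcp.gc._msdcs.{forest}",
    }


def parse_srv_records(zone_text: str) -> dict[str, list[SrvRecord]]:
    """Map owner name -> SRV records from zone-file style lines.

    Accepts  <owner> [<ttl>] [IN] SRV <priority> <weight> <port> <target>
    Trailing dots are dropped, names are lower-cased, and ';' comments and
    blank lines are skipped.
    """
    records: dict[str, list[SrvRecord]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        idx = fields.index("SRV")
        if len(fields) < idx + 5:
            continue                       # truncated record, ignore
        owner = fields[0].rstrip(".").lower()
        prio, weight, port, target = fields[idx + 1:idx + 5]
        records.setdefault(owner, []).append(
            (int(prio), int(weight), int(port), target.rstrip(".").lower())
        )
    return records


def missing_locator_records(zone_text: str, domain: str, forest: str, site: str) -> list[str]:
    """Expected locator names that have no SRV record in the zone dump."""
    present = parse_srv_records(zone_text)
    expected = expected_locator_names(domain.lower(), forest.lower(), site.lower())
    return sorted(name for name in expected if name not in present)


# Constructed zone dump: single-domain forest, one DC, two records missing.
SAMPLE_ZONE = """\
; constructed zone dump for example.corp
_ldap._tcp.example.corp.                                     600 IN SRV 0 100 389  dc1.example.corp.
_ldap._tcp.default-first-site-name._sites.example.corp.      600 IN SRV 0 100 389  dc1.example.corp.
_ldap._tcp.dc._msdcs.example.corp.                           600 IN SRV 0 100 389  dc1.example.corp.
_ldap._tcp.default-first-site-name._sites.dc._msdcs.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_kerberos._tcp.example.corp.                                 600 IN SRV 0 100 88   dc1.example.corp.
_kerberos._udp.example.corp.                                 600 IN SRV 0 100 88   dc1.example.corp.
_kerberos._tcp.default-first-site-name._sites.example.corp.  600 IN SRV 0 100 88   dc1.example.corp.
_kpasswd._tcp.example.corp.                                  600 IN SRV 0 100 464  dc1.example.corp.
_gc._tcp.example.corp.                                       600 IN SRV 0 100 3268 dc1.example.corp.
_ldap._tcp.gc._msdcs.example.corp.                           600 IN SRV 0 100 3268 dc1.example.corp.
"""

if __name__ == "__main__":
    for name in missing_locator_records(SAMPLE_ZONE, "example.corp", "example.corp",
                                        "Default-First-Site-Name"):
        print("missing:", name)
```

A missing _ldap._tcp.pdc._msdcs record is worth noticing on its own: that entry is registered only by the PDC emulator, so its absence points at that role holder rather than at DNS in general.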

After Active Directory has been installed, how can you verify DNS
integration with Active Directory?
You can verify DNS integration by viewing the Type setting and the Dynamic
Updates setting in the General tab in the Properties dialog box for the DNS
zone and the Load Zone Data on Startup setting in the Advanced tab in the
Properties dialog box for the DNS server.

After Active Directory has been installed, how can you verify installation of
the shared system volume?
You can verify installation of the shared system volume by opening
%Systemroot%\Sysvol or the location you specified during Active Directory
installation and verifying that the Sysvol folder contains a shared Sysvol folder
and that the shared Sysvol folder contains a folder for the domain, which
contains a shared Scripts and a Policies folder.

What information is recorded in the directory service log?
Active Directory records events, including errors, warnings, and information
that it generates, in the directory service log in Event Viewer.

How can you fix data left behind after an unsuccessful removal of Active
Directory?
First, you must remove the orphaned metadata—NTDS Settings objects—using
Ntdsutil. Then you must remove the domain controller object in the Active
Directory Sites And Services console. You can safely delete the domain
controller object only after all services have been removed and no child
objects exist.

Which of the following tools are best used to evaluate network
connectivity? Choose all that apply.
a. Dcpromoui.log file
b. Dcpromo.log file
c. Ntdsutil
d. Netdiag
e. Dcdiag
The correct answers are d and e. Netdiag and Dcdiag are the tools best suited
to evaluate network connectivity. The Dcpromoui and Dcpromo log files log
events during the installation process, and Ntdsutil provides management
facilities for Active Directory.

What is an authoritative restore?
In Backup, a type of restore operation performed on an Active Directory
domain controller in which the objects in the restored directory are treated as
authoritative, replacing (through replication) all existing copies of those
objects.

What is a nonauthoritative restore?
A restore operation performed on an Active Directory domain controller in
which the objects in the restored directory are not treated as authoritative.
The restored objects are updated with changes held on other domain
controllers in the domain.

What is the domain functional level?
The level on which a domain running Windows Server 2003 is running. The
functional level of a domain can be raised to enable new Active Directory
features that will apply to that domain only.

What is the forest functional level?
The level on which a forest running Windows Server 2003 is running. The
functional level of a forest can be raised to enable new Active Directory
features that will apply to every domain in the forest.

What is a UPN suffix?
The part of the UPN to the right of the @ character. The default UPN suffix for
a user account is the DNS domain name of the domain that contains the user
account. The UPN suffix is only used within the Active Directory forest, and it is
not required to be a valid DNS name.

What is the purpose of the Active Directory Domains And Trusts console?
The Active Directory Domains And Trusts console provides the interface to
manage domains and manage trust relationships between forests and domains.

What is the purpose of the Active Directory Sites And Services console?
The Active Directory Sites And Services console contains information about the
physical structure of your network.

What is the purpose of the Active Directory Users And Computers console?
The Active Directory Users And Computers console allows you to add, modify,
delete, and organize Windows Server 2003 user accounts, computer accounts,
security and distribution groups, and published resources in your organization’s
directory. It also allows you to manage domain controllers and OUs.

Why isn’t the Active Directory Schema snap-in provided automatically on
the Administrative Tools menu after you install Active Directory?
By default, the Active Directory Schema snap-in is not available on the
Administrative Tools menu and must be installed. This action is required to
ensure that the schema cannot be modified by accident.

Which Active Directory-specific Windows Support Tool enables you to
manage Windows Server 2003 domains and trust relationships?
a. Ntdsutl.exe
b. Netdom.exe
c. Active Directory Domains And Trusts console
d. Nltest.exe
The correct answer is b. The Netdom.exe tool enables you to manage Windows
Server 2003 domains and trust relationships. While the Active Directory
Domains And Trusts console also provides this capability, this tool is not an
Active Directory–specific Windows Support Tool.

What is the function of an MMC? Why is it necessary to create customized
MMCs?
The MMC is a tool used to create, save, and open collections of administrative
tools, which are called consoles. The console does not provide management
functions itself, but is the program that hosts management applications called
snap-ins. You create custom MMCs to perform a unique set of administrative
tasks.

What tasks should you complete before attempting to back up Active
Directory data?
Before attempting to back up Active Directory data, you must prepare the files
that you want to back up, and, if you are using a removable media device, you
must prepare the device.

What is system state data and why is it significant to backing up Active
Directory?
For the Windows Server 2003 operating system, the system state data
comprises the registry, COM+ Class Registration database, system boot files,
files under Windows File Protection, and the Certificate Services database (if
the server is a certificate server). If the server is a domain controller, Active
Directory and the Sysvol directory are also contained in the system state data.
To back up Active Directory, you must back up the system state data.

Can you restrict who can gain access to a completed backup file or tape? If
so, how?
You can restrict who can gain access to a completed backup file or tape by
selecting the Replace The Data On The Media With This Backup option and the
Allow Only The Owner And The Administrator Access To The Backup Data And
To Any Backups Appended To This Medium option on the Backup Options page
in the Backup Or Restore Wizard.

When you specify the items you want to back up in the Backup Or Restore
Wizard, which of the following should you select to successfully back up
Active Directory data?
a. System state data
b. Shared system volume folder
c. Database and log files
d. Registry
The correct answer is a. When you specify the items you want to back up in the
Backup Or Restore Wizard, you must specify system state data to successfully
back up Active Directory data.

Describe what happens in a nonauthoritative restore.
In a nonauthoritative restore, the distributed services on a domain controller
are restored from backup media and the restored data is then updated through
normal replication. Each restored directory partition is updated with that of its
replication partners.

Describe what happens in an authoritative restore.
An authoritative restore brings a domain or a container back to the state it was
in at the time of backup and overwrites all changes made since the backup.

Which method of restore should you use if you accidentally delete an OU?
Authoritative.

Which method of restore should you use if a domain controller has
completely failed due to hardware or software problems?
Nonauthoritative.

Which of the following Ntdsutil command parameters should you use if you
want to restore the entire directory?
a. Restore database
b. Restore subtree
c. Database restore
d. Subtree restore
The correct answer is a. Database restore and subtree restore are not Ntdsutil
command parameters. Restore subtree is used to restore a portion or a subtree
of the directory.

What is an operations master?
A domain controller that has been assigned one or more special roles in an
Active Directory domain. The domain controllers assigned these roles perform
operations that are single-master (not permitted to occur at different places on
the network at the same time).

What is selective authentication?
A method of setting the scope of authentication differently for outgoing and
incoming external and forest trusts. Selective trusts allow you to make flexible
access control decisions between external domains in a forest.

What is a trust relationship?
A logical relationship established between domains to allow pass-through
authentication, in which a trusting domain honors the logon authentications of
a trusted domain. User accounts and global groups defined in a trusted domain
can be given rights and permissions in a trusting domain, even though the user
accounts or groups don’t exist in the trusting domain’s directory.

What is the main consequence of creating multiple domains and trees?
Adding domains and trees increases administrative and hardware costs.

Why would you need to create additional trees in your Active Directory
forest?
You might need to define more than one tree if your organization has more
than one DNS name.

What is a tree root domain?
A tree root domain is the highest-level domain in the tree; child and grandchild
domains are arranged under it. Typically, the domain you select for a tree root
should be the one that is most critical to the operation of the tree. A tree root
domain can also be the forest root domain.

What are the reasons for creating multiple forests in an organization?
Some of the reasons for creating multiple forests include to secure data and to
isolate directory replication.

Which of the following is not a reason for creating multiple domains?
a. To meet security requirements
b. To meet administrative requirements
c. To optimize replication traffic
d. To meet delegation requirements
e. To retain Windows NT domains
The correct answer is d. In Windows NT, domains were the smallest units of
administrative delegation. In Windows Server 2003, OUs allow you to partition
domains to delegate administration, eliminating the need to define domains
just for delegation.

Under what domain and forest functional levels can you rename or
restructure domains in a forest?
You can rename or restructure the domains in a forest only if all domain
controllers in the forest are running Windows Server 2003, all domain
functional levels in the forest have been raised to Windows Server 2003, and
the forest functional level has been raised to Windows Server 2003.

What utility is used to rename or restructure a domain in a forest?
You can use the domain rename utility (Rendom.exe) to rename or restructure
a domain.

Under what domain functional level can you rename a domain controller?
You can rename a domain controller only if the domain functionality of the
domain to which the domain controller is joined is set to Windows Server 2003.

What tool is used to rename a domain controller?
You rename a domain controller by using the Netdom.exe: Windows Domain
Manager command-line tool, included with the Windows Support Tools on the
Windows Server 2003 Setup CD-ROM. You use the Netdom Computername
command to manage the primary and alternate names for a computer.

What is the purpose of the operations master roles?
The domain controllers assigned operations master roles perform operations
that are single-master (not permitted to occur at different places in the
network at the same time).

Which operations master roles must be unique in each forest?
The schema master and the domain naming master roles must be unique in
each forest.

Which operations master roles must be unique in each domain?
The RID master, the PDC emulator, and the infrastructure master roles must be
unique in each domain.

When should you seize an operations master role?
Consider seizing an operations master role assignment when a server that is
holding a role fails and you do not intend to restore it. Before seizing the
operations master role, determine the cause and expected duration of the
computer or network failure. If the cause is a networking problem or a server
failure that will be resolved soon, wait for the role holder to become available
again. If the domain controller that currently holds the role has failed, you
must determine if it can be recovered and brought back online. In general,
seizing an operations master role is a drastic step that should be considered
only if the current operations master will never be available again.

Which of the following operations master roles should not be assigned to
the domain controller hosting the global catalog?
a. Schema master
b. Domain naming master
c. RID master
d. PDC emulator
e. Infrastructure master
The correct answer is e. The infrastructure master role should not be assigned
to the domain controller that is hosting the global catalog. If the infrastructure
master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will never
find data that is out of date, so it will never replicate any changes to the other
domain controllers in the domain.
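The three answers above (forest-wide roles unique per forest, domain roles unique per domain, infrastructure master kept off a global catalog) are easy to check mechanically. The Python below is an added example, not code from the page: it validates a constructed forest inventory against those rules and returns findings. One caveat the page does not state but that is well documented: the infrastructure master on a global catalog is harmless in a single-domain forest, or when every domain controller in the domain is also a global catalog, so the check suppresses the finding in those two cases. Names, domains and role assignments are all constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example: validate operations master (FSMO) placement over a
# constructed forest inventory. Nothing here queries a real directory.

FOREST_ROLES = ("domain_naming", "schema")          # one holder per forest
DOMAIN_ROLES = ("infrastructure", "pdc", "rid")     # one holder per domain


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool
    roles: set[str] = field(default_factory=set)


def check_fsmo_placement(dcs: list[DomainController]) -> list[str]:
    """Return findings as strings; an empty list means placement is sound."""
    findings: list[str] = []
    domains = sorted({dc.domain for dc in dcs})

    # Forest-wide roles: count holders across every DC in the forest.
    for role in FOREST_ROLES:
        holders = [dc.name for dc in dcs if role in dc.roles]
        if len(holders) != 1:
            findings.append(f"forest role {role}: expected 1 holder, found {holders or 'none'}")

    for domain in domains:
        members = [dc for dc in dcs if dc.domain == domain]

        # Per-domain roles: count holders among that domain's DCs only.
        for role in DOMAIN_ROLES:
            holders = [dc.name for dc in members if role in dc.roles]
            if len(holders) != 1:
                findings.append(f"{domain} role {role}: expected 1 holder, found {holders or 'none'}")

        # Infrastructure master on a GC never sees stale cross-domain references.
        # Known exception (assumed here, not stated on the page): harmless in a
        # single-domain forest or when every DC in the domain is a GC.
        every_dc_is_gc = all(dc.is_gc for dc in members)
        for dc in members:
            if ("infrastructure" in dc.roles and dc.is_gc
                    and len(domains) > 1 and not every_dc_is_gc):
                findings.append(f"{domain}: infrastructure master {dc.name} is also a global catalog")
    return findings


# Constructed inventory: a two-domain forest with one deliberate mistake (DC3).
SAMPLE_FOREST = [
    DomainController("DC1", "example.corp", True, {"schema", "domain_naming", "rid", "pdc"}),
    DomainController("DC2", "example.corp", False, {"infrastructure"}),
    DomainController("DC3", "child.example.corp", True, {"rid", "pdc", "infrastructure"}),
    DomainController("DC4", "child.example.corp", False, set()),
]

if __name__ == "__main__":
    for finding in check_fsmo_placement(SAMPLE_FOREST):
        print(finding)
```

A role reported with zero holders after a failed role holder is the situation the seizure discussion above describes; a role with two holders is the state you want to catch after a seizure if the old holder is ever brought back online.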

Which type of trust provides transitive trusts between domains in two
forests?
A forest trust.

What is the purpose of a shortcut trust?
A shortcut trust is a trust between two domains in a forest, created to improve
user logon times.

What is the purpose of an external trust?
An external trust is a trust between Windows Server 2003 domains in different
forests or between a Windows Server 2003 domain and a domain whose domain
controller is running Windows NT 4 or earlier. This trust is created to provide
backward compatibility with Windows NT environments or communications with
domains located in other forests not joined by forest trusts.

What preliminary tasks must you complete before you can create a forest
trust?
Before you can create a forest trust, you must
1. Configure a DNS root server that is authoritative over both forest DNS
servers that you want to form a trust with, or configure a DNS forwarder on
both of the DNS servers that are authoritative for the trusting forests.
2. Ensure that the forest functionality for both forests is Windows Server 2003.

Which of the following trust types are created implicitly? Choose all that
apply.
a. Tree-root
b. Parent-child
c. Shortcut
d. Realm
e. External
f. Forest
The correct answers are a and b. Shortcut, realm, external, and forest trusts
must all be created manually (explicitly).

What is an application directory partition?
A directory partition that is replicated only to specific domain controllers. Only
domain controllers running Windows Server 2003 can host a replica of an
application directory partition. Applications and services can use application
directory partitions to store application-specific data.

What is a preferred bridgehead server?
A domain controller in a site, designated manually by the administrator, that is
part of a group of bridgehead servers. Once designated, preferred bridgehead
servers are used exclusively to replicate changes collected from the site. An
administrator may choose to designate preferred bridgehead servers when
there is a lot of data to replicate between sites, or to create a fault-tolerant
topology. If one preferred bridgehead server is not available, the KCC
automatically uses one of the other preferred bridgehead servers. If no other
preferred bridgehead servers are available, replication does not occur to that
site.

What is universal group membership caching?
A feature in Windows Server 2003 that allows a site that does not contain a
global catalog server to be configured to cache universal group memberships
for users who log on to the domain controller in the site. This ability allows a
domain controller to process user logon requests without contacting a global
catalog server when a global catalog server is unavailable. The cache is
refreshed periodically as determined in the replication schedule.

What is a site?
A site is a set of IP subnets connected by a highly reliable and fast link (usually
a LAN).

Which directory partition replica type must be replicated to all domain
controllers within the domain?
The domain partition must be replicated to all domain controllers within the
domain.

Which type of replication compresses data to save WAN bandwidth?
Intersite replication compresses data to save WAN bandwidth.

What is the difference between a site link and a connection object?
Site links are used by the KCC to determine replication paths between two sites
and must be created manually. Connection objects actually connect domain
controllers and are created by the KCC, though you can also create them
manually if necessary.

Which of the following actions does not trigger replication?
a. Accessing an object
b. Creating an object
c. Deleting an object
d. Modifying an object
e. Moving an object
The correct answer is a. Creating, deleting, modifying, or moving an object
triggers replication between domain controllers.

What site is created automatically in the Sites container when you install
Active Directory on the first domain controller in a domain?
The Default-First-Site-Name site.

How many subnets must each site have? To how many sites can a subnet be
assigned?
Each site must have at least one subnet, but a subnet can be assigned to only
one site.

What is the minimum number of domain controllers you should place in a
site?
For optimum network response time and application availability, place at least
one domain controller for each domain available at each site.

What is the purpose of a site license server?
The site license server stores and replicates licensing information collected by
the License Logging service on each server in a site.

Which of the following administrative tools is used to configure sites?
a. Active Directory Users And Computers console
b. Active Directory Domains And Trusts console
c. Active Directory Sites And Services console
d. Licensing console
The correct answer is c. The Active Directory Sites And Services console is used
to configure sites.

What object is created automatically in the IP container when you install
Active Directory on the first DC in a domain?
The DEFAULTIPSITELINK site link.

You specified a preferred bridgehead server for your network. It fails and
there are no other preferred bridgehead servers available. What is the
result?
If no other preferred bridgehead servers are specified or no other preferred
bridgehead servers are available, replication does not occur to that site even if
there are servers that can act as bridgehead servers.

Why is it seldom necessary to create site link bridges?
If site link transitivity is enabled, which it is by default, creating a site link
bridge has no effect. Therefore, it is seldom necessary to create site link
bridges.

Which type of replication does the connection schedule control?
Intrasite replication.

Which of the following protocols should you use when network connections
are unreliable?
a. IP
b. SMTP
c. RPC
d. DHCP
The correct answer is b. Choose SMTP replication when network connections
are unreliable or not always available. SMTP site links communicate
asynchronously, meaning each replication transaction does not need to
complete before another can start, because the transaction can be stored until
the destination server is available.

You have a high-speed T1 link and a dial-up network connection in case the
T1 link is unavailable. You assign the T1 link to have a cost of 100. What
cost value should you assign to the dial-up link?
a. 0
b. 50
c. 100
d. 150
The correct answer is d. Higher costs are used for slow links (the dialup
connection), and lower costs are used for fast links (the T1 connection).
Because Active Directory always chooses the connection on a per-cost basis,
the less expensive connection (T1) is used as long as it is available.
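The cost question above and the earlier answers on site link transitivity and bridgehead failure describe one mechanism: the intersite topology is built over the least-cost path, and costs add up across transitive links. The Python below is an added example, not code from the page or from Microsoft, that models that selection with Dijkstra over a constructed set of site links (names, sites and costs are all constructed). It reproduces the answer above (T1 at cost 100 beats dial-up at 150), shows a route that spans two links because transitivity makes their costs additive, and shows the dial-up link taking over when the T1 link is marked unavailable.

```python
from __future__ import annotations

import heapq
from dataclasses import dataclass

# Added example: pick intersite replication routes by site link cost, the way
# the KCC's intersite topology generator does when site link transitivity (the
# default) lets costs add across links. Sites, links and costs are constructed.


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset[str]   # a site link may join more than two sites
    cost: int
    available: bool = True


def least_cost_route(links: list[SiteLink], src: str, dst: str):
    """Dijkstra over sites. Every pair of sites on an available link is an
    edge at that link's cost. Returns (total_cost, [link names used]) or None
    when dst cannot be reached."""
    best = {src: 0}
    heap = [(0, src, [])]
    done: set[str] = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            return cost, path
        for link in links:
            if not link.available or site not in link.sites:
                continue
            for nxt in link.sites - {site}:
                new_cost = cost + link.cost
                if new_cost < best.get(nxt, float("inf")):
                    best[nxt] = new_cost
                    heapq.heappush(heap, (new_cost, nxt, path + [link.name]))
    return None


def with_link_down(links: list[SiteLink], name: str) -> list[SiteLink]:
    """Copy of the link set with one link marked unavailable, for failover tests."""
    return [SiteLink(l.name, l.sites, l.cost, False) if l.name == name else l
            for l in links]


# Constructed topology: HQ and Branch share a T1 (100) and a dial-up backup
# (150); Remote hangs off Branch (200) and has a slow direct link to HQ (400).
SAMPLE_LINKS = [
    SiteLink("HQ-Branch-T1", frozenset({"HQ", "Branch"}), 100),
    SiteLink("HQ-Branch-Dialup", frozenset({"HQ", "Branch"}), 150),
    SiteLink("Branch-Remote", frozenset({"Branch", "Remote"}), 200),
    SiteLink("HQ-Remote-Satellite", frozenset({"HQ", "Remote"}), 400),
]

if __name__ == "__main__":
    print("HQ -> Branch:", least_cost_route(SAMPLE_LINKS, "HQ", "Branch"))
    print("HQ -> Remote:", least_cost_route(SAMPLE_LINKS, "HQ", "Remote"))
    failed = with_link_down(SAMPLE_LINKS, "HQ-Branch-T1")
    print("HQ -> Remote, T1 down:", least_cost_route(failed, "HQ", "Remote"))
```

With transitivity switched off, only direct links would count and HQ to Remote would have to use the cost-400 satellite link; that is the case in which a site link bridge would matter, which is why the earlier answer calls bridges seldom necessary.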

What is the function of the global catalog?
The global catalog performs three key functions:
■ It enables users to log on to a network by providing universal group
membership information to a domain controller when a logon process is
initiated.
■ It enables finding directory information regardless of which domain in the
forest actually contains the data.
■ It resolves UPNs when the authenticating domain controller does not have
knowledge of the account.

What is a global catalog server?
A global catalog server is a domain controller that stores a full copy of all
objects in the directory for its host domain and a partial copy of all objects for
all other domains in the forest.

What must you do to allow a domain controller to process user logon
requests without contacting a global catalog server?
Enable the universal group membership caching feature using Active Directory
Sites And Services.

For optimum network response time, how many domain controllers in each
site should you designate as a global catalog server?
For optimum network response time and application availability, designate at
least one domain controller in each site as the global catalog server.

The universal group membership caching feature is set for which of the
following?
a. Forest
b. Domain
c. Site
d. Domain controller
The correct answer is c. The universal group membership caching feature must
be set for each site and requires a domain controller to run a Windows Server
2003 operating system.

What is an application directory partition?
An application directory partition is a directory partition that is replicated only
to specific domain controllers. Only domain controllers running Windows Server
2003 can host a replica of an application directory partition.

Name the benefits of using an application directory partition.
Using an application directory partition provides redundancy, availability, or
fault tolerance, by replicating data to a specific domain controller or any set of
domain controllers anywhere in the forest; it reduces replication traffic
because the application data is only replicated to specific domain controllers;
and applications or services that use LDAP can continue using it to access and
store their application data in Active Directory.

What is a security descriptor and how is it used in an application directory
partition?
A security descriptor is a set of access control information attached to a
container or object that controls the type of access allowed by users, groups,
and computers. When an application directory partition is created, it is
assigned a default security descriptor reference domain, which supplies the
default security descriptor for objects created in that partition.

What considerations should you make before deleting an application
directory partition?
Before deleting the application directory partition, you must identify the
applications that use it, determine if it is safe to delete the last replica, and
identify the partition deletion tool provided by the application.

Which of the following tools can you use to delete an application directory
partition? (Choose all that apply.)
a. Ntdsutil command-line tool
b. Application-specific tools from the application vendor
c. Active Directory Installation Wizard
d. Active Directory Domains And Trusts console
e. Active Directory Sites And Services console
The correct answers are a, b, and c. To delete the application directory
partition, you can use the Active Directory Installation Wizard to remove all
application directory partition replicas from the domain controller, the tools
provided with the application, or the Ntdsutil command-line tool.

What is the function of Replmon.exe?
Replmon.exe, the Active Directory Replication Monitor, enables administrators
to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical
format, and monitor the status and performance of domain controller
replication through a graphical interface.

What is the function of Repadmin.exe?
Repadmin.exe, the Replication Diagnostics Tool, allows you to view the
replication topology as seen from the perspective of each domain controller.
Repadmin.exe can be used in troubleshooting to manually create the
replication topology (although in normal practice this should not be necessary),
to force replication events between domain controllers, and to view the
replication metadata and see how up-to-date a domain controller is.

What is the function of Dsastat.exe?
Dsastat.exe compares and detects differences between directory partitions on
domain controllers and can be used to ensure that domain controllers are
up-to-date with one another. The tool retrieves capacity statistics such as
megabytes per server, objects per server, and megabytes per object class, and
compares the attributes of replicated objects.

If replication of directory information has stopped, what should you check?
Site links. Make sure that a site link has been created from the current site to a
site that is connected to the rest of the sites in the network.

You received Event ID 1265 with the error “DNS Lookup Failure.” What are
some actions you might take to remedy the error? (Choose all that apply.)
a. Manually force replication.
b. Reset the domain controller’s account password on the PDC emulator
master.
c. Check the domain controller’s CNAME record.
d. Make sure “Bridge All Site Links” is set correctly.
e. Check the domain controller’s A record.
The correct answers are c and e. This message is often the result of DNS
configuration problems. Each domain controller must register its CNAME record
for the DsaGuid._msdcs.Forestname. Each domain controller must register its A
record in the appropriate zone. So, by checking the domain controller’s CNAME
and A records, you may be able to fix the problem.

What is an access control list (ACL)?
The mechanism for limiting access to certain items of information or to certain
controls based on users’ identity and their membership in various predefined
groups. An ACL is typically used by system administrators for controlling user
access to network resources such as servers, directories, and files and is
typically implemented by granting permissions to users and groups for access to
specific objects.

What are nested OUs?
The creation of organizational units (OUs) within other OUs.

What is an organizational unit (OU)?
An Active Directory container object used within a domain. An OU is a logical
container into which you can place users, groups, computers, and other OUs. It
can contain objects only from its parent domain. An OU is the smallest scope to
which you can apply a Group Policy or delegate authority.

What are the three reasons for defining an OU?
The three reasons for defining an OU are to delegate administration, to
administer Group Policy, or to hide objects.

What is “delegating administration”?
Delegating administration is the assignment of IT management responsibility for
a portion of the namespace, such as an OU, to an administrator, a user, or a
group of administrators or users.

What is the purpose of creating an OU to hide objects?
Although a user might not have the permission to read an object’s attributes,
the user can still see that the object exists by viewing the contents of the
object’s parent container. You can hide objects in a domain by creating an OU
for the objects and limiting the set of users who have the List Contents
permission for that OU.

Can you assign access permissions based on a user’s membership in an OU?
Why or why not?
No, you cannot assign access permissions based on a user’s membership in an
OU. OUs are not security principals. Access control is the responsibility of
global, domain local, or universal groups.

Which of the following is the primary reason for defining an OU?
a. To delegate administration
b. To hide objects
c. To administer Group Policy
d. To define the domain structure
The correct answer is a. Although hiding objects and administering Group
Policy are reasons for defining an OU, they are not the primary reason. You do
not define an OU to define the domain structure.

In what two locations can you create an OU?
You can create an OU within a domain or within another OU.

What tool do you use to create an OU?
The Active Directory Users And Computers console is used to create an OU.

What action must you take to be able to view the Security tab in the
Properties dialog box for an OU?
You must select Advanced Features from the View menu on the Active
Directory Users And Computers console.

How does the icon used for an OU differ from the icon used for a container?
The icon used for an OU is a folder with a book. The icon used for a container is
a folder.

What is the purpose of setting properties for an OU?
To provide additional information about the OU or to assist in finding the OU,
you might want to set properties for an OU.

Why might you need to move an OU?
To accommodate the changing needs of an organization.

Which is more flexible, domain structure or OU structure?
Because OUs can be easily renamed, moved, and deleted, OU structure is more
flexible than domain structure.

What are the three ways to move Active Directory objects between OUs?
There are three ways to move Active Directory objects between OUs:
■ Use drag and drop
■ Use the Move option on the Active Directory Users And Computers console
■ Use the Dsmove command

What happens to permissions when you move objects between OUs?
Permissions that are assigned directly to objects remain the same, and the
objects inherit permissions from the new OU. Any permission that was
previously inherited from the old OU no longer affects the objects.

What is authentication?
The process by which the system validates the user’s logon information. A
user’s name and password are compared against the list of authorized users. If
the system detects a match, access is granted to the extent specified in the
permissions list for that user.

What is a smart card?
A credit-card sized device that is used with an access code to enable
certificate-based authentication and single sign-on to the enterprise. Smart
cards securely store certificates, public and private keys, passwords, and other
types of personal information. A smart card reader attached to the computer
reads the smart card.

What is a strong password?
A password that provides an effective defense against unauthorized access to a
resource. A strong password is at least seven characters long, does not contain
all or part of the user’s account name, and contains at least three of the
following four categories of characters: uppercase characters, lowercase
characters, base 10 digits, and symbols found on the keyboard (such as !, @,
and #).

Where are domain user accounts created?
Domain user accounts are created in Active Directory on a domain controller.

What is a smart card?
A smart card is a credit card-sized device that is used with a PIN to
enable certificate-based authentication and single sign-on to the enterprise.
Smart cards securely store certificates, public and private keys, passwords, and
other types of personal information.

Why should you always rename the built-in Administrator account?
Rename the built-in Administrator account to provide a greater degree of
security; it is more difficult for unauthorized users to break into the
Administrator account if they do not know which user account it is.

What is the purpose of the Guest account? What is the default condition of
the Guest account?
The purpose of the built-in Guest account is to provide users who do not have
an account in the domain with the ability to log on and gain access to
resources. By default, the Guest account does not require a password (the
password can be blank) and is disabled. You should enable the Guest account
only in low-security networks and always assign it a password.

Which of the following are characteristics of a strong password?
a. Is at least seven characters long
b. Contains your user name
c. Contains keyboard symbols
d. Contains numerals
e. Contains a dictionary word
The correct answers are a, c, and d. Strong passwords do not contain your user
name or dictionary words.
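
Added example, not from the guide: a Python check of the strong-password rules quoted above (length, three of four character categories, no part of the account name). Reading "part of the account name" as any token of three or more characters from the account name is this example's own assumption, not a rule the guide states.

```python
"""Strong-password check matching the rules quoted above (added example).

Assumption (this example's reading, not a rule stated in the guide): "part of the
account name" means any token of three or more characters produced by splitting
the account name on spaces, commas, periods, hyphens, underscores, '#' or tabs.
"""
import re
import string
from typing import Dict, List, Set

MIN_LENGTH = 7            # "at least seven characters long"
MIN_CATEGORIES = 3        # "at least three of the following four categories"
SEPARATORS = re.compile(r"[ ,.\-_#\t]+")


def character_categories(password: str) -> Dict[str, bool]:
    """Which of the four character categories the password contains."""
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def account_name_tokens(account_name: str) -> Set[str]:
    """Tokens of the account name that must not appear in the password (assumption above)."""
    return {t.lower() for t in SEPARATORS.split(account_name) if len(t) >= 3}


def password_problems(password: str, account_name: str) -> List[str]:
    """Return every rule the password violates; an empty list means it is strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = character_categories(password)
    present = sum(categories.values())
    if present < MIN_CATEGORIES:
        missing = ", ".join(name for name, found in categories.items() if not found)
        problems.append(f"only {present} of 4 character categories (missing: {missing})")
    lowered = password.lower()
    for token in sorted(account_name_tokens(account_name)):
        if token in lowered:                 # case-insensitive, like the account name itself
            problems.append(f"contains part of the account name: {token!r}")
    return problems


def is_strong(password: str, account_name: str) -> bool:
    return not password_problems(password, account_name)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the guide.
    for pwd, acct in [("Tr0ub4dor!", "jsmith"), ("JohnSmith99!", "John Smith"),
                      ("Sm1th#", "John Smith"), ("abcdefghij", "alice")]:
        print(f"{pwd!r:16} {acct!r:14} -> {password_problems(pwd, acct) or 'strong'}")
```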

A user’s full name must be unique to what Active Directory component?
A user’s full name must be unique to the OU or container where you create the
user account.

A user’s logon name must be unique to what Active Directory component?
A user’s logon name must be unique to the domain where you create the user
account.

Why should you always require new users to change their passwords the
first time that they log on?
Requiring new users to change their passwords means that only they know the
password, which makes the system more secure.

From which tab on a user’s Properties dialog box can you set logon hours?
a. General tab
b. Account tab
c. Profile tab
d. Security tab
The correct answer is b. You set logon hours by clicking the Logon Hours button
on the Account tab in a user’s Properties dialog box.

What is a user profile?
A user profile is a collection of folders and data that stores the user’s current
desktop environment, application settings, and personal data. A user profile
also contains all of the network connections that are established when a user
logs on to a computer, such as Start menu items and mapped drives to network
servers.

Describe the function of the three types of user profiles.
A local user profile is based at the local computer and is available at only the
local computer. When a user logs on to the client computer running Windows
Server 2003, he or she always receives his or her individual desktop settings
and connections, regardless of how many users share the same client
computer.
A roaming user profile is based at the server and is downloaded to the local
computer every time a user logs on and is available at any workstation or
server computer on the network. Changes made to a user’s roaming user profile
are updated locally and on the server when the user logs off. The user always
receives his or her individual desktop settings and connections, in contrast to a
local user profile, which resides only on one client computer.
A mandatory user profile is a read-only roaming profile that is based at the
server and downloaded to the local computer every time a user logs on. It is
available at any workstation or server computer on the network. Users can
modify the desktop settings of the computer while they are logged on, but
none of these changes are saved when they log off.

What must you do to ensure that a user on a client computer running
Windows Server 2003 has a roaming user profile?
First, create a shared folder on a network server that will contain the user’s
roaming user profile. Second, in the Profiles tab in the Properties dialog box for
the user, provide a path to the shared folder on the server. The next time that
the user logs on, the roaming user profile is created.

How can you ensure that a user has a centrally located home folder?
First, create a shared folder on a network server that will contain the user’s
home folder. Second, in the Profiles tab in the Properties dialog box for the
user, provide a path to the shared folder on the server. The next time that the
user logs on, the home folder is available from the My Computer window.

Which of the following files must be renamed to configure a user profile as
mandatory?
a. Ntuser.dat
b. Ntuser.doc
c. Ntuser.man
d. Ntuser.txt
The correct answer is a. To configure a user profile as mandatory, you must
make it read-only by changing the name of the Ntuser.dat file to Ntuser.man.

Why would you rename a user account and what is the advantage of doing
so?
Rename a user account if you want a new user to have all of the properties of a
former user, including permissions, desktop settings, and group membership.
The advantage of renaming an account is that you do not have to rebuild all of
the properties as you do for a new user account.

Why would you disable a user account and what is the advantage of doing
so?
Disable a user account when a user does not need an account for an extended
period, but will need it again. The advantage of disabling a user account is that
when the user returns, you can enable the user account so that the user can
log on to the network again without having to rebuild a new account.

How is a disabled user account designated in the Active Directory Users And
Computers console?
A disabled user account is designated by a red “X.”

Why should you select the User Must Change Password At Next Logon check
box when you reset a user’s password?
Select User Must Change Password At Next Logon to force the user to change
his or her password the next time he or she logs on. This way, only the user
knows the password.

What is a domain local group?
A security or distribution group often used to assign permissions to resources.
You can use a domain local group to assign permissions to gain access to
resources that are located only in the same domain where you create the
domain local group. In domains with the domain functional level set to
Windows 2000 mixed, domain local groups can contain user accounts, computer
accounts, and global groups from any domain. In domains with the domain
functional level set to Windows 2000 native or Windows Server 2003, domain
local groups can contain user accounts, computer accounts, global groups, and
universal groups from any domain, and domain local groups from the same
domain.

What is a global group?
A security or distribution group often used to organize users who share similar
network access requirements. You can use a global group to assign permissions
to gain access to resources that are located in any domain in the tree or forest.
In domains with the domain functional level set to Windows 2000 mixed, global
groups can contain user accounts and computer accounts from the same
domain. In domains with the domain functional level set to Windows 2000
native or Windows Server 2003, global groups can contain user accounts,
computer accounts, and global groups from the same domain.

What is a universal group?
A security or distribution group often used to assign permissions to related
resources in multiple domains. You can use a universal group to assign
permissions to gain access to resources that are located in any domain in the
forest. In domains with the domain functional level set to Windows 2000 mixed,
universal groups are not available. In domains with the domain functional level
set to Windows 2000 native or Windows Server 2003, universal groups can
contain user accounts, computer accounts, global groups, and other universal
groups from any domain in the forest.

What is the Run As program?
A program that allows you to run administrative tools with either local or
domain administrator rights and permissions while logged on as a normal user.

What is the purpose of using groups?
Use groups to simplify administration by granting rights and assigning
permissions once to the group rather than multiple times to each individual
member.

When should you use security groups rather than distribution groups?
Use security groups to assign permissions. Use distribution groups when the
only function of the group is not security related, such as an e-mail distribution
list. You cannot use distribution groups to assign permissions.

What strategy should you apply when you use domain and local groups?
Place user accounts into global groups, place global groups into domain local
groups, and then assign permissions to the domain local group.

Why is replication an issue with universal groups?
Universal groups and their members are listed in the global catalog. Therefore,
when membership of any universal group changes, the changes must be
replicated to every global catalog in the forest, unless the forest functional
level is set to Windows Server 2003.

Which of the following statements about group scope membership are
incorrect? (Choose all that apply.)
a. In domains with a domain functional level set to Windows 2000 mixed, global
groups can contain user accounts and computer accounts from the same
domain.
b. In domains with a domain functional level set to Windows 2000 mixed, global
groups can contain user accounts and computer accounts from any domain.
c. In domains with a domain functional level set to Windows 2000 mixed,
domain local groups can contain user accounts, computer accounts, and global
groups from the same domain.
d. In domains with a domain functional level set to Windows 2000 mixed,
domain local groups can contain user accounts, computer accounts, and global
groups from any domain.
e. In domains with a domain functional level set to Windows 2000 mixed,
universal groups can contain user accounts, computer accounts, global groups,
and other universal groups from any domain.
f. In domains with a domain functional level set to Windows 2000 mixed,
universal groups do not exist.
The correct answers are b, c, and e. In domains with a domain functional level
set to Windows 2000 mixed, global groups can contain user accounts and
computer accounts from the same domain. In domains with a domain functional
level set to Windows 2000 mixed, domain local groups can contain user
accounts, computer accounts, and global groups from any domain. In domains
with a domain functional level set to Windows 2000 mixed, universal groups do
not exist.

Where can you create groups?
With the necessary permissions, you can create groups in any domain in the
forest, in an OU, or in a container you have created specifically for groups.

What is deleted when you delete a group?
When you delete a group, you delete only the group and remove the
permissions and rights that are associated with it. Deleting a group does not
delete the user accounts that are members of the group.

What Active Directory components can be members of groups?
Members of groups can include user accounts, contacts, other groups, and
computers.

In what domain functional level is changing the group scope allowed? What
scope changes are permitted in this domain functional level?
You can change the scope of groups in domains with the domain functional
level set to Windows 2000 native or Windows Server 2003. The following scope
changes are permitted:
■ Global to universal, as long as the group is not a member of another group
having global scope
■ Domain local to universal, as long as the group being converted does not have
another group with a domain local scope as its member
■ Universal to global, as long as the group being converted does not have
another universal group as its member
■ Universal to domain local
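
Added example, not from the guide: the group scope membership rules (domain local, global, universal at the Windows 2000 mixed and native/Windows Server 2003 levels), the accounts-into-global-into-domain-local strategy, and the four permitted scope conversions above, encoded as Python checks. All principal and domain names are constructed.

```python
"""Group scope membership and conversion rules from the passages above (added example,
not from the guide). Names and domains in the demo are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Domain functional levels. The guide gives Windows Server 2003 the same nesting and
# conversion rules as Windows 2000 native, so both are represented by NATIVE here.
MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native"
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass
class Principal:
    """A user, computer or group; scope/members/member_of are used for groups only."""
    name: str
    kind: str                              # "user", "computer" or "group"
    domain: str
    scope: Optional[str] = None
    members: List["Principal"] = field(default_factory=list)
    member_of: List["Principal"] = field(default_factory=list)


def can_contain(group: Principal, member: Principal, level: str) -> Tuple[bool, str]:
    """May `member` be added to `group` at this domain functional level?"""
    same_domain = member.domain == group.domain
    if group.scope == UNIVERSAL and level == MIXED:
        return False, "universal groups are not available in Windows 2000 mixed"
    if member.kind != "group":             # user or computer account
        if group.scope == GLOBAL and not same_domain:
            return False, "global groups take accounts only from their own domain"
        return True, "accounts may be members"
    ms = member.scope                      # nesting one group inside another
    if group.scope == GLOBAL:
        if level == NATIVE and ms == GLOBAL and same_domain:
            return True, "same-domain global group (native/2003 only)"
        return False, "global groups nest only same-domain global groups, and never in mixed"
    if group.scope == DOMAIN_LOCAL:
        if ms == GLOBAL:
            return True, "global groups from any domain"
        if level == NATIVE and ms == UNIVERSAL:
            return True, "universal groups from any domain (native/2003 only)"
        if level == NATIVE and ms == DOMAIN_LOCAL and same_domain:
            return True, "domain local groups from the same domain (native/2003 only)"
        return False, "not a permitted domain local group member"
    if ms in (GLOBAL, UNIVERSAL):          # group is universal at native/2003 level
        return True, "global and universal groups from any domain in the forest"
    return False, "universal groups cannot contain domain local groups"


def add_member(group: Principal, member: Principal, level: str) -> None:
    """Validate the rule, then record the membership on both sides."""
    ok, why = can_contain(group, member, level)
    if not ok:
        raise ValueError(f"cannot add {member.name} to {group.name}: {why}")
    group.members.append(member)
    member.member_of.append(group)


def can_change_scope(group: Principal, new_scope: str, level: str) -> Tuple[bool, str]:
    """The four permitted conversions, each with its condition from the guide."""
    if level == MIXED:
        return False, "scope changes need Windows 2000 native or Windows Server 2003"
    change = (group.scope, new_scope)
    if change == (GLOBAL, UNIVERSAL):
        if any(g.scope == GLOBAL for g in group.member_of):
            return False, "group is a member of another global group"
    elif change == (DOMAIN_LOCAL, UNIVERSAL):
        if any(m.kind == "group" and m.scope == DOMAIN_LOCAL for m in group.members):
            return False, "group has a domain local group as a member"
    elif change == (UNIVERSAL, GLOBAL):
        if any(m.kind == "group" and m.scope == UNIVERSAL for m in group.members):
            return False, "group has a universal group as a member"
    elif change != (UNIVERSAL, DOMAIN_LOCAL):
        return False, f"{group.scope} to {new_scope} is not a permitted conversion"
    return True, "conversion permitted"


def agdlp_demo(level: str = NATIVE) -> Principal:
    """Accounts -> global group -> domain local group, the strategy the guide recommends;
    permissions would then be assigned to the returned domain local group."""
    alice = Principal("alice", "user", "corp.example")
    bob = Principal("bob", "user", "sales.example")
    sales_staff = Principal("Sales Staff", "group", "sales.example", GLOBAL)
    printer_users = Principal("Printer Users", "group", "corp.example", DOMAIN_LOCAL)
    add_member(sales_staff, bob, level)             # account into a same-domain global group
    add_member(printer_users, sales_staff, level)   # global group into a cross-domain domain local group
    add_member(printer_users, alice, level)         # accounts may also join the domain local group
    return printer_users
```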

The name you select for a group must be unique to which of the following
Active Directory components?
a. forest
b. tree
c. domain
d. site
e. OU
The correct answer is c. The name you select for a group must be unique to the
domain in which the group is created.

Why shouldn’t administrators be assigned to the Administrators group?
Running Windows Server 2003 as an administrator makes the system vulnerable
to Trojan horse attacks and other security risks. For most tasks, administrators
should be assigned to the Users or Power Users group. To perform
administrative-only tasks, administrators should log on as an administrator,
perform the task, and then log off.

What is the purpose of the Run As program?
The Run As program allows a user to run specific tools and programs with
permissions other than those provided by the account with which the user is
currently logged on. Therefore, the Run As program can be used to run
administrative tools with either local or domain administrator rights and
permissions while logged on as a normal user.

What are the two ways of invoking the Run As Program?
The Run As program can be invoked on the desktop or by using the Runas
command from the command line.

What is access control?
A security mechanism that determines which operations a user, group, service,
or computer is authorized to perform on a computer or on a particular object.

What is delegation?
An assignment of administrative responsibility that allows users without
administrative credentials to complete specific administrative tasks or to
manage specific directory objects. Responsibility is assigned through
membership in a security group, the Delegation Of Control Wizard, or Group
Policy settings.

What is a permission?
A rule associated with an object to regulate which users can gain access to the
object and in what manner. Permissions are assigned or denied by the object’s
owner.

What is selective authentication?
On domain controllers running Windows Server 2003, a method of determining
the scope of authentication between two forests joined by a forest trust or two
domains joined by an external trust. With these selective trusts, you can make
flexible forest- or domain-wide access control decisions.

What are two ways to locate Active Directory objects?
There are two ways to locate Active Directory objects: 1) use the Find option
on the Active Directory Users And Computers console, and 2) use the Dsquery
command.

Which Dsquery command should you use to find users in the directory who
have been inactive for two weeks?
Dsquery user -inactive 2

Which Dsquery command should you use to find computers in the directory
that have been disabled?
Dsquery computer -disabled

What is the purpose of the saved queries feature?
The saved queries feature enables administrators to create, edit, save,
organize and e-mail saved queries in order to monitor or perform a specific
task on directory objects.

What is a security principal?
A security principal is a user, group, computer, or service that is assigned a
SID. A SID uniquely identifies the user, group, computer, or service in the
enterprise and is used to manage security principals.

You are trying to assign permissions to an object in its Properties dialog
box, but you cannot find the Security tab. How can you fix this problem?
To view the Security tab in the Properties dialog box, you must select
Advanced Features on the View menu on the Active Directory Users And
Computers console.

The permissions check boxes for a security principal are shaded. What does
this indicate?
If permission is inherited, its check boxes (located in the Security tab in the
Properties dialog box for an object, and in the Permission Entry dialog box for
an object) are shaded. However, shaded special permissions check boxes do
not indicate inherited permissions. These shaded check boxes merely indicate
that a special permission exists.

What are effective permissions?
Effective permissions are the overall permissions that a security principal has
for an object, including group membership and inheritance from parent
objects.
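
Added example, not from the guide: a small Python model of the two behaviours described above and in the earlier question on moving objects between OUs: direct permissions survive a move while inherited ones are swapped for the new OU's, and effective permissions are computed from group membership plus inheritance. Object, OU and group names are constructed; resolving conflicting entries with the usual Windows order (explicit before inherited, Deny before Allow at the same level) is an assumption of this example.

```python
"""Permissions on objects moved between OUs, and effective permissions, as described in the
two passages above (added example, not from the guide; names and rights are constructed).

Assumption: when ACEs conflict, the usual Windows evaluation order is used: an explicit
(directly assigned) entry beats an inherited one, and at the same level Deny beats Allow."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class ACE:
    trustee: str                    # user or group name
    allow: bool                     # True = Allow, False = Deny
    rights: frozenset               # e.g. {"Read", "Write"}
    inheritable: bool = True        # propagates to child objects when set on a container
    inherited_from: Optional[str] = None   # None = assigned directly to the object


@dataclass
class DirectoryObject:
    name: str
    aces: List[ACE] = field(default_factory=list)
    parent: Optional["DirectoryObject"] = None

    def __post_init__(self):
        if self.parent is not None:
            self.inherit_from(self.parent)

    def inherit_from(self, container: "DirectoryObject") -> None:
        """Replace inherited ACEs with the container's inheritable ones; explicit ACEs stay."""
        explicit = [a for a in self.aces if a.inherited_from is None]
        inherited = [ACE(a.trustee, a.allow, a.rights, True, container.name)
                     for a in container.aces if a.inheritable]
        self.aces = explicit + inherited
        self.parent = container


def move_object(obj: DirectoryObject, new_ou: DirectoryObject) -> DirectoryObject:
    """What happens on a move: direct permissions are kept, the old OU's inherited
    permissions drop away, and the new OU's inheritable permissions are picked up."""
    obj.inherit_from(new_ou)
    return obj


def effective_permissions(obj: DirectoryObject, principal: str, groups: Set[str]) -> Set[str]:
    """Rights the principal ends up with, counting group membership and inheritance."""
    trustees = {principal} | set(groups)
    relevant = [a for a in obj.aces if a.trustee in trustees]
    allowed: Set[str] = set()
    for right in {r for a in relevant for r in a.rights}:
        # Precedence: explicit deny > explicit allow > inherited deny > inherited allow.
        decisions = sorted((a for a in relevant if right in a.rights),
                           key=lambda a: (a.inherited_from is not None, a.allow))
        if decisions[0].allow:
            allowed.add(right)
    return allowed


def move_demo():
    """Constructed scenario: a printer object moves from the Sales OU to the North OU."""
    sales = DirectoryObject("OU=Sales", [ACE("Sales Admins", True, frozenset({"Read", "Write"}))])
    north = DirectoryObject("OU=North", [ACE("North Admins", True, frozenset({"Read", "Write"})),
                                         ACE("Contractors", False, frozenset({"Write"}))])
    printer = DirectoryObject("CN=Printer1", [ACE("Helpdesk", True, frozenset({"Read"}), False)],
                              parent=sales)
    before = effective_permissions(printer, "alice", {"Sales Admins", "Helpdesk"})
    move_object(printer, north)
    after = effective_permissions(printer, "alice", {"Sales Admins", "Helpdesk"})
    return before, after, printer
```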

Why is it necessary to delegate administrative control of Active Directory
objects?
You delegate administrative control of domains, OUs, and containers in order
to provide other administrators, groups, or users with the ability to manage
functions according to their needs.

What is the purpose of the Delegation Of Control Wizard?
The Delegation Of Control Wizard is provided to automate and simplify the
process of setting administrative permissions for a domain, OU, or container.

How can you remove permissions you set by using the Delegation Of Control
Wizard?
Although the Delegation Of Control Wizard can be used to grant administrative
permissions to containers and the objects within them, it cannot be used to
remove those privileges. If you need to remove permissions, you must do so
manually in the Security tab in the Properties dialog box for the container and
in the Advanced Security Settings dialog box for the container.

For which of the following Active Directory objects can you delegate
administrative control by using the Delegation Of Control Wizard? (Choose
all that apply.)
a. Folder
b. User
c. Group
d. Site
e. OU
f. Domain
g. Shared folder
The correct answers are a, d, e, and f. Folders, sites, OUs, and domains are all
objects for which administrative control can be delegated by using the
Delegation Of Control Wizard.

What is Group Policy?
A collection of user and computer configuration settings that specifies how
programs, network resources, and the operating system work for users and
computers in an organization. Group Policy can be linked to computers, sites,
domains, and OUs.

What is the Computer Configuration node?
A node in the Group Policy Object Editor that contains the settings used to
set group policies applied to computers, regardless of who logs on to them.
Computer configuration settings are applied when the operating system
initializes.

What is the User Configuration node?
A node in the Group Policy Object Editor that contains the settings used to
set group policies applied to users, regardless of which computer the user logs
on to. User configuration settings are applied when users log on to the
computer.

What is a GPO?
A GPO is a Group Policy Object. Group Policy configuration settings are
contained within a GPO. Each computer running Windows Server 2003 has one
local GPO and can, in addition, be subject to any number of nonlocal (Active
Directory–based) GPOs.

What are the two types of Group Policy settings and how are they used?
The two types of Group Policy settings are computer configuration settings and
user configuration settings. Computer configuration settings are used to set
group policies applied to computers, regardless of who logs on to them, and
are applied when the operating system initializes. User configuration settings
are used to set group policies applied to users, regardless of which computer
the user logs on to, and are applied when users log on to the computer.

In what order is Group Policy applied to components in the Active Directory
structure?
Group Policy is applied to Active Directory components in the following order:
local computer, site, domain, and then OU.

What is the difference between Block Policy Inheritance and No Override?
Block Policy Inheritance is applied directly to the site, domain, or OU. It is not
applied to GPOs, nor is it applied to GPO links. Thus Block Policy Inheritance
deflects all Group Policy settings that reach the site, domain, or OU from
above (by way of linkage to parents in the Active Directory hierarchy) no
matter what GPOs those settings originate from. GPO links set to No Override
are always applied and cannot be blocked using the Block Policy Inheritance
option.
Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No
Override, so that none of its policy settings can be overwritten by any other
GPO during the processing of group policies. When more than one GPO has
been set to No Override, the one highest in the Active Directory hierarchy (or
higher in the hierarchy specified by the administrator at each fixed level in
Active Directory) takes precedence. No Override is applied to the GPO link.

Which of the following nodes contains the registry-based Group Policy
settings?
a. Software Settings
b. Windows Settings
c. Administrative Templates
d. Security Settings
The correct answer is c. The Administrative Templates node contains the
registry-based Group Policy settings. The Software Settings node contains only
the Software Installation extension. The Windows Settings node contains the
settings for configuring the operating system, such as scripts, security settings,
folder redirection, and RIS. The Security Settings node contains settings for
configuring security levels.

Describe a decentralized GPO design.
With a decentralized GPO design, you create a base GPO to be applied to the
domain that contains policy settings for as many users and computers in the
domain as possible. Next, you create additional GPOs tailored to the common
requirements of each OU, and apply them to the appropriate OUs. The goal of
a decentralized GPO design is to include a specific policy setting in as few GPOs
as possible. When a change is required, only one (or a few) GPO(s) have to be
changed to enforce the change.

If administrative responsibilities in your organization are task-based and
delegated among several administrators, which of the following types of
GPOs should you plan to create?
a. GPOs containing only one type of Group Policy setting
b. GPOs containing many types of Group Policy settings
c. GPOs containing only computer configuration settings
d. GPOs containing only user configuration settings
The correct answer is a. For example, a GPO that includes only security
settings is best suited for organizations in which administrative responsibilities
are task-based and delegated among several individuals.

If you want to create a GPO for a site, what administrative tool should you
use?
Use the Active Directory Sites And Services console to create a GPO for a site.

Why should you create an MMC for a GPO?
If you create an MMC for a GPO, it is easier to administer because you can open
it whenever necessary from the Administrative Tools menu.

Besides Read permission, what permission must you assign to allow a user
or administrator to see the settings in a GPO?
Write permission. A user or administrator who has Read access but not Write
access to a GPO cannot use the Group Policy Object Editor to see the settings
that it contains.

Why should you disable unused Group Policy settings?


Disabling unused Group Policy settings avoids the processing of those settings
and expedites startup and logging on for the users and computers subject to
the GPO.

How do you prevent a GPO from applying to a specific group?


You can prevent a policy from applying to a specific group by denying that
group the Apply Group Policy permission for the GPO.

What’s the difference between removing a GPO link and deleting a GPO?
When you remove a GPO link to a site, domain, or OU, the GPO still remains in
Active Directory. When you delete a GPO, the GPO is removed from Active
Directory, and any sites, domains, or OUs to which it is linked are not longer
affected by it.

You want to deflect all Group Policy settings that reach the North OU from
all of the OU’s parent objects. To accomplish this, which of the following
exceptions do you apply and where do you apply it?
a. Block Policy Inheritance applied to the OU
b. Block Policy Inheritance applied to the GPO
c. Block Policy Inheritance applied to the GPO link
d. No Override applied to the OU
e. No Override applied to the GPO
f. No Override applied to the GPO link
The correct answer is a. You use the Block Policy Inheritance exception to
deflect all Group Policy settings from the parent objects of a site, domain, or
OU. Block Policy Inheritance can only be applied directly to a site, domain, or
OU, not to a GPO or a GPO link.

You want to ensure that none of the South OU Desktop settings applied to
the South OU can be overridden. To accomplish this, which of the following
exceptions do you apply and where do you apply it?
a. Block Policy Inheritance applied to the OU
b. Block Policy Inheritance applied to the GPO
c. Block Policy Inheritance applied to the GPO link
d. No Override applied to the OU
e. No Override applied to the GPO
f. No Override applied to the GPO link
The correct answer is f. You use the No Override exception to ensure that none
of a GPO's settings can be overridden by any other GPO during the processing
of group policies. No Override can only be applied directly to a GPO link (the
Group Policy Management Console calls the same link option Enforced).

What is Resultant Set of Policy (RSoP)?


A feature that simplifies Group Policy implementation and troubleshooting.
RSoP has two modes: Logging mode and Planning mode. Logging mode
determines the resultant effect of policy settings that have been applied to an
existing user and computer based on a site, domain, and OU. Planning mode
simulates the resultant effect of policy settings that are applied to a user and a
computer.

What is a sharepoint?
In the folder redirection sense (not the Microsoft SharePoint product), a
centralized location for key folders on a server or servers, which provides
users with an access point for storing and finding information and
administrators with an access point for managing information.

What is folder redirection?


An extension within Group Policy that allows you to redirect the following
special folders: Application Data, Desktop, My Documents, My Pictures, and
Start Menu.

What is Offline Files?


A feature that provides users with access to redirected folders even when they
are not connected to the network. Offline Files caches files accessed through
folder redirection onto the hard drive of the local computer. When a user
accesses a file in a redirected folder, the file is accessed and modified locally.
When a user has finished working with the file and has logged off, only then
does the file traverse the network for storage on the server.

What is the purpose of generating RSoP queries?


RSoP is the sum of the policies applied to the user or computer, including the
application of filters (security groups, WMI) and exceptions (No Override, Block
Policy Inheritance). Because of the cumulative effects of GPOs, filters, and
exceptions, determining a user or computer’s RSoP can be difficult. The ability
to generate RSoP queries in Windows Server 2003 makes determining RSoP
easier.

What are the three tools available for generating RSoP queries?
Windows Server 2003 provides three tools for generating RSoP queries: the
Resultant Set Of Policy Wizard, the Gpresult command-line tool, and the
Advanced System Information–Policy tool.

What is the difference between Logging mode and Planning mode?


Logging mode reports the existing GPO settings for a user or computer.
Planning mode simulates the GPO settings that a user and computer might
receive, and it enables you to change the simulation.

What is the difference between saving an RSoP query and saving RSoP
query data?
By saving an RSoP query, you can reuse it for processing another RSoP query
later. By saving RSoP query data, you can revisit the RSoP as it appeared for a
particular query when the query was created.

Which RSoP query generating tool provides RSoP query results on a console
similar to a Group Policy Object Editor console?
a. Resultant Set Of Policy Wizard
b. Group Policy Wizard
c. Gpupdate command-line tool
d. Gpresult command-line tool
e. Advanced System Information–Policy tool
f. Advanced System Information–Services tool
The correct answer is a. The Resultant Set Of Policy Wizard provides RSoP
query results on a console similar to a Group Policy Object Editor console.
There is no Group Policy Wizard. Gpupdate and Gpresult are command-line
tools. The Advanced System Information tools provide results in an HTML report
that appears in the Help And Support Center window.

What is the purpose of folder redirection?


You redirect users’ folders to provide a centralized location for key Windows XP
Professional folders on a server or servers. This centralized location, called a
sharepoint, provides users with an access point for storing and finding
information and administrators with an access point for managing information.

Which folders can be redirected?


Windows Server 2003 allows the following special folders to be redirected:
Application Data, Desktop, My Documents, My Pictures, and Start Menu.

Under what circumstances should you redirect My Documents to a home
folder?
Redirect My Documents to a user’s home folder only if you have already
deployed home directories in your organization. This option is intended only for
organizations that want to maintain compatibility with their existing home
directory environment.

What is the purpose of the Offline Files feature?


The Offline Files feature provides users with access to redirected folders even
when they are not connected to the network.

Which of the following are true statements? Choose three.


a. Remote Desktop for Administration is installed by default on computers
running Windows Server 2003.
b. Remote Desktop for Administration is enabled by default on computers
running Windows Server 2003.
c. A server can be configured to use Offline Files and Remote Desktop for
Administration at the same time.
d. A server cannot be configured to use Offline Files and Remote Desktop for
Administration at the same time.
e. Before attempting to configure the computer to use Offline Files, you must
disable Remote Desktop for Administration.
f. Before attempting to configure the computer to use Offline Files, you must
enable Remote Desktop for Administration.
The correct answers are a, d, and e. Remote Desktop for Administration is
installed, but not enabled, by default on computers running Windows Server
2003. Because Remote Desktop for Administration and Offline Files are
mutually exclusive, a server cannot be configured to use Offline Files and
Remote Desktop for Administration at the same time. Therefore, before you
can configure a computer to use Offline Files, you must disable Remote
Desktop for Administration.

In which Event Viewer log can you find Group Policy failure and warning
messages? What type of event log records should you look for?
You can find Group Policy failure and warning messages in the application
event log. Event log records with the Userenv source pertain to Group Policy
events. (On Windows Vista, Windows Server 2008 and later, Group Policy logs to
the System log under the source Microsoft-Windows-GroupPolicy and to the
Microsoft-Windows-GroupPolicy/Operational log instead.)

What diagnostic log file can you generate to record detailed information
about Group Policy processing and in what location is this file generated?
You can generate a diagnostic log to record detailed information about Group
Policy processing to a log file named Userenv.log in the hidden folder
%Systemroot%\Debug\Usermode. You turn it on by creating the REG_DWORD value
UserEnvDebugLevel with data 0x30002 under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and restarting the
computer.

Which of the following actions should you take if you attempt to open a
Group Policy Object Editor console for an OU GPO and you receive the
message Failed To Open The Group Policy Object?
a. Check your permissions for the GPO.
b. Check network connectivity.
c. Check that the OU exists.
d. Check that No Override is set for the GPO.
e. Check that Block Policy Inheritance is set for the GPO.
The correct answer is b. The message Failed To Open The Group Policy Object
indicates a networking problem, specifically a problem with the Domain Name
System (DNS) configuration.

Which of the following actions should you take if you attempt to edit a GPO
and you receive the message Missing Active Directory Container?
a. Check your permissions for the GPO.
b. Check network connectivity.
c. Check that the OU exists.
d. Check that No Override is set for the GPO.
e. Check that Block Policy Inheritance is set for the GPO.
The correct answer is c. The message Missing Active Directory Container is
caused by Group Policy attempting to link a GPO to an OU that it cannot find.
The OU might have been deleted, or it might have been created on another
domain controller but not replicated to the domain controller that you are
using.

Which of the following actions should you take if folder redirection is
successful but files and folders are unavailable? Choose two.
a. Check the user’s permissions for the redirected folder.
b. Check network connectivity.
c. Check that the redirected folder exists.
d. Check to see if Remote Desktop for Administration is enabled.
e. Check to see if the files have extensions that are not synchronized by
default.
The correct answers are a and b. If folder redirection is successful but files and
folders are unavailable, users might not have Full Control for the redirected
folder or there might be a connectivity problem with the network. Because
folder redirection is successful, the redirected folder does exist. You would
check to see if Remote Desktop for Administration is enabled or if files have
extensions that are not synchronized by default if you are troubleshooting
Offline Files and file synchronization.

What is Software Installation extension?


An extension within Group Policy that is the administrator’s primary tool for
managing software within an organization. Software Installation works in
conjunction with Group Policy and Active Directory, establishing a Group
Policy–based software management system that allows you to centrally manage
the initial deployment of software, mandatory and nonmandatory upgrades,
patches, quick fixes, and the removal of software.

What is Assign?
To deploy a program to members of a group where acceptance of the program
is mandatory.

What is publish?
To deploy a program to members of a group where acceptance of the program
is at the discretion of the user.

What is software distribution point (SDP)?


In Software Installation, a network location from which users are able to get
the software that they need.

what is Windows Installer package?


A file that contains explicit instructions on the installation and removal of
specific applications.

What are the requirements for deploying software by using Group Policy?
To deploy software by using Group Policy, an organization must be running
Windows 2000 Server or later, with Active Directory and Group Policy on the
server, and Windows 2000 Professional or later on the client computers.

Describe the tools provided for software deployment.
The Software Installation extension in the Group Policy Object Editor console
on the server is used by administrators to manage software. Add Or Remove
Programs in Control Panel is used by users to manage software on their own
computers.

What is the difference between assigning applications and publishing
applications?
When you assign an application to a user, the application is advertised to the
user the next time he or she logs on to a workstation, and local registry
settings, including filename extensions, are updated. The application
advertisement follows the user regardless of which physical computer he or she
logs on to. When you publish the application to users, the application does not
appear installed on the users’ computers. No shortcuts are visible on the
desktop or Start menu, and no updates are made to the local registry on the
users’ computers. You assign required or mandatory software to users or to
computers. You publish software that users might find useful to perform their
jobs.

What is the purpose of Windows Installer packages?


A Windows Installer package is a file that contains explicit instructions on the
installation and removal of specific applications.

Which of the following file extensions allows you to deploy software using
the Software Installation extension? (Choose two.)
a. .mst
b. .msi
c. .zap
d. .zip
e. .msp
f. .aas
The correct answers are b and c. Files with the extension .msi are either native
Windows Installer packages or repackaged Windows Installer packages, while
files with the extension .zap are application files. Files with the extensions
.mst and .msp are modifications and do not allow you to deploy software on
their own. Files with the extension .aas are application assignment scripts,
which contain instructions associated with the assignment or publication of a
package.

Why is it necessary to set up an SDP?


You must set up an SDP to provide a network location from which users can get
the software that they need.

What feature is configured in the File Extensions tab in the Software
Installation Properties dialog box?
In the File Extensions tab in the Software Installation Properties dialog box, you
specify which application users install when they open a file with an unknown
extension. You can also configure a priority for installing applications when
multiple applications are associated with an unknown file extension.

What feature is configured in the Categories tab in the Software Installation
Properties dialog box?
In the Categories tab in the Software Installation Properties dialog box, you can
designate categories for organizing assigned and published applications to make
it easier for users to locate the appropriate application from within Add Or
Remove Programs in Control Panel.

What feature is configured in the Modifications tab in the Properties dialog
box for a Windows Installer package?
In the Modifications tab in the Properties dialog box for a Windows Installer
package, you can add modifications, remove modifications, and set the order
of modifications. If the modifications are not properly configured, you will have
to uninstall the package or upgrade the package with a correctly configured
version.

You want to ensure that all users of the KC23 workstation can run
FrontPage 2000. What action should you perform?
a. Assign the application to the computer.
b. Assign the application to users.
c. Publish the application to the computer.
d. Publish the application to users.
The correct answer is a. Assigning the application to the KC23 workstation is
the only way to ensure that all users of the workstation can run FrontPage
2000.

What is the difference between redeploying and upgrading an application
deployed with Group Policy?
You redeploy an application previously deployed with Group Policy if there are
small changes that need to be made to the original software deployment
configuration. You upgrade an application previously deployed with Group
Policy if the original developer of the software releases a new version of the
software or if your organization chooses to use a different vendor’s application.
Upgrades typically involve major changes to the software and normally have
new version numbers. Usually a substantial number of files change for an
upgrade.

Why shouldn’t you give users the option of applying an upgrade?


If users have the option of applying the upgrade, they might or might not
choose to apply it, which could cause application version variances within an
organization.

What happens if you delete a GPO that deploys a software application
before you choose the software removal method you want to implement
and allow the software removal to be processed?
If you delete a GPO that deploys a software application before you choose the
software removal method you want to implement and allow the software
removal to be processed, the application cannot be uninstalled with Group
Policy. If the application cannot be uninstalled with Group Policy, you (or the
users) must manually uninstall the application from each client computer.

A software application deployed with Group Policy in your organization is
no longer used. You no longer want users to be able to install or run the
software. What action should you perform?
a. Execute a forced removal
b. Execute an optional removal
c. Redeploy the application
d. Upgrade the application
The correct answer is a. If you no longer want users to be able to install or run
the software, you should execute a forced removal.

Which of the following actions should you perform if a user attempts to
install an assigned application and receives the message Another Installation
Is Already In Progress?
a. Check your permissions for the GPO
b. Check network connectivity
c. Check your permissions for the SDP
d. Wait for the installation to complete
The correct answer is d. The message Another Installation Is Already In Progress
indicates that Windows Installer is already running another installation. You
must wait for the installation to complete and then try your installation again.

Which of the following actions should you perform if a user attempts to
install an assigned application and receives the message The Feature You
Are Trying To Install Cannot Be Found In The Source Directory? Choose two.
a. Check your permissions for the GPO
b. Check connectivity with the SDP
c. Check your permissions for the SDP
d. Wait for the installation to complete
e. Set the auto-install property for the package
The correct answers are b and c. The message The Feature You Are Trying To
Install Cannot Be Found In The Source Directory can be caused by a
connectivity problem to the SDP or by insufficient user permission for the SDP.
There are also other reasons for receiving this message.

You are preparing a package for deployment. Which of the following
actions should you perform if you receive the message Cannot Prepare
Package For Deployment?
a. Check your permissions for the GPO
b. Check connectivity with the SDP
c. Check your permissions for the SDP
d. Set the appropriate category for the package
e. Set the auto-install property for the package
The correct answer is b. If you are preparing a package for deployment and you
receive the message Cannot Prepare Package For Deployment, one of the
actions you should take is to check connectivity with the SDP.

Which of the following actions should you take if a user double-clicks a
document associated with a published application and a different
application than the expected one installs?
a. Set the auto-install property for the package
b. Clear the auto-install property for the package
c. Adjust the precedence for the expected application in the Application
Precedence list
d. Delete the unexpected application from the Application Precedence list
The correct answer is c. If a user double-clicks a document associated with a
published application and a different application than the expected one
installs, you should adjust the precedence for the expected application in the
Application Precedence list.

What is security template?


A physical representation of a security configuration; a single file where a
group of security settings is stored.

What are software restriction policies?


Security settings in a GPO provided to identify software and control its ability
to run on a local computer, site, domain, or OU.

What is audit policy?


A policy that determines the security events to be reported to the network
administrator.

How are account policies different from other security policies?


Account policies (password, account lockout and Kerberos policy) for domain
accounts are read only from GPOs linked to the domain itself, and each domain
in the forest has its own; they cannot be applied to domain accounts through
GPOs linked to sites or OUs. Account policy settings placed in a GPO linked to
an OU affect only the local accounts on the member computers in that OU.
(Windows Server 2008 and later add fine-grained password policies, which apply
per-user or per-group password and lockout settings outside Group Policy.)

What is the difference between user rights and permissions?


User rights are assigned to user and group accounts and applied through a GPO
to sites, domains, or OUs. Permissions attached to objects are assigned to user
and group accounts. Additionally, because user rights are part of a GPO, user
rights can be overridden depending on the GPO affecting the computer or user.

For which logs are attributes defined in the Event Log security area?
The Event Log security area defines attributes (maximum size, retention
method and whether local guests may read the log) for the application,
security, and system event logs in the Event Viewer console.

How can you set autoenrollment of user certificates?


You set autoenrollment of user certificates in the Autoenrollment Settings
Properties dialog box, which you can access by opening Autoenrollment
Settings in Computer Configuration or User Configuration/Windows
Settings/Security Settings/Public Key Policies in a GPO for a site, domain, or
OU.

In which of the following security areas would you find the settings for
determining which security events are logged in the security log on the
computer?
a. Event Log
b. Account Policies
c. Local Policies
d. Restricted Groups
The correct answer is c. You determine which security events are logged in the
security log on the computer in the Audit Policy settings in the Local Policies
security area.

What is the purpose of software restriction policies?


Software restriction policies address the problem of regulating unknown or
untrusted code. Software restriction policies are security settings in a GPO
provided to identify software and control its ability to run on a local computer,
site, domain, or OU.
Explain the two default security levels.
There are two default security levels for software restriction policies:
Disallowed, which does not allow the software to run, regardless of the access
rights of the user who is logged on to the computer, and Unrestricted, which
allows software to run with the full rights of the user who is logged on to the
computer. If the default level is set to Disallowed, you can identify and create
rule exceptions for the programs that you trust to run. If the default level is set
to Unrestricted, you can identify and create rules for the set of programs that
you want to prohibit from running.

Describe how software is identified by software restriction policies.


Using software restriction policies, software can be identified by its
■ Hash, a series of bytes with a fixed length that uniquely identify a program or
file
■ Certificate, a digital document used for authentication and secure exchange
of information on open networks, such as the Internet, extranets, and intranets
■ Path, a sequence of folder names that specifies the location of the software
within the directory tree
■ Internet zone, a subtree specified through Internet Explorer: Internet,
Intranet, Restricted Sites, Trusted Sites, or My Computer
List the order of rule precedence.
Rules are applied in the following order of precedence: hash rules, certificate
rules, path rules, and Internet zone rules. When more than one path rule
matches the same file, the most specific path rule (the one naming the deepest
folder) takes precedence, and when otherwise identical rules conflict, the more
restrictive security level wins.

Which of the following rule types applies only to Windows Installer
packages?
a. Hash rules
b. Certificate rules
c. Internet zone rules
d. Path rules
The correct answer is c. Internet zone rules apply only to Windows Installer
packages.

What is the purpose of auditing?


Auditing is a tool for maintaining network security. Auditing allows you to track
user activities and system-wide events.

Where can you view audited events?


You use the security log in the Event Viewer console to view audited events.

What is an audit policy?


An audit policy defines the categories of events recorded in the security log on
each computer. You set the Audit Policy settings in the Computer
Configuration/Windows Settings/Security Settings/ Local Policies/Audit Policy
extensions in a GPO.

Which event categories require you to configure specific objects for
auditing to log the events?
If you have specified the Audit Directory Service Access event category or the
Audit Object Access event category to audit, you must configure the objects
for auditing.
Which of the following event categories should you audit if you want to find
out if an unauthorized person is trying to access a user account by entering
random passwords or by using password-cracking software? Choose all that
apply.
a. Logon Events—success events
b. Logon Events—failure events
c. Account Logon—success events
d. Account Logon—failure events
The correct answers are b and d. By auditing failure events in the Logon Events
category, you can monitor logon failures that might indicate that an
unauthorized person is trying to access a user account by entering random
passwords or by using password-cracking software. By auditing failure events in
the Account Logon category, you can monitor logon failures that might indicate
an unauthorized person is trying to access a domain account by using brute
force.

What information is logged in the security log?


The security log contains information on security events that are specified in
the audit policy.

What is the default size of the security log?


The default size of the security log is 512 KB on Windows 2000 and Windows
Server 2003; Windows Vista, Windows Server 2008 and later default to 20 MB.

In which of the following file formats can you archive a security log? Choose
three.
a. .txt
b. .doc
c. .rtf
d. .bmp
e. .evt
f. .csv
g. .crv
The correct answers are a, e, and f. Logs can be saved as text (*.txt), event log
(*.evt), or comma-delimited (*.csv) file format.

In which of the following archived file formats can you reopen the file in the
Event Viewer console?
a. .txt
b. .doc
c. .rtf
d. .bmp
e. .evt
f. .csv
g. .crv
The correct answer is e. If you archive a log in log-file (*.evt) format, you can
reopen it in the Event Viewer console.

You filtered a security log to display only the events with Event ID 576.
Then you archived this log. What information is saved?
a. The entire log is saved
b. The filtered log is saved
c. The entire log and the filtered log are each saved separately
d. No log is saved
The correct answer is a. When you archive a log, the entire log is saved,
regardless of filtering options.

What is the purpose of security templates?


A security template is a physical representation of a security configuration, a
single file where a group of security settings is stored. You can use security
templates to define the Account Policies, Local Policies, Event Log, Restricted
Groups, Registry, and File System settings in a GPO. You can import (apply) a
security template file to a local or nonlocal GPO. All computer or user accounts
in the site, domain, or OU to which the GPO is applied receive the security
template settings. Importing a security template to a GPO eases domain
administration by configuring security for multiple computers at once.

For which settings can security templates not be used?


You cannot use security templates to define the IP Security, Public Key,
Software Restriction, and Wireless Network security settings in a GPO.

What is the purpose of the predefined security templates?


The predefined security templates are based on the role of a computer and
common security scenarios. These templates can be used as provided, they can
be modified, or they can serve as a basis for creating custom security
templates.

Where are the predefined security templates stored?


By default, predefined templates are stored in the
%Systemroot%\Security\Templates folder.

Which of the following predefined security templates can be used to
change the default file and registry permissions granted to the Users group
so that members of the group can use most noncertified applications?
a. Compatible workstation or server security settings (Compatws.inf)
b. Default security settings updated for domain controllers (DC security.inf)
c. Secure domain controller security settings (Securedc.inf)
d. Out of the box default security settings (Setup security.inf)
The correct answer is a. Only the Compatible template changes the default file
and registry permissions granted to the Users group so that these members can
use most noncertified applications.

What is the function of the Security Configuration And Analysis feature?


The Security Configuration And Analysis feature is a tool for analyzing and
configuring local system security. This feature compares the effects of one
security template or the combined effects of a number of security templates
with the currently defined security settings on a local computer.

What item is contained in the security configuration and analysis database?


The security configuration and analysis database contains the security template
that you want to compare with the settings currently defined on the computer.

What actions are performed during a security analysis?


Security analysis compares the current state of system security against a
security template in the security configuration and analysis database. The local
computer’s security settings are queried for all security areas in the database
configuration, and the values are compared. If the local computer settings
match the database configuration settings, they are assumed to be correct. If
not, the policies in question are displayed as potential problems that need
investigation.

What actions are performed during a security configuration?


Security configuration applies the stored template configuration in the security
configuration and analysis database to the local computer.

In the security analysis results, which icon represents a difference from the
database configuration?
a. A red X
b. A red exclamation point
c. A green check mark
d. A black question mark
The correct answer is a. A red X indicates a difference from the database
configuration.

What is directory service log?


A tool that displays errors, warnings, and information generated by Active
Directory. If you experience problems with Active Directory, use the directory
service log first to locate the causes of the problem.

What is file replication service log?


A tool that displays errors, warnings, and information generated by FRS.

What is system Monitor?


A tool that allows you to collect and view extensive data about the usage of
hardware resources and the activity of system services on computers you
administer.

Which Active Directory performance-monitoring tool should you use first to
locate the causes of a problem with Active Directory?
You should examine the directory service log in Event Viewer.

What is the function of System Monitor?


System Monitor is a tool that supports detailed monitoring of the use of
operating system resources.

What is the difference between a performance object and a performance
counter?
A performance object is a logical collection of performance counters associated
with a resource or service that can be monitored. A performance counter is a
value that applies to a performance object.

In what format does a histogram display performance data?


A histogram displays performance data in a bar graph format.

Which of the following is not a function of System Monitor?


a. Enables you to view current Active Directory performance data
b. Enables you to view previously recorded Active Directory performance data
c. Enables you to view errors and warnings generated by Active Directory
d. Enables you to collect real-time performance data from a local computer
e. Enables you to collect real-time performance data from a specific computer
on the network where you have permission
The correct answer is c. You can view errors and warnings generated by Active
Directory on the directory service log, but not System Monitor.

What is the function of a counter log?


Counter logs record sampled data about hardware resources and system
services based on performance objects and counters in the same manner as
System Monitor.

What is the function of a trace log?


Trace logs collect event traces that measure performance statistics associated
with events such as disk and file I/O, page faults, and thread activity.

In which locations can you view performance data logged in a counter log?
You can view logged counter data using System Monitor or export the data to a
file for analysis and report generation.

What is the function of an alert?


An alert detects when a predefined counter value rises above or falls below the
configured threshold and notifies a user by means of the Messenger service.
Alerts enable you to define a counter value that triggers actions such as
sending a network message, running a program, making an entry in the
application log, or starting a log.

Which of the following actions can be triggered by an alert? (Choose two.)


a. Logging an entry into the application log
b. Starting logging automatically
c. Sending a network message to a computer
d. Stopping logging automatically
e. Presenting data in a graph format
The correct answers are a and c. The actions that can be triggered by an alert
include logging an entry in the application log in Event Viewer and sending a
network message to a computer.

What action should you take to troubleshoot problems indicated by error
and warning messages in the directory service log?
Double-click the error or warning message and examine the header information
in the Properties dialog box for the message. In the header, you can find out
the date and time the problem occurred, and the user and computer affected
by the problem. In the Description box in the Properties dialog box for the
message, you can read a text description of the problem.

What registry subkey contains the entries for which you can increase the
logging level to retrieve more detailed information in the directory service
log?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Why should you leave logging levels set to 0 unless you are investigating a
problem?
You should leave logging levels set to 0 unless you are investigating a problem
because increasing the logging level increases the detail of the messages and
the number of messages emitted and can degrade server performance.
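The two troubleshooting steps above (read the directory service log, then raise an NTDS Diagnostics logging level only while investigating) as one PowerShell example. This is an added example, not code from the study notes: it filters the Directory Service log for critical, error and warning events with the same header fields the notes mention (time, user, computer), enumerates the logging categories under the Diagnostics subkey, raises one category, and resets everything to 0 afterwards. The category name `5 Replication Events` in the usage line is an example; use a value name that `Get-NtdsDiagnosticLevel` lists on your own domain controller. Run on a DC with administrative rights.

```powershell
# Added example (not from the study notes): read Directory Service log problems and
# manage the NTDS\Diagnostics logging levels. Run on a domain controller as admin.

$NtdsDiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-DirectoryServiceProblems {
    # Level 1 = Critical, 2 = Error, 3 = Warning. The "header" fields the notes refer
    # to (date/time, user, computer) are TimeCreated, UserId and MachineName.
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    $filter = @{
        LogName   = 'Directory Service'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName,
            @{ n = 'User'; e = { if ($_.UserId) { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } } },
            @{ n = 'Description'; e = { $_.Message } }
}

function Get-NtdsDiagnosticLevel {
    # Each value under the key is one logging category (names look like '5 Replication
    # Events'); 0 is the default, anything above it is for an active investigation only.
    $props = Get-ItemProperty -Path $NtdsDiagKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |
        Select-Object @{ n = 'Category'; e = { $_.Name } }, @{ n = 'Level'; e = { $_.Value } }
}

function Set-NtdsDiagnosticLevel {
    # Levels run 0-5; 3 is usually enough detail, 5 is the most verbose and the most
    # expensive for the DC.
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    Set-ItemProperty -Path $NtdsDiagKey -Name $Category -Value $Level -Type DWord
}

function Reset-NtdsDiagnosticLevel {
    # Put every category back to 0 once the investigation is over.
    foreach ($entry in Get-NtdsDiagnosticLevel) {
        if ($entry.Level -ne 0) { Set-NtdsDiagnosticLevel -Category $entry.Category -Level 0 }
    }
}

# Usage: raise one category while reproducing the problem, read the log, then reset.
Get-NtdsDiagnosticLevel | Format-Table -AutoSize
Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 3   # example category name
Get-DirectoryServiceProblems -Hours 2 | Format-List
Reset-NtdsDiagnosticLevel
```

`Reset-NtdsDiagnosticLevel` exists so the raised level does not outlive the investigation; a DC left at level 3 or 5 keeps paying the performance cost the notes warn about.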

What are the four steps in the process of analyzing and interpreting
performance-monitoring results?
The four steps are (1) establish a baseline, (2) analyze performance-monitoring
results, (3) plan and implement changes to meet the baseline, and (4) repeat
steps 2 and 3 until performance is optimized.

In the process of analyzing and interpreting performance-monitoring
results, what is a baseline?
A baseline is a measurement derived from the collection of data over an
extended period during varying workloads and user connections, representing
acceptable performance under typical operating conditions. The baseline
indicates how system resources are used during periods of normal activity and
makes it easier to spot problems when they occur.
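The performance object / counter relationship, the baseline, and the alert described in the questions above, as an added PowerShell example (not from the study notes). It lists the counters of the `NTDS` performance object, samples a few of them to derive a mean and maximum, and then behaves like a Performance Logs and Alerts threshold by writing a warning to the Application log when one sample crosses a threshold. The counter paths and the `AD Monitor` event source name are assumptions; a real baseline is collected for days across varying load, the sample counts here only show the mechanism. Run on a domain controller with administrative rights.

```powershell
# Added example (not from the study notes): NTDS counters, a simple baseline, and an
# alert that logs to the Application log. Counter paths and source name are assumptions.

$Counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions'
)
$EventSource = 'AD Monitor'   # assumed source name; New-EventLog registers it once

function Show-CountersForObject {
    # The counters that belong to one performance object: the object is the
    # collection, each path is one counter (one value) inside it.
    param([string]$ObjectName = 'NTDS')
    (Get-Counter -ListSet $ObjectName).Paths
}

function Get-CounterBaseline {
    # Sample each counter $Samples times, $Interval seconds apart; keep mean and max.
    param([int]$Samples = 12, [int]$Interval = 5)
    $data = Get-Counter -Counter $Counters -SampleInterval $Interval -MaxSamples $Samples
    $data.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
            [pscustomobject]@{ Path = $_.Name; Mean = $stats.Average; Max = $stats.Maximum }
        }
}

function Test-CounterAlert {
    # One sample, compared with a threshold; on a hit, write an Application log entry
    # so normal event monitoring picks it up (one of the alert actions in the notes).
    param(
        [Parameter(Mandatory)][string]$CounterPath,
        [Parameter(Mandatory)][double]$Threshold,
        [ValidateSet('Above', 'Below')][string]$When = 'Above'
    )
    $value = (Get-Counter -Counter $CounterPath).CounterSamples[0].CookedValue
    $fired = if ($When -eq 'Above') { $value -gt $Threshold } else { $value -lt $Threshold }
    if ($fired) {
        if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            New-EventLog -LogName Application -Source $EventSource
        }
        Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Warning `
            -Message "Alert: $CounterPath = $value ($When threshold $Threshold)"
    }
    [pscustomobject]@{ Path = $CounterPath; Value = $value; Fired = $fired }
}

# Usage: list the object's counters, establish a baseline, then alert at twice the
# baseline maximum for LDAP searches.
Show-CountersForObject -ObjectName 'NTDS'
$baseline = Get-CounterBaseline -Samples 6 -Interval 2
$baseline | Format-Table -AutoSize
$ldap = $baseline | Where-Object Path -like '*LDAP Searches/sec'
Test-CounterAlert -CounterPath '\NTDS\LDAP Searches/sec' -Threshold (2 * $ldap.Max) -When Above
```

The threshold is derived from the baseline rather than picked by hand, which is the point of step 1 in the four-step process: without a baseline there is nothing to compare a sample against.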

Active Directory Facts

• Active Directory is based on the LDAP (Lightweight Directory Access
Protocol) standard.
• Active Directory uses DNS for locating and naming objects.
• The tree root domain is the highest level domain in a tree (a tree root
domain can also be a forest root domain).
• The tree root domain is the highest Active Directory domain in the tree.
• A tree is a group of domains based on the same name space.
• Domains in a tree:
  o Are connected with a two-way transitive trust.
  o Share a common schema.
  o Have common global catalogs.
• A schema makes up the attributes of an object in a tree.
• The forest root domain is the first domain created in the Active Directory
forest.
• There are dedicated and regional forest root domains.
• Container objects are designed to contain other objects, either other
containers or leaf objects.
• Domain container objects can contain Organizational Unit (OU) container
objects.
• First level OUs can be called parents.
• Second level OUs can be called children.
• OUs can contain other OUs or any type of leaf object (e.g., users,
computers, printers).
• You cannot assign rights and permissions to OUs.
• You can assign GPOs (Group Policy Objects) to OUs.
• An Active Directory site is one or more well-connected, highly-reliable, fast
TCP/IP subnets.
• All Active Directory sites contain servers and site links (the connection
between two sites that allows replication to occur).
• A site link cost is a value assigned to a link that is used to regulate the
traffic according to the speed of the link. The higher the site link cost, the
slower the link speed.
• Domain controllers are servers that contain copies of the Active Directory
database that can be written to. Domain controllers participate in replication.
• The Active Directory database is partitioned and replicated.
• There are four types of Active Directory database partitions:
  o Domain
  o Configuration
  o Schema
  o Application
• Users find objects in Active Directory by querying the database.
• The first domain controller installed in the forest automatically becomes the
global catalog server for that domain.

Installation Facts
• Active Directory requires the following:
  o TCP/IP running on the servers and clients.
  o A DNS server with SRV support.
  o Windows 2000 or 2003 operating systems.
• After installing Windows 2003, you can install Active Directory using the
Dcpromo command.
• Members of the Domain Admins group can add domain controllers to a
domain.
• Members of the Enterprise Admins group can perform administrative tasks
across the entire network, including:
  o Change the Active Directory forest configuration by adding/removing
domains. (New domains are created when the first domain controller is
installed. Domains are removed when the last domain controller is uninstalled.)
  o Add/remove sites.
  o Change the distribution of subnets or servers in a site.
  o Change site link configuration.

Advanced Installation Facts

If you are installing a Windows Server 2003 server into an existing Windows
2000 Active Directory structure, you must first prepare Active Directory for the
installation by taking the following steps:
1. Apply Service Pack 2 or later on all domain controllers.
2. Back up your data.
3. On the schema master for the forest, disconnect the server from the
network and run Adprep /forestprep.
4. Reconnect the server and wait at least 15 minutes (or as long as half a day
or more) for synchronization to occur.
5. If Active Directory has multiple domains, or if the infrastructure master for
the domain is on a different server than the schema master, run Adprep
/domainprep on the infrastructure master for the domain.

Keep in mind the following facts about using Adprep:

• To run /forestprep, you must be a member of the Schema Admins or
Enterprise Admins group.
• To run /domainprep, you must be a member of the Domain Admins or
Enterprise Admins group.
• If you have a single domain, and the infrastructure master is on the same
server as the schema master, you do not need to run /domainprep (/forestprep
performs all necessary functions to prepare Active Directory).

You should know the following facts about Active Directory advanced
installations:
• Installing from a replica media set will create the initial Active Directory
database using a backup copy and then replicate in any changes since the
backup. This prevents a lot of the replication traffic that is normally created
on a network when a server is promoted to a domain controller.
• To rename domain controllers, the domain functional level must be at least
Windows 2003 (this means all domain controllers must be running Windows
2003).

Installation Tools
You can use the following tools to troubleshoot an Active Directory
installation:

Tool                    Description
Directory Services log  Use Event Viewer to examine the log. The log lists
                        informational, warning, and error events.
Netdiag                 Run from the command line. Tests for domain controller
                        connectivity (in some cases, it can make repairs).
DCDiag                  Analyzes domain controller states and tests different
                        functional levels of Active Directory.
Dcpromo log files       Located in the %Systemroot%\Debug folder. Dcpromoui
                        gives a detailed progress report of Active Directory
                        installation and removal. Dcpromos is created when a
                        Windows 3.x or NT 4 domain controller is promoted.
Ntdsutil                Can remove orphaned data or a domain controller object
                        from Active Directory.

You can also check the following settings to begin troubleshooting an Active
Directory installation:
• Make sure the DNS name is properly registered.
• Check the spelling in the configuration settings.
• PING the computer to verify connectivity.
• Verify the domain name to which you are authenticating.
• Verify that the username and password are correct.
• Verify the DNS settings.

Backup and Restore Facts

• When you reboot after restoring, Active Directory replication replicates
changes.
• Items restored non-authoritatively will be overwritten during replication.
• Use an authoritative restore to restore deleted objects. Objects will be
replicated back to other domain controllers on the network.
• Use a nonauthoritative restore to get the DC back online. Items will
replicate from other DCs after the restored DC goes back online.
• Active Directory data is restored by restoring the System State data. You
cannot selectively restore Active Directory objects from the backup media.
• To restore objects that were added to deleted OUs, move the objects from
the LostAndFound container. No restore of objects is necessary.
• Make sure you perform backups more often than the tombstone lifetime
setting in Active Directory. For example, if the tombstone lifetime is set to 10
days, you should back up Active Directory at least every 9 days. If your backup
interval is larger than the tombstone lifetime, your Active Directory backup can
be viewed as expired by the system.
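The tombstone-lifetime rule above, checked from the directory itself. This is an added PowerShell example, not code from the study notes: it reads the `tombstoneLifetime` attribute from the `CN=Directory Service` object in the configuration partition (when the attribute is absent the directory uses 60 days) and compares it with the age of the last System State backup. The backup date is supplied by the caller (for example the date `repadmin /showbackup` reports); the dates in the usage lines are constructed for illustration. Runs on a domain-joined machine as any authenticated user.

```powershell
# Added example (not from the study notes): tombstone lifetime vs. backup age.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service under CN=Windows NT,CN=Services
    # in the configuration NC. An absent attribute means the 60-day default.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value    = $dsObj.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { 60 } else { [int]$value }
}

function Test-BackupWithinTombstoneLifetime {
    # Usable = $true when the backup is younger than the tombstone lifetime minus a
    # safety margin. A backup older than the lifetime can reintroduce objects the rest
    # of the forest has already forgotten, which is why the notes say to back up more
    # often than the lifetime (10-day lifetime -> back up at least every 9 days).
    param(
        [Parameter(Mandatory)][datetime]$LastBackup,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [int]$SafetyMarginDays = 1
    )
    $ageDays = ((Get-Date) - $LastBackup).TotalDays
    $limit   = $TombstoneLifetimeDays - $SafetyMarginDays
    [pscustomobject]@{
        LastBackup        = $LastBackup
        AgeDays           = [math]::Round($ageDays, 1)
        TombstoneDays     = $TombstoneLifetimeDays
        BackupAtLeastEach = $limit
        Usable            = $ageDays -lt $limit
    }
}

# Usage with constructed backup dates; replace them with your real last backup time.
Test-BackupWithinTombstoneLifetime -LastBackup (Get-Date).AddDays(-8) -TombstoneLifetimeDays 10   # Usable: True
Test-BackupWithinTombstoneLifetime -LastBackup (Get-Date).AddDays(-12)                             # uses the forest's value
```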

Microsoft gives the following as the best practice procedure for restoring Active
Directory from backup media:
1. Reboot into Active Directory restore mode. Log in using the password you
specified during setup (not a domain account).
2. Restore the System State data from backup to its original and to an alternate
location.
3. Run Ntdsutil to mark the entire Active Directory database (if you're restoring
the entire database) or specific Active Directory objects (if you're only
restoring selected Active Directory objects) as authoritative.
4. Reboot normally.
5. Restore Sysvol contents by copying the Sysvol directory from the alternate
location to the original location to overwrite the existing Sysvol directory (if
you're restoring the entire database). Or, copy the policy folders (identified by
GUID) from the alternate location to the original location to overwrite the
existing policy folders.

You should know the following facts about Sysvol restoration:

• Sysvol is the shared system volume on all domain controllers.
• Sysvol stores scripts and Group Policy objects for the local domain and the
network.
• The default location for Sysvol is %Systemroot%\Sysvol.
• To ensure that the proper settings are authoritatively restored, copy the
Sysvol directory from an alternate location over the existing Sysvol directory.
Or, copy the Sysvol policy folders from the alternate location over the original
location. (This maintains the integrity of the Group Policy of the computer.)

Security Facts
• A security principal is an account holder who has a security identifier.
• The Active Directory migration tool allows you to move objects between
domains.
• Objects moved to a new domain get a new SID.
• The Active Directory migration tool creates a SID history.
• The SID history allows an object moved to a new domain to keep its original
SID.
You should know the following information pertaining to identifiers:

Identifier  Description
GUID        Globally Unique Identifier. A 128-bit number guaranteed to be
            unique across the network. Assigned to objects when they are
            created. An object's GUID never changes (even if the object is
            renamed or moved).
SID         Security Identifier. A unique number assigned when an account is
            created. Every account is given a unique SID. The system uses the
            SID to track the account rather than the account's user or group
            name. A deleted account that is recreated will be given a
            different SID. The SID is composed of the domain SID and a unique
            RID.
RID         Relative Identifier. Unique among all the SIDs in a domain. Passed
            out by the RID master.
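The SID = domain SID + RID relationship in the table above, taken apart in code. This is an added PowerShell example, not from the study notes: it uses the .NET `SecurityIdentifier` class to separate the domain part from the RID, labels the RIDs that are the same in every domain (500 Administrator, 512 Domain Admins, and so on), and shows that two accounts belong to the same domain exactly when their domain SIDs match, which is the gap SID history bridges after a migration. The SIDs in the usage lines are constructed sample values, not from any real domain.

```powershell
# Added example (not from the study notes): split SIDs into domain SID and RID.

$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 515 = 'Domain Computers'
    516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins'
}

function Split-Sid {
    # S-1-5-21-<d1>-<d2>-<d3>-<rid>: everything before the last hyphen is the domain
    # SID (shared by every account in the domain); the last sub-authority is the RID.
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $domain = $sidObj.AccountDomainSid     # $null for non-domain SIDs such as S-1-5-18
    $rid    = [int]($Sid.Split('-')[-1])
    $note = switch ($true) {
        { -not $domain }                     { 'well-known or local SID, no domain part'; break }
        { $WellKnownRids.ContainsKey($rid) } { $WellKnownRids[$rid]; break }
        { $rid -lt 1000 }                    { 'reserved built-in RID'; break }
        default                              { 'RID-master-allocated' }
    }
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = if ($domain) { $domain.Value } else { $null }
        Rid       = $rid
        IsDomain  = [bool]$domain
        Note      = $note
    }
}

function Test-SameDomain {
    # Two accounts share a domain exactly when their domain SIDs match; a migrated
    # account's new SID has a different domain part, which is what sIDHistory bridges.
    param([string]$SidA, [string]$SidB)
    (Split-Sid $SidA).DomainSid -eq (Split-Sid $SidB).DomainSid
}

# Usage with constructed SIDs.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-512'    # Domain Admins of that domain
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1104'   # an ordinary RID-master RID
Split-Sid 'S-1-5-18'                                         # LocalSystem, no domain part
Test-SameDomain 'S-1-5-21-1004336348-1177238915-682003330-1104' `
                'S-1-5-21-2000000000-2000000001-2000000002-1104'   # False: different domains
```

The `-lt 1000` branch reflects that RIDs below 1000 are reserved for built-in accounts and groups; the RID master only hands out values from 1000 upward.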

Group Facts
Active Directory defines three scopes that describe the domains on the
network from which you can assign members to the group; where the group's
permissions are valid; and which groups you can nest.

Scope                Description
Global groups        Are used to group users from the local domain. Typically,
                     you assign users who perform similar job functions to a
                     global group. A global group can contain user and computer
                     accounts and global groups from the domain in which the
                     global group resides. Global groups can be used to grant
                     permissions to resources in any domain in the forest.
Domain local groups  Are used to grant access to resources in the local domain.
                     They have open membership, so they may contain user and
                     computer accounts, universal groups, and global groups
                     from any domain in the forest. A domain local group can
                     also contain other domain local groups from its domain.
                     Domain local groups can be used to grant permissions to
                     resources in the domain in which the domain local group
                     resides.
Universal groups     Are used to grant access to resources in any domain in the
                     forest. They have open membership, so you can include user
                     and computer accounts, universal groups, and global groups
                     from any domain in the forest. Universal groups can be used
                     to grant permissions to resources in any domain in the
                     forest. Universal groups are available only in Windows
                     2000 Native or Windows 2003 domain functional level.

Group Strategy Facts
To make permission assignments easier, assign permissions to a group, then add
the accounts that need to use the group's resources. You can add user
accounts, computers, and other groups to groups. You should remember the
following when assigning members to groups:
• Adding a user account to a group gives that account all the permissions and
rights granted to the group (the user must log off and log back on before the
change takes effect).
• The same user account can be included in multiple groups. (This multiple
inclusion may lead to permissions conflicts, so be aware of the permissions
assigned to each group.)
• Nesting is the technique of making a group a member of another group.
Using hierarchies of nested groups may make administration simpler, as long as
you remember what permissions you have assigned at each level.

The following table shows the three basic recommended approaches to managing
users, groups, and permissions.

Strategy: ALP
  Use:         Used on workstations and member servers.
  Description: A: Place user Accounts
               L: Into Local groups
               P: Assign Permissions to the local groups
  Application: Best used in a workgroup environment, not in a domain.

Strategy: AGDLP
  Use:         Used in mixed mode domains and in native mode domains (does not
               use universal groups, which are also not available in mixed
               mode).
  Description: A: Place user Accounts
               G: Into Global groups
               DL: Into Domain Local groups
               P: Assign Permissions to domain local groups
  Application: 1. Identify the users in the domain who use the same resources
                  and perform the same tasks. Group these accounts together in
                  global groups.
               2. Create new domain local groups if necessary, or use the
                  built-in groups to control access to resources.
               3. Combine all global groups that need access to the same
                  resources into the domain local group that controls those
                  resources.
               4. Assign permissions to the resources to the domain local
                  group.

Strategy: AGUDLP
  Use:         Used in native mode domains, when there is more than one domain,
               and you need to grant access to similar groups defined in
               multiple domains.
  Description: A: Place user Accounts
               G: Into Global groups
               U: Into Universal groups
               DL: Into Domain Local groups
               P: Assign Permissions to domain local groups
  Application: Universal groups should be used when you need to grant access
               to similar groups defined in multiple domains. It is best to add
               global groups to universal groups, instead of placing user
               accounts directly in universal groups.

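The AGDLP steps from the table, carried out end to end. This is an added PowerShell example, not code from the study notes, and it uses the ActiveDirectory module (Windows Server 2008 R2 and later, not the 2003-era tools the notes describe). Accounts go into a global "role" group, the global group is nested into a domain local "resource" group, and the NTFS permission on the share is granted to the domain local group only; a second function verifies the whole chain for one user. The OU distinguished name, group names, user names and share path are assumptions.

```powershell
# Added example (not from the study notes): AGDLP with the ActiveDirectory module.
# OU, group, user and share names are assumptions.

Import-Module ActiveDirectory

$GroupsOU  = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the groups
$SharePath = '\\fs01\Projects\Apollo'          # assumed resource

function New-AgdlpAccess {
    # A -> G: accounts into a global group named for the role.
    # G -> DL: the global group into a domain local group named for the resource.
    # DL -> P: the permission on the resource goes to the domain local group only.
    param(
        [Parameter(Mandatory)][string]$RoleGroup,       # e.g. 'Role-Apollo-Engineers'
        [Parameter(Mandatory)][string[]]$Members,       # sAMAccountNames of users
        [Parameter(Mandatory)][string]$ResourceGroup,   # e.g. 'ACL-Apollo-Modify'
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
        New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroup'")) {
        New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOU
    }
    Add-ADGroupMember -Identity $RoleGroup -Members $Members
    Add-ADGroupMember -Identity $ResourceGroup -Members $RoleGroup   # nest G into DL

    # Users never appear on the ACL directly; only the domain local group does.
    $domain = (Get-ADDomain).NetBIOSName
    $acl    = Get-Acl -Path $Path
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$domain\$ResourceGroup", $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-AgdlpChain {
    # Verifies the chain for one user: user in G, G in DL, DL on the resource ACL.
    param([string]$User, [string]$RoleGroup, [string]$ResourceGroup, [string]$Path)
    $domain = (Get-ADDomain).NetBIOSName
    $inG    = (Get-ADGroupMember -Identity $RoleGroup).SamAccountName -contains $User
    $inDL   = (Get-ADGroupMember -Identity $ResourceGroup).SamAccountName -contains $RoleGroup
    $onAcl  = (Get-Acl -Path $Path).Access.IdentityReference.Value -contains "$domain\$ResourceGroup"
    [pscustomobject]@{
        User = $User; UserInGlobal = $inG; GlobalInDomainLocal = $inDL
        DomainLocalOnAcl = $onAcl; EffectiveAccess = ($inG -and $inDL -and $onAcl)
    }
}

# Usage (all names are assumptions).
New-AgdlpAccess -RoleGroup 'Role-Apollo-Engineers' -Members 'alice', 'bob' `
                -ResourceGroup 'ACL-Apollo-Modify' -Path $SharePath -Rights Modify
Test-AgdlpChain -User 'alice' -RoleGroup 'Role-Apollo-Engineers' `
                -ResourceGroup 'ACL-Apollo-Modify' -Path $SharePath
```

Keeping users off the ACL is what makes the strategy auditable: access to the resource is answered by reading one domain local group's membership rather than the ACLs of every folder.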
Designing Active Directory for Delegation
• You should structure the OUs and user account location based on
administrative needs.
• When you delegate control of an OU, you assign a user or group the
permissions necessary to administer Active Directory functions according to
their needs.
• In a small organization, you may have a single administrative group to
manage the Active Directory objects.
• In larger organizations, you may have OUs for several departments. In this
case, you could delegate control to a user or group within each OU.
• Use the Delegate Control wizard in Active Directory Users and Computers to
delegate control.
• You can verify permissions delegation two ways:
  o Select the Security tab in the container's Properties dialog box.
  o Open the Advanced Security Settings dialog box for the container.
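The verification step above, done from the command line instead of the Security tab. This is an added PowerShell example, not from the study notes; it needs the ActiveDirectory module for its `AD:` drive. The Delegate Control wizard writes explicit (non-inherited) ACEs on the OU, so listing those ACEs shows exactly what was delegated there; the schema and extended-rights lookup turns the GUIDs in each ACE into readable names such as an attribute name or "Reset Password". The OU distinguished name in the usage line is an assumption.

```powershell
# Added example (not from the study notes): list the delegations made on an OU.
# Needs the ActiveDirectory module; the OU DN below is an assumption.

Import-Module ActiveDirectory

function Get-SchemaGuidMap {
    # Map schemaIDGUID (classes/attributes) and rightsGuid (extended rights such as
    # "Reset Password") to display names so ACEs can be read without a GUID table.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Resolve-AceGuid {
    # Empty GUID in an ACE means "all object types / all properties".
    param([guid]$Guid, [hashtable]$Map)
    if ($Guid -eq [guid]::Empty) { 'All' }
    elseif ($Map.ContainsKey($Guid)) { $Map[$Guid] }
    else { $Guid.ToString() }
}

function Get-OuDelegation {
    # Non-inherited ACEs are the delegations made on this OU itself; inherited ones
    # come from the domain head or a parent OU (use -IncludeInherited to see both).
    param([Parameter(Mandatory)][string]$OuDN, [switch]$IncludeInherited)
    $map = Get-SchemaGuidMap
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $IncludeInherited -or -not $_.IsInherited } |
        Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
                      AccessControlType, ActiveDirectoryRights,
                      @{ n = 'AppliesTo'; e = { Resolve-AceGuid $_.ObjectType $map } },
                      @{ n = 'OnObjectClass'; e = { Resolve-AceGuid $_.InheritedObjectType $map } },
                      IsInherited
}

# Usage (OU DN is an assumption).
Get-OuDelegation -OuDN 'OU=Sales,DC=corp,DC=example' | Format-Table -AutoSize
```

Running this over every OU and diffing the result against the intended delegation model is a cheap way to spot rights that were granted once for a task and never removed.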

Planning Guidelines
• To begin planning a forest, you must decide how many forests you need.
• You may need more than one forest because of the physical structure of the
company, business unit autonomy, schema differences, or trust limitations.
• Multiple forests require more administration. Additional administrative
difficulties include:
  o Schema consistency.
  o Global catalog placement.
  o Trust configuration.
  o Resource access.
• Every time you add a domain, you add administrative and hardware costs.
• You should consider multiple domains if you need to:
  o Configure separate security policies.
  o Separate administration.
  o Control replication traffic.
  o Support Windows NT.
  o Create distinct name spaces.
  o Configure password policies.
• Create OUs for the following reasons:
  o Administrative purposes.
  o Corporate policies.
  o Administer Group Policies.

Trust Types
The following table shows the types of trusts you can create in Active
Directory.

Trust Type    Characteristics and Uses
Tree root     Automatically established between two trees in the same forest.
              Trusts are transitive and two-way.
Parent/child  Automatically created between child and parent domains. Trusts
              are transitive and two-way.
Shortcut      Manually created between two domains in the same forest. Trusts
              are transitive, and can be either one-way or two-way. Create a
              shortcut trust to reduce the amount of Kerberos traffic on the
              network due to authentication.
External      Manually created between domains in different forests. Typically
              used to create trusts between Active Directory and NT 4.0
              domains. Trusts are not transitive, and can be either one-way or
              two-way.
Forest root   Manually created between the root domains of two forests.
              Transitive within the two forests. Can be either one-way or
              two-way.
Realm         Manually created between Active Directory and non-Windows
              Kerberos realms.

Trusts have a direction that indicates which way trust flows in the relationship.
• The direction of the arrow identifies the direction of trust. For example, if
Domain A trusts Domain B, the arrow would point from Domain A to Domain B.
Domain A is the trusting domain, and Domain B is the trusted domain.
• Resource access is granted opposite of the direction of trust. For example, if
Domain A trusts Domain B, users in Domain B have access to resources in
Domain A (remember that users in the trusted domain have access to resources
in the trusting domain).
• A two-way trust is the same as two one-way trusts in opposite directions.
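The direction rule above applied to the trusts a domain actually has. This is an added PowerShell example, not from the study notes; it needs the ActiveDirectory module. `Get-ADTrust` reports each trust's direction from the local domain's point of view, and the function restates every trust in the notes' terms: which domain is trusting, which is trusted, and therefore whose users can reach whose resources. Domain names in the output come from your own directory.

```powershell
# Added example (not from the study notes): restate each trust in terms of who can
# access whose resources. Needs the ActiveDirectory module.

Import-Module ActiveDirectory

function Get-TrustAccessSummary {
    # Get-ADTrust direction is relative to the local domain:
    #   Outbound      = local domain trusts Target  -> Target's users reach local resources
    #   Inbound       = Target trusts local domain  -> local users reach Target's resources
    #   BiDirectional = both, i.e. two one-way trusts in opposite directions
    $local = (Get-ADDomain).DNSRoot
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $meaning = switch ($t.Direction) {
            'Outbound'      { "$local trusts $($t.Target): users in $($t.Target) can access resources in $local" }
            'Inbound'       { "$($t.Target) trusts $local`: users in $local can access resources in $($t.Target)" }
            'BiDirectional' { "$local and $($t.Target) trust each other: users in either can access resources in the other" }
        }
        [pscustomobject]@{
            Target     = $t.Target
            Direction  = $t.Direction
            TrustType  = $t.TrustType
            # intra-forest trusts (parent/child, tree root, shortcut) are always transitive;
            # between forests only a forest trust flagged ForestTransitive is.
            Transitive = [bool]($t.IntraForest -or $t.ForestTransitive)
            Meaning    = $meaning
        }
    }
}

Get-TrustAccessSummary | Format-List
```

Reading trusts this way makes the security consequence explicit: every outbound (trusting) trust is a set of foreign accounts that can be granted access to local resources, so it deserves the same review as a local group with broad membership.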
Functional Level Types
The table below shows the domain functional levels.

Domain Functional Level: 2000 Mixed
  Domain Controller Operating Systems: NT, 2000, 2003
  Features available in 2000 Mixed:
  • Universal groups are available for distribution groups.
  • Group nesting is available for distribution groups.

Domain Functional Level: 2000 Native
  Domain Controller Operating Systems: 2000, 2003
  Features available in 2000 Native:
  • Universal groups are available for security and distribution groups.
  • Group nesting.
  • Group converting (allows conversion between security and distribution
    groups).
  • SID history (allows security principals to be migrated among domains while
    maintaining permissions and group memberships).

Domain Functional Level: 2003
  Domain Controller Operating Systems: 2003
  Features available in 2003:
  • All features of 2000 Native domains.
  • Domain controller rename.
  • Update logon time stamp.
  • User password on InetOrgPerson object.

Forest functional levels depend on the domain functional levels. The table
below shows the forest functional levels.

Forest Functional Level: 2000
  Domain Functional Level: 2000 Mixed or 2000 Native
  Features available in 2000:
  • Global catalog replication improvements are available if both replication
    partners are running Windows Server 2003.

Forest Functional Level: 2003
  Domain Functional Level: 2003
  Features available in 2003:
  • Global catalog replication improvements
  • Defunct schema objects
  • Forest trusts
  • Linked value replication
  • Domain rename
  • Improved AD replication algorithms
  • Dynamic auxiliary classes
  • InetOrgPerson objectClass change


Operation Master Types

The following table lists the operation masters at the domain and forest
levels. Only one domain controller in the domain or forest performs each role.

Operation Master       Function and Characteristics
RID Master             Ensures domain-wide unique relative IDs (RIDs). One
                       domain controller in each domain performs this role. The
                       RID master allocates pools of IDs to each domain
                       controller. When a DC has used all the IDs, it gets a
                       new pool of IDs.
PDC Emulator           Emulates a Windows NT 4.0 primary domain controller
                       (PDC). Replicates password changes within a domain.
                       Ensures synchronized time within the domain (and between
                       domains in the forest). One domain controller in each
                       domain performs this role.
Infrastructure Master  Tracks moves and renames of objects. Updates group
                       membership changes. One domain controller in each domain
                       performs this role.
Domain Naming Master   Ensures that domain names are unique. Must be accessible
                       to add or remove a domain from the forest. One domain
                       controller in the forest performs this role.
Schema Master          Maintains the Active Directory schema for the forest.
                       One domain controller in the forest performs this role.

You should know the following facts about operation master roles:
• Operation master role servers are also called flexible single master
operation (FSMO) servers. These are domain controllers that perform
operations on the network.
• By default, the first domain controller in the forest holds all operation
masters. When you create a new domain, the first domain controller holds the
three domain operation masters (RID master, PDC emulator, infrastructure
master).
• Use Active Directory Users and Computers to transfer RID master, PDC
emulator, and infrastructure masters.
• Use Active Directory Domains and Trusts to transfer the domain naming
master.
• Use the Active Directory Schema snap-in to transfer the schema master.
• Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in
to make it available for adding to a custom console.
• Before transferring any role, you must connect to the domain controller that
will receive the transferred role.
• To move an object between domains (using Movetree.exe), you must
initiate the move on the domain controller acting as the RID master of the
domain that currently contains the object.
• With a few exceptions, the infrastructure master should not be located on a
global catalog server.

Troubleshooting Operation Masters
The following table lists several problems that can be attributed to
inaccessible or failed operation masters.

If you have this problem...                      Check this operations master...
Unable to add Active Directory objects (either   RID master
from one or many domain controllers).
Unable to move or rename an object.              Infrastructure master
Group membership information is not updated      Infrastructure master
between domain controllers.
Cannot add or remove a domain.                   Domain naming master
Non-Windows 2000/XP/2003 clients cannot          PDC master
authenticate.
Password changes are not updated.                PDC master

Normally, you should transfer roles to other servers only if the server holding
the original role is available. If the server holding the master has failed, you
will need to seize the role (forcefully move the role to another server).
• To seize an operations master role you must use the Repadmin tool to make
sure the domain controller that is seizing the role is fully up-to-date with the
updates on the former role owner.
• Use the Ntdsutil tool to finish seizing the role:
  o Enter ntdsutil at the command line.
  o Enter roles.
  o Enter connections.
  o Enter connect to server [fully qualified domain name of the server].
  o Enter quit.
  o At the FSMO prompt, enter seize [master role name].
  o Enter quit to exit.
• After seizing the role, do not bring the old server back on line. If you repair
the server, use Dcpromo to first remove Active Directory. Then bring it back on
line, install Active Directory, and transfer the role back if desired.

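The operation master facts above (who holds each role, the infrastructure master / global catalog placement rule, and transfer versus seize) in one PowerShell example. This is an added example, not code from the study notes, and it uses the ActiveDirectory module in place of the three MMC snap-ins and the Ntdsutil sequence: `Move-ADDirectoryServerOperationMasterRole` transfers a role when the current holder is reachable and seizes it with `-Force` when it is not. The placement check also encodes the usual exception to the rule: an infrastructure master on a global catalog is acceptable when every DC in the domain is a global catalog, because then there are no cross-domain references for it to fix up. Server names are assumptions.

```powershell
# Added example (not from the study notes): list, check and move operation masters.
# Needs the ActiveDirectory module; server names are assumptions.

Import-Module ActiveDirectory

function Get-OperationMasters {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # per domain
        RIDMaster            = $domain.RIDMaster             # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master should not be a GC unless every DC in the domain is
    # one (then there are no stale cross-domain references left for it to update).
    $domain = Get-ADDomain
    $infra  = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allDCs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $allGC  = -not ($allDCs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        InfrastructureMaster = $infra.HostName
        IsGlobalCatalog      = $infra.IsGlobalCatalog
        AllDCsAreGCs         = $allGC
        Acceptable           = (-not $infra.IsGlobalCatalog) -or $allGC
    }
}

function Move-OperationMaster {
    # Transfer when the old holder is reachable; -Seize only when it has failed.
    # After a seize, never bring the old holder back without demoting it first.
    param(
        [Parameter(Mandatory)][string]$ToServer,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $ToServer -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
}

# Usage (server names are assumptions).
Get-OperationMasters
Test-InfrastructureMasterPlacement
Move-OperationMaster -ToServer 'DC02' -Role PDCEmulator, RIDMaster
# Move-OperationMaster -ToServer 'DC02' -Role InfrastructureMaster -Seize   # old holder is dead
```

Before a seize, the notes' Repadmin step still applies: confirm the target DC has replicated everything the failed holder had, because a seized RID master that is behind can hand out RID pools the old holder already allocated.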

Managing the Schema

You should know the following facts about schema management:
• The schema is the database of object classes and attributes that can be
stored in Active Directory.
• Each object definition in the schema is stored as an object itself, so Active
Directory can manage these definitions just as it does other objects.
• The schema includes definitions for classes and attributes (the definitions
are also called metadata).
• Extending the schema allows Active Directory to recognize new attributes
and classes.
• Adding a component like Microsoft Exchange requires the Active Directory to
be extended.
• Only a member of the Schema Admins group has the permission to modify or
extend the schema.
• To perform schema management tasks, use the Active Directory Schema
snap-in.

Default Active Directory Objects

When you install Active Directory, several objects and containers are
automatically created. The following table lists the default containers and
their contents.

Container                  Contents
Builtin                    Built-in domain local security groups. These groups
                           are pre-assigned permissions needed to perform domain
                           management tasks.
Computers                  All computers joined to the domain without a computer
                           account.
Domain Controllers*        All domain controllers. This OU cannot be deleted.
ForeignSecurityPrincipals  Proxy objects for security principals in NT 4.0
                           domains or domains outside of the forest.
LostAndFound**             Objects moved or created at the same time an
                           Organizational Unit is deleted. Because of Active
                           Directory replication, the parent OU can be deleted
                           on one domain controller. Administrators at other
                           domain controllers can add or move objects to the
                           deleted OU before the change has been replicated.
                           During replication, new objects are placed in the
                           LostAndFound container.
NTDS Quotas**              Objects that contain limits on the number of objects
                           users and groups can own.
Program Data**             Application-specific data created by other programs.
                           This container is empty until a program designed to
                           store information in Active Directory uses it.
System**                   Configuration information about the domain including
                           security groups and permissions, the domain SYSVOL
                           share, Dfs configuration information, and IP security
                           policies.
Users                      Built-in user and group accounts. Users and groups
                           are pre-assigned membership and permissions for
                           completing domain and forest management tasks.

*Be aware that the Domain Controllers OU is the only default organizational
unit object. All other default containers are just containers, not OUs. As such,
you cannot apply a GPO to any default container except for the Domain
Controllers OU.
**By default, these containers are hidden in Active Directory Users and
Computers. To view these containers, click View/Advanced Features from the
menu.

Object Management Tasks and Tools
• The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets
you migrate users and other objects between domains. The tool requires that
the source domain trust the target domain.
• You can use the ADMT to retain an object's SID.
• Moving an object within a domain retains its permissions.
• Deleting the object deletes existing permissions.
• You should rename or move an object rather than delete and recreate the
object.
• The Ldp utility allows you to search for and view the properties of multiple
Active Directory objects.
• If a computer that does not have an account is joined to the domain, a
computer object is created by default in the built-in Computers OU.
• Use the Dsadd command to add an OU object to Active Directory from the
command line.
• The easiest way to create a single OU in Active Directory is to use the Active
Directory Users and Computers snap-in in the MMC.
• To view the LostAndFound folder, select Advanced Features from the View
menu in the Active Directory Users and Computers snap-in.
• The LostAndFound folder is used when, for example, a container is deleted
on one replica, but objects are added or moved beneath the same container on
another replica. In this case, the objects added or moved under the deleted
container are stored in the LostAndFound container.
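The default containers and the LostAndFound behaviour described above, queried directly instead of through the snap-in's Advanced Features view. This is an added PowerShell example, not from the study notes; it needs the ActiveDirectory module. The first function lists the containers at the domain root with their object class, which is what decides whether a GPO can be linked (only `organizationalUnit`, i.e. Domain Controllers) and whether the container is hidden by default (`showInAdvancedViewOnly`); the second lists orphaned objects in LostAndFound together with `lastKnownParent`, the OU they were under when it was deleted.

```powershell
# Added example (not from the study notes): default containers and LostAndFound.
# Needs the ActiveDirectory module.

Import-Module ActiveDirectory

function Get-DefaultContainers {
    # Only "Domain Controllers" is an OU; the others are plain containers (or the
    # special builtinDomain / lostAndFound / msDS-QuotaContainer classes) and cannot
    # have a GPO linked to them.
    $domainDN = (Get-ADDomain).DistinguishedName
    $classes  = '(|(objectClass=container)(objectClass=organizationalUnit)' +
                '(objectClass=builtinDomain)(objectClass=lostAndFound)(objectClass=msDS-QuotaContainer))'
    Get-ADObject -SearchBase $domainDN -SearchScope OneLevel -LDAPFilter $classes `
                 -Properties showInAdvancedViewOnly |
        Select-Object Name, ObjectClass,
                      @{ n = 'HiddenByDefault'; e = { [bool]$_.showInAdvancedViewOnly } },
                      @{ n = 'CanLinkGpo'; e = { $_.ObjectClass -eq 'organizationalUnit' } } |
        Sort-Object Name
}

function Get-LostAndFoundObjects {
    # Objects created or moved under an OU on one DC while that OU was being deleted
    # on another. lastKnownParent records where each one came from, so you can decide
    # whether to move it to a current OU or delete it.
    $domainDN = (Get-ADDomain).DistinguishedName
    $lafDN    = "CN=LostAndFound,$domainDN"
    Get-ADObject -SearchBase $lafDN -SearchScope Subtree -Filter * -Properties lastKnownParent, whenChanged |
        Where-Object { $_.DistinguishedName -ne $lafDN } |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, DistinguishedName
}

Get-DefaultContainers | Format-Table -AutoSize
Get-LostAndFoundObjects | Format-Table -AutoSize
```

An object in LostAndFound still has whatever group memberships and permissions it had, so a user account that lands there keeps working; reviewing this container after OU clean-ups catches accounts that are no longer under any administrative OU or its GPOs.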

Group Policy Facts

Group policy is a tool used to implement system configurations that can be
deployed from a central location through GPOs (Group Policy Objects). You
should know the following Group Policy facts:
• GPOs contain hundreds of configuration settings.
• GPOs can be linked to Active Directory sites, domains, or organizational units
(OUs).
• GPOs include computer and user sections. Computer settings are applied at
startup. User settings are applied at logon.
• A GPO only affects the users and computers beneath the object to which the
GPO is linked.
• Group policy settings take precedence over user profile settings.
• A local GPO is stored on a local machine. It can be used to define settings
even if the computer is not connected to a network.
• GPOs are applied in the following order:
  1. Local
  2. Site
  3. Domain
  4. OU
• If GPOs conflict, the last GPO to be applied overrides conflicting settings.
• The Computers container is not an OU, so it cannot have a GPO applied to
it.
• Group policy is not available for Windows 98/NT clients or Windows NT 4.0
domains.
• You can use a GPO for document redirection, which customizes where user
files are saved. (For example, you can redirect the My Documents folder to
point to a network drive where regular backups occur. Folder redirection
requires Active Directory-based group policy.)
• Configuring a domain group policy to delete cached copies of roaming user
profiles will remove the cached versions of the profile when a user logs off.

Refreshing Group Policy


 By default, Computer Configuration group policy settings (except Software
Installation and Folder Redirection) refresh every 5 minutes on domain
controllers and every 90 minutes (plus a random offset between 0 and 30
minutes) for other computers.
 By default, User Configuration group policy settings (except Software
Installation and Folder Redirection) refresh every 90 minutes (plus a random
offset between 0 and 30 minutes).
 You can modify refresh rates by editing the properties of the following
settings in Group Policy:
o Group Policy refresh interval for computers.
o Group Policy refresh interval for Domain Controllers.
o Group Policy refresh intervals for users.
 Software Installation and Folder Redirection are not applied during a
background refresh, only at startup or logon (foreground processing), because
it is too risky to install/uninstall software or move files while users are
using their computers.

To manually refresh group policy settings, use the Gpupdate command with the
following switches:

Switch            Function
No switch         Refresh user- and computer-related group policy (only the
                  settings that changed since the last refresh).
/target:user      Refresh user-related group policy only.
/target:computer  Refresh computer-related group policy only.
/force            Reapply every setting, changed or not; use this after
                  editing the permissions or WMI filter of a GPO.
Editing GPO Facts
 Group Policy Object Editor has two nodes:
o Computer Configuration to set Group Policies for computers.
o User Configuration to set Group Policies for users.
 You can extend each node's capabilities by using snap-ins.
 Use an Administrative Template file (.adm) to extend the registry settings
available in the Group Policy Editor. (Windows Vista/Server 2008 and later use
.admx/.adml files instead, normally kept in a central store under
SYSVOL\<domain>\Policies\PolicyDefinitions.)
 Use the Software Settings node to automate installation, update, repair, and
removal of software for users or computers.
 The Windows Settings node automates tasks that occur during startup,
shutdown, logon, or logoff (scripts), and holds the Security Settings.
 Security Settings hold the account and password policies, audit policy, user
rights assignments, registry and file-system ACLs, restricted groups, and
software restriction policies, for a local or domain-based GPO.

Controlling GPO Application

You should know the following about controlling GPO application:
 All GPOs directly linked to or inherited by a site, domain, or OU apply to all
users and computers within that container that have both the Apply Group
Policy and Read permissions on the GPO.
 By default, each GPO you create grants the Authenticated Users group
(basically all domain users and computers) the Apply Group Policy and Read
permissions.
 To apply settings to computers, configure the Computer Configuration node
of a GPO.
Edit Permissions
You can control the application of GPOs (security filtering) by editing the
permissions in the GPO access control list (ACL). An object that lacks the
required permissions on a GPO does not receive it.
 To deny a GPO to a specific user, group, or computer, add it to the GPO
permissions and deny the Apply Group Policy permission. Deny entries win over
allows inherited through group membership and are easy to overlook later, so
use them sparingly.
 To apply a GPO only to specific users, groups, or computers, remove the Apply
Group Policy permission from the Authenticated Users group, then add the
specific user, group, or computer and grant it the Apply Group Policy and Read
permissions.
 Leave Authenticated Users (or Domain Computers) with Read. Since the
MS16-072 update (2016) the Group Policy client retrieves user-side GPOs in the
computer's security context, so a GPO whose ACL does not let the computer
account read it is silently skipped.
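The two permission edits above, done with the GroupPolicy module cmdlets, as an added PowerShell example that is not part of the original notes. The GPO name Lockdown-Kiosks and the group KioskUsers are placeholders:

```powershell
# Added example: security-filter a GPO to one group (placeholder names).
# Needs the GroupPolicy module (RSAT) and edit rights on the GPO.
Import-Module GroupPolicy
$gpo = 'Lockdown-Kiosks'

# 1. Stop the GPO applying to everyone, but keep Read for Authenticated Users.
#    -Replace is needed to lower an existing permission level; without it the
#    cmdlet only raises it. Do not drop Read entirely: since MS16-072 user
#    settings are fetched in the computer's security context, and a GPO the
#    computer account cannot read is skipped.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 2. Grant Apply Group Policy (which includes Read) to the intended group only.
Set-GPPermission -Name $gpo -TargetName 'KioskUsers' -TargetType Group `
    -PermissionLevel GpoApply

# 3. Verify who can still apply the GPO.
Get-GPPermission -Name $gpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied

# 4. On a client: which GPOs applied and which were filtered out, with the
#    reason (Security or WMI Filter) in the "filtered out" list.
gpresult /r /scope:computer
```

Set-GPPermission writes Allow entries only; a Deny of Apply Group Policy still has to be set on the GPO's Delegation tab (Advanced) in GPMC, which is one reason to prefer the remove-and-grant pattern over deny entries.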

Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are
linked to the parent objects. To block GPO inheritance,
1. Click the Group Policy tab for the domain or OU for which you want to block
GPO inheritance (in GPMC, right-click the domain or OU).
2. Select the Block Policy inheritance check box (Block Inheritance in GPMC).

You cannot block inheritance on a per-GPO basis. Blocking policy inheritance
prevents the domain or OU (along with all the containers and objects beneath
them) from inheriting GPOs, except those marked No Override (Enforced).
No Override
You should know the following facts about the No Override option (called
Enforced in GPMC):
 The no override option prevents a GPO's settings from being overridden by
GPOs applied later, and the GPO still applies to child containers that have
Block Policy inheritance set.
 When no override is set on more than one GPO, the GPO highest in the
Active Directory hierarchy takes precedence.
 No override cannot be set on a local GPO.

WMI Filtering
You should know the following facts about WMI filtering:
 You can use WMI queries to filter the scope of GPOs by properties of the
target computer (operating system, free disk space, installed software, and so
on).
 WMI filtering is similar to using security groups to filter the scope of
GPOs, but the query is evaluated by the client at every refresh, so a slow
query adds to startup and logon time.
 WMI queries are written in WMI query language (WQL). The GPO applies only if
the query returns at least one instance; if it returns nothing or fails to
run, the GPO is skipped.
 Windows 2000 clients ignore WMI filters and apply the GPO anyway, and a local
administrator can tamper with the WMI repository, so a filter is a scoping
aid, not a security boundary.
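An added PowerShell example, not from the original notes, of testing a WQL filter locally before attaching it to a GPO, and of finding which GPOs already carry one. The query is a placeholder (it matches servers and domain controllers only):

```powershell
# Added example: dry-run a WMI filter query and list filtered GPOs.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2 OR ProductType = 3'

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # A WMI filter "matches" when the query returns at least one instance, and
    # a query that throws counts as no match: that is what the client does.
    try {
        $r = Get-CimInstance -Query $Query -ErrorAction Stop
        return [bool]($r | Select-Object -First 1)
    } catch {
        Write-Warning "query failed, GPO would be skipped: $_"
        return $false
    }
}

Test-WmiFilter -Query $wql            # $true on a server, $false on a workstation
Test-WmiFilter -Query 'SELECT * FROM NoSuchClass'   # failure path

# Which GPOs in the domain currently carry a WMI filter? (GroupPolicy module)
Import-Module GroupPolicy
Get-GPO -All | Where-Object { $_.WmiFilter } |
    Select-Object DisplayName, @{ n = 'Filter'; e = { $_.WmiFilter.Name } }
```

Run the test on a machine of each type the filter is meant to separate; a filter that is wrong in only one direction (never matches) fails silently, since a skipped GPO produces no error, only a "filtered out" entry in gpresult.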

Loopback Processing
By default, Group Policy applies Computer Configuration settings from the GPOs
in scope of the computer object during startup, and User Configuration
settings from the GPOs in scope of the user object during logon. Where the
same setting is defined on both sides, the User Configuration setting usually
wins.
You can change which GPOs supply the user settings by enabling loopback
processing. Following are some circumstances when you might use loopback
processing:
 If you want the user settings that apply on a computer to be chosen by the
computer's location in Active Directory rather than by the user's.
 If you want to prevent the user's own User Configuration settings from
being applied.
 If you want to apply User Configuration settings for the computer, regardless
of the location of the user account in Active Directory.

Loopback processing is typically used to apply User Configuration settings to
special computers located in public locations, such as kiosks and public
Internet stations, and to terminal/remote desktop servers.
Keep in mind the following about how loopback processing works.
 Loopback processing runs in Merge or Replace mode.
 Merge mode applies the user's normal GPO list first, then the user-side
settings of the GPOs in the computer's scope; because they are applied last,
the computer-scope settings win any conflict.
 Replace mode ignores the user's own GPO list and applies only the user-side
settings of the GPOs in the computer's scope.

To enable loopback processing:


1. Create or edit a GPO to distribute to computers on which you want to enable
loopback processing mode.
2. Choose Group Policy from the System node of Administrative Templates in
Computer Configuration.
3. Right-click Users Group Policy loopback processing mode and click
Properties.
4. Click Enabled.
5. Choose Merge mode or Replace Mode.
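The same five steps as an added PowerShell example (not from the original notes): enabling loopback in Replace mode in a GPO aimed at kiosk computers and checking the result on one kiosk. The GPO name, OU and registry value are as documented for this policy; the names are placeholders:

```powershell
# Added example: enable loopback (Replace mode) for kiosks and verify it.
Import-Module GroupPolicy
$gpo = 'Kiosk-Loopback'

# "User Group Policy loopback processing mode" is stored as UserPolicyMode
# under this key: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Link it to the OU holding the kiosk COMPUTER objects; the user OU is
# irrelevant in Replace mode, which is the point of loopback.
New-GPLink -Name $gpo -Target 'OU=Kiosks,DC=contoso,DC=com' -LinkEnabled Yes

# Any user-side settings you want on the kiosk must live in GPOs linked on the
# computer's OU chain, with their user side enabled:
Get-GPO -Name $gpo | Select-Object DisplayName, GpoStatus   # must not be UserSettingsDisabled

# On a kiosk, after gpupdate /force: the effective value and the user-side GPO list.
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode
gpresult /r /scope:user
```

If the user-side list from gpresult still shows the user's own OU GPOs, the kiosk has not yet picked up the computer policy (it is read at startup); reboot before troubleshooting further.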

Group Policy Tools


You should be familiar with the use of the following Group Policy tools:
Gpresult
 Gpresult is a command line tool that allows you to examine the policy
settings of specific users and computers.
 Start Gpresult by entering Gpresult at the command line (use the /? switch
for syntax help; /r gives a summary, /v the full detail, /scope:user or
/scope:computer limits it to one side, and on Windows Vista/Server 2008 and
later /h file.html writes the same report as an HTML page). The computer
section requires an elevated prompt.
 Gpresult can show the following:
o Last application of Group Policy and the domain controller from which policy
was applied.
o Detailed list of the applied GPOs.
o Detailed list of applied Registry settings.
o Details of redirected folders.
o Software management information, like information about assigned and
published software.

RSoP
RSoP (Resultant Set of Policy) is the accumulated results of the group policies
applied to a user or computer. You should know the following facts about RSoP:
 The RSoP wizard reports on how GPO settings affect users and computers.
The wizard runs in two modes: logging and planning.
 The RSoP wizard logging mode reports on existing group policies applied
against computers or users.
 The RSoP wizard planning mode simulates the effects policies would have if
applied to computers or users.

RSoP Access
You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here
are some common ways:
 Install the RSoP wizard as an MMC snap-in
 Use the Start > Run sequence and run Rsop.msc.
 You can also select an object in Active Directory Users and Computers and
select Resultant Set of Policy (in planning or logging mode) from the All Tasks
menu.
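An added PowerShell example (not part of the original notes) that collects RSoP logging-mode data for a user on a remote computer and reduces it to the question usually being asked: which GPOs applied, which were filtered out, and why. KIOSK01 and CONTOSO\alice are placeholders, and the element names are those of the RSoP XML that gpresult /x and this cmdlet produce, taken here as an assumption:

```powershell
# Added example: RSoP logging mode, parsed for applied / filtered GPOs.
Import-Module GroupPolicy

$xmlPath = Join-Path $env:TEMP 'rsop.xml'
Get-GPResultantSetOfPolicy -Computer 'KIOSK01' -User 'CONTOSO\alice' `
    -ReportType Xml -Path $xmlPath

$rsop = [xml](Get-Content -Path $xmlPath -Raw)
# PowerShell's XML adapter ignores the document namespace, so dot navigation works.
'ComputerResults', 'UserResults' | ForEach-Object {
    $scope = $_
    foreach ($g in $rsop.Rsop.$scope.GPO) {
        $denied  = $g.AccessDenied -eq 'true'    # security filtering said no
        $wmiFail = $g.FilterAllowed -eq 'false'  # WMI filter returned nothing
        [pscustomobject]@{
            Scope    = $scope
            GPO      = $g.Name
            LinkedAt = ($g.Link | ForEach-Object { $_.SOMPath }) -join '; '
            Applied  = (-not ($denied -or $wmiFail)) -and ($g.Enabled -ne 'false')
            Reason   = if ($denied) { 'security filtering' } elseif ($wmiFail) { 'WMI filter' } else { '' }
        }
    }
} | Format-Table -AutoSize
```

Remote collection needs local administrator rights on the target and RPC/WMI reachable through its firewall; for the computer section the user account must have logged on to that machine at least once. Planning mode (Group Policy Modeling in GPMC) simulates without touching the client at all.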

Delegation Facts
You should know the following facts about delegating control of group
policies:
 Decentralized administrative delegation means that administration is
delegated to OU-level administrators. In decentralized administrative
delegation, assign full-control permission on the GPOs to the OU
administrators.
 Centralized administrators delegate full-control permission only to
top-level OU administrators. Those administrators are responsible for
everything downward.
 Task-based delegation assigns administration of specific group policies to
administrators who handle specific tasks. For example, security administrators
would get full control of security GPOs, and application administrators would
get full control of application GPOs.
 Whoever can edit a GPO can run code as SYSTEM on every computer, and as
every user, the GPO reaches (startup/logon scripts, software installation),
so GPO edit rights are administrative rights over that scope. Delegate and
audit them as such.

Software Distribution Facts

You should be familiar with the following software distribution facts:
 When you configure the option Uninstall this application when it falls out of
the scope of management on a user-assigned software application installed
through a GPO, you force the software to uninstall automatically when an
account is moved out of the OU to which the GPO was applied.
 There are two default settings for software restriction policies: Unrestricted
and Disallowed.
o Unrestricted allows software to run according to the rights of the user who is
accessing the software.
o Disallowed does not allow software to run regardless of the logged on user's
rights.
 If the default restriction level is Disallowed then no software will be able to
run unless there is an additional rule configured that explicitly makes the
software unrestricted.
 The Always wait for the network at computer startup and logon GPO setting
forces a computer to wait for the network to fully initialize before attempting
to refresh Group Policy settings.
 The source path to the location of an MSI file must always be a UNC path:
\\servername\sharename\filename.
 To fix the source path for an existing software package you need to delete
and recreate the package.
 In order for users to run installation files from the software distribution
point, they need Read and Execute permissions (for a package assigned to
computers, the computer accounts need them too).
 Only the packaging administrators should be able to write to the
distribution point. Windows Installer runs GPO-deployed packages as SYSTEM, so
anyone who can replace an MSI on the share gets SYSTEM on every computer that
installs it.

Use software restriction policies to prevent users from running specific
software. Configure rules that tell Windows how to identify a particular piece
of software. When more than one rule matches a file, they are evaluated in this
order of precedence: hash, certificate, path, Internet zone.

Restriction Option   Characteristic
Certificate Rule     Identifies software by the code-signing certificate it
                     was signed with, so it allows or restricts everything
                     from a publisher wherever the file lives and whenever it
                     is updated. By default certificate rules are checked for
                     Windows Installer packages and scripts; enforcing them
                     for executables is a separate enforcement option and
                     adds revocation checks at launch time.
Hash Rule            When you create a hash rule, Windows hashes the
                     executable file. When users try to run software, Windows
                     compares the hash of the executable with the hash stored
                     in group policy. Use a hash rule to restrict software
                     regardless of its location or name; every patch or
                     rebuild changes the hash and needs a new rule.
Internet Zone Rule   Uses Internet Explorer zones to identify software by the
                     zone it was downloaded from. Applies only to Windows
                     Installer packages.
Path Rule            Identifies restricted or allowed software by path and
                     name (environment variables, wildcards and registry
                     paths are allowed). The same executable file in a
                     different location is not governed by the rule, so an
                     Unrestricted path rule on a user-writable directory lets
                     users run whatever they copy there.
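An added PowerShell example, not from the original notes, that audits the software restriction policy on a machine and flags Unrestricted path rules pointing at user-writable directories; its Test-UserWritable helper is the same check to run on a software distribution point. The registry layout (CodeIdentifiers\<level>\Paths|Hashes\{GUID}) and the level codes are the documented SRP values, used here as an assumption; the UNC path at the end is a placeholder:

```powershell
# Added example: SRP audit plus a writability check for shares and rule paths.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 131072 = 'Constrained'; 262144 = 'Unrestricted' }

function Test-UserWritable {
    # True when Everyone, Users, Authenticated Users or INTERACTIVE may write.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles|AppendData') { return $true }
    }
    return $false
}

function Get-SrpRules {
    if (-not (Test-Path $base)) { Write-Warning 'No SRP configured on this host'; return }
    $raw = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultLevel
    [pscustomobject]@{ Type = 'Default'; Level = $(if ($null -eq $raw) { 'not set' } else { $levels[[int]$raw] }); Data = ''; Risk = '' }
    foreach ($lvl in $levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $base "$lvl\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($rule in Get-ChildItem -Path $key) {
                $p = Get-ItemProperty -Path $rule.PSPath
                if ($kind -eq 'Paths') {
                    $data = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                    $risk = if ($lvl -eq 262144 -and (Test-UserWritable $data)) { 'Unrestricted path is user-writable' } else { '' }
                } else {
                    # hash rules store the digest as binary ItemData; render as hex
                    $data = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    $risk = ''
                }
                [pscustomobject]@{ Type = $kind.TrimEnd('s'); Level = $levels[$lvl]; Data = $data; Risk = $risk }
            }
        }
    }
}

Get-SrpRules | Format-Table -AutoSize
Test-UserWritable -Path '\\fileserver\software$\Apps'   # distribution point check
```

Wildcard path rules (such as the default %SystemRoot%\* rule) are not expanded by the check above, so review those by hand; the default rule is the classic gap, since %SystemRoot% contains directories ordinary users can write to. On current Windows versions AppLocker or Windows Defender Application Control replaces SRP for this job.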
Administrative Template Facts
You should be familiar with the following facts about Administrative templates:
 Computer Configuration and User Configuration each have the following
three nodes:
o Windows Components: Use to administer Windows 2003 Server components.
The Computer Configuration node has settings for IIS. The User Configuration
node has settings for Internet Explorer.
o System: Use to administer the functionality of the Windows 2003 OS.
o Network: Use to control the functionality of the network.
 In the Computer Configuration node, Administrative Templates contains a
Print node for printer administration.
 In the User Configuration node, Administrative Templates contains nodes of
administering the Start menu, Taskbar, Desktop, Control Panel, and shared
folders.

Folder Redirection Facts


You should know the following facts about folder redirection:
 To put user profile data back to the local system, make sure the GPO is
enabled and select the Redirect to the local userprofile location option.
 Folder redirection works best by distributing a Group Policy, but you can
redirect folders manually on the local system by modifying the folder's
properties (not through a local GPO, though).
 The following folders can be redirected:
o My Documents
o Application Data
o Start Menu
o My Pictures
o Desktop
 Redirected folders are made available offline automatically.

Logon Facts
You should know the following facts about managing logon:
 Password and account lockout policies for domain accounts are only effective
in GPOs linked to the domain (the Default Domain Policy by default); the same
settings in a GPO linked to an OU affect only the local accounts of the
computers in that OU.
 To have different password policies for different users in Windows 2000 or
Windows Server 2003, you must create additional domains. (Windows Server 2008
and later add fine-grained password policies at the Windows Server 2008 domain
functional level, which remove this limitation.)
 Each forest has a single alternate user principal name (UPN) suffix list that
you can edit from the properties of the Active Directory Domains and Trusts
node. After adding an alternate UPN suffix, you can configure all user accounts
to use the same UPN suffix, thus simplifying user logon for users in all domains
in the forest.
You should be familiar with the following password and account lockout policy
settings:

Setting                      Description
Enforce password history     Keeps a history of user passwords (up to 24) so
                             that users cannot reuse passwords.
Minimum password length      Configures how many characters a valid password
                             must have.
Minimum password age         Forces the user to keep a new password for the
                             length of time you determine before changing it
                             again. Set to 0, a user can cycle through the
                             whole history in minutes to get an old password
                             back.
Password must meet           Rejects passwords that contain the user's
complexity requirements      account name or parts of the user's full name
                             longer than two consecutive characters, and
                             requires at least six characters from at least
                             three of the four classes: uppercase letters,
                             lowercase letters, digits, and non-alphanumeric
                             symbols. (It does not check for company names or
                             dictionary words; that needs a custom password
                             filter DLL.)
Maximum password age         Forces the user to change passwords at whatever
                             time interval you determine.
Account lockout threshold    Configures how many incorrect passwords can be
                             entered before the account is locked out; 0
                             means never lock out.
Account lockout duration     Identifies how long an account stays locked out
                             once it has been locked. A value of 0 indicates
                             that an administrator must manually unlock the
                             account. Any other number indicates the number of
                             minutes before the account is automatically
                             unlocked.
Reset account lockout        Specifies the length of time (minutes) that must
counter after                pass after a failed logon attempt before the
                             bad-password counter resets to zero.
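An added PowerShell example (not from the original notes) that reads the domain's effective password and lockout policy and flags settings that leave room for password guessing. The thresholds are illustrative choices made for this example, and the constructed sample policy lets the check run offline:

```powershell
# Added example: audit the password/lockout policy against a baseline.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    # $Policy: any object carrying the property names that
    # Get-ADDefaultDomainPasswordPolicy / Get-ADFineGrainedPasswordPolicy return.
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.MinPasswordLength -lt 14)       { $findings += "MinPasswordLength is $($Policy.MinPasswordLength), want 14+" }
    if (-not $Policy.ComplexityEnabled)         { $findings += 'complexity requirement disabled' }
    if ($Policy.PasswordHistoryCount -lt 24)    { $findings += "history keeps $($Policy.PasswordHistoryCount) passwords, want 24" }
    if ($Policy.MinPasswordAge.TotalDays -lt 1) { $findings += 'MinPasswordAge 0: history can be cycled through in minutes' }
    if ($Policy.LockoutThreshold -eq 0)         { $findings += 'LockoutThreshold 0: unlimited online guessing' }
    if ($Policy.ReversibleEncryptionEnabled)    { $findings += 'reversible encryption on: passwords recoverable in cleartext' }
    return $findings
}

# Offline run on a constructed policy object shaped like the cmdlet output.
$sample = [pscustomobject]@{
    MinPasswordLength = 7;  ComplexityEnabled = $true;  PasswordHistoryCount = 24
    MinPasswordAge = [timespan]::Zero;  MaxPasswordAge = [timespan]::FromDays(42)
    LockoutThreshold = 0;  LockoutDuration = [timespan]::FromMinutes(30)
    LockoutObservationWindow = [timespan]::FromMinutes(30);  ReversibleEncryptionEnabled = $false
}
Test-PasswordPolicy -Policy $sample

# Live run: the domain policy, then every fine-grained policy (2008+), each of
# which overrides the domain policy for the users and groups it applies to.
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO       = $_.Name
        AppliesTo = ($_.AppliesTo -join '; ')
        Findings  = (Test-PasswordPolicy -Policy $_) -join '; '
    }
}
```

A lockout threshold is a trade-off: it stops online guessing but hands anyone who can reach the logon service a way to lock users out, so pair a threshold with a short lockout duration rather than with administrator-only unlock.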
Automatic Certificate Enrollment Facts
You should know the following facts about using Group Policy to configure
automatic certificate enrollment:
 Before you can add an automatic certificate request, you must have
certificate templates configured on your enterprise CA. Run Certtmpl.msc to
open the Certificate Templates console and edit or duplicate templates.
 The users or computers to be enrolled need Read, Enroll and Autoenroll
permissions on the template (its Security tab), and the template must be
published on the CA; otherwise the autoenrollment policy has nothing to issue.
 For a completely automatic certificate installation, set the Request Handling
options of the certificate template to enroll the subject without requiring any
user input.
 Without that Request Handling option selected, the user will be prompted for
input during the certificate enrollment phase.
 An icon on the taskbar will also appear, which users can click to start the
enrollment process.

Managing Sites and Subnets

You should know the following facts about managing sites and subnets (the DC
locator process):
1. When a client attempts to find a domain controller for authentication, it
queries DNS for the domain's SRV records (_ldap._tcp.dc._msdcs.<domain>) and
receives a list of DC IP addresses.
2. The client sends an LDAP "ping" (a small UDP query) to those DCs to find
one that is a good match for authentication.
3. On each DC, Active Directory passes the query to Net Logon.
4. Net Logon looks for the client IP address in the subnet-to-site mapping
table built from the subnet objects in Active Directory Sites and Services
(the longest matching prefix wins).
5. If a site is found, the DC returns its name; the client then queries DNS
for the DCs of that site (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) and
caches the site name. If the client IP address isn't found in the table, the
DC returns a NULL site value and the client authenticates using the returned
DC, which may be across a WAN link; DCs count such clients in Netlogon event
5807 and log them as NO_CLIENT_SITE in %SystemRoot%\debug\netlogon.log.
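The subnet-to-site lookup of step 4, reproduced as an added PowerShell example that is not part of the original notes: a longest-prefix match over subnet objects (IPv4 only), with constructed subnet data, followed by the client-side commands that expose the result. Site names and contoso.com are placeholders:

```powershell
# Added example: the Net Logon subnet-to-site match, and how to see it on a client.
function Find-ClientSite {
    param([string]$ClientIP, [object[]]$Subnets)   # $Subnets: objects with Name (CIDR) and Site
    $ip = [System.Net.IPAddress]::Parse($ClientIP)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw 'IPv4 only in this example' }
    $ipInt = [BitConverter]::ToUInt32([byte[]]($ip.GetAddressBytes()[3..0]), 0)
    $best = $null
    foreach ($s in $Subnets) {
        $net, $bits = $s.Name -split '/'
        $b = [int]$bits
        $netInt = [BitConverter]::ToUInt32([byte[]]([System.Net.IPAddress]::Parse($net).GetAddressBytes()[3..0]), 0)
        # build the mask in 64-bit arithmetic and trim it back to 32 bits
        $mask = ([uint32]::MaxValue -shl (32 - $b)) -band [uint32]::MaxValue
        if (($ipInt -band $mask) -ne ($netInt -band $mask)) { continue }
        if ($null -eq $best -or $b -gt $best.Bits) {
            $best = [pscustomobject]@{ Site = $s.Site; Subnet = $s.Name; Bits = $b }
        }
    }
    return $best   # $null is the "NULL site" case of step 5
}

# Constructed subnet objects. In production:
#   Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
$subnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';   Site = 'HQ' },
    [pscustomobject]@{ Name = '10.20.0.0/16'; Site = 'Branch' },
    [pscustomobject]@{ Name = '10.20.5.0/24'; Site = 'Branch-Lab' }
)
Find-ClientSite -ClientIP '10.20.5.77'  -Subnets $subnets   # inside all three; most specific wins
Find-ClientSite -ClientIP '192.168.1.9' -Subnets $subnets   # unmapped client

# On a client: which site did the DC put me in, and which DC did I get?
nltest /dsgetsite
nltest /dsgetdc:contoso.com /force
```

The unmapped case is the one to hunt for: a branch whose subnet was never added authenticates against whichever DC answered first, usually across the WAN, and the Netlogon 5807 summary on the DCs is the quickest way to find the missing subnets.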

Replication Facts
You should know the following facts about replication:
 The Inter-Site Topology Generator (ISTG) in each site automatically decides
which domain controllers are the bridgehead servers for that site.
 To force a specific server to be the bridgehead server, you must manually
configure it as a preferred bridgehead server.
 To designate a preferred bridgehead server, edit the server object
properties in Active Directory Sites and Services. Once a site has preferred
bridgeheads, the KCC chooses only among them; if they are all unavailable,
intersite replication for that site stops until one returns or the preference
is removed, so designate at least two or none.
 Replication between sites occurs only between the bridgehead servers.
 To have different replication settings for different WAN links, you need to
configure multiple site links.
 For complete flexibility, you should create a site link for each network
connection between sites.
 The default link cost is 100.
 A higher cost for a link is less desirable. To force traffic over one link,
set a lower cost. For example, set a lower cost for high-speed links to force
traffic over the high speed link. Configure a higher cost for dial-up links
that are used as backup links.
 Costs are additive when multiple links are required between sites.
 Use SMTP replication for high-latency links where RPC replication would
probably fail. SMTP can carry only the schema, configuration and global
catalog partial replicas, not the domain partition between DCs of the same
domain, and it requires an enterprise CA for the certificates that protect
the mail.

Managing Replication Facts


You should know the following facts about managing replication:
 Use Replication Monitor (Replmon) or Active Directory Sites and Services to
force replication (or repadmin /syncall from the command line).
 Replmon has an Update Automatically feature that allows you to specify how
often replication reports are refreshed.
 The Sysvol share replicates using the File Replication Service (this includes
things like group policy and logon scripts). Windows Server 2008 and later can
migrate Sysvol to DFS Replication.
 Replication uses RPC: the caller connects to the endpoint mapper on TCP port
135, which hands it a dynamically assigned port for the directory service.
Where a firewall sits between sites, pin that port with the "TCP/IP Port"
value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
 DCs must be able to contact each other for replication. This means they
need to have a valid network connection, valid IP address configuration, and
DNS must be available so the servers can locate each other (each DC's CNAME
record under _msdcs.<forest root>).
 You can use the Directory Service and the File Replication Service logs in
Event Viewer to monitor replication services.
You should also know the following facts about Replmon:
 Replmon allows you to perform the following administrative tasks:
o force synchronization between domain controllers.
o monitor domain controller replication.
o perform simultaneous monitoring of domain controllers in different forests.
 Replmon gives a graphical view of the topology.
 Replmon ships in the Windows Server 2003 Support Tools and must run on a
computer running Windows Server 2003 (or Windows XP with the tools installed);
it was dropped from Windows Server 2008, where repadmin and the Active
Directory PowerShell cmdlets take its place.
 You can start Replmon by entering Replmon at the command line.
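The checks a practitioner runs today instead of Replmon, as an added PowerShell example that is not part of the original notes. repadmin is in-box on every DC; the cmdlets need the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); DC1 is a placeholder:

```powershell
# Added example: replication health and forcing replication with in-box tools.

# Forest-wide summary: one line per DC with the largest delta and fail counts.
repadmin /replsummary

# Every inbound partner that has failed at least once, as objects you can filter.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# The same data through the AD module.
Import-Module ActiveDirectory
Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 } |
    Select-Object Server, Partner, Partition, ConsecutiveReplicationFailures, LastReplicationResult

# Force replication now (what "Replicate Now" in Sites and Services does):
# /A all partitions, /P push from DC1, /e include other sites, /d show DNs.
repadmin /syncall DC1 /APeD

# Is intersite replication held back by a link cost or interval?
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

A "Last Failure Status" of 8453 (replication access denied) or 1722 (RPC server unavailable) points at permissions or at the dynamic RPC port being blocked, respectively, and both are easier to spot in this filtered view than in the full /showrepl output.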

Tombstones and Garbage Collection


You should know the following facts about tombstones and garbage collection:
 When an object is deleted from the Active Directory database, it is stripped
of most of its attributes and moved to a hidden Deleted Objects container.
Objects in the Deleted Objects container are called tombstones. The tombstone
is what replicates the deletion to the other DCs.
 The default storage time for tombstones (the tombstone lifetime) is 60 days
in forests created with Windows 2000 or Windows Server 2003 without a service
pack, and 180 days in forests created with Windows Server 2003 SP1 or later;
an upgraded forest keeps the value it started with.
 Every 12 hours (default setting) a domain controller examines its Deleted
Objects container for tombstones that have exceeded the storage period.
 Objects beyond the storage period are removed in a process called garbage
collection.
 A DC that has not replicated for longer than the tombstone lifetime, or a
backup older than that, must not be brought back into the forest: it would
reintroduce objects the other DCs no longer remember as deleted (lingering
objects).

Global Catalogs and Universal Group Membership Caching


You should know the following facts about global catalogs and universal group
membership caching:
 A global catalog server needs to be contacted during logon (to expand the
user's universal group memberships and to resolve UPN logons). Place a global
catalog server in each site to speed up logon and to keep logon working when
the WAN link is down.
 A global catalog server also maintains universal group membership. Group
membership needs to be consulted during resource access.
 Only one server per site needs to be a global catalog server.
 Enabling the universal group membership caching feature for a site will let
users who are members of a universal group log on in the event of a WAN link
failure. If the only need is to obtain universal group membership information,
enabling this feature for a site is a better solution than creating a global
catalog server in the site.
 All servers in a site must be running Windows Server 2003 for universal group
membership caching to work.

Site License Facts


You should know the following facts about site licensing (Windows 2000 and
Windows Server 2003; the License Logging Service was removed in Windows Server
2008):
 Set up a site license server to monitor license
o Purchases.
o Deletions.
o Usage.
 The license logging service runs on each server within a site, collecting
information to send to the site license server.
 The information in the site license server database can be viewed using the
Licensing tool in Administrative Tools.
 By default, the site license server is the first domain controller created for a
site.
 The site license server does not have to be a domain controller.
Application Directory Partitions
Application directory partitions are used to store application data that does
not need to reach every domain controller, including dynamic objects. Most
information stored in Active Directory is relatively static, meaning that it
changes infrequently enough to allow it to be replicated across a domain with a
high degree of regularity. Dynamic objects, however, change more frequently
than they can be efficiently and effectively replicated. (Dynamic objects are
created with a time-to-live (TTL) value, which, when it expires, allows Active
Directory to delete the object without leaving a tombstone.)
Application directory partitions allow you to configure replication and replicas
to accommodate the unique requirements of such data. Where domain
partitions must replicate to all domain controllers in a domain, application
directory partitions replicate only to the domain controllers you enlist,
which can be in any domain of the forest.
For example, if the DNS service stores its zones in Active Directory the
Windows 2000 way, the DNS zone data is replicated to every domain controller
in the domain (because zone data is stored in the domain partition), even to
domain controllers that do not run the DNS server. If you put the DNS zone
data in an application directory partition (the DomainDnsZones and
ForestDnsZones partitions Windows Server 2003 creates for this), you can limit
replication to the DCs that run DNS.
Application directory partitions are not otherwise limited in the types of
data they can hold: they can hold any object type except security principals
(users, computers, and security groups). Objects in an application directory
partition operate under certain limitations, including the following:
 They cannot maintain DN-value references to objects in other application
directory or domain partitions. Neither can objects in other partitions maintain
DN-value references to objects in an application directory partition.
 They are not replicated to the Global Catalog. (A global catalog server can
be enlisted as a replica of an application directory partition, but it is
then just another replica; the data is not searchable through the GC port.)
 They cannot be moved to other application directory partitions outside the
partition in which they were created.

To create an application directory partition (on Windows Server 2003 the
Ntdsutil menu is called Domain management; on Windows Server 2008 and later it
is Partition management; you must be a member of Enterprise Admins):

1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Connections, then Connect to server [domain controller name], then
Quit.
4. Enter Create nc [distinguished name of the application directory partition]
[domain controller name] (NULL for the connected domain controller).

To delete an application directory partition:

1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management and connect to a domain controller as above.
3. Enter Delete nc [distinguished name of the application directory partition]

To add an application directory partition replica:

1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management and connect to a domain controller as above.
3. Enter Add nc replica [distinguished name of the application directory
partition] [domain controller name]

To remove an application directory partition replica:

1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management and connect to a domain controller as above.
3. Enter Remove nc replica [distinguished name of the application directory
partition] [domain controller name]
Technical Interview Questions – Active Directory
• What is Active Directory?
Active Directory (AD) is a technology created by Microsoft to provide
network services including LDAP directory services; Kerberos based
authentication, DNS naming, secure access to resources, and more

• What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is a directory service
protocol that runs directly over the TCP/IP stack

• Can you connect Active Directory to other 3rd-party Directory
Services? Name a few options.
Yes, you can connect Active Directory to other 3rd-party directory services
such as the directories used by SAP, Domino, etc. with the help of MIIS
(Microsoft Identity Integration Server), or use DirXML or LDAP to connect to
other directories (e.g. eDirectory from Novell).

• Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in
this folder. These are the main files controlling the AD structure: ntds.dit
(the database), edb.log (the current transaction log), res1.log and res2.log
(reserved log space), and edb.chk (the checkpoint). The related folder is
%systemroot%\SYSVOL, which holds the file-based policy data. ntds.dit contains
the password hashes, so copies of it (backups, install-from-media sets)
together with the SYSTEM registry hive need the same protection as the DC.

• What is the SYSVOL folder? SYSVOL is a shared folder (%systemroot%\SYSVOL,
which must be on an NTFS partition) on every domain controller that holds the
file-based part of Active Directory: the Group Policy templates (the
Policies\{GUID} folders with registry.pol, scripts and security templates),
logon/logoff scripts, and the NETLOGON share. It is replicated among domain
controllers by the File Replication Service (DFS Replication on Windows Server
2008 and later). It does not hold the directory database itself.

• Name the AD NCs and replication issues for each NC

*Schema NC, *Configuration NC, *Domain NC

Schema NC This NC is replicated to every other domain controller in the
forest. It contains information about the Active Directory schema, which in
turn defines the different object classes and attributes within Active
Directory.

Configuration NC Also replicated to every other DC in the forest, this NC
contains forest-wide configuration information pertaining to the physical
layout of Active Directory (sites, subnets, site links, partitions), as well
as information about display specifiers and forest-wide Active Directory
quotas.

Domain NC This NC is replicated to every other DC within a single Active
Directory domain. This is the NC that contains the most commonly-accessed
Active Directory data: the actual users, groups, computers, and
other objects that reside within a particular Active Directory domain.

• What are application partitions? When do I use them?

An application directory partition is a partition space in Active Directory
which an application can use to store that application's specific data. This
partition is then replicated only to some specific domain controllers. The
application directory partition can contain any type of data except security
principals (users, computers, groups).

Application directory partitions are usually created by the applications that
will use them to store and replicate data. For testing and troubleshooting
purposes, members of the Enterprise Admins group can manually create or manage
application directory partitions using the Ntdsutil command-line tool.

One of the benefits of an application directory partition is that, for
redundancy, availability, or fault tolerance, the data in it can be replicated
to different domain controllers in a forest.

• How do you create a new application partition?

The DnsCmd command is used to create a new DNS application directory
partition (Ntdsutil creates general-purpose ones). For example, to create a
partition named NewPartition.contoso.com on the domain controller
DC1.contoso.com, log on to the domain controller and type the following
command:

DnsCmd DC1 /CreateDirectoryPartition NewPartition.contoso.com
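An added PowerShell example, not part of the original notes, covering both the Ntdsutil procedures in the Application Directory Partitions section above and the DnsCmd form here: it lists the forest's application partitions with the DCs that hold replicas (read from the crossRef objects in the Partitions container), then creates a partition each way. Partition and server names are placeholders:

```powershell
# Added example: enumerate application directory partitions, then create one.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

Get-ADObject -SearchBase "CN=Partitions,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations' |
    Where-Object {
        # systemFlags bit 1 = NC hosted in this forest, bit 2 = domain NC;
        # schema and configuration are excluded by name. The rest are app partitions.
        ($_.systemFlags -band 1) -and -not ($_.systemFlags -band 2) -and
        ($_.nCName -notin @($root.schemaNamingContext, $root.configurationNamingContext))
    } |
    Select-Object @{ n = 'Partition'; e = { $_.nCName } },
                  @{ n = 'Replicas';  e = {
                      # each value is the DN of a DC's NTDS Settings object; keep the server CN
                      ($_.'msDS-NC-Replica-Locations' |
                          ForEach-Object { (($_ -split ',')[1]) -replace '^CN=', '' }) -join ', ' } }

# Creating one with Ntdsutil. On Windows Server 2003 the menu is "domain
# management", on 2008 and later "partition management"; NULL means "on the
# DC I am connected to".
ntdsutil "partition management" connections "connect to server DC1" quit `
    "create nc DC=AppData,DC=contoso,DC=com NULL" quit quit

# DNS application partitions have their own shortcut with the same effect,
# and enlisting a second DC is what "add nc replica" does for a DNS partition.
dnscmd DC1 /CreateDirectoryPartition appdns.contoso.com
dnscmd DC2 /EnlistDirectoryPartition appdns.contoso.com
```

Run the enumeration after any change: a partition with a single replica is a single point of failure for whatever application stores its data there.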

• How do you view replication properties for AD partitions and DCs?

With Replication Monitor (Start > Run > replmon) for a graphical view, or with
repadmin at a command prompt: repadmin /showrepl lists each partition's
inbound partners and their last result, and repadmin /replsummary gives a
forest-wide summary.

• What is the Global Catalog?


The global catalog contains a complete replica of all objects in Active
Directory for its Host domain, and contains a partial replica of all objects
in Active Directory for every other domain in the forest.

• How do you view all the GCs in the forest?

C:\>repadmin /showrepl domain_controller
(the DSA Options line reads IS_GC on a global catalog server)
OR
You can use Replmon.exe for the same purpose.
OR
Active Directory Sites and Services (the NTDS Settings properties of each
server), or DNS: nslookup gc._msdcs.<forest root domain> returns the addresses
of all global catalog servers.

To find the GCs from the command line you can use the DSQUERY command:
dsquery server -forest -isgc
lists all the GCs in the forest.

• Why not make all DCs in a large forest GCs?

The reason that all DCs are not GCs by default is that in large (or even giant)
forests every DC would then have to hold a partial copy of every object in the
entire forest, which could be quite large and quite a replication burden. For
a few hundred, or even a few thousand users, this is not likely to matter
unless you have really poor WAN links. The other historical reason is the
infrastructure master: in a multi-domain forest it must not sit on a GC unless
every DC in the domain is a GC. Forests where every DC is a GC sidestep that
rule, and that is now the usual recommendation.

• Trying to look at the Schema, how can I do that?

Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add/Remove Snap-in --> add Active Directory Schema
Save the console as schema.msc
Open Administrative Tools --> schema.msc

• What are the Support Tools? Why do I need them?

The Windows Support Tools (installed from Support\Tools\suptools.msi on the
Windows Server 2003 CD; most of them became in-box tools in Windows Server
2008) are the tools used for performing the complicated tasks easily. You need
them because you cannot properly manage an Active Directory network without
them.
Here they are; it would do you well to familiarize yourself with all of them:
Acldiag.exe, Adsiedit.msc, Bitsadmin.exe, Dcdiag.exe, Dfsutil.exe,
Dnslint.exe, Dsacls.exe, Iadstools.dll, Ktpass.exe, Ldp.exe, Netdiag.exe,
Netdom.exe, Ntfrsutl.exe, Portqry.exe, Repadmin.exe, Replmon.exe, Setspn.exe

• What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM?
What is REPADMIN?

Ldp.exe is a graphical LDAP client from the Support Tools. You use it to bind
to a domain controller (anonymously, with a named account, or as the current
user), browse the tree, run searches with your own LDAP filters, view every
attribute of an object including the ones the management consoles hide, and
add, modify or delete entries. It is the tool for checking exactly what an
LDAP bind or query returns, for example what an anonymous or low-privilege
account can read.

Replmon is the first tool you should use when troubleshooting Active
Directory replication issues. As it is a graphical tool, replication issues
are easy to see and somewhat easier to diagnose than using its command
line counterparts.

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a
low-level editor for Active Directory. It is a Graphical User Interface
(GUI) tool. Network administrators can use it for common administrative
tasks such as adding, deleting, and moving objects within a directory
service. The attributes for each object can be edited or deleted by using
this tool. ADSIEdit uses the ADSI application programming interfaces
(APIs) to access Active Directory. The following are the required files for
using this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory
environment and Microsoft Management Console (MMC) is necessary.

NETDOM is a command-line tool that allows management of Windows
domains and trust relationships. It is used for batch management of
trusts, joining computers to domains, verifying trusts, and resetting secure
channels.
REPADMIN.EXE is a command line tool used to monitor and troubleshoot
replication on a computer running Windows. It allows you to view the
replication topology as seen from the perspective of each domain controller,
to force replication, and to report failures.

• What are sites? What are they used for?


Sites in Active Directory represent the physical structure, or topology, of
your network. Active Directory uses topology information, stored as site
and site link objects in the directory, to build the most efficient
replication topology. You use Active Directory Sites and Services to define
sites and site links. A site is a set of well-connected subnets. Sites differ
from domains; sites represent the physical structure of your network,
while domains represent the logical structure of your organization

• What's the difference between a site link's schedule and interval?

The schedule lists the weekdays and hours when the site link is available for
replication. The interval is how often intersite replication happens within
those available hours, in minutes. It ranges from 15 to 10,080 minutes (one
week). The default interval is 180 minutes.

• What is the KCC?


The Knowledge Consistency Checker (KCC) is an Active Directory
component that is responsible for the generation of the replication
topology between domain controllers

• What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is the domain controller in each site
whose KCC builds the intersite part of the replication topology (the
connection objects between sites) and selects the site's bridgehead servers.
By default the first domain controller in a site holds the role. If that
server can no longer perform the role, the domain controller with the next
highest GUID takes over as ISTG.

• What are the requirements for installing AD on a new server?

• An NTFS partition with enough free space (250MB minimum)
• An Administrator's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and, optionally, a
default gateway)
• A network connection (to a hub or to another computer via a
crossover cable)
• An operational DNS server (which can be installed on the DC itself)
• A domain name that you want to use
• The Windows 2000 or Windows Server 2003 CD media (or at least
the i386 folder)

• What can you do to promote a server to DC if you're in a remote
location with slow WAN link?
Use Install from Media, first available in Windows Server 2003: take a system
state backup of an existing DC, restore it to a folder on the new remote
server (on Windows Server 2008 and later, ntdsutil "ifm" creates the media
directly), and run "Dcpromo /adv". You will be prompted for the location of
the system state files, and only the changes since the backup are replicated
over the WAN. Treat the media like the DC itself: it contains the directory
database and its password hashes.

• How can you forcibly remove AD from a server, and what do you do
later?
• Demote the server using dcpromo /forceremoval, then remove the demoted
server's metadata from Active Directory using ntdsutil (metadata cleanup) so
the other domain controllers stop trying to replicate with it. Seize any FSMO
roles the server held, and delete its DNS records, computer account and server
object if they are left behind.
• Another way out, if dcpromo /forceremoval itself fails:
• Restart the DC in DSRM mode.
• a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
• b. In the right pane, double-click ProductType.
• c. Type ServerNT in the Value data box, and then click OK.
• Restart the server in normal mode.
• It is a member server now, but the AD entries are still there. Promote the
server to a throwaway domain, say ABC.com, and then remove it gracefully using
DCpromo. Otherwise, after the restart you can also use ntdsutil to do the
metadata cleanup as described above. The registry edit is an unsupported last
resort, and the rest of the forest needs the metadata cleanup either way.
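The clean-up that follows a forced demotion, as an added PowerShell example that is not part of the original notes, run on a surviving domain controller. DC2 is the healthy DC, DC1 the one that was force-removed, HQ its site and 10.0.0.11 its old address; all are placeholders. The single-command "remove selected server <DN>" form is the Windows Server 2008 and later syntax; Windows Server 2003 needs the interactive list/select steps of the same menu:

```powershell
# Added example: metadata cleanup and the leftovers to check afterwards.

# 1. Remove DC1's NTDS Settings object. On 2008+ ntdsutil also removes the
#    FRS/DFSR member, the computer account and the server object it knows about.
ntdsutil "metadata cleanup" connections "connect to server DC2" quit `
    "remove selected server CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit

# 2. Make sure DC1 held no FSMO role; anything still listed on DC1 must be seized
#    (ntdsutil "roles"), never transferred, since DC1 will not come back.
netdom query fsmo

# 3. Leftovers: connection objects that still name DC1, DNS records that point at
#    it, and its computer account (DnsServer module: Windows Server 2012+).
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer `
    -SearchBase (Get-ADRootDSE).configurationNamingContext |
    Where-Object { $_.fromServer -like '*CN=DC1,*' }
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -ComputerName DC2 |
    Where-Object { "$($_.RecordData.IPv4Address)" -eq '10.0.0.11' -or
                   "$($_.RecordData.DomainName)" -like 'dc1.*' }
Get-ADComputer -Identity DC1 -ErrorAction SilentlyContinue

# 4. Confirm no DC still lists DC1 as a replication source.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Source DSA' -eq 'DC1' }
```

Until step 1 is done, every other DC keeps a connection object for DC1 and logs replication failures against it, and the stale entries under _msdcs keep handing clients a DC that no longer exists; that is why the cleanup, not the demotion, is the step that ends the outage.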

• Can I get user passwords from the AD database?

There is no way to get user passwords from AD that I am aware of, but you
should still be able to change them.

• What tool would I use to try to grab security related packets from the
wire?
A packet sniffer. Ethereal (www.ethereal.com, renamed Wireshark in 2006) is
the usual choice; Microsoft Network Monitor is the built-in alternative. On a
domain controller the security-relevant traffic is Kerberos (TCP/UDP 88, plus
464 for password changes), LDAP (389 and 636, and 3268/3269 for the global
catalog), SMB (445) and RPC, so capture with a filter on those ports. The same
capability is what an attacker on the segment would use to harvest
authentication traffic, which is why sniffer-detecting tools are run to find
unauthorised sniffers on the network.

• Name some OU design considerations.
OU design requires balancing requirements for delegating administrative
rights - independent of Group Policy needs - and the need to scope the
application of Group Policy. The following OU design recommendations
address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory
container to which you can assign Group Policy settings.
Delegating administrative authority: group the objects that one team
administers under one OU so that rights can be granted on the OU rather
than on individual objects, and keep nesting shallow (usually no more than
3 OU levels), since every level adds Group Policy inheritance to evaluate
and ACLs to audit.
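The delegation that the OU design is meant to enable, shown as an added example (not from the original page): grant one help-desk group the right to reset passwords on the users under one OU, and read back the resulting ACL. The OU name OU=HelpDeskManaged,DC=example,DC=com and the group EXAMPLE\HelpDesk are assumed; dsacls is the built-in tool (Support Tools on Windows Server 2003, in the box from 2008).

```powershell
# Added example, not code from the original page. Assumed names:
# OU=HelpDeskManaged,DC=example,DC=com and the group EXAMPLE\HelpDesk.
function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,    # the OU that scopes the delegation
        [Parameter(Mandatory)][string]$Group    # DOMAIN\group that receives the rights
    )
    # /I:S  = inherit to sub-objects only (the OU object itself gets nothing)
    # ;user = apply only to user objects below the OU, not to groups or computers
    # CA;Reset Password = the "Reset Password" control-access right
    dsacls $OuDn /I:S /G "${Group}:CA;Reset Password;user"
    # Write to pwdLastSet lets the delegate tick "User must change password at next logon"
    dsacls $OuDn /I:S /G "${Group}:WP;pwdLastSet;user"
}

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn)
    # dsacls with no switches dumps the ACL; keep the ACE lines, which start with Allow/Deny
    dsacls $OuDn | Where-Object { $_ -match '^(Allow|Deny)\s' }
}

Grant-PasswordResetDelegation -OuDn 'OU=HelpDeskManaged,DC=example,DC=com' -Group 'EXAMPLE\HelpDesk'
Get-OuDelegation -OuDn 'OU=HelpDeskManaged,DC=example,DC=com'
```

Because the ACE is written on the OU with inheritance, every user moved into the OU later is covered automatically and nothing has to be granted on the user objects themselves; that is why the depth of the OU tree matters, since an ACE three levels up is easy to forget when auditing who can reset whose password.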

• What is tombstone lifetime attribute? The number of days before a
deleted object is removed from the directory service. This assists in
removing objects from replicated servers and prevents restores from
reintroducing a deleted object: a backup older than the tombstone lifetime
cannot be restored. The value is the tombstoneLifetime attribute of the
Directory Service object in the configuration naming context
(CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...);
if the attribute is not set, the effective value is 60 days.
Default Tombstone Lifetime for New Active Directory Forests (the value is
set when the forest is created and is not changed by later upgrades or
service packs):
Operating System                        Default Tombstone Lifetime
Windows 2000 Server                     60 days
Windows Server 2003 (no service pack)   60 days
Windows Server 2003 SP1                 180 days
Windows Server 2003 R2                  60 days
Windows Server 2003 SP2                 180 days
Windows Server 2008                     180 days

• What do you do to install a new Windows 2003 DC in a Windows 2000
AD? If you plan to install Windows Server 2003 domain controllers into an
existing Windows 2000 domain or upgrade Windows 2000 domain
controllers to Windows Server 2003, you first need to run the Adprep.exe
utility on the Windows 2000 domain controllers currently holding the
schema master and infrastructure master roles. The adprep /forestprep
command must first be issued on the Windows 2000 server holding the schema
master role in the forest root domain (by a member of both Schema Admins
and Enterprise Admins) to prepare the existing schema to support Windows
2003 Active Directory. After the schema changes have replicated, the adprep
/domainprep command must be issued on the server holding the
infrastructure master role in each domain where a Windows Server 2003
domain controller will be deployed.

• What do you do to install a new Windows 2003 R2 DC in a Windows
2003 AD? If you're installing Windows 2003 R2 on an existing Windows
2003 server with SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and the r2auto.exe will display the Windows 2003
R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade
the schema to the R2 version (this is a minor change and mostly related
to the new DFS replication engine). To update the schema, run the
Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the
second CD-ROM. Before running this command, ensure all DCs are
running Windows 2003 or Windows 2000 with SP2 (or later). Here's a
sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest
should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or
to Windows 2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
For more information about preparing your forest and domain see KB article
Q331161 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and
press ENTER to quit.

C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:

1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure
shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen,
click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your
existing Windows 2003 keys) if the underlying OS wasn't installed from R2
media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key
and click Next. Note: The license key entered for R2 must match the
underlying OS type, which means if you installed Windows 2003 using a
volume-license version key, then you can't use a retail or Microsoft
Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be
performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box.
Click Finish.

• How would you find all users that have not logged on since last
month?
Using only native commands, JSILLD.bat produces a sorted, formatted
report of users who have not logged on since YYYYMMDD.
The report is sorted by user name and lists the user's full name and last
logon date.
The syntax for using JSILLD.bat is:
JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never
logged on.
Note that "net user /domain" performs its queries on the PDC emulator, and
the lastLogon attribute it reports is not replicated, so the date reflects
only logons that DC itself handled.
JSILLD.bat contains:

@echo off
setlocal
:: JSILLD.bat - report domain users who have not logged on since a given date.
:: Usage: JSILLD OutputFile yyyymmdd [/N]
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
:: Validate the yyyymmdd argument piece by piece (string comparisons).
set dte=%2
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
:: "net user /domain" prints user names in three 25-character columns; skip the
:: four header lines, the dashed separator and the trailing status line.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do call :parse "%%i"
endlocal
goto :EOF
:parse
:: Strip the surrounding quotes, then pull each 25-character column out of the row.
:: All spaces are removed, so user names that contain spaces are not supported.
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
:: Called once per output line of "net user <name> /domain"; only the
:: "Full Name" and "Last logon" lines matter. Values start at column 29.
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
:: Split "M/D/YYYY h:mm AM" into month, day and year; the time tokens are ignored.
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
:: Normalise two-digit years: 93-99 become 19xx, 00-92 become 20xx.
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
:: Zero-pad month and day so the yyyymmdd string compares correctly.
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
:: Pad the columns to fixed widths and append one line to the output file.
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
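The same report produced by an LDAP query instead of by scraping "net user", as an added example that is not part of the original page. It uses lastLogonTimestamp, the replicated copy of the last logon time, through System.DirectoryServices, so it needs no AD PowerShell module and runs on any domain-joined Windows host; the search base defaults to the current domain and no other names are assumed.

```powershell
# Added example, not code from the original page. Runs on a domain-joined host.
function Get-UsersNotLoggedOnSince {
    param(
        [Parameter(Mandatory)][datetime]$Since,    # report users with no logon since this date
        [switch]$SkipNeverLoggedOn,                # same meaning as JSILLD's /N
        [string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01 UTC), so the
    # LDAP comparison is done against that integer form of the cutoff date.
    $cutoff = $Since.ToFileTimeUtc()
    $isUser = '(objectCategory=person)(objectClass=user)'
    $stale  = "(lastLogonTimestamp<=$cutoff)"
    $never  = '(!(lastLogonTimestamp=*))'
    $filter = if ($SkipNeverLoggedOn) { "(&$isUser$stale)" } else { "(&$isUser(|$stale$never))" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000        # paged search, so more than 1000 hits come back
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'displayName', 'lastLogonTimestamp', 'userAccountControl'))

    foreach ($result in $searcher.FindAll()) {
        $p  = $result.Properties       # property names come back lower-cased
        $ts = $p['lastlogontimestamp']
        $last = if ($ts.Count -gt 0) { [datetime]::FromFileTimeUtc([int64]$ts[0]) } else { $null }
        $full = if ($p['displayname'].Count -gt 0) { [string]$p['displayname'][0] } else { '' }
        [pscustomobject]@{
            UserName  = [string]$p['samaccountname'][0]
            FullName  = $full
            LastLogon = $last          # $null = never logged on since the attribute existed
            Disabled  = ([int]$p['useraccountcontrol'][0] -band 0x2) -ne 0   # ACCOUNTDISABLE bit
        }
    }
}

# Same report as "JSILLD out.txt 20091001": everyone with no logon in the last month
Get-UsersNotLoggedOnSince -Since (Get-Date).AddMonths(-1) |
    Sort-Object UserName |
    Format-Table UserName, FullName, LastLogon, Disabled -AutoSize
```

Two caveats when reading the result. lastLogonTimestamp is replicated to every DC, but a DC only rewrites it when the stored value is more than 9 to 14 days old, so the cutoff is accurate to about two weeks; lastLogon, which "net user" reports, is exact but is held per DC and never replicated. Accounts that show an empty LastLogon have not logged on since the attribute was introduced (Windows Server 2003 domain functional level) and are the ones the /N switch of the batch file skips.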

• What are the DS* commands?
New DS (Directory Service) family of built-in command line utilities for
Windows Server 2003 Active Directory.

The DS (Directory Service) group of commands are split into two
families. In one branch are DSadd, DSmod, DSrm and DSmove and in the
other branch are DSquery and DSget.

When it comes to choosing a scripting tool for Active Directory objects,
you really are spoilt for choice. The DS family of built-in command
line executables offer alternative strategies to CSVDE, LDIFDE and
VBScript.

Let me introduce you to the members of the DS family:

DSadd - add Active Directory objects such as users, groups, computers and OUs
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate or rename objects
DSquery - find objects that match your query attributes
DSget - list the properties of an object
DS Syntax
These DS tools have their own command structure which you can split
into five parts:

1 Tool   2 object   3 "DN" (the LDAP distinguished name)   4 -switch   5 value
For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba

This will add a user called Billy to the Managers OU and set the password
to cX49pQba. Note that a password typed on the command line is visible in
the console history and to anyone listing processes; use -pwd * to be
prompted for it instead.

Here are some of the common DS switches which work with DSadd and
DSmod:
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (SAM
account name).
The best way to learn about this DS family is to logon at
a domain controller and experiment from the command line. I have
prepared examples of the two most common programs. Try some sample
commands for DSadd.
Two most useful tools: DSquery and DSget
DSquery and DSget remind me of UNIX commands in that they
operate at the command line, use powerful verbs, and produce plenty of
action. One pre-requisite for getting the most from this DS family is a
working knowledge of LDAP.

If you need to query users or computers from a range of OUs and then
return information, for example office, department or manager, then
DSquery and DSget would be your tools of choice: the DNs that DSquery
finds are piped into DSget, which prints the requested attributes.
Moreover, you can export the information into a text file.
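A worked DSquery-into-DSget pipeline, added here as an example and not taken from the original page: find every account whose password is older than N days and report whether it is set to never expire or is disabled. Only the built-in DS tools are used, so it runs on any Windows Server 2003 or later DC (or a host with the admin tools installed); no domain or account names are assumed.

```powershell
# Added example, not code from the original page. Needs dsquery/dsget on the path.
function Get-StalePasswordUsers {
    param([int]$Days = 90)
    # dsquery prints one quoted DN per line; -limit 0 lifts the default cap of 100 hits
    $dns = dsquery user -stalepwd $Days -limit 0
    if (-not $dns) { return }

    # dsget reads DNs from stdin and prints a header row, one row per DN and a
    # trailing "dsget succeeded" line. Columns are mapped by header name rather
    # than by position so the order of the switches does not matter.
    $lines  = @($dns | dsget user -samid -pwdneverexpires -disabled)
    $header = @(($lines[0] -split '\s+') | Where-Object { $_ })
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $cols = @(($line -split '\s+') | Where-Object { $_ })
        if ($cols.Count -ne $header.Count) { continue }   # skips "dsget succeeded"
        $row = @{}
        for ($i = 0; $i -lt $header.Count; $i++) { $row[$header[$i]] = $cols[$i] }
        [pscustomobject]@{
            SamAccountName  = $row['samid']
            PwdNeverExpires = $row['pwdneverexpires'] -eq 'yes'
            Disabled        = $row['disabled'] -eq 'yes'
        }
    }
}

# The accounts worth chasing: enabled, old password, and exempt from expiry
Get-StalePasswordUsers -Days 90 |
    Where-Object { $_.PwdNeverExpires -and -not $_.Disabled } |
    Sort-Object SamAccountName
```

The split-on-whitespace parsing drops any row whose SAM account name itself contains a space (the column count no longer matches the header), so such accounts have to be checked by hand. dsquery user also offers -inactive N (weeks without a logon, derived from lastLogonTimestamp) and -disabled, which slot into the same pipeline.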

• What's the difference between LDIFDE and CSVDE? Usage
considerations?

Ldifde

Ldifde creates, modifies, and deletes directory objects on computers
running Windows Server 2003 operating systems or Windows XP Professional.
You can also use Ldifde to extend the schema, export Active Directory user and
group information to other applications or services, and populate Active
Directory with data from other directory services.

The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file
format that may be used for performing batch operations against directories
that conform to the LDAP standards. LDIF can be used to export and import
data, allowing batch operations such as add, modify and delete to be
performed against Active Directory. The LDIFDE utility, included since
Windows 2000, supports batch operations based on the LDIF file format
standard, which makes it the tool to use when migrating data between
directories.

Csvde

Imports and exports data from Active Directory Domain Services (AD DS) using
files that store data in the comma-separated value (CSV) format. You can also
support batch operations based on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008 in
the %SystemRoot%\System32 folder. It is available if you have the AD DS or
Active Directory Lightweight Directory Services (AD LDS) server role installed.
To use csvde, you must run the csvde command from an elevated command prompt.
To open an elevated command prompt, click Start, right-click Command Prompt,
and then click Run as administrator.

DIFFERENCE USAGE WISE

Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in
the SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is
similar to Ldifde.exe, but it extracts information in a comma-separated value
(CSV) format. You can use Csvde to import and export Active Directory data
that uses the comma-separated value format. Use a spreadsheet program such
as Microsoft Excel to open this .csv file and view the header and value
information. See Microsoft Excel Help for information about functions such
as Concatenate that can simplify the process of building a .csv file.
Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation:
it can only import (add) and export Active Directory data by using a
comma-separated format (.csv); it cannot modify or delete existing objects.
Microsoft recommends that you use the Ldifde utility for Modify or Delete
operations. Additionally, the distinguished name (also known as DN) of the
item that you are trying to import must be in the first column of the .csv
file or the import will not work. Neither tool exports passwords: the
unicodePwd attribute is not readable over LDAP.

The source .csv file can come from an Exchange Server directory export.
However, because of the difference in attribute mappings between the
Exchange Server directory and Active Directory, you must make some
modifications to the .csv file. For example, a directory export from Exchange
Server has a column that is named "obj-class" that you must rename to
"objectClass." You must also rename "Display Name" to "displayName."
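The two tools side by side, as an added example that is not part of the original page: the operation csvde cannot perform (a modify) written as an LDIF change record and applied with ldifde, followed by a scoped csvde export that a spreadsheet or Import-Csv can read. The user CN=Jane Doe,OU=Sales,DC=example,DC=com, the OU and the DC name dc1.example.com are assumed.

```powershell
# Added example, not code from the original page. Assumed names: dc1.example.com,
# OU=Sales,DC=example,DC=com and the user CN=Jane Doe in that OU.
$dc   = 'dc1.example.com'
$user = 'CN=Jane Doe,OU=Sales,DC=example,DC=com'

# LDIF change record: a DN, a changetype, then one operation per block separated
# by "-" and a blank line to end the record. This sets the description and
# forces a password change at next logon (pwdLastSet = 0), which csvde cannot do.
$ldif = @"
dn: $user
changetype: modify
replace: description
description: Contractor, access reviewed 2010-06-30
-
replace: pwdLastSet
pwdLastSet: 0
-

"@
Set-Content -Path .\modify-jane.ldf -Value $ldif -Encoding ASCII

# -i import, -k keep going past "already exists" / "no such attribute" errors,
# -s target DC, -f the LDIF file
ldifde -i -k -s $dc -f .\modify-jane.ldf

# csvde only exports and adds: pull SAM name and account flags for every user
# under one OU (-d search root, -r LDAP filter, -l attribute list)
csvde -s $dc -f .\sales-users.csv -d 'OU=Sales,DC=example,DC=com' `
      -r '(&(objectCategory=person)(objectClass=user))' `
      -l 'sAMAccountName,userAccountControl,pwdLastSet'

# Read the export back; userAccountControl bit 0x2 marks disabled accounts
Import-Csv .\sales-users.csv | ForEach-Object {
    [pscustomobject]@{
        User     = $_.sAMAccountName
        Disabled = ([int]$_.userAccountControl -band 0x2) -ne 0
    }
}
```

The export is the usual way to hand an account list to a spreadsheet; the .ldf is the reviewable, replayable form of a bulk change, which is the reason Microsoft steers modify and delete work to ldifde.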

• What are the FSMO roles? Who has them by default? What happens
when each one fails?
FSMO stands for Flexible Single Master Operation. There are five roles:
• Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is
replicated from the schema master to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema
master. There can be only one schema master in the whole forest.
• Domain naming master:
The domain naming master domain controller controls the addition or
removal of domains in the forest. This DC is the only one that can add or
remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one
domain naming master in the whole forest.
• Infrastructure Master:
When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID (for
references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller
acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain
controller that is not a Global Catalog server (GC). If the Infrastructure
Master runs on a Global Catalog server it will stop updating object
information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial
replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that
effect will be logged on that DC's event log. If all the domain controllers
in a domain also host the global catalog, all the domain controllers have
the current data, and it is not important which domain controller holds
the infrastructure master role.
• Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all
domain controllers in a particular domain. When a DC creates a security
principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all
SIDs created in a domain), and a relative ID (RID) that is unique for each
security principal SID created in a domain. Each DC in a domain is
allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's
RID master. The domain RID master responds to the request by retrieving
RIDs from the domain's unallocated RID pool and assigns them to the pool
of the requesting DC. At any one time, there can be only one domain
controller acting as the RID master in the domain.
• PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise.
Windows 2000/2003 includes the W32Time (Windows Time) time service
that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time.
The purpose of the time service is to ensure that the Windows Time
service uses a hierarchical relationship that controls authority and does
not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC
emulator at the root of the forest becomes authoritative for the
enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of
domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains
the following functions:
• Password changes performed by other DCs in the domain are
replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of
an incorrect password are forwarded to the PDC emulator before a bad
password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always done from
the GPO copy found in the PDC Emulator's SYSVOL share, unless
configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft
Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows
NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all
workstations, member servers, and domain controllers that are running
Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The
PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.

• What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation
Master method called FSMO (Flexible Single Master Operation), as
described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of
them) in the same spot (or actually, on the same DC) as has been
configured by the Active Directory installation process. However, there are
scenarios where an administrator would want to move one or more of the
FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows
2000 version when dealing with FSMO placement. In this article I will only
deal with Windows Server 2003 Active Directory, but you should bear in
mind that most considerations are also true when planning Windows 2000
AD FSMO roles.
The placement rules from Microsoft's guidance (KB 223346), in short: keep
the schema master and domain naming master together on one DC in the
forest root domain (in a Windows 2000 forest the domain naming master must
also be a global catalog); keep the PDC emulator and RID master together on
a well-connected, well-monitored DC, since these are the two roles whose
loss is noticed within hours; put the infrastructure master on a DC that is
not a global catalog unless every DC in the domain is one; and designate a
second DC in the same site, with a direct replication connection to each
role holder, as the standby.

• I want to look at the RID allocation table for a DC. What do I do?
Install the Support Tools from the OS disk (Support\Tools\suptools.msi on
the installation CD).

At a command prompt type dcdiag /test:ridmanager /s:system1 /v (system1 is
the name of our DC). The verbose output shows the RID pool currently
allocated to that DC, the next pool it has been given, and the unallocated
pool remaining on the RID master.

• What's the difference between transferring a FSMO role and seizing
one? Which one should you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only be attempted if
the existing server with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is
temporarily unavailable, DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect
the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema
Master must be completely reformatted and the operating system must be
cleanly installed, if you intend to return this computer to the network.

NOTE: The Boot Partition contains the system files (\System32). The System
Partition is the partition that contains the startup files, NTDetect.com, NTLDR,
Boot.ini, and possibly Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles
to the first domain controller in the forest root domain. The first domain
controller in each new child or tree domain is assigned the three domain-wide
roles. Domain controllers continue to own FSMO roles until they are reassigned
by using one of the following methods:
• An administrator reassigns the role by using a GUI administrative tool.
• An administrator reassigns the role by using the ntdsutil /roles
command.
• An administrator gracefully demotes a role-holding domain controller by
using the Active Directory Installation Wizard. This wizard reassigns any
locally-held roles to an existing domain controller in the forest.
Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by
an administrator.

We recommend that you transfer FSMO roles in the following scenarios:
• The current role holder is operational and can be accessed on the
network by the new FSMO owner.
• You are gracefully demoting a domain controller that currently owns
FSMO roles that you want to assign to a specific domain controller in your
Active Directory forest.
• The domain controller that currently owns FSMO roles is being taken
offline for scheduled maintenance and you need specific FSMO roles to be
assigned to a "live" domain controller. This may be required to perform
operations that connect to the FSMO owner. This would be especially true
for the PDC Emulator role but less true for the RID master role, the
Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:
• The current role holder is experiencing an operational error that
prevents an FSMO-dependent operation from completing successfully and
that role cannot be transferred.
• A domain controller that owns an FSMO role is force-demoted by using
the dcpromo /forceremoval command.
• The operating system on the computer that originally owned a specific
role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest
gain full knowledge of changes that are made by FSMO-holding domain
controllers. If you must transfer a role, the best candidate domain
controller is one that is in the appropriate domain and that last
inbound-replicated, or recently inbound-replicated, a writable copy of the
"FSMO partition" from the existing role holder. For example, the Schema
master role holder has a distinguished name path of
CN=schema,CN=configuration,dc=<forest root domain>, which means the role
resides in and is replicated as part of the CN=schema partition. If the
domain controller that holds the Schema master role experiences a hardware
or software failure, a good candidate role holder would be a domain
controller in the root domain and in the same Active Directory site as the
current owner. Domain controllers in the same Active Directory site
replicate a change within 5 minutes (Windows 2000) or 15 seconds (Windows
Server 2003 forest functional level) of it being made.

The partition for each FSMO role is in the following list:

FSMO role              Partition
Schema                 CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master   CN=configuration,DC=<forest root domain>
PDC                    DC=<domain>
RID                    DC=<domain>
Infrastructure         DC=<domain>

A domain controller whose FSMO roles have been seized should not be
permitted to communicate with existing domain controllers in the forest. In
this scenario, you should either format the hard disk and reinstall the operating
system on such domain controllers or forcibly demote such domain controllers
on a private network and then remove their metadata on a surviving domain
controller in the forest by using the ntdsutil /metadata cleanup command. The
risk of introducing a former FSMO role holder whose role has been seized into
the forest is that the original role holder may continue to operate as before
until it inbound-replicates knowledge of the role seizure. Known risks of two
domain controllers owning the same FSMO roles include creating security
principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-
based member computer or domain controller that is located in the forest
where FSMO roles are being transferred. We recommend that you log on
to the domain controller that you are assigning FSMO roles to. The logged-
on user should be a member of the Enterprise Administrators group to
transfer Schema master or Domain naming master roles, or a member of
the Domain Administrators group of the domain where the PDC emulator,
RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the
Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where
servername is the name of the domain controller you want to assign the
FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to
transfer. For a list of roles that you can transfer, type ? at the fsmo
maintenance prompt, and then press ENTER, or see the list of roles at the
start of this article. For example, to transfer the RID master role, type
transfer rid master. The one exception is for the PDC emulator role,
whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER
to gain access to the ntdsutil prompt. Type q, and then press ENTER to
quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based
member computer or domain controller that is located in the forest
where FSMO roles are being seized. We recommend that you log on to the
domain controller that you are assigning FSMO roles to. The logged-on
user should be a member of the Enterprise Administrators group to
seize the schema or domain naming master roles, or a member of the
Domain Administrators group of the domain where the PDC emulator, RID
master and the Infrastructure master roles are being seized.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where
servername is the name of the domain controller that you want to assign
the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For
a list of roles that you can seize, type ? at the fsmo maintenance prompt,
and then press ENTER, or see the list of roles at the start of this article.
For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not
seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER
to gain access to the ntdsutil prompt. Type q, and then press ENTER to
quit the Ntdsutil utility.
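The transfer and seize procedures above, plus the metadata cleanup that a force-demoted or dead DC requires, written out as an added example that is not part of the original page. ntdsutil accepts its interactive commands as command-line arguments, so each call below is one complete session. The failed DC DC2 (site Default-First-Site-Name), the surviving DC DC1.example.com and the domain example.com are assumed names.

```powershell
# Added example, not code from the original page. Assumed names: DC2 (failed),
# DC1.example.com (survivor), domain example.com, site Default-First-Site-Name.
$survivor = 'DC1.example.com'
$deadDn   = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# 1. Seize the roles DC2 held onto DC1. "seize" first attempts a transfer and
#    falls back to seizure; each role raises a confirmation dialog. List only
#    the roles DC2 actually held; add 'schema master' and 'domain naming master'
#    only if it was the forest-root holder of those.
foreach ($role in @('pdc', 'rid master', 'infrastructure master')) {
    ntdsutil roles connections "connect to server $survivor" quit "seize $role" quit quit
}

# 2. Remove DC2's NTDS Settings object, server object and replication links
#    (Windows Server 2003 SP1+ syntax: giving the DN replaces the list/select steps).
#    From this point DC2 must never be reconnected to the network: it still
#    believes it owns the roles until it inbound-replicates the seizure.
ntdsutil 'metadata cleanup' connections "connect to server $survivor" quit "remove selected server $deadDn" quit quit

# 3. Verify: every role has a live owner and DC2 is gone from the topology
netdom query fsmo                     # Support Tools on 2003, built in from 2008
repadmin /showrepl $survivor          # DC2 must not appear as an inbound partner
dsquery server -forest                # DC2's server object must be absent
```

On Windows Server 2003 before SP1 the DN form is not available and "remove selected server" has to be preceded by the select operation target / list domains / list sites / list servers in site / select server N sequence; in either version, stale DNS records for DC2 (SRV records and its A record) and its FRS member object under CN=File Replication Service,CN=System are left behind and are removed by hand.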

Notes
o Under typical conditions, all five roles must be assigned to "live"
domain controllers in the forest. If a domain controller that owns a
FSMO role is taken out of service before its roles are transferred,
you must seize all of its roles to an appropriate and healthy domain
controller. We recommend that you only seize roles when the
other domain controller is not returning to the domain. If it is
possible, fix the broken domain controller that is assigned the FSMO
roles. You should determine which roles are to be on which
remaining domain controllers so that each of the five roles is
assigned to exactly one live domain controller. For more information
about FSMO role placement, click the following article number to view
the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and
optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not
present in the domain and if it has had its roles seized by using the
steps in this article, remove it from the Active Directory by
following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498
(http://support.microsoft.com/kb/216498/ ) How to remove data in
active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000
version or the Windows Server 2003 build 3790 version of the
ntdsutil /metadata cleanup command does not relocate FSMO roles
that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates
this task and removes additional elements of domain controller
metadata.
o Some customers prefer not to restore system state backups of
FSMO role-holders in case the role has been reassigned since the
backup was made.
o Do not put the Infrastructure master role on the same domain
controller as the global catalog server. If the Infrastructure master
runs on a global catalog server it stops updating object information
because it does not contain any references to objects that it does
not hold. This is because a global catalog server holds a partial
replica of every object in the forest.

To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and
then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the
appropriate site or click Default-first-site-name if no other sites are
available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it
is selected.
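The same checks without the GUI, as an added example that is not part of the original page: read each FSMO owner straight from the partition object that stores its fSMORoleOwner attribute (the partitions listed in the table above), resolve the owner to a DNS host name, and flag an infrastructure master that is also a global catalog, the placement the notes warn about. It runs on any domain-joined Windows host with the ADSI type accelerator and assumes no names.

```powershell
# Added example, not code from the original page. Runs on a domain-joined host.
function Get-FsmoRoleHolder {
    $root     = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$root.defaultNamingContext
    $configNC = [string]$root.configurationNamingContext
    $schemaNC = [string]$root.schemaNamingContext

    # role -> the object whose fSMORoleOwner attribute names the owning NTDS Settings object
    $owners = [ordered]@{
        'Schema master'         = $schemaNC                               # CN=Schema,CN=Configuration,...
        'Domain naming master'  = "CN=Partitions,$configNC"
        'PDC emulator'          = $domainNC                               # DC=<domain>
        'RID master'            = "CN=RID Manager`$,CN=System,$domainNC"
        'Infrastructure master' = "CN=Infrastructure,$domainNC"
    }

    foreach ($role in $owners.Keys) {
        $ntdsDn = [string]([ADSI]"LDAP://$($owners[$role])").fSMORoleOwner
        if ($ntdsDn -match '\\0ADEL:') {
            # The owning NTDS Settings object has been deleted (force-demoted or
            # cleaned-up DC): the role is orphaned and has to be seized.
            [pscustomobject]@{ Role = $role; Holder = '(deleted: seize required)'; IsGlobalCatalog = $false }
            continue
        }
        $ntds     = [ADSI]"LDAP://$ntdsDn"
        # The parent of the NTDS Settings object is the server object, which carries dNSHostName
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]"LDAP://$serverDn"
        [pscustomobject]@{
            Role            = $role
            Holder          = [string]$server.dNSHostName
            IsGlobalCatalog = ([int]$ntds.options.Value -band 1) -ne 0   # NTDSDSA_OPT_IS_GC, same box as the GUI
        }
    }
}

$roles = Get-FsmoRoleHolder
$roles | Format-Table -AutoSize

$im = $roles | Where-Object { $_.Role -eq 'Infrastructure master' }
if ($im.IsGlobalCatalog) {
    Write-Warning "Infrastructure master $($im.Holder) is a global catalog; acceptable only if every DC in the domain is a GC."
}
```

Reading the attribute directly also shows something "netdom query fsmo" hides: a role whose owner DN carries the \0ADEL: deleted-object marker still has an owner as far as the directory is concerned, which is the "invalid state" the text describes after a dcpromo /forceremoval, and nothing clears it until an administrator seizes the role.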

• How do you configure a "stand-by operation master" for any of the
roles?
Open Active Directory Sites and Services.
Expand the site name in which the standby operations master is located
to display the Servers folder.
Expand the Servers folder to see a list of the servers in that site.
Expand the name of the server that you want to be the standby
operations master to display its NTDS Settings.
Right-click NTDS Settings, click New, and then click Connection.
In the Find Domain Controllers dialog box, select the name of the
current role holder, and then click OK.
In the New Object-Connection dialog box, enter an appropriate name
for the Connection object or accept the default name, and click OK.

• How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory
database. You can back up Active Directory by using the Graphical User
Interface (GUI) and command-line tools that the Windows Server 2003
family provides (Ntbackup; from Windows Server 2008, Windows Server Backup
and wbadmin).

Back up the system state data on domain controllers frequently so
that you can restore the most current data. By establishing a regular
backup schedule, you have a better chance of recovering data when
necessary.

A good backup includes at least the system state data and the contents of
the system disk, and its age must be less than the tombstone lifetime: by
default the tombstone lifetime is 60 days, so any backup older than 60 days
is not a good backup and cannot be restored, because the restored DC would
reintroduce objects that the rest of the forest has already purged. Plan to
back up at least two domain controllers in each domain, and keep at least
one backup recent enough to allow an authoritative restore when necessary.

• System State Data

Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate.

System state data on a domain controller includes the following components:

Active Directory: the directory database (Ntds.dit) and its transaction log files. The system state contains Active Directory only if the server on which you back up the system state is a domain controller, because Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class Registration database holds information about Component Services applications.
The Certificate Services database: This database contains the certificates that a server running Windows Server 2003 issues and uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.


• How do you restore AD?

Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You also restore Active Directory when objects have been mistakenly changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once replication finishes, each partner has an updated version of Active Directory. The other way to recover is to use the Backup utility to restore replicated data from a backup copy. For this kind of restore you do not need to reconfigure the domain controller or reinstall the operating system from scratch.

Active Directory Restore Methods

You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the local Administrators group can perform a primary restore on a stand-alone computer, or a user who has been delegated the restore right can do so; on a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state at the time of the backup, and then lets normal replication bring it up to date. Perform a normal restore to return a single domain controller to a previously known good state; any object that was deleted after the backup is deleted again by replication.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data; the authoritative data is then replicated through the domain. Use it to recover individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is the command-line tool, run in Directory Services Restore Mode after the normal restore and before the domain controller boots normally, that marks Active Directory objects or subtrees as authoritative: it raises their version numbers (by default 100,000 per day elapsed since the backup) so that the restored copies win during replication and recently changed data on other domain controllers does not overwrite them.
• How do you change the DS Restore admin password?

Method 1
If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the Setpwd.exe utility to change the SAM-based Administrator password, which is the account used in Directory Services Restore Mode. On Windows Server 2003, Setpwd is replaced by the Ntdsutil command "set dsrm password". To use Setpwd:

1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. At a command prompt, change to the %SystemRoot%\System32 folder.
3. To change the local SAM-based Administrator password, type setpwd, and then press ENTER.

To change the SAM-based Administrator password on a remote domain controller, type the following command at a command prompt, and then press ENTER:

setpwd /s:servername

where servername is the name of the remote domain controller.

4. When you are prompted to type the password for the Directory Service Restore Mode Administrator account, type the new password that you want to use.

NOTE: If you make a mistake, repeat these steps to run setpwd again.

Method 2

1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:

• At a command prompt, type the following command: net user administrator *
• Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the Administrator password.

6. Shut down and restart the computer.

You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.

• Why can't you restore a DC that was backed up 4 months ago?

Because of the tombstone lifetime, which by default is only 60 days (180 days in forests created on Windows Server 2003 SP1 or later). Deletions are kept as tombstones for that long and are then garbage-collected; a domain controller restored from an older backup still holds objects whose tombstones are already gone, so nothing tells it to delete them and they reappear as lingering objects. A backup older than the tombstone lifetime is therefore not considered valid.

• What are GPOs? Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
• Group Policy Advantages
You can link Group Policy objects to sites, domains and organizational units, and the settings apply to all users and computers in those containers.
Ordinary users cannot change Group Policy settings; by default only Domain Admins, Enterprise Admins and members of Group Policy Creator Owners can create GPOs, and edit rights are granted per GPO through its access control list, so the mechanism is secure as long as that delegation is kept tight.
Policy settings can be removed again, and later changes overwrite earlier ones.
Where GPOs store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers read the GPC to locate the Group Policy template; if a domain controller does not have the most recent version of the GPO, Active Directory replication brings it up to date.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL share to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}.

Managing GPOs
To avoid replication conflicts, consider which domain controller you edit on, because the GPO data lives in both the SYSVOL folder and Active Directory. Two independent replication mechanisms carry GPO data among all domain controllers in the domain: Active Directory replication for the GPC and File Replication Service (FRS) replication for the GPT in SYSVOL. Two administrators editing the same GPO on different domain controllers can overwrite each other's changes, depending on replication latency. By default the Group Policy Management Console edits on the PDC Emulator so that all administrators work against the same domain controller.
• WMI Filter
WMI filters narrow the scope of a GPO based on attributes of the target computer (operating system version, installed memory, hardware and so on). In this way, you can extend GPO filtering beyond the security group filtering that was previously available.

A WMI filter is linked to a GPO. When the GPO is processed, the Group Policy engine on the destination computer evaluates the filter's queries against that computer's WMI repository. If any query returns no result, the filter is false and the GPO is not applied; if all queries return a result, the GPO is applied. You write the queries in the WMI Query Language (WQL), an SQL-like language for querying the WMI repository.

• Planning a Group Policy Strategy for the Enterprise

When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization.

• Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.

• Planning GPOs
Create GPOs in a way that provides for the simplest and most manageable design, one in which you can use inheritance and multiple links.

• Guidelines for Planning GPOs

Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine the settings that are common to the largest container, starting with the domain, and then link the GPO to that container.
Reduce the number of GPOs: Use multiple links instead of creating multiple identical GPOs. Link a GPO to the broadest possible container to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. Higher-level GPOs do not contain the settings in these specialized GPOs.
Disable the unused half of a GPO: When you create a GPO that contains settings for only one of the two halves (user configuration or computer configuration), disable the other half. This speeds up processing and prevents accidental settings from being applied to the other area.

• What is the order in which GPOs are applied?

Local, Site, Domain, OU (LSDOU)

Group Policy settings are processed in the following order:

1:- Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.

2:- Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3:- Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4:- Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.) Two link options change this: a link marked Enforced cannot be overridden by GPOs processed later and is not stopped by Block Inheritance, and where several enforced links conflict, the one highest in the hierarchy wins.

• Name a few benefits of using GPMC. Microsoft's Group Policy Management Console (GPMC) is the standard tool for managing Group Policy. The tool provides control over Group Policy in the following manner:
• Easy administration of all GPOs across the entire Active Directory Forest
• View of all GPOs in one single list
• Reporting of GPO settings, security, filters, delegation, etc.
• Control of GPO inheritance with Block Inheritance, Enforce, and Security
Filtering
• Delegation model
• Backup and restore of GPOs
• Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone.
Granted, the GPMC is needed and should be used by everyone for what it is
ideal for. However, it does fall a bit short when you want to protect the GPOs
from the following:
• Role based delegation of GPO management
• Being edited in production, potentially causing damage to desktops and
servers
• Forgetting to back up a GPO after it has been modified
• Change management of each modification to every GPO

• What are the GPC and the GPT? Where can I find them?
GPOs store Group Policy settings in two locations: the Group Policy container (GPC) in Active Directory and the Group Policy template (GPT) in SYSVOL. The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).

The GPT is used for file-based data and stores software policy, script,
and deployment information. The GPT is located on the system volume
folder of the domain controller. A GPO can be associated with one or
more Active Directory containers, such as a site, domain, or
organizational unit. Multiple containers can be associated with the same
GPO, and a single container can have more than one associated GPO.

• What are GPO links? What special things can I do to them?

To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.

• What can I do to prevent inheritance from above?

You can block policy inheritance for a domain or organizational unit. Using Block Inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied. Block Inheritance does not stop GPO links that are marked Enforced.
(In the object-oriented programming sense of the same question, you declare a class final or sealed so that no other class can inherit from it.)

How can I override blocking of inheritance?

Mark the GPO link as Enforced (called No Override in the older Group Policy editor). An enforced link is applied even to child containers that have Block Inheritance set, and its settings cannot be overridden by GPOs processed later. Use it sparingly, for settings such as a domain-wide security baseline that no OU administrator should be able to opt out of.

In the object-oriented programming sense of the question, a base-class method that should be overridable is declared virtual, and the derived class overrides it:

class A // base class
{
    public virtual void add()
    {
        // base implementation
    }
}

class B : A // class derived from the base class
{
    public override void add()
    {
        // derived implementation replaces the base one
    }
}

class Program
{
    static void Main()
    {
        A obj = new B();
        obj.add(); // virtual dispatch runs B.add(), not A.add()
    }
}

If you call add() on a B instance, the derived-class method runs instead of the base-class add(); the base implementation is hidden unless B calls base.add() explicitly.
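The processing order described above (Local, Site, Domain, OU, with link order inside each container), together with Block Inheritance and Enforced links, can be modelled in a few dozen lines. The following is an added example, not code from the original page; the container names, GPO names and settings are constructed sample data, and the model ignores security filtering, WMI filters and loopback processing.

```python
"""Model of Group Policy precedence: Local, Site, Domain, OU order,
link order within a container, Block Inheritance and Enforced links.
Added illustration; the container names, GPO names and settings are
constructed sample data, not a real directory."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict


@dataclass
class Link:
    gpo: GPO
    link_order: int            # 1 = highest precedence within this container
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # only meaningful on a domain or OU


def resolve(chain):
    """chain: containers in processing order (local, site, domain, OUs top-down).
    Returns (names of GPOs in the order applied, effective settings)."""
    normal, enforced = [], []          # lists of (depth, Link)
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # Block Inheritance discards every non-enforced GPO linked above
            # this container; enforced links are unaffected.
            normal = [(d, link) for d, link in normal if d >= depth]
        # Lowest link order is processed last, so iterate in descending order.
        for link in sorted(container.links, key=lambda l: l.link_order, reverse=True):
            (enforced if link.enforced else normal).append((depth, link))
    # Enforced links are applied after all others, and the one linked highest
    # in the hierarchy is applied last (wins), so sort deepest first.
    # sorted() is stable, so link order within a container is preserved.
    enforced.sort(key=lambda item: -item[0])
    apply_list = [link for _, link in normal] + [link for _, link in enforced]

    effective = {}
    for link in apply_list:
        effective.update(link.gpo.settings)   # later GPO overwrites on conflict
    return [link.gpo.name for link in apply_list], effective


def sample_chain(block_sales_ou):
    """Constructed example: one site, one domain, one OU, five GPOs."""
    local = Container("Local", [Link(GPO("LocalGPO", {"screensaver_timeout": 600}), 1)])
    site = Container("Site-HQ", [Link(GPO("SitePolicy", {"proxy": "hq-proxy"}), 1)])
    domain = Container("corp.example", [
        Link(GPO("DomainSecurity", {"min_pw_len": 12, "screensaver_timeout": 900}),
             1, enforced=True),
        Link(GPO("DomainDefaults", {"wallpaper": "corp.bmp", "proxy": "corp-proxy"}), 2),
    ])
    sales = Container("OU=Sales", [
        Link(GPO("SalesDesktop", {"wallpaper": "sales.bmp", "screensaver_timeout": 300}), 1),
        Link(GPO("SalesApps", {"wallpaper": "apps.bmp"}), 2),
    ], block_inheritance=block_sales_ou)
    return [local, site, domain, sales]


if __name__ == "__main__":
    for blocked in (False, True):
        order, settings = resolve(sample_chain(blocked))
        print("Block Inheritance on OU=Sales:", blocked)
        print("  applied in order:", " -> ".join(order))
        print("  effective settings:", settings)
```

Run it and compare the two passes: with Block Inheritance on the OU, the site and domain defaults (including the proxy setting) vanish, but the enforced DomainSecurity GPO still lands last and its 900-second screensaver timeout beats the OU's 300 seconds, which is exactly why security baselines are linked Enforced at the domain.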

• How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Use the Group Policy Management Console: Group Policy Results reports the GPOs that were actually applied to a given user and computer and why the others were denied (security filtering, WMI filtering, disabled link), and Group Policy Modeling simulates what would apply for a user or computer placed in a given container. On the client, gpresult (with /v for verbose output) prints the same Resultant Set of Policy data at the command line, and rsop.msc shows it in an MMC console.

• A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for? Here the interviewer wants to know the troubleshooting steps:
Which GPOs are actually applying to this user and computer (gpresult on the client, or Group Policy Results in GPMC)?
Are the GPOs linked to the OU applying to everyone else in that OU?
Is the GPO filtered by security group, and is this user (or computer) missing from the group that has the Apply Group Policy permission, or explicitly denied it?
Does the GPO carry a WMI filter that evaluates to false on this user's computer?
Is loopback processing enabled on the computer's OU? With loopback, user settings come from the GPOs linked to the computer's OU (merge or replace mode), so a GPO linked to the user's OU may not apply as expected.
Is the client talking to a domain controller that has not yet received the GPO (GPC and GPT versions differ between domain controllers)?
You may also want to check the computer's event logs. Event ID 1085 indicates that a Group Policy client-side extension failed to process; the event text names the extension and any hotfix that addresses it, after which the computer needs a reboot or gpupdate.

• Name some GPO settings in the computer and user parts.

Computer Configuration (applied at startup, to the machine): Windows Settings > Security Settings (account and password policy, audit policy, user rights assignment, event log settings, restricted groups), startup and shutdown scripts, software installation assigned to computers, and Administrative Templates for HKEY_LOCAL_MACHINE. User Configuration (applied at logon, to the user): folder redirection, logon and logoff scripts, software installation assigned or published to users, and Administrative Templates for HKEY_CURRENT_USER such as desktop, Start menu and Control Panel restrictions.

• What are administrative templates?

The GPO settings are divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates.

Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.
By using the Administrative Template sections of the GPO you can deploy modifications to the machine (HKEY_LOCAL_MACHINE in the registry) and user (HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are influenced by the GPO.

The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor.

• What's the difference between software publishing and assigning?

An administrator can either assign or publish software applications.

Assign Users
The software application is advertised when the user logs on. It is installed
when the user clicks on the software application icon via the start menu,
or accesses a file that has been associated with the software application.
Assign Computers
The software application is advertised and installed when it is safe to do
so, such as when the computer is next restarted.
Publish to users
The software application does not appear on the start menu or desktop.
This means the user may not know that the software is available. The
software application is made available via the Add/Remove Programs
option in control panel, or by clicking on a file that has been associated
with the application. Published applications do not reinstall themselves in
the event of accidental deletion, and it is not possible to publish to
computers.

• Can I deploy non-MSI software with GPO?

Yes, you can deploy a non-MSI package with GPO with the help of a .zap file. A .zap file is a small text file that tells Group Policy how to run the application's own setup program, so that applications that are not Windows Installer compliant can be deployed. .zap files do not support automatic repair, customized installations, or automatic software removal, and the setup runs in the user's security context rather than with elevated rights, so the user needs permission to install. In addition, these files can only be published to users, not assigned.

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Create a mandatory roaming profile: log on to a client as a template user, configure the desktop, printers and so on, then in System Properties > Advanced > User Profiles copy that profile to a share, permitting Everyone (or the department's group) to use it. Rename NTUSER.DAT in the copied profile to NTUSER.MAN so the profile is mandatory (changes users make are discarded at logoff), and set that share path as the profile path on each user account in the department. Use a dedicated template account rather than a Domain Admin account for this, so that nothing from a privileged profile is copied out to a widely readable share. The same result can be achieved more flexibly with Group Policy linked to the department's OU: folder redirection for My Documents, printer connections from a logon script, and Administrative Template settings for wallpaper and the Start menu.

• What is an IP address? An Internet Protocol address (IP address) is a unique address that a computing device uses to identify itself and communicate with other devices on an Internet Protocol network.

• What is a subnet mask? A subnet mask separates the IP address into the network and host portions.
• What is ARP? Address Resolution Protocol resolves an IPv4 address into a physical (link-layer) address, such as an Ethernet MAC address. It sits between the network layer and the link layer: a host broadcasts "who has 10.0.0.1?" and the owner replies with its MAC address, which the requester then caches.

• What is ARP Cache Poisoning? ARP cache poisoning, also known as ARP spoofing, is the sending of forged ARP replies so that other hosts on the Ethernet segment cache a false IP-to-MAC mapping, typically mapping the default gateway's IP address to the attacker's MAC address. Because ARP has no authentication and hosts accept unsolicited replies, the attacker can then intercept, modify or drop the victim's traffic (man-in-the-middle or denial of service).
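The signals a defender looks for in ARP traffic follow directly from the description above: replies nobody asked for, a known IP suddenly answering from a different MAC, and one MAC claiming the gateway's address as well as its own. The detector below is an added example, not code from the original page; the tcpdump-style log lines are constructed, and the gateway address is an assumption passed in by the caller.

```python
"""Detector for ARP cache poisoning over ARP traffic in tcpdump-style text.
Added illustration: the log lines below are constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway; at 12:00:05 a second host
# (00:de:ad:be:ef:99) starts claiming both the gateway's address and 10.0.0.25.
SAMPLE_LOG = """\
12:00:01.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.25
12:00:01.101 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:01
12:00:05.200 ARP, Reply 10.0.0.1 is-at 00:de:ad:be:ef:99
12:00:05.201 ARP, Reply 10.0.0.25 is-at 00:de:ad:be:ef:99
12:00:09.000 ARP, Request who-has 10.0.0.7 tell 10.0.0.25
12:00:09.001 ARP, Reply 10.0.0.7 is-at 00:aa:bb:cc:dd:07
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ARP, (?P<kind>Request|Reply) (?P<body>.+)$")
REQUEST_RE = re.compile(r"^who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)$")
REPLY_RE = re.compile(r"^(?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})$")


def detect_arp_poisoning(log_text, gateway_ip=None):
    """Return a list of (timestamp, reason, subject, detail) alerts.

    Three signals are checked:
      - a reply arrives for an IP nobody asked about (unsolicited/gratuitous),
      - an IP we have already learned suddenly maps to a different MAC,
      - one MAC claims more than one IP and one of them is the gateway
        (any IP if no gateway is given).
    """
    learned = {}                      # ip -> mac first seen for it
    pending = set()                   # ips with an outstanding request
    ips_per_mac = defaultdict(set)
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, kind, body = m.group("ts", "kind", "body")
        if kind == "Request":
            r = REQUEST_RE.match(body)
            if r:
                pending.add(r.group("target"))
            continue
        r = REPLY_RE.match(body)
        if not r:
            continue
        ip, mac = r.group("ip"), r.group("mac").lower()
        if ip not in pending:
            alerts.append((ts, "unsolicited reply", ip, mac))
        pending.discard(ip)
        known = learned.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, "mapping changed", ip, f"{known} -> {mac}"))
        ips_per_mac[mac].add(ip)
        claims = ips_per_mac[mac]
        if len(claims) > 1 and (gateway_ip is None or gateway_ip in claims):
            alerts.append((ts, "one MAC claims several IPs", mac, sorted(claims)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_LOG, gateway_ip="10.0.0.1"):
        print(alert)
```

The "unsolicited reply" rule is noisy on its own, since hosts legitimately send gratuitous ARP after a reboot or an address change, and a monitor on a switched network only sees unicast replies if it sits on a mirror port; the "mapping changed" rule for the gateway address is the one worth paging on, and pinning the gateway's MAC statically on critical hosts (or enabling dynamic ARP inspection on the switch) removes the attack rather than just detecting it.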

• What is the ANDing process? In order to determine whether a destination host is local or remote, a computer performs a simple mathematical computation referred to as an AND operation: it ANDs its own IP address with its subnet mask, ANDs the destination address with the same mask, and compares the two results. If they match, the destination is on the local subnet; if not, the packet goes to a router. While the sending host does this operation internally, understanding what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host or to a router.

• What is a default gateway? What happens if I don't have one?

The default gateway is a node (a router) on a TCP/IP network that serves as an access point to other networks. A host sends a packet to the default gateway when the ANDing process shows that the destination address lies outside the local subnet. Without one, the host can only reach addresses on its own subnet (and any destinations it has explicit static routes for).

• Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway? Normally not: the default gateway is what routes your IP packets from your network to other networks, whether they are public or private. The exceptions are a workstation that browses through a proxy server located on its own subnet, since then every packet the browser sends is local and the proxy does the off-subnet routing, or one that has specific static routes for the destinations it needs.

• What is a subnet? A subnet is an identifiably separate part of an organization's network. A subnet specifies a range of IP addresses.

• What is APIPA? Automatic Private IP Addressing. A Windows-based computer that is configured to use DHCP can automatically assign itself an IP address from the 169.254.0.0/16 range (mask 255.255.0.0) if a DHCP server is not available. For example, this could occur on a network without a DHCP server or on a network where the DHCP server is temporarily down for maintenance. An APIPA address comes with no default gateway, so such a host can only talk to other APIPA hosts on the same segment; a client showing a 169.254.x.x address is a quick sign of a DHCP failure.

• What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them). A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be submitted by anyone. Eventually, if it gains enough interest, it may evolve into an Internet Standard. Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.

• What is RFC 1918? RFC 1918 is Address Allocation for Private Internets
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255
(172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) We
will refer to the first block as "24-bit block", the second as "20-bit block",
and to the third as "16-bit" block.
• What is CIDR? Classless Inter-Domain Routing (RFC 4632) replaces the old class A/B/C address scheme with variable-length network prefixes. An address block is written as a base address followed by a slash and the number of network bits, for example 192.168.0.0/16 or 10.0.0.0/8, which is how the RFC 1918 private ranges above are written. Because prefixes can fall on any bit boundary, CIDR lets routers aggregate many contiguous networks into one route (supernetting) and lets administrators carve a block into subnets of whatever size is needed, which slowed IPv4 address exhaustion and keeps Internet routing tables smaller.

• You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
A /27 mask (255.255.255.224) leaves 5 host bits, so the block covers 32 addresses: 192.115.103.64 - 192.115.103.95.
192.115.103.64 is the network address and 192.115.103.95 is the broadcast address, so the usable host addresses are 192.115.103.65 - 192.115.103.94.
192.115.103.96 is the first address of the next /27 block.
We can use 30 hosts in this network.

• You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use? If you need to divide it up into the maximum number of subnets containing at least 500 hosts each, you should use a /23 subnet mask (255.255.254.0). This will provide you with 128 networks of 510 hosts each. If you used a /24 mask, you would be limited to 254 hosts. Similarly, a /22 mask would be wasteful, allowing you 1022 hosts.
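The ANDing test, the /27 range and the /23 choice above are all the same bit arithmetic. The following is an added example, not code from the original page, that carries it out with Python's standard ipaddress module; the only assumption beyond the questions' own addresses is that 131.112.0.0 is a class B block and therefore starts as a /16.

```python
"""Subnet arithmetic: the ANDing test, the usable range of a CIDR block, and
choosing a prefix for a required host count. Added illustration; the
addresses reused from the questions above are the only inputs."""
import ipaddress


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def is_local(src_ip, mask, dst_ip):
    """The ANDing process: AND both addresses with the mask; if the results
    match, the destination is on the local subnet and is sent to directly,
    otherwise the packet goes to the default gateway."""
    m = to_int(mask)
    return (to_int(src_ip) & m) == (to_int(dst_ip) & m)


def subnet_info(cidr):
    """Network, first/last usable host, broadcast, usable count and the
    start of the following block, for a block such as 192.115.103.64/27."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen >= 31:          # /31 and /32 have no network/broadcast split
        raise ValueError("no usable host range for prefixes longer than /30")
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "next_network": str(net.broadcast_address + 1),
    }


def prefix_for_hosts(cidr, hosts_needed):
    """Smallest subnet (longest prefix) with at least hosts_needed usable
    addresses, carved from cidr. Returns (prefix, subnet_count, hosts_each)."""
    net = ipaddress.IPv4Network(cidr)
    host_bits = 1
    while (1 << host_bits) - 2 < hosts_needed:   # 2 addresses are never usable
        host_bits += 1
    new_prefix = 32 - host_bits
    if new_prefix < net.prefixlen:
        raise ValueError(f"{cidr} is too small for {hosts_needed} hosts per subnet")
    return new_prefix, 1 << (new_prefix - net.prefixlen), (1 << host_bits) - 2


if __name__ == "__main__":
    print(is_local("192.168.1.10", "255.255.255.0", "192.168.1.200"))   # True
    print(is_local("192.168.1.10", "255.255.255.0", "192.168.2.5"))     # False
    print(subnet_info("192.115.103.64/27"))
    # 131.112.0.0 is a class B address, so the starting block is assumed to be /16
    print(prefix_for_hosts("131.112.0.0/16", 500))                      # (23, 128, 510)
```

The strict=True in subnet_info makes the function reject an input such as 192.115.103.70/27, where host bits are set; that is usually a typo in an ACL or firewall rule, and silently normalising it would hide the mistake.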

• You need to view network traffic. What will you use? Name a few tools.
Wireshark (formerly Ethereal), tcpdump, or Microsoft Network Monitor.

• How do I know the path that a packet takes to the destination?

Use the "tracert" command-line tool (traceroute on UNIX-like systems).

• What does the ping 192.168.0.1 -l 1000 -n 100 command do?

It sends 100 ICMP echo requests (-n 100, instead of the default 4) to 192.168.0.1, each carrying a 1000-byte payload (-l 1000, instead of the default 32 bytes), and reports the round-trip time of each reply followed by the loss and timing statistics. It is a quick way to check whether a link drops or fragments larger packets and to measure loss over a longer sample than the default.

• What is DHCP? What are the benefits and drawbacks of using it? DHCP, Dynamic Host Configuration Protocol, is a communications protocol that dynamically assigns unique IP addresses to network devices.

Benefits of using DHCP

DHCP provides the following benefits for administering your TCP/IP-based network:

• Safe and reliable configuration

DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
• Reduces configuration management
Using DHCP servers can greatly decrease time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options.

Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.

Benefits:

1. DHCP minimizes configuration errors caused by manual IP address configuration.

2. Reduced network administration.

Drawbacks:
Your machine name does not change when you get a new IP address, but the DNS record associated with your old address does, so other clients that reach your machine by its DNS name break unless DHCP updates DNS dynamically. DHCP is also unauthenticated: any device with physical or wireless access to the segment is handed full network parameters, and a rogue DHCP server can give clients a malicious default gateway or DNS server. Finally, the DHCP server is a dependency for every client, so it needs redundancy.


• Describe the steps taken by the client and DHCP server in order to obtain an IP address.
At least one DHCP server must exist on a network. Once the DHCP server software is installed, you create a DHCP scope, which is a pool of IP addresses that the server manages. When a client's TCP/IP stack starts (not when the user logs on), it requests an IP address from the server, and the server provides one from its pool of available addresses. The exchange has four steps (DORA):
1. DHCPDISCOVER: the client, which has no address yet, broadcasts from 0.0.0.0 to 255.255.255.255 asking for any DHCP server.
2. DHCPOFFER: each server that hears the broadcast offers an address from its scope, together with the subnet mask and other options.
3. DHCPREQUEST: the client broadcasts a request for the offer it chose (normally the first one received), which also tells the other servers to withdraw their offers.
4. DHCPACK: the chosen server confirms the lease, its duration, and the options (default gateway, DNS servers and so on); the client then configures its interface. At 50% of the lease time the client sends a unicast DHCPREQUEST to renew; if that fails, it broadcasts the request again at 87.5%.

DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol, October 1993), but the most recent update is RFC 2131 (Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host Configuration (dhc) Working Group is chartered to produce a protocol for automated allocation, configuration, and management of IP addresses and TCP/IP protocol stack parameters.

• What is the DHCPNACK and when do I get one? Name 2 scenarios.

DHCPNAK is the server's negative acknowledgement of a DHCPREQUEST: it tells the client that the address it asked for is not valid (its lease has expired, or it announced a bad network configuration), so the client must drop the address and start over with DHCPDISCOVER. Two typical scenarios:
1. A laptop that still holds a lease from one subnet boots on another subnet and requests its old address; the server there sees an address that does not belong to the local subnet and sends a NAK.
2. The client's lease expired while it was switched off, the server gave the address to another client, and the returning client requests the address it remembers; the server NAKs because the address is now leased to a different MAC.

A DHCP server issues a NAK only when it is sure that the request is wrong for the subnet the client is on. It stays silent instead in these cases:

1. Requested address on the same subnet but not in the server's address pool: this is the failover arrangement in which two DHCP servers serve the same subnet with split scopes, so when one goes down the other must not NAK clients that got their address from the first server.

2. Requested address on a different logical subnet that belongs to the same superscope as the client's subnet: DHCP servers ACK such a request.

• What ports are used by DHCP and the DHCP clients?

The server listens on UDP port 67 and the client on UDP port 68: client requests go from source port 68 to destination port 67, and server replies go from 67 back to 68. These are the same ports used by BOOTP, from which DHCP was derived. Because the client has no address yet, the initial messages are broadcast, so a DHCP relay agent (IP helper address) on the router is needed when the server sits on another subnet.
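The four-step exchange, the two NAK scenarios, the cases where the server stays silent and the 67/68 port pairing described above can be exercised together in a small model. The following is an added example, not code from the original page or any DHCP implementation: it keeps the messages as dictionaries and never touches a socket, the scope and client MAC addresses are constructed, and the superscope case is left out.

```python
"""Simplified model of the DHCP exchange: Discover, Offer, Request, Ack on
UDP 67/68, plus the cases in which a server answers DHCPNAK or stays silent.
Added illustration with constructed addresses; it is not a real DHCP
implementation and does not touch the network."""
import ipaddress

SERVER_PORT, CLIENT_PORT = 67, 68


def client_message(mtype, mac, requested_ip=None):
    """Build a client message; clients send from UDP 68 to UDP 67."""
    msg = {"type": mtype, "chaddr": mac, "src_port": CLIENT_PORT, "dst_port": SERVER_PORT}
    if requested_ip:
        msg["requested_ip"] = requested_ip
    return msg


class DhcpServer:
    def __init__(self, subnet, pool_start, pool_end, options):
        self.subnet = ipaddress.IPv4Network(subnet)
        first, last = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        self.pool = [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
        self.options = options          # router, dns, lease time, ... (DHCP options)
        self.leases = {}                # IPv4Address -> client MAC

    def handle(self, msg):
        """Return the server's reply, or None when the server must stay silent."""
        assert msg["dst_port"] == SERVER_PORT and msg["src_port"] == CLIENT_PORT
        mac = msg["chaddr"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._address_for(mac)
            return self._reply("DHCPOFFER", mac, ip) if ip else None
        if msg["type"] == "DHCPREQUEST":
            ip = ipaddress.IPv4Address(msg["requested_ip"])
            if ip not in self.subnet:
                # Lease from another subnet (client moved) or bogus: NAK so the
                # client restarts with DHCPDISCOVER.
                return self._reply("DHCPNAK", mac, None)
            if ip not in self.pool:
                # On our subnet but in another server's range (split-scope
                # failover): say nothing rather than NAK a valid lease.
                return None
            holder = self.leases.get(ip)
            if holder not in (None, mac):
                # Address already leased to a different client: NAK.
                return self._reply("DHCPNAK", mac, None)
            self.leases[ip] = mac
            return self._reply("DHCPACK", mac, ip)
        return None

    def _address_for(self, mac):
        for ip, holder in self.leases.items():   # re-offer an existing lease
            if holder == mac:
                return ip
        for ip in self.pool:                     # otherwise the first free address
            if ip not in self.leases:
                return ip
        return None                              # scope exhausted: no offer

    def _reply(self, mtype, mac, ip):
        msg = {"type": mtype, "chaddr": mac, "src_port": SERVER_PORT, "dst_port": CLIENT_PORT}
        if ip is not None:
            msg["yiaddr"] = str(ip)
            msg["subnet_mask"] = str(self.subnet.netmask)
            msg.update(self.options)
        return msg


def obtain_lease(server, mac):
    """Run the full DORA exchange for one client; returns the transcript."""
    transcript = [client_message("DHCPDISCOVER", mac)]
    offer = server.handle(transcript[-1])
    transcript.append(offer)
    if offer is None:
        return transcript
    transcript.append(client_message("DHCPREQUEST", mac, offer["yiaddr"]))
    transcript.append(server.handle(transcript[-1]))
    return transcript


def make_server():
    """Constructed scope: 10.1.0.0/24 with a small pool and the usual options."""
    return DhcpServer("10.1.0.0/24", "10.1.0.100", "10.1.0.110",
                      {"router": "10.1.0.1", "dns": "10.1.0.53", "lease_seconds": 28800})


if __name__ == "__main__":
    srv = make_server()
    for m in obtain_lease(srv, "00:11:22:33:44:55"):
        print(m)
    # Laptop that still holds a lease from 10.2.0.0/24 boots on this subnet: NAK
    print(srv.handle(client_message("DHCPREQUEST", "aa:bb:cc:dd:ee:ff", "10.2.0.50")))
    # Address on this subnet but outside our pool (other server's range): silence
    print(srv.handle(client_message("DHCPREQUEST", "aa:bb:cc:dd:ee:ff", "10.1.0.200")))
```

Note what the model makes visible: nothing in the exchange authenticates the server, so a second DhcpServer on the same segment handing out its own router and dns options would be accepted by any client that happened to receive its offer first, which is the rogue-DHCP risk a practitioner mitigates with DHCP snooping on the switches.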

• Describe the process of installing a DHCP server in an AD
infrastructure.
Terms you'll need to understand:
• DHCP
• Lease duration
• Scopes
• Superscopes
• Multicast scopes
• Scope options

Techniques you'll need to master:
• Installing DHCP
• Understanding the DHCP lease process
• Creating scopes, superscopes, and multicast scopes
• Configuring the lease duration
• Configuring optional IP parameters that can be assigned to DHCP clients
• Understanding how DHCP interacts with DNS
• Configuring DHCP for DNS integration
• Authorizing a DHCP server in Active Directory
• Managing a DHCP server
• Monitoring a DHCP server
Introduction: The TCP/IP protocol is an Active Directory operational
requirement. This means that all computers on a Windows 2000 network
require a unique IP address to communicate with the Active Directory.
Static IP addresses can add a lot of administrative overhead. Not only can
management of static IP addresses become time consuming, but such
management also increases the chances of misconfigured parameters. Imagine
having to manually type 10,000 IP addresses and not make a single error.
The Dynamic Host Configuration Protocol (DHCP) can be implemented to
centralize the administration of IP addresses. Through DHCP, many of the tasks
associated with IP addressing can be automated. However, implementing DHCP
also introduces some security issues: anyone with physical access to the
network can plug in a laptop and obtain IP information about the internal
network (addresses, gateway, DNS servers, domain name), and anyone who can
run a DHCP server on the segment can hand clients a gateway or DNS server of
their choosing. The second risk is why a Windows DHCP server must be
authorized in Active Directory before it will lease addresses; that check
does nothing against a non-Windows rogue server, which has to be caught by
DHCP snooping on the switches or by monitoring.

In this chapter, you'll learn how to implement a DHCP server, including the
installation process, authorization of the server, and the configuration
of DHCP scopes. The chapter ends by looking at how to manage a DHCP server
and monitor its performance.
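Both risks just mentioned leave traces in the DHCP server's own audit log before anyone complains, so here is an added example (not from the page or from Microsoft) of a check over that log. It parses the CSV rows the Windows DHCP service writes to DhcpSrvLog-<Day>.log and flags a burst of new leases to many MAC addresses (starvation), a pool that ran dry, address conflicts, and the rogue-detection and authorization events. The sample rows are constructed for the example and the thresholds are arbitrary; the event IDs are those from the legend the service writes at the top of each log file.

```python
"""Detection over Windows DHCP server audit-log rows (DhcpSrvLog-<Day>.log).

Added example, not the page's code. Only the row format and the event IDs
come from the Windows DHCP audit log; the sample rows and alert thresholds
are constructed for the example.
"""
import csv
import io
from collections import deque
from datetime import datetime

# Event IDs as listed in the legend at the top of the Windows DHCP audit log.
EVENT_NAMES = {
    10: "Assign", 11: "Renew", 12: "Release",
    13: "Conflict: address found in use on the network",
    14: "Pool exhausted: lease request could not be satisfied",
    15: "Lease denied",
    54: "Authorization failed",
    62: "Another DHCP server was found on the network",
}

# Constructed sample: 25 leases to 25 different MACs in 25 seconds, then the
# pool runs dry, an address conflict is logged, and rogue detection fires.
SAMPLE_LOG = "\n".join(
    ["ID,Date,Time,Description,IP Address,Host Name,MAC Address"]
    + [f"10,03/04/13,08:00:{i:02d},Assign,192.168.1.{100 + i},,00155D0F5A{i:02X}"
       for i in range(25)]
    + ["14,03/04/13,08:00:26,Pool exhausted,,,",
       "13,03/04/13,08:05:10,Conflict,192.168.1.10,,",
       "62,03/04/13,08:10:00,Another DHCP server was found,192.168.1.250,,"])


def parse_audit_log(text):
    """Return the CSV data rows as dicts; the free-text legend block is skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        eid, date, time_, desc, ip, host, mac = (c.strip() for c in row[:7])
        rows.append({"id": int(eid), "desc": desc, "ip": ip, "host": host, "mac": mac,
                     "ts": datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")})
    return rows


def detect(events, window_seconds=60, max_new_clients=20):
    """Return (alert, timestamp, detail) tuples for the events worth paging on.

    - IDs 54/62: this server is unauthorized, or a second server is on our segment.
    - ID 14: pool exhausted, the visible effect of a DHCP starvation attack.
    - ID 13: address conflict, e.g. a static host or spoofer using a pool address.
    - Burst of ID 10 from many distinct MACs inside the window: starvation in progress.
    """
    alerts, recent = [], deque()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] in (54, 62):
            alerts.append(("rogue-or-unauthorized", e["ts"],
                           f"{EVENT_NAMES[e['id']]} {e['ip']}"))
        elif e["id"] == 14:
            alerts.append(("pool-exhausted", e["ts"], EVENT_NAMES[14]))
        elif e["id"] == 13:
            alerts.append(("address-conflict", e["ts"], e["ip"]))
        elif e["id"] == 10:
            recent.append((e["ts"], e["mac"]))
            while (e["ts"] - recent[0][0]).total_seconds() > window_seconds:
                recent.popleft()
            if len({mac for _, mac in recent}) > max_new_clients:
                alerts.append(("starvation", e["ts"], len(recent)))
                recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit_log(SAMPLE_LOG)):
        print(*alert)
```

The starvation rule keys on distinct MAC addresses rather than on raw Assign count, because a scope that simply has many clients renewing at once produces the same volume of rows; a tool that spoofs a fresh MAC per request does not.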

There must be a working DNS in the environment before you install a DHCP
server. To validate your DNS server, click Start, click Run, type cmd, press
ENTER, then type ping followed by the host name of an existing DNS server in
your environment and press ENTER. If the name cannot be resolved, ping
reports "Ping request could not find host <name>" (older versions print
"Unknown host <name>"). nslookup <name> is the better check when a host
resolves but does not answer ICMP, because it also shows which DNS server
answered.

To install the DHCP Service on an existing Windows Server 2003 server:

 Click Start, click Settings, and then click Control Panel.
 Double-click Add/Remove Programs, and then click Add/Remove
Windows Components.
 In the Windows Components Wizard, click Networking Services in
the Components box, and then click Details.
 Click to select the Dynamic Host Configuration Protocol (DHCP) check
box if it is not already selected, and then click OK.
 In the Windows Components Wizard, click Next to start Windows Server
2003 Setup. Insert the Windows Server 2003 CD-ROM into the CD-ROM drive if
you are prompted to do so. Setup copies the DHCP server and tool files
to your computer.
 When Setup is complete, click Finish.
 Open the DHCP console from Administrative Tools, right-click the server
and click Authorize. Authorization records the server in Active Directory
and requires Enterprise Admins rights; a Windows DHCP server on an AD
network that finds it is not authorized stops servicing clients, so the
scopes you create next will not hand out addresses until this is done.

• What is DHCPINFORM?
DHCPINFORM is the DHCP message a client sends when it already has an IP
address (configured statically, or obtained some other way such as over a
remote access connection) and only wants configuration options such as
DNS servers or the domain name. The server answers with a DHCPACK that
carries the options but no lease, so no address is taken from the pool. A
remote access (RRAS) server forwards the DHCPINFORM messages it receives
from dial-up and VPN clients to a DHCP server only if it has been
configured with the DHCP Relay Agent.

• Describe the integration between DHCP and DNS.

Traditionally, DNS and DHCP servers have been configured and managed one at
a time. Similarly, changing authorization rights for a particular user on a group
of devices has meant visiting each one and making configuration changes. DHCP
integration with DNS allows the aggregation of these tasks across devices,
enabling a company's network services to scale in step with the growth of
network users, devices, and policies, while reducing administrative operations
and costs.

This integration provides practical operational efficiencies that lower total cost
of ownership. Creating a DHCP network automatically creates an associated
DNS zone, for example, reducing the number of tasks required of network
administrators. And integration of DNS and DHCP in the same database instance
provides unmatched consistency between service and management views of IP
address-centric network services data.

Windows Server 2003 DNS supports DHCP by means of the dynamic update of
DNS zones. By integrating DHCP and DNS in a DNS deployment, you can provide
your network resources with dynamic addressing information stored in DNS. To
enable this integration, you can use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136: Dynamic Updates in the
Domain Name System (DNS UPDATE), automatically updates DNS records. Both
Windows Server 2003 and Windows 2000 support dynamic update, and both
clients and DHCP servers can send dynamic updates when their IP addresses
change.
Dynamic update enables a DHCP server to register address (A) and pointer
(PTR) resource records on behalf of a DHCP client by using DHCP Client FQDN
option 81. Option 81 enables the DHCP client to provide its FQDN to the DHCP
server. The DHCP client also provides instructions to the DHCP server
describing how to process DNS dynamic updates on behalf of the DHCP client.
The DHCP server can dynamically update DNS A and PTR records on behalf of
DHCP clients that are not capable of sending option 81 to the DHCP server. You
can also configure the DHCP server to discard client A and PTR records when
the DHCP client lease is deleted. This reduces the time needed to manage
these records manually and provides support for DHCP clients that cannot
perform dynamic updates. In addition, dynamic update simplifies the setup of
Active Directory by enabling domain controllers to dynamically register SRV
resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs
one of the following actions, depending on the setting chosen on the DNS tab
of the server or scope properties:
• "Only if requested by the DHCP clients" (the default): the client
registers its own A record and the DHCP server updates the PTR record on
the client's behalf; a client that sets the S flag in option 81 asks the
server to register the A record as well.
• "Always dynamically update DNS A and PTR records": the DHCP server
updates both records regardless of whether the client requests this.

By itself, dynamic update is not secure because any client can modify
DNS records, including records that belong to another host. To secure
dynamic updates, use the secure dynamic update feature provided in
Windows Server 2003: it is available only for Active Directory-integrated
zones, accepts updates only from clients that authenticate with Kerberos
(GSS-TSIG), and gives each record an ACL under which only the principal
that created it may change it later. One caveat follows from that
ownership rule: when the DHCP server registers records on behalf of
clients, the records belong to the DHCP server's account, and a client
that later tries to register itself cannot update them. Microsoft's
documented answer is to put DHCP servers in the DnsUpdateProxy group,
which creates the records without an owner so the next registrant can
take them over; on its own that leaves those records open to any
authenticated host until a client does so. To delete outdated records,
use the DNS server aging and scavenging feature.
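As an added example (not the page's or Microsoft's code) of the option 81 mechanics described above: encoding and decoding the Client FQDN option, and the decision the server makes under each DNS-tab policy about which records it registers and what it tells the client in the DHCPACK. The policy names are stand-ins for the Windows settings, the flag bits follow RFC 4702, and the host names are made up.

```python
"""DHCP option 81 (Client FQDN) and the DNS update decision.

Added example, not code from the page. The flag layout follows RFC 4702; the
policy names stand in for the settings on the DNS tab of the Windows DHCP
server ("only if requested by the DHCP clients", "always", disabled).
"""
FLAG_S = 0x01   # client asks the server to register the A record for it
FLAG_O = 0x02   # server override: server did the A update despite S=0
FLAG_E = 0x04   # name is in DNS wire (length-labelled) format, not ASCII
FLAG_N = 0x08   # client asks the server not to update DNS at all


def encode_fqdn_option(fqdn, flags):
    """Build the value of option 81: flags, two (unused) RCODE bytes, the name."""
    labels = fqdn.rstrip(".").split(".")
    if flags & FLAG_E:
        name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    else:
        name = fqdn.encode()
    return bytes([flags, 0, 0]) + name


def decode_fqdn_option(value):
    """Return (flags, fqdn) from an option 81 value in either encoding."""
    flags, raw = value[0], value[3:]
    if flags & FLAG_E:
        labels, i = [], 0
        while i < len(raw) and raw[i]:
            labels.append(raw[i + 1:i + 1 + raw[i]].decode())
            i += 1 + raw[i]
        return flags, ".".join(labels)
    return flags, raw.decode().rstrip(".")


def plan_updates(option_value, policy="if-requested", update_legacy_clients=False):
    """Decide which records the DHCP server registers for this client.

    Returns (server_does_A, server_does_PTR, reply_flags, fqdn). reply_flags is
    the option 81 flags byte the server sends back in the DHCPACK so the client
    knows what was done on its behalf (None for clients that sent no option 81).
    """
    if option_value is None:
        # Legacy client, no option 81: the server can only act if the setting
        # "update DNS for clients that do not request updates" is on.
        return (update_legacy_clients, update_legacy_clients, None, None)
    flags, fqdn = decode_fqdn_option(option_value)
    reply = flags & FLAG_E                         # echo the encoding the client used
    if policy == "off":
        return (False, False, reply | FLAG_N, fqdn)
    if policy == "always":
        do_a, do_ptr = True, True                  # both records, whatever the client asked
    elif flags & FLAG_N:
        do_a, do_ptr = False, False                # client asked for no server-side updates
    else:
        do_a, do_ptr = bool(flags & FLAG_S), True  # default: PTR by server, A by client unless S=1
    if do_a:
        reply |= FLAG_S
        if not flags & FLAG_S:
            reply |= FLAG_O                        # we overrode the client's wish to do A itself
    if not (do_a or do_ptr):
        reply |= FLAG_N
    return (do_a, do_ptr, reply, fqdn)


if __name__ == "__main__":
    opt = encode_fqdn_option("pc1.corp.example", FLAG_E)
    print(plan_updates(opt))                    # (False, True, 4, 'pc1.corp.example')
    print(plan_updates(opt, policy="always"))   # (True, True, 7, 'pc1.corp.example')
```

The reply flags matter for the ownership caveat above: a client that sees S and O set in the DHCPACK knows the server registered the A record, and will not try (and fail, under secure dynamic update) to register the same name itself.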

• What options in DHCP do you regularly use for an MS network?

Besides the leased address itself, the scope or server options a Windows
network almost always sets are:
 Subnet mask (option 1)
 Router / default gateway (option 3)
 DNS servers (option 6)
 DNS domain name (option 15)
and, where WINS is still in use, WINS/NBNS servers (option 44) and the
NetBIOS node type (option 46). The lease time (option 51) is configured per
scope rather than as an option you pick.

• What are User Classes and Vendor Classes in DHCP?
Vendor-defined classes are used for managing DHCP options assigned to
clients identified by vendor type. A client names its vendor class in
option 60 (vendor class identifier); Windows 2000 and later clients send
"MSFT 5.0", for example, and the server can then hand that class
vendor-specific options (option 43).
User-defined classes are used for managing DHCP options assigned to
clients identified by a common need for a similar DHCP options
configuration, such as all laptops or all machines in one department. The
client states its user class in option 77 (RFC 3004); the administrator
defines a class with the same name on the server and attaches the options
that should apply to members of that class.

• How do I configure a client machine to use a specific User Class?

The command to configure a client machine to use a specific user class is
ipconfig /setclassid "<connection name>" <class name>
where the class name is the one you created on the DHCP server and is case
sensitive (the server matches the bytes of option 77 literally).
Eg: ipconfig /setclassid "Local Area Connection" Accounting
Running ipconfig /setclassid "<connection name>" with no class name clears
it, and ipconfig /showclassid "<connection name>" shows what is set.

• What is the BOOTP protocol used for, where might you find it in
Windows network infrastructure? BOOTP (RFC 951) is the predecessor of
DHCP. It uses the same message format and the same UDP ports (server 67,
client 68) and provides
 a fixed IP address to the requester, looked up by MAC address from a
table on the server, AND
 the name of a boot file and the server it can be fetched from (by
TFTP), so that a system without a hard drive (a diskless client) can load
its operating system over the network.
DHCP extends BOOTP with leases and a richer option set, which is why a
DHCP relay agent forwards both protocols and why the Windows DHCP console
has a BOOTP table and a per-scope setting for answering BOOTP clients.

Apple's NetBoot for OS X Server builds on this model. The facility allows
the administrator to maintain a selected set of configurations as boot
images and then assign sets of client systems to share (or boot from) that
image. For example, the Accounting, Management, and Engineering departments
have elements in common but differ from other departments. Performing
upgrades and maintenance on three images is far more productive than
working on all client systems individually.

Startup is obviously network intensive, and beyond 40-50 clients the
administrator needs to carefully subnet the infrastructure, use gigabit
switches, and host the images local to the clients to avoid saturating the
network. This will expand the number of boot servers and multiply the
number of images, but the productivity of one boot server per 50 clients
is undeniable.

Sun Solaris, Linux, and AIX on RS/6000 all support BOOTP.

In a Windows infrastructure you meet BOOTP mostly through PXE network
boot: a PXE client's first packet is a DHCP/BOOTP request, and Remote
Installation Services (Windows 2000/2003) or Windows Deployment Services
answer it and deliver the boot program over TFTP to install Windows over
the network. Windows itself does not run as a diskless client; it is
installed this way onto a local disk.

• DNS zones – describe the differences between the 4 types.

A DNS zone is the unit of authority: the file (or, when integrated with
Active Directory, the directory partition) that holds all the resource
records for a specific part of the namespace.

i) Forward lookup zones resolve host names to IP addresses (A and AAAA
records, together with the CNAME, MX, NS and SRV records that hang off
those names).

ii) Reverse lookup zones (named under in-addr.arpa for IPv4) resolve IP
addresses back to host names with PTR records.

iii) Stub zones hold only what is needed to find the zone's authoritative
servers: the SOA record, the NS records, and the A (glue) records of the
servers the NS records name. A stub zone is not a read-only copy of the
zone; a secondary zone is.

iv) Primary, secondary and Active Directory-integrated describe where a
zone's data lives and who may write it, as follows.
A DNS zone is the contiguous portion of the DNS domain name space over which
a DNS server has authority, or is authoritative. A zone is a portion of a
namespace. It is not a domain. A domain is a branch of the DNS namespace. A
DNS zone can contain one or more contiguous domains. A DNS server can be
authoritative for multiple DNS zones. A
noncontiguous namespace cannot be a DNS zone.

A zone contains the resource records for all of the names within the particular
zone. Zone files are used if DNS data is not integrated with Active Directory.
The zone files contain the DNS database resource records which define the
zone. If DNS and Active Directory are integrated, then DNS data is stored in
Active Directory.

The different types of zones used in Windows Server 2003 DNS are listed below:

 Primary zone
 Secondary zone
 Active Directory-integrated zone
 Reverse lookup zone
 Stub zone
A primary zone is the writable original. It is the only standard zone type
that can be edited, and the DNS server that hosts it is the master from
which secondaries copy. Updates made to the primary zone are made on the
DNS server that is authoritative for that primary zone.
A secondary zone is a read-only copy of the zone that was copied from the
master server during zone transfer (AXFR for a full copy, IXFR for the
changes since the last serial number). It can only be updated through zone
transfer, which is why the SOA serial number must increase on the master
for secondaries to notice a change.

An Active Directory-integrated zone is a zone that stores its data in
Active Directory. DNS zone files are not needed. This type of zone is an
authoritative primary zone, and because the data is in the directory every
domain controller running DNS holds a writable copy (multi-master), so there
is no single master to lose. Zone data of an Active Directory-integrated
zone is replicated during the Active Directory replication process. Active
Directory-integrated zones also enjoy the security features of Active
Directory: access control on the zone and on each record, and the secure
dynamic update option described above.

A reverse lookup zone is an authoritative DNS zone. These zones are mainly
used to resolve IP addresses to resource names on the network. A reverse
lookup zone can be either of the following zones:

 Primary zone
 Secondary zone
 Active Directory-integrated zone
A stub zone is a new Windows Server 2003 feature. A stub zone contains only
the resource records necessary to identify the authoritative DNS servers
for the master zone:

 The Start of Authority (SOA) resource record of the zone.
 The NS resource records that list the authoritative DNS servers of the
zone.
 Glue address (A) resource records that are necessary for contacting
the authoritative servers of the zone.

The server holding the stub zone refreshes these records from the master
at the SOA refresh interval and uses them to send queries for names in that
zone straight to its authoritative servers, instead of walking down from
the root or depending on a forwarder. That makes stub zones a way to keep
delegations current, for example for a child domain whose name servers
change. Two query styles are involved:
• Iterative queries: the DNS server provides the best answer it can, which
is either the resolved name or a referral to a different DNS server. This
is what a server sends to the authoritative servers it learned from the
stub zone.
• Recursive queries: the DNS server has to reply with the requested
information or with an error; it cannot answer with a referral to a
different DNS server. This is what clients send to their configured DNS
server.

• DNS record types – describe the most important ones.

 A (Host): the classic resource record. Maps a host name to an IPv4
address.
 AAAA: maps a host name to an IPv6 address.
 PTR: maps an IP address back to a host name (the reverse of A) and
lives in reverse lookup zones.
 CNAME: canonical name, in plain English an alias, so that www, ftp or
chat can point at a host without a second A record.
 NS: names the DNS servers that are authoritative for a zone. Used in
delegations and stub zones; not to be confused with forwarders, which are
a server setting rather than a record.
 MX: names the mail servers for a domain, each with a preference value.
MX records are required to receive internet email for the domain.
 SRV: service locator records, required for Active Directory. A whole
family of underscore names, for example _ldap._tcp.dc._msdcs.<domain> for
domain controllers and _gc._tcp.<domain> for the global catalog; each
carries a priority, weight, port and target host.
 SOA: Start of Authority, one per zone. Holds the primary server, the
responsible person's mailbox, the serial number that secondaries compare,
and the refresh, retry, expire and minimum TTL timers. The SOA tab in the
zone's properties in the DNS console is where these are edited.
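The zone types and record types above, as an added example that is not part of the original page: a small zone-file parser over a constructed zone for a fictional corp.example domain, with functions that pull out what a stub zone would keep (SOA, NS, glue), the underscore SRV records Active Directory depends on, and the PTR records the matching reverse lookup zone would hold. The parser is deliberately minimal (one record per line) and the zone contents are made up.

```python
"""Zone file parsing, stub zone extraction and reverse-zone derivation.

Added example, not code from the page. The zone below is constructed, and the
parser is deliberately minimal: one record per line, $ORIGIN/$TTL directives,
optional per-record TTL, parentheses only on a single line.
"""

# Constructed forward lookup zone for a fictional AD domain corp.example
SAMPLE_ZONE = """
$ORIGIN corp.example.
$TTL 3600
@      IN SOA   dc1 hostmaster (2013030401 900 600 86400 3600)  ; serial refresh retry expire min
@      IN NS    dc1
@      IN NS    dc2
dc1    IN A     192.168.1.10
dc2    IN A     192.168.1.11
www    IN CNAME dc1
@      IN MX    10 mail
mail   600 IN A 192.168.1.20
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1
_gc._tcp             IN SRV 0 100 3268 dc1
dc1    IN AAAA  2001:db8::10
"""

# rdata fields that hold domain names, per record type (indexes into the rdata list)
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SRV": [3], "SOA": [0, 1]}


def _absolute(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, ttl, type, rdata_tuple) records with all names made absolute."""
    origin, default_ttl, records = ".", 3600, []
    for line in text.splitlines():
        line = line.split(";")[0].strip()                 # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = _absolute(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for idx in NAME_FIELDS.get(rtype, []):
            rdata[idx] = _absolute(rdata[idx], origin)
        records.append((owner, ttl, rtype, tuple(rdata)))
    return records


def stub_zone(records):
    """What a stub zone keeps: the SOA, the NS records, and glue A/AAAA for those servers."""
    apex = next(r for r in records if r[2] == "SOA")
    ns = [r for r in records if r[2] == "NS" and r[0] == apex[0]]
    servers = {r[3][0] for r in ns}
    glue = [r for r in records if r[2] in ("A", "AAAA") and r[0] in servers]
    return [apex] + ns + glue


def ad_srv_records(records):
    """The underscore SRV records domain members query to find DCs and global catalogs."""
    return [r for r in records if r[2] == "SRV" and r[0].startswith("_")]


def reverse_zone(records):
    """Derive the PTR records a reverse lookup zone holds for the zone's IPv4 hosts."""
    out = []
    for owner, ttl, rtype, rdata in records:
        if rtype == "A":
            rev = ".".join(reversed(rdata[0].split("."))) + ".in-addr.arpa."
            out.append((rev, ttl, "PTR", (owner,)))
    return out


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for rec in stub_zone(zone) + ad_srv_records(zone) + reverse_zone(zone):
        print(*rec)
```

Running stub_zone over a full zone shows the difference between a stub and a secondary in one glance: six records survive out of eleven, none of them the hosts themselves, which is why a stub zone can point at a child domain's servers without carrying (or leaking) its contents.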