What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage and store their user objects, computer objects, and group membership, and to define security boundaries in a logical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources and makes the resources accessible to users and applications. It provides a consistent way to name, describe, locate, access, manage, and secure information about these resources.

Functions of Active Directory

Active Directory provides the following functions:

● Centralizes control of network resources. By centralizing control of resources such as servers, shared files, and printers, only authorized users can access resources in Active Directory.
● Centralizes and decentralizes resource management. Administrators have centralized administration with the ability to delegate administration of subsets of the network to a limited number of individuals, giving them greater granularity in resource management.
● Stores objects securely in a logical structure. Active Directory stores all of the resources as objects in a secure, hierarchical logical structure.
● Optimizes network traffic. The physical structure of Active Directory enables you to use network bandwidth more efficiently. For example, it ensures that, when users log on to the network, the authentication authority that is nearest to the user authenticates them, reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.

Operations Master Roles

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication. During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.

Operations that use single master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest. The forest-wide roles are:

● Schema master: Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

● Domain naming master: Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:

● Primary domain controller (PDC) emulator: Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.
● Relative identifier (RID) master: When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.
● Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.
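The domain SID plus RID layout described under the RID master role, as an added example (not code from the original notes): it splits a SID string into its domain SID and RID, flags the well-known RIDs a defender should recognise regardless of account renaming, and converts to and from the binary form AD stores in the objectSid attribute. The sample SID values are constructed.

```python
"""Decompose a Windows security identifier (SID) into its domain SID and RID.

Added example, not code from the original notes. It applies the SID layout
described under the RID master role (a domain SID shared by every principal
in the domain + a RID unique within it). The sample SIDs are constructed.
"""
import struct

# Well-known RIDs that exist in every domain (values documented by Microsoft).
# A defender uses them to recognise privileged principals from the SID alone,
# whatever the account or group has been renamed to.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

def parse_sid(sid):
    """Parse 'S-<rev>-<authority>-<sub>...' into a dict.

    For domain principals (authority 5, first sub-authority 21, five
    sub-authorities) the dict also carries 'domain_sid', 'rid' and, when the
    RID is well known, 'well_known'.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"SID out of range: {sid!r}")
    info = {"revision": revision, "authority": authority, "subauthorities": subs}
    # S-1-5-21-<3 domain values>-<RID>: everything before the RID identifies
    # the domain; the RID came from a block the RID master gave the issuing DC.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        info["rid"] = subs[4]
        if subs[4] in WELL_KNOWN_RIDS:
            info["well_known"] = WELL_KNOWN_RIDS[subs[4]]
    return info

def same_domain(sid_a, sid_b):
    """True when two principal SIDs were issued by the same domain."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return "domain_sid" in a and a.get("domain_sid") == b.get("domain_sid")

def sid_to_bytes(sid):
    """Encode as AD stores it in objectSid: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian authority, then little-endian uint32s."""
    info = parse_sid(sid)
    subs = info["subauthorities"]
    return (struct.pack("<BB", info["revision"], len(subs))
            + info["authority"].to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, validating the length against the count byte."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(map(str, (revision, authority, *subs)))

if __name__ == "__main__":
    # Constructed domain SID; RID 512 marks the Domain Admins group.
    sample = "S-1-5-21-1004336348-1177238915-682003330-512"
    print(parse_sid(sample))
    print(bytes_to_sid(sid_to_bytes(sample)) == sample)
```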

The global catalog contains:

● The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.
● The information that is necessary to determine the location of any object in the directory.
● The access permissions for each object and attribute that is stored in the global catalog. Access permissions ensure that users can find only objects to which they have been assigned access. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results.

A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names, or login name, for example). The partial attributes that it has for that object would be enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC, and reduces network traffic over the WAN in an attempt to locate objects somewhere else in the network.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network. Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.

What Are DNS Zones?

A zone starts as a storage database for a single DNS domain name. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

● Managed and included as part of the original zone records, or
● Delegated away to another zone created to support the subdomain.

Active Directory Integrated Zones

Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone.

What Are Active Directory Integrated Zones?

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

Types of Zones

There are two types of zones, forward lookup and reverse lookup. Forward lookup zones contain information needed to resolve

names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Active Directory requires forward lookup zones.

Reverse lookup zones contain information needed to perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records. With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN. The DNS standard provides for this possibility through reverse lookups, and is used for TCP/IP network troubleshooting.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller:

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as Example.microsoft.com.dns if the zone name was example.microsoft.com. This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates, also known as DDNS, and process zone

changes. The standard primary model implies a single point of failure.

Note: A Standard Primary zone will not replicate its information to any other DNS servers, but may allow zone transfers to Secondary zones.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones, or replicate with other domain controllers, since it does not have Active Directory installed.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53. The data in a Secondary zone is read only, and updated information must come from additional zone transfers. Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available. Win2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1. Record Types

Name                    Description
Host (A)                For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME)           For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX)     For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR)           For mapping a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service location (SRV)  For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Q1. What does the logical component of the Active Directory structure include?

■ Objects: Resources are stored in the Active Directory as objects. An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on.

Sub category: object class. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema:

The classes and the attributes that they define are collectively referred to as the Active Directory Schema—in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

■ Domains: The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

■ Trees: Multiple domains are organized into a hierarchical structure called a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. All domains in a tree share a common schema and a contiguous namespace. Figure 1-1 shows an example of a tree. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain. Actually, even if you have only one domain in your organization, you still have a tree.

Figure 1-1 A tree is a hierarchical organization of multiple domains.

■ Forest: Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in. A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network,

and it is created when the first Active Directory–enabled computer (domain controller) on a network is installed. This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy. Figure 1-2 shows an example of a forest with two trees. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created). Each tree in the forest has its own namespace. A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

■ Organizational Units: Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU. IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship and how many types of trust relationship are there in Windows Server 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain). Windows Server 2003 supports six types of trust relationships:

■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts

Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic. More specifically, sites are used to control the following:

■ Workstation logon traffic

■ Replication traffic
■ Distributed File System (DFS): Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.
■ File Replication Service (FRS): Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical

connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites—one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

■ Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule. Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs.

Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

■ Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

■ Relative Distinguished Names: The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. In the example CN=wjglenn,CN=Users,DC=contoso,DC=com, the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. Thus the name uniquely identifies the object relative to the other objects within the same container.

Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container. The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

■ DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
■ OU: The Organizational Unit (OU) tag identifies an organizational unit container.
■ CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

■ Distinguished Names: Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object. An example of a typical distinguished name would be: CN=wjglenn,CN=Users,DC=contoso,DC=com. This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.
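The RDN and DN formats above, and the canonical name form described under Canonical Names below, worked through as an added example (not code from the original notes): it splits a DN into its RDN, parent container and domain, builds the canonical name, and checks a batch of DNs for the per-container RDN collisions that AD rejects. The DN CN=wjglenn,CN=Users,DC=contoso,DC=com is the page's own; the second DN and all function names are constructed for this example.

```python
"""Convert between the Active Directory naming formats described under Q12:
relative distinguished name (RDN), distinguished name (DN) and canonical name.

Added example; it is not code from the original notes. The DN
CN=wjglenn,CN=Users,DC=contoso,DC=com is the one used in the text; the
second DN and the function names are a constructed illustration.
"""
from collections import defaultdict

def split_dn(dn):
    """Split a DN into (TAG, value) pairs from leaf to root.

    Handles backslash escapes (RFC 4514), so a comma inside a value such as
    'Glenn\\, Walter' stays part of that value instead of starting a new RDN.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:               # previous char was '\': take this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn_text in rdns:
        tag, sep, value = rdn_text.strip().partition("=")
        if not sep or not tag.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        pairs.append((tag.strip().upper(), value))
    return pairs

def _escape(value):
    """Re-escape the characters that would otherwise split an RDN on output."""
    return value.replace("\\", "\\\\").replace(",", "\\,")

def join_dn(pairs):
    """Rebuild 'TAG=value,TAG=value,...' from (tag, value) pairs."""
    return ",".join(f"{tag}={_escape(value)}" for tag, value in pairs)

def rdn(dn):
    """The leaf RDN: for most objects this is the CN attribute, e.g. CN=wjglenn."""
    return join_dn(split_dn(dn)[:1])

def parent_dn(dn):
    """The container the object lives in; the RDN is unique only inside it."""
    return join_dn(split_dn(dn)[1:])

def domain_dns_name(dn):
    """The DC components read left to right give the domain's DNS name."""
    return ".".join(v for tag, v in split_dn(dn) if tag == "DC")

def canonical_name(dn):
    """Same path as the DN, but root first and without LDAP attribute tags:
    CN=wjglenn,CN=Users,DC=contoso,DC=com -> contoso.com/Users/wjglenn."""
    containers = [v for tag, v in split_dn(dn) if tag != "DC"]
    return "/".join([domain_dns_name(dn), *reversed(containers)])

def rdn_conflicts(dns):
    """Group DNs that share an RDN inside the same parent container.

    AD refuses to create the second object of such a pair (RDN uniqueness is
    per container); matching is case-insensitive, as AD's DN matching is.
    """
    groups = defaultdict(list)
    for dn in dns:
        groups[(parent_dn(dn).lower(), rdn(dn).lower())].append(dn)
    return [members for members in groups.values() if len(members) > 1]

if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(rdn(dn), "|", parent_dn(dn), "|", canonical_name(dn))
```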

■ User Principal Names: The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

■ Canonical Names: An object's canonical name is used in much the same way as the distinguished name—it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name: contoso.com/Users/wjglenn. As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15. What are the different types of groups?

■ Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

■ Distribution groups: These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

■ Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

■ Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain

local groups can also contain other domain local groups and universal groups.

■ Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:
1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. You can grant permissions for a universal group to any resource in any domain.
5. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

Q17. What is group nesting?

Placing one group in another is called group nesting. For example, suppose you had junior-level administrators in four different geographic locations. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then, you could create a single group named Junior Admins and make each of the location-based groups a member of the main group, as shown in Figure 4-10. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q18. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q19. How many characters does a group name contain?

Ans) 64

Using a single tree is fine if your organization is confined within a single DNS namespace. A domain represents an administrative boundary. . phone number. users. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored ■ Domains The basic organizational structure of the Windows Server 2003 networking model is the domain.com. you still have a tree. is made up of attributes such as name. and so on. ■ Trees Multiple domains are organized into a hierarchical structure called a tree. The Active Directory Schema:The classes and the attributes that they define are collectively referred to as the Active Directory Schema—in database terms. for example. Actually. A user object. password. The next domain that you add becomes a child domain of that root. Figure 1-1 A tree is a hierarchical organization of multiple domains. and other objects within a domain share a common security database. The first domain you create in a tree is called the root domain. for example. even if you have only one domain in your organization. specifies the attributes that make up the user object.com was the first domain created in Active Directory in this example and is therefore the root domain. The user class.■ Objects:-Resources are stored in the Active Directory as objects. Microsoft. Figure 1-1 shows an example of a tree.All domains in a tree share a common schema and a contiguous namespace.com root domain share the namespace microsoft. all of the domains in the tree under the microsoft. The computers. Sub category:object class An object is really just a collection of attributes. This expandability of domains makes it possible to have many domains in a tree. The attributes that make up an object are defined by an object class. In the example shown in Figure 1-1. group membership. 
a schema is the structure of the tables and fields and how they are related to one another.

■ Forest: A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in. Figure 1-2 shows an example of a forest with two trees. In the figure, microsoft.com is one tree and contoso.com is a second tree. Each tree in the forest has its own namespace. Both are in a forest named microsoft.com (after the first domain created). There is always at least one forest on a network, and it is created when the first Active Directory–enabled computer (domain controller) on a network is installed. This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy. A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

■ Organizational Units: Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain? Physical structures include domain controllers and sites.

Q3. What is nesting? The creation of an OU inside another OU. IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship, and how many types of trust relationship are there in Exchange 2003? Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain). Windows Server 2003 supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts

Q5. What is a site? A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site? Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic. More specifically, sites are used to control the following:
■ Workstation logon traffic
■ Replication traffic
■ Distributed File System (DFS): DFS is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.
■ File Replication Service (FRS): Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains? Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type is the site links configured to connect the site to other sites.

Q8. What is a site link? For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur. You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q9. Explain replication in Active Directory. Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain.

Q10. What are the different types of replication? Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).
■ Intrasite Replication: Within a site, replication happens automatically. Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule. Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.
■ Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes). The compression saves bandwidth, but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP? LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming convention does Active Directory use? Active Directory supports several types of names for the different formats that can access Active Directory. These names include:
■ Relative Distinguished Names: The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example CN=wjglenn,CN=Users,DC=contoso,DC=com, the relative distinguished name of the object is CN=wjglenn.

The relative distinguished name of the parent organizational unit is Users. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container. The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:
■ DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
■ OU: The Organizational Unit (OU) tag identifies an organizational unit container.
■ CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.
■ Distinguished Names: Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. An example of a typical distinguished name would be: CN=wjglenn,CN=Users,DC=contoso,DC=com. This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest. You cannot have two objects with the same distinguished name.
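As an added example (not code from the original page or the Microsoft training material it draws on), the following Python splits a distinguished name into its tagged RDNs, takes the RDN and the parent container, rebuilds the DN after a move, and derives the canonical form described next. The backslash escape for commas inside a value is an assumption taken from the LDAP string representation; the page itself does not cover it.

```python
"""Work with Active Directory distinguished names (DNs) as described above:
split one into its LDAP attribute-tagged RDNs, take the RDN and parent
container, build the canonical name, and rebuild the DN after a move.
Added example, not code from the original page; it assumes the
comma-separated, backslash-escaped string form Active Directory uses."""

from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute tag such as CN, OU or DC, value)


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=wjglenn,CN=Users,DC=contoso,DC=com' into its RDNs.

    A backslash escapes the next character, so a value written as
    'Glenn\\, Walter' keeps its comma instead of starting a new RDN.
    Tags are normalised to upper case; values are kept as written."""
    parts: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            piece = "".join(buf).strip()
            tag, sep, value = piece.partition("=")
            if not sep or not tag.strip() or not value:
                raise ValueError(f"RDN {piece!r} in {dn!r} is not tag=value")
            parts.append((tag.strip().upper(), value))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return parts


def format_rdn(rdn: RDN) -> str:
    """Render one RDN back to text, re-escaping any comma in the value."""
    tag, value = rdn
    escaped = value.replace(",", "\\,")
    return f"{tag}={escaped}"


def relative_distinguished_name(dn: str) -> str:
    """The RDN is the leftmost component, unique only within its parent."""
    return format_rdn(parse_dn(dn)[0])


def parent_dn(dn: str) -> str:
    """Everything after the first RDN: the container holding the object."""
    return ",".join(format_rdn(r) for r in parse_dn(dn)[1:])


def canonical_name(dn: str) -> str:
    """Canonical form: root first, no attribute tags, '/' between levels:
    CN=wjglenn,CN=Users,DC=contoso,DC=com -> contoso.com/Users/wjglenn"""
    rdns = parse_dn(dn)
    domain = ".".join(v for t, v in rdns if t == "DC")
    path = [v for t, v in rdns if t != "DC"]
    path.reverse()  # the DN names the object first; canonical walks down
    return "/".join([domain] + path)


def move_object(dn: str, new_parent: str) -> str:
    """Moving an object keeps its RDN, but the DN changes to the new
    container, as the page says happens when wjglenn is moved."""
    return ",".join([relative_distinguished_name(dn), new_parent])


def dn_conflict(dn_a: str, dn_b: str) -> bool:
    """True when two DNs name the same place: the same RDN under the same
    parent, which Active Directory does not allow (case-insensitive)."""
    def norm(dn: str) -> List[RDN]:
        return [(t, v.casefold()) for t, v in parse_dn(dn)]
    return norm(dn_a) == norm(dn_b)


if __name__ == "__main__":
    example = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(relative_distinguished_name(example), parent_dn(example))
    print(canonical_name(example))
    print(move_object(example, "OU=Sales,DC=contoso,DC=com"))
```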

■ Canonical Names: An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name: contoso.com/Users/wjglenn. As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
■ User Principal Names: The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Q13. Which two operations master roles should be available when new security principals are being created and named? Domain naming master and the relative ID master.

Q14. What is multimaster replication? Active Directory follows multimaster replication, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q15. What are the different types of groups?
■ Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.
■ Distribution groups: These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

Q16. What is a group scope and what are the different types of group scopes? As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers. Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.
■ Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics: 1. Global groups can contain user and computer accounts only from the domain in which the global group is created. 2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain. 3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.
■ Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics: 1. Domain local groups can contain users and global groups from any domain in a forest no matter what functional level is enabled. 2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

■ Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics: 1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003. 2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers. 3. Universal groups can contain users, global groups, and other universal groups from any domain in a forest. 4. You can grant permissions for a universal group to any resource in any domain. 5. Universal groups are used to assign permissions to related resources in multiple domains.

Q17. What is group nesting? Placing one group in another is called group nesting. For example, suppose you had junior-level administrators in four different geographic locations. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then, you could create a single group named Junior Admins and make each of the location-based groups a member of the main group, as shown in Figure 4-10. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q18. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q19. How many characters does a group name contain? 64

Q20. Is a site part of the Active Directory namespace? No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS? The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability. Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to better performance and add additional fault tolerance. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system consists of a DFS client which provides additional features as well as caching, load balancing and reduced use of network bandwidth.

Understanding the DFS Terminology: It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.
Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.
Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.
Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.

Q22. What all can a site topology owner do? The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:
■ Making changes to the site topology based on changes to the physical network topology.
■ Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
■ Monitoring network connectivity and setting the costs for links between sites.

Q23. Which service is responsible for replicating files in the SYSVOL folder? File Replication Service (FRS)

Q24. What are the types of replication in DFS? There are two types of replication:
* Automatic, which is only available for Domain DFS
* Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q1. What is DNS? DNS provides name registration and name-to-address resolution capabilities, and it is typically centrally administered. The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers. And DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network. Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Host files are easy to understand. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory. The fundamental problem with the host files was that these files were labor intensive. A host file is manually modified.

Q2. Which are the four generally accepted naming conventions?
NetBIOS Name (for instance, SPRINGERS01)
TCP/IP Address (121.1.2.44)
Host Name (Abbey)
Media Access Control (MAC) address, which is the network adapter hardware address

Q3. How does DNS really work? DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line? DNS resolves domain names to IP addresses using these steps:
Step 1. A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Q4. Which are the major records in DNS?
1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. They have three fields: Host Name, Host IP Address, Domain. E.g.: eric.foobarbaz.com. IN A 36.36.133.6. It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record, with every column the same save for the IP address.
2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME: www.foobarbaz.com. IN CNAME eric.foobarbaz.com. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias. You can add A or CNAME records for the service name pointing to the machines you want to load balance.
3. Mail Exchange Records (MX): "MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below: foobarbaz.com. IN MX 10 eric.foobarbaz.com. You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, however, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

As you can see from the example for the A record in the beginning of this document, you can have as many MX records as you would like. It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one: *.foobarbaz.com. IN MX 10 eric.foobarbaz.com. This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com. One should use caution with wildcards. Obviously, specific records will be given precedence over ones containing wildcards. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.
4. Pointer Records (PTR): Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa". In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). In-addr.arpa records look as such: 6.133.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com. Obviously, the record simply has the IP address in reverse for the host name in the last column. A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.
5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this: foobarbaz.com. IN NS draven.foobarbaz.com. There also must be an A record in your DNS for each machine you enter as a name server in your domain. If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.
6. Start Of Authority Records (SOA): The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record, then each part of it will be explained:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
1996111901 ; Serial
10800 ; Refresh
3600 ; Retry
3600000 ; Expire
86400 ) ; Minimum
The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substituted a "@" for the first ".". There should always be a viable contact address in the SOA record. The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed. Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones. All the rest of the numbers in the record are measurements of time, in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry. There can only be one SOA record per domain. Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Q5. What is a DNS zone? A zone is simply a contiguous section of the DNS namespace. Often, subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain. Records for a zone are stored and managed together. The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

Q6. Name the two zones in DNS? DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone.
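As an added example (not from the page and not Allegiance Internet's material), the Python below parses the six record types walked through above and applies the checks that depend on them: the MX preference order with the wildcard rule, the in-addr.arpa reverse lookup, and the SOA serial that secondaries compare before transferring. The zone text is constructed from the page's foobarbaz.com records; the backup mail host at preference 20 is an assumed value.

```python
"""Parse the zone-file records described above (A, CNAME, MX, PTR, NS, SOA)
and run the checks that depend on them: MX preference order with the
wildcard rule, the in-addr.arpa reverse lookup, and the YYYYMMDDNN serial
a secondary compares against the SOA.  Added example, not from the page;
the zone is constructed from its foobarbaz.com records plus an assumed
backup mail host at preference 20."""

from datetime import date
from typing import Any, Dict, List

Record = Dict[str, Any]

ZONE = """
foobarbaz.com.        IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                      1996111901 ; Serial
                      10800      ; Refresh
                      3600       ; Retry
                      3600000    ; Expire
                      86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
eric.foobarbaz.com.   IN A     36.36.133.6
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
foobarbaz.com.        IN MX 10 eric.foobarbaz.com.
foobarbaz.com.        IN MX 20 backup.foobarbaz.com.
*.foobarbaz.com.      IN MX 10 eric.foobarbaz.com.
6.133.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
"""


def _logical_lines(text: str) -> List[str]:
    """Drop ';' comments and join a record continued inside parentheses."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).strip()
            if joined:
                out.append(joined)
            buf = []
    return out

def parse_zone(text: str) -> List[Record]:
    """One dict per record: owner, type and the type-specific fields."""
    records: List[Record] = []
    for line in _logical_lines(text):
        tok = line.split()
        if len(tok) < 4 or tok[1] != "IN":
            raise ValueError(f"cannot parse record: {line!r}")
        rec: Record = {"owner": tok[0].lower(), "type": tok[2]}
        rdata = tok[3:]
        if rec["type"] in ("A", "CNAME", "NS", "PTR"):
            rec["target"] = rdata[0].lower()
        elif rec["type"] == "MX":
            rec["pref"], rec["target"] = int(rdata[0]), rdata[1].lower()
        elif rec["type"] == "SOA":
            mname, rname, *nums = rdata
            names = ("serial", "refresh", "retry", "expire", "minimum")
            rec.update(zip(names, map(int, nums)))
            rec["primary"] = mname.lower()
            user, _, host = rname.rstrip(".").partition(".")  # first '.' is '@'
            rec["contact"] = f"{user}@{host}"
        else:
            raise ValueError(f"unsupported record type {rec['type']}")
        records.append(rec)
    return records

def mail_servers(records: List[Record], name: str) -> List[str]:
    """Hosts a sender tries for mail to 'name', lowest preference first.
    The wildcard MX applies only when the name has no records of its own,
    so a host with just an A record gets no MX at all (the page's reason
    for adding an MX even when mail goes straight to a machine)."""
    owner = name.lower().rstrip(".") + "."
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == owner]
    if not mx and not any(r["owner"] == owner for r in records):
        wildcard = "*." + owner.split(".", 1)[1]
        mx = [r for r in records if r["type"] == "MX" and r["owner"] == wildcard]
    return [r["target"] for r in sorted(mx, key=lambda r: r["pref"])]

def reverse_name(ip: str) -> str:
    """Owner name for a reverse lookup: octets reversed under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def reverse_lookup_matches(records: List[Record], ip: str) -> bool:
    """The page's 'good security measure': the PTR for the address must
    name a host whose A record points back at that same address."""
    hosts = [r["target"] for r in records
             if r["type"] == "PTR" and r["owner"] == reverse_name(ip)]
    return any(r["type"] == "A" and r["owner"] in hosts and r["target"] == ip
               for r in records)

def next_serial(current: int, today: date) -> int:
    """Next YYYYMMDDNN serial.  Secondaries transfer only when the primary's
    serial is higher, so the result is never below the published value."""
    return max(current + 1, int(today.strftime("%Y%m%d")) * 100)
```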

Q7. Short summary of the records in DNS?
The NS records are used to point to additional DNS servers. The SOA record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update). MX records are used when configuring a domain for email. CNAME records are used to give a host multiple names. The PTR record is used for reverse lookups (IP to name).

Q8. What is an AD-integrated zone?
AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q9. How many SOA records does each zone contain?
Each zone has exactly one SOA record.

Q10. What is a stub zone?
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

Q11. What does a stub zone consist of?
A stub zone consists of:
• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q12. How does resolution through a stub zone take place?
When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints. The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original, primary zone. If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?
For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:
• Multimaster update and enhanced security based on the capabilities of Active Directory. In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones. Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates; leaving a zone open to nonsecure updates lets any host on the network overwrite any record, so check this setting on every zone you convert. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

• Directory replication is faster and more efficient than standard DNS replication. Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Q8. When does Group Policy get refreshed/applied?
Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh. Background refresh for non-DCs (PCs and member servers) is every 90 minutes, with a random offset of +/- 30 minutes, so the refresh could happen anywhere between 60 and 120 minutes. For DCs (Domain Controllers), background refresh is every 5 minutes. Also, every 16 hours every PC reapplies its security settings even if the GPOs have not changed; this is the security settings extension at work, and it is why a security setting that has been tampered with locally does not stay tampered for long. These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?
The following policies are not affected by background refresh and are only applied at startup or logon time:
• Folder Redirection
• Software Installation
• Logon, Logoff, Startup and Shutdown scripts

Q9. How to refresh Group Policies using the command line?
Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

    secedit /refreshpolicy user_policy       (refresh the user policies)
    secedit /refreshpolicy machine_policy    (refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

    secedit /refreshpolicy user_policy /enforce
    secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

    gpupdate /target:user        (refresh the user policies)
    gpupdate /target:computer    (refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

    gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?
Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies. When a user logs into a domain on a link under 500 kbps some policies are not applied.

Q11. Which policies are applied regardless of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the dial-up connection. These are:
• Administrative Templates
• Security Settings
• EFS Recovery
• IPSec

Q12. Which policies do not get applied over slow links?
• IE Maintenance Settings
• Folder Redirection
• Scripts
• Disk Quota settings
• Software Installation and Maintenance
These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy. If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, the computer policies are applied first, once the user is authenticated, followed by the user policies. If the user connects to the domain using "Network and Dial-up Connections" after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?
There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy. This GPO can be found under the Group Policy tab for that domain; it is the first policy listed. The default domain policy is unique in that certain policies can only be applied at the domain level. If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed: Password Policy, Account Lockout Policy and Kerberos Policy. These 3 policies can only be set at the domain level for domain accounts. If you set these policies anywhere else (Site or OU), they are ignored for domain accounts. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to the PCs in that OU. That is, log in locally and you get the OU policy; log in to the domain and you get the domain policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:
• Automatically log off users when logon time expires
• Rename Administrator Account. When set at the domain level, it affects the Domain Administrator account only.
• Rename Guest Account. When set at the domain level, it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy. This policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally and so on. This policy reaches every domain controller in the domain because all domain controllers are placed in the Domain Controllers OU when they are promoted; the policy is linked to that OU, so a domain controller moved to another OU stops receiving it. Leave domain controllers in the Domain Controllers OU.

Q14. How to restore Group Policy settings back to default?
If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. The following command would replace both the Default Domain Policy and the Default Domain Controllers Policy:

    dcgpofix /target:Both

You can specify Domain or DC instead of Both, to only restore one or the other. Note that this must be run from a domain controller in the target domain where you want to reset the GPO, and that it restores the out-of-the-box settings only: anything you added to those GPOs is lost, so back them up first. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources
Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:
1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.
2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.
3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.
4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. A single object can sit inside a chain of nested OUs; in that case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. Settings made at the OU level override conflicting settings applied at the domain, site, or local level. If multiple GPOs are linked to a single OU, the administrator can control the order in which they are processed.

Q15. What are the two exceptions to control the inheritance of Group Policy?
■ No Override. When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.
■ Block Inheritance. You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.

Q16. How to redirect new user and computer accounts?
By default, new user and computer accounts are created in the Users and Computers containers. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?
Editing GPOs linked to sites requires Enterprise Administrative permissions.
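The processing order and the two inheritance exceptions above are easiest to check by working through a concrete object. The following is an added example (not part of the original page or of any Microsoft tool) that models how the GPOs in a local / site / domain / OU chain are combined, which GPO wins each setting, and what No Override and Block Inheritance change. All container names, GPO names and settings are constructed; real processing has further steps (security filtering, WMI filters, loopback) that are left out.

```python
"""Added example (not part of the original page): a model of how Group Policy combines the
GPOs that apply to one computer or user, following the local / site / domain / OU order and
the No Override and Block Inheritance exceptions described above. Container names, GPO names
and settings are constructed for the example; real processing has more moving parts (WMI
filters, security filtering, loopback), which are left out."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # "No Override" set on the link


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # link order: the first entry has the highest precedence
    block_inheritance: bool = False
    is_local: bool = False         # the computer's local GPO: processed first, never blocked


def resolve(chain):
    """`chain` runs from the outermost scope to the OU that holds the object, for example
    [local, site, domain, parent OU, child OU]. Returns (effective settings, winning GPO per setting)."""
    # The deepest container with Block Inheritance discards every non-enforced GPO linked above it.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)
    effective, winner, enforced = {}, {}, []
    for depth, container in enumerate(chain):
        # Within one container the first-listed link wins, so apply links in reverse order.
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                enforced.append((depth, gpo))   # applied last, see below
                continue
            if block_at is not None and depth < block_at and not container.is_local:
                continue                        # blocked by a child container
            for key, value in gpo.settings.items():
                effective[key], winner[key] = value, gpo.name
    # No Override GPOs beat everything below them: apply them after the normal pass,
    # deepest first, so the outermost enforced GPO is written last and wins.
    for _, gpo in sorted(enforced, key=lambda e: e[0], reverse=True):
        for key, value in gpo.settings.items():
            effective[key], winner[key] = value, gpo.name
    return effective, winner


def build_chain(block_sales):
    """Constructed scenario: a workstation in OU=Field under OU=Sales in the domain corp.example."""
    local = Container("Local", [GPO("Local GPO", {"screensaver_timeout": 900, "wallpaper": "local.bmp"})],
                      is_local=True)
    site = Container("Site-HQ", [GPO("Site Policy", {"wallpaper": "site.bmp"})])
    domain = Container("corp.example", [
        GPO("Security Baseline", {"screensaver_timeout": 600}, no_override=True),
        GPO("Default Domain Policy", {"min_password_length": 8, "wallpaper": "domain.bmp"}),
    ])
    sales = Container("OU=Sales", [GPO("Sales Policy", {"wallpaper": "sales.bmp", "screensaver_timeout": 1800})],
                      block_inheritance=block_sales)
    field_ou = Container("OU=Field", [GPO("Field Policy", {"proxy": "proxy.field.corp.example"})])
    return [local, site, domain, sales, field_ou]


if __name__ == "__main__":
    for blocked in (False, True):
        settings, who = resolve(build_chain(blocked))
        print(f"Block Inheritance on OU=Sales: {blocked}")
        for key in sorted(settings):
            print(f"  {key:<20} = {settings[key]!s:<28} (from {who[key]})")
```

Run both scenarios and compare: with Block Inheritance on OU=Sales the domain's password length setting disappears from the workstation, but the enforced "Security Baseline" screensaver timeout survives because No Override cannot be blocked, exactly the interaction Q15 describes.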

Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires the appropriate permissions on the OU.

Q18. What is the client requirement for supporting GPOs?
For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group Policy.
■ Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.

DNS Q&A corner

Q14. What is Scavenging?
DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?
The default value is 168 hours, which is equivalent to 7 days. Scavenging only runs if it is enabled on both the zone and at least one server, and a record is only removed once its timestamp is older than the zone's no-refresh plus refresh intervals (each 7 days by default); hosts that are still alive re-register before that.

Q1. How do I use a load balancer with my name servers?
> Just wanted to ask a question about load-balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches/Local Directors). Have you ever heard or architected such a configuration? The main question being the configuration whether to use 2 Master/Primary Servers or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be setup. One in which only the resolvers query the virtual IP address on the load balancing appliance or actually configure your NS records to point to the Virtual Address so that all queries, both by local queries directly from local users and also queries from external DNS servers. I've included a text representation of the physical configuration.
>
>      VIP = 167.147.2.5
>     ------------------------
>     | Load Balancer Device |
>     ------------------------
>          |            |
>     ---------    ---------
>     | DNS 1 |    | DNS 2 |
>     ---------    ---------
>     1.1.1.1      1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

It can be useful for resolvers, actually. In that case, just setting up a virtual IP address, you don't need to worry about NS records (since resolvers don't use them). And is there any problem in running two Master/Primaries? Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?
> How can reverse lookup possibly work on the Internet - how does it know where to look? Is there a giant reverse lookup zone in the sky? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server - how can a local resolver or ISP's DNS server find the pointer records please?

Yes, actually, there is: in-addr.arpa. If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends "in-addr.arpa." So, in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa. Then the resolver sends a query for PTR records attached to that domain name. And the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 114.161.in-addr.arpa name servers, run by Compaq. If necessary, these name servers refer the querier to the 1.114.161.in-addr.arpa name servers. And, finally, these name servers map the IP address to inmail.compaq.com.

Q3. What are the pros and cons of running slaves versus caching-only name servers?
> Question: I am in the process of setting up dns servers in several locations for my business. I have looked into having a primary master server running in my server

> room and adding slave servers in the other areas. I then thought I could just setup a primary and a single slave server and run caching only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries. On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I use an A record instead of an MX record?
> I have a single machine running DNS, mail and web for a domain and I'm not sure that I have DNS setup properly. If the machine that is running the mail is the name of the domain does there need to be an MX record for mail? If an MX record is not needed, how would you put in an MX record for a backup mail server?
>
> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist. If you want to use a backup mailer, you need to use MX records.

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after "CNAME" must contain a domain name, not an IP address. For example:

    www    CNAME    foo.example.

Q5. Can I set a TTL on a specific record?
> Is it possible to setup ttl values for individual records in bind?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

    foo    300    IN    A    10.0.0.1

Q6. What are a zone's NS records used for?
> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:
• Your name servers return them in responses to queries, in the authority section of the DNS message.
• Your name servers use the NS records to determine where to send NOTIFY messages.
• Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.
Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours "wins."

Q7. Do slaves only communicate with their masters over TCP?
> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have acl's blocking udp traffic but allowing tcp traffic will the transfer work or will it fail due to the slave's inability to query for the SOA record on udp?

No. The refresh query (for the zone's SOA record) is usually done over UDP.
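Several of the rules stated in this section and in the SOA/NS discussion earlier are mechanical enough to check automatically: exactly one SOA, at least two NS records each backed by an A record when the server is inside the zone, CNAME targets that are names and not addresses (Q4), per-record TTLs (Q5), MX preferences that fit in 16 bits, the A-record fallback when a mail destination has no MX (Q4), and the in-addr.arpa owner names that reverse mapping (Q2) relies on. The following is an added example (not part of the original page or of BIND) that does exactly that over a constructed zone built from the foobarbaz.com names used earlier; all addresses are constructed, and the parser only understands the one-record-per-line layout shown.

```python
"""Added example (not part of the original page): a small checker for the zone-file rules
stated in this section and in the SOA/NS discussion earlier: exactly one SOA; at least two NS
records, each backed by an A record when the server's name is inside the zone; CNAME targets
that are domain names rather than IP addresses; MX preferences that fit in 16 bits; and the
A-record fallback used when a mail destination has no MX. It also derives the in-addr.arpa
owner names that PTR records for the zone's A records would need. The zone text and all
addresses are constructed for the example; the parser only handles the one-record-per-line
layout used here."""
import ipaddress

ORIGIN = "foobarbaz.com."

ZONE = """\
$ORIGIN foobarbaz.com.
@       IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. ( 1996111901 10800 3600 3600000 86400 )
@       IN NS    draven.foobarbaz.com.
@       IN NS    nsf.algx.net.
@       IN MX    10 mail.foobarbaz.com.
@       IN MX    20 mail2.foobarbaz.com.
draven  IN A     10.0.0.1
mail    IN A     10.0.0.2
mail2   IN A     10.0.0.3
www 300 IN A     10.0.0.4       ; explicit TTL between owner and class
ftp     IN CNAME www.foobarbaz.com.
bad     IN CNAME 10.0.0.4       ; wrong: a CNAME target must be a name
"""


def parse_zone(text):
    """Return [(owner, ttl, type, rdata tokens)] with owners made fully qualified."""
    records, origin = [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        toks = line.split()
        owner, ttl = toks.pop(0), None
        if toks[0].isdigit():                      # optional TTL sits between owner and class
            ttl = int(toks.pop(0))
        if toks[0].upper() == "IN":
            toks.pop(0)
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner, ttl, toks[0].upper(), toks[1:]))
    return records


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_zone(records, origin):
    problems = []
    soa_count = sum(1 for r in records if r[2] == "SOA")
    if soa_count != 1:
        problems.append(f"{soa_count} SOA records, expected exactly one")
    ns = [r[3][0] for r in records if r[2] == "NS" and r[0] == origin]
    if len(ns) < 2:
        problems.append("fewer than two NS records at the zone apex")
    a_owners = {r[0] for r in records if r[2] == "A"}
    for server in ns:                              # in-zone name servers need glue
        if server.endswith("." + origin) and server not in a_owners:
            problems.append(f"NS {server} is inside the zone but has no A record")
    for owner, _, rtype, rdata in records:
        if rtype == "CNAME" and is_ip(rdata[0]):
            problems.append(f"CNAME {owner} points at an IP address; the target must be a domain name")
        if rtype == "MX" and not 0 <= int(rdata[0]) <= 65535:
            problems.append(f"MX {owner} preference {rdata[0]} does not fit in 16 bits")
    return problems


def mail_destinations(records, name):
    """Hosts that receive mail for `name`: MX targets in preference order, else its own A record."""
    mx = sorted((int(r[3][0]), r[3][1]) for r in records if r[2] == "MX" and r[0] == name)
    if mx:
        return [host for _, host in mx]
    return [name] if any(r[0] == name and r[2] == "A" for r in records) else []


def reverse_owner(ip):
    """PTR owner name: octets reversed under in-addr.arpa (nibbles under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_records(records):
    """(owner, target) pairs a matching reverse zone would need for every A record."""
    return sorted((reverse_owner(r[3][0]), r[0]) for r in records if r[2] == "A")


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for problem in lint_zone(recs, ORIGIN):
        print("PROBLEM:", problem)
    print("mail for", ORIGIN, "->", mail_destinations(recs, ORIGIN))
    print("mail for www ->", mail_destinations(recs, "www." + ORIGIN))
    for owner, target in ptr_records(recs):
        print(f"{owner:<28} IN PTR {target}")
    print(reverse_owner("161.114.1.206"))   # the address from the reverse-mapping answer
```

The only finding for the constructed zone is the CNAME that points at an address, the mistake from Q4; mail for the apex goes to the two MX hosts in preference order, while mail for www falls back to its A record because it has no MX. The reverse_owner helper goes slightly beyond the page by also producing ip6.arpa names for IPv6 addresses.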

Q8. What's the largest number I can use in an MX record?
> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned, 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?
> I'm wondering why there are only 13 root servers globally. From my understanding, it seems that there is some limitation on the number of NS records in a DNS packet specified by certain RFCs. Some documents explain that one of the reasons is a technical limit of the Domain Name System (without any detailed explanation), or just Internet policy. Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

FSMO ROLES

Q2. What are the functions of the FSMO roles?

1. Schema Master (Forest level)
The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. This DC is the only one that can process updates to the directory schema, and it contains the only writable copy of the AD schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the forest.

3. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain. Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. It is also responsible for removing an object from its domain and putting it in another domain during an object move. There is one RID master per domain in a directory.

4. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator role holder performs the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Group Policy changes are preferentially written to the PDC emulator.
• Time synchronization for the domain.
Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs. Note: some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above. There is only one PDC emulator per domain.

5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change. There is only one Infrastructure master per domain.

Q4. Where are these FSMO server roles found?
The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers. There is no rule that says you have to have one server for each FSMO server role. But what if you only have one domain controller in your domain? That is fine; all 5 FSMO server roles will exist on that DC. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller.

Q5. Can you move FSMO roles?
Yes. Moving a FSMO server role is a manual process; it does not happen automatically.

Q6. Where to place the FSMO roles?

. Since all three are. and that machine should be a Global Catalog server. it contacts the Global Catalog server for this information. Note: According to MS. Note: In a single domain environment this is not an issue. but is recommended. Also.Assuming you do have multiple domain controllers in your domain. needs information about objects not in it's domain. This is not mandatory like the Infrastructure Master and the Global Catalog server above. It is also recommended that all FSMO role holders be direct replication partners and they have high bandwidth connections to one another as well as a Global Catalog server. on the first domain controller installed in a forest. If you are going to separate the Domain Naming master and Schema master. there are some best practices to follow for placing FSMO server roles. Microsoft also recommends that the PDC Emulator and RID Master be on the same server. then you can leave them as they are. it should be on a server that can handle the load. since the PDC Emulator will receive more traffic than any other FSMO role holder. then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated.Why Infrastructure Master should not be on the same server that acts as a Global Catalog server? The Infrastructure Master should not be on the same server that acts as a Global Catalog server. If they both reside on the same server. which is responsible for updating Active Directory information about cross domain object changes. just make sure they are both on Global Catalog servers. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. The Schema Master and Domain Naming Master should reside on the same server. IMP: . by default. When the Infrastructure Master.The reason for this is the Global Catalog contains information about every object in the forest. 
the Domain Naming master needs to be on a Global Catalog Server.
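The RID Master description under role 3 above is the one FSMO mechanism that is easy to reason about end to end: every SID is the domain SID plus a RID, each DC issues RIDs from a block it was given, and a DC asks for the next block before the current one runs out. The following is an added example (not part of the original page or of Windows) that models that allocation and checks the property it exists to guarantee, that two domain controllers never mint the same SID. The domain SID, block size and threshold are constructed; Windows itself hands out 500-RID blocks, asks for the next block when about half of the current one is left, and reserves RIDs below 1000 for well-known accounts such as Administrator (RID 500).

```python
"""Added example (not part of the original page): a model of the RID Master mechanism described
under role 3 above. Every security principal gets SID = domain SID + RID; each DC issues RIDs
from a block it was given, and asks the RID Master for a new block before the current one runs
out. The domain SID, block size and threshold are constructed (Windows hands out 500-RID blocks
and requests the next one when about half of the current block is left; RIDs below 1000 are
reserved for well-known accounts such as Administrator, RID 500)."""


class RidMaster:
    """The single DC per domain that owns the unallocated RID range."""

    def __init__(self, domain_sid, first_rid=1000, block_size=500):
        self.domain_sid, self.next_rid, self.block_size = domain_sid, first_rid, block_size
        self.log = []                       # (dc name, low RID, high RID) per block handed out

    def allocate_block(self, dc_name):
        low, high = self.next_rid, self.next_rid + self.block_size - 1
        self.next_rid = high + 1            # blocks never overlap, which is what keeps SIDs unique
        self.log.append((dc_name, low, high))
        return list(range(low, high + 1))


class DomainController:
    def __init__(self, name, rid_master, threshold=0.5):
        self.name, self.rid_master, self.threshold = name, rid_master, threshold
        self.pool, self.standby = [], None  # current block, and the next one fetched in advance
        self.principals = {}                # sAMAccountName -> SID

    def create_principal(self, sam_account):
        if not self.pool:                   # current block exhausted: switch to the standby block
            self.pool = self.standby or self.rid_master.allocate_block(self.name)
            self.standby = None
        rid = self.pool.pop(0)
        # Ask for the next block early, so an unreachable RID Master does not stop account
        # creation on this DC until the standby block has been used up as well.
        if self.standby is None and len(self.pool) < self.threshold * self.rid_master.block_size:
            self.standby = self.rid_master.allocate_block(self.name)
        sid = f"{self.rid_master.domain_sid}-{rid}"
        self.principals[sam_account] = sid
        return sid


def all_sids_unique(dcs):
    """The invariant the RID Master exists for: no two principals in the domain share a SID."""
    sids = [sid for dc in dcs for sid in dc.principals.values()]
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    master = RidMaster("S-1-5-21-1-2-3", block_size=10)   # tiny blocks so refills are visible
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    for i in range(12):
        dc1.create_principal(f"user{i}")
        dc2.create_principal(f"svc{i}")
    for dc_name, low, high in master.log:
        print(f"{dc_name}: RIDs {low}-{high}")
    print("unique:", all_sids_unique([dc1, dc2]))
```

Seizing the RID Master and then bringing the old holder back online breaks the non-overlap guarantee in allocate_block, because two masters hand out the same range; that is why the page's later advice to seize only when the old holder is gone for good matters for this role in particular.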

FSMO TOOLS

Q7. Tools to find out what servers in your domain/forest hold what server roles?

1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles. Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking "Active Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and choose "Connect to Domain Controller". When you do, you will see the dialog box below. When you do connect to another DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. Once connected to the DC, you will notice the name of that DC will be in the field below the Change button.

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. Open Active Directory Domains and Trusts, then right click "Active Directory Domains and Trusts" at the top of the tree and choose "Operations Master". The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller. You can connect to another domain controller by right clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller", and then click the Change button.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller. You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller", and then click the Change button.

4. Netdom: the easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window and type: netdom query fsmo and press enter. You will see a list of the FSMO role servers:

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the Server name and choose properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

6. Ntdsutil: finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 server, is rather complicated and beyond the scope of this document.

7. DUMPFSMOS: command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints the current FSMO holders to the screen; calls NTDSUTIL to get this information.

8. NLTEST: command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches. Common uses: get a list of all DCs in the domain; get the name of the PDC emulator; query or reset the secure channel for a server; call DsGetDCName to query for an available domain controller.

Adcheck (470k) (3rd party): a simple utility to view information about AD and FSMO roles, http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q8. What permissions you should have in order to transfer a FSMO role? Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

Q9. How to Transfer and Seize a FSMO Role?

GROUP POLICY

Q1. What are Group Policies? Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock

down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies. Group Policies can be configured either Locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc), and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom? Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy? To create a Domain Group Policy Object open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers, it is the same process except you right click the Domain or an OU and choose properties.

Q4. Who can Create/Modify Group Policies? You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies:

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only container objects. In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects. Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies. User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button.
You will see two check boxes at the bottom of the General tab. It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first, and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU, and the Security OU. When Sally logs onto her PC the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated, as a whole, and then applied to Sally the user. They are not applied Development OU first, and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, and then applied. When computers boot up, the Computer policies are applied. When users login, the User policies are applied. When user and computer group policies overlap, the computer policy wins. Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have. When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No Screen Saver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6.How to disable Group Policy Objects? When you are creating a Group Policy Object, the changes happen immediately. There is no "saving" of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under the Disable column, double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box. Q7. When does the group policy Scripts run?

Startup scripts are processed at computer boot up and before the user logs in. Login scripts are processed when the user logs in. Log off scripts are processed when the user logs off, but before the shutdown script runs. Shutdown scripts are processed after a user logs off, but before the computer shuts down.

Q8. When does the group policy get refreshed/applied? Group Policies can be applied when a computer boots up, and/or when a user logs in. Also, policies are refreshed automatically according to a predefined schedule. This is called Background Refresh. Background refresh for non DCs (PCs and Member Servers) is every 90 mins, with a +/- 30 min interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins. However, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.

Q9. Which are the policies which do not get affected by background refresh? Policies not affected by background refresh, i.e. policies that are only applied at Logon time: Folder Redirection, Software Installation, Logon, Logoff, Startup and Shutdown Scripts.

Q9. How to refresh Group Policies using the command line? Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies
gpupdate /target:machine to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use: gpupdate /force. Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the Default Setting for Dial-up users? Win2000 considers a slow dial-up link as anything less than 500kbps. Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies. When a user logs into a domain on a link under 500k some policies are not applied.

Q11. Which are the policies which get applied regardless of the speed of the dial-up connection? Some policies are always applied regardless of the speed of the dial-up connection. These are: Administrative Templates, Security Settings, EFS Recovery, IPSec.

Q12. Which are the policies which do not get applied over slow links? IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance. These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy. If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, the computer policies are applied first, followed by the user policies. If the user connects to the domain using "Network and Dial-up Connections" after they logon, once the user is authenticated, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies? There are two default group policy objects that are created when a domain is created: the Default Domain policy and the Default Domain Controllers policy.

Default Domain Policy - this GPO can be found under the group policy tab for that domain. It is the first policy listed. The default domain policy is unique in that certain policies can only be applied at the domain level. If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed: Password Policy, Account Lockout Policy, Kerberos Policy. These 3 policies can only be set at the domain level. If you set these policies anywhere else, Site or OU, they are ignored. However, setting these 3 policies at the OU level will have the

effect of setting these policies for users who log on locally to their PCs. Login to the domain you get the domain policy, login locally you get the OU policy. If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by Default Domain Policy: Automatically log off users when logon time expires; Rename Administrator Account - when set at the domain level, it affects the Domain Administrator account only; Rename Guest Account - when set at the domain level, it affects the Domain Guest account only. The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy. Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can logon locally and so on.

Q14. How to restore Group policy settings back to default? The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.
2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.
3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.
4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs.
In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of the group policy?
■ No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.
■ Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.

Q16. How to Redirect New User and Computer Accounts? By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO.
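The processing order from Q5 and "Resolving GPOs from Multiple Sources" (Local, Site, Domain, OU, with the bottom of each container's GPO list applied first and the top last) together with the two inheritance exceptions from Q15 (No Override and Block Inheritance) amount to a small precedence algorithm. The following Python model is an added example, not code from the original document; the site, domain, OU and GPO names are constructed, the settings are plain dictionary keys rather than real policy identifiers, and the tie-break between two No Override GPOs at different levels (the parent wins) is an assumption the page does not state.

```python
"""Model of Group Policy precedence with No Override and Block Inheritance (added example)."""
from dataclasses import dataclass


@dataclass
class GpoLink:
    name: str
    settings: dict                # setting name -> value (constructed keys, not real policy names)
    no_override: bool = False     # the "No Override" option on the link
    disabled: bool = False        # the Disabled check box on the Group Policy tab


@dataclass
class Container:
    name: str
    links: list                   # GPO links in Group Policy tab order: top of the list first
    block_inheritance: bool = False


def resolve(local_settings, chain):
    """chain lists the containers in processing order: Site, Domain, OU, nested OU, ...

    Returns (effective settings, GPO names in the order they were applied).
    """
    effective = dict(local_settings)          # 1. the local GPO is processed first
    applied = ["Local"]
    # Block Inheritance on a container hides every ordinary GPO linked above it.
    blocked_below = max([i for i, c in enumerate(chain) if c.block_inheritance], default=0)
    enforced = []                             # per container: its No Override links, bottom-to-top
    for i, container in enumerate(chain):
        mine = []
        for link in reversed(container.links):  # bottom of the list first, top of the list last
            if link.disabled:
                continue
            if link.no_override:
                mine.append(link)
            elif i >= blocked_below:
                effective.update(link.settings)
                applied.append(link.name)
        enforced.append(mine)
    # No Override links cannot be overridden by child containers (Q15), so they are
    # applied after everything else: child container first, root container last.
    # (Assumption: between two No Override links the parent wins.)
    for mine in reversed(enforced):
        for link in mine:
            effective.update(link.settings)
            applied.append(link.name)
    return effective, applied


def human_resources_example(block_inheritance):
    """Constructed sample: a PC in the Human Resources OU of the made-up domain corp.example."""
    site = Container("Default-First-Site-Name", [
        GpoLink("Site Proxy", {"proxy": "proxy.site.corp.example"}),
    ])
    domain = Container("corp.example", [
        GpoLink("Password Length", {"min_password_length": 12}, no_override=True),
        GpoLink("Corporate Wallpaper", {"wallpaper": "corp.bmp"}),
    ])
    hr = Container("Human Resources", [        # same three GPOs as the image described in Q5
        GpoLink("No Screen Saver", {"screensaver": "disabled"}),
        GpoLink("No Display Settings", {"display_settings": "locked", "screensaver": "enabled"}),
        GpoLink("No Windows Update", {"windows_update": "hidden"}),
    ], block_inheritance=block_inheritance)
    local = {"wallpaper": "local.bmp", "proxy": "none"}
    return resolve(local, [site, domain, hr])


if __name__ == "__main__":
    for block in (False, True):
        effective, order = human_resources_example(block)
        print("Block Inheritance:", block, "->", order)
        print(effective)
```

With Block Inheritance on the OU, the site proxy and the domain wallpaper never reach the PC, but the No Override password length still does; the conflicting screensaver value is decided by the GPO nearest the top of the OU's list, exactly as Q5 describes for the three Human Resources GPOs.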

Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What is the client requirement for supporting GPOs? For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group Policy.
■ Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.

Q18. What permissions should an administrator have to manage GPOs? Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.



The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.
●Domain naming master Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.
There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles
Domain-wide roles are unique to each domain in a forest; the domain-wide roles are:
●Primary domain controller emulator (PDC) Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.
●Relative identifier master (RID) When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.
●Infrastructure master When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and a SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.

A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, or login name, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names, or logon name, for example). The partial attributes that it has for that object would be enough to allow a search for that object to be able to locate the full replica of the object in Active Directory. This allows searches done against a local GC, and reduces network traffic over the WAN in an attempt to locate objects somewhere else in the network. The global catalog contains:
●The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.
●The information that is necessary to determine the location of any object in the directory.
●The access permissions for each object and attribute that is stored in the global catalog. Access permissions ensure that users can find only objects to which they have been assigned access. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results.
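The RID master description above (a SID is the domain SID plus a RID; the RID master hands each domain controller a block of RIDs, and each DC assigns RIDs to new security principals from its own block) is the mechanism that lets any DC create accounts without two DCs ever issuing the same SID. The following Python model is an added example and not code from the original document: the domain SID is constructed, the starting RID of 1000 and the tiny block size are assumptions for the illustration, and the real allocation protocol between DCs and the RID master is not reproduced.

```python
"""Model of RID block allocation and SID construction (added example)."""


class RidMaster:
    """The RID master hands each DC a block of relative identifiers that only it may use."""

    def __init__(self, domain_sid, block_size=500):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_free = 1000        # assumption for the example: RIDs below 1000 are reserved
        self.issued = []             # (dc name, first RID, last RID), in issue order

    def allocate_block(self, dc_name):
        first = self.next_free
        last = first + self.block_size - 1
        self.next_free = last + 1    # blocks never overlap, so RIDs never collide across DCs
        self.issued.append((dc_name, first, last))
        return first, last


class DomainController:
    """Any DC can create security principals; it only needs a block from the RID master."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.next_rid = None
        self.last_rid = None
        self.principals = {}         # sAMAccountName -> SID, the principals this DC created

    def create_principal(self, sam_account_name):
        if self.next_rid is None or self.next_rid > self.last_rid:
            # Block exhausted (or never obtained): ask the RID master for a fresh one.
            self.next_rid, self.last_rid = self.rid_master.allocate_block(self.name)
        rid = self.next_rid
        self.next_rid += 1
        sid = f"{self.rid_master.domain_sid}-{rid}"      # domain SID + RID
        self.principals[sam_account_name] = sid
        return sid


def split_sid(sid):
    """Split a SID into (domain SID, RID): S-1-5-21-a-b-c-RID -> ('S-1-5-21-a-b-c', RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def rids(sid_list):
    return [split_sid(s)[1] for s in sid_list]


def demo():
    """Two DCs creating principals; dc1 runs out of its block and fetches another one."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333", block_size=3)  # constructed
    dc1 = DomainController("dc1", master)
    dc2 = DomainController("dc2", master)
    sids = {"dc1": [], "dc2": []}
    for user in ("alice", "bob"):
        sids["dc1"].append(dc1.create_principal(user))
    for user in ("carol", "dave"):
        sids["dc2"].append(dc2.create_principal(user))
    for user in ("erin", "frank"):   # third account exhausts dc1's block of 3
        sids["dc1"].append(dc1.create_principal(user))
    return sids, master.issued


if __name__ == "__main__":
    sids, issued = demo()
    print("blocks issued:", issued)
    for dc, lst in sids.items():
        print(dc, rids(lst))
```

The point to take from the model is why the RID master is a single-master role: if two DCs could both hand out the block 1000-1002, the SIDs they minted would collide, and an ACL granting access to one principal would silently grant it to the other.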

Domain Controllers always contain the full attribute list for objects belonging to their domain. If the Domain Controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Integration of DNS and Active Directory
The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network. Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.

Active Directory Integrated Zones
Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

What Are Active Directory Integrated Zones?
One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

They must include SOA and NS records and can include any type of resource record except the PTR resource record. Once you have installed Active Directory. Forward lookup zones contain information needed to resolve names within the DNS domain.dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN. Zone file names correspond to the name you choose for the zone when creating it. PTR. Once a subdomain is added. the client supplies a name and requests the IP address that corresponds to that name. Reverse lookup zones contain information needed to perform reverse lookups. This type of query is typically described as a forward lookup. With most queries. If other domains are added below the domain used to create the zone. . these domains can either be part of the same zone or belong to another zone. forward lookup and reverse lookup. you have two options for storing your zones when operating the DNS server at the new domain controller: Standard Zone Zones stored this way are located in .What Are DNS Zones? A zone starts as a storage database for a single DNS domain name. and CNAME records. However. Active Directory requires forward lookup zones. it can then either be: ●Managed and included as part of the original zone records. The DNS standard provides for this possibility through reverse lookups. They usually include SOA. or ●Delegated away to another zone created to support the subdomain Types of Zones There are two types of zones. NS. and is used for TCP/IP network troubleshooting.

For example, the zone file would be named Example.microsoft.com.dns if the zone name was example.microsoft.com. This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Directory-integrated Zone: Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it.

Standard Primary Zone: For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates, also known as DDNS, and process zone changes. The standard primary model implies a single point of failure. Note: A Standard Primary zone will not replicate its information to any other DNS servers, but may allow zone transfers to Secondary zones.

Standard Secondary Zone: A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53. The data in a Secondary zone is read only, and updated information must come from additional zone transfers. Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available. Win2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

DNS Records: After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1. Record Types (Name: Description)
Host (A): For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME): For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX): For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR): For mapping a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service location (SRV): For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
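The zone storage, zone transfer and dynamic update choices described above can be audited on a running DNS server with the following PowerShell script. It is an added example, not code from the original page, and assumes the DnsServer module (shipped with Windows Server 2008 R2 / RSAT and later, not with Windows 2003 itself) and rights to query the server named in -ComputerName.

```powershell
# Added example (not from the original page): report how each zone on a DNS
# server is stored (AD-integrated vs. .dns file) and flag zone-transfer and
# dynamic-update settings that widen exposure.
# Assumes the DnsServer module and read rights on the target DNS server.
Import-Module DnsServer

function Get-DnsZoneStorageReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Skip autocreated zones (e.g. the 0/127/255 reverse zones) and conditional forwarders
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
             Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }

    foreach ($z in $zones) {
        $findings = @()

        if ($z.IsDsIntegrated) {
            # Directory-integrated: a dnsZone object replicated by AD, scope = application partition
            $storage = "AD-integrated ($($z.ReplicationScope) scope, partition $($z.DirectoryPartitionName))"
        } else {
            # Standard zone: a text file under %SystemRoot%\System32\Dns on this server only
            $storage = "file $($z.ZoneFile) in %SystemRoot%\System32\Dns"
            if ($z.ZoneType -eq 'Primary') {
                $findings += 'standard primary: single point of failure, not replicated by AD'
            }
        }

        # Zone transfers (TCP 53) to any requester hand out a full copy of the zone
        if ($z.ZoneType -eq 'Primary' -and $z.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += 'zone transfer allowed to ANY server'
        }

        # DDNS: only 'Secure' ties a record to the authenticated client that registered it
        if ($z.ZoneType -eq 'Primary' -and $z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'nonsecure dynamic updates accepted'
        }

        [pscustomobject]@{
            Zone     = $z.ZoneName
            Type     = $z.ZoneType
            Reverse  = $z.IsReverseLookupZone
            Storage  = $storage
            Findings = ($findings -join '; ')
        }
    }
}

# Usage: Get-DnsZoneStorageReport -ComputerName dc01 | Format-Table -AutoSize
```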

Technical Interview Questions – Active Directory
• What is Active Directory?
• What is LDAP?
• Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
• Where is the AD database held? What other folders are related to AD?
• What is the SYSVOL folder?
• Name the AD NCs and replication issues for each NC
• What are application partitions? When do I use them
• How do you create a new application partition
• How do you view replication properties for AD partitions and DCs?
• What is the Global Catalog?
• How do you view all the GCs in the forest?
• Why not make all DCs in a large forest as GCs?
• Trying to look at the Schema, how can I do that?
• What are the Support Tools? Why do I need them?
• What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
• What are sites? What are they used for?
• What's the difference between a site link's schedule and interval?
• What is the KCC?
• What is the ISTG? Who has that role by default?
• What are the requirements for installing AD on a new server?
• What can you do to promote a server to DC if you're in a remote location with slow WAN link?
• How can you forcibly remove AD from a server, and what do you do later?
• Can I get user passwords from the AD database?
• What tool would I use to try to grab security related packets from the wire?
• Name some OU design considerations.
• What is tombstone lifetime attribute?
• What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
• What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
• How would you find all users that have not logged on since last month?
• What are the DS* commands?
• What's the difference between LDIFDE and CSVDE? Usage considerations?
• What are the FSMO roles? Who has them by default? What happens when each one fails?
• What FSMO placement considerations do you know of?
• I want to look at the RID allocation table for a DC. What do I do?

• What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
• How do you configure a "stand-by operation master" for any of the roles?
• How do you backup AD?
• How do you restore AD?
• How do you change the DS Restore admin password?
• Why can't you restore a DC that was backed up 4 months ago?
• What are GPOs?
• What is the order in which GPOs are applied?
• Name a few benefits of using GPMC.
• What are the GPC and the GPT? Where can I find them?
• What are GPO links? What special things can I do to them?
• What can I do to prevent inheritance from above?
• How can I override blocking of inheritance?
• How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
• A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
• Name a few differences in Vista GPOs
• Name some GPO settings in the computer and user parts.
• What are administrative templates?
• What's the difference between software publishing and assigning?
• Can I deploy non-MSI software with GPO?
• You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?


Understanding Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.

Understanding FSMO Roles in Active Directory?
Windows 2000/2003 Multi-Master Model: A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model: To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.
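The following PowerShell script locates the five role holders and checks the two placement rules stated above: the Infrastructure Master must not sit on a Global Catalog unless every DC in the domain is a GC, and the PDC emulator's in-bound time partner should be verified (external for the forest root). It is an added example, not code from the original page, and assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) plus read access to the forest; the function names are the example's own.

```powershell
# Added example (not from the original page): enumerate FSMO role holders and
# verify Infrastructure Master / PDC emulator placement as described in the text.
# Assumes the ActiveDirectory module and rights to query the forest and domain.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        Forest               = $forest.Name
        Domain               = $dom.DNSRoot
        SchemaMaster         = $forest.SchemaMaster        # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster  # one per forest
        PDCEmulator          = $dom.PDCEmulator            # one per domain
        RIDMaster            = $dom.RIDMaster              # one per domain
        InfrastructureMaster = $dom.InfrastructureMaster   # one per domain
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $imHost = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $imHost) {
        return "WARNING: could not resolve IM '$($dom.InfrastructureMaster)' among the DCs of $Domain"
    }
    if ($nonGc.Count -eq 0) {
        # Every DC holds the full partial replica, so phantom updates are unnecessary
        return "OK: every DC in $Domain is a GC; IM placement does not matter"
    }
    if ($imHost.IsGlobalCatalog) {
        return "WARNING: IM $($imHost.HostName) is a GC while $($nonGc.Count) DC(s) are not; cross-domain references will stop updating"
    }
    "OK: IM $($imHost.HostName) is not a GC"
}

function Get-PdcTimeSource {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    # w32tm reports the in-bound time partner of the PDC emulator; the forest-root
    # PDC should name an external source rather than another DC or 'Local CMOS Clock'
    $src = & w32tm /query /source "/computer:$pdc" 2>&1
    [pscustomobject]@{ Domain = $Domain; PDCEmulator = $pdc; TimeSource = ($src -join ' ') }
}

# Usage:
#   Get-FsmoRoleHolders | Format-List
#   Test-InfrastructureMasterPlacement
#   Get-PdcTimeSource -Domain (Get-ADForest).RootDomain
```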

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Understanding Function Levels in Windows Server 2003 Active Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system. When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest. To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info). To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level.

After this requirement is met, the administrator can raise the forest functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).

Important: Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and prohibits the addition of Windows NT 4.0–based or Windows 2000–based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000–based domain controllers in the environment will no longer function. Before raising functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.

Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following table summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003 (Feature: Functionality):

Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.
Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.
Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.
InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.
Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.
Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.
Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.
Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003. When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest. If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
• Activated features: local and global groups, global catalog support

Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups

Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim; you can raise domain levels by increasing the forest level settings. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename, logon timestamp attribute updated and replicated, User password support on the InetOrgPerson objectClass, Constrained delegation, you can redirect the Users and Computers containers

The following describes the domain functional level and the domain-wide features that are activated for that level. Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003. After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.

Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest functional levels, the corresponding features, and their supported domain controllers are listed below. Note that with each successive level increase, the feature set of the previous level is included.

Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
• New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging, no global catalog full sync when attributes are added to the PAS, and a Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked Value Replication, Improved Replication Topology Generation, ISTG Aliveness no longer replicated, and attributes added to the global catalog: ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000, and attributes added to the global catalog: Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, SecurityIdentifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit, ms-DS-TrustForest-Trust-Info

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.

Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels?
In Windows Server 2003, functional levels were an extension of the older mixed/native mode concept introduced in Windows 2000. In Windows Server 2008 this was further extended to include new features and benefits. Functional levels determine the features of Active Directory Domain Services (AD DS) that are enabled in a domain or forest, and are used to activate new Active Directory features after all the Domain Controllers (DCs) in the domain or forest are running Windows Server 2008 operating systems.

When the first Windows Server 2008–based Domain Controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment, meaning Windows 2000 Native Mode. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2008. Windows Server 2008 does not support NT 4.0 BDCs, and as you already know, unless you still have old NT 4.0 BDCs there's no reason for staying in Mixed Mode, so if you are still using them and planning to upgrade your Active Directory to Windows Server 2008, re-think your strategy. See the "Upgrade from a Windows NT 4.0 Domain" section of this article. As for Windows 2000 Native Mode, unless you still have Windows 2000 Domain Controllers, there's no reason for staying in that function level. However, if you still do, remember that Windows Server 2008 only supports Windows 2000 SP4. When you raise the functional level of a domain or forest, a set of advanced features becomes available. After the domain functional level is raised, DCs that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2008, Domain Controllers that are running Windows Server 2003 cannot be added to that domain.

Be sure to have SP4 on all your Windows 2000 DCs. Also be aware of the fact that, regardless of the domain or function level, servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers. For more information about Windows Server 2008 Active Directory requirements, please read my "Active Directory on Windows Server 2008 Requirements" article.

Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 or Windows Server 2008 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right operating system. After this requirement is met, the administrator can raise the domain functional level. Read my "Raising Windows Server 2008 Active Directory Domain and Forest Functional Levels" article for information on how to actually raise the domain and forest function levels. You can read my "What are the domain and forest function levels in a Windows Server 2003-based Active Directory?" article for more info about that. Here's a list of the available domain function levels available in Windows Server 2008:

Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains. Supported Domain controllers – Windows 2000, Windows Server 2003, Windows Server 2008. Features and benefits include all default Active Directory features, plus:
• Group nesting – Unlike Windows NT 4.0, allows placing of a group of one scope as a member of another group of the same scope.
• Universal security groups – Allows usage of Universal security type groups.
• SidHistory – Enables usage of SidHistory when migrating objects between domains.
• Converting groups between security groups and distribution groups – Unlike Windows NT 4.0, allows converting of a group type into another group type (with some limitations).

Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003. Read my "Raise Domain Function Level in Windows Server 2003 Domains" article for more info about that. Supported Domain controllers – Windows Server 2003, Windows Server 2008. Features and benefits include all default Active Directory features, all features from the Windows 2000 native domain functional level, plus:
• Universal group caching – Windows Server 2003 functional level supports Universal group caching, which eliminates the need for a local global catalog server.

Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database. Supported Domain controllers – Windows Server 2008. and in fact.• • • Domain Controller rename – By using the NETDOM command. After this requirement is met. or lingering objects. Granular auditing – Allows history of object changes in Active Directory. which in turn enables having more than 5000 members in a group and better replication capabilities. Users and Computers containers can be redirected – This allows the redirection of the default location of new users and computers (by using the REDIRUSR and REDIRCMP commands). all domain controllers in the domain must be running Windows Server 2008. the upgrading wizard will not allow you to continue with the operation. Important Raising the domain and forest functional levels to Windows Server 2008 is a nonreversible task and prohibits the addition of Windows 2000–based or Windows Server 2003–based Domain Controllers to the environment. Lingering objects (zombies) detection – Windows Server 2003 has the ability to detect zombies. Support for selective authentication – Makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. Any existing Windows 2000–based or Windows Server 2003–based Domain Controllers in the environment will no longer function. Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol. all features from the Windows Server 2003 domain functional level. . Features and benefits include all default Active Directory features. AD-integrated DNS zones in application partitions – This allows storing of DNS data in AD application partition for more efficient replication. plus: • • • • Fine-grained password policies – Allows multiple password polices to be applied to different users in the same domain. 
Before raising functional levels to take advantage of advanced Windows Server 2008 features. the administrator can raise the domain functional level to Windows Server 2008. • • • • Windows Server 2008 Mode To activate the new domain features. This attribute is replicated within the domain. ensure that you will never need to install domain controllers running Windows 2000-based or Windows Server 2003–based Domain Controllers in your environment. Logon time stamp update – The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. Multivalued attribute replication improvements – Allows incremental membership changes.

all domain controllers in the forest must be running Windows Server 2003. Features and benefits include all default Active Directory features. Windows Server 2008. • • • • • • Windows Server 2008 forest function level . called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups. Windows Server 2003 forest function level To activate new forest-wide features. and the reverse. Here's a list of the available forest function levels available in Windows Server 2008: Windows 2000 forest function level This is the default setting for new Windows Server 2008 Active Directory forests. The ability to create instances of the new group types. Supported Domain controllers in all domains in the forest – Windows 2000.• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). Domain rename. Windows Server 2003. from what workstation. • Forest function levels Forest functionality activates features across all the domains in your forest. The ability to create instances of the dynamicObject dynamic auxiliary class. to support role-based authorization. The ability to convert an inetOrgPerson object instance into a User object instance. Supported Domain controllers in all domains in the forest – Windows Server 2003. Linked-value replication – Changes in group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. the administrator can raise the forest functional level. plus the following features: • • • Forest trust. Intersite topology generator (ISTG) improvements – Supports a more efficient ISTG algorithm allows support for extremely large numbers of sites. all the domain in the forest must be running the right operating system and be set to the right domain function level. Windows Server 2008. Read my "Raise Forest Function Level in Windows Server 2003 Active Directory" article for more info about that. 
After this requirement is met. Last Interactive Logon Information – Displays the time of the last successful interactive logon for a user. To activate a new forest function level. Deployment of an RODC. and the number of failed logon attempts since the last logon. It provides more robust and detailed replication of SYSVOL contents. Deactivation and redefinition of attributes and classes in the schema.

Features Available If Any Domain Controller Is Running Windows Server 2003 The following list summarizes the Active Directory features that are enabled by default on any domain controller running Windows Server 2003. Supported Domain controllers in all domains in the forest – Windows Server 2008. • • Multiple selection of user objects. secure. all domain controllers in the forest must be running Windows Server 2008. thus consolidating directories and easing management of the entire network operating system. Enterprise Edition. Active Directory plays such an important role in managing the network. Companies can also use Active Directory to extend systems securely to the Internet. You can also add objects to group membership lists by dragging and dropping one or more objects (including other group objects) onto the target group. • . but no additional features. It also helps organizations integrate systems not using Windows with Windows-based applications and Windows-compatible devices. New features can be divided into those available on any domain controller running Windows Server 2003. New Active Directory Features With the new Active Directory features in Standard Edition. What’s New in Windows Server 2003 Active Directory? The Active Directory service is an essential and inseparable part of the Windows Server 2003 network architecture that provides a directory service designed for distributed networking environments. servers. Active Directory provides a single point of management for Windows-based user accounts. more efficient administration of Active Directory is available to you. Modify common attributes of multiple user objects at one time.To activate new forest-wide features. Efficient search capabilities. Drag-and-drop functionality. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default. 
Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level. and applications. and Datacenter Edition. Search functionality is object-oriented and provides an efficient browse-less search that minimizes network traffic associated with browsing objects. Active Directory thus increases the value of an organization's existing network investments and lowers the overall costs of computing by making the Windows network operating system more manageable. Read my "Raising Windows Server 2008 Active Directory Domain and Forest Functional Levels" article for more info about that. and interoperable. it is helpful to review the new features of the Active Directory service. and those available only when all domain controllers of a domain or forest are running Windows Server 2003. Move Active Directory objects from container to container by dragging and dropping one or more objects to a desired location in the domain hierarchy. clients. that as you prepare to move to Windows Server 2003.
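Because raising a functional level is nonreversible and fails (or leaves DCs non-functional) when any domain controller still runs an older operating system, the sensible first step is an audit of every DC in every domain against the target version. The script below is an added example and is not code from the article or from Microsoft; it only reports and never changes a level. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and an account that can read all domains in the forest. The $TargetOsVersion value is constructed: 6.0 is the kernel version of Windows Server 2008, the target level this article discusses. The same check applies before the Windows Server 2003 raise procedure described later on this page (set the target to 5.2 for that case).

```powershell
# Added example (not from the original article): audit domain controllers before
# raising a domain or forest functional level. Reports only; nothing is modified.
# Assumes the ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$TargetOsVersion = [version]'6.0'   # constructed: Windows Server 2008 = NT 6.0; use 5.2 for Windows Server 2003

$forest = Get-ADForest
Write-Host ('Forest {0}: mode {1}; schema master {2}; domain naming master {3}' -f
    $forest.Name, $forest.ForestMode, $forest.SchemaMaster, $forest.DomainNamingMaster)

$report   = @()
$blockers = @()
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host ('Domain {0}: mode {1}; PDC emulator {2}' -f
        $domain.DNSRoot, $domain.DomainMode, $domain.PDCEmulator)

    # Ask the PDC emulator of each domain: the article notes it is the DC that
    # picks up the new level once the forest level has replicated to it.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain.PDCEmulator) {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep only the major.minor part.
        $raw = $dc.OperatingSystemVersion -replace '\s*\(.*\)$', ''
        $osVersion = if ($raw) { [version]$raw } else { [version]'0.0' }   # unknown OS counts as a blocker
        $meetsTarget = $osVersion -ge $TargetOsVersion

        $report += [pscustomobject]@{
            Domain = $domain.DNSRoot
            DC     = $dc.HostName
            OS     = $dc.OperatingSystem
            Site   = $dc.Site
            GC     = $dc.IsGlobalCatalog
            RODC   = $dc.IsReadOnly
            Status = $(if ($meetsTarget) { 'ok' } else { 'BLOCKS RAISE' })
        }
        if (-not $meetsTarget) { $blockers += $dc }
    }
}

$report | Format-Table -AutoSize | Out-Host

if ($blockers.Count -eq 0) {
    Write-Host 'Every domain controller meets the target version; the level could be raised (nonreversible).'
    # Only after a clean audit, with Enterprise Admins rights, and after a full backup:
    #   Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -WhatIf
} else {
    Write-Host ('{0} domain controller(s) must be upgraded or demoted first:' -f $blockers.Count)
    $blockers | ForEach-Object { Write-Host ('  {0} ({1})' -f $_.HostName, $_.OperatingSystem) }
}
```

The report mirrors what the Raise Forest Functional Level dialog's "Save As" log tells you after a failed attempt, but before you click anything: which DCs, in which domain and site, still block the raise. The Set-ADForestMode line is left as a comment with -WhatIf so the script stays read-only; remove the comment and the switch only once the audit is clean.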



What's New in Windows Server 2003 Active Directory?
by Daniel Petri - January 8, 2009. Author is a Microsoft Windows Server System - Exchange Server MVP.

The Active Directory service is an essential and inseparable part of the Windows Server 2003 network architecture that provides a directory service designed for distributed networking environments. Active Directory provides a single point of management for Windows-based user accounts, clients, servers, and applications. It also helps organizations integrate systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system. Companies can also use Active Directory to extend systems securely to the Internet. Active Directory thus increases the value of an organization's existing network investments and lowers the overall costs of computing by making the Windows network operating system more manageable, secure, and interoperable.

New Active Directory Features

With the new Active Directory features in Standard Edition, Enterprise Edition, and Datacenter Edition, more efficient administration of Active Directory is available to you. Active Directory plays such an important role in managing the network that, as you prepare to move to Windows Server 2003, it is helpful to review the new features of the Active Directory service. New features can be divided into those available on any domain controller running Windows Server 2003, and those available only when all domain controllers of a domain or forest are running Windows Server 2003.

Features Available If Any Domain Controller Is Running Windows Server 2003

The following list summarizes the Active Directory features that are enabled by default on any domain controller running Windows Server 2003.
• Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
• Drag-and-drop functionality. Move Active Directory objects from container to container by dragging and dropping one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging and dropping one or more objects (including other group objects) onto the target group.
• Efficient search capabilities. Search functionality is object-oriented and provides an efficient browse-less search that minimizes network traffic associated with browsing objects.
• Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.
• Active Directory command-line tools. Run new directory service commands for administration scenarios.
• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
• Application directory partitions. Configure the replication scope for application-specific data among domain controllers running Standard Edition, Enterprise Edition, and Datacenter Edition. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.
• Add additional domain controllers to existing domains using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
• Universal group membership caching. Prevent the need to locate a global catalog across a wide area network (WAN) during logons by storing user universal group memberships on an authenticating domain controller.
• Selective class creation. Create instances of specified classes in the base schema of a Windows Server 2003 forest. You can create instances of several common classes, including: country or region, person, organizationalPerson, groupOfNames, device, and certificationAuthority.

Features Available When All Domain Controllers Are Running Windows Server 2003

New domain- or forest-wide Active Directory features can be enabled only when all domain controllers in a domain or forest are running Windows Server 2003 and the domain functionality or forest functionality has been set to Windows Server 2003. The following list summarizes the domain- and forest-wide Active Directory features that can be enabled when either a domain or forest functional level has been raised to Windows Server 2003.
• Domain controller rename tool. Rename domain controllers without first demoting them.
• Domain rename. Rename any domain running Windows Server 2003 domain controllers. You can change the NetBIOS name or DNS name of any child, parent, tree- or forest-root domain.
• Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest.
• Forest restructuring. Move existing domains to other locations in the domain hierarchy.
• Defunct schema objects. Deactivate unnecessary classes or attributes from the schema.
• Dynamic auxiliary classes. Provides support for dynamically linking auxiliary classes to individual objects, and not just to entire classes of objects. In addition, auxiliary classes that have been attached to an object instance can subsequently be removed from the instance.
• Global catalog replication tuning. Preserves the synchronization state of the global catalog when an administrative action results in an extension of the partial attribute set. This minimizes the work generated as a result of a partial attribute set extension by only transmitting attributes that were added.
• Replication enhancements. Linked value replication allows individual group members to be replicated across the network instead of treating the entire group membership as a single unit of replication.

Raising Domain Functional Levels

Domains can operate at three functional levels: Windows 2000 mixed, the default setting (which includes domain controllers running Windows 2000, Windows NT 4.0, and Windows Server 2003), Windows 2000 native (which includes domain controllers running Windows 2000 and Windows Server 2003), and Windows Server 2003 (which only includes domain controllers running Windows Server 2003). Once all domain controllers are running on Windows Server 2003, you can raise the Domain and Forest Functionality to Windows Server 2003 by opening Active Directory Domains and Trusts, right-clicking the domain for which you want to raise functionality, and then clicking Raise Domain Functional Level. Note that once you raise the domain functional level, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain. The following table describes the domain-wide features that are enabled for the corresponding domain functional level:

Domain Feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003
Domain controller rename tool | Disabled | Disabled | Enabled
Update logon timestamp | Disabled | Disabled | Enabled
Kerberos KDC key version numbers | Disabled | Disabled | Enabled
User password on InetOrgPerson object | Disabled | Disabled | Enabled
Universal Groups | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows both security and distribution groups. | Enabled. Allows both security and distribution groups.
Group Nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting.
Converting Groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
SID History | Disabled | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another.

Raising Forest Functional Levels

Forest functionality enables features across all the domains within your forest. Two forest functional levels are available: Windows 2000 (which supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003) and Windows Server 2003 (which only supports domain controllers running Windows Server 2003). If you are upgrading your first Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest, there is an additional forest functional level that you can choose, called Windows Server 2003 interim. By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003. Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. The following table describes the forest-wide features that are enabled for the corresponding forest functional level:

Forest Feature | Windows 2000 | Windows Server 2003
Global catalog replication tuning | Disabled | Enabled
Defunct schema objects | Disabled | Enabled
Forest trust | Disabled | Enabled
Linked value replication | Disabled | Enabled
Domain rename | Disabled | Enabled
Improved replication algorithms | Disabled | Enabled
Dynamic auxiliary classes | Disabled | Enabled
InetOrgPerson objectClass change | Disabled | Enabled

Raise Forest Function Level in Windows Server 2003 Active Directory

How can I raise the forest function level in a Windows Server 2003-based Active Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system. When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest (read Understanding Function Levels in Windows Server 2003 Active Directory for more info).

To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info).

To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and every domain must already be at the Windows 2000 native or Windows Server 2003 domain functional level. After this requirement is met, the administrator can raise the forest functional level.

Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

Important: Do not raise the forest functional level if you have, or will have, any domain controllers running Windows NT 4.0 or Windows 2000. As soon as the forest functional level is raised to Windows Server 2003, it cannot be changed back to the Windows 2000 forest functional level.

Note: To raise the forest functional level, you must upgrade (or demote) all existing Windows 2000 domain controllers in your forest, and you must be a member of the Enterprise Admins group.

In order to raise the Forest Functional Level:
1. Log on to the PDC of the forest root domain with a user account that is a member of the Enterprise Administrators group.
2. Open Active Directory Domains and Trusts: click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server 2003, and then click Raise to raise the forest functional level to Windows Server 2003.
5. Read the warning message, and if you wish to perform the action, click Ok.
6. You will receive an acknowledgement message telling you that the operation was completed successfully. Click Ok.
7. You can check the function level by performing step 3 again and viewing the current function level. The current forest functional level appears under Current forest functional level in the Raise Forest Functional Level dialog box.

If you cannot raise the forest functional level, you can click Save As in the Raise Forest Functional Level dialog box to save a log file that specifies which domain controllers in the forest still must be upgraded from Windows NT 4.0 or Windows 2000. If you receive a message that indicates you cannot raise the forest functional level, use the report generated by "Save As" to identify all domains and domain controllers that do not meet the requirements for the requested increase.

The level increase is performed on the Schema FSMO and requires Enterprise Administrator credentials. After the forest level is successfully increased and replicated to the PDCs in the domains, the PDCs for each domain automatically increase their domain level to the current forest level.

What DNS entries (SRV Records) does Windows 2000/2003 add when you create a domain?

In order for Active Directory to function properly, DNS servers must provide support for Service Location (SRV) resource records, described in RFC 2052 (A DNS RR for specifying the location of services (DNS SRV)). SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV records to determine the IP addresses of domain controllers. Although not a technical requirement of Active Directory, it is highly recommended that DNS servers provide support for DNS dynamic updates, described in RFC 2136. The Windows 2000 DNS service provides support for both SRV records and dynamic updates. If a non-Windows 2000 DNS server is being used, verify that it at least supports the SRV resource record. If not, it must be upgraded to a version that does support the use of the SRV resource record. For example, Windows NT Server 4.0 DNS servers must be upgraded to Service Pack 4 or later to support SRV resource records.

If you are using a DNS server that supports the SRV resource record but does not support dynamic updates (such as a UNIX-based DNS server or a Windows NT Server 4.0 DNS server), you can import the records in Netlogon.dns into the appropriate primary zone file to manually configure the primary zone on that server to support Active Directory. The Netlogon.dns file is described in the following section.

So now you understand that Windows 2000 domains rely heavily on DNS entries. After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers. A DNS server that supports SRV records but does not support dynamic update must be updated with the contents of the Netlogon.dns file created by the Active Directory Installation wizard while promoting a Windows 2000 Server to a domain controller. If you enable dynamic update on the relevant DNS zones, W2K creates these entries automatically:

• _ldap._tcp.<DNSDomainName> – Enables a client to locate a W2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would query the DNS server for _ldap._tcp.dpetri.net.
• _ldap._tcp.<SiteName>._sites.<DNSDomainName> – Enables a client to find a W2K domain controller in the domain and site specified (e.g., _ldap._tcp.lab._sites.dpetri.net for a domain controller in the Lab site of dpetri.net).
• _ldap._tcp.pdc._msdcs.<DNSDomainName> – Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record.
• _ldap._tcp.gc._msdcs.<DNSTreeName> – Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record.
• _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName> – Enables a client to find a GC server in the specified site (e.g., _ldap._tcp.lab._sites.gc._msdcs.dpetri.net).
• _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName> – Enables a client to find a domain controller in a domain based on the domain controller's globally unique ID. A GUID is a 128-bit (16-byte) number that is generated automatically for referencing Active Directory objects.
• <DNSDomainName> – Enables a client to find a domain controller through a normal Host record.

Understanding server roles:
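The record list above is exactly what a client depends on to find a DC, the PDC emulator or a GC, so a missing or stale entry shows up as logon and replication failures long before anyone looks at DNS. The script below is an added example, not code from the article: it builds the names the article lists for a given domain, site and tree, queries each one, and reports which are missing and which targets answer. It assumes the DnsClient module's Resolve-DnsName (Windows 8 / Windows Server 2012 and later). The dpetri.net and lab defaults are the article's own sample names; the domain GUID default is a placeholder, and on a real domain you would take it from Get-ADDomain (ObjectGUID) and the site from Get-ADReplicationSite.

```powershell
# Added example (not from the original article): check that the Netlogon-registered
# locator records the article describes actually resolve. Assumes Resolve-DnsName.
param(
    [string]$DomainName = 'dpetri.net',   # <DNSDomainName>  (article's sample name)
    [string]$TreeName   = 'dpetri.net',   # <DNSTreeName>    (forest root; same as the domain here)
    [string]$SiteName   = 'lab',          # <SiteName>       (article's sample site)
    [string]$DomainGuid = '00000000-0000-0000-0000-000000000000',   # <DomainGuid> placeholder
    [string]$DnsServer  = ''              # optional: query a specific DNS server instead of the resolver
)

# One entry per record type the article lists, with the reason a client needs it.
$expected = @(
    @{ Name = "_ldap._tcp.$DomainName";                          Type = 'SRV'; Purpose = 'any DC in the domain' }
    @{ Name = "_ldap._tcp.$SiteName._sites.$DomainName";          Type = 'SRV'; Purpose = "DC in site $SiteName" }
    @{ Name = "_ldap._tcp.pdc._msdcs.$DomainName";                Type = 'SRV'; Purpose = 'PDC emulator (FSMO) only' }
    @{ Name = "_ldap._tcp.gc._msdcs.$TreeName";                   Type = 'SRV'; Purpose = 'any global catalog server' }
    @{ Name = "_ldap._tcp.$SiteName._sites.gc._msdcs.$TreeName";  Type = 'SRV'; Purpose = "GC in site $SiteName" }
    @{ Name = "_ldap._tcp.$DomainGuid.domains._msdcs.$TreeName";  Type = 'SRV'; Purpose = 'DC located by domain GUID' }
    @{ Name = $DomainName;                                        Type = 'A';   Purpose = 'DC via plain host record' }
)

function Test-AdLocatorRecords {
    foreach ($rec in $expected) {
        $query = @{ Name = $rec.Name; Type = $rec.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }

        # Keep only answers of the requested type (a CNAME or SOA in the reply is not a hit).
        $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq $rec.Type })

        if ($answers.Count -eq 0) {
            [pscustomobject]@{ Record = $rec.Name; Status = 'MISSING'; Targets = ''; Purpose = $rec.Purpose }
            continue
        }
        $targets = if ($rec.Type -eq 'SRV') {
            ($answers | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
        } else {
            ($answers | ForEach-Object { $_.IPAddress }) -join ', '
        }
        [pscustomobject]@{ Record = $rec.Name; Status = 'OK'; Targets = $targets; Purpose = $rec.Purpose }
    }
}

$results = Test-AdLocatorRecords
$results | Format-Table -AutoSize
if ($results | Where-Object Status -eq 'MISSING') {
    Write-Host 'Missing records: check that dynamic update is enabled on the zone, or import Netlogon.dns as the article describes.'
}
```

The SRV targets are printed as host:port so a stale entry (a demoted DC, or a server that is no longer a GC but still listed under gc._msdcs) stands out next to the live ones; the pdc._msdcs record should resolve to exactly one host. Run it with -DnsServer pointed at each DNS server clients actually use when you suspect only some of them carry the records.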

Understanding server roles
A network or network infrastructure is the grouping of hardware devices and software components which are needed to connect devices within the organization, and to connect the organization to other organizations and the Internet. The network infrastructure's physical hardware and logical components are needed to provide a number of features for the network, including connectivity, routing and switching capabilities, network security, and access control. The network or network infrastructure has to exist before the servers needed to support the applications your users need can be deployed into your networking environment.
Windows Server 2003 itself provides a number of features and tools when you install it on a computer. You do, though, have to implement additional features and functionality on a server to provide the services and capabilities required by the organization and its users. In fact, until these additional features and functionality make certain services available, the computer cannot be used as required by users. Therefore, when planning your network design and deciding on the computers for your network, you must know what functions each computer will be performing. Understanding these functions will put you in a good position to determine the hardware and software components needed for your computers.
Computers required on your network can be broadly grouped according to the following roles:
• Server roles: Servers can be configured to perform a number of roles. The applications that the server is running specify the role of the particular server. Servers typically need services and additional features installed to perform their specific role. The hardware required by servers is determined by the role being performed by the server. When compared to workstations, servers have more disk space and memory, and faster processors. A few common server roles are listed below:
○ Domain controller
○ Database server
○ Backup server
○ File server
○ Print server
○ Infrastructure server
○ Web server
○ E-mail server
• Desktop workstation roles: Desktop workstations differ from servers in that desktop workstations are general purpose computers that can perform a number of different types of functions.
• Portable workstation roles: Portable workstations are the solution to bringing the features of a desktop computer to an off-site employee.

Windows Server 2003 introduced the concept of server roles, which are used to provide a specific capability or function to the network design. Server roles basically group related administrative tasks. With Windows Server 2003, if you configure a server for a certain server role, then a number of additional services, features and tools are installed for the server. In this manner, the server is set up to provide the required services to your users. Windows Server 2003 provides a new tool for defining and managing server roles, namely, the Manage Your Server utility. The actual wizard for applying the server roles to computers is the Configure Your Server Wizard. The Configure Your Server Wizard is included within the Manage Your Server utility and is also managed through this utility. For Windows Server 2003, there are 11 different server roles that you can configure using the Configure Your Server Wizard:
• File server
• Print server
• Application server
• Mail server
• Terminal server
• Remote access server/VPN server
• Domain controllers
• DNS server
• WINS server
• DHCP server
• Streaming media server
Understanding the File Server Role
The file server role is a widely used role when configuring servers in Windows Server 2003 based networks. The file server role is, though, not available in the Windows Server 2003 Web Edition. This is due to the file server role storing data for network users, and providing access to files stored on the file server. Files and folder resources can be shared between network users. A file stored on a file server volume can be accessed by users that have the necessary rights to access the directories wherein the files are stored. A few characteristics and features of the file server role are listed:
• File servers provide the following functionality to users:
○ Enables users to store files in a centralized location.
○ Enables a user to share files with another user.
• Administrators can manage the following aspects of file servers:
○ Access to files and folders
○ Disk space
○ Disk quotas can be implemented to control the amount of space which users can utilize.

• For file servers that have NTFS volumes:
○ NTFS security can be used to protect files from users who are not authorized to access the files and folders.
○ Encrypting File System (EFS) enables users to encrypt files and folders, and entire data drives on NTFS formatted volumes. EFS secures confidential corporate data from unauthorized access.
• Distributed File System (Dfs) provides a single hierarchical file system that assists in organizing shared folders on multiple computers in the network. Dfs provides a single logical file system structure by concealing the underlying file share structure within a virtual folder structure. Users only see a single file structure even though there are multiple folders located on different file servers within the organization.
• The Offline Files feature can be enabled if necessary. For your laptop users, Offline Files ensures that the user can access the server based files when they are not connected to the network. Offline Files makes it possible for a user to mirror server files to a local laptop, and ensures that the laptop files and server files are in sync.
Understanding the Print Server Role
The print server role provides network printing capabilities for the network. Through the print server role, you can configure a server to manage printing functions on the network. The print server is the computer where the print drivers are located that manage printing between printers and client computers. The print servers also manage communication between the printers and the client computers. The print servers manage the print queues, and can also supply audit logs on jobs printed by users. A network interface printer is a printer that connects to the network through a network card. Users typically connect to a network printer through a connection to a print server. With Windows NT, Windows 2000, Windows XP, and Windows Server 2003, the print servers supply clients with the necessary printer drivers. The print server role is, though, not available in the Windows Server 2003 Web Edition. When deciding on a print server, ensure that the print server has sufficient disk space to store print jobs waiting in the printer queue. It is recommended to use a dedicated, fast drive for the print spooler. You should consider implementing a print server cluster if your enterprise needs exceptional reliability and performance when it comes to printing. A few characteristics of print servers are listed here:
• The Windows Management Instrumentation (WMI), a management application program interface (API), can be used to manage printing on the network.
• Print servers can also be remotely managed.
• Administrators can control access to printers.
• Printers can be published in Active Directory so that access to printers can be controlled according to Active Directory accounts.
• Priorities can be defined for print jobs.
• Administrators can control when printing devices can be utilized.
• Print jobs can be paused, resumed, deleted and viewed.

Understanding Web servers
The application server role makes Web applications and distributed applications available to users. A Web server typically contains a copy of a World Wide Web site and can also host Web based applications. When you add a Web server through the application server role, the following components are installed:
• Internet Information Services 6.0
• The Application Server console
• The Distributed Transaction Coordinator (DTC)
• COM+, the extension of the Component Object Model (COM)
Internet Information Services 6.0 (IIS 6.0) is Microsoft's integrated Web server that enables you to create and manage Web sites within your organization. Through IIS, you can create and manage Web sites, create Web content, and share and distribute information over the Internet or intranet. With the introduction of Windows Server 2003 came the advent of Internet Information Services (IIS) 6, the Microsoft integrated Web server. IIS 6 is included with the 32-bit version and the 64-bit versions of the Windows Server 2003 Editions. The management tools included with Windows Server 2003 allow you to manage Internet Information Services on the Windows Server 2003 product platforms. IIS 6 includes support for a number of protocols and management tools which enable you to configure the server as a Web server, File Transfer Protocol (FTP) server or a Simple Mail Transport Protocol (SMTP) server.
Before you can deploy IIS 6 Web servers within your enterprise, you first need to install Windows Server 2003 or upgrade to Windows Server 2003. Only after Windows Server 2003 is deployed are you able to install IIS 6 in your environment. After Windows Server 2003 is installed, you can install IIS 6 from the Configure Your Server Wizard, for all editions of Windows Server 2003 other than the Web Edition. When you first log on after Windows Server 2003 is installed, the Manage Your Server Wizard is initiated. To start the Configure Your Server Wizard, choose the Add Or Remove A Role link. You next have to follow the prompts of the Configure Your Server Wizard to install the Application Server (IIS, ASP.NET) option. When you install a Web server, users can utilize Web based applications and download files as well. The protocols supported by IIS 6 are listed here:
• Hypertext Transfer Protocol (HTTP) is a TCP/IP application layer protocol used to connect to websites. HTTP handles the publishing of static and dynamic Web content. Port 80 is used for HTTP connections. A HTTP session consists of a connection, a HTTP request and a HTTP response:
1. The client establishes a TCP connection to the server by using a TCP three way handshake.
2. After the connection is established, the client sends a HTTP GET request message to the server.
3. The server sends the client the requested Web page.
4. HTTP Keep-Alives maintains the TCP connection between the client and server if it is enabled, so that the client can request additional pages.

5. If HTTP Keep-Alives is not enabled, the TCP connection is terminated after the requested page is downloaded.
• File Transfer Protocol (FTP) is a TCP/IP application layer protocol used for copying files to and from remote systems through the Transmission Control Protocol (TCP). FTP makes it possible for clients to upload and download files from a FTP server over an internetwork. You need an FTP server and FTP client to use the protocol. Through IIS, you can create and administer FTP servers. A FTP session has a connection, a request, and a response:
1. The client establishes a TCP connection to the FTP server through port 21. A port number over 1023 is assigned to the client.
2. The client sends a FTP command to port 21.
3. If the client needs to receive data, another connection is created with the client to convey the data. This connection utilizes port 20.
4. The second connection remains in a TIME_WAIT state after the data is transferred to the client. The TIME_WAIT state makes it possible for additional data to be transferred.
5. The TIME_WAIT state ends when the connection times out.
• Network News Transfer Protocol (NNTP) is a TCP/IP application layer protocol used to send network news messages to NNTP servers and NNTP clients on the Internet. NNTP is a client/server and server/server protocol. A NNTP client can establish a connection with a NNTP host to download a list of newsgroups, and read the messages contained in the newsgroups. The NNTP protocol enables a NNTP host to replicate its list of newsgroups and messages with another host through newsfeeds, using a push method or a pull method. Through NNTP, you can implement private news servers to host discussion groups, or you can implement public news servers to provide customer support and help resources to Internet users. You can specify that users need to be authenticated to both read and post items to newsgroups, or you can allow access to everybody. The NNTP service can also integrate with the Windows Indexing Service for the indexing of newsgroup content. It is also fully integrated with event and performance monitoring of Windows Server 2003.
• Simple Mail Transfer Protocol (SMTP) is a TCP/IP application layer protocol used for routing and transferring e-mail between SMTP hosts on the Internet, and for handling incoming e-mail. SMTP enables IIS machines to operate as SMTP hosts to forward e-mail over the Internet. SMTP can be used to forward mail from one SMTP host to another SMTP host. SMTP cannot deliver mail directly to the client; mail clients use POP3 or IMAP to receive e-mail. Windows Server 2003 includes the POP3 service for providing clients with mailboxes. SMTP also enables IIS machines to protect mail servers such as Microsoft Exchange servers from malicious attacks by operating between these servers and the Sendmail host at the ISP of the organization. IIS can be utilized instead of Sendmail. The SMTP service is installed on the Windows Server 2003 Web Edition by default. To use SMTP as a component of IIS, you have to install the SMTP service first if you are running a Windows Server 2003 Edition other than the Windows Server 2003 Web Edition.
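The HTTP session described above (TCP handshake, GET, response, and the effect of HTTP Keep-Alives) as an added Python example, not code from the original text: a minimal HTTP/1.1 server on loopback and a raw-socket client that fetches two pages once with Keep-Alives on and once off, counting how many TCP connections each run needs. The page paths and body text are constructed.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PageHandler(BaseHTTPRequestHandler):
    """Minimal HTTP/1.1 server that honours the client's Connection: keep-alive / close header."""
    protocol_version = "HTTP/1.1"  # HTTP/1.0 would close the connection after every response

    def do_GET(self):
        body = f"<html>page {self.path}</html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))  # lets the client find the end of the body
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), PageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def read_response(sock):
    """Read one HTTP response (status line, headers, Content-Length body) from the socket."""
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before a full response arrived")
        raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, v in (ln.split(":", 1) for ln in lines[1:])}
    length = int(headers.get("content-length", "0"))
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return status, headers, body[:length]


def fetch_pages(port, paths, keep_alive):
    """Request each path in turn. With keep_alive=True one TCP connection carries every
    request (step 4); with keep_alive=False the server closes after each page (step 5).
    Returns ([(status, body), ...], number_of_tcp_connections_opened)."""
    results, connections, sock = [], 0, None
    for path in paths:
        if sock is None:
            sock = socket.create_connection(("127.0.0.1", port), timeout=5)  # step 1: handshake
            connections += 1
        request = (f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                   f"Connection: {'keep-alive' if keep_alive else 'close'}\r\n\r\n")
        sock.sendall(request.encode())                 # step 2: GET request
        status, _, body = read_response(sock)          # step 3: the page comes back
        results.append((status, body.decode()))
        if not keep_alive:
            sock.recv(1)   # server closes after the page: recv returns b"" once the FIN arrives
            sock.close()
            sock = None
    if sock is not None:
        sock.close()
    return results, connections


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(fetch_pages(port, ["/index.html", "/about.html"], keep_alive=True))
    print(fetch_pages(port, ["/index.html", "/about.html"], keep_alive=False))
    srv.shutdown()
```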

Understanding the Mail Server Role
The mail server role provides e-mail services for the network, by providing the functionality needed for users to both send and receive e-mail messages. A mail server has to exist for users to send e-mail to each other. When a mail server receives e-mail for a user, it stores the e-mail for the intended user until that particular user retrieves it from the mail server. The primary functions of mail servers are listed here:
• Store e-mail data.
• Process client requests.
• Receive incoming e-mail from the Internet.
When you configure a server for the mail server role, the following TCP/IP based protocols are installed:
• Simple Mail Transfer Protocol (SMTP): SMTP is a TCP/IP application layer protocol used for routing and transferring e-mail between SMTP hosts on the Internet, and for handling incoming e-mail. The SMTP service has to be installed because mail servers and clients utilize this service to send e-mail.
• Post Office Protocol 3 (POP3): Mail clients use the POP3 service or IMAP to receive e-mail. Windows Server 2003 includes the POP3 service for providing clients with mailboxes. The POP3 service also enables clients to retrieve e-mail from the mail server. IIS 6 has to be installed to install both the SMTP service and the Post Office Protocol 3 (POP3) service.
Understanding the Terminal Server Role
Terminal Services have the ability to operate as an application server that remote clients can connect to, and run sessions from. A user connecting to a Windows Server 2003 server through Remote Desktop functions as a terminal on that server. The terminal is only responsible for the keyboard, mouse and the display. All processing is handled by the Terminal Services server. In this case, the resources of the server are used, and not those of the workstation. Once a client establishes a connection to Terminal Services, it creates a Terminal Services session for the client. Every user has an individual Terminal Services session. Sessions are unique and do not affect one another. Clients can access Terminal Services over a local area connection or a wide area connection. Clients use insignificant bandwidth on the underlying network when they establish a connection; the local machine only needs to handle the console. Terminal Services is therefore popular in WANs where bandwidth is limited. It is also suited for mobile users who have to execute processor intensive applications over a dial-up connection. The Terminal Services server runs the applications, and the data response is transmitted back to the Terminal Services client. When applications need to be installed or updated, a single instance of the application can be installed or updated on the Terminal Services server. In this manner, users will have access to the application without you needing to install or update the application on all machines. Terminal Services clients can be MS-DOS based clients, Windows based terminals, Windows for Workgroups clients (version 3.11), and Macintosh clients. Remote Desktop Protocol (RDP) is the protocol that manages communications between a computer running Terminal Services, and a client computer running a Terminal Server client.

The connection can be established using Terminal Services on a terminal server, or it can be used for Remote Administration. Remote Desktop Connection is by default installed with Windows XP and Windows Server 2003. You can however install Remote Desktop Connection on the previous Windows Operating Systems (OSs) such as Windows 2000, Windows NT, Windows ME, Windows 98, and Windows 95. The RDC utility is backward compatible, and can therefore interact with Terminal Services in Windows XP, Windows 2000 and Windows NT 4 Terminal Server Edition. The RDC utility can be used for complete terminal server client utilization.
Understanding the Remote Access and VPN Server Role
The Windows Server 2003 remote access and VPN server role can be used to provide remote access to clients through either of the following methods:
• Dial-up connections: Dial-up networking makes it possible for a remote access client to establish a dial-up connection to a port on a remote access server. Users that connect through a dial-up networking server connect to the network much like a standard LAN user accessing network resources. The configuration of the dial-up networking server determines what resources the remote user can access.
• Virtual private networks (VPNs): Virtual Private Networks (VPNs) provide secure and advanced connections through a non-secure network by providing data privacy. Private data is secure in a public environment. VPNs are implemented over extensive shared infrastructures. By using analog, ISDN, DSL, cable technology, dial and mobile IP, remote users running VPN client software are assured private access in a publicly shared environment. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote access VPNs provide a common environment which many different sources, such as intermediaries, clients and off-site employees, can access through web browsers or email. Email, database and office applications use these secure remote VPN connections.
A few features and capabilities provided by the RRAS server are listed here:
• Assign DHCP addresses to RRAS clients.
• Remote Access Policies (RAPs): RAPs are used to grant remote access permissions.
• LAN-to-LAN routing and LAN-to-WAN routing.
• Virtual private network (VPN) routing.
• Network Address Translation (NAT) routing: NAT, defined in RFC 1631, translates private addresses to Internet IP addresses that can be routed on the Internet.
• Routing features, including:
○ IP multicasting
○ Packet filtering
○ Demand-dial routing
○ DHCP relay

• Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) of Cisco with Point-to-Point Tunneling Protocol (PPTP) of Microsoft. L2TP is a Data-link protocol that can be used to establish Virtual Private Networks (VPNs).
• Internet Authentication Service (IAS), a Remote Authentication Dial-In User Service (RADIUS) server, provides remote authentication, authorization and accounting for users that are connecting to the network through a network access server (NAS) such as Windows Routing and Remote Access.
Understanding the Domain Controllers Role
A domain controller is a server that stores a writable copy of Active Directory, and maintains the Active Directory data store. Active Directory was designed to provide a centralized repository of information, or data store, that could securely manage the resources of an organization. The Active Directory directory services ensure that network resources are available to, and can be accessed by, users, applications and programs. Active Directory also makes it possible for administrators to log on to one network computer, and then manage Active Directory objects on a different computer within the domain. A domain controller is a computer running Windows 2000 or Windows Server 2003 that contains a replica of the domain directory. The main functions of the domain controller role within Active Directory are listed here:
• Each domain controller in a domain stores and maintains a replica of the Active Directory data store for the particular domain.
• Domain controllers in Active Directory utilize multimaster replication. What this means is that no single domain controller is the master domain controller. All domain controllers are considered peers.
• Domain controllers also automatically replicate directory information for objects stored in the domain between one another. Updates that are considered important are replicated immediately to the remainder of the domain controllers within the domain. Implementing multiple domain controllers within the domain provides fault tolerance for the domain.
• In Active Directory, domain controllers can detect collisions. Collisions take place when an attribute modified on one particular domain controller is changed on a different domain controller prior to the change on the initial domain controller being fully propagated.
• Domain controllers in Active Directory maintain the Active Directory data store and security policy of the domain. Domain controllers therefore also provide security for the domain by authenticating user logon attempts.
• Certain master roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned special master roles are called Operations Masters. These domain controllers host a master copy of specific data in Active Directory. They also copy data to the remainder of the domain controllers. There are five different types of master roles that can be defined for domain controllers. Two types of master roles, forestwide master roles, are assigned to one domain controller in a forest. The other three master roles, domainwide master roles, are applied to a domain controller in every domain.

The different types of master roles which can be configured on domain controllers are listed here:
• The Schema Master is a forestwide master role applied to a domain controller that manages all changes in the Active Directory schema.
• The Domain Naming Master is a forestwide master role applied to a domain controller that manages changes to the forest, such as adding and removing a domain. The domain controller serving this role also manages changes to the domain namespace.
• The Relative ID (RID) Master is a domainwide master role applied to a domain controller that creates unique ID numbers for domain controllers and manages the allocation of these numbers.
• The PDC Emulator is a domainwide master role applied to a domain controller that operates like a Windows NT primary domain controller. This role is typically necessary when there are computers in your environment running pre-Windows 2000 and XP operating systems.
• The Infrastructure Master is a domainwide master role applied to a domain controller that manages changes made to group memberships.
A Global Catalog (GC) server can also be installed on a domain controller. The global catalog is a central information store on the Active Directory objects in a forest and domain, and is used to improve performance when searching for objects in Active Directory. The first domain controller installed in a domain is designated as the global catalog server by default. It is generally recommended to configure a global catalog server for each site in a domain. The global catalog server stores a full replica of all objects in its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those objects which are frequently searched for. The functions of the global catalog server are summarized below:
• The global catalog server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
• Global catalog servers are crucial for Active Directory's UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. Here, the GC server assists in locating the user account so that the authenticating domain controller can proceed with the logon request for the user.
• The global catalog server also makes it possible to provide Universal Group membership information to the domain controller for users' network logon requests.
Understanding the DNS Server Role
Domain Name Service (DNS) is a hierarchically distributed database that creates hierarchical names that can be resolved to IP addresses. The IP addresses are then resolved to MAC addresses. DNS provides the means for naming IP hosts, and for locating IP hosts when they are queried for by name. A Fully Qualified Domain Name (FQDN) is the DNS name that is used to identify a computer on the network. DNS provides name resolution services to establish connections for those clients that need to resolve names to IP addresses. The DNS server role resolves IP addresses to domain names, and domain names to IP addresses. A DNS server is a computer running the DNS service or BIND, that provides domain name services. The DNS server manages the DNS database that is located on it. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution. A DNS server is authoritative for the contiguous portion of the DNS namespace over which it resides. When a DNS server is queried for name resolution services it can do any of the following:
• Respond to the request directly by providing the requested information.
• Provide a pointer (referral) to another DNS server that can assist in resolving the query.
• Respond that the information is unavailable.
• Respond that the information does not exist.
You can configure different server roles for your DNS servers. The server role that you configure for a DNS server affects the following operations of the server:
• The way in which the DNS server stores DNS data.
• The way in which the DNS server maintains data.
• Whether the DNS data in the database file can be directly edited.
The different DNS server roles which you can configure are listed here:
• Standard Primary DNS server: This DNS server owns the zones defined in its DNS database, and can make changes to its zones. A DNS primary server is created when a new primary zone is added. A standard primary DNS server obtains zone data from the local DNS database. The primary DNS server is authoritative for the zone data that it contains. When a change needs to be made to the resource records of the zone, it has to be done on the primary DNS server so that it can be included in the local zone database. It is recommended to install at least one primary DNS server, and one secondary DNS server for each DNS zone.
• Standard Secondary DNS server: This DNS server obtains a read-only copy of zones through DNS zone transfers. A secondary DNS server cannot make any changes to the information contained in its read-only copy. A secondary DNS server can however resolve queries for name resolution. Secondary DNS servers are usually implemented to provide fault tolerance, provide fast access for clients in remote locations, and to distribute the DNS server processing load evenly. If a secondary DNS server is implemented, that DNS server can continue to handle queries when the primary DNS server becomes unavailable. Secondary DNS servers also assist in reducing the processing load of the primary DNS server. When a secondary DNS server is configured, you have to specify the master server from which it will obtain zone information. Zone transfer enables a secondary DNS server to obtain zone information from its configured primary DNS server. A secondary DNS server initiates the zone transfer process from its particular master server when it is brought online. A secondary DNS server can also transfer its zone data to other secondary DNS servers. Here, the secondary DNS server is regarded as the master server to the other subordinate secondary DNS servers, which are beneath it in the DNS hierarchy.
• Caching-only DNS server: A caching-only DNS server only performs queries and then stores the results of these queries. All information stored on the caching-only DNS server is therefore only that data which has been cached while the server performed queries. Caching-only DNS servers do not host zones and are not authoritative for any DNS domain. The information stored by caching-only DNS servers is the name resolution data that it has collected through name resolution queries. Caching-only DNS servers only cache information when the queries have been resolved.
• Master DNS servers: The DNS servers from which secondary DNS servers obtain zone information in the DNS hierarchy are called master DNS servers.
• Dynamic DNS Servers: Windows 2000, Windows XP and Windows Server 2003 computers can dynamically update the resource records of a DNS server when a client's IP addressing information is added or renewed through Dynamic Host Configuration Protocol (DHCP). Both DHCP and Dynamic DNS (DDNS) updates make this possible. When dynamic DNS updates are enabled, a client sends a message to the DNS server when changes are made to its IP addressing data. This indicates to the DNS server that the A type resource record of the client needs to be updated.
Understanding the WINS Server Role
The Windows Internet Name Service (WINS) server role provides name resolution services for clients that need to resolve IP addresses to NetBIOS names, and vice versa. A WINS server is an enhanced NetBIOS name server (NBNS) designed by Microsoft to resolve NetBIOS computer names to IP addresses. WINS registers NetBIOS computer names, and stores these client name registrations in the WINS database. The registrations are used when clients query for host name resolution and service information, and to resolve a NetBIOS name to an IP address. If the WINS server resolves the NetBIOS name to an IP address, no broadcast traffic is sent over the network. Broadcasts are only utilized if the WINS server is unable to resolve the NetBIOS name. WINS can resolve NetBIOS names for local hosts and remote hosts. A WINS enabled client can communicate with a WINS server that is located anywhere on the internetwork. Clients that are configured to utilize a WINS server as a NetBIOS name server (NBNS) are called WINS enabled clients. Remember that all Windows operating systems prior to Windows 2000 require NetBIOS name support. Although Windows 2000 was the first Windows operating system where NetBIOS naming was no longer required, you might still need to provide support for NetBIOS naming if you have legacy applications. To implement WINS, you only need one WINS server for an internetwork. However, implementing two WINS servers provides fault tolerance for name resolution. The secondary WINS server would be used for name resolution if the primary WINS server is unavailable to service WINS clients' requests.

When you configure the WINS server role, the WINS server must be statically assigned with the following TCP/IP parameters: static IP address, subnet mask and default gateway. A WINS server can cope with 1,500 name registrations and roughly 4,500 name queries per minute. It is recommended to have one WINS server and a backup server for each 10,000 WINS clients.

Understanding the DHCP Server Role

DHCP is a service and protocol which runs on a Windows Server 2003 operating system. DHCP functions at the application layer of the TCP/IP protocol stack. One of the primary tasks of the protocol is to automatically assign IP addresses to DHCP clients. A server running the DHCP service is called a DHCP server. The DHCP protocol automates the configuration of TCP/IP clients because IP addressing occurs through the system, and with no manual intervention.

You can configure a server as a DHCP server so that the DHCP server can automatically assign IP addresses to DHCP clients. IP addresses that are assigned through a DHCP server are regarded as dynamically assigned IP addresses. The DHCP server assigns IP addresses from a predetermined IP address range (or ranges), called a scope. A DHCP scope can be defined as a set of IP addresses which the DHCP server can allocate or assign to DHCP clients. A scope contains specific configuration information for clients that have IP addresses which are within the particular scope. Scope information for each DHCP server is specific to that particular DHCP server only, and is not shared between DHCP servers. Scopes for DHCP servers are configured by administrators.

The functions of the DHCP server are outlined below:
• Dynamically assign IP addresses to DHCP clients.
• Allocate the following TCP/IP configuration information to DHCP clients:
○ Subnet mask information
○ Default gateway IP addresses
○ Domain Name System (DNS) IP addresses
○ Windows Internet Naming Service (WINS) IP addresses

You can increase the availability of DHCP servers by using the 80/20 Rule if you have two DHCP servers located on different subnets. The 80/20 Rule is applied as follows:
• Allocate 80 percent of the IP addresses to the DHCP server which resides on the local subnet.
• Allocate 20 percent of the IP addresses to the DHCP server on the remote subnet.
If the DHCP server that is allocated 80 percent of the IP addresses has a failure, the remote DHCP server would resume assigning IP addresses to the DHCP clients.

With Windows Server 2003 DHCP, three options are available for registering IP addresses in DNS. The options can be configured for the DHCP server, or for each individual scope. The options which can be specified to enable or disable the DHCP service dynamically updating DNS records on behalf of the client are:
• The DHCP server can be configured to not register any IP address of the DHCP clients when it assigns IP addresses to these clients.
• The DHCP server can be configured to at all times register all IP addresses of clients when they receive IP addresses from the DHCP server.
• The default option results in the DHCP server registering the IP addresses of clients with the authoritative DNS server, based on the client's request for an IP address.

Understanding the Streaming Media Server Role

The streaming media role provides media services so that clients can access streaming audio and video. The Windows Media Services is used to provide media services to clients. The Windows Media Services can be configured on server platforms, and on enterprise platforms. The Windows Media Services is not available in the following editions of Windows Server 2003:
• Windows Server 2003 Web Edition
• Windows Server 2003 64-bit versions

Understanding Certificate Authorities (CAs) Servers

A Certificate Authority is an entity that generates and validates digital certificates. The CA utilizes its policies, and incorporates the type of certificate being requested, to verify the identity of the requestor. A digital certificate associates a public key with an owner. The certificate verifies the identity of the owner. A certificate cannot be forged because the authority that issued the certificate digitally signs the certificate. Certificates are issued for functions such as the encryption of data, code signing, Web user and Web server authentication, and for securing e-mail. The information included in a certificate is determined by the type of certificate being used. Certificate Authorities (CAs) are servers which are configured to issue certificates to users, computers, and services. CAs also manage certificates.

The functions performed by Certificate Authorities (CAs) are listed below:
• Accepts the request for a certificate from a user, computer, application, or service.
• Authenticates the identity of the user, computer or service requesting the certificate.
• Creates the certificate for the requestor.
• Digitally signs the certificate using its own private key.

A CA can be a trusted third party entity such as VeriSign or Thawte, or it can be an internal entity of the organization. An example of an internal CA entity is Windows Server 2003 Certificate Services. Windows Certificate Services is used to create a Certificate Authority on Windows Server 2003 servers. Windows Server 2003 Certificate Services can be used to create certificates for users and computers in Active Directory domains. By using the tools provided by Microsoft, you can create an internal CA structure within your organization. The CA adds its own signature to the public key of the client. When certificates are issued to a client, they are stored in the Registry and in Active Directory. You can also store certificates on smart cards. Certificates in Windows XP and Windows Server 2003 are managed by the Data Protection API.

An organization can have multiple CAs, which are arranged in a logical manner. The first CA that is installed becomes the root CA. A root CA is the most trusted CA in a CA hierarchy. The common practice is to first install the root CA, and then use the root CA to validate all the other CAs within the organization. When a root CA issues certificates to other CAs, these CAs become subordinate CAs of the root CA. The root CA never usually directly issues certificates to users, computers, applications or services. Subordinate CAs which only issue certificates to users, computers, applications or services, and not to other subordinate CAs, are called leaf CAs. A subordinate CA can also issue certificates to other subordinate CAs. These subordinate CAs are called intermediate CAs. While an intermediate CA is subordinate to the root CA, it is considered superior to those subordinate CAs to which it issued certificates.

The types of CAs which you can install:
• Enterprise root CA: This is the topmost CA in the CA hierarchy, and is the first CA installed in the enterprise. Enterprise root CAs are reliant on Active Directory. Enterprise root CAs issue certificates to subordinate CAs.
• Enterprise Subordinate CA: This CA also needs Active Directory, and is used to issue certificates to users and computers.
• Stand-alone Root CA: A stand-alone root CA is the topmost CA in the certificate chain. A stand-alone root CA is not, however, dependent on Active Directory, and can be removed from the network. This makes a stand-alone root CA the solution for implementing a secure offline root CA. When a root CA is online, it is used to issue certificates to subordinate CAs.
• Stand-alone Subordinate CA: This type of CA is also not dependent on Active Directory, and is used to issue certificates to users, computers, and other CAs.

1. What is Active Directory schema?
2. What are the domain functional levels in Windows Server 2003?
3. What are the forest functional levels in Windows Server 2003?
4. What is a global catalog server?
5. How can we raise the domain functional and forest functional level in Windows Server 2003?
6. Which is the default protocol used in directory services?
7. What is IPv6?
8. What is the default domain functional level in Windows Server 2003?
9. What are the physical and logical components of ADS?
10. In which domain functional level can we rename the domain name?
11. What is multimaster replication?
12. What is a site?
13. Which is the command used to remove Active Directory from a domain controller?
14. How can we create a console which contains the schema?

15. What is trust?
16. What is the file that's responsible for keeping the entire Active Directory database?
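Returning to the 80/20 Rule from the DHCP section above: the following Go program is an added example written for this page (not Microsoft's code and not a DHCP implementation) that plans the split for a constructed subnet. It keeps the network and broadcast addresses out of both scopes, reserves the first few host addresses for statically configured hosts such as the WINS server the text says must have a static IP, hands 80 percent of the remaining addresses to the local DHCP server and 20 percent to the remote one, and confirms the two scopes are disjoint, since scope information is private to each server and overlapping scopes would lease one address twice. The subnet `10.0.1.0/24` and the reservation of 10 addresses are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ScopeRange is a contiguous block of IPv4 addresses that one DHCP server
// may lease. Scopes are private to a server, so two servers that share a
// subnet must be given disjoint ranges.
type ScopeRange struct {
	Server string
	Start  netip.Addr
	End    netip.Addr
}

// Count returns the number of addresses in the range (inclusive).
func (r ScopeRange) Count() int {
	return int(addrToU32(r.End)-addrToU32(r.Start)) + 1
}

func addrToU32(a netip.Addr) uint32 {
	b := a.As4()
	return uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3])
}

func u32ToAddr(v uint32) netip.Addr {
	return netip.AddrFrom4([4]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)})
}

// Split8020 plans the 80/20 rule for one subnet. The network and broadcast
// addresses are never leased; the next `reserved` host addresses are kept for
// statically configured hosts (a WINS server needs a static IP). The remaining
// usable addresses go 80 percent to the local DHCP server and 20 percent to the
// remote one, so the remote server can keep leasing if the local one fails.
func Split8020(subnet string, reserved int) (local, remote ScopeRange, err error) {
	pfx, err := netip.ParsePrefix(subnet)
	if err != nil {
		return local, remote, err
	}
	if !pfx.Addr().Is4() || pfx.Bits() > 30 {
		return local, remote, fmt.Errorf("need an IPv4 prefix with at least four addresses: %s", subnet)
	}
	if reserved < 0 {
		return local, remote, fmt.Errorf("reserved count must not be negative")
	}
	network := addrToU32(pfx.Masked().Addr())
	size := uint32(1) << uint(32-pfx.Bits())
	first := network + 1 + uint32(reserved) // skip network address and reserved hosts
	last := network + size - 2               // skip broadcast address
	if first >= last {
		return local, remote, fmt.Errorf("reservation of %d leaves fewer than two leasable addresses", reserved)
	}
	usable := last - first + 1
	localCount := usable * 80 / 100
	local = ScopeRange{"local", u32ToAddr(first), u32ToAddr(first + localCount - 1)}
	remote = ScopeRange{"remote", u32ToAddr(first + localCount), u32ToAddr(last)}
	return local, remote, nil
}

// Overlaps reports whether two scope ranges share any address. Overlapping
// scopes on two servers would hand the same address to two clients.
func Overlaps(a, b ScopeRange) bool {
	return addrToU32(a.Start) <= addrToU32(b.End) && addrToU32(b.Start) <= addrToU32(a.End)
}

func main() {
	// Constructed input: a /24 with the first 10 hosts reserved for static devices.
	local, remote, err := Split8020("10.0.1.0/24", 10)
	if err != nil {
		panic(err)
	}
	for _, r := range []ScopeRange{local, remote} {
		fmt.Printf("%-6s %s - %s (%d addresses)\n", r.Server, r.Start, r.End, r.Count())
	}
	fmt.Println("overlap:", Overlaps(local, remote))
}
```

For the constructed `/24` with 10 reserved hosts, the local server gets 10.0.1.11 to 10.0.1.205 (195 addresses) and the remote server 10.0.1.206 to 10.0.1.254 (49 addresses). The integer division rounds the local share down, so the remote scope absorbs the remainder; in a real deployment the remote scope would also need an exclusion range covering the local server's addresses if both servers sit on the same subnet, which the page does not cover.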
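To make the CA hierarchy from the Certificate Authorities section concrete, here is an added Go example written for this page; it is not Windows Certificate Services code and does not touch Active Directory. It builds an offline root CA, a subordinate CA whose certificate the root signs, and an end-entity (user) certificate signed by the subordinate, mirroring the rule that the root issues to subordinate CAs rather than directly to users. It then verifies the chain the way a relying party would, and shows the constraint that enforces the layering: a certificate not marked as a CA cannot act as an issuer, so anything "issued" by an end entity is rejected. All subject names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate holder together with the private key behind it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1

// issue creates a certificate for subject. With issuer == nil the certificate
// is self-signed, which is how a root CA comes into being; otherwise the issuer
// signs it with its own private key, as the CA functions listed above describe.
// isCA sets the BasicConstraints extension that says whether the new
// certificate may in turn sign other certificates.
func issue(subject string, isCA bool, issuer *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, Key: key}, nil
}

// BuildHierarchy mirrors the layout described above: an offline root issues
// only to a subordinate CA, and the subordinate issues to end entities.
func BuildHierarchy() (root, sub, user *Entity, err error) {
	if root, err = issue("Example Offline Root CA", true, nil); err != nil {
		return
	}
	if sub, err = issue("Example Subordinate CA", true, root); err != nil {
		return
	}
	user, err = issue("alice@example.test", false, sub)
	return
}

// VerifyChain checks that leaf chains to the trusted root through the given
// intermediates, as a relying party would before accepting the certificate.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	root, sub, user, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("user cert via subordinate CA:", VerifyChain(user.Cert, []*x509.Certificate{sub.Cert}, root.Cert))
	// An end entity is not a CA, so a certificate it signs must be rejected.
	bogus, _ := issue("issued-by-end-entity.example.test", false, user)
	fmt.Println("cert signed by a non-CA:", VerifyChain(bogus.Cert, []*x509.Certificate{sub.Cert, user.Cert}, root.Cert))
}
```

Only the root certificate goes into the trust store; the subordinate is supplied as an intermediate, which is why the user certificate fails to verify when the subordinate certificate is omitted. The root's private key is used exactly once here, to sign the subordinate, which is the property an offline stand-alone root CA is built around.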
