Best Questions For Ad Interview
Note
If DNS is running on a Windows 2000 server that is not a domain
controller, it will not be able to use Active Directory-integrated
zones or replicate with other domain controllers, since it does not
have Active Directory installed.
DNS Records
After you create a zone, additional resource records need to be
added to it. The most common resource records (RRs) to be
added are:

Table 1. Record Types
Name - Description
Host (A) - Maps a DNS domain name to the IP address used by a computer.
Alias (CNAME) - Maps an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX) - Maps a DNS domain name to the name of a computer that exchanges or forwards mail for that domain.
Pointer (PTR) - Maps a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.
Service location (SRV) - Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
■ Organizational Units
Organizational Units (OUs) provide a way to create administrative
boundaries within a domain. Primarily, this allows you to delegate
administrative tasks within the domain. OUs serve as containers
into which the resources of a domain can be placed. You can then
assign administrative permissions on the OU itself. Typically, the
structure of OUs follows an organization’s business or functional
structure. For example, a relatively small organization with a
single domain might create separate OUs for departments within
the organization.
Q2. What does the physical structure of active directory
contain?
Physical structures include domain controllers and sites.
Q3. What is nesting?
The creation of an OU inside another OU. Important: once you go
beyond about 12 OUs deep in a nesting structure, you start
running into significant performance issues.
Q4. What is a trust relationship, and how many types of trust
relationship are there in Exchange 2003?
Since domains represent security boundaries, special
mechanisms called trust relationships allow objects in one domain
(called the trusted domain) to access resources in another
domain (called the trusting domain). Windows Server 2003
supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts
■ Global groups: are used to gather users that have similar permissions
requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from
the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or
Windows Server 2003 (i.e., the domain contains only Windows 2000 or
2003 servers), global groups can also contain other global groups
from the local domain.
3. Global groups can be assigned permissions or be added to local
groups in any domain in a forest.
■ Domain local groups: exist on domain controllers and are used to
control access to resources located on domain controllers in the
local domain (for member servers and workstations, you use local
groups on those systems instead). Domain local groups share the
following characteristics:
1. Domain local groups can contain users and global groups from
any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native
or Windows Server 2003, domain local groups can also contain other
domain local groups and universal groups.
■ Universal groups: are normally used to assign permissions to
related resources in multiple domains. Universal groups share the
following characteristics:
1. Universal groups are available only when the forest functional
level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular
domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related
resources in multiple domains.
4. Universal groups can contain users, global groups, and other
universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any
resource in any domain.
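As an added example (not part of the original page), the containment rules listed for the three group scopes, encoded as a membership check that can audit a proposed set of nestings at a given functional level; domain names, group names and the level ranking are constructed, and the same-domain restriction on nested domain local groups is an assumption the text does not state:

```python
"""Check group-membership additions against the group-scope rules listed above
(global, domain local and universal groups) at a given functional level.

Added example, not code from the original page; domain names, group names
and the LEVELS ranking are constructed. The text does not say which domain a
nested domain local group may come from; the same-domain restriction coded
below is the standard rule and is an assumption beyond the text.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Functional levels in ascending order (constructed ranking of the page's names).
LEVELS = {"Windows 2000 mixed": 0, "Windows 2000 native": 1, "Windows Server 2003": 2}
ACCOUNTS = ("user", "computer")
SCOPES = ("global", "domainlocal", "universal")


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str        # one of ACCOUNTS or SCOPES
    domain: str      # DNS name of the domain that holds the object


def can_be_member(member: Principal, group: Principal, level: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group` at `level`."""
    if level not in LEVELS:
        raise ValueError(f"unknown functional level: {level}")
    if group.kind not in SCOPES:
        raise ValueError(f"{group.name} is not a group")
    native = LEVELS[level] >= LEVELS["Windows 2000 native"]
    same_domain = member.domain == group.domain

    if group.kind == "global":
        if member.kind in ACCOUNTS:
            return same_domain, "global groups hold accounts only from their own domain"
        if member.kind == "global":
            if not native:
                return False, "global-in-global nesting needs Windows 2000 native or higher"
            return same_domain, "global groups may nest only global groups of the local domain"
        return False, f"global groups cannot contain {member.kind} groups"

    if group.kind == "domainlocal":
        if member.kind in ACCOUNTS or member.kind == "global":
            return True, "users and global groups from any domain, at any level"
        if not native:
            return False, f"{member.kind} members need Windows 2000 native or higher"
        if member.kind == "domainlocal":
            # Same-domain restriction is an assumption beyond the text above.
            return same_domain, "domain local groups nest domain local groups of the same domain"
        return True, "universal groups from any domain at native level or higher"

    # group.kind == "universal"
    if not native:
        return False, "universal groups exist only at Windows 2000 native or higher"
    if member.kind == "domainlocal":
        return False, "universal groups cannot contain domain local groups"
    return True, "universal groups take users, global and universal groups from any domain"


def audit(memberships: List[Tuple[Principal, Principal]], level: str) -> List[str]:
    """Return one line per disallowed (member, group) pair; an empty list means clean."""
    problems = []
    for member, group in memberships:
        ok, why = can_be_member(member, group, level)
        if not ok:
            problems.append(f"{member.name} -> {group.name}: {why}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a cross-domain universal group nested into a domain local group.
    sample = [
        (Principal("alice", "user", "corp.example"), Principal("G-Sales", "global", "corp.example")),
        (Principal("U-All", "universal", "eu.example"), Principal("DL-Share", "domainlocal", "corp.example")),
    ]
    for lvl in LEVELS:
        print(lvl, audit(sample, lvl) or "ok")
```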
Q17. What are the items that groups of different scopes
can contain in mixed and native mode domains?
Q18. What is group nesting?
Placing one group in another is called group nesting. For
example, suppose you had junior-level administrators in four
different geographic locations, as shown in Figure 4-10. You could
create a separate group for each location (named something like
Dallas JuniorAdmins). Then, you could create a single group
named Junior Admins and make each of the location-based groups
a member of the main group. This approach would allow you to
set permissions on a single group and have those permissions
flow down to the members, yet still be able to subdivide the junior
administrators by location.
Q19. How many characters does a group name contain?
Ans) 64
Q15. What are the two exceptions to control the inheritance of
the group policy?
■ No Override
When you link a GPO to a container, you can configure a No
Override option that prevents settings in the GPO from being
overridden by settings in GPOs linked to child containers. This
provides a way to force child containers to conform to a particular
policy.
■ Block Inheritance
You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent
containers. However, if a parent container has the No Override
option set, the child container cannot block inheritance from this
parent.
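The No Override and Block Inheritance interaction from Q15, as an added worked example that is not code from the page: a small resolver that orders GPO links down a container chain and shows which settings win; container, GPO and setting names are constructed, and the ordering among several No Override links follows standard GPO processing rather than anything stated above:

```python
"""Resolve the GPOs that apply to an object at the bottom of a container chain,
honouring the No Override and Block Inheritance options described in Q15.

Added example, not code from the original page; container, GPO and setting
names are constructed. Modelled behaviour: links higher in the chain are
applied first and lower ones later, so the lowest link wins on conflict;
Block Inheritance on a container discards the ordinary links of every
container above it; a No Override link is applied after all ordinary links
and survives Block Inheritance below it, so it always wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Link:
    gpo: str
    no_override: bool = False


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def effective_gpos(chain: List[Container]) -> List[str]:
    """Return GPO names in application order (last applied wins).

    `chain` runs from the domain (index 0) down to the target OU (last).
    """
    ordinary: List[str] = []     # normal links, ancestors first
    forced: List[str] = []       # No Override links, ancestors first
    for container in chain:
        if container.block_inheritance:
            # Drop what ordinary inheritance brought down from above.
            # Forced links are kept: a child cannot block a No Override parent.
            ordinary = []
        for link in container.links:
            (forced if link.no_override else ordinary).append(link.gpo)
    # Forced links are applied after all ordinary ones. Among forced links the
    # highest container is applied last, so a No Override link at the domain
    # beats a No Override link on a child OU (standard GPO processing order,
    # an assumption not spelled out in the text above).
    return ordinary + list(reversed(forced))


def resolve_settings(chain: List[Container],
                     gpo_settings: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply each effective GPO's settings in order; later values overwrite earlier ones."""
    result: Dict[str, str] = {}
    for gpo in effective_gpos(chain):
        result.update(gpo_settings.get(gpo, {}))
    return result


# Constructed sample hierarchy: domain -> OU=Sales (Block Inheritance set).
DOMAIN = Container("corp.example", [
    Link("Default Domain Policy"),
    Link("Security Baseline", no_override=True),
])
SALES_OU = Container("OU=Sales", [Link("Sales Policy")], block_inheritance=True)

# Constructed sample settings carried by each GPO.
GPO_SETTINGS = {
    "Default Domain Policy": {"MinPasswordLength": "8", "Screensaver": "on"},
    "Security Baseline": {"Screensaver": "on", "SmartCardRequired": "yes"},
    "Sales Policy": {"Screensaver": "off", "Wallpaper": "sales.bmp"},
}


def demo() -> Dict[str, str]:
    """Settings seen by an object in OU=Sales: the baseline's Screensaver=on survives
    both the OU's own link and its Block Inheritance; MinPasswordLength is blocked."""
    return resolve_settings([DOMAIN, SALES_OU], GPO_SETTINGS)


if __name__ == "__main__":
    print("order:", effective_gpos([DOMAIN, SALES_OU]))
    for name, value in demo().items():
        print(f"{name} = {value}")
```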
Q16. How to Redirect New User and Computer Accounts?
By default, new user and computer accounts are created in the
Users and Computers containers, respectively. You cannot link a
GPO to either of these built-in containers. Even though the built-in
containers inherit GPOs linked to the domain, you may have a
situation that requires user accounts and computer accounts to
be stored in an OU to which you can link a GPO. Windows Server
2003 includes two new tools that let you redirect the target
location for new user and computer accounts. You can use
redirusr.exe to redirect user accounts and redircmp.exe to
redirect computer accounts. Once you choose the OU for
redirection, new user and computer accounts are created directly
in the new target OU, where the appropriate GPOs are linked. For
example, you could create an OU named New Users, link an
appropriate GPO to the OU, and then redirect the creation of new
user accounts to the New Users OU. Any new users created
would immediately be affected by the settings in the GPO.
Administrators could then move the new user accounts to a more
appropriate location later. You can find both of these tools in the
%windir%\system32 folder on any computer running Windows
Server 2003. You can learn more about using these tools in
Knowledge Base article 324949, "Redirecting the Users and
Computers Containers in Windows Server 2003 Domains," in the
Microsoft Knowledge Base at http://support.microsoft.com.
Q17. What permissions should an administrator have to
manage GPOs?
Editing GPOs linked to sites requires Enterprise Administrative
permissions.
Editing GPOs linked to domains requires Domain Administrative
permissions.
Editing GPOs linked to OUs requires permissions for the OU.
Q18. What is the client requirement for supporting GPOs?
For client computers to accept Group Policy settings, they must
be members of Active Directory. Support for Group Policy for key
operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group
Policy.
■ Windows 2000 Professional and Server support many of the
Group Policy settings available in Windows Server 2003, but not
all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and
Windows Server 2003 fully support Group Policy.
Functional levels are an extension of the mixed/native mode concept introduced in Windows
2000 to activate new Active Directory features after all the domain controllers in the domain or
forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows Server 2003 and the
administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003, and every domain in the forest must be at the Windows 2000 native or
Windows Server 2003 domain functional level. After this requirement is met, the administrator can raise the
forest functional level (read Raise Forest Function Level in Windows Server 2003 Active
Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect
the way that domain controllers interact with each other.
Important
Raising the domain and forest functional levels to Windows Server 2003 is a
nonreversible task and prohibits the addition of Windows NT 4.0–based or
Windows 2000–based domain controllers to the environment. Any existing
Windows NT 4.0 or Windows 2000–based domain controllers in the
environment will no longer function. Before raising functional levels to take
advantage of advanced Windows Server 2003 features, ensure that you will
never need to install domain controllers running Windows NT 4.0 or
Windows 2000 in your environment.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest,
a set of default Active Directory features becomes available. The following table summarizes the
Active Directory features that are available by default on any domain controller running
Windows Server 2003:
Feature - Functionality
Multiple selection of user objects - Allows you to modify common attributes of multiple user objects at one time.
Drag and drop functionality - Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities - Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
Saved queries - Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.
Active Directory command-line tools - Allows you to run new directory service commands for administration scenarios.
InetOrgPerson class - The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.
Application directory partitions - Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.
Ability to add additional domain controllers by using backup media - Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.
Universal group membership caching - Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.
Secure Lightweight Directory Access Protocol (LDAP) traffic - Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
Partial synchronization of the global catalog - Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.
Active Directory quotas - Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest,
the domain or forest operates by default at the lowest functional level that is possible in that
environment. This allows you to take advantage of the default Active Directory features while
running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports more
features than the Windows 2000 forest functional level, but fewer features than the Windows
Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level
that is available for a domain or forest. The Windows Server 2003 functional level supports the
most advanced Active Directory features; however, only Windows Server 2003 domain
controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any
domain controllers that are running versions of Windows earlier than Windows Server 2003 into
that domain. This applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The
four domain functional levels, their corresponding features, and supported domain controllers are
as follows:
Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows
Server 2003
• Activated features: local and global groups, global catalog support
Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory, converting groups
between security groups and distribution groups, you can raise domain levels by
increasing the forest level settings
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: There are no domain-wide features activated at this level. All
domains in a forest are automatically raised to this level when the forest level increases to
interim. This mode is only used when you upgrade domain controllers in Windows NT
4.0 domains to Windows Server 2003 domain controllers.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename, logon timestamp attribute updated and
replicated. User password support on the InetOrgPerson objectClass. Constrained
delegation, you can redirect the Users and Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows
Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows
2000 domains maintain their current domain functional level when Windows 2000 domain
controllers are upgraded to the Windows Server 2003 operating system. You can raise the
domain functional level to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the domain. For example, if you raise the domain functional
level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot
be added to that domain.
The following describes the domain functional level and the domain-wide features that are
activated for that level. Note that with each successive level increase, the feature set of the
previous level is included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest
functional levels, the corresponding features, and their supported domain controllers are listed
below.
Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
• New features: Partial list includes universal group caching, application partitions, install
from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for
System Access Control Lists (SACL) in the Jet Database Engine, improved topology
generation event logging, and no global catalog full sync when attributes are added to the
partial attribute set (PAS). A Windows Server 2003 domain controller assumes the Intersite Topology Generator
(ISTG) role.
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the
"Upgrade from a Windows NT 4.0 Domain" section of this article.
• Activated features: Windows 2000 features plus Efficient Group Member Replication
using Linked Value Replication, and Improved Replication Topology Generation. ISTG
Aliveness is no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info,
Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier,
ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message
Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest
Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change,
Application Groups, 15-second intrasite replication frequency for Windows Server 2003
domain controllers upgraded from Windows 2000
After the forest functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the forest. For example, if you raise forest functional levels to
Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000
Server cannot be added to the forest.
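As an added example, not code from the page, the supported-DC lists for the domain and forest functional levels above turned into pre-flight checks for raising a level and for adding a domain controller; host and domain names are constructed:

```python
"""Check functional-level changes against the supported-domain-controller
lists above for Windows Server 2003 domains and forests.

Added example, not code from the original page; host names and domain names
are constructed. Encoded from the text: which DC operating systems each
level supports, that a level can be raised only when every DC runs an OS the
target level supports, that raising is one-way, that the interim level is set
through the forest rather than raised directly, and that a forest can go to
Windows Server 2003 only when every domain is at Windows 2000 native or
Windows Server 2003.
"""
from typing import Dict, List, Tuple

NT4, W2K, W2K3 = "Windows NT 4.0", "Windows 2000", "Windows Server 2003"

DOMAIN_LEVEL_DCS = {
    "Windows 2000 mixed": {NT4, W2K, W2K3},
    "Windows 2000 native": {W2K, W2K3},
    "Windows Server 2003 interim": {NT4, W2K3},
    "Windows Server 2003": {W2K3},
}
# Raises an administrator performs directly. Interim is reached only when the
# forest level is raised to interim during an NT 4.0 upgrade.
DOMAIN_RAISES = {
    "Windows 2000 mixed": {"Windows 2000 native", "Windows Server 2003"},
    "Windows 2000 native": {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}
FOREST_LEVEL_DCS = {
    "Windows 2000": {NT4, W2K, W2K3},
    "Windows Server 2003 interim": {NT4, W2K3},
    "Windows Server 2003": {W2K3},
}

DomainInventory = Dict[str, str]  # DC host name -> operating system


def unsupported_dcs(dcs: DomainInventory, allowed: set) -> List[str]:
    """DCs whose OS the target level does not support (they would stop functioning)."""
    return sorted(host for host, os_name in dcs.items() if os_name not in allowed)


def can_add_dc(level: str, os_name: str) -> bool:
    """Can a DC running `os_name` still be promoted into a domain at `level`?"""
    return os_name in DOMAIN_LEVEL_DCS[level]


def check_domain_raise(current: str, target: str, dcs: DomainInventory) -> Tuple[bool, str]:
    """Return (allowed, reason) for raising a domain from `current` to `target`."""
    if target not in DOMAIN_LEVEL_DCS or current not in DOMAIN_LEVEL_DCS:
        raise ValueError("unknown domain functional level")
    if target not in DOMAIN_RAISES[current]:
        return False, f"{current} -> {target} is not a permitted raise (levels are one-way)"
    bad = unsupported_dcs(dcs, DOMAIN_LEVEL_DCS[target])
    if bad:
        return False, "raise blocked; these DCs would no longer function: " + ", ".join(bad)
    return True, f"all DCs run an OS supported at {target}"


def check_forest_raise(target: str,
                       domains: Dict[str, Tuple[str, DomainInventory]]) -> Tuple[bool, str]:
    """`domains` maps domain name -> (domain functional level, its DC inventory)."""
    if target not in FOREST_LEVEL_DCS:
        raise ValueError("unknown forest functional level")
    if target == "Windows Server 2003":
        low = sorted(d for d, (lvl, _) in domains.items()
                     if lvl not in ("Windows 2000 native", "Windows Server 2003"))
        if low:
            return False, "domains not yet at Windows 2000 native or Windows Server 2003: " + ", ".join(low)
    bad = []
    for d, (_, dcs) in domains.items():
        bad += [f"{d}/{h}" for h in unsupported_dcs(dcs, FOREST_LEVEL_DCS[target])]
    if bad:
        return False, "forest raise blocked by DCs: " + ", ".join(sorted(bad))
    return True, f"forest can be raised to {target}"


if __name__ == "__main__":
    # Constructed inventory: one Windows 2000 DC still in the domain.
    corp = {"dc1.corp.example": W2K3, "dc2.corp.example": W2K}
    print(check_domain_raise("Windows 2000 mixed", "Windows 2000 native", corp))
    print(check_domain_raise("Windows 2000 mixed", "Windows Server 2003", corp))
    print(check_forest_raise("Windows Server 2003", {"corp.example": ("Windows 2000 native", corp)}))
```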
Understanding Windows Server 2008 Active Directory Domain and Forest Functional
Levels
In Windows Server 2003, functional levels were an extension of the older
mixed/native mode concept introduced in Windows 2000. In Windows Server 2008
this was further extended to include new features and benefits; functional levels are used to
activate new Active Directory features after all the Domain Controllers (DCs) in the
domain or forest are running Windows Server 2008 operating systems. Functional
levels determine the features of Active Directory Domain Services (AD DS) that are
enabled in a domain or forest.
When the first Windows Server 2008–based Domain Controller is deployed in a domain or
forest, the domain or forest operates by default at the lowest functional level that is possible in
that environment, meaning Windows 2000 Native Mode. This allows you to take advantage of
the default Active Directory features while running versions of Windows earlier than Windows
Server 2008. When you raise the functional level of a domain or forest, a set of advanced
features becomes available.
After the domain functional level is raised, DCs that are running earlier operating systems cannot
be introduced into the domain. For example, if you raise the domain functional level to Windows
Server 2008, Domain Controllers that are running Windows Server 2003 cannot be added to that
domain.
Unless you still have old NT 4.0 BDCs there's no reason for staying in Mixed Mode, and as you
already know, Windows Server 2008 does not support NT 4.0 BDCs, so if you are still using
them and planning to upgrade your Active Directory to Windows Server 2008, re-think your
strategy.
As for Windows 2000 Native Mode, unless you still have Windows 2000 Domain Controllers,
again, there's no reason for staying in that function level. However, if you still do, remember that
Windows Server 2008 only supports Windows 2000 SP4. Be sure to have SP4 on all your
Windows 2000 DCs.
You can read my "What are the domain and forest function levels in a Windows Server 2003-
based Active Directory?" article for more info about that.
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 or Windows Server 2008 domain or forest functional
levels. These levels only affect the way that domain controllers interact with each other.
However, be aware of the fact that regardless of the domain or function level, servers running
Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows
Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support
older NT 4.0 servers.
For more information about Windows Server 2008 Active Directory requirements, please read
my "Active Directory on Windows Server 2008 Requirements" article.
Read my "Raising Windows Server 2008 Active Directory Domain and Forest Functional
Levels" article for information on how to actually raise the domain and forest function levels.
Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right
operating system. After this requirement is met, the administrator can raise the domain functional
level. Here's a list of the domain function levels available in Windows Server 2008:
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers – Windows 2000, Windows Server 2003, Windows Server
2008.
Features and benefits:
• Group nesting – Unlike Windows NT 4.0, allows placing of a group of one scope as a
member of another group of the same scope.
• Universal security groups – Allows usage of Universal security type groups.
• SidHistory – Enables usage of SidHistory when migrating objects between domains.
• Converting groups between security groups and distribution groups – Unlike
Windows NT 4.0, allows converting of a group type into another group type (with some
limitations).
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003. Read my "Raise Domain Function Level in Windows
Server 2003 Domains" article for more info about that.
Supported Domain controllers – Windows Server 2003, Windows Server 2008.
Features and benefits include all default Active Directory features, all features from the
Windows 2000 native domain functional level, plus:
• Universal group caching – Windows Server 2003 functional level supports Universal
group caching, which eliminates the need for a local global catalog server.
• Domain Controller rename – By using the NETDOM command.
• Logon time stamp update – The lastLogonTimestamp attribute will be updated with the
last logon time of the user or computer. This attribute is replicated within the domain.
• Multivalued attribute replication improvements – Allows incremental membership
changes, which in turn enables having more than 5000 members in a group and better
replication capabilities.
• Lingering objects (zombies) detection – Windows Server 2003 has the ability to detect
zombies, or lingering objects.
• AD-integrated DNS zones in application partitions – This allows storing of DNS data
in AD application partition for more efficient replication.
• Users and Computers containers can be redirected – This allows the redirection of the
default location of new users and computers (by using the REDIRUSR and REDIRCMP
commands).
• Support for selective authentication – Makes it possible to specify the users and groups
from a trusted forest who are allowed to authenticate to resource servers in a trusting
forest.
Windows Server 2008 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2008. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2008.
Important
Raising the domain and forest functional levels to Windows Server 2008 is a
nonreversible task and prohibits the addition of Windows 2000–based or
Windows Server 2003–based Domain Controllers to the environment. Any
existing Windows 2000–based or Windows Server 2003–based Domain
Controllers in the environment will no longer function, and in fact, the
upgrading wizard will not allow you to continue with the operation. Before
raising functional levels to take advantage of advanced Windows Server
2008 features, ensure that you will never need to install domain controllers
running Windows 2000-based or Windows Server 2003–based Domain
Controllers in your environment.
The Active Directory service is an essential and inseparable part of the Windows Server 2003
network architecture that provides a directory service designed for distributed networking
environments. Active Directory provides a single point of management for Windows-based user
accounts, clients, servers, and applications. It also helps organizations integrate systems not
using Windows with Windows-based applications and Windows-compatible devices, thus
consolidating directories and easing management of the entire network operating system.
Companies can also use Active Directory to extend systems securely to the Internet. Active
Directory thus increases the value of an organization's existing network investments and lowers
the overall costs of computing by making the Windows network operating system more
manageable, secure, and interoperable.
Active Directory plays such an important role in managing the network, that as you prepare to
move to Windows Server 2003, it is helpful to review the new features of the Active Directory
service.
New Active Directory Features
With the new Active Directory features in Standard Edition, Enterprise Edition, and Datacenter
Edition, more efficient administration of Active Directory is available to you.
New features can be divided into those available on any domain controller running Windows
Server 2003, and those available only when all domain controllers of a domain or forest are
running Windows Server 2003.
Features Available If Any Domain Controller Is Running
Windows Server 2003
The following list summarizes the Active Directory features that are enabled by default on any
domain controller running Windows Server 2003.
• Multiple selection of user objects. Modify common attributes of multiple user objects at
one time.
• Drag-and-drop functionality. Move Active Directory objects from container to
container by dragging and dropping one or more objects to a desired location in the
domain hierarchy. You can also add objects to group membership lists by dragging and
dropping one or more objects (including other group objects) onto the target group.
• Efficient search capabilities. Search functionality is object-oriented and provides an
efficient browse-less search that minimizes network traffic associated with browsing
objects.
• Saved queries. Save commonly used search parameters for reuse in Active Directory
Users and Computers.
• Active Directory command-line tools. Run new directory service commands for
administration scenarios.
• Selective class creation. Create instances of specified classes in the base schema of a
Windows Server 2003 forest. You can create instances of several common classes,
including: country or region, person, organizationalPerson, groupOfNames, device, and
certificationAuthority.
• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a
security principal and can be used in the same manner as the user class. The
userPassword attribute can also be used to set the account password.
• Application directory partitions. Configure the replication scope for application-
specific data among domain controllers running Standard Edition, Enterprise Edition, and
Datacenter Edition. For example, you can control the replication scope of Domain Name
System (DNS) zone data stored in Active Directory so that only specific domain
controllers in the forest participate in DNS zone replication.
• Add additional domain controllers to existing domains using backup media. Reduce
the time it takes to add an additional domain controller in an existing domain by using
backup media.
• Universal group membership caching. Prevent the need to locate a global catalog
across a wide area network (WAN) during logons by storing user universal group
memberships on an authenticating domain controller.
Features Available When All Domain Controllers Are
Running Windows Server 2003
New domain- or forest-wide Active Directory features can be enabled only when all domain
controllers in a domain or forest are running Windows Server 2003 and the domain functionality
or forest functionality has been set to Windows Server 2003.
The following list summarizes the domain- and forest-wide Active Directory features that can be
enabled when either a domain or forest functional level has been raised to Windows Server 2003.
• Domain controller rename tool. Rename domain controllers without first demoting
them.
• Domain rename. Rename any domain running Windows Server 2003 domain
controllers. You can change the NetBIOS name or DNS name of any child, parent, tree-
or forest-root domain.
• Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a
single forest to a second forest.
• Forest restructuring. Move existing domains to other locations in the domain hierarchy.
• Defunct schema objects. Deactivate unnecessary classes or attributes from the schema.
• Dynamic auxiliary classes. Provides support for dynamically linking auxiliary classes to
individual objects, and not just to entire classes of objects. In addition, auxiliary classes
that have been attached to an object instance can subsequently be removed from the
instance.
• Global catalog replication tuning. Preserves the synchronization state of the global
catalog when an administrative action results in an extension of the partial attribute set.
This minimizes the work generated as a result of a partial attribute set extension by only
transmitting attributes that were added.
• Replication enhancements. Linked value replication allows individual group members
to be replicated across the network instead of treating the entire group membership as a
single unit of replication.
Raising Domain Functional Levels
Domains can operate at one of three functional levels: Windows 2000 mixed, the default setting
(which allows domain controllers running Windows 2000, Windows NT 4.0, and Windows Server
2003), Windows 2000 native (which allows domain controllers running Windows 2000 and
Windows Server 2003 only), and Windows Server 2003 (which allows only domain controllers
running Windows Server 2003).
Once all domain controllers are running Windows Server 2003, you can raise the domain and
forest functionality to Windows Server 2003 by opening Active Directory Domains and Trusts,
right-clicking the domain for which you want to raise functionality, and then clicking Raise
Domain Functional Level.
Note that once you raise the domain functional level, domain controllers running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers running Windows 2000 Server
cannot be added to that domain.
The following table describes the domain-wide features that are enabled for the corresponding
domain functional level:
Author is a Microsoft Windows Server System - Exchange Server MVP
The Active Directory service is an essential and inseparable part of the Windows Server 2003
network architecture that provides a directory service designed for distributed networking
environments. Active Directory provides a single point of management for Windows-based user
accounts, clients, servers, and applications. It also helps organizations integrate systems not
using Windows with Windows-based applications and Windows-compatible devices, thus
consolidating directories and easing management of the entire network operating system.
Companies can also use Active Directory to extend systems securely to the Internet. Active
Directory thus increases the value of an organization's existing network investments and lowers
the overall costs of computing by making the Windows network operating system more
manageable, secure, and interoperable.
Active Directory plays such an important role in managing the network, that as you prepare to
move to Windows Server 2003, it is helpful to review the new features of the Active Directory
service.
New Active Directory Features
With the new Active Directory features in Standard Edition, Enterprise Edition, and Datacenter
Edition, more efficient administration of Active Directory is available to you.
New features can be divided into those available on any domain controller running Windows
Server 2003, and those available only when all domain controllers of a domain or forest are
running Windows Server 2003.
Features Available If Any Domain Controller Is Running
Windows Server 2003
The following list summarizes the Active Directory features that are enabled by default on any
domain controller running Windows Server 2003.
• Multiple selection of user objects. Modify common attributes of multiple
user objects at one time.
• Drag-and-drop functionality. Move Active Directory objects from container
to container by dragging and dropping one or more objects to a desired
location in the domain hierarchy. You can also add objects to group
membership lists by dragging and dropping one or more objects (including
other group objects) onto the target group.
• Efficient search capabilities. Search functionality is object-oriented and
provides an efficient browse-less search that minimizes network traffic
associated with browsing objects.
• Saved queries. Save commonly used search parameters for reuse in Active
Directory Users and Computers.
• Active Directory command-line tools. Run new directory service
commands for administration scenarios.
• Selective class creation. Create instances of specified classes in the base
schema of a Windows Server 2003 forest. You can create instances of several
common classes, including: country or region, person, organizationalPerson,
groupOfNames, device, and certificationAuthority.
• InetOrgPerson class. The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as the
user class. The userPassword attribute can also be used to set the account
password.
How can I raise the forest function level in a Windows Server 2003-based Active
Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows
2000 to activate new Active Directory features after all the domain controllers in the domain or
forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows Server 2003 and the
administrator activates the corresponding functional level in the domain or forest (read
Understanding Function Levels in Windows Server 2003 Active Directory for more info).
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003, and the current forest functional level must be at Windows 2000 native or
Windows Server 2003 domain level. After this requirement is met, the administrator can raise the
domain functional level.
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect
the way that domain controllers interact with each other.
Important
Do not raise the forest functional level if you have, or will have, any domain
controllers running Windows NT 4.0 or Windows 2000. As soon as the
forest functional level is raised to Windows Server 2003, it cannot be
changed back to the Windows 2000 forest functional level.
To raise the forest functional level, you must be a member of the Enterprise Admins group.
In order to raise the Forest Functional Level:
1. Log on to the PDC of the forest root domain with a user account that is a member of the
Enterprise Administrators group.
2. Open Active Directory Domains and Trusts: click Start, point to All Programs, point to
Administrative Tools, and then click Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise
Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server 2003, and then
click Raise to raise the forest functional level to Windows Server 2003.
5. Read the warning message, and if you wish to perform the action, click Ok.
6. You will receive an acknowledgement message telling you that the operation was
completed successfully. Click Ok.
7. You can check the functional level by performing step 3 again and viewing the current
functional level.
Note: To raise the forest functional level, you must upgrade (or demote) all existing Windows
2000 domain controllers in your forest.
If you cannot raise the forest functional level, you can click Save As in the Raise Forest
Functional Level dialog box to save a log file that specifies which domain controllers in the
forest still must be upgraded from Windows NT 4.0 or Windows 2000.
If you receive a message that indicates you cannot raise the forest functional level, use the report
generated by "Save As" to identify all domains and domain controllers that do not meet the
requirements for the requested increase.
The current forest functional level appears under Current forest functional level in the Raise
Forest Functional Level dialog box. After the forest level is successfully increased and replicated
to the PDCs in the domains, the PDCs for each domain automatically increase their domain level
to the current forest level. The level increase is performed on the Schema FSMO and requires
Enterprise Administrator credentials.
What DNS entries (SRV Records) does Windows 2000/2003 add when you create a
domain?
In order for Active Directory to function properly, DNS servers must provide support for Service
Location (SRV) resource records described in RFC 2052, A DNS RR for specifying the location
of services (DNS SRV). SRV resource records map the name of a service to the name of a server
offering that service. Active Directory clients and domain controllers use SRV records to
determine the IP addresses of domain controllers. Although not a technical requirement of Active
Directory, it is highly recommended that DNS servers provide support for DNS dynamic updates
described in RFC 2136, Observations on the use of Components of the Class A Address Space
within the Internet.
The Windows 2000 DNS service provides support for both SRV records and dynamic updates. If
a non-Windows 2000 DNS server is being used, verify that it at least supports the SRV resource
record. If not, it must be upgraded to a version that does support the use of the SRV resource
record. For example, Windows NT Server 4.0 DNS servers must be upgraded to Service Pack 4
or later to support SRV resource records. A DNS server that supports SRV records but does not
support dynamic update must be updated with the contents of the Netlogon.dns file created by
the Active Directory Installation wizard while promoting a Windows 2000 Server to a domain
controller. The Netlogon.dns file is described in the following section.
So now you understand that Windows 2000 domains rely heavily on DNS entries. If you enable
dynamic update on the relevant DNS zones, W2K creates these entries automatically:
• _ldap._tcp.<DNSDomainName>
Enables a client to locate a W2K domain controller in the domain named by
<DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would
query the DNS server for _ldap._tcp.dpetri.net.
• _ldap._tcp.<SiteName>._sites.<DNSDomainName>
Enables a client to find a W2K domain controller in the domain and site specified (e.g.,
_ldap._tcp.lab._sites.dpetri.net for a domain controller in the Lab site of dpetri.net).
• _ldap._tcp.pdc._msdcs.<DNSDomainName>
Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-
mode domain. Only the PDC of the domain registers this record.
• _ldap._tcp.gc._msdcs.<DNSTreeName>
Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC
servers for the tree will register this name. If a server ceases to be a GC server, the server will
deregister the record.
• _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName>
Enables a client to find a GC server in the specified site (e.g.,
_ldap._tcp.lab._sites.gc._msdcs.dpetri.net).
• _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Enables a client to find a domain controller in a domain based on the domain controller’s
globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for
referencing Active Directory objects.
• <DNSDomainName>
Enables a client to find a domain controller through a normal Host record.
After running DCPROMO, a text file containing the appropriate DNS resource records for the
domain controller is created. The file, called Netlogon.dns, is created in the
%systemroot%\System32\config folder and contains all the records needed to register the
resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon
service and can also be used to support Active Directory on non-Windows 2000 DNS servers.
If you are using a DNS server that supports the SRV resource record but does not support
dynamic updates (such as a UNIX-based DNS server or a Windows NT Server 4.0 DNS server),
you can import the records in Netlogon.dns into the appropriate primary zone file to manually
configure the primary zone on that server to support Active Directory.
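As an added check (example code written for this page, not from the original article or from Microsoft), the following Python parses a constructed Netlogon.dns-style excerpt, reports which of the SRV names listed above have no record, and flags GC locator entries that do not point at the global catalog LDAP port 3268 (a well-known port the text does not mention). The domain dpetri.net, the site "lab", the GUID and the record contents are sample values; the tree name is assumed to equal the domain name, as in a single-domain forest.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in Netlogon.dns style ("owner ttl IN SRV priority weight port target").
# dpetri.net, the site "lab", the GUID and the GC port 389 are illustrative, not real data.
SAMPLE_NETLOGON_DNS = """\
dpetri.net. 600 IN A 192.0.2.10
_ldap._tcp.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.lab._sites.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.pdc._msdcs.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.gc._msdcs.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.11111111-2222-3333-4444-555555555555.domains._msdcs.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
"""

SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target host)


def parse_netlogon_dns(text: str) -> Dict[str, List[SrvRecord]]:
    """Group SRV records by owner name; A records and blank lines are skipped."""
    records: Dict[str, List[SrvRecord]] = {}
    for raw in text.splitlines():
        m = SRV_LINE.match(raw.strip())
        if not m:
            continue
        owner = m.group(1).rstrip(".").lower()
        rr = (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).rstrip(".").lower())
        records.setdefault(owner, []).append(rr)
    return records


def expected_dc_srv_names(domain: str, site: str, domain_guid: str, tree: str = "") -> Set[str]:
    """Owner names from the list above for a DC that is also the PDC and a GC.
    Assumption: in a single-domain forest <DNSTreeName> equals the domain name."""
    tree = tree or domain
    return {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_ldap._tcp.gc._msdcs.{tree}",
        f"_ldap._tcp.{site}._sites.gc._msdcs.{tree}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{tree}",
    }


def missing_srv_names(text: str, domain: str, site: str, domain_guid: str) -> List[str]:
    """Expected owner names that have no SRV record in the file (sorted for stable reports)."""
    present = set(parse_netlogon_dns(text))
    return sorted(expected_dc_srv_names(domain, site, domain_guid) - present)


def wrong_gc_ports(records: Dict[str, List[SrvRecord]]) -> List[str]:
    """GC locator records should point at the GC LDAP port 3268; list owners that do not."""
    bad = [owner for owner, rrs in records.items()
           if "gc._msdcs." in owner and any(rr[2] != 3268 for rr in rrs)]
    return sorted(bad)
```

Run against a real Netlogon.dns before importing it into a non-dynamic zone, so a missing site or GC record is caught before clients start failing to locate the domain controller.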
Therefore, when planning your network design and deciding on the computers for your network,
you must know what functions the computer will be performing. Understanding these functions
will put you in a good position to determine the hardware and software components needed for
your computers.
Windows Server 2003 itself provides a number of features and tools when you install it on a
computer. You though have to implement additional features and functionality on a server to
provide the services and capabilities required by the organization and its users. In fact, until these
additional features and functionality make certain services available, the computer cannot be
used as required by users.
Computers required on your network can be broadly grouped according to the following roles:
• Server roles: Servers can be configured to perform a number of roles. The
applications that the server is running determine the role of the particular
server. Servers typically need services and additional features installed to
perform their specific roles. When compared to workstations, servers have more
disk space and memory, and faster processors. The hardware required by a
server is determined by the role it performs. A few common server roles are
listed below:
○ Domain controller
○ Database server
○ Backup server
○ File server
○ Print server
○ Infrastructure server
○ Web server
○ E-mail server
• Desktop workstation roles: Desktop workstations differ from servers in that
desktop workstations are general-purpose computers that can perform a
number of different types of functions.
• Portable workstation roles: Portable workstations are the solution to bringing
the features of a desktop computer to an off-site employee.
Windows Server 2003 introduced the concept of server roles. Server roles basically group
related administrative tasks, and are used to provide a specific capability or function to the
network design. With Windows Server 2003, if you configure a server for a certain server role,
then a number of additional services, features and tools are installed for the server. In this
manner, the server is set up to provide the required services to your users.
Windows Server 2003 provides a new tool for defining and managing server roles, namely, the
Manage Your Server utility. The actual Wizard for applying the server roles to computers is the
Configure Your Server Wizard. The Configure Your Server Wizard is included within the
Manage Your Server utility and is also managed through this utility.
For Windows Server 2003, there are 11 different server roles that you can configure using the
Configure Your Server Wizard:
• File server
• Print server
• Application server
• Mail server
• Terminal server
• Remote access server/VPN server
• Domain controllers
• DNS server
• WINS server
• DHCP server
• Streaming media server
5. How we can raise domain functional & forest functional level in Windows Server 2003?
7. What is IPv6?
13. Which is the command used to remove Active Directory from a domain controller?
16. What is the file that's responsible for keeping the entire Active Directory database?